State surveillance programs spell serious consequences for business -- could Canada be next?
A few weeks ago the Court of Justice of the European Union (CJEU) rendered a judgment in Case C-362/14 that invalidated the Safe Harbour Decision that heretofore had allowed U.S. companies to transfer and store personal data of EU citizens in the U.S. as long as they voluntarily agreed to respect certain principles. This decision will affect over 4,700 companies who have EU customers or store and process EU user data in the U.S.
In brief, the Safe Harbour Decision was premised on the EU Data Protection Directive which provides that the transfer of personal data of EU citizens to a non-EU country "may take place only if that third country ensures an adequate level of protection of the data by reason of its domestic law or its international commitments." The EU Commission had decided in 2000 that under the safe harbour scheme, a series of principles concerning the protection of personal data to which U.S. companies could voluntarily subscribe, an adequate level of protection of personal data transferred to the U.S. existed. The commission has made adequacy findings for other non-EU jurisdictions, such as Canada.
In this case, Facebook user Maximillian Schrems filed a complaint with the Irish Data Protection Commissioner over the transfer of his data and the data of other EU users to Facebook's servers in the United States, claiming that U.S. law and practice do not offer sufficient protection against surveillance by the public authorities of the data transferred. The grievance was substantiated by the 2013 Snowden revelations about the NSA's surveillance activities.
The case made its way to the CJEU which rendered a judgment invalidating the Safe Harbour Decision.
There are two major outcomes of this decision.
The first is that countries whose government security frameworks overrule privacy rights may not have an adequate data protection framework to be allowed to transfer EU citizen data out of the EU.
The court found that "national security, public interest and law enforcement requirements in the United States prevail over the safe harbour scheme" such that the U.S. businesses that had voluntarily subjected their operations to the safe harbour principles are "bound to disregard, without limitation, the protective rules laid down by [that] scheme where they conflict with such requirements."
U.S. public authorities are not prevented by the safe harbour scheme from interfering with the fundamental right of EU citizens to the protection of their personal data. Several aspects of the U.S. legal framework were found to compromise the essence of the EU's fundamental right to respect for private life and the right to effective judicial protection, namely:
(1) The existence of legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications; and,
(2) The absence of legislation providing for the possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data.
In the words of the court, the basis of this finding is that "personal data transferred by companies such as Facebook Ireland to its parent company in the United States is... capable of being accessed by the NSA in the course of a mass and indiscriminate surveillance of such data."
Without doubt, this ruling will have major implications for businesses with EU operations that store data in the U.S.
It also gives reason to pause and consider Canada's own data protection framework, and whether new government surveillance powers, such as those enabled by Bill C-51, might likewise invalidate the adequacy finding for Canadian privacy legislation.
While Canadian privacy law may at one point have been considered adequate, it may no longer be. The European Commission decided in 2001 that Canada's privacy law, PIPEDA, provided an adequate level of protection for the data of European citizens and was thus consistent with the directive. The same reasoning in the Schrems decision might be used to invalidate the ruling on Canadian adequacy, which is now almost 15 years old.
In its current form, PIPEDA includes several instances where businesses are permitted or required to disclose personal information in their possession, including those related to national security.
The second major result of this ruling is jurisdictional. The court invalidated the Safe Harbour Decision in part on the basis that it denies national authorities their powers to protect the privacy and the fundamental rights and freedoms of individuals. There is a risk that individual EU states may find Canada's privacy framework to no longer adequately protect EU user data and prohibit the flow of data from the EU to Canadian servers.
The other upshot related to Canadian data is this: if the U.S. privacy framework isn't adequate to protect the rights of Europeans, is it good enough for Canadian privacy rights? Moreover, the power of Canadian surveillance agencies to override privacy legislation will grow under Bill C-51.
On a final note, the recently adopted Trans Pacific Partnership deal, promoted as a major economic victory for Canada, allegedly includes restrictions on limiting the flow of data between signatory nations, which include the United States, Australia and Japan.
Complete data flows and data storage in the U.S., which Europe has just said no to, may not be desirable for Canadian data either, especially more sensitive information related to health or finances. Information in the U.S. is easily accessible by the NSA and other agencies under the Patriot Act. The TPP allegedly includes a provision that bans data localization requirements, which would prohibit the type of decision just passed in Europe. There may be serious limitations placed on the ability of the Canadian government to pass more stringent rules to protect the privacy of Canadians and limit data transfer.