Ripple effects

In its July 16 ruling, the European court declared the Privacy Shield, which has underpinned data flows between the European Union and the U.S., to be immediately invalid. Suddenly, as many as 5,000 companies, from banks to payroll processors and social media goliaths like Facebook and Google, are forced to find other legal ways to transfer their data across the Atlantic.

The court ruling also placed a question mark over the "standard contractual clauses" that have become part of agreements between data exporters and importers. The court said these clauses are still legal, but it placed the onus on the importing companies to ensure that European privacy rights remain protected.

That's a lot easier said than done because companies can't guarantee that the data won't be subject to surveillance by U.S. law enforcement and intelligence services like the National Security Agency (NSA). This leaves companies with the alternative of processing the data in Europe or using encryption that's so strong enough even U.S. intelligence experts can't break it, according to Colin Bennett, an expert on data privacy and a political science professor at the University of Victoria.

"The ruling has a global impact," Bennett told CBA National. "The basic policy position of the Europeans is that they have strong data protection rules and they don't want to see those weakened when that data goes offshore. So their view is that the rules should flow with the data."

Canada wasn't part of the court case, and it retains its status with the European Union as an "adequate" partner for data flows. But the ruling underscores the need for Canada to keep up by updating the federal Personal Information Protection and Electronic Documents Act (PIPEDA), passed in 2000 and which sets national standards for privacy practices in the private sector.

"It's absolutely critical that Canada's adequacy standards be expanded, and given the new rules in Europe, we need to amend our laws in Canada to bring them up to the new global standard," Bennett says.

The U.S. has never had an omnibus privacy law, which is why the Europeans have never recognized America's privacy regime as "adequate." Hence the importance of arrangements like the Privacy Shield.

Elisa Henry, a partner at BLG in Montreal and co-chair of its Privacy and Data Protection Group, says the immediate invalidation of the Privacy Shield has proven to be "problematic for many companies and raises questions about what will happen next." She adds, "We're all guessing because there's no clear guidance."

"We all have clients who depend on data processors in the U.S.," Henry says. Many companies have depended on the Privacy Shield and on "standard contractual clauses" to remain onside with European regulators. While those clauses remain valid in principle, Henry says they are rigid instruments and can't be changed. And the clauses don't offer protection if the U.S. government decides to "snoop" into the data, she says.

Yet despite the ruling, data flows between the E.U. and the U.S. have yet to been disrupted. "To my knowledge, everything continues," Henry says. "Because this is so abrupt a decision, there is a feeling in the community that data officials in the European (Commission) will not take enforcement" actions while discussions go on with the Americans on next steps. "Everybody is holding their breath."

Karen Eltis, a law professor at the University of Ottawa and an expert in online privacy, said the European court ruling demonstrates how traditional state actors are unable to regulate what goes in cyber-space. "This is part of a larger problem of democratic legitimacy and democratic accountability," Eltis said in an interview. "I don't vote for the U.S. government. I can't go to my congressman and say, 'hey, why are there no laws?' I can't go before an American court because non-Americans don't have the same rights as Americans."

The issue goes beyond data privacy and includes issues like the taxation of companies on their global income. "It's not about world government," Eltis says. "It's about like-minded democratic governments coming together and finding some model of collaboration that is suitable for governance" in the modern age.

Ann Cavoukian, Ontario's former information and privacy commissioner and head of the Privacy by Design Centre for Excellence, said the European court ruling wasn't a surprise and only emphasizes the need for Ottawa to modernize PIPEDA and the Privacy Act to allow for stricter enforcement.

Yet despite promises by Ottawa to move ahead, including the 2018 publication of a proposed Digital Charter, Cavoukian remains disappointed at the lack of legislative action. "They've done nothing. Trudeau has just sat on this. It's appalling."

But the pressure on Ottawa to update its privacy legislation is ramping up. The Quebec government has introduced amendments updating its data privacy legislation (Quebec, British Columbia and Alberta have their own statutes covering data privacy in the private sector while PIPEDA governs the remaining provinces). Quebec's proposed new law is inspired by Europe's General Data Protection Regulation (GDPR). The B.C. legislature recently appointed a special committee to conduct a review of the province's Personal Information Protection Act and plans to hold public hearings with a report expected in February.

"It's very likely that in 2021 we see major reforms throughout the country to meet thresholds and requirements that are very similar to the GDPR," says BLG's Henry.

Bennett, the University of Victoria privacy expert, thinks the Canadian government shouldn't hesitate to act sooner rather than later. "There's a window of opportunity for us to revise our privacy laws urgently and to position ourselves as the safe place in North America for the processing of data," he says.