GDPR Data Transfers for Canadian Organizations: Introducing Supplementary Measures

Written By Guilda Rostama

Invalidation of the Privacy Shield”, “Schrems II” decision”, “standard contractual clauses”, “adequacy” … you may have come across these terms many times in the past year or so. Just a couple of weeks ago, a German regulator held that the transfer of EU residents’ personal information from Germany to Mailchimp, a widely-used American e-mail marketing service, could be considered as unlawful. Even more recently, the Portuguese regulator ordered the Portuguese National Statistical Institute to suspend any transfer of personal information without adequate protections in place within 12 hours to Cloudflare, a California-based company.

But what does all of this mean, and what are the implications for Canadian organizations? At first glance, this could seem like a discord between the US and the EU, and therefore not of direct concern to Canadian organizations.

However, if you disclose personal information relating to residents of the EU to third countries, such as the United States, then you are directly affected by the invalidation of the Privacy Shield, and there are elements you need to carefully consider. 

Why are transfers of personal information such a big deal in the GDPR?

The GDPR is known as one of the toughest privacy regulations in the world. Though it was drafted and passed by the EU Parliament, it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU.

The GDPR adopts the following reasoning: the protection that it grants to individuals must not be diminished when data is transferred outside the EU. In other words, European residents deserve the same level of protection when their data is transferred across the world.

This means that EU organizations may transfer personal information outside of the EU provided that a sufficient and appropriate level of data protection is ensured. In order to ensure such level of protection for data transferred from European territory to third countries, organizations can rely on:

  • An “adequacy decision”: the European Commission evaluates the privacy regulations of a third country, and decides that this country provides a level of protection similar to the GDPR;

  • In the absence of such a decision, "appropriate guarantees", the most commonly-used being Standard Contractual Clauses drafted by the European Commission.

Fortunately for Canadian organizations, PIPEDA is a legislation that is recognized as "adequate" by the European Commission. It is therefore possible for European organizations to transmit data to organizations subject to PIPEDA.

However, it often happens that Canada is not the “final destination” of personal information transferred by EU organizations; in fact, Canadian organizations may wish to transfer to another third country (for example, by using a service provider that is in the United States). This is where the “invalidation of the Privacy Shield” becomes important for Canadian organizations.

What is the Privacy Shield and why was it invalidated?

The “Privacy Shield” adequacy decision was adopted in 2016 by the European Commission to allow the transfer of data between the European Union and US operators adhering to its principles of data protection.

However, on July 16, 2020, the Supreme Court of the EU (the Court of Justice of the European Union “CJEU”) rendered a decision finding that the legislation currently in force in the United States does not ensure an adequate level of protection for European individuals, despite the existence of the Privacy Shield.

Indeed, several American surveillance programs based on section 702 of the Foreign Intelligence Surveillance Act (FISA) of 1978 and on Executive Order (EO) 12333 of 1981, allow intelligence agencies to collect and process massive amounts of information, including those relating to European residents. These programs give rise to interference with the rights of individuals, without the grounds for interference being clearly defined, and without providing individuals with an effective right of appeal against such interference.

Bluntly said, the CJEU disagreed with the European Commission and held that the Privacy Shield could not constitute a basis for transfer of EU residents’ personal information to the US.

What are the consequences of invalidating the Privacy Shield for Canadian organizations?

In a nutshell: any Canadian company that wishes to transfer EU data to the US can no longer do so on the basis of the Privacy Shield.

When the Privacy Shield was invalidated, all organizations relying on the Privacy Shield naturally turned their attention to the “appropriate guarantees”, which constitute the other path for transferring personal information to the US.

As mentioned before, EU/Canadian organizations may choose to rely on “standard contractual clauses”, drafted and adopted by the European Commission to proceed with a transfer. However, this is where the issue actually resides in: even if organizations choose to use such standard contractual clauses, it is not sufficient according to the CJEU.

Why not?

Because the problem is with the American legal system, which does not provide EU residents with a level of protection that is adequate. 

Indeed, the standard contractual clauses are only binding on the parties of the contract. They do not entail any obligation for the authorities of the third country such as the US authorities. Therefore, they may not fully remedy the shortcomings in the protection of the individuals.

In other words, organizations in Canada that think they may rely on standard contractual clauses to transfer personal information to the US need to be aware of the fact that this is not sufficient - another step is necessary.

Introducing…. Supplementary Measures.

The CJEU notes that the exporter of personal information must verify “on a case-by-case basis […] whether the law of the third country of destination provides appropriate protection. […] by providing, if necessary, additional guarantees to those offered by these clauses”.

The European regulators have published examples of the supplementary measures that data exporters and importers can put into place, such as:

  • From a technical point of view:

  • Transmission of encrypted data where the keys are retained solely under the controller of the data exporter in the EU (or in Canada);

  • Transfer of pseudonymized data only or transfer of strictly necessary personal information (for example, avoiding to the greatest extent possible the transfer of sensitive data);

  • Split or multi-party processing, i.e., transmission by the data exporter to two or more independent processors located in different countries without disclosing the content of the data to them.

From a contractual point of view, Canadian organizations could contractually require US organizations to:

  • immediately inform them of any access request by US public authorities;

  • specifically declare that they have not purposefully created or changed their business processes in a manner that facilitates access to personal information or systems;

  • reviewing, under US law, the legality of any order to disclose data, and to challenge the order if, after a careful assessment, it concludes that there are grounds to do so;

  • notify promptly individuals of the request or order received from the public authorities so that they may seek information and an effective redress.

Is a Lack of Supplementary Measures Enforceable?

Two recent EU decisions confirmed the importance of these supplementary measures.

The first one, made by the Bavarian data protection authority considered that the use of the Mailchimp newsletter tool by a German company would not guarantee data protection with regard to the risks posed by data transfers to the United States, and decided that “transfers can therefore only be authorized by taking such additional measures”.

The French Supreme Court (as an urgent applications judge) decided in March 2021 that Doctolib, a French private company that makes it possible for French residents to secure an appointment for getting their vaccination shot, did not violate the GDPR by choosing to host the personal information with the Luxembourg subsidiary of Amazon Web Services, AWS SARL.  

First, the French court considered that because AWS SARL is a subsidiary of a company under U.S. law, it may be subject to access requests by U.S. authorities. The Court considered however that there were appropriate safeguards put in place:

  • AWS SARL committed to challenge any general access request from a public authority.   

  • The data hosted by AWS SARL did not include health information, and was encrypted with the key being stored in France, not by AWS, to prevent data from being read by third parties.

  • There was a clear retention policy, where the personal information would be stored for a short 3-month period only.

It is important to remember that this decision merely constitutes a preliminary ruling, and not an analysis on the merits of the case. In addition, the fact that the hosted personal information did not constitute health information is thoroughly questionable.

However, with respect to transfers, these two decisions confirm the importance of supplementary measures when the personal information may be transferred to the US.

So, What Do Canadian Organizations Need To Do?

First of all, to the extent possible avoid transferring personal information to the US if you are subject to GDPR. You can either do so by choosing Canadian organizations as your service providers, or by requiring US service providers to host the personal information in Canada.

If you really want or need to use a US-based company as your service provider, then carefully assess which personal information you absolutely must transfer to the US and which data can remain on local servers. Obviously, the more intrusive and sensitive the personal information is, the less recommended it is to proceed with such transfers.

Finally, carefully analyze the contracts that you sign with US service providers. To the extent possible, try to require an addendum, where the above-mentioned supplementary measures are provided.

If GDPR is new to you and your organization, it is recommended to conduct a GDPR Assessment to evaluate your exposure and determine what you need to do to be compliant.

Guilda Rostama

Guilda Rostama is a GDPR specialist. As a fully-qualified French lawyer, Guilda has a PhD in law, and holds the Master of Law and Internet Technology from Paris Sorbonne, as well as the LLB of the University of Sheffield, United Kingdom, and the CIPP/C. Before moving to Canada in 2021, Guilda was a senior legal counsel in the Economic Affairs department in the CNIL (the French Data Protection authority) for more than four years. During her tenure in the CNIL, she was actively involved in building recommendations and guidelines for organizations implementing the GDPR. She was also the leader of the Social Media Expert subgroup in the European Data Protection Board (EDPB).

Previous

5 Future Data Mobility Challenges for Canadian Organizations
Next

Does My Startup Need to Care About Privacy?