No more ‘Safe Harbour’: Does it matter in Canada?

Last week, the Court of Justice of the European Union (CJEU), Europe’s highest court, made a ruling that takes a strong, principled stand on data privacy rights, and may have repercussions for Canada. The ruling declared the Safe Harbour agreement that permitted data transfers between the EU and the US invalid.

The case in question was Schrems v. Data Protection Commissioner. It began when Max Schrems, an Austrian law student at the time the case began, and his advocacy group “Europe v Facebook,” filed a complaint against Facebook Ireland Ltd., Facebook’s European headquarters, with the Irish Data Protection Commissioner. They claimed that the Snowden revelations made it clear that Facebook Ireland Ltd. was violating European data protection laws by sharing data with its US parent company because it was known that the US National Security Agency (NSA) was actively surveilling social network data through its PRISM program. They also claimed that it is problematic that there is no way for Europeans to know when their data is captured, and no legal recourse if they do suspect such capture.

Facebook, and more than 4000 other companies, were relying on a negotiated agreement colloquially known as “Safe Harbour” to make data sharing between their European headquarters and their US base legal under European law. In the 1990s, the European Union passed a directive that made privacy law uniform across Europe, and established guidelines to protect data as it moved from country to country. The directive also required that any country wishing to receive European citizens’ data must provide equivalent protection to that it enjoyed within the EU. Canada passed the Personal Information Protection and Electronic Documents Act, or PIPEDA, which was determined to be adequate. The United States chose not to pass substantially similar legislation to meet this EU requirement, and instead negotiated the Safe Harbour agreement, which allowed American companies to ‘sign on’ to a set of privacy principles negotiated between the US and EU.

The Irish Data Protection Commissioner refused to investigate. Schrems appealed to the High Court of Ireland, which referred to the CJEU the question of whether a national court could legitimately rule on or question the European Commission’s Safe Harbour deal.

With the recent ruling, the CJEU has confirmed that individual state authorities may examine complaints, although only the CJEU can decide whether a Commission decision is valid. They then went on to declare the Safe Harbour agreement invalid, for three main reasons:

  • The Safe Harbour protections applied only to the companies who certified that they were compliant, not the state who nonetheless had access to the data, leaving the data potentially available without appropriate protection, “compromising the essence of the fundamental right to respect for private life.”
  • European citizens have no recourse to challenge the use or interception of their data by the state, which “compromises the essence of the fundamental right to judicial protection.”
  • The Safe Harbour decision denied the national supervisory authorities the ability to fulfil their responsibility to ensure that data sharing is compatible with privacy, and the fundamental rights and freedoms of individuals who bring complaints before them, which the Commission had no right to do.

Martin Scheinin, the former United Nations Special Rapporteur on human rights and counter-terrorism, has noted that the CJEU decision is highly significant because it has made a firm stand against mass surveillance. By stating that access by public authorities to confidential or group-specific communications data is a privacy intrusion, whether or not they process that data, the decision firmly contradicts the standard intelligence agency position that it’s not invasive if the data remains unprocessed. Scheinin calls it “a huge blow to many of the current methods of electronic mass surveillance.”

So, how does Canada enter into this equation? The decision was clearly about the United States, and Canada is in a different position, having passed PIPEDA and not relying on the Safe Harbour decision. The problem is that, as a member of the Five Eyes Alliance, the Canadian government quite likely has access to data via intelligence surveillance similar to that which caused the court concern in relation to NSA interceptions. Furthermore, with the passage of Bill C-51, now the Anti-terrorism Act, 2015, which expands the potential for information sharing exponentially, it becomes more and more likely that we, too, would fail to meet the high, privacy-protective threshold for cross-Atlantic data sharing that has now been established by the CJEU.
