A European Court of Justice ruling that companies moving user data from the European Union (EU) to other jurisdictions need to provide the same protections given inside the bloc has implications for Canadian companies, B.C.’s top privacy officer says.
And, said B.C. Information and Privacy Commissioner Michael McEvoy, Canada and its jurisdictions need to be looking at privacy laws.
“We want to put our companies on a really solid footing to compete internationally” he said. “It puts us on notice that Europe is looing at our privacy standards.”The EU’s high court said July 17 those wanting to move European users’ data abroad, must ensure a comparable level of protection provided by the union’s General Data Protection Regulation.
That law, McEvoy said, is considered the world’s gold standard for data privacy protection.
The court heard the case after Austrian activist Maximilian Schrems complained that data from Facebook’s Irish subsidiary was being transferred to the United States.
Schrems complained to Ireland’s Data Protection Commissioner. He asserted the United States did not offer protection of data from surveillance by its intelligence services. He based that claim on the revelations of former CIA contractor Edward Snowden, who leaked details of extensive Internet and phone surveillance by American intelligence services.
It had been widely understood that data transfers were covered by so-called safe harbour agreements whereby an entity controlling data would voluntarily comply with EU regulations.
The court said the U.S. application of such agreements allowed interference by public authorities.
“National security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements,” the court said.
The upshot is that the court said Ireland needs to decide if “transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”
And, that, said McEvoy, has seriously implications for Canadian business, particularly the IT sector.
“Europe is signalling that U.S. privacy laws are not up to scratch,” he said.
Further, McEvoy said, Canadian privacy laws – split between federal and provincial jurisdictions, are considered adequate by Europe but do need examining. He said those in B.C., Alberta and Quebec as well as federal legislation need updating.
But, he added, those laws need reviewing in order to provide a level of protection prevailing in the EU.
McEvoy said companies moving large amounts of data should be aware of the ruling and its implications for their businesses.
@Jhainswo