Amazon’s announcement last week that it plans to establish Canadian-based data centres to address mounting fears over the privacy and surveillance implications of information stored in the United States highlights how businesses and consumers have become increasingly concerned with where their data is transferred and stored. Yet two unconnected developments – a recent European privacy decision and the Trans Pacific Partnership – could create a Canadian privacy problem that even local data centres will not solve.
The European case starts with Max Schrems, an Austrian law student, who became interested in privacy issues several years ago as a visitor at Santa Clara University in California. Concerned with the privacy implications of personal information collected by companies such as Facebook, he filed numerous complaints against the social media giant. While most were dismissed, one ended up before the European Court of Justice, which considered whether transferring data to the U.S. violated European privacy laws in light of the widespread use of government surveillance.
Last fall, the court shocked observers by siding with Schrems, effectively declaring the agreement that governs data transfers between the U.S. and European Union invalid. The decision sparked immediate concern among the thousands of companies that rely on the decade-old “safe harbour” agreement.
European law sets strict restrictions on data transfers to countries without “adequate” privacy protections (as determined by European officials). The U.S. and European Union avoided an earlier data battle by compromising on the safe harbour approach in which the U.S. agreed to enforce privacy violations and the EU agreed to overlook the absence of a national privacy law.
Given the Schrems decision, the future of the data transfers between the U.S. and the European Union remains up in the air, but the case could have implications that extend to other countries, including Canada. Canadian privacy law received an adequacy designation in 2001, but there is mounting concern that the finding may be at placed at risk in light of the ease with which U.S. surveillance practices may capture data coming from Canada.
In fact, the risk to data transfers between the Canada and the European Union extend beyond the immediate reaction to the Schrems case. The TPP, the massive Pacific trade deal that the Canadian government is currently considering for signature and ratification, could further complicate the issue by restricting the ability of Canadian officials to react to global privacy developments.
The TPP features a ban on the ability of member countries to establish restrictions on data transfers. Financial services are exempt from the rule since the U.S. Treasury wanted to ensure it could implement such requirements for its banking institutions. There is also a “public policy” exception. However, that exception relies on rules that have proven notoriously difficult to apply. If the European Union requires data transfer restrictions as a condition for maintaining the Canadian adequacy ruling, the TPP means that Canada may be unable to comply.
Interestingly, other TPP countries appear to have anticipated this issue and obtained additional privacy assurances from the U.S. For example, a TPP side letter between the U.S. and Australia features a U.S. promise to extend any privacy commitments in other trade agreements to Australia. Moreover, the same side letter promises to work to extend privacy protections to Australian data held by the U.S. government.
The side letter could prove important should the U.S. and European Union renegotiate the safe harbour agreement in order to address the concerns expressed in the Schrems case. While Australia would enjoy the benefits of additional protections, Canadian officials did not obtain a similar commitment.
The net effect of the Schrems case and the TPP provisions is that Canada could end up caught in a global privacy battle in which Europe restricts data transfers with Canada due to surveillance activities, the TPP restricts Canada’s ability to address European concerns, and the absence of a U.S. commitment means that Canada can’t count on it to provide Canadians with upgraded privacy protections.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.