EU–US Privacy Shield Ends, Canada Keeps Adequacy Status

Canada's data privacy laws in alignment with the EU's GDPR

Canadian forest and flag

A battle between privacy and surveillance has ended in a court decision that invalidates the EU-US Data Privacy Shield. The July 16, 2020 Schrems II decision in the Court of Justice of the European Union no longer allows the transfer of personal information of EU citizens to the U.S. under the EU-US Privacy Shield framework on the basis that the U.S. cannot assure the same level of data protection equivalent to that guaranteed by the EU’s General Data Protection Regulation (GDPR).

The Privacy Shield, valid since August 1, 2016, provided a data transfer framework relied upon by over 5,300 United States companies conducting more than $7 trillion in commercial transactions with European organizations. The decision to end the agreement with the U.S. took effect abruptly with no grace period, leaving many companies uncertain over how to conduct business involving data transfers from abroad. 

Many organizations will now lean on alternate data transfer mechanisms like standard contractual clauses (SCCs) and binding corporate rules (BCRs) as they apply to Canadian operations, as the Schrems II decision maintained validity of SCCs issued by the European Commission for the transfer of personal data outside of the EU, subject to additional assurances around the adequacy of those alternative mechanisms. 

What is Privacy Shield?

Privacy Shield is a voluntary set of standards designed to provide assurances that European citizens are adequately protected under EU data protection laws when their personal information is transferred outside the EU to the United States. Prior to the invalidation, compliance with the EU-US Privacy Shield was generally understood to mean the subject data transfer met the privacy standards of the EU’s GDPR

The GDPR began imposing restrictions on the transfer of personal data outside the European Union in April 2016. Leading up to the May 2018 deadline for compliance, companies in the EU, Canada, the United States and elsewhere, conformed their supplier, customer, and other third party agreements to comply with requirements under GDPR by including express security and data processing safeguards in those agreements. U.S. privacy laws did not meet “adequacy status” on their own to sufficiently protect EU data, but operating under Privacy Shield framework enhanced the data protection posture to enable EU-US data transfers in compliance with the new EU law. 

What is Canada’s current status?  

The EU granted Canada “adequacy status” in 2001 (reaffirmed in 2006), recognizing that in Canada privacy is considered a human right. In Canada, citizen data is protected under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and offers a level of protection in alignment with the EU's GDPR, making it easier for Canadian companies to do business in Europe.

Using Canada as a data processing centre may be an easier alternative to comply with GDPR data privacy requirements, especially for multinational businesses that already have Canadian operations. It could help U.S.-based companies avoid major procedural changes to meet privacy standards by shifting data processing operations to Canada to stay compliant in this evolving privacy landscape currently at issue. 

Docusign is a good example, where the Canadian entity Docusign Canada Ltd. already has two on-shore datacentres, one in Toronto and one in Quebec City. Given the importance of protecting Personal Identifiable Information (PII), and the further requirement of certain provinces to keep that data within Canadian borders, Docusign Canada fully complies with data residency and data privacy requirements using Microsoft Azure Cloud Canada datacentres.

The path forward

The launch of the National Digital and Data Consultation in June 2018 is Canada’s commitment to examine and reform the federal privacy act to drive forward its stated purpose of “maintaining trust and confidence in the marketplace” in the context of modern information exchange.

As Canada strengthens privacy protections for the digital age and additionally works to harmonize with data protection laws globally, it positions us well as commercial leaders and competitors, while honouring the privacy of citizens and stakeholders who choose to park their data safely within our borders.  

Learn how Docusign Insight uses AI to analyze privacy clauses in your agreements.  

Contribution by: Stuart Brock, Esq.*, Sr. Agreement Cloud Strategy Practice Director, Docusign This blog is offered for general information purposes. It is not intended as, nor is it a substitute for, legal advice.