The EU Commission recently announced that it had come to an
agreement with the US on a new framework to facilitate data flows.
This announcement follows the decision by the Court of Justice of
the European Union (CJEU) in Schrems v Data Protection
Commissioner invalidating the traditional safe-harbour
here to view our earlier bulletin on the Schrems
The effect of the CJEU's decision in Schrems was to
invalidate the safe harbour principles on which companies used to
rely to transfer personal data from the European Union (EU) to the
United States (US). The CJEU was of the view that the revelations
by Edward Snowden demonstrated a broad and indiscriminate lawful
access regime in the US that is incompatible with EU data
protection laws. The EU Data Protection Directive requires that
information being transferred outside of the EU maintain an
adequate level of protection as compared to the safeguards that
exist under EU law.1 In Schrems the CJEU
reasoned that the ability of public agencies to apply broad
surveillance frustrates the ability of businesses to provide
meaningful data protection assurances with respect to data
transferred into the United States. Therefore, the CJEU found that
the safe harbour regime could not protect personal information
transferred from the EU to the US. The Schrems decision
created great uncertainty for a number of businesses, since the
global nature of business in today's marketplace often requires
the transfer of data between the EU and the US.
The Proposed Solution
The EU Commission recently issued a press release indicating that it had come to an
agreement with the US on a new framework for transatlantic data
flows that is consistent with the CJEU's requirements in
Schrems. The press release refers to the agreement as the
"EU-US Privacy Shield".
The EU-US Privacy Shield calls for increased cooperation between
the European Data Protection Authorities and the US Department of
Commerce and Federal Trade Commission. The arrangement includes a
commitment by US authorities that the possibility of lawful access
will be subject to greater limitations and oversight. The
arrangement will require:
Greater obligations on companies
handling personal information from the EU;
Increased safeguards and transparency
regarding US lawful access; and
Recourse mechanisms for EU citizens
whose data has been mishandled.
The EU-US Privacy Shield has not yet come into force. A draft
"adequacy decision" is currently being prepared for
approval by the College of Commissioners of the EU.
Implications for Canadians
The announcement of the EU-US Privacy Shield is an important
development. Firstly, the EU-US Privacy Shield will provide
Canadian businesses that transfer data between the EU and the US
with an approved mechanism to do so.
In addition, while the EU Commission has previously found that
the Personal Information Protection and Electronic Documents
Act ("PIPEDA") provides adequate protection for
personal information,2 the EU data protection regime is
rapidly developing. It is conceivable that Canada's data
protection regime will fall out of sync with the EU's and that
a similar decision to Schrems could complicate transfers
of EU data into Canada. The announcement of the EU-US Privacy
Shield demonstrates some flexibility on the part of the EU, and may
provide a precedent for an alternate form of arrangement if
PIPEDA's adequacy is ever challenged in the future.
1. EU Directive 95/46/EC, Art. 25(1).
2. 2002/2/EC: Commission Decision of 20 December 2001
pursuant to Directive 95/46/EC of the European Parliament and of
the Council on the adequate protection of personal data provided by
the Canadian Personal Information Protection and Electronic
Documents Act (notified under document number C(2001)
The foregoing provides only an overview and does not
constitute legal advice. Readers are cautioned against making any
decisions based on this material alone. Rather, specific legal
advice should be obtained.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).