Many questions follow in the wake of the European Court of Justice ruling invalidating the EU-U.S. Safe Harbor regime for the transfer of personal information. Companies will need to adapt in the long term to a new approach, but interim measures to ensure business continuity exist, and may create opportunity for businesses with Canadian operations.
In early October, the Court of Justice of the European Union struck down the 15-year-old decision of the European Commission recognizing the adequacy of protection for personal information when transferred from the EU to the U.S. within the framework of "safe harbor" privacy principles.1 This decision is expected to have significant long-term effects for companies engaged in multijurisdictional business, data processing, and litigation.
EU data protection laws prohibit the transfer of personal information to non-member countries unless they provide adequate protection for that information. The European Commission decided shortly after the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted that it provided an adequate level of protection for personal information as required by EU data protection laws. Accordingly, Canada was deemed to be a country that provides adequate privacy protection. However, the U.S. does not have federal legislation of general application comparable to PIPEDA or EU laws, so country-wide adequacy was not possible. The U.S. government and the European Commission therefore negotiated the safe-harbor framework of principles to permit U.S.-based organizations subject to Federal Trade Commission or Department of Transportation jurisdiction to self-certify that they provided such protection for information transferred from the EU. In 2000, the European Commission declared that organizations that adhered to the safe-harbor principles adequately protected personal information, and the framework has since been widely used to facilitate transfers from EU states to the U.S.
In its recent ruling, the EU Court found that the Commission decision on adequacy did not find that the U.S. as a country ensures an adequate level of protection for personal information and that the safe-harbor principles apply only to certain organizations that choose to adhere to them. Governmental authorities could override these protections by operation of national security laws, without sufficient oversight to ensure the protection of the privacy rights of EU...