Privacy Shield Strikedown and Why You Should Care
Male: This is The Every Lawyer, presented by the Canadian Bar Association.
Marlisse Silver-Sweeney: We’re all sick of the phrase unprecedented times. But when it comes to data privacy, these are, at the very least, really interesting ones. Apps tracing COVID. European courts striking down data-transfer mechanisms. There is a lot going on. To help us make sense of it all, we have two guests today to talk about privacy law and some recent updates in this area.
Eduardo Ustaran is a partner with Hogan Lovells in London where he is co-head of the privacy and cybersecurity practice. He’s been actively involved in the development of the EU data protection framework. Eduardo will be speaking at the CBA Access to Information and Privacy Law Symposium taking place at the end of October and early November this year.
Timothy Banks is a technology lawyer at nNovation in Ottawa. He focuses on IT contracts, privacy, cybersecurity and Canada’s anti-spam legislation. He’s written extensively on Canada’s Personal Information Protection and Electronics Document Act, PIPEDA, and lectures for Osgoode’s Professional Development Program. He’s helping co-host the symposium. Thank you both for being here today.
So, I know there’s a global pandemic going on, but we’re going to put it aside for a minute and ask you what else is keeping you both up at night, particularly when it comes to privacy law right now? Eduardo, we’ll start with you because I heard that little laugh. So, let’s go straight into it.
Eduardo Ustaran: Yeah, I mean good question. I try not to be kept up at night by work, but during the day we are certainly very busy with all sorts of privacy-related developments and things going on. And of course, in Europe at least, the big development of the summer has been the Schrems II decision by the European Court of Justice. And that has generated, if not sleepless nights, at the very least many hours of work and many hours of discussion. So, that is certainly keeping us pretty busy.
Marlisse Silver-Sweeney: OK. And Timothy, I'll go to you in a moment but I actually just wanted to talk about that a little bit more with Eduardo. First of all, I'm glad that you’re not being kept up at night, that’s great. But tell me a little bit more about what you mean by that, the striking down. Is it the data-transfer mechanism?
Eduardo Ustaran: That’s right, yeah. So, the whole issue of international data transfers has always been a key challenging element of European data protection law. But as a result of the decision by the European Court of Justice in July on the Schrems II case, the outcome of that has been that there is a lot more questioning going on in terms of what mechanisms can be put in place to ensure that transfers of data from the EU to the U.S., and indeed to any other jurisdiction, are lawful. And to what extent anything can be done to avoid or at least mitigate disproportionate access to data by government agencies. And that is a real concern right now for many, many organizations worldwide, so that’s why that has become a big issue this summer.
Marlisse Silver-Sweeney: OK, that’s really interesting. And Tim, how about for you? So, Eduardo mentioned the United States, other jurisdictions. Is this something that you think about over here in Canada?
Timothy Banks: Most definitely it is a concern of mine that what we’re seeing amongst Canada’s major trading partners is sort of this loss of trust amongst different countries for the ability of other countries to protect personal information of their residents or citizens when it’s being transferred across borders. This breaking down of a consensus view, this breaking down of comedy between jurisdictions is concerning.
And it is connected to a worry that I see here in Canada of a shifting away from a very pragmatic approach to privacy protection in Canada to something that’s hardening into a more-narrow focus on privacy for privacy’s own sake, rather than in the past we’ve looked at it as one value amongst a field of other values and concerns. And I think we see that in this international data transfer issue between Europe and the United States, which the Canadian Federal Commissioner has jumped into the fray on. And we see him repeatedly telling parliament that our own law is inadequate to deal with international data transfers, and Commissioner Therrien would like to see more regulatory restrictions around that. So, I think it’s part of a general trend.
Marlisse Silver-Sweeney: Very interesting. OK, so it applies not just in the EU and those trading partners but particularly for Canada as well. I'm going to ask you both – because not all of our audience are privacy lawyers; indeed, I would suspect very few are – can you break it down for the non-privacy law specialists amongst us what European’s top court said, how it matters, what we actually mean by these data-transfer mechanisms? I am a trained lawyer but I'm a bit of a dummy when it comes to privacy law. Would you mind just breaking it down a bit more for me?
Eduardo Ustaran: Sure. And I'll give you a bit of context as well. And I would go a little bit back in times when you may remember Edward Snowden in, I think it was 2013, around that time, he managed to leak, through some media leak a number of documents that exposed the level of data access that the U.S. government and the U.S. intelligence agencies had. And that led to, at least in Europe, to a substantial degree of concern about this potentially disproportionate and possibly unjustifiable level of access to information coming from anywhere in the world.
So, that led to a complaint by someone called Max Schrems who at the time was a law student. And eventually that led to the original Schrems decision where the European Court of Justice, which is almost the Supreme Court of Europe if you want, decided that the mechanism that had been used at the time to transfer data in the context of Schrems’ complaint, the so-called safe harbour, was not sufficiently robust to protect personal data.
That eventually evolved into a follow-up complaint about other types of mechanisms. And therefore, this summer when we got the final judgement from the European Court of Justice, the main message – there were a number of messages, but the main message from the court was that, in the context of exports of data, transfers of data from the EU to the United States, the U.S. still had far too many powers to have access to data in a disproportionate manner. And the controls that were in place and that had been agreed with the European Commission following the original Schrems decision would not go far enough to protect the data in accordance with European standards.
So, what this has created is an attention that was already there but that now has been more exposed between, on the one hand, the very clear requirement under European law – which has existed for over 20 years – to protect data wherever it is in the world. And to ensure that data that is European data, personal data that is exported to other jurisdictions continues to be protected at the same level or with the same standards on the one hand. But of course, on the other hand, the ability of states of any country and the governments of those countries to have access to that data for any purposes, from law enforcement to national security and so on, and how to ensure that there is a balance between the two.
And what this case was about was essentially to try to address that balance and was saying, well in the U.S. at the moment the balance is on the side of the power of the government. And therefore, if you transfer data to the U.S., you need to ensure you put all appropriate and adequate safeguards to protect the data against that disproportion or potentially disproportionate access. So, that’s what this case is about and what the implications are.
Marlisse Silver-Sweeney: Wow. Well thank you for breaking it down like that for me. It makes it a lot clearer and I can see why it is such a big deal and so important. What about lawyers who aren’t practicing in the field of privacy law? What do they need to know? How does this affect their lives, their practices, advice that they might give clients?
Eduardo Ustaran: So, just going a little bit more in detail into the practicalities of this decision. What the court effectively said was that, in the event of any type of transfer – again, not just to the U.S. but to any jurisdiction – it was important to assess to what extent the data would be protected against this disproportionate access to data by governments. And therefore, that was an assessment that needed to be carried out, taking into account the nature of the data being transferred, the powers of the government involved and of course the protections in place. And taking all of that into account, one needed to ensure that the data was protected.
So, in terms of the work for all of us, any privacy professionals and anyone involved in this, is to undertake that type of assessment and then, on that basis, apply the appropriate safeguards, whether we’re talking of contractual safeguards or some more technical measures or some administrative measures, to prevent that level of access to data. And that is what we are all grappling with at the moment, to assess how much is good enough or what needs to be done to ensure that that level of protection meets those standards.
Marlisse Silver-Sweeney: And you’re not kept up at night. That is amazing, Eduardo. You have some good sleep skills or some good – you’re able to put your work life in a separate box. So, that seems like a huge monumental task. I wanted to turn now to you, Tim, and ask a little bit about what do you do to stay current on these types of international developments in privacy law?
Timothy Banks: Well it’s always a challenge, right? So, both for external council but also for in-house council, watching these developments in Europe and then federally here in Canada, new amendments in Quebec, potentially proposed new legislation in British Columbia, it remains to be seen but it’s possible our own federal government will make amendments to PIPEDA in order to attempt to maintain our own adequacy status under the GDPR in Europe. So, in order to keep on top of those things, you need to read widely and broadly, pay attention to experts in other fields, and really get a sense for where commissions and data protection authorities are moving, what their priorities are and what they might be – what might be keeping them up at night or keeping them concerned, in order to anticipate the directions that they may go.
You know here at home we know that our own federal commissioner has been concerned about international data transfers. And so, we can only expect that his office and the federal government, who’s concerned about trade with Europe, will be watching these developments carefully. And each will have their own agenda on how to kind of move forward with respect to Canada’s response to these developments.
And as you know from being a trade lawyer, our economy with the United States is so interconnected, and many Canadian organizations use U.S.-based cloud-computing infrastructure, as an example, and store their global data in the United States. So, even though we’re here in Canada, this decision that Eduardo has been discussing with us has a direct immediate day-to-day impact on lawyers here in – on organizations rather, here in Canada.
Marlisse Silver-Sweeney: Right, OK. That’s really interesting. And I was also, you mentioned some other updates to privacy in the field in Canada right now. What else are they? What else are you – what’s kind of on your radar right now, Tim?
Timothy Banks: Well, interestingly, you know this issue of data transfers has arisen in the Quebec proposed amendments. In Quebec, for the time Quebec is considering requiring organizations to consider the adequacy of the jurisdiction to which personal information is being transferred to, and take that into account in a sort of privacy impact assessment. So that’s very interesting and a new development and possibly will be picked up by other jurisdictions.
Another area here in Canada that seems inevitable will be catching up with Europe on the so-called right to be forgotten or the right of erasure. The federal privacy commissioner has been pushing for that for some time. The parliamentary committee that reviewed our Personal Information Protection and Electronic Documents Act and made a report about the suggested revisions also mentioned it and encouraged the government to give it further study. So that is another area that we may see more activity on this fall and winter from our federal government if they’re able to move a legislative agenda in this era of COVID.
Marlisse Silver-Sweeney: OK, interesting. So, it sounds a lot – and again, excuse my non-expertise in this area, but it sounds like Canada really looks to Europe and European privacy decisions to kind of guide our own. Is that fair to say? What’s the relationship, I guess I'm asking, between your practice and where you practice, Eduardo, based out of London, and Tim, yours in Ottawa?
Timothy Banks: I think that’s true. I think all the way along, from the initial enactment of PIPEDA right through to today, Canadian privacy commissioners and governments do look to Europe for developments in this area. And in part, that is of necessity. PIPEDA and the Alberta and British Columbia privacy legislation was enacted in an era in which Canada wanted to have an adequacy designation from the Europeans so that data could flow freely to Canada.
And it’s part of our aspiration, a long-term aspiration recently concluded in the European/ Canada free trade agreement to have closer trading relations with Europe generally and not just the United Kingdom. And so, having this ability to have data flow freely is seen as an important pillar in that relationship. So, we do look to Europe in order to understand what the developments there are and what expectations Europeans may have of Canada. And that necessarily then informs our legislative developments.
Marlisse Silver-Sweeney: Well thanks for breaking it down like that for me in that partnership. I've never seen it quite like that before and so it’s really instructive to me. Eduardo, if that’s the case, then you’re dealing with the fallout of the European top court decision about data-transfer mechanisms. But what’s next? What’s on your radar right now in your practice?
Eduardo Ustaran: Yes of course there are a number of things going on. And I think something which is very relevant in the context of what Tim is saying is that previously it’s a global issue in the same way that data is global, and of course international data transfers issue shows that. But there are a number of other things that are relevant in the context of previously developments that are global.
For example, what I'm seeing in Europe and around the world is that the whole idea of e-privacy, so the way in which our data collected from our interactions with the digital world and how that is used and how visible that is to us as individuals, that’s a universal challenge right now. And in Europe we have had laws to do with cookies and requiring consent for that sort of data collection and that’s changing. But there are other countries around the world that are looking at the same type of issues we have.
Any technological development that we’re seeing around the world, whether we’re talking about artificial intelligence or facial recognition, those are throwing at us very, very difficult privacy-related questions which, again, are being addressed in Europe and they’re being addressed everywhere else. And, as Tim is saying, Europe has been a real force in terms of driving a lot of this debate and we do see an element of perhaps consolidation in the thinking of policy makers and regulators around the world.
But of course, it’s really important to look at it from the wider perspective in terms of the different legal cultures and needs and systems that exist around the world, not just only from a European perspective. And I think it is that combination of technological developments, the whole globalization of data and of course the very important privacy implications of all that that are driving the debate right now everywhere.
Marlisse Silver-Sweeney: Right. How interesting the global importance. And that’s something that you’re speaking to in the CBA symposium on privacy, is that right? You’re giving an international update?
Eduardo Ustaran: Yes, and I'm sure there will be things that I say at the time are not even known today, because things are developing so fast that you almost want to wait until the last minute to prepare what you have to say. But yes, that’s the aim, to try to bring – of course from my perspective – a European flavour to all these international developments that we are seeing right now.
Marlisse Silver-Sweeney: Right, OK. And so, speaking of things that are rapidly changing, I can't have two privacy lawyers on a call and not ask how the pandemic is affecting your practice areas. Do people’s expectations of privacy change? Or do you see them changing right now? Should they be? What are your thoughts on this area?
Eduardo Ustaran: Well in Europe, because the pandemic came straight from Asia into Europe in sort of late February, early March, at that time there was a real need to very quickly assess the privacy implications of the whole sharing and collection of data, particularly health-related information, and all the complications behind collecting all this information so quickly and for such an important purpose. And therefore, as a result, the first few months of the pandemic crisis, in Europe at least, in March, April, May there were a lot of questions being raised in terms of to what extent data could be used and could be shared in the context of the fight against the pandemic.
And my position on this, by the way, has always been that privacy is crucial but data protection law does not get in the way of common sense. And I think this has shown how it’s really important to get both sides of the equation right in the sense that sharing data, using data, analyzing all of this information that we’ve been gathering and what we know about the pandemic and how it’s affecting people across the world is absolutely crucial.
Whilst, at the same time, these have to be respectful of the laws and the frameworks that exist around the world in terms of the use of information about individuals, particularly when we’re talking about health data and the sensitivity that it attracts. So, it’s been fascinating to see how something so relevant, so crucial to the state of the world right now is directly affected by privacy and cybersecurity considerations.
Marlisse Silver-Sweeney: Right. What a monumental task and how quickly you had to move too. And Tim, similar in Canada, different? What are you seeing?
Timothy Banks: I think very similar of course. And it’s an issue, the intersection between privacy and COVID-19 particularly around contact tracing and around exposure notification is so in the forefront of people’s minds. And it has really created a conversation around Canada’s lack of coordination in collecting statistics and data. We see calls for people to greater transparency by governments about where there are COVID hotspots, for example. Looking at the disproportionate impact upon racialized groups and others and trying to get data around that. And having this conversation that then takes place, this tension between privacy and data gathering is really happening out there in the open in the public discourse, and that’s very, very interesting.
And then I think there’s another layer that’s interesting from a privacy professional’s perspective because, in the run-up to the announcement and rollout of the COVID trace, the COVID exposure notification app here in Canada, privacy commissioners had to do evaluations of the privacy impact assessments that governments had done. And they did that in a fairly transparent way by issuing their own public reports. And so, that’s given both the public and privacy lawyers a kind of inside view of how the privacy commissioners are thinking through these issues, which has also been very instructive in this balancing of different interests, as Eduardo was mentioning.
Marlisse Silver-Sweeney: Well, thank you both so much for giving us such a comprehensive update about what you’re thinking about right now in terms of privacy law. And I don't know how you both sleep at night. There is a lot going on. What a rich and robust practice area that you both have. So, thank you both so much for being our guests today.
Eduardo Ustaran: Thank you.
Timothy Banks: Thank you.
Marlisse Silver-Sweeney: Thanks to both Eduardo and Timothy for breaking down all the recent updates, controversies and cases in the privacy space for us today. There’s a lot to think about.
If you’d like to hear more about these topics, be sure to consider attending the CBA Access to Information and Privacy Law Symposium. It takes place at the end of October and early November. Eduardo will be speaking in the international update section. For more information, check it out on the CBA’s website, and I'd love to hear your thoughts about the issues we discussed today.
Tweet to us at CBA_news, or you can reach me at my handle @MarlisseSS. We are on Spotify, Apple Podcasts and Stitcher, wherever you listen to podcasts. Subscribe to receive notifications for new episodes and leave us a review. We also have a podcast in French called Juriste branché. Thanks for listening. Stay tuned for the next episode.