On July 16, 2020, the Court of Justice of the European Union (CJEU) delivered its decision in the case known as “Schrems II”. The decision recognizes the validity of Standard Contractual Clauses (SCCs) to transfer personal data outside of the European Union (EU), but invalidates the transfer of personal data from the EU to the US under the EU-US Privacy Shield.
These are the implications for Canadian companies under the Personal Information Protection and Electronic Documents Act (PIPEDA):
- All transfers of personal data from the EU and the European Economic Area (EEA) to the US under the EU-US Privacy Shield or SCCs must be reassessed.
- All such transfers on the basis of the EU-US Privacy Shield must be replaced by another legal basis for transfer, such as the SCCs, between organizations, Binding Corporate Rules, among the affiliates of one organization, or individual consent.
- Storage in Canada, under the adequacy status, or in the EU, therefore avoiding transfer, should be considered.
- The legal regime in the countries of destination, even under SCCs, must be taken into account to ensure that local laws, for example surveillance laws, do not prevent compliance with the SCCs.
Twelve countries (full list here) can receive personal data from the EEA without SCCs between organizations or express consent from the individual. Under adequacy, the cross-border transfer of personal data is generally authorized.
While companies under PIPEDA can receive personal data from the EU without further authorization, they widely use SCCs or the EU-US Privacy Shield for onward transfer to the US, or as business partners will require for greater legal certainty.
For more information, please read the complete article.