Brought to you by Dentons

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

The impact of Schrems II on Canada: No more onward transfer on the basis of the EU-US Privacy Shield

By Chantal Bernier
July 17, 2020
  • Cybersecurity
  • Privacy Rights

On July 16, 2020, the Court of Justice of the European Union (CJEU) delivered its decision in the case known as “Schrems II”. The decision recognizes the validity of Standard Contractual Clauses (SCCs) to transfer personal data outside of the European Union (EU), but invalidates the transfer of personal data from the EU to the US under the EU-US Privacy Shield.

These are the implications for Canadian companies under the Personal Information Protection and Electronic Documents Act (PIPEDA):

  • All transfers of personal data from the EU and the European Economic Area (EEA) to the US under the EU-US Privacy Shield or SCCs must be reassessed.
  • All such transfers on the basis of the EU-US Privacy Shield must be replaced by another legal basis for transfer, such as SCCs between organizations, Binding Corporate Rules among the affiliates of one organization, or individual consent.
  • Storage in Canada, under the adequacy status, or in the EU, therefore avoiding transfer, should be considered.
  • The legal regime in the countries of destination, even under SCCs, must be taken into account to ensure that local laws, for example surveillance laws, do not prevent compliance with the SCCs.

Twelve countries (full list here) can receive personal data from the EEA without SCCs between organizations or express consent from the individual. Under adequacy, the cross-border transfer of personal data is generally authorized.

While companies under PIPEDA can receive personal data from the EU without further authorization, they widely use SCCs or the EU-US Privacy Shield for onward transfer to the US, or where business partners require them for greater legal certainty.

For more information, please read the complete article.

About Chantal Bernier

Chantal Bernier leads Dentons’ Canadian Privacy and Cybersecurity practice group. She is also a member of the Firm’s Government Affairs and Public Policy group. Chantal advises leading-edge national and international companies as they expand into Canada and Europe, enter the e-commerce space, adopt data analytics and roll out data-based market initiatives. Her clients include ad tech companies, financial institutions, biotech companies, data analytics firms and government institutions.
