How international privacy laws affect Canadian tech

A recent ruling by the EU could mean you need to review your data policies

Almost all of today’s emerging technology companies would identify their data as one of their primary assets. Agricultural technology collects data relating to crop growth; wearable technology collects data relating to our bodies and their movement; social networks collect data relating to our interactions; and financial technology collects data relating to our transactions. A company can mine that data and extract significant value, which directly influences their valuations and bottom line. It’s no wonder then that governments are increasingly focused on consumer protection when it comes to the use of that personal data.

Canadian technology companies are subject to Canadian privacy laws, and when cross-border data transfers occur, international privacy laws too. At the start of this month, there was an international legal development that has a major impact on any company relying on cross-border data transfers.

On October 6, 2015, the European Court of Justice delivered a ruling that invalidated the flagship privacy framework that regulated data transfers between the European Union and the United States. The “EU–US Safe Harbor” framework is now defunct, and here’s why that matters.

What is the Safe Harbor framework? 
The EU generally prohibits personal data from being transferred out of Europe, unless the receiving country has adequate data protections at a state level. There are only a handful of countries that the EU has recognized as having those adequate data protections—and Canada is one of them.

The U.S. has not been officially recognized in the same way (Snowden: 1, USA: 0). The Safe Harbor framework was built as a mechanism to allow U.S. companies to receive EU data despite that. And as a result of the recent ruling, any transfer of data now taking place from the EU to the U.S., in reliance on the Safe Harbor framework, is unlawful. 

Why it matters for Canadian companies
Safe Harbor was built for U.S. companies only, but that doesn’t mean it wasn’t important to Canadian companies. The EU general prohibition on data transfers to the U.S. applies not just to direct transfers but also to indirect transfers. This means that a Canadian company is just as affected by the Safe Harbor collapse if it is collecting personal data from the EU and, at any point, storing or processing such data in the U.S. (Amazon Web Services, anyone?). So if a Canadian company was relying on Safe Harbor in any way to make transfers to U.S. service providers, those transfers are now unlawful and need to be restructured or reconsidered.

Your action plan
If you’re a Canadian company, you’re in one of the strongest positions in the world to be collecting and using personal data from the EU. The EU has officially recognized the adequacy and strength of Canada’s current privacy laws. As long as you’re doing all your data storage and processing here in Canada or the EU, your presumed compliance with Canadian privacy laws makes you a leader in the international privacy world.

But if you’re a Canadian company that:

1. collects any personal information from the EU; and
2. at any point in your service chain, transfers any part or all of that information to the U.S. for storage, processing or any other use;

then it’s time to do a full review of your data policies to ensure that the recent events don’t expose you to legal risk and liability.

How to get that review started
1. Know your business: Know what kind of data you’re collecting from your users, and where it’s coming from and going to, geographically.
2. Data and privacy policy: Revisit your data and privacy policy to ensure that it accurately reflects the commercial realities of your business. Don’t fall into the trap of using a cookie-cutter agreement, and don’t pull something from the vast web that seems applicable. Your data collection and use is unique, and your privacy strategy should reflect that, making best use of our Canadian standards while also remaining current with international changes. This is an important area of legal exposure to protect against.
3. Consent: Review your data and privacy policy’s consent procedure. Are users affirmatively consenting to the data practices you’ve established?

Data protection, privacy and anti-spam laws have teeth, and regulators across the world will bite hard if they need to. So use this recent development as a motivator to get your data protected, so that you can continue to deliver the value on which you’ve built your business.

Geoff Dittrich is a corporate and commercial technology lawyer at Segev LLP, a boutique law firm in Vancouver with practice strengths in business and technology. He acts for growth stage technology companies as an outside general counsel and has broad experience in privacy and information management. This article is for informational purposes only and is not intended to be legal advice. The laws referenced in this article have been oversimplified. The commentary may not be applicable or advisable to your business based on your unique commercial realities. In any event, consult a lawyer before relying on any of the contents of this article. Special thanks to Sid Koshul for his contributions to this article.