In a bombshell decision in Schrems II released earlier today, the Court of Justice of the European Union (CJEU) held that the Commission decision finding the EU-US Privacy Shield to be adequate for transferring personal data to the U.S. is invalid. In what can only be seen as a double whammy, the CJEU also ruled that transferring personal data to the U.S. pursuant to standard data protection clauses adopted by the Commission could also be found to be invalid by local data protection authorities. For more detail about the decision, see the blog post by Michael Scherman and Keith Rose of McCarthy Tetrault, Schrems II: The Saga Continues.
The Schrems II decision followed the 2015 Schrems I decision of the CJEU that struck down the framework that underpinned the EU-US privacy safe harbor.
The Schrems II decision will have significant consequences for transfers of personal information from the EU to the U.S. It will directly affect Canadian companies, including multinationals, that do business in the U.S. and transfer personal information to the U.S. from the EU for processing or other uses. The decision also reinforces the risk, which arose after Schrems I, that the adequacy finding PIPEDA enjoys will one day be revisited.
Companies that transfer personal data from the U.S. should review the basis for the transfers. This should include reviewing major agreements with processors, outsourcers and hosting providers to ensure that all transfers to the U.S. may be lawfully continued.
For questions about the implications of the Schrems II decision, you may want to call a lawyer in the McCarthy Tetrault Cybersecurity, Privacy & Data Management group.