BY COLIN BENNETT
One of the more popular clichés about the Internet is that it knows no geographical boundaries. So when we shop, blog, connect or communicate online, our personal data may be transmitted instantaneously across many national borders. Thus, when one jurisdiction changes the rules about how personal data should be protected, that decision can have ripple effects around the world.
That’s what happened last week when Europe’s highest court, the European Court of Justice, ruled that the ‘Safe Harbor’ arrangement that allowed companies to freely transfer personal data to the U.S. is illegal. The decision could have implications for Canada.
The story begins in the mid-1990s, when the European Union passed a directive that harmonized all European privacy laws and established some basic rules for the transfer of personal data across the continent. The directive also said that information on European citizens could not be sent outside the borders of the EU to countries that could not guarantee an “adequate level of protection.”
As a result, many jurisdictions, including Canada, passed legislation similar to the European model. The Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA, was passed in 2000 and imposes a common set of privacy standards across the private sector, gives individuals access to their data, and offers us some control over how our information should be used and disclosed. Canada was then deemed “adequate” and personal information on European consumers and employees could flow freely to companies located in this country.
The United States did not pass such a law. The Americans protested that their political system is different, and that their culture and values favored free flow over “data protection” (the way the Europeans frame the issue). American policy makers were not about to be told what to do by bureaucrats in Brussels. And U.S. companies lobbied vigorously against regulation.
At the same time, U.S. companies needed secure and legal ways to ensure the free flow of personal information to the United States. Individual contracts were considered unwieldy and time-consuming. So, about 15 years ago, they came up with the idea of a “Safe Harbor.” Companies would self-certify to a set of privacy principles, negotiated between the U.S. Department of Commerce and the European Commission.
At the same time, if it could be shown that a company had breached these principles, then it would be open to challenge before the Federal Trade Commission, which would be able to investigate and fine. And this has happened on a number of occasions. Over the years, about 4,000 companies have signed up.
There has been a lot of skepticism about this arrangement; none of this legal apparatus helps consumers that much. And there have been continued discussions between European and U.S. officials about its possible revision. But the Safe Harbor Agreement did enable certain American companies to continue their business in Europe, and transfer relevant data on consumers and employees to their servers in the U.S., without restriction.
Enter Max Schrems, a very smart Austrian law student, with a canny ability to mobilize supporters through social media and a dogged and fearless desire to expose corporate hypocrisy.
A few years ago, Schrems started an organization called Europe v. Facebook and began to systematically challenge Facebook’s privacy practices in European courts. Schrems and thousands of his colleagues tried to access their personal data from Facebook using European privacy laws, prompting changes in the company’s practices and causing headaches for the Irish Data Protection Authority (Facebook has chosen Ireland as its European HQ).
When Edward Snowden revealed, among other things, that U.S. intelligence authorities were gaining backdoor access to the servers of big Internet companies (including Facebook) through a program called Prism, Schrems saw another opportunity. How could the company respect the fundamental rights of European citizens to privacy if personal data on Europeans could be accessed by U.S. intelligence without oversight or accountability? He asked the Irish regulator to investigate the case and suspend Facebook’s data transfers to its servers in the U.S.
Facebook denied the allegations and the Irish authority refused to investigate on the grounds that Facebook was Safe Harbor-certified. Schrems’ complaint, it said, was “frivolous and vexatious.”
Not so, said the European Court of Justice. In a historic ruling, the court said that Schrems had a right to bring the case and that the Irish authority should have investigated. Regardless of any adequacy decision by the European Commission, the European authorities must be able to independently examine the lawfulness of transfers to other countries.
Furthermore, the court struck down Safe Harbor as invalid and inconsistent with Europeans’ fundamental rights to privacy.
It’s likely that the Europeans and Americans will cobble together another agreement over the coming months — Safe Harbor 2.0. In the meantime, companies will need to rely on other contractual mechanisms.
But the implications are huge — and not just for American companies. We in Canada should also take notice.
The message of this ruling is that no finding about the adequacy of overseas privacy protection is immune from challenge by a European citizen. Which means that no privacy regime is immune from investigation by European authorities.
And Canada is particularly vulnerable. The European Parliament already has raised some searching questions about the continued engagement of Canada in mass surveillance activities, as part of the ‘Five Eyes’ alliance. To the extent that Canada participates in similar generalized data collection through the Communications Security Establishment Canada (CSEC), and does so through capturing data from private companies, without adequate judicial oversight or rights of redress, Canada’s regime could also be challenged.
Canada’s new Anti-Terrorism Act (C-51) will no doubt also come under some scrutiny from European authorities. C-51 facilitates the sharing of information on individuals, broadens the definition of terrorist activities, and gives new powers to the Canadian Security Intelligence Service.
At one level, this may seem a rousing “David and Goliath” story that restores our faith in the ability of the little guy to make a difference. But it also raises profound questions about the nature of the Internet. Do we want this wonderful medium to be open, democratic and participatory? Or do we want it to be a tool for surveillance?
It would have been very nice to see our political leaders engage with these questions during this election. The future of the digital economy, and Canada’s role within that economy, should be matters for serious debate. So should the ability of individuals to communicate online without fear of surveillance.