Thoughts on the ECJ Passenger Name Record Data Decision

The European Court of Justice concluded that there were flaws in the agreement between the European Community and the Government of Canada regarding passenger name record data. The purpose of the agreement was to permit commercial airlines to send to the Canadian Board Services Agency (CBSA) information regarding passenger information on commercial flights departing the EU for Canada. The agreement was necessary, in part, because data can only be transferred from the EU to Canada if it is given adequate protection. An international commitment, such as the agreement between the EU and Canada, could form the basis of adequate protection.

So, what lessons can we learn from the ECJ’s July 26, 2017 opinion that the agreement provided inadequate protection to the personal information of European Union residents?

Lesson #1: Canada’s adequacy designation is limited

In recent weeks, there has been an uptick in “panic” over whether Canada’s adequacy designation will survive its next review when the EU’s General Data Protection Directive comes into force in May 2018. Calls for strengthening the Personal Information Protection and Electronic Documents Act (PIPEDA) are based on claims (so far unsubstantiated with any evidence) that Canada’s economy will be harmed by the loss of Canada’s adequacy ruling.

However, Canada’s adequacy ruling has always been limited, as the ECJ’s decision illustrates. It doesn’t cover data being transmitted to the CBSA and other Canadian governmental agencies. So the transfers needed to be legitimized by an agreement between the EU and Canada.

It isn’t just transfers of data to Canadian governmental agencies that fall outside of Canada’s adequacy ruling. The ruling only applies to transfers of data about European Union residents to organizations that are subject to PIPEDA. Since most employee data is not covered by PIPEDA, the ruling has always had a major hole in it. That hole was widened when the Article 29 Working Party (a group of EU Data Protection Authorities) declined to recommend Quebec for adequacy designation, even though Quebec’s privacy law has been declared by the Canadian government to be substantially similar to PIPEDA. This decision threw into doubt whether data can be transferred from the EU into Quebec and then used in Quebec under the adequacy ruling.

Lesson #2: Comity is the key issue

The ECJ’s issues with the passenger name record data transfers were essentially that the agreement just wasn’t precise enough. There is no suggestion that Canada has to change its laws.

Here’s where the agreement failed:

  • it did not specify the data fields that were going to be the subject of the data transfers
  • it failed to provide sufficient guarantees that the data would be used only to fight terrorism and international crime
  • it failed to commit to the principle that the models that would be used by Canada to automatically process the data would be reliable and non-discriminatory
  • it failed to commit that the data would only be used during the passenger’s stay in Canada and for a limited period after departure
  • it failed to commit to destroying data for passengers after their departure if there was no objective evidence of their being linked to terrorism or serious transnational crime
  • it failed to require the CBSA to notify passengers that their data had been used
  • it failed to commit to ensuring that any onward transfer by the CBSA to other agencies would be subject to similar protections
  • it failed to commit to only sharing data with governmental authorities of other countries with whom the EU had an agreement or that had an adequacy designation covering the recipients
  • it failed to commit to Canada being subject to any oversight body with respect to its use of the data

Fair enough. The EU wants to ensure that if it is authorizing the handover of data, Canada will respect the EU’s interest in protecting its residents. This isn’t about Canada’s laws or the EU requiring Canada to “measure up”. It is about commitments that the EU has made to its own residents and ensuring that Canada respects EU laws with respect to the data Canada gets from the EU. That’s just asking for substantive comity.

Lesson #3: Comity is compatible with independence

Canada can respect the EU’s vision of privacy rights for its residents without the necessity of abandoning its own public policy choices. An international agreement is an appropriate way to reconcile the two views. It isn’t necessary for one country simply to cede to the public policy choices of the other.

Motivated governments will find solutions. Look south of the border to the United States. Despite ongoing disputes between the EU and Silicon Valley companies, data is still flowing. It is open for governments to negotiate agreements directly with the EU in order to permit data flows. This is exactly what the US government did with the Safe Harbor Program and when that fell due to insufficient safeguards, the US government negotiated the Privacy Shield. If that goes, there will be another agreement or companies can enter into model clauses or binding corporate rules – essentially, voluntarily agreeing to abide by EU rules to do business in the EU. That’s not at all unusual in the world of consumer protection.

Whether Canada should or should not amend its own privacy laws is a question that Canadians should engage with in the context of their own vision of privacy and their own balancing of various human rights. It shouldn’t and doesn’t depend on the promises the EU has made to its own residents.

Interested in the ECJ Opinion? You can find it here.

Wait, Canada Doesn’t Rule the Internet?

Remember that worldwide injunction the Supreme Court of Canada upheld against Google? See Worldwide Injunction OK’d by SCC.

Well, round four just started. This time in the United States. The Supreme Court of Canada is not the last court of resort after all when dealing with who gets to block what on the Internet. Google has sought an injunction from the US District Court in Northern California to prevent enforcement of the Supreme Court of Canada’s judgment complaining that the Canadian courts “issued a novel worldwide order against Google, restricting what information an American company can provide to people inside of the United States and around the world.”

Google argues that the Canadian court failed to abide by the principles of international comity by placing “the Canadian court in the position of supervising the law enforcement activities of a foreign sovereign nation (the United States) against the United States’ own citizens on American soil.” Google argues that the order violates the First Amendment right to freedom of speech and erodes its immunity under the US Communications Decency Act.

You can find the complaint and the story over at
Prosecuting Deceptive Privacy Practices, FTC Weighs in on Security, Cybersecurity and Event Planning

Here are this week’s suggestions for summertime weekend reading resources!

  • Using Consumer Protection Statutes to Protect Privacy: Most Canadian provincial consumer protection statutes prohibit false, misleading or deceptive representations (see e.g. ss. 14-17 of the Ontario Consumer Protection Act). If the product or services involve the collection and use of personal information, these provisions could theoretically apply to representations about the company’s personal information handling practices. A deceptive practice could be prosecuted as a provincial offence. Fines for companies could be up to $250,000. Individual remedies are limited to rescission or damages (including exemplary damages). In the United States, several states have now expressly included misstatements regarding privacy practices in their consumer protection laws, signalling that State Attorneys General are serious about prosecuting deceptive privacy practices as a consumer protection issue. Baker Hostettler has an interesting comparison of three state laws that you can access here.
  • FTC Provides Guidance on Security: The FTC has been criticized for failing to provide fair warning of what it expects companies to do to protect and secure consumer data. Clearly, the FTC has listened to businesses and is publishing a series of blog posts to describe lessons learned in its investigations and enforcement actions. Read the July 21 post “Stick with Security” here. Upcoming posts can be found here.
  • Cybersecurity, Conferences, Event Planning: Cybersecurity should be on the list of considerations for corporate event planning. I’ve written a short article for my upcoming presentation at IncentiveWorks 2017 conference in August. You can read it here.

NAFTA and Privacy

On July 17, the United States Trade Representative (USTR) issued a Summary of Objectives for the renegotiation of the North American Free Trade Agreement among Canada, the United States and Mexico (NAFTA). There are a number of objectives that could affect Canada’s freedom to enact or maintain data localization measures. Data localization measures are rules that require data to remain in Canada.

In particular, the USTR wants to ensure the NAFTA countries:

  • refrain from imposing measures in the financial services sector that would restrict cross-border data flow or require the use or installation of servers and computing equipment in Canada
  • establish rules with respect to the digital trade in goods and services that would not restrict cross-border data flow or require the use or installation of servers and computing equipment in Canada

The USTR wishes to maintain broad exceptions for government procurement in order to deal with issues of national security. This could permit data localization laws, if there was a real security need to maintain data in Canada.

Currently, Canada has several laws that either require data localization or that could be interpreted as effectively requiring data localization. Moreover, many public institutions embed data localization requirements into their procurement policies. These data localization measures are usually justified on one or more of the following bases:

  • data localization is necessary in order for regulators to exercise their regulatory functions without being dependent on the aid of U.S. authorities
  • data localization provides Canada with the ability to provide Canadians with greater privacy protections than they would enjoy in the United States
  • Canadians do not have the same procedural rights when U.S. law enforcement or governmental authorities seek access to their data
  • Canada needs the freedom to carve a different path on privacy than the U.S. in order to preserve its position with Europe as an “adequate” jurisdiction to which data of European residents may be transferred

Most of these arguments tend to crumble under scrutiny, particularly when we consider how much data is shared with the United States and the number of mutual legal enforcement agreements that exist between the two countries.

A possible exception is the argument related to procedural rights. However, even here, the measures requiring localization tend to be confined to situations in which the entity seeking to transfer the data has the economic resources to address the issue through contractual or other means (such as public bodies in British Columbia). When it comes to individual consumers choosing to purchase goods and services from the U.S., they are largely on their own. Therefore, one wonders (as the USTR evidently does) whether these data localization policies are more about protecting industries and jobs than privacy and data protection.

Government Disruption of Fintech

The Canadian government is proposing an oversight framework that could result in significant disruption to the innovation taking place in Canadian financial technology. The public is invited to comment on the proposed “New Retail Payments Oversight Framework” by October 6, 2017.

There has been a sea change in the way Canadians pay for goods and services. The government cites statistics showing that the number of cash and cheque transactions fell precipitously, by 30% and 35% respectively, between 2008 and 2015. Meanwhile, the use of credit cards, debit cards, e-wallets and person-to-person transactions has increased exponentially.

Much of this growth appears to have been fueled by innovation in payments technology. Consumers may cheer for the choices that they now have. However, this innovation has shifted power away from a small group of financial institutions that dominated the Canadian payments system. This old guard provided stability to the payments system through well-ordered self-regulation and close working relationships with the Department of Finance, the Bank of Canada and the Office of the Superintendent of Financial Institutions. These institutions were effectively gatekeepers.

The government is clearly concerned about the erosion of effective oversight and has proposed a regulatory framework with long tentacles to combat perceived vulnerabilities in the electronic retail payments system. The government proposes to capture any payment service providers who perform any one of the following:

  • Provide and Maintain a Payment Account (providing and maintaining individual or group user accounts for the purposes of making electronic funds transfers)
  • Payment Initiation (enabling a user to initiate an electronic payment request)
  • Authorization and Transmission (allowing payment messages to be transmitted and/or facilitating the authorization of the payment)
  • Holding of Funds (maintaining funds in an account until withdrawn or transferred to third parties)
  • Clearing and Settlement (exchanging and processing payment items for settlement between institutions)

If the government proceeds with the proposed regulation, these providers would have to:

  • Register with a regulatory authority
  • Maintain trust accounts for funds that are not settled the same day
  • Create and maintain records that allow for the identification of funds held in trust and the beneficiaries
  • Comply with security and operational standards and business continuity planning to maintain the confidentiality and the integrity of the system
  • Conduct self-assessments or obtain independent assessments of their compliance with security and operational standards
  • Make consumer protection disclosures and provide dispute resolution processes
  • Provide consumers with indemnities for unauthorized transactions

Find full details on the proposed Oversight Framework and how to comment here.

PIPEDA Guide – Suggestions welcome

I’m in the midst of drafting the new edition of the Guide to the Personal Information Protection and Electronic Documents Act (LexisNexis). If you currently use the Guide, I would appreciate your advice on things you’d like to see expanded, shortened, or clarified. Is there anything missing that you would like me to discuss? How important is it to you that I compare PIPEDA to European and U.S. regulations? Now’s the time! If you don’t have a copy of the Guide, you can check it out here and let me know what would make it more useful to you.