Thoughts on the ECJ Passenger Name Record Data Decision

The European Court of Justice concluded that there were flaws in the agreement between the European Community and the Government of Canada regarding passenger name record data. The purpose of the agreement was to permit commercial airlines to send to the Canadian Board Services Agency (CBSA) information regarding passenger information on commercial flights departing the EU for Canada. The agreement was necessary, in part, because data can only be transferred from the EU to Canada if it is given adequate protection. An international commitment, such as the agreement between the EU and Canada, could form the basis of adequate protection.

So, what lessons can we learn from the ECJ’s July 26, 2017 opinion that the agreement provided inadequate protection to the personal information of European Union residents?

Lesson #1: Canada’s adequacy designation is limited

In recent week, there has been an uptick in “panic” over whether Canada’s adequacy designation will survive its next review when the EU’s General Data Protection Directive comes into force in May 2018. Calls for strengthening the Personal Information Protection and Electronic Documents Act (PIPEDA) are based on claims (so far unsubstantiated with any evidence) that Canada’s economy will be harmed by the loss of Canada’s adequacy ruling.

However, Canada’s adequacy ruling has always been limited, as the ECJ’s decision illustrates. It doesn’t cover data being transmitted to the CBSA and other Canadian governmental agencies. So the transfers needed to be legitimized by an agreement between the EU and Canada.

It isn’t just transfers of data to Canadian governmental agencies that fall outside of Canada’s adequacy ruling. The ruling only applies to transfers of data about European Union residents to organizations that are subject to PIPEDA. Since most employee data is not covered by PIPEDA, the ruling has always had a major hole in it. That hole was widened when the Article 29 Working Party (a group of EU Data Protection Authorities) declined to recommend Quebec for adequacy designation, even though Quebec’s privacy law has been declared by the Canadian government to be substantially similar to PIPEDA. This decision threw into doubt whether data can be transferred from the EU into Quebec and then used in Quebec under the adequacy ruling.

Lesson #2: Comity is the key issue

The ECJ’s issues with the passenger name record data transfers were essentially that the agreement just wasn’t precise enough. There is no suggestion that Canada has to change its laws.

Here’s where the agreement failed:

  • it did not specify the specific data fields that were going to be the subject of the data transfers
  • it failed to provide sufficient guarantees that the data would be used to fight terrorism and international crime
  • it failed to commit to the principle that the models that would be used by Canada to automatically process the data would be reliable and non-discriminatory
  • it failed to commit that the data would only be used during the passenger’s stay in Canada and for a limited period after departure
  • it failed to commit to destroy data for passengers after their departure if there was no objective evidence of being linked to terrorism or serious transnational crime
  • It failed to require the CBSA to notify passengers that their data had been used
  • it failed to commit to ensuring any onward transfer by the CBSA to other agencies would be subject to similar protections
  • it failed to commit to only sharing data with governmental authorities of other countries with whom the EU had an agreement or that had an adequacy designation covering the recipients
  • it failed to commit to Canada being subject to any oversight body with respect to its use of the data.

Fair enough. The EU wants to ensure that if it is authorizing the hand over of data, Canada will respect the EU’s interest in protecting its residents. This isn’t about Canada’s laws or the EU requiring Canada to “measure up”. It is about commitments that the EU has made to its own residents and ensuring that Canada respects EU laws with respect to the data Canada gets from the EU. That’s just asking for substantive comity.

Lesson #3: Comity is compatible with independence

Canada can respect the EU’s vision of privacy rights for its residents without the necessity of abandoning its own public policy choices. An international agreement is an appropriate way to reconcile the two views. It isn’t necessary for one country simply to cede to the public policy choices of the other.

Motivated governments will find solutions. Look south of the border to the United States. Despite ongoing disputes between the EU and Silicon Valley companies, data is still flowing. It is open for governments to negotiate agreements directly with the EU in order to permit data flows. This is exactly what the US government did with the Safe Harbor Program and when that fell due to insufficient safeguards, the US government negotiated the Privacy Shield. If that goes, there will be another agreement or companies can enter into model clauses or binding corporate rules – essentially, voluntarily agreeing to abide by EU rules to do business in the EU. That’s not at all unusual in the world of consumer protection.

Whether Canada should or should not amend its own privacy laws is a question that Canadians should engage in in the context of their own vision of privacy and their own balancing of various human rights. It shouldn’t and doesn’t depend on the promises the EU has made to its own residents.

Interested in the ECJ Opinion? You can find it here.

Update on “All-In” Travel Industry Pricing

The Ontario government is proposing to extend the “all-in pricing” rule to cover travel agents and wholesalers located outside of Ontario who target their advertising of travel services to Ontarians. Since January 1, 2017, travel agents and wholesalers located in Ontario who are subject to the Travel Industry Act, 2002 must advertise all-in pricing.

However, the 2017 all-in pricing rule has major gaps because it only applies to wholesalers and travel agents who are located in or have employees in Ontario. As a result of the shift in consumer purchasing habits in the travel industry, the vast majority of travel bookings are now online either directly with the travel service provider or through online wholesalers. Drawing on an Ipsos survey, the Ministry of Government and Consumer Services estimates that 44% of consumers book directly with the travel service provider (airline or hotel) and 27% book using online travel sites. Only 14% book using a store front travel agency.

The proposal is part of the Ministry of Government and Consumer Services consultation on updating travel industry regulations in Ontario. The Ministry is also proposing to grant the Travel Industry Council of Ontario new enforcement tools, including the ability to issue administrative penalties to those who contravene these requirements.

Comments on the Ministry’s Phase 2 report are due July 24, 2017.

For a copy of the Phase 2 report and to learn more, visit the Ministry website here.