The Trouble with the TPP yesterday examined the barriers to data localization requirements, an emerging policy choice for countries concerned with weak privacy protections once personal data is transferred outside the country. The TPP goes further in undermining potential privacy protections, however, as it also establishes a ban on data transfer restrictions (prior posts in the series include Day 1: US Blocks Balancing Provisions, Day 2: Locking in Digital Locks, Day 3: Copyright Term Extension, Day 4: Copyright Notice and Takedown Rules, Day 5: Rights Holders “Shall” vs. Users “May”, Day 6: Price of Entry, Day 7: Patent Term Extensions, Day 8: Locking in Biologics Protection, Day 9: Limits on Medical Devices and Pharma Data Collection, Day 10: Criminalization of Trade Secret Law, Day 11: Weak Privacy Standards, Day 12: Restrictions on Data Localization Requirements).
Data transfer restrictions are a key element of the European approach to privacy, which restricts data transfers to those countries with laws that meet the “adequacy” standard for protection. That approach is becoming increasingly popular, particularly in light of the Snowden revelations about governmental surveillance practices. Several TPP countries, including Malaysia, Singapore and Chile, are moving toward data transfer restrictions as are countries such as Brazil and Hong Kong.
The TPP’s restriction on data transfer limitations is very similar to the data localization provision. Article 14.11 states:
Each Party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.
The rule is subject the same general exception found in the data localization provision that the historical record overwhelmingly suggests will not work. As noted yesterday, a Public Citizen study found that the exception is illusory since the the requirements are so complex (each aspect must be met) that countries relying on the exception have failed in 43 out of 44 cases.
The problem for Canada with the TPP’s data transfer restriction goes beyond just the loss of a potential legislative tool to address privacy concerns. As I discuss in my weekly technology law column (Toronto Star version, homepage version), Canada could find itself in caught in a privacy perfect storm due to a European privacy decision and the TPP.
The European case starts with Max Schrems, an Austrian law student, who became interested in privacy issues several years ago as a visitor at Santa Clara University in California. Concerned with the privacy implications of personal information collected by companies such as Facebook, he filed numerous complaints against the social media giant. While most were dismissed, one ended up before the European Court of Justice, which considered whether transferring data to the U.S. violated European privacy laws in light of the widespread use of government surveillance.
Last fall, the court shocked observers by siding with Schrems, effectively declaring the agreement that governs data transfers between the U.S. and European Union invalid. The decision sparked immediate concern among the thousands of companies that rely on the decade-old “safe harbour” agreement.
As noted above, European law sets strict restrictions on data transfers to countries without “adequate” privacy protections (as determined by European officials). The U.S. and European Union avoided an earlier data battle by compromising on the safe harbour approach in which the U.S. agreed to enforce privacy violations and the EU agreed to overlook the absence of a national privacy law.
Given the Schrems decision, the future of the data transfers between the U.S. and the European Union remains up in the air, but the case could have implications that extend to other countries, including Canada. Canadian privacy law received an adequacy designation in 2001, but there is mounting concern that the finding may be at placed at risk in light of the ease with which U.S. surveillance practices may capture data coming from Canada.
In fact, the risk to data transfers between the Canada and the European Union extend beyond the immediate reaction to the Schrems case. If the European Union requires data transfer restrictions as a condition for maintaining the Canadian adequacy ruling, the TPP means that Canada may be unable to comply. The net effect of the Schrems case and the TPP provisions is that Canada could end up caught in a global privacy battle in which Europe restricts data transfers with Canada due to surveillance activities and the TPP restricts Canada’s ability address European concerns.