New EU-US Safe Harbour Agreement

Michael Decicco and Eryn Fanjoy

On February 2, 2016, the European Commission announced that it reached a deal to replace the EU-US Safe Harbour framework that was declared invalid last year by the Court of Justice of the European Union (CJEU).  Referred to as the “EU-US Privacy Shield”, the new framework should provide businesses with guidance for the safe transfer of personal information of citizens of the European Union (EU) to the United States. 

Background

The CJEU declared the old Safe Harbour framework invalid on October 6, 2015.  Under the EU Data Protection Directive, the personal information of EU citizens can only be transferred from the EU to countries with adequate data protection standards. The old Safe Harbour agreement, negotiated between the European Commission and the United States Department of Commerce, was one of a number of mechanisms available to EU businesses to ensure there was an adequate level of protection when transferring personal data of EU citizens to the United States. One of the CJEU’s primary concerns with the old framework was the massive and indiscriminate surveillance of personal information of EU citizens in the United States, which was viewed as incompatible with the “fundamental rights” of EU citizens. 

 Regulators provided a grace period ending January 31, 2016 for the negotiation of a new agreement, during which European Data Protection Agencies would not pursue penalties against businesses improperly transferring personal information of EU citizens from the EU to the United States.

Features of the New Framework

While the terms of the new agreement have not been settled, the European Commission released some details of the EU-US Privacy Shield.

  • Obligations on businesses in the United States with respect to personal information of EU citizens and enforcement mechanisms: Similar to the original Safe Harbour, businesses in the United States will need to commit to obligations regarding how personal information will be processed and how individual rights will be guaranteed.  The Department of Commerce will ensure that businesses publish their commitments and the Federal Trade Commission will be enforce these commitments.

  • Transparency and safeguards relating to United States government access: The United States government has given assurances that personal information of EU citizens transferred to the United States will not be subject to government mass surveillance programs, and that access to such personal information for law enforcement and national security purposes will be subject to limitations, safeguards and oversight mechanisms.

  • Remedies: Companies operating under the new framework will have deadlines to reply to complaints.  European data protection authorities may refer complaints to the Department of Commerce and the Federal Trade Commission.  Any dispute resolution mechanisms offered under the EU-US Privacy Shield will be free of charge.  For complaints relating to possible access by national intelligence authorities, EU citizens may issue a complaint with a new dedicated ombudsperson based in the United States.

Next Steps

The European Commission must prepare an adequacy decision to approve the EU-US Privacy Shield as a valid data transfer mechanism under the EU Data Protection Directive, which is expected to take several weeks.  Once prepared, the adequacy decision must be adopted by the College of EU Commissioners after receiving and considering the advice of the Article 29 Working Party.  Authorities in the United States will need to take various actions, including establishing the ombudsperson and implementing monitoring mechanisms.

EU-US safe harbour for data transfers declared invalid - Canadian implications

Michael Decicco

On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the decision underlying the European Union’s (EU) safe harbor structure for cross-border data transfers from the EU to the United States in Schrems v. Data Protection Commissioner of Ireland (Schrems).  Shortly following the CJEU’s decision, the Article 29 Data Protection Working Party (Working Party) issued a statement outlining its views as to the consequences of the CJEU decision in Schrems.  The decision may directly impact Canadian businesses which transfer data from the EU to the United States or which host data in the United States.

Safe Harbor and Schrems

Under the EU Data Protection Directive, personal information of EU citizens can only be transferred from the EU to countries with adequate data protection standards.  Safe Harbour, which was negotiated between the European Commission and the United States Department of Commerce, was one of a number of mechanisms available to EU companies to ensure there was an adequate level of protection when transferring personal data of EU citizens to the United States.  To benefit from Safe Harbour, a company was required to self-certify to the United States Department of Commerce that it complied with specified EU privacy standards. 

In Schrems, the CJEU declared Safe Harbor invalid.  The CJEU held that ensuring an adequate level of data protection for EU citizens, as is required by the EU Data Protection Directive, means providing “a level of protection of fundamental right and freedoms that is essentially equivalent to that guaranteed within the European Union.” The CJEU found that Safe Harbor failed to meet this standard since it did not prohibit the United States government from collecting and examining the personal information of EU citizens.

The Working Party’s Opinion

The Working Party is an advisory board consisting of EU data protection authorities and was created pursuant to the EU Data Protection Directive.  The views of the Working Party are typically followed by EU regulators.

On October 16, 2015, the Working Party issued a statement which noted that it was still considering Schrems and acknowledged the uncertainty Schrems has created. The Working Party confirmed that certain other mechanisms permitting the transfer of EU citizens’ personal information to the United States will remain valid, such as the “Standard Contractual Clauses and Binding Corporate Rules”. However, the Working Party noted that this will not prevent EU data protection authorities from investigating individual cases.

The Working Party emphasized the need for EU data protection authorities to have a “robust, collective and common position” to successfully implement Schrems. The statement adopts the position that the core element to Schrems was the issue of massive and indiscriminate surveillance in the United States, which the Working Party previously stated is incompatible with EU law.

In addition, the Working Party called on EU member states and institutions to enter discussions with the United States in order to find political, technical and legal solutions to enable transfers of personal information to the United States, while respecting the fundamental rights of EU citizens. The Working Party stressed the need for “clear and binding mechanisms”, as well as “obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights”.

Canadian Implications

In light of Schrems and the Working Party’s statement, it is likely that any future decisions by EU data protection authorities with respect to adequate levels of protection under EU safe harbour rules will include an analysis of the laws and agreements regarding data transfer of the country to which EU citizens’ personal information is being transferred.  It will be worthwhile to monitor future decisions of EU data protection authorities and whether they call any other safe harbour structures into question.

Canadian businesses which rely on Safe Harbour to transfer personal information of EU citizens from their operations in the EU to the United States or which host personal information of EU citizens with service providers operating in the United States should promptly work to adopt one of the alternative means available to comply with the EU Data Protection Directive.

Many business concerns remain following revisions to anti-spam regulations

David Elder -

Much-anticipated revisions to the originally proposed Electronic Commerce Protection Regulations provide some useful clarifications and additional exemptions with respect to Canada’s Anti-Spam Law (CASL), but many concerns remain with respect to the potential over-reach of the not-yet-in-force law and the unnecessary and burdensome financial and administrative obligations that it may impose on legitimate business activity.

In fact, while the revised Regulations do respond to some of the concerns raised with respect to the previously proposed regulations – and indeed, the Act as a whole - the new Regulations may be more notable for what they don’t include than for what they do cover. 

In this regard, many of the issues raised and exemptions requested by the business community following the pre-publication of the original proposed Regulations have not been accommodated, including:

  • Accepting as valid under CASL consents to the receipt of commercial electronic messages that are obtained in compliance with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act.  In the explanatory remarks accompanying the proposed Regulations, the Government explicitly indicates that CASL is intended to create a higher threshold for consent for the receipt of commercial electronic messages.
     
  • Allowing Canadian businesses to send, on behalf of foreign organizations, commercial electronic messages to recipients outside of Canada.  Concerned with the potential for abuse by spammers, the Government rejected submissions that the lack of an exemption for such activity would put Canadian outsourcing and cloud computing firms at a significant disadvantage with respect to their foreign counterparts.
     
  • Allowing manufacturers without a direct relationship with end users of their products (such as where the products are purchased from a retailer) to send commercial electronic messages to those end users.  The Government rejected an exemption for manufacturers as too broad, but as noted below, has created new exemptions with respect to sending warranty and recall information.
     
  • Reducing the complexity of the requirements for the collection and withdrawal of consent for the receipt of commercial electronic messages sent by as-yet-unknown third parties.  The Regulations continue to require organizations collecting such consents on behalf of such third party organizations to engage in detailed tracking of such consents and take responsibility for the actions of such third parties.
     
  • Expanding the “existing business relationship” exemption to include legitimate commercial electronic messages sent in the context of additional ongoing business relationships, which do not clearly fall within the narrow definition of the current exemption.

Nevertheless, the revised regulations do provide some clarification of key legislative terms, as well as new exemptions for business activities that were not intended to be within the scope of CASL.  Moreover, the Government has indicated that Industry Canada and the CRTC are exploring the use of interpretational guidelines and other guidance material to provide clarity where appropriate.

Virtual Friends

One such clarification is that the revised Regulations amend the previous definition of “personal relationship” so as to correct what many argued was an unduly narrow exemption from the anti-spam requirements for commercial electronic messages sent between individuals.

CASL provides that its core anti-spam provision does not apply to commercial electronic messages that are sent by an individual to another individual with whom they have a “personal or family relationship.”  However, in the original regulations proposed by Industry Canada, the term “personal relationship” was defined so as to recognize only those relationships where the individuals concerned had actually met face-to-face within the previous 2 years.

The revised Regulations exempt commercial electronic messages sent between individuals who have had direct, voluntary two-way communications, in circumstances where it would be reasonable to conclude that the relationship is personal.  In reaching such a conclusion, all relevant factors are to be considered, including the nature and frequency of such communications, the length of time over which the parties have communicated and whether the parties have met in person.  The two-year limitation period has been removed.  Recipients of exempted “personal relationship” messages may opt-out of receipt of such messages, in which case the exemption no longer applies.

The exemption may be most relevant for businesses where they may facilitate or encourage customers to send commercial electronic messages to their personal networks, such as through “forward to a friend” features.

B2B Exemptions

One of the chief criticisms of the earlier regulations, and of CASL as a whole, has been that the since the definition of “commercial electronic message” is so broad, the Act could impose unnecessary consent and disclosure requirements on regular business communications that should not be within the scope of the law.

In response, the revised Regulations introduce new exemptions for commercial electronic messages sent within a business, or sent between businesses that are already in a business relationship, where the messages are sent by employees, representatives, contractors or franchisee and the message concerns the organization or the individual recipient’s role, functions or duties within or on behalf of the organization.

Messages in Response

Again, due to the broad definition of “commercial electronic message”, concerns were raised that businesses responding to inquiries could be caught by the anti-spam law.  While CASL includes an exemption for individuals contacting an organization to inquire about its business, there was no corresponding exemption with respect to the organization’s response.

Accordingly, the revised regulations include a new exemption for commercial electronic messages that are sent in response to a request, inquiry or complaint, or that is otherwise solicited by the recipient.

Incidentally in Canada

One of the key concerns of many foreign companies was that CASL applies to commercial electronic messages that are either sent from or accessed through a computer system located in Canada.  Accordingly, concerns arose about the potential application of the law to commercial electronic messages sent from outside Canada, to recipients who are ordinarily resident outside Canada, but who may access such messages during visits to Canada.

A new provision in the revised Regulations appears to largely satisfy this concern, by exempting such messages, provided that they relate to a product, good, service or organization located or provided outside Canada, and that the sender did not know and could not reasonably be expected to know that the message would be accessed using a computer system located in Canada.  However, uncertainties still remain, for example with respect to the treatment of a non-Canadian sender who also makes the product or service in question available through a Canadian subsidiary or affiliate.

Non-Transactional Business Communications

The revised Regulations also include a new provision exempting commercial electronic messages sent for purposes relating to the satisfaction, notification or enforcement of legal or juridical rights and obligations, such as sending warranty or recall information, electronic bank statements, notices of copyright infringement, etc..  Again, such an explicit exemption was considered necessary by some in view of the broad definition of commercial electronic message found in the Act.

Referral Messages

The revised Regulations contain a new exemption for commercial electronic messages sent based on a referral by one or more individuals, where such individuals have an existing business or non-business relationship or a personal or family relationship with the sender and the recipient.  The exemption applies only to the first commercial electronic message sent to contact the recipient, and the message must disclose the full name of the referring individual or individuals.  Several stakeholders had previously expressed concern that without such an exemption, they could not directly act upon referrals from friends, family and clients without first obtaining consent.

Telecom Service Provider Software

Finally, the revised regulations add two types of telecom service provider (TSP) software to the list of specified computer programs (such as HTML code, Java scripts, cookies, etc.), for which express consent is assumed if the individual’s conduct leads to a reasonable belief that they consent to such an installation.  The new exemptions relate to TSP programs to prevent unauthorized or fraudulent use of a service or system, or to update or upgrade systems on their networks.

Next Steps

While passed into law in December 2010, CASL has yet to be proclaimed in force, in part because the Government was awaiting the finalization of two sets of regulations: one to be made by Industry Canada, and one to be made by the CRTC.  The Electronic Commerce Protection Regulations (CRTC) were finalized last year, and the CRTC has issued two interpretation bulletins to provide guidance as to how it intends to apply those Regulations.

The proposed revisions to the remaining Electronic Commerce Protection Regulations were officially published for comment on January 5th, 2013, starting CASL on the final leg of its long journey to coming into force.  Following a 30 day comment period, it is expected that the Regulations will be finalized, and a date will be announced for the coming into force of the new anti-spam regime.

Cloud computing and Canadian federally regulated financial institutions

Wesley Ng and Stuart Carruthers  -

Cloud computing has grown significantly in the last few years. A Gartner Executive Program survey of more than 2,000 Chief Information Officers (CIOs), representing 50 countries and 38 industries, found that cloud computing is the number one technology priority for 2011. Fully 43% of the CIOs expected that a majority of their IT will be running “in the cloud” within four years. In its updated June 2011 forecast of Information Technology spending, Gartner stated that cloud computing expenditures are likely to rise by 16-20% per year through 2015, representing 4% of global IT spending by the end of that period. Richard Gordon, research vice president at Gartner, noted that expenditures for cloud computing services grew four times faster than overall IT spending.

What is Cloud Computing?

The term "cloud computing" has been used to refer to almost anything from the ability to access virtual servers over the Internet to the consumption of any information technology service situated outside an organization's infrastructure. The more precise technical meaning, however, is expressed in the following draft definition published by the U.S. Government's National Institute of Standards and Technology:

[A] model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

As this suggests, the key feature of cloud computing is the ability to access a remote, shared IT infrastructure on an as-needed basis. 

Benefits of Cloud Computing

There are many benefits of cloud computing, including that organizations that use cloud computing are not required to maintain their own localized infrastructures to support the services; rather, they pay for the use of technology resources only when and to the extent that they actually need them. As a result, users can avoid the expense of setting up and looking after in-house infrastructure. Among other things, this allows organizations to replace up-front capital expenditures with a more fluid operational expenditure that more closely tracks actual business activity. Further, because cloud computing services are available to multiple users leveraging the same infrastructure, the cloud service provider is typically able to achieve significant economies of scale, producing additional savings for its customers.

Federally Regulated Entities under OSFI Guideline B-10

Guideline B-10 of the Office of the Superintendent of Financial Institutions (Canada) (OSFI) governs cloud computing arrangements (and other outsourcing agreements) entered into by Federally Regulated Entities (FREs).  For the purposes of the Guideline, the term "FRE" encompasses all Canadian banks, insurance companies, fraternal benefit societies, trust and loan companies and cooperative credit associations and Canadian branches of foreign banks and insurance companies.

Guideline B-10 imposes overall accountability and control requirements, and requires an assessment of the materiality of an outsourcing arrangement and the implementation of a risk management program (the scope and nature of which will vary depending on the materiality of the outsourcing arrangement in question).

B-10 and Cloud Computing

Many of the issues that cloud computing raises for FREs are not unique to cloud computing; they exist in the context of any outsourcing. Nevertheless, cloud computing involves a host of inherent risks, including the use of shared resources; the use of multiple dynamic data transfer routes (to minimize bandwidth usage); dependency on a commoditized, non-customized, volume-based solution; and the use of infrastructure scattered over multiple locations (often in low-cost centres with minimal legislative data protection obligations). The significance of the issues involved in cloud computing will largely depend on the materiality and nature of the services obtained. It would be prudent for FREs to consider the following issues in connection with the development of their cloud computing strategies:

1) Data commingling and segregation
The use of shared virtual infrastructure may create data commingling and segregation issues. B-10 requires service providers to be capable of isolating an FRE's data, records and items in process from those of other customers at all times. As a precondition of entering into a cloud computing arrangement which is subject to B-10, an FRE must therefore determine whether the cloud service provider can offer the service in a manner that permits proper data segregation.

2) Accessibility of confidential information
The nature of cloud computing - including the ability for multiple entities to access shared resources and the use of multiple locations across low cost regions - can create data security and privacy issues. B-10 requires the FRE to ensure that security and confidentiality policies of the cloud computing service provider are commensurate with those of the FRE, which should ensure that all necessary protections are in place to secure the confidentiality of the data provided to the cloud infrastructure. In particular, contractual provisions should clearly define who has responsibility for protection mechanisms, the information that is covered by such protections, the ability of either party to modify security procedures and requirements and notification obligations of the cloud service provider should any confidentiality or security breach occur.

3) Business continuity
The FRE's business continuity plans must address all reasonably foreseeable situations in which a cloud service provider may be unable to continue to provide services at the required levels. Most importantly, in the context of any business interruption affecting the cloud service provider, the FRE should ensure that it has access to all necessary records to allow it to continue its business operations and meet any statutory obligations or other obligations to OSFI.

4) Data location
A cloud service provider's infrastructure and software may be dispersed across multiple locations across the globe. This may be problematic for FREs since B-10 requires the contract governing the provision of the cloud services to identify the nature and scope of the services, including specification of the physical location where the services are being provided. While this may be possible at the outset of a cloud computing arrangement, the dynamic nature of cloud computing means that regular updates should be contemplated under the contract in order to address any shift in the location of the information technology infrastructure supporting the services. In addition, contractual provisions to address any deficiencies in legislated privacy protections and issues relating to access rights of foreign governments and their regulatory agencies should be considered.

5) Subcontractors
Many cloud service providers enter into subcontracts for additional virtual technology infrastructure on an as-needed basis. FREs need to ensure that subcontracting limitations are imposed to ensure that all such subcontractors are subject to the same security, confidentiality and audit obligations as the cloud service provider.

6) Monitoring cloud arrangements
The nature of cloud computing can make monitoring and auditing the arrangements difficult. B-10 requires that the FRE be able to monitor the services to ensure that they are being delivered in accordance with the FRE's requirements. The FRE must be capable of evaluating the cloud service provider from time to time, including its internal controls (which may be satisfied through the provision of a SAS70 or analogous control report). The FRE must carefully consider how best to ensure that the necessary monitoring can occur, based on the service model and geographic territory of the services being provided, as well as on the level of monitoring required (given the risks presented by the cloud computing arrangements in question).

7) e-Discovery
While not specific to FREs, some thought should be given to the growing need to facilitate e-discovery (the production of electronic data and information required in the "discovery" process that occurs when a lawsuit is initiated). The use of cloud computing could lead to delays and costly efforts to produce relevant materials due to data commingling or data dispersion across locations and/or service providers.

Know the Challenges - Address the Risks

Virtually all organizations' IT business plans include at least some outsourcing of IT functions to third parties. Because cloud computing offers so many advantages, its adoption is, for many companies, a question of "when" rather than "if". Security and other challenges faced by FREs in the context of cloud computing are not unique to FREs, but are more pronounced due to the need to comply with B-10. While in certain contexts the challenges and compromises inherent in cloud computing may preclude its adoption by the FRE, in most cases cloud computing will work well, provided that the FRE carefully considers the relevant issues before entering into any agreements.

New privacy rules in India may impact outsourcing transactions

On April 11, 2011, the Ministry of Communications and Information Technology (Department of Information Technology), Government of India (IT Ministry), issued the following rules regarding the protection of personal information:

  • Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
  • Information Technology (Electronic service delivery) Rules, 2011
  • Information Technology (Intermediaries guidelines) Rules, 2011

(collectively, the Privacy Rules).

The new Privacy Rules represent a dramatic change in India’s policy on protection of personal information, which previously regulated only data security and hacking but not privacy. For more information on the Privacy Rules and discussions of their potential impact on outsourcing transactions, please visit publications posted by Morgan Lewis, Gibson Dunn and DLA Piper.

Privacy lessons learned: they can't steal what you don't have

David Elder -

It is an unfortunate truism that we can often learn from the misfortunes of others, and this is certainly true with respect to privacy breaches.

Beyond the need for increasingly robust security safeguards, recent media coverage of a number of high-profile privacy breaches offer another ready lesson for corporations that collect and store personal information: information that is not retained cannot be the subject of a data breach.

In one recent breach, the victim of a possible data theft noted that records provided to a vendor were apparently not destroyed, although the outsourcing organization believed that they had been. It was these records that were the subject of data theft by an unknown hacker. In another recent breach case, information was stolen from an internal database of customer information that was no longer being used.

Any data breach is a matter of great concern, but situations like these are particularly tragic as they are entirely avoidable.

Data breaches like these underline the importance of one of the fundamental tenets of Canadian privacy law: that personal information shall be retained only as long as necessary to fulfill the purposes for which it was created or collected and, once no longer required, should be destroyed, erased or made anonymous. Each of the federal Personal Information Protection and Electronic Documents Act, the Alberta Personal Information Protection Act, and the British Columbia Personal Information Protection Act explicitly require such limited retention and eventual destruction.

When outsourcing work that involves providing personal information to a third party, most companies now include requirements in the outsourcing contract that the third party return or destroy the data in question once the work is completed – but how many companies follow up at the conclusion of a contract to ensure that this actually occurs? A range of options are open to outsourcers to help ensure that vendors follow through on these commitments, ranging from requests for confirmation of destruction to audits of the vendor facilities.

However, retention of personal information that is no longer required is not limited to third party vendors: many corporations maintain stale and unused internal databases of personal information. Sometimes this data is deliberately retained “just in case” it may later prove useful for marketing purposes; sometimes it is retained simply because no one bothered to erase or destroy it. Moreover, since it is not being used, such databases may not receive the same ongoing security scrutiny of more active files. Retention of such data creates an entirely avoidable data breach risk.

This is not to say that no data can be retained; to the contrary, there are many legitimate reasons to retain personal information, such as to avoid repudiation of purchases or service orders, to provide convenience to repeat customers and to meet legal requirements, such as statutorily-mandated retention of data or compliance with limitation periods. The trick is to keep only the data for which an organization has a real business or legal need. 

All businesses that collect and retain such information should develop – and implement - a comprehensive data retention policy, setting out clearly justifiable retention periods for various data elements and mandating destruction after the expiry of these periods. Indeed, Canadian privacy laws require it.

Companies face enough challenges today in safeguarding personal information; it only make sense to minimize potential exposure to data breaches, or other misuse of personal information, by limiting retention of data.