Canada privacy law may be held to EU-U.S. model: internal memo

TORONTO (Reuters) - Canadian officials expressed concern in an internal memo the European Union may hold personal-data transfers to their country to the tougher standards of the bloc’s new Privacy Shield pact with the United States.

That potentially affects the operations of Canadian businesses handling transatlantic data, according to the memo, obtained under access-to-information laws.

The EU-U.S. Privacy Shield, formally adopted on Tuesday, limits how American firms handle European personal data. It replaces Safe Harbour, the framework that the EU’s top court struck down last year on concerns about intrusive surveillance.

In a February memo, Canadian officials said Privacy Shield, which was provisionally adopted that month, may become the new standard and result in Canada’s privacy law being “scrutinized” when the EU reviews whether the law adequately protects European data.

Such a review will be conducted as part of a larger privacy-protection report due in 2020, according to the EU. But a review can also happen in the event of a legal challenge, as was the case for Safe Harbour.

Parts of the Canadian memo were redacted, and it was not immediately clear how the country is addressing the issue or the extent its businesses would be affected.

Global Affairs Canada, the country’s foreign department that created the memo, has been probing “foreign cyber policy considerations,” according to the note. It has also been assisting another federal agency, Innovation, Science and Economic Development (ISED) Canada, in “examining the span of Canadian business sectors that may be impacted.”

If Canada’s law does not pass muster, a broad range of the country’s companies, from multinationals that centralize employee data at Canadian headquarters to tech firms that parse their user data west of the Atlantic, may find themselves in the same situation as American ones after Safe Harbour’s nixing.

The EU court decision last October meant U.S. companies no longer had a legal framework to move European personal data and had to go through more complicated routes. Small- to medium-sized firms have said they lack resources for that and fear losing business.

Privacy Shield, though tougher than its predecessor, provides for easier transatlantic data movement than when there was no framework. But it had taken months of intensive talks to hammer out, leaving companies in a legal limbo in the meantime.

Asked about potential effects of Privacy Shield on the EU’s view on Canada’s privacy law, a spokesman said the two have “no direct connection.” But he added the EU’s monitoring of the issue “will be further strengthened” with regulations due 2018 that in part mandate examination of other countries’ privacy protocols.

Global Affairs referred questions to ISED, which did not immediately respond.

Editing by David Gregorio