In previous bulletins, we have seen that Bill 64 introduces a new framework before transferring personal information outside of Quebec. Indeed, an impact assessment must be conducted to show that the information will be protected to the same extent as provided under Quebec's Private Sector Act[1]. Besides, just as the European Union does, the Minister will publish a list of states where the privacy protection laws are equal to those applicable in Quebec. This list is comparable to the adequacy decisions provided under European Union law that allow the transfer of personal information from the EU to a third country (in particular, see GDPR, art. 45)[2].
In order to determine what could be included in the impact assessment of Bill 64, we can refer to the new documents released by the European Data Protection Board ("EDPB"), explaining the conditions laid down by the Court of Justice of the European Union ("CJEU"), in its Schrems II decision[3].
It can be reminded that, under Schrems II, the CJEU invalidated the Privacy Shield and specified that transferring personal information to third countries cannot be a means to undermine the protection it is afforded in the European Union.
The Court also stated that exporters of personal information are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards mentioned in the GDPR, such as Standard Contractual Clauses ("SCC") and Binding Corporate Rules ("BCR"). In those cases, the Court left open the possibility for exporters to implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law. However, the CJEU did not specify which measures these could be.
In this context, the EDPB has adopted recommendations[4] which provide exporters with a series of information/obligations. If the impact assessment is the core of the process of transfer of personal information, it is not the only one. Indeed, before transferring personal information, the exporter shall follow the following steps.
Step 1: Know your transfers
Exporters of personal information, whether they act as data controller or data processor, shall implement a data mapping in order to verify that the data transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country. In order to do that, the exporter can rely on the record of processing activities and shall take into account onward transfers.
Step 2: Verify the transfer tool your transfer relies on
Exporters transferring personal information shall verify the tools on which they rely on, i.e. adequacy decision or appropriate safeguards.
To date, the European Commission[5] has so far recognized Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. Adequacy talks are ongoing with South Korea. If exporters decide to transfer personal information to the above mentioned countries, they will have nothing else to do.
In case of the absence of the adequacy decision, exporters may rely on Article 46 GDPR transfer tools, such as SCC and BCR. In this case, the exporters shall supplement these transfer tools and the safeguards they contain with additional measures ("supplementary measures") to ensure an essentially equivalent level of protection.
Besides adequacy decisions and Article 46 GDPR transfer tools, the GDPR contains a third avenue allowing transfers of personal data in certain situations. Subject to specific conditions, exporters may still be able to transfer personal data based on a derogation listed in Article 49 GDPR, such as the consent of the individual. However, these derogations must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive.
If the transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation, the exporters need to continue with step 3.
Step 3: assessment of the law of the recipient country
Here is the impact assessment! Exporters shall assess if there is anything in the law or practice of the recipient country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools the exporter is relying on.
The applicable legal context will depend on the circumstances of the transfer, in particular the purposes for which the data are transferred and processed; the types of entities involved in the processing; the sector in which the transfer occurs; the categories of personal data transferred, etc.
In order to make this assessment, the EDPB has issued another recommendation[6], in which it considers that the applicable legal requirements to make the limitations to the data protection and privacy rights recognised by the European Charter of Human Rights justifiable can be summarised in four European Essential Guarantees:
- Processing should be based on clear, precise and accessible rules;
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
- An independent oversight mechanism should exist;
- Effective remedies need to be available to the individual.
Step 4: identification and adoption of supplementary measures
This step is only necessary if the assessment reveals that the recipient country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool.
Note that, if the exporter decides to continue with the transfer notwithstanding the results of the assessment, the exporter should notify the competent supervisory authority. The competent supervisory authority will suspend or prohibit data transfers in those cases where it finds that an essentially equivalent level of protection cannot be ensured.
This being said, the EDPB gives examples of supplementary measures which may be adopted according to the circumstances of the transfer:
- Strong encryption before transmission of personal information;
- Pseudonymisation of personal information;
- Split of personal information in such a way that no part an individual processor receives suffices to reconstruct the personal data in whole or in part;
- Additional contractual measures such as transparency obligations : the importer could be for instance required to enumerate the laws and regulations in the recipient country applicable to the importer or its (sub) processors that would permit access by public authorities to the personal data that are subject to the transfer;
- Internal policies for governance of transfers;
- Data minimisation measures.
Step 5: taking formal procedural steps
As a fifth step, the EDPB requires to take any formal procedural steps the adoption of supplementary measure may require, depending on the Article 46 GDPR transfer tool the exporter is relying on (e.g. SCC, BCR, ad hoc contractual clauses).
Note that the European Commission has published a draft of new SCC[7], taking into account the GDPR and Schrems II. However, if the draft remains as is, the exporter of personal information shall still follows the six steps. Indeed, the draft contains notably provisions requiring data exporter to commit that it has used efforts to satisfy its obligations such as the implementation of a transfer risk assessment by taking into account (i) the specific circumstances of the transfer; (ii) the laws of the third country and (iii) any additional safeguards. These SCC also provide obligation in case of governmental access requests.
as well as provision on local laws which may affect compliance with the SCC. This being said, Annex II to the SCC provide indications on the type of security measures to be implemented (e.g. requirements for: pseudonymization and encryption; the protection of data during transmission; events logging; certification, etc.) which may be considered as guidelines for supplementary measures.
Step 6: continuous evaluation of the transfer
The sixth and final step will be for the exporters to re-evaluate the level of protection afforded to the personal information transferred to third countries and to monitor if there have been or there will be any developments that may affect it. The principle of accountability requires continuous vigilance of the level of protection of personal information.
Henceforth, it will not be easy to transfer personal information from the European Union and/or Quebec. All these steps, except maybe the fifth one which is specific to the GDPR, may apply in Quebec. Therefore, Fasken remains available to assist you.
|
BILL 64 RESOURCE CENTER - Visit our Bill 64 Resource Center for all the information you need to help you to cope with the changes that might be made to the legislation. DISTRIBUTION LIST - If you do not want to miss our next bulletins and any other relevant information on this subject, sign up now on our distribution list to receive all communications related to this new Bill. |
[1]J. Stoddart, G. Laliberté, Bill 64 and The Exportation of Personal Data From Quebec: Complications In Sight, Fasken Bulletin.
[2] J. Uzan-Naulin, Bill 64: Mirroring the GDPR?, Fasken Bulletin.
[3] CJEU, July 16, 2020, aff. C-311/18, Data Protection Commissioner/Maximillian Schrems and Facebook Ireland. See J. Uzan-Naulin, Safe Harbour - Privacy Shield, Same Battle?, Fasken Bulletin.
[4] EDPB, Recommendation 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, November 10, 2020
[5] Adequacy decisions | European Commission (europa.eu)
[6] Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, November 10th, 2020
[7] Data protection - standard contractual clauses for transferring personal data to non-EU countries (implementing act): https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries
