This is the third in a series of blogs on the EU-Canada trade agreement (CETA) and data protection. (Prior blogs: CETA and mass surveillance, CETA places itself above EU Charter of Fundamental Rights)
In this blog I will show CETA provides less data projection than the EU Charter of fundamental rights. Under CETA article 13.15 the EU has to allow cross border data transfers to Canada; the related data protection standard is not compatible with the Court of Justice of the EU (CJEU) Safe Harbour ruling.
Chapter 13 Financial Services, article 13.15 Transfer and processing of information, page 103, reads:
“1. Each Party shall permit a financial institution or a cross-border financial service supplier of the other Party to transfer information in electronic or other form, into and out of its territory, for data processing if processing is required in the ordinary course of business of the financial institution or the cross-border financial service supplier.
2. Each Party shall maintain adequate safeguards to protect privacy, in particular with regard to the transfer of personal information. If the transfer of financial information involves personal information, such transfers should be in accordance with the legislation governing the protection of personal information of the territory of the Party where the transfer has originated.” (emphasis added)
Under paragraph 1 the parties have to allow data transfers related to financial services. Paragraph 2 contains a data protection standard. The parties shall maintain “adequate safeguards”. In its Safe Harbour ruling, the CJEU gives strong meaning to “adequate safeguards” by reading it in the light of the EU Charter of Fundamental Rights. Supranational arbitrators however can decide that they do not have to read “adequate safeguards” in the light of the Charter, as CETA does not mention this. Hence, “adequate safeguards” in CETA provides a lower protection than “adequate safeguards” as interpreted by the CJEU in the Safe Harbour ruling.
Regarding transfers involving personal information the privacy standard in paragraph 2 uses “should”, not “shall”; this provides guidance, but does not create an obligation. Furthermore, the text leaves room to argue that it provides guidance regarding the cross-border transfer, not regarding what happens after the transfer. A most favoured nation clause may further weaken the data protection standard. 
The text falls short of the CJEU Safe Harbour ruling paragraph 74 regarding data protection in a third country:
“(…) those means must nevertheless prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union“. (emphasis added)
Under the CETA text Canada can give our personal data related to financial services, transfered to Canada, a lower protection than under the standard set by the CJEU Safe Harbour ruling. CETA gives financial institutions a “status aparte”. This is relevant as Canada is a member of the “Five Eyes”, a group of countries committed to (suspicionless) mass surveillance. We already saw that CETA does not allow data protection measures based on a higher data protection standard than agreed in CETA.
Textual shortcomings especially become clear in conflict situations. In case the EU would strongly act to protect our personal data and would consider to suspend cross border data flows Canadian financial institutions would be able to exploit the textual shortcomings using CETA’s investor-to-state dispute settlement (ISDS) mechanism. I will show a scenario in the next blog.
The earlier consolidated CETA text (pre legal scrub) used “treatment (…) shall”, not “transfers should”.  Despite the CJEU Safe Harbour ruling, the commission agreed to or proposed a seemingly weaker formulation during the legal scrub.
Negotiations behind closed doors and a legal scrub behind closed doors led to a text that is not compatible with the Charter of Fundamental Rights of the EU.
Next blog: CETA: ISDS and data protection
 See articles 13.4 and 13.7. Regarding most favoured nation, if service suppliers and services of an other country have more favourable conditions (from the point of view of a service supplier that could be less privacy restrictions) they will also apply to Canadian service suppliers and services. Most favoured nation clauses import weaknesses and can have unexpected and unwarranted effects, in general and regarding fundamental rights.