Lexpert Magazine

September 2019

Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.

Issue link: http://digital.carswellmedia.com/i/1163340

Contents of this Issue


Page 35 of 39

40 LEXPERT MAGAZINE | Q3 2019 as I mentioned in a recent column in this space, Canada looks to be set to be gearing up for significant changes in its own data protection laws and regulations, so in the not too distant future, what you are about to read below will be very directly applicable to you — so you may want to join many other businesses and organizations that are im- proving their privacy practices now to new best practice levels even before the legisla- tion is passed requiring them to do so. Heightened Enforcement e big story for the first year of GDPR has to the heightened enforcement — this is the headline. And the numbers are getting bigger and bigger, and certainly bigger than they were under the previous legislation. A major airline was fined the equivalent of $302 million in respect of a data breach, aer it was found by the privacy regulator to have lax cybersecurity. is is a very mus- cular decision, and it does not surprise me at all that it came out of the cybersecurity en- vironment. e reason I say this is because when my colleagues and I are negotiating large technology procurement transactions, The big story for the first year of GDPR has to be the heightened enforcement – this is the headline. such as major outsourcing deals, particularly for SaaS-based services, the cybersecurity provisions of the contract are by far the most heavily negotiated today (far more conten- tious, for example, than the intellectual property indemnity clause); and in respect of the limit of liability clause, its intersection with cybersecurity is also heavily contested, as both sides bring an extremely augmented sensitivity to the topic. Another large enforcement action arising out of a data breach involved a hotel chain; in this case, the fine was $162 million. What was very interesting about this case was that the target of the proceeding, and the direct subject of the fine, was the purchaser of the problematic, insufficiently secure data infra- structure, which it had acquired in an M&A deal some time before. But did the regulator give it a pass — absolutely not! If you are in corporate development, you really need to ONE YEAR OF THE GDPR: HEIGHTENED ENFORCEMENT Regular readers of this space will know that in Europe a new General Data Protection Regulation ("GDPR") came into force all around the European Union in May 2018. It contains many new provisions, and some eye-popping numbers for maximum fines (i.e., 4% of global sales of the offending business). So, a year later, what can we say about how the law is being administered, and, perhaps most importantly, what has been its impact on corporate and other behaviour in the increasingly important online and digital privacy space? ese questions are obviously important if you're a Canadian company or other orga- nization with operations in Europe, or you collect data from Europeans on a regular basis (i.e., you run a website that regularly caters to a worldwide audience, but you also target ads and other internet outreach to Europeans). But, in addition, even if you do not have meaningful or sustained con- nections with Europe, you should still fol- low developments in respect of the GDPR because clearly it is emblematic of the wave of the future when it comes to privacy regu- lation in the online and digital spheres. And By George S. Takach COLUMNS TECHNOLOGY

Articles in this issue

Archives of this issue

view archives of Lexpert Magazine - September 2019