Lexpert Magazine

September 2019

Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.

Issue link: https://digital.carswellmedia.com/i/1163340


LEXPERT MAGAZINE | Q3 2019 41

take note of this case. From the perspective of cybersecurity, how are you doing in your acquisition deals on the due diligence front with respect to the target's computer systems and data-handling practices? Particularly if they have a B2C business that collects, processes and stores large volumes of personal information, a cursory review and a few questions of their IT department don't cut it anymore. You really have to get some technical experts into the target's data centre, and review for vulnerabilities. And if you find some, it's not the end of the world … so long as you make it a priority to shore up the systems as soon as you close the deal. Don't wait, don't prevaricate. Act right away, and bring those systems you are now accountable for at least up to the standards you have in your facilities. And yes, you either have to build that extra expense into your financial model for the deal, or you have to try to negotiate an adjustment to the purchase price, because likely the sellers underinvested in cybersecurity for years, from the sound of it. But, in any event, you have to find a way to pay for the rectification of the required digital security deficiencies.

What's interesting about these two enforcement cases is that neither involved a big American tech company; rather, they were traditional businesses. Now, of course (and I've been saying this for some time), today, every business is a tech business. And so if you think "our core business isn't selling internet-based services, so I really don't have to take cybersecurity too seriously"… well, you would be wrong. If you collect any personal information from customers, you have to be right in the thick of worrying about cyber-risk, and how to mitigate it through technological and other best practices — there is simply no way around it anymore. This is the prime lesson to be learned from the first year of the new European data protection law.

More Accountability from Internet B2C Businesses

While digital privacy is today every organization's business, of course, that is doubly true of companies that make the bulk of their earnings from online services for consumers. And, sure enough, the third largest fine last year under the new EU privacy regime for a data protection shortcoming was to Google, for $73 million. The offence was, put simply, for offering only one option for consent to online targeted ads. This raises another aspect of the GDPR — namely, the European privacy regulators are working hard to breathe new life into the concept of consent. This is very telling because, for us in Canada, the concept of consent has been at the very core of our data privacy law (PIPEDA), and the various provincial equivalents, right from the beginning (going back some 20 years now).

For example, there are also new GDPR rules on getting consent for cookies, perhaps the most common request on websites today. In a nutshell, the European legal requirements require the website operator to provide greater transparency into the operation of the cookie, and meaningful choice in acceptance (i.e., it helps to give a decline button). There is, however, also a new exemption if the website has an existing relationship with the consumer and the data is processed in a manner that is reasonably expected. In a nutshell, consent continues to be a very contentious topic in privacy circles, and if you are responsible for your organization's web presence, you have to stay on top of all these developments.

Beyond consent, the big American tech companies are also getting pulled over to the side of the digital highway (bet you haven't heard that phrase in a while …) by the regulators for a range of alleged infractions in Europe, including Microsoft and Apple. But what many don't realize is that a very large number of smaller players are hearing from the regulators as well, and, in many cases, fines in the $15,000-$50,000 range are also being levied (about 90 smaller companies were fined a collective $8.7 million last year). So, you should disabuse yourself of the thought that privacy regulation is only a concern for "Big Tech"; that was never a responsible attitude, and now the enforcement patterns of the European data protection regulators are proving that beyond any shadow of a doubt.

Raising Awareness

A few years back, a number of pundits in the media predicted that privacy was dead, that people were no longer interested in their privacy rights, and everyone should just get over these twin facts of life. The GDPR, and the raised awareness level that it has ushered in, has put the lie to this sentiment. A recent poll found that fully 73% of Europeans (a huge portion, in my view) knew of at least one specific right in the GDPR. So, it does not come as a surprise to me that, last year, fully 89,000 data breach incidents were reported to the privacy authorities. That number is twice what it was the year before … twice! In a similar vein, some 144,000 privacy complaints were lodged with the regulators in the first 12 months following the coming into force of the GDPR. Again, I think that is a huge number, keeping in mind that privacy compliance is not that big a thing in the eastern countries of the European Union; so, we're seeing an exceptional rate of awareness of privacy questions in the Western European states, especially the UK, France, Germany and Spain.

The other thing to remember about GDPR compliance is that it's not just about fines, although they certainly grab all the headlines. It's also very much about orders issued to cause the cessation of data processing, or orders requiring some corrective action. These sorts of remedies that can be foisted on companies under GDPR can be even more difficult for companies to comply with than payment of a simple fine. So, ultimately, it comes as no surprise to me that, since the time GDPR came into force (May 2018), more than 500,000 organizations have dutifully registered their data protection officers. And these persons are being given increased powers to help ensure that their organization doesn't fall afoul of the new privacy law regime.

What makes all of this quite astounding (are you sitting down?) is that all this compliance activity noted above may in fact be just a preview of what's to come, and frankly, not a very indicative one at that. I say this because the first year of GDPR was always intended to be something like a "burn-in period"; a fairly low level of regulatory activity to give business and citizens (who increasingly are actively bringing cases directly against the corporate behemoths) a period of time to adjust to the new rules. If this is indeed the cadence, it will be very interesting to see what the enforcement "year in review" looks like next year!

George Takach is a partner at McCarthy Tetrault LLP, based in its Toronto office.
