Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.
Issue link: https://digital.carswellmedia.com/i/1045898
74 LEXPERT MAGAZINE | NOVEMBER/DECEMBER 2018 | DATA PRIVACY | which allows for seamless data transfer be- tween the jurisdictions." Indeed, the view of many privacy law ex- perts is that the GDPR represents the gold standard in privacy law. "If a company is looking for feasible, user-friendly uniformity in its privacy poli- cies, it should go with the GDPR, which is now the highest common denominator," Bernier said. "But there are also little ac- commodations that have to be made." It's these "little accommodations" that give some privacy law practitioners cause for concern. "ere are places where there are dis- connects between Canadian law and the GDPR, where the laws don't work well to- gether," she said. "ere has to be consid- erable thought given about when to use a global standard and when to use a country- specific standard." Areas for concern include diverging rules regarding what constitutes personal information; residency and cross-border data transfer requirements; distinctions between the obligations of data control- lers and data processers; the availability of mechanisms other than consent as pre- conditions for lawful processing; and dif- ferences in requirements for notifying au- thorities and/or individuals affected. "In some cases, complying with the GDPR can hinder Canadian companies' flexibility that might exist under domestic law," Wasser said. "What I recommend to clients is that they should think carefully about whether it's best for them to com- ply with the GDPR, especially if adhering to the Canadian standard does not create meaningful risk." Hengesbaugh advocates a practical ap- proach to breach notification as well. "It may not be necessary to notify everybody, particularly if the information is non-sen- sitive or if the risk in certain jurisdictions is otherwise acceptable," he said. A consensus exists that engaging local counsel or partners in relevant jurisdic- tions is essential. "What clients need is a coordinated effort because what is said and done in one jurisdiction can affect the risk in others," Promislow says. at's true even within the EU. "Ex- perts have pointed out that as all-en- compassing as the GDPR is, member states have the ability to expand the rules beyond the minimum and adopt differ- ent approach to enforcement," said Matt Saunders in Cox & Palmer's Halifax of- fice. "It just means there's another layer of complexity to something that's already extraordinarily complex." Extraordinarily complex indeed. So much so that, earlier this year, global law firm Norton Rose Fulbright launched a data breach chatbot named Parker. "Parker is an artificial intelligence tool built on the IBM Watson platform that helps organiza- tions understand whether they are subject to certain privacy laws," Berger said. e Canadian version is aimed spe- cifically at guiding clients in determining their exposure and obligations under the new breach notification regime. It follows on the success of Parker in Australia, where the program originated, and its subsequent modification to answer questions about the GDPR. e GDPR version is primarily aimed at multinational businesses which need to determine whether and how the new law applies to them. Nick Abrahams, global head of tech- nology at Norton Rose, and his Sydney colleague Edward Odendaal developed the first Parker in anticipation of major changes in the Australia data protection notification regime that came into force in late February. e first 24 hours' of Parker Australia's December 2017 launch drew over 1,000 conversations to the chat- bot. As of June 13, the number had grown to 5,976. "Generally, the average number of mes- sages per conversation varies between four to six questions," Berger says. "Taking an average of three minutes per conversation, Parker Australia has provided clients and potential clients with just shy of 300 hours of legal information in its first six months." e GDPR Parker rang up 3,826 con- versations between its launch in May and June 13. Just how many of the conversa- tions involved Canadian businesses is not known. Parker and artificial intelligence not- withstanding, the fact remains that com- plying with the maze of global privacy laws is like shooting at a moving target. "Not even the European lawyers who are heavily engaged with the Regulation know exactly how it will be enforced," says Éloïse Grat- ton, a partner in Borden Ladner's Montreal and Toronto offices. Fortunately for their clients, Canadian law firms appear to be up for the challenge. Julius Melnitzer is a writer based in Toronto. GLOBAL STUDY AT A GLANCE Ponemon Institute, 2018 Cost of a Data Breach Study: Global Overview Average total cost of a data breach: $3.86 million Average total one-year cost increase: 6.4% Average cost per lost or stolen record: $148 One-year increase in per capita cost: 4.8% Likelihood of a recurring material breach over the next two years: 27.9% Average cost savings with an Incident Response team: $14 per record