The Lexpert Special Editions profiles selected Lexpert-ranked lawyers whose focus is in Corporate, Infrastructure, Energy and Litigation law and relevant practices. It also includes feature articles on legal aspects of Canadian business issues.
Issue link: https://digital.carswellmedia.com/i/724053
WWW.LEXPERT.CA | 2016/17 | LEXPERT 17 manufacturers of wearables are less concerned with the security of their devices and oen shi privacy risks on to the consumer through sweeping consents that consumers will generally accept without care- ful consideration. While this approach may make sense in the con- text of consumer products, enterprises adopting wearable technology must be more careful in managing risk. e unauthorized, unintentional or overreaching use and disclosure of personal information gathered by wearables in the workplace has the potential to create liability for several parties (manufacturers, ser- vice providers, employers, etc.). Disclosure to third parties, intention- ally, in error, or as a result of illegal activities, can have a significant impact on the wearer's quality of life. For example, if personal health information is sold, stolen, or leaked through a data breach to third parties such as insurance providers, it could result in steep increases in health insurance or even a policy cancellation for the wearer. Health and financial data are arguably more valuable than other types of per- sonal information. While financial institutions have become experts in fraud detection and bank accounts can retroactively be corrected or changed, other types of personal information collected by wearables such as health and wellness information or other identifiable informa- tion such as social insurance numbers cannot be changed or deleted. In the mining sector (and in many other industries), if wearable technology is linked to data collection in equipment or production, a data breach may be profoundly detrimental to the affected company's business, in that the company may no longer be in control of the infor- mation it releases to the public, its shareholders, or its competitors re- garding its efficiency, productivity or other sensitive operational data. e risk of breach is so real that for several years companies have been purchasing cyber liability insurance to deal with sensitive information getting into the wrong hands. Even insurers are fighting back and attempting to avoid or limit coverage in the event of a claim in certain circumstances, such as a company misrepre- senting its control over the information or encryption pro- cedures in place (see Columbia Casualty Company v. Cottage Health System). While we have not yet seen headline-grabbing data breaches involving data collected from wearables (in the workplace or otherwise), there seems little doubt that com- panies are putting themselves at risk of liability and must carefully measure the risks and rewards. Employers can man- age risk by using third-party service providers to maintain and process data, ensuring adequate security measures are in place protecting data they may access or transfer and man- aging access to data processed under third-party contracts. e safest approach is generally for companies to keep their hands off the data, to collect as little as possible and to only receive anonymized data themselves. is still leaves the debate open as to whether wearables are appropriate in the workplace and whether employees must consent to their use. Undoubtedly, employers who mandate the use of wearables should clearly provide employ- ees and potential employees with the job-related reasons for the collection of such data and the limits on its use. In Brit- ish Columbia and Alberta, the regulatory framework gener- ally, subject to certain exceptions, allows an employer to col- lect personal information without the employees' consent if the collection is reasonable for the purposes of establishing, managing, or terminating an employment relationship (s. 13 of British Columbia's Personal Information Protection Act and s. 15 of Alberta's Personal Information Protection Act). For example, in Re Kone Inc., 2013 BCIPC 23, the collection and use of GPS informa- tion from employer-provided cell phones was held to be reasonable and appropriate to the business purposes for which it was sought and was also seen as appropriate as it was minimally invasive. Unfortunately, private-sector employees in other Canadian prov- inces do not have the same privacy legislation to rely upon. In federal- ly-regulated workplaces the Privacy Commissioner has held under the federal Personal Information Protection and Electronic Documents Act that the collection and use of this information must undergo a similar balancing, considering the loss of privacy and the benefit gained from the collection, and where there is a less privacy-invasive way of achiev- ing the same end that measure will be preferred (www.priv.gc.ca/cf- dc/2009/2009_011_0527_e.asp). Unfortunately, due to the recent rise of wearables in the workplace and the rapid pace of innovation, large regulatory voids still exist with respect to privacy and data security. Managing the inherent security and privacy risks involved with wearable devices will need to be man- aged through a combination of government and enterprise. With the Internet of ings (which includes wearable devices) expected to surpass mobile phones as the largest category of connected devices in 2018, according to the Ericsson Mobility Report (www.ericsson.com/ mobility-report), and with industry increasing its efforts to implement wearables, what is clear is that the workplace has the potential to dra- matically change the relationship between employers and employees. Whether the risks outweigh the rewards is yet to be determined, but risk rarely stifles innovation and we may be on the cusp of a welcome evolution in the mining industry. Karen MacMillan Lawson Lundell LLP (604) 631-9160 | kmacmillan@lawsonlundell.com Karen MacMillan is a partner at Lawson Lundell LLP practising corporate and commercial law with an emphasis on commercial arrangements and asset-level acquisitions and dispositions in the mining sector, including with respect to projects in Latin America. Her practice includes repre- senting mining clients in connection with earn-in arrangements and joint ventures, royalty financing and other strategic arrangements, as well as procurement, construction and services agreements. Khaled Abdel-Barr Lawson Lundell LLP (604) 631-9233 | kabdelbarr@lawsonlundell.com Khaled Abdel-Barr is a partner at Lawson Lundell LLP practising corporate commercial law and mining law, including advising on acquisitions and dispositions of mines and significant mining projects, and on a broad range of mining-related matters, both domestically and internationally. His prac- tice includes advising clients in the negotiation of earn-in, joint-venture, strategic alliance and royalty agreements, mineral title review, and all phases of the mining cycle (from exploration, development and production Amaan Gangji Lawson Lundell LLP (604) 631-9105 | agangji@lawsonlundell.com Amaan Gangji is an associate in Lawson Lundell LLP's Privacy and Data Management Group whose practice includes a focus on technology and privacy laws. His experience includes helping clients implement compli- ance programs with respect to Canadian privacy and anti-spam legislation; address complaints and adhere to appropriate response protocols in the event of data breaches; and implement cloud computing projects.