Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.
Issue link: https://digital.carswellmedia.com/i/864045
64 LEXPERT MAGAZINE | SEPTEMBER 2017 TECHNOLOGY | COLUMNS |
George Takach is a senior partner at McCarthy Tétrault LLP and the author of Computer Law.

ganization's data repositories. Here's what you need to do.

First, make a thorough inventory of the data so that you understand where it all comes from. Does your organization generate it all, or is some of it sourced from third parties? And very importantly, does any of the data comprise "personal information"? This is a critical question, because personal information (PI) in Canada, Europe and other places is subject to privacy regulations. Even if the data doesn't contain PI, you still need to perform due diligence on the data source. For instance, in certain countries geological seismic data is considered a "state secret," and removing it from the country is a criminal offence (this actually came up in a global IT outsourcing deal, and my firm had to create a separate server site in this particular Southeast Asian country just to accommodate this data sovereignty rule).

Second, once you have done sufficient due diligence on all the data you are harvesting for your big data project/service, you need to find out whether there are any strings attached to this data. For example, if it's PI, you must review the privacy agreement/policy under which you collected the PI data. What restrictions did you agree to when the data subjects were consenting to give you access to their data? These are critical questions, obviously.

Even if the data is not PI, there may still be some complexity around your ability to use the data. Are you collecting the raw data under a services arrangement, and then you want to aggregate and anonymize the data so you can sell insights gleaned from the aggregated data sets?
This is done with greater frequency now that we are well into the era of big data, but some caution must be exercised relative to the following questions: how many data sets do you need before you can say the data is suitably anonymized? How narrowly can you segment the data, before it loses its anonymous quality? What are the best practices in your industry for these sorts of issues?

YOU'RE IN THE DATA BUSINESS NOW

You have managed to clear the legal rights in the big data you wish to exploit, so you are ready to consider a host of issues at the technical product-delivery level. You have to make sure that you have state-of-the-art physical and logical (i.e., computer-based) security for the systems storing and delivering your big data. The more valuable your service, the more it will become a target of hackers, extortionists, unscrupulous data disseminators, illegal data trolls, spammers and a range of online criminals (welcome to the unfortunate, dark side of the internet). Therefore, you must take reasonable measures to protect it, particularly if it contains personal information.

You will also need a commercial agreement with your customers who use the big data service. Those customers need to agree to a number of important provisions: first, there will invariably be limits on what the customer can do with the big data. It would be very customary, for example, to not allow the client to share the big data, or even any insights gained from it, with third parties, save and except as you narrowly permit it in your contract. You have to be very vigilant to protect your data asset, and the principal way to do that is through implementing reasonable-use restrictions on the data in the customer contract.

If you are marketing any form of personal information, and assuming you have received permission from the data subjects to share the PI with a specific third party, then you need to be very mindful of the privacy laws that apply to such PI.
In Canada, that will largely be federal privacy law, but some of the provincial statutes may be relevant as well. And keep in mind that other jurisdictions may approach privacy regulation somewhat differently than Canada (and, in the case of Europe, even more stringently).

In this regard, it is important to note that starting in May 2018 — less than a year from now — a new privacy law in Europe will come into effect. If your organization or one of your affiliates is active in Europe and you collect personal information, you have less than a year to prepare for the new legal regime, which will bring some new compliance challenges. One will be the right of consumers to require you to transfer their PI from your systems to another provider of services. This "data portability" right will require some system and software changes, so ideally your efforts in that regard are already well under way.

In a similar vein, the new European data protection law will provide for a "right of erasure" (sometimes known as the "right to be forgotten"). And finally, there are new rules regarding profiling and automated decisions, both of which, again, may well require some modifications in your IT systems. In short, privacy law compliance is a fairly complicated matter nowadays, given that Europe and the United States do not see eye to eye on this subject, and Canada is somewhere in between them.

In conclusion, there are certainly economic and other benefits to be derived from exploiting big data, but you have to manage this new asset and value generator with great care.