Lexpert Magazine

Nov/Dec 2017

Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.

Issue link: https://digital.carswellmedia.com/i/894157


LEXPERT MAGAZINE | NOVEMBER/DECEMBER 2017 | 79 | IN-HOUSE ADVISOR: PRIVACY LAW

is an offence in itself for any company handling EU citizens' information. Yet, Corry says, his own unofficial survey found "the vast majority of Alberta companies said they had no intention of appointing a privacy officer."

The General Data Protection Regulation says personal data of EU citizens may not be collected by, or transferred to, any foreign entity unless it's subject to laws or agreements in that country deemed by EU authorities to provide protections substantially similar to the GDPR.

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) currently holds such an EU "adequacy" rating — but privacy lawyers have expressed serious doubts as to whether the adequacy ruling will stand up to either a court challenge or a routine review, which the European Union promises to conduct every four years.

Meanwhile, the United States has no overarching privacy law and, therefore, no EU adequacy rating, says David Young of David Young Law in Toronto. US privacy protection depends primarily on tort law, with the exception of the US Privacy Act. That statute regulates information collected by the federal government — but specifically exempts non-US citizens from its protections by way of an executive order under President Donald Trump.

Young says American companies have, so far, relied on EU certifications of corporate privacy-protection policies in order to legally collect, retain and process EU data. But the original Safe Harbor model agreement has been defeated in European courts and the Privacy Shield agreement that replaced Safe Harbor may be defeated as well, observers say.

Adequacy

Young says the GDPR is "getting a lot more air time" from Canadian boards of directors as its May 25, 2018, date of enactment approaches.

"It makes any organization that collects information from EU citizens subject to the full regime of the GDPR, and it has another level of prescriptiveness that goes beyond the previous Data Protection Directive," he says. "But a point that should not be lost sight of is that we have privacy laws that have been determined to be adequate."

Canada's PIPEDA accords closely with the GDPR in certain respects, and so Canadian companies that are PIPEDA-compliant are a big step closer to being GDPR-ready, Young says. The right of individuals to access personal information held by companies is assured under PIPEDA, and while the so-called "right to be forgotten," also known as the right of erasure, is not explicitly guaranteed in Canada, it has effectively been the subject of common-law rulings on the right of individuals to withdraw consent to the retention of their personal data.

"I am of the view that we have that right today," Young says. "But this issue of deletion is huge. There are always two or three backups and deleting all of that is very complicated." In an era when storing data has become cheaper than deleting it, "many companies do not have a comprehensive inventory of information." As a result, he says compliance with the General Data Protection Regulation will place major new demands on the information management capabilities of Canadian companies.

Banks points out that the right of erasure runs counter to the corporate imperative that "transactions need to live," and it may prove very difficult to preserve transaction records while deleting consumers' names. If it has to be done manually, he says, large corporations could face huge costs.

The GDPR also imposes an obligation on companies to ensure the "portability" of personal data. "The concept is that it's my information and I can ask for it to be moved," Young says. Examples might include moving personal financial information from one bank to another or legal records from one law firm to another. "That right does not exist, generally, in Canada," he says, although there are sectoral exceptions, such as for medical records. And portability will also require data compatibility or conversion protocols be established between sender and receiver.

Young says the requirement for data protection through encryption, or what the GDPR calls pseudonymization, "is just a cost, and [large Canadian] companies do that already." But he adds, "There's always the question of whether you've actually achieved anonymization," as breaches of retail data regularly demonstrate. If not, penalties would rise with the seriousness of any breach.

LYNDSAY WASSER > MCMILLAN LLP
I think Canadian businesses in general have struggled for many years to balance US demands for information with EU privacy protections. … The chief concern with the GDPR is the massive fines — and the lack of flexibility.
