Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.
Issue link: https://digital.carswellmedia.com/i/894157
LEXPERT MAGAZINE | NOVEMBER/DECEMBER 2017 81 | IN-HOUSE ADVISOR: PRIVACY LAW

passenger and share that information with other airlines in cases where passengers require more than one carrier to reach their destinations. PNRs typically include travel itineraries, travel habits, relationships between travellers, health and financial data and, in some cases, political opinions and sexual orientation. The Canada Border Services Agency (CBSA) and its counterparts worldwide actively monitor PNRs to track movements of suspected terrorists and criminals.

The European Union Court of Justice said in July that Canada's newly proposed PNR agreement with the EU is incompatible with the Data Protection Directive, the incoming GDPR and fundamental rights of EU citizens. While objectives of the proposed PNR agreement — combatting terrorism and international organized crime — are desirable, the court said, the agreement cannot be concluded in its current form.

Specific points of contention included the overly broad categories of data collection, CBSA's retention of PNR data for up to five years and the routine transfers of data to authorities in other countries — read the US.

"I think Canadian businesses in general have struggled for many years to balance US demands for information with EU privacy protections," Wasser says. She adds that the PNR issue is at the centre of "a growing divide" between the US and EU on privacy matters.

Wasser says the various players will, hopefully, come to terms on passenger records before the GDPR comes into effect. But she acknowledges that Canada's PNR proposal was partly about preserving existing data and that could complicate matters because the EU wants data deleted when EU citizens leave for home.

Banks says the Canada Border Services Agency "has a legitimate interest in knowing who's coming to this country" and travellers have an interest in anything that makes customs clearance less burdensome.
But he adds, "The Europeans mean what they say. They want very precise rules when it comes to personal data, not just broad or vague principles. The European Court of Justice has said EU citizens need protections similar to what they would have at home. We should want our government to do the same."

PRIVACY: THE NEW STANDARD

The EU's new regulation will change everything about how customer data is stored and processed

The General Data Protection Regulation is coming, and in-house legal departments are staffing up, if they have not already. To help clients prepare for the May 25, 2018, enactment of the new European Union privacy law, Lyndsay Wasser of McMillan LLP has prepared a breakdown of the most important provisions for Canadian companies and suggested a number of steps to ensure compliance. This does not constitute legal advice. These provisions, and Wasser's recommendations, are outlined below.

Extraterritoriality: The GDPR applies to any company that offers goods or services to EU residents or monitors their internet use for purposes of behavioural advertising. Recommendation: Any such company is subject to the GDPR and needs to ensure compliance.

Consent: It must be freely given, specific, informed and unambiguous. Offering an opt-out choice does not appear to be sufficient to provide consent. Explicit consent is required for collecting data related to genetics, biometrics, racial or ethnic origin, political opinions, philosophical beliefs, union membership, health or sexual orientation. EU citizens must be allowed to object to direct marketing or profiling related to direct marketing. Consent is invalid if there is a clear imbalance of power, such as when service is conditional upon consent. Parental consent is required for anyone under age 16. Withdrawal of consent must be as easy as the original consent. Recommendation: Review consent documents and amend as necessary for EU use.
Accountability: The GDPR incorporates many concepts of "security by design" including assessing risk of data breach and potential harm to data subjects. Recommendation: Similar to Canadian legislation but "privacy impact assessments" may need to be implemented if they're not standard practice.

Breach Notification: These are required without delay and generally within 72 hours. Recommendation: PIPEDA is imposing new breach notification requirements, but if EU citizens are affected, companies will need to consider differential risk and the 72-hour notice requirement under the GDPR.

Data Processors: Third-party processors must delete data after processing is complete and notify the data collector of any breach. Data collectors are responsible for data protection by processors. Recommendation: Review arrangements for data storage and processing outside Canada if they involve EU data. Amend contracts as necessary.

International Transfers: Where there is no GDPR adequacy ruling, such as in the US, binding corporate rules must provide adequate protections. Recommendation: Review all processing of EU data outside Canada and amend outsourcing and subcontracting agreements as necessary.

Data Protection Officer: One must be appointed where processing involves regular and systematic monitoring of EU citizens or where it involves processing certain categories of data on a large scale. DPOs must have sufficient expert knowledge. DPOs have the right to insist on resources to perform responsibilities. Recommendation: Assuming the company has a chief privacy officer, review the officer's duties and qualifications to ensure GDPR compliance.

Right to be Forgotten: Subject to certain exceptions, data collectors must erase personal data upon request of the data subject or if the original purpose of collection has been fulfilled. Recommendation: Review policies on retention and disposal of personal data and ensure erasure requests can be honoured.