78 LEXPERT MAGAZINE | NOVEMBER/DECEMBER 2017
billion in annual revenue, the maximum
works out to $80 million. "The chief concern
with the GDPR is the massive fines
— and the lack of flexibility," says Lyndsay
Wasser, co-chair of the privacy and data
protection group at McMillan LLP in
Toronto. The EU law is both prescriptive
and punitive, and four per cent maximums
could be enormous, Wasser says. "I think
those won't be levied in every case, but the
potential is there."
The second point of interest, Banks says,
is that Canada's Privacy Commission,
among others, can very likely be enlisted
to support European Union authorities
in conducting joint investigations in this
country. He notes that Canadian Privacy
Commissioner Daniel Therrien closed his
May 17 remarks to the International Asso-
ciation of Privacy Professionals conference
in Toronto by extolling the virtues of cross-
border joint investigations.
"Despite differences in privacy law and
practice, it's important to note that my office
enjoys strong partnerships with our counterparts
around the world," Therrien said.
"These collaborative efforts are essential to
boosting privacy protections globally."
Extraterritoriality
Wasser notes that law enforcement agencies
have "lots of mechanisms for joint enforce-
ment," including mutual legal assistance
treaties between Canada and EU coun-
tries. As recently as June 2017, the Supreme
Court of Canada called privacy a "quasi-
constitutional" right and upheld Canadian
jurisdiction in Douez v. Facebook, 2017
SCC 33, despite a forum-selection clause
in Facebook's customer contract requiring
legal issues to be tried in California.
"I think extraterritoriality is real," Was-
ser says. Privacy lawyers generally agree
that, in the age of globalization, the internet,
"big data" and the Internet of Things,
no country can purport to protect its citi-
zens' privacy without claiming some level
of trans-border reach.
The General Data Protection Regulation
asserts global legal authority over all
data that can identify or be associated with
a European Union citizen, wherever it's
gathered, stored or processed, worldwide.
It covers both digital and paper records,
requires that EU citizens be given access
to any personal data upon request and that
any inaccurate information be corrected
upon request. It says that any EU citizen
may request the erasure of any or all of their
personal data held by a commercial entity
and places time limits on retention of EU
citizens' data.
All records relating to citizens of the
European Union must be protected with
a separately secured identification code
("pseudonymization"), so that, in case of a
systems breach, individuals cannot be identified.
The GDPR mandates that authorities
be notified within 72 hours of a data
security breach and that all "data subjects"
also be notified individually.
The GDPR further decrees that companies
collecting information on EU citizens
must appoint a privacy officer who
is directly liable for any contravention of
the new law. David Corry, a partner in the
Calgary office of Gowling WLG (Canada)
LLP, says this provision places the GDPR
in the category of self-regulatory law, where
daunting fines and personal liabilities are
intended to offset authorities' lack of a vast
enforcement apparatus.
"It's about a big stick and big teeth,"
Corry says. This arrangement also makes
enforcement far easier because the mere
fact of failing to appoint a privacy officer
TIMOTHY BANKS > DENTONS CANADA LLP
The Europeans mean
what they say. They want very
precise rules when it comes
to personal data, not just
broad or vague principles.
The European Court of Justice
has said EU citizens need
protections similar to what
they would have at home. We
should want our government
to do the same.
ILLUSTRATION BY ROBERTO CIGNA
| IN-HOUSE ADVISOR: PRIVACY LAW |