Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.
Issue link: https://digital.carswellmedia.com/i/894157
80 LEXPERT MAGAZINE | NOVEMBER/DECEMBER 2017 Exposure "Realistically, there's a scale of compliance [and] some Canadian companies may de- termine their exposure is limited," Young says. Corporations with large sales and operations in Europe will be most exposed and will face the GDPR requirement to designate a privacy officer. Where compa- nies have European operations and a pri- vacy officer, he says, the issue of extraterri- toriality may be moot, since EU authorities will have the option of proceeding against those entities. But he warns that it's unlikely that com- panies based outside the European Union will be successful if they attempt to set up miniscule European subsidiaries as barriers against large EU fines."I would suggest they would look beyond the corporate veil," he says, referring to jurisprudence on limited liability that typically recognizes a legal barrier between a subsidiary and its parent, protecting the parent from liability for the actions of the sub. Corry agrees that subsidiaries in Europe are unlikely to shelter Canadian parent companies from GDPR liabilities. "ey're not going to prosecute ABC Europe Inc. ey're going to prosecute the ABC parent company because the data goes to the par- ent," Corry says. And, of course, global rev- enue flows to the parent, providing a much larger target for fines. As the GDPR comes into effect, query: will authorities in the European Union have the time or capacity to conduct wide- spread compliance examinations of Ca- nadian companies? Young says he doubts routine compliance audits would happen "anytime soon." Still, a systems breach or some glaring contravention of the General Data Protec- tion Regulation could easily attract the attention of European Union authorities. Corry observes that the routine act of transferring information to a cloud-based server could be a contravention of the new EU privacy regime if that server is located in the United States. Patriot Act Whatever else the GDPR may be, it's inar- guably the latest major artifact in the 16- year dispute between the European Union and the United States over the interplay of individual privacy and national secu- rity. Since the Sept. 11 terrorist attacks, the United States, through the PATRIOT Act and other legislation, has made security a top priority, oen above privacy and other civil liberties, while Europe has more oen defended the privacy of its citizens despite the heightened security environment. Central to the ongoing disagreement be- tween the EU and US are the legal actions of Austrian citizen Max Schrems. In 2011, according to court documents, Schrems was a visiting law student at Santa Clara University. When Facebook privacy lawyer Ed Palmieri spoke at the university, Sch- rems was taken aback by the lack of regard Palmieri showed for Europe's Data Protec- tion Directive, which regulates the process- ing of personal data. To press his point, Schrems made a re- quest, under the European right of access, for all Facebook's records on himself and received a CD containing 1,200 pages of data. He then filed complaints with the Data Protection Commissioner (DPC) of Ireland, where Facebook's European head- quarters are located. While the Irish DPC dismissed his complaints, Facebook was nevertheless audited under provisions of the Data Protection Directive and required to delete some files and disable its facial rec- ognition soware. In 2013, when Schrems filed a new complaint with the Irish DPC seeking to prohibit Facebook from transferring data from Ireland to the US, the DPC dismissed his action as "frivolous and vexatious." Sch- rems then sought a judicial review of the Safe Harbor model agreement between the EU and US, but the review found that the agreement provided adequate protection for the privacy of EU citizens. en, aer Edward Snowden revealed the extent of massive electronic spying operations by the US National Security Agency, Schrems argued before the Euro- pean Union Court of Justice that the data of EU citizens clearly lacked adequate safe- guards in the US. In 2015 all Safe Harbor certifications were struck down, taking with them the rights of US companies to collect and process data of EU citizens. Safe Harbor was rapidly replaced by the Privacy Shield model agreement and data continued to flow to Facebook and other US compa- nies. But Schrems is now pursuing a class action against Facebook, with 25,000 par- ticipants. Known as Schrems II, the action alleges that US data surveillance practices render Privacy Shield ineffective in protect- ing the privacy of EU citizens. Given the Snowden revelations and Pres- ident Trump's decision to remove foreign- ers from the protections of the US Privacy Act, lawyers say it appears unlikely Privacy Shield will survive for long. "Prior to the current government, I might have said [Schrems's] concerns were overblown, but now I don't think I can say that," Wasser observes. Supporting this view is the recent warning by errien that, "Canadians have reportedly faced deeply personal interroga- tions when travelling to the US and have been forced to turn over passwords to lap- tops and mobile phones." How this all comes together — or comes apart — for Canadian companies can per- haps best be seen in the recent rejection of a proposed EU/Canada agreement on Pas- senger Name Records (PNRs). Commer- cial airlines routinely collect data on every | IN-HOUSE ADVISOR: PRIVACY LAW | DAVID YOUNG > DAVID YOUNG LAW [The GDPR] makes any organization that collects information from EU citizens subject to the full regime … But a point that should not be lost sight of is that we have privacy laws that have been determined to be adequate.