Lexpert Magazine

March/April 2018

Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.

Issue link: https://digital.carswellmedia.com/i/945258


TECHNOLOGY

The Next Chapter in Data Protection

The EU's new GDPR, coming into effect in May, will dictate new standards for the protection of data around the world

BY GEORGE TAKACH

Data protection law began to be developed in Europe a number of decades ago. So it is entirely appropriate that the next chapter in data protection law — the European Union's General Data Protection Regulation (GDPR) — also comes from Europe.

For Canadian organizations with operations or affiliates in the EU, GDPR will be important indeed. But to be caught by GDPR, one doesn't have to have a branch or affiliate in Europe; it is enough that you have a virtual connection. That is, even if you do not have an "establishment" in the EU where personal data is collected or otherwise processed (which includes stored, used, or retrieved), you can be caught by the GDPR if you undertake any activity (such as offering goods or services to EU residents) that has a "real and effective" connection with the EU (even monitoring remotely the behaviour of EU citizens).

This is why it's important to understand some of the key new parameters of this broad, sweeping data-protection reform effort.

WHY A NEW GDPR?

The EU legislation for GDPR was adopted in April 2016 by the European Parliament, and the new legislation will come into effect in May 2018. GDPR implements some novel concepts, and also reaffirms some of privacy law's longstanding principles. Currently, even these "fair information handling practices," as expressed in the EU's Data Protection Directive now in force, are being implemented differently within the EU because each member state has been able to modify its relevant data protection legislation as it wished. This has led to inevitable inconsistencies across the EU.

This problem will be solved by GDPR, which for the first time will implement the legal privacy-law regime across the full expanse of the 28 (to become 27 after Brexit) member countries of the EU. Doing so will help organizations which have affiliates in EU countries, which is the good news. But while the privacy standards to be met by organizations across the EU will be uniform for the first time, those standards themselves will be set higher.

OLD WINE IN OLD BOTTLES

Many of the data-handling principles of the EU's soon-to-be-replaced Data Protection Directive will carry forward into GDPR. For instance, it will remain a core principle that someone managing the data collection and handling process (typically a "data controller," who oversees the data-handling practices, or a "data processor," who processes data on behalf of a data controller) adhere to a range of data-processing principles, such as having to process data in a lawful manner pursuant to obtaining express consent, or because it is required for the delivery of a certain service.

Other traditional data-handling principles in the GDPR include: purpose limitation (processing data only for the purposes specified to the data subject); data minimization (collecting only that data that is relevant to the approved function); data accuracy (ensuring the data is kept up to date and accurate, and allowing data subjects to require its rectification when it is stale or inaccurate); and data integrity (ensuring that data is stored in an appropriately secure environment).

These data-protection principles have their analogues in Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and its various provincial counterparts, and to that extent they should be familiar to Canadian counsel.

NEW WINE, NEW BOTTLES

Now we turn to the new provisions in GDPR. They are not just more of the same. They are net new, and some of them will prove to be very finicky indeed as they come to be implemented in the real world.

For example, it is now no longer enough to process data lawfully and fairly; under GDPR this must also be done in a transparent manner. This seems innocuous enough until you begin to contemplate what this might mean: to allow data subjects to have the right to information regarding the data controller's data-processing practices.

Consider that you are a financial institution in Canada with an affiliate in Europe, and your Paris office has a complex new fintech methodology for approving personal loans. The system uses pathbreaking, novel artificial intelligence algorithms and work flows in order to make decisions as to whether to grant credit to individuals (say, students for their university education). The system also implements machine learning; that is, over time it compares its track record for loan repayment rates, and "improves" its credit granting decision making with each loan it approves or denies. In effect, it may be that the bank, for any particular student applying for a loan, does not actually know how the system weighs the various personal characteris-
