Lexpert Magazine

March/April 2018


Issue link: https://digital.carswellmedia.com/i/945258


TECHNOLOGY | COLUMNS

George Takach is a senior partner at McCarthy Tétrault LLP and the author of Computer Law.

tics and factual matrix of the individual loan applicant; or, even if it did initially, the system "learns" over time, such that it is never stable enough to allow a human to understand the particular mix of variables that went into a certain decision. In such a case, how is the new "transparency" requirement of the GDPR to be met? What exactly do you tell the disgruntled loan applicant when they ask why they were refused credit?

The GDPR also includes a new data-breach notification regime. In the event of a security breach, you must notify the relevant national data-protection authority, and promptly (typically within 72 hours of learning of the breach). And if there is a potential harm to data subjects, they must also be notified. While these rules are broadly similar to those coming to Canada when Bill S-4's breach-notification amendments to PIPEDA come into effect, the tighter timelines under the GDPR will require organizations to have even better data-breach plans and procedures.

Another new and related requirement under the GDPR is that controllers and processors implement technical measures to ensure certain levels of security. "Pseudonymisation" will be important; this is a concept by which personal data can be "masked" or modified in a manner so that the data can no longer be attributed to a specific individual. This is an example of the GDPR requiring controllers and processors to undertake "privacy by design" when building their systems and workflows, so that the risk of data breach is reduced.

ENFORCING AMNESIA

Perhaps the GDPR data-privacy protection rule garnering the most publicity is the so-called "right to be forgotten." In practice, this requires an organization to erase personal information of a data subject under certain circumstances when asked to do so by the data subject. This can be demanded, for instance, if the data subject withdraws consent, or the information is no longer necessary for the original purpose for which it was collected. These requirements are actually reflected (with some different language) in PIPEDA, so to that extent the principle is not that new in Canada. But here is what's different: if the data controller (essentially, the entity collecting the data) has made the data public (for instance, on a social media site), then that entity has an obligation to notify all others it gave the data to, in order to have them in turn erase the links to the data, and so on down the chain of Internet random distribution. This will likely require organizations to create or adopt fairly elaborate computer systems in order to implement these legislative objectives.

The "right to be forgotten" raises some fascinating questions. In short, our social-media-infused age, supercharged by the internet, is creating untold volumes of new data every day. One calculation suggests that more data has been created in the past 24 months than was brought into the world in all of previous recorded history. In such an environment, implementing an effective "right to be forgotten" will certainly be challenging. A similar (but easier to operationalize) new right that will invariably drive material IT development and deployment is the new "data portability" right in the GDPR. For example, when an employee leaves one employer in the EU and joins another, the data subject can require that the previous employer transfer his or her personal information to the new one. Again, IT consultants will see material additional work from implementing this new requirement for data controllers and data processors.

NON-COMPLIANCE IS NOT AN OPTION

The GDPR is very serious about compliance, as can be seen in its enhanced penalty regime. A two-tiered approach is mandated. For certain transgressions (such as violation of the data-breach notification requirements), the fine is up to €10,000,000, or, in the case of companies, up to two per cent of global sales in the prior year. This latter figure could be a very hefty amount indeed. But wait! The total possible fine for a breach of the right to be forgotten, consent requirements, and the right to object (among others) is set at up to €20,000,000, or four per cent of global sales. These are some very significant thresholds for certain companies, and so expect the largest global companies — including some in Canada with meaningful affiliates in the EU — to amplify their global data-protection legal compliance regimes.

Over the past number of years some commentators have taken the view that — with the full-on effects of the internet, e-commerce, and the unstoppable rise of digital generally in our lives — privacy is dead and we should all just learn to live with this new fact of life. Well, clearly the lawmakers in Europe are not buying that line. Rather, in the GDPR, they are making a bold statement to the very opposite effect: that the principle of data privacy is important, and the legal system should buttress it. And with the size of the new potential penalties, even global tech giants will have to take heed of the privacy-law gauntlet that is being thrown down in Europe.
