The Lexpert Guides to the Leading US/Canada Cross-Border Corporate and Litigation Lawyers in Canada profiles leading business lawyers and features articles for attorneys and in-house counsel in the US about business law issues in Canada.
Issue link: https://digital.carswellmedia.com/i/991061
30 | LEXPERT • June 2018 | www.lexpert.ca/usguide

… of a security breach, you must notify the relevant national data-protection authority, and promptly (typically within 72 hours of learning of the breach). And if there is a potential harm to data subjects, they must also be notified. While these rules are broadly similar to those coming to Canada when Bill S-4's breach-notification amendments to PIPEDA come into effect, the tighter timelines under the GDPR will require organizations to have even better data-breach plans and procedures.

Another new and related requirement under the GDPR is that controllers and processors implement technical measures to ensure certain levels of security. "Pseudonymisation" will be important; this is a concept by which personal data can be "masked" or modified in a manner so that the data can no longer be attributed to a specific individual. This is an example of the GDPR requiring controllers and processors to undertake "privacy by design" when building their systems and workflows, so that the risk of data breach is reduced.

Enforcing Amnesia

Perhaps the GDPR data-privacy protection rule garnering the most publicity is the so-called "right to be forgotten." In practice, this requires an organization to erase personal information of a data subject under certain circumstances when asked to do so by the data subject. This can be demanded, for instance, if the data subject withdraws consent, or the information is no longer necessary for the original purpose for which it was collected. These requirements are actually reflected (with some different language) in PIPEDA, so to that extent the principle is not that new in Canada.

But here is what's different: if the data controller (essentially, the entity collecting the data) has made the data public (for instance, on a social media site), then that entity has an obligation to notify all others it gave the data to in order to have them in turn erase the links to the data, and so on down the chain of random Internet distribution. This will likely require organizations to create or adopt fairly elaborate computer systems in order to implement these legislative objectives.

The "right to be forgotten" raises some fascinating questions. In short, our social-media-infused age, supercharged by the internet, is creating untold volumes of new data every day. One calculation suggests that more data has been created in the past 24 months than was brought into the world in all of previous recorded history.

In such an environment, implementing an effective "right to be forgotten" will be challenging for sure. A similar (but easier to operationalize) new right that will invariably drive material IT development and deployment is the new "data portability" right in the GDPR. For example, when an employee leaves one employer in the EU and joins another, the data subject can require that the previous employer transfer his or her personal information to the new one. Again, IT consultants will see material additional work from implementing this new requirement for data controllers and data processors.

Non-Compliance is not an Option

The GDPR is very serious about compliance, as can be seen in its enhanced penalty regime. A two-tiered approach is mandated. For certain transgressions (such as violation of the data-breach notification requirement), the fine is up to €10,000,000, or, in the case of companies, up to two per cent of global sales in the prior year. This latter figure could be a very hefty amount indeed. But wait! The total possible fine for a breach of the right to be forgotten, consent requirements, and the right to object (among others) is set at up to €20,000,000, or four per cent of global sales. These are some very significant thresholds for certain companies, and so expect the largest global companies — including some in Canada with meaningful affiliates in the EU — to amplify their global data-protection legal compliance regimes.

Over the past number of years some commentators have taken the view that — with the full-on effects of the internet, e-commerce, and the unstoppable rise of digital generally in our lives — privacy is dead and we should all just learn to live with this new fact of life. Well, clearly the lawmakers in Europe are not buying that line. Rather, in the GDPR, they are making a bold statement to the very opposite effect: that the principle of data privacy is important, and the legal system should buttress it. And with the size of the new potential penalties, even global tech giants will have to take heed of the privacy-law gauntlet that is being thrown down in Europe.