The Lexpert Guides to the Leading US/Canada Cross-Border Corporate and Litigation Lawyers in Canada profiles leading business lawyers and features articles for attorneys and in-house counsel in the US about business law issues in Canada.
Issue link: https://digital.carswellmedia.com/i/991061
www.lexpert.ca/usguide | LEXPERT • June 2018 | 29

relevant data protection legislation as it wished. This has led to inevitable inconsistencies across the EU.

This problem will be solved by GDPR, which for the first time will implement the legal privacy-law regime across the full expanse of the 28 (to become 27 after Brexit) member countries of the EU. Doing so will help organizations which have affiliates in EU countries, which is the good news. But while the privacy standards to be met by organizations across the EU will be uniform for the first time, those standards themselves will be set higher.

Old Wine in Old Bottles

Many of the data-handling principles of the EU's soon-to-be-replaced Data Protection Directive will carry forward into GDPR. For instance, it will remain a core principle that someone managing the data collection and handling process (typically a "data controller," who oversees the data-handling practices, or a "data processor," who processes data on behalf of a data controller) adhere to a range of data-processing principles, such as having to process data in a lawful manner pursuant to obtaining express consent, or because it is required for the delivery of a certain service.

Other traditional data-handling principles in the GDPR include: purpose limitation (processing data only for the purposes specified to the data subject); data minimization (collecting only that data that is relevant to the approved function); data accuracy (ensuring the data is kept up to date and accurate, and allowing data subjects to require its rectification when it is stale or inaccurate); and data integrity (ensuring that data is stored in an appropriately secure environment).

These data-protection principles have their analogues in Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and its various provincial counterparts, and to that extent they should be familiar to Canadian counsel.
New Wine, New Bottles

Now we turn to the new provisions in GDPR. They are not just more of the same. They are net new, and some of them will prove to be very finicky indeed as they come to be implemented in the real world.

For example, it is now no longer enough to process data lawfully and fairly; under GDPR this must also be done in a transparent manner. This seems innocuous enough until you begin to contemplate what this might mean: to allow data subjects to have the right to information regarding the data controller's data-processing practices.

Consider that you are a financial institution in Canada with an affiliate in Europe, and your Paris office has a complex new fintech methodology for approving personal loans. The system uses pathbreaking, novel artificial intelligence algorithms and work flows in order to make decisions as to whether to grant credit to individuals (say, students for their university education). The system also implements machine learning; that is, over time it compares its track record for loan repayment rates, and "improves" its credit granting decision making with each loan it approves or denies.

In effect, it may be that the bank, for any particular student applying for a loan, does not actually know how the system weighs the various personal characteristics and factual matrix of the individual loan applicant; or, even if it did initially, the system "learns" over time, such that it never is stable enough to allow a human to understand the particular mix of variables that went into a certain decision. In such a case, how is the new "transparency" requirement of the GDPR to be met? What exactly do you tell the disgruntled loan applicant when they ask why they were refused credit?

The GDPR also includes a new data-breach notification regime. In the event