Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/813681
31 CANADIANLAWYERMAG.COM/INHOUSE MAY 2017

a world of big data and the Internet of Things," says Thompson, adding that citizens and organizations alike need guidance.

The commissioner could not force through any consent changes himself — they would need to be legislated — but such legislation won't be straightforward, experts worry. "Some things could be incorporated fairly comfortably, but others are more challenging," Thompson says.

Take the right to erasure, found in Article 17 of the GDPR. Under this rule, an individual can order a data controller to erase any of their personal data in certain situations without undue delay. "The right to be forgotten bumps up, more so in Canada than in other places, against the right to free speech," Thompson says. Altering it could create problems with the Charter and with common law.

In any case, privacy legislation is less effective if the national data protection authority does not have order-making capability. It's another area where Canadian law and the GDPR differ, points out Kris Klein, a partner at boutique law firm nNovation and managing director at the International Association of Privacy Professionals.

Klein cites A.T. v. Globe24h.com as an example of the commissioner's weak powers. Romanian company Globe24h scraped CanLII for legal case information, which it then made indexable by search engines on its website. When litigants contacted it, concerned about their names appearing in search results, it asked for a removal fee.

The privacy commissioner investigated and told the firm to stop. "Shockingly, that was the end of the matter from the privacy commissioner's perspective," he recalls. "There was absolutely no consequence whatsoever to the company and so, of course, it just ignored the privacy commissioner's report."

A complainant had to bring the matter to Federal Court, which supported the commissioner's findings but levied just $5,000 in penalties. "Where's the incentive to do privacy properly?" asks Klein.

The GDPR carries far greater enforcement powers. Data protection authorities can fine violators four per cent of their global revenue or 20 million euros. "We're lagging quite far behind," Klein says.

There are other disparities between the new European law and Canada's own. While PIPEDA and the existing European directive placed the burden of responsibility on the data controller (the company primarily tasked with handling sensitive data), the GDPR places legal responsibilities on the data processor. Any third-party service hired by the controller under contract that has access to sensitive data is a processor, from cloud service providers through to call centre operators.

The status quo makes those service providers responsible only within the terms of a commercial contract, points out Elder. That changes under GDPR. "If they are directly subject to the law, all of them will now have to come up to speed on privacy law," he says.

ANXIETY OVER ADEQUACY

The legal differences between the two privacy frameworks put Canada's adequacy status in question, warns Klein, who also produces the Privacy Scan Canadian privacy newsletter. "It was always tenuous," he says.

The European Court of Justice will view Canada's adequacy in the context of the Max Schrems decision, warns Klein. The Austrian privacy activist took a case to the ECJ arguing that Facebook should not be allowed to transfer his data to the U.S., citing inadequate privacy protections there. Based on his case, the ECJ found the existing Safe Harbour adequacy agreement between the EU and the U.S. invalid, due in part to the potential for state surveillance.

"Any cross-border data transfers between the EU and Canada would become more complex, because we'd have to figure out another way to legitimize that transfer," says Wendy Mee, partner at Blake Cassels & Graydon LLP. "It would certainly slow things down and create more headaches for Canadian organizations," she adds.

To keep compliance in cross-border data transfers with the EU, counsel would need to focus on one of two legal instruments: model contracts or binding corporate rules. The former are boilerplate clauses designed to articulate privacy requirements in contractual agreements. The latter pertain to companies transferring information internally between divisions in different regions.

Elder wonders whether the legal hoop jumping that may be necessary to keep a blanket adequacy finding would be worth it. "I see European companies wanting Canadian companies to sign the same model