The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1019765
32 S E P T E M B E R 2 0 1 8 w w w . c a n a d i a n l a w y e r m a g . c o m they'll fear that they're going to get a fine, they're going to get some negative press, and we don't want that." Morin says the existing system is working well. "Our enforcement regime has been found to be adequate already . . . when you look at all the pieces and the fact that our Pri- vacy commissioner can do an audit if he's got reason to believe. He can take organizations to court. Individuals can go to the Federal Court and they can get damages including changing of practices." Cavoukian, who heads Ryerson University's Privacy by Design Centre of Excellence, says one of the best ways to safeguard privacy is to bake it in from the very start with privacy by design and pri- vacy by default. "In this day and age of ubiquitous computing, massive online connectivity [and] social media . . . there's no way we're going to be able to address all of the privacy harms if we don't try and prevent them upfront. You can't just do it with regulatory compliance after the infractions have happened." Gratton says privacy by design is part of a risk-based approach for companies. "Nowadays, companies want to benefit and make money from the data that they have. They want to innovate. Sometimes, this is through business analytics, so, creating trends, analyzing the data, coming up with statistics and reusing this type of data to produce more services, more products. Maybe sell these trends. Maybe they have a value for a third party. Maybe the government has an inter- est in knowing that specific types of customers in that space have this kind of background and so on. "But they want to make sure they do this right. So, it's less and less about complying with the law. You have a list and you can check boxes." Big Data and emerging technologies also present new challeng- es when it comes to legal concepts such as consent, says Gratton. "One of the challenges is our laws are based on consent, built on the consent model, which makes less and less sense with new types of business models. The internet of things. Smart homes, smart cit- ies. How do you get consent? Can you get consent? "All of these business models sometimes have a lot of players in the chain. So, who's responsible for getting consent? Who had that interaction with the individual? Maybe it's more than one entity. We're definitely going to have to address that." Consent should also be transparent, says Gratton. "Sometimes, I will advise my clients: You can do this. You can hide a consent clause in your privacy policy or in your form and you can do this, but it is going to piss off your customers, so don't do it. It's against the expectation. Customers don't expect you to do this." Ownership of data is another emerging issue. Companies col- lect personal information from customers but then use analytics or algorithms to process that information. Bernier says the visibility of those algorithms and the way the information is processed is an important issue, as is the deletion of data. If a customer asks for their data to be deleted, can they also make a company delete the profile it created using its algorithms? De-indexing or anonymizing the data is one option, but as Geist points out, Canada's federal privacy law is silent on the use of the anonymized or de-identified data often used in Big Data. Biometrics such as facial recognition technology, fingerprints and iris scans is another new challenge in privacy law, says McEvoy. Sometimes, it makes sense, such as using a biometric identifier to allow a prisoner to communicate with their lawyers or download documents from a computer, he says. Other times, it doesn't. "It doesn't make sense to use biometrics to clock people in and out to see if they're properly counting their hours at work. I don't know if that's necessary to collect that kind of sensitive information, whether that's necessary to effect the purpose that an employer would be looking for." McEvoy says technology can also be a challenge for law firms. "Lawyers are doing more and more things online; they're stor- ing information in the cloud, potentially, in some cases. We have to be far more conscientious when we do that to ensure, for example, that a cloud provider is making proper provision for the data and ensure that the privacy rights of clients are properly protected." Therrien agrees that Canada's lawyers should take a close look at their own practices. "We know that the legal profession, as holders of important, sensitive information for their clients, are not all taking the suf- ficient precautions to safeguard that personal information." "That's certainly a sign that we see from our work that the legal profession generally needs to improve its knowledge. Although, I think in terms of awareness, we're probably far better than we were just a few years ago." Lawyers should put privacy on their due diligence checklist, says Bernier. "When they look at all the legal risk analysis for their customers, they must have that on top of the list because of what is at stake in terms of reputation, in terms of penalties, in terms of risk of litigation if something goes wrong." Privacy lawyers should adopt a more transparent approach, Bernier adds. "Privacy policies are not about covering your client's butt. They are about being transparent about your client's information man- agement practices so that your clients' customers are meaningfully informed and engaged in that contract whereby they provide per- sonal information to your client. It has to be customer focused and it has to be in friendly terms — not a contract in legalese terms." Gratton says Canadian privacy law has evolved over the past 20 years. Where once it was a client simply looking for a privacy policy for their website, now there are new challenges in the wake of the GDPR and the Cambridge Analytica scandal. "Now it has become something totally different." "Sometimes, I will advise my clients: You can do this. You can hide a consent clause in your privacy policy or in your form and you can do this, but it is going to piss off your customers, so don't do it." ÉLOÏSE GRATTON Borden Ladner Gervais LLP