23
CANADIANLAWYERMAG.COM/INHOUSE MAY/JUNE 2019
cesses and educate your business about the
seriousness of the issue," Nguyen says.
Resolver specializes in risk management
software and has established separate data
centres in Canada, the U.S. and the EU.
However, even if your data is hosted in the
country where your business is located, he
says, there still could be jurisdictional and
compliance issues that might not have a clear-
cut answer. "There are still arguments over
what is a data transfer," Nguyen says. "We
provide customer support from a help desk in
New Zealand. If we ask to view your computer
screen with personal data on it, is that a data
transfer? In Europe, the remote viewing of a
screen is considered a transfer," he notes.
Meanwhile, the EU is scheduled to
complete a review by next year and then
state if Canada has maintained its "adequacy
status" in terms of privacy protection. Further
amendments to the Personal Information
Protection and Electronic Documents Act
may also be required to maintain this status
and to regulate new data analytics tools.
PIPEDA was meant to be technology
neutral, says Thompson, and its framework
puts Canada "on a middle road" between
regulations in the U.S. and the EU. "I do not
think it needs to be stricter, but it does need
to be updated to comply with the adequacy
provision," she says.
Whatever changes ultimately come into
force, Thompson says, it should already be
"top of mind" for internal legal departments.
"Have a strategy plan. That will make sure
there is a smooth implementation," she says.
IH