The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1130923
w w w . c a n a d i a n l a w y e r m a g . c o m J U N E / J U LY 2 0 1 9 29 legislation or regulations before the next federal election in October. In the absence of legislative change, Therrien has been doing what he can. In April, prompted by his office's investigation into a data breach by Equifax, he launched a consultation into a proposed reinterpretation of PIPEDA to require consent for a company to transfer an individual's private information outside Canada for processing. In late May, only days after the government unveiled its digital charter, Therrien announced he was suspending — but not cancelling — his consultation into cross-border data flows. "The historic OPC position gave great weight to the accountability principle in protecting privacy in a transborder context," Therrien told a conference of privacy professionals in Toronto. "Yet, we have seen in Equifax that this principle, as currently framed, does not always provide effective protection. During our investigation, Equifax officials had difficulty answering basic questions as to who was responsible for their clients' personal information as between the Canadian and U.S. affiliates." Scherman says companies have been relying for a decade on the existing guidance that transferring data to a third party for processing didn't require additional consent. He says Therrien's proposed change really threw "the industry into a bit of a panic." "Getting a consent to an act is a very challenging matter — especially when you're not doing it at the time of collection," Scherman says. "Obtaining the consent afterwards can be an incredible, labour-intensive act. So, going back to all your existing customers and potentially having to request that consent could be very significant." The biggest change on the international privacy law landscape has been the GDPR, which is considered by many to be the new gold standard in privacy regulation since it took effect in May 2018. It outlines rules for handling the private information of European residents and backs them up with the prospect of stiff fines — up to 20 million euros or four per cent of a company's worldwide annual revenue for the previous year, whichever is higher. Any company around the world that breaks the rules can face fines — even if it has no establishment in Europe. One of the GDPR's key measures is privacy by design — a concept developed by former Ontario privacy commissioner Ann Cavoukian. Privacy by design calls for privacy considerations to be included from the start. Under the GDPR, companies must notify affected customers within 72 hours of becoming aware of a data breach. Consent to use someone's information must be obtained using clear language. European residents can withdraw their consent or ask to see their information that a company has collected. They can take their data with them if they switch to another company. The GDPR also includes the right to be forgotten, which allows an individual to ask for information about them to be erased. The GDPR has been prompting other countries to beef up their own privacy protection regimes. In the past year, European data protection authorities have been active, issuing orders and levying fines, says Henry. "We've seen lots of activity coming from the French CNIL with the Google decision — the 50-million-euro fine against Google by the French data protection authority. The Germans also have been very active. The ICO in the U.K. has been very active and the Dutch DPA has been very active. "Northwestern Europe has been very active overall." In the U.S., the International Association of Privacy Professionals has identified 14 states, including California, where privacy protection legislation has been proposed or adopted. Kelsey Finch, a Seattle-based senior policy counsel for the Future of Privacy Forum, says the Cambridge Analytica scandal and the GDPR have prompted big changes. "I think a lot of it is a response to the GDPR and a lot of our multinationals having to do the compliance work to come into compliance with that and then looking around and saying, you know what — it doesn't make sense to offer two different regimes and two different sets of privacy rights to folks in the EU versus in the U.S. We'll just roll it out everywhere." Traditionally, the principle privacy protection in the U.S. has been the Federal Trade Commission, which has the power to protect consumers and penalize deceptive or unfair practices. The agency fined Google US$22.5 million in 2012 for what it told users about the way its tools tracked them. It has been negotiating a settlement with Facebook over the Cambridge Analytica scandal that is expected to run into the billions. But Finch says there has been a multiplication of privacy legislation being introduced across the U.S., starting with California's law, which was adopted as a ballot initiative. "We're seeing the states stepping in, pretty actively and pretty quickly and taking on a number of different approaches. We're seeing federal proposals start to emerge as well, although that's a little bit slower." Finch says she is seeing a wide range of proposed privacy legislation — from algorithmic accountability and the use of biometrics such as facial recognition to more than 400 different student privacy bills. At the municipal level, she is starting to see surveillance ordinances. However, Finch says there's also a downside to the prospect of having so many different laws being proposed across the U.S. "It's really hard to have 50 different laws apply and it's really difficult for people to comply with 50 different laws on how to get consent and how to process data and what kind of notices to give. "I think that consumers would get a certain level of fatigue. If every time you accessed a website from a different state you had The awareness triggered by the GDPR also triggered more consultation and more advisory work on our end on Canadian law, too." Elisa Henry , Borden Ladner Gervais LLP