The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1130923
30 J U N E / J U LY 2 0 1 9 w w w . c a n a d i a n l a w y e r m a g . c o m to go through a different process, I think folks would get sick of that pretty fast." Henry is also watching the various proposed privacy laws across the U.S. and around the world. "Following the Californian trend, the federal legislation in the U.S. is a bit slow, but we saw now legislation coming out of Washington, out of Massachusetts, of Utah, of Vermont. So, different states — and it's really the state legislators that are very active in that field in the U.S. because a federal law will take a long time, if ever, to be adopted — [are] really pushing for consumer data protection and restriction to government access to data. "So, we see that as a major trend, and elsewhere, we saw Brazil adopting its general data protection law that's very similar to the GDPR and that applies to any company that offers services to the Brazilian market. "Really, it's a global trend." Melanie McNaught, a partner with Toronto-based Filion Wakely Thorup Angeletti LLP, says the varying privacy laws around the world can also pose a challenge on the employment front. Canadian companies may find themselves subject to privacy laws in other countries because that is where an employee has chosen to work. "People can work from anywhere now. So, you might have a teleworker and they might be working from Europe and then the question arises, because they're situated in Europe, are they now subject to the GDPR, whereas, in a month, maybe they'll be in Thailand or somewhere else. "The workforce is increasingly mobile and personal information is extremely mobile." One trend privacy law specialists like Henry are seeing is international privacy laws becoming part of corporate due diligence. She says companies in the EU or the U.S. are asking Canadian firms for proof they comply with certain privacy regimes before they will hire them. "More and more, you see vendor due diligence performed by large companies who, before they contract with you, make sure that your privacy infrastructure is robust enough not to put them at risk. "So, those inquiries, those questions from clients, basically, push them to adopt and to improve whatever framework they had in place." Henry says most of the demand for legal services up until now has been at the advisory level — clients trying to determine whether various privacy laws in different countries apply to them and how to comply. However, Henry expects to start seeing pushback in coming months as companies challenge the ability of regulators to enforce privacy laws in countries where a company doesn't have an establishment. "I think the litigators, also, will be busy soon." As it gets more complicated to comply with privacy laws that vary from one country to another, some are beginning to talk about making privacy laws around the world more interoperable. Among them is Michael McEvoy, British Columbia's information and privacy commissioner. "There will be, I think, always some differences in culture and lawmaking globally," McEvoy told reporters in Ottawa in April. "But I sense there is — certainly among privacy regulators — a sense of convergence of similar principles that need to be brought to bear in jurisdictions around the world so that citizens, if you're Canadian and your data travels outside the boundaries of the country, can expect that your data is going to be similarly protected." Speaking to a parliamentary committee in May, Therrien said the move by countries that are Canada's commercial partners to adopt similar laws could improve privacy protection. "I don't think an international treaty is going to happen quickly, but we can think of different countries adopting interoperable laws and the total of the legislative and regulatory actions of different countries could lead to a result," Therrien told MPs. In the meantime, Canadian lawyers and their clients are left navigating a complex patchwork quilt of privacy laws around the world. Henry's advice is to know more than just the law. "A lot of what the clients are asking for is whether we can benchmark what they're doing against the rest of the industry and whether what they are doing is reasonable or not, given the state of the industry and the thinking of the regulators." She says it also helps to be close to the regulators and to know your client's industry. "Some practices that were unreasonable a few years ago in the digital world are now completely accepted, but some practices that some clients want to implement go too far and will trigger not only a privacy risk but also a reputational risk, social media, bad press — which may then lead to an investigation." Scherman says there's no magic or easy button out there. Lawyers should look to the future and stay flexible. "The more you can sort of look at the trend of what privacy laws are requiring, look at the trend of what's best practice and develop a flexible plan to comply with those, the easier your job is going to be down the road because, if you get these processes in place early, compliance can be a lot easier than if you're playing Getting a consent to an act is a very challenging matter —— especially when you're not doing it at the time of collection. Obtaining the consent afterwards can be an incredible, labour-intensive act." Michael Scherman, McCarthy Tétrault LLP