Canadian Lawyer

June/July 2019

The most widely read magazine for Canadian lawyers

Issue link: https://digital.canadianlawyermag.com/i/1130923

impose additional obligations on European data coming into Canada, which would be a headache for businesses, she says.

But if PIPEDA is going to be made stricter, it must happen through an amendment to the act via Parliament, Lifshitz says, adding that the OPC risks going beyond interpreting the law to making the law.

"My issue is that they're trying to do what Parliament's not doing. They sense a lack, so they're trying to fix it," she says. But "how far can they really go before they start to essentially create something that's not there?"

The findings on cross-border data transfers reverse 10 years' worth of the OPC's public guidance, says Bernice Karn, a partner at Cassels Brock & Blackwell LLP. According to the OPC's previous guidance, a company could send a Canadian's personal information outside of Canada for processing if the appropriate protections were in place, she says.

"That's huge," she says. "I just think that's going to throw the whole of outsourcing into disarray. . . . I can't really think of a situation nowadays where organizations process their own data."

She says that a requirement to give consent to processing is not likely to "have much of an effect on whether or not a data breach is going to affect that information in the hands of the processor."

Larocque says the OPC's change in position came through the Equifax investigation, where it "became apparent" that the opinion that a transfer of personal information between organizations was not a "disclosure" — which Lifshitz says was the position of previous OPC guidance — was "likely not correct as a matter of law."

"In other words, our view is that PIPEDA — as the law is currently written — requires consent for such disclosures," says Larocque.
Pop-up notifications asking for cookie-use consent have become common on website home pages, and Imran Ahmad, a partner at Blake Cassels & Graydon LLP, says they could be coming for trans-border data transfers. This will create the operational challenge of segregating data where there is no consent for crossing the border from data where there is.

Ahmad says the Equifax findings show that the OPC is becoming "very specific" and technical in its expectations, while previously allowing organizations to identify industry best practices to establish standards and certifications.

As to what to tell clients about their data, Ahmad says, the interpretation by the OPC remains in force until it is officially revised. He says he expects the private sector to pepper the OPC with submissions during the consultation period, detailing the difficulty of implementing these consent requirements.

"This is just a revisit to get comments in; it is not the official position just yet," he says. ". . . You don't need to move to the consent model just right away. Put it on your radar. It may be coming down the pipe.

"And I always remind folks, the regulator's position is their interpretation of the law; it is not binding necessarily," he says. "And if we have a different view on it, certainly we can voice that view, because the law hasn't changed. PIPEDA remains the same."

Larocque says the government recognizes Canada's privacy regime needs an update and a conversation about legislative reform "may touch on the issue of trans-border data flows."

But apart from cross-border data transfers, Equifax made several "classic errors," says Lifshitz. There were too few resources devoted to data security, there was not a sufficient internal system of vulnerability notification, it kept data for too long and it had no point person with authority on data security processes.
Like many organizations, Equifax had a good "paper policy," as opposed to an active set of practices and standards that was familiar to those in the organization from top to bottom.

"Clients can have wonderful [policy on paper], but there really need to be resources devoted [to] making sure these things are living, breathable, reflect the reality and are actually implemented. Training is critical, too," Lifshitz says.

Another key detail from the Equifax findings was that the OPC said it was inappropriate for Equifax to rely on third-party audits, Lifshitz says. An outside auditor had given it a clean bill of health, but its own internal audits had come up with multiple security deficiencies. The OPC said Equifax should not have been relying on the certification it got from the outside auditor when it knew it was vulnerable.

"There's an additional step required. If you are privy to additional information [that] would cast doubt on that audit, then you still have legal obligations to take additional steps to correct the deficiencies," she says.

Ronald Toledano is a partner at Spiegel Sohmer in Montreal and his practice focuses on intellectual property, corporate and commercial law and includes providing advice to clients on their legal responsibilities when subject to a data breach.

Toledano's post-breach game plan begins with notifying anyone whose personal information was accessed; investigating, containing and mitigating the damage of the breach with an IT forensic team; addressing the public relations aspect to minimize reputational damage; notifying the privacy commissioner; and every one of these steps and everyone involved must be documented and kept for 24 months.

"Then let's move forward and see how we can go and mitigate potential future breaches. Because the cyberattacks aren't going to stop," he says.

Toledano deals mostly with clients in IT and pharma.
It is organizations handling citizens' health records that the privacy commissioner is most atten-

"You need to now, in a ledger, keep a record of that [cyber-] incident for a period of two years. And the regulator can literally knock on your door and say, 'Can I see your register, please?'"
Imran Ahmad, Blake Cassels Graydon LLP
