The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1544922
FEATURE 10 www.canadianlawyermag.com CROSS EXAMINED can no longer treat this as a straightforward procurement choice. He says companies must conduct privacy and cyber-impact assess- ments before negotiating contractual protec- tions, such as data deletion rights and limits on cross-border redundancy paths. Contract language itself is also under greater scrutiny. For traditional cloud and outsourcing deals, Ahmad says, "data deletion is one that comes up a lot," and he spends time with clients on data redundancy, and on data deletion or suppression after contracts end. These points, once treated as boilerplate, now go to the heart of who can access an organiza- tion's data, where, and for how long. Artificial intelligence sharpens that risk calculus further. Ahmad contrasts a conven- tional database, where a company can honour a right to be forgotten request by deleting the fields tied to an individual, with an LLM trained on the same data. "You go to an LLM and say, 'All the data I gave you by accident or that I don't want to give you anymore – I want you to delete it.' That is almost impossible to do," he says. That reality is pushing corporate clients to draw harder lines in AI contracts. Financial institutions and telecommuni- cations companies are shaping the response inside Canada. Ahmad points to existing OSFI expectations that already require some banking data to be onshore, and to the heavy investment by telcos and others in Canadian hyperscale data centres, as signals that local- ization is moving from theory to infrastruc- ture. He says Canada's financial institutions and telecoms "have the wherewithal, finan- cially and just knowledge-wise, to build" the domestic capacity. Crucially, the data sovereignty discus- sion has moved to the top. He sees boards engaging directly with data residency issues as part of their oversight of strategy and geo- political risk. Directors want to know whether the company is "well positioned to make sure this happens in a way where we're not abused or taken advantage of." For Canadian organizations that want to stay ahead of tightening localization and cross-border rules, rather than scramble when regulators or customers come calling, Ahmad suggests a few key steps. First, they should invest real time in governance by understanding what data the business has, where it sits, how sensitive it is, and how it is segmented, because "you can tier your data; you don't have to put it in one place." Second, they should maintain a detailed inventory of critical third-party providers and push those vendors to provide up-to-date privacy impact and threat assessments, rather than relying on assurances that may be years old. Canada may see itself as a smaller market compared to the United States. Yet, Ahmad stresses that it remains a G7 economy with sophisticated companies that should negotiate from a position of strength when contracting with foreign vendors. "We have huge R&D and innovation; we have world-class compa- nies – we should be able to negotiate aggres- sively as needed." "We have huge R&D and innovation; we have world-class companies – we should be able to negotiate aggressively as needed" OFFICE OF THE PRIVACY COMMISSIONER – KEY GUIDANCE ON DATA TRANSFERS Organizations remain accountable for personal information transferred to third parties for processing, including across borders A transfer for processing is not a "disclosure" but requires contractual and practical safeguards Organizations should assess and mitigate risks associated with foreign laws and access by public authorities Transparency is key: privacy notices should clearly explain cross- border data transfers and associated risks