Canadian Lawyer InHouse

Dec/Jan 2011

Legal news and trends for Canadian in-house counsel and c-suite executives

Issue link: https://digital.canadianlawyermag.com/i/50876

providers in multiple jurisdictions." There's also a lot at stake, he adds. "To the extent that there is a security incident involved, there could be regulatory investigation, there could be potential litigation risk, and there could be adverse public relations associated with media exposure."

As a result, the last decade has seen companies — and their legal departments — increasingly focus on compliance with national and international privacy regulations. Whether a business transfers its personnel records to an affiliate overseas or circulates client account files between international branches, keeping that information secure is a company-wide effort, one that relies heavily on in-house counsel, says De Chastelain.

The counsel's role is, first and foremost, "to be a strategic adviser to the business, with respect to the issue of data flows, both in-country and externally," he says. "In that regard, what is incumbent on you is to ensure that you have a sense or an awareness — and thereby the business has a sense and awareness — of what data you manage, the nature of that data, and where that data travels, and what would be the legal considerations involved in that." That means guaranteeing the proper security protocols and consents are in place, and if the company sends data to third-party service providers in other jurisdictions, that all processing agreements include appropriate privacy controls.

Contracts are a key aspect of in-house counsel's job when it comes to privacy, says Kardash. By now, the industry has developed a checklist of evolving, but relatively standard, provisions for cross-border processing agreements, he says. Organizations will want the right to review or audit a service provider's operations after the contract is signed, for example, and to the extent possible, they'll want advance notification if the service provider needs to share personal information with the courts or law enforcement.
"You would also include notice in your company's privacy statement expressly referencing that data may be transferred across borders into the U.S. or other jurisdictions," he says.

Canadian organizations send data primarily to the U.S., home to many third-party service providers that facilitate or take on various corporate operations, says Theo Ling, a partner at Baker & McKenzie LLP's Toronto office and chairman of the firm's global privacy and information management steering committee. And many companies with business throughout North America — or Canadian companies with a strong U.S. presence — are consolidating their servers, boosting the flow of data across the border, he says.

Unlike Canada, which tends to enact umbrella privacy laws, the U.S. has carved up responsibility for privacy matters into different pieces of legislation, each attached to a specific sector or context, Ling says. What's more, many states have mandatory breach notification laws, meaning companies must alert customers when personal information has been compromised, even if the customer is in Canada.

Similar requirements could soon apply to all Canadian companies, regardless of where they operate. Earlier this year, the Alberta government amended its private-sector privacy laws to include breach-reporting requirements, and similar changes are in the works for PIPEDA. The switch would call attention to an often-neglected aspect of privacy protection; a recent study conducted for the federal privacy commissioner found 42 per cent of Canadian businesses aren't concerned about security breaches related to customer data. Only a third have concrete procedures to deal with a breach.

From investigating the source of the problem — is there some oversight in privacy procedures or a breakdown in the established controls — to keeping privacy regulators and affected individuals in the loop, in-house counsel play a central role in handling data breaches.
Sometimes, the trickiest part is getting everyone in the company on board, says De Chastelain. Counsel shouldn't "pull a Chicken Little," he says, but by the same token, they don't want to delay issuing a statement or notifying customers just because someone in the organization didn't grasp the sensitive nature of the situation.

For consumers, one of the most worrying aspects of global data transfers remains the possibility that foreign authorities could access their personal information. The issue at the heart of the RIM dispute has also sparked similar complaints in Canada, most famously against Canadian financial institutions outsourcing data processing to U.S. firms. But under Canadian legislation, companies can't prevent U.S. service providers from responding to lawfully issued subpoenas.

In those situations, it's up to the organization to show it's not handing over personal information indiscriminately, says De Chastelain. "Within our business, which is a consumer finance business, we'll often be called upon by tax authorities, local law enforcement, to provide information around our account holders," he says. "What we have done as a matter of policy . . . is say, 'We're certainly happy to provide you with that information, but it either has to come as the result of a formal production order — that's a warrant or a court order — or you have to indicate to us what the statutory authority is for your ability to request that information and for us to produce it.'"

As organizations expand across sectors and borders, the need for internal privacy expertise continues to grow. Many organizations are tapping in-house counsel to come up with a global approach to privacy protection. Jeff Green, chief privacy officer for the Royal Bank of Canada, says in-house legal staff helped implement an enterprise-wide privacy program in 2008 to replace a multitude of local privacy programs in more than 50 countries.
"We eliminated multiple policies that were all sort of saying the same thing. It's about efficiency, but the outcome is actually better compliance because it's easier for employees [to follow the policy]."

The changing nature of technology and business means counsel must ensure a company's policies and practices keep up with the current privacy norms, says Green. The rise of cloud computing, among others, is set to stir up the privacy landscape in coming years, and could lead to even tighter regulations. "Your people have to stay apprised — they're interacting with regulators, following up with guidance coming from the privacy office," he says. "Your business decides to get into a different product line, technology changes, regulators might react to something happening in the environment. . . . There's always something coming down the road that you have to be prepared for."
