Law Times

November 19, 2018

The premier weekly newspaper for the legal profession in Ontario

Issue link: https://digital.lawtimesnews.com/i/1052783

Page 12

INTERNATIONAL/CROSS-BORDER LAW

Clients need to be aware of cybersecurity obligations

BY DALE SMITH
For Law Times

Companies or clients that do business internationally, particularly online, need to be aware of their obligations when it comes to cybersecurity and privacy, particularly in jurisdictions such as the United States or the European Union, say lawyers.

The European Union's General Data Protection Regulation, which applies extra-territorially to those doing business in the EU, has requirements around the collection, storage and transmission of personal data.

Lawyers say contravening those rules can mean fines of up to €20 million (about $30 million) or four per cent of global revenues of the companies that violate those rules, whichever is greater.

Paige Backman, a partner at Aird & Berlis LLP in Toronto, says lawyers need to be aware of how the laws of different countries can apply to their clients in Canada.

"You can get into trouble pretty quickly if you're not aware of those laws, and the punishment in the EU in particular can get into some significant issues around damages and penalties," she says.

Backman says the obligations under the GDPR are different than the obligations in Canada.

"Canada currently enjoys adequacy status under the EU data protection laws, meaning that you can transfer data between the EU and Canada with some [additional] requirements, but not as many as if you were transferring [between] the EU and the United States," she says.

Backman says that, under the GDPR, Canadian companies under its jurisdiction must have data mapping in place so that, if someone wants to exercise the right to be forgotten available to them under European law, the Canadian company can locate the company and delete it.

"The levels of consent that are required under different circumstances under the GDPR are different than the consent requirements in Canada," says Backman.

"The GDPR is more prescriptive in terms of the types of consent, but in Canada, we're leaning more to express consent."

Alethea Au, counsel at Stikeman Elliott LLP in Toronto, says lawyers need to do their due diligence when it comes to any kind of outsourcing in which their clients engage, especially if there is a cross-border component to the outsourcing that could have privacy implications.

"For a business that outsources some of their data processing needs, we make sure that there is a chain of accountability," says Au.

"If a client has asked someone to perform a specific function for them, we need to make sure that the privacy and data security obligations that the client is responsible for flows through by way of contract to some of their service providers."

Au says this applies to situations where clients are using cloud servers that may be located outside of Canada, which requires a better and more robust understanding of the regulations and obligations of the cloud service providers.

"The big players certainly understand that, like Amazon Web Services and Microsoft, their security has the right certifications and they provide the right kinds of reports to clients to demonstrate their security practices," says Au.

"Having those are certainly a bonus when clients decide to move to a cloud and which service provider they go to."

Au says this means that lawyers need to have discussions with the chief information officers of their client companies and should be drafting an appropriate breach response plan that reflects how the organization works, including how service providers fit into the business.

Christopher Oates, a partner at Gowling WLG in Toronto, says those doing business in the U.S. should probably find American counsel to navigate those privacy obligations.

"If you're a Canadian resident, the federal overarching privacy law is PIPEDA," says Oates, referring to the Personal Information Protection and Electronic Documents Act.

"It doesn't impose a jurisdictional test, so there are certainly cases where the Federal Court has said that the privacy commissioner can investigate cases that are overseas to the extent they're doing business and collecting information about Canadians," says Oates.

He adds that, likewise, dealing with the Americans' personal information will likely subject Canadian businesses to their regulators, much as Canadians are subject to the GDPR when it comes to European data.

Chantal Bernier, of counsel at Dentons Canada LLP in Ottawa and head of the firm's privacy and cybersecurity practice, says a business' clients must be notified in the company's privacy policy if any of their data is transferred out of country,

See Breaking, page 13
