The premier weekly newspaper for the legal profession in Ontario
Issue link: https://digital.lawtimesnews.com/i/1052783
Law Times • November 19, 2018 Page 13 www.lawtimesnews.com whether for processing or host- ing. "Valid consent means that the individual understands the consequences of providing the information," says Bernier. She adds that European data being transferred to the U.S. has to have certification under the EU-U.S. privacy shield and, if not, using the standard contrac- tual clauses approved by the Eu- ropean Commission. Bernier says that when it comes to European data that is being transferred to a country such as India, companies need to have standard contractual claus- es because there is no EU-India privacy shield. Those clauses will dictate how privacy will be protected in accordance with the GDPR obligations. Bernier adds that notification also means that a business' cli- ents need to be aware that their data will come under the appli- cable laws of those jurisdictions, which can include access by law enforcement officials. "If there is only one country, then it's easy," says Bernier. "Transparency favours that you name the country." Bernier says contracts with outsourcing companies in India can include things such as data security measures and privacy audit trails. "The transfer must not com- promise a comparable level of protection [to Canada's]," says Bernier. Oates says Canadian busi- ness' obligations include the fact that they are accountable for data that gets transferred to the U.S. or overseas for processing or storage. "You need to enter into con- tracts to ensure that the data is adequately protected in ac- cordance with Canadian stan- dards," says Oates. "On top of that, there are obligations for transparency in the federal privacy law, and the commissioner has held that that includes international f lows of data and the resulting potential for foreign government or law enforcement to access it." This kind of law enforcement access granted in the U.S. under post-9/11 laws such as the Pa- triot Act and others means that companies need to notify their clients of this potential. "You're not going to be able to contract around foreign na- tional security law or foreign law enforcement," says Oates. When it comes to the United States, says Backman, there is very little in the way of overarch- ing federal framework, but it does have sectoral legislation. "Each state will have its own laws within its own sectors," says Backman. "Depending on the industry that you're operating in, and de- pending on the states that you're operating in, you may have 20 different pieces of legislation that you're going to need to know about and try to comply with." Backman says this makes it easier for those doing busi- ness in Canada because they are more aware of what they need to comply with. "In the States, it's so sectoral and industry specific, it's like a puzzle in trying to fit together the different pieces of legislation that you need to be aware of and comply with," says Backman. When it comes to clients gathering data for their opera- tions, Backman says, she advises clients to be clear about what information they are collecting and why they are collecting it. "Limit the amount of infor- mation to what is necessary," says Backman. "Make sure that you've got data security that is connected to the sensitivity of the information." Backman says information needs to also be considered in the context for which it's being gathered, meaning that other- wise innocuous information may become sensitive in partic- ular contexts. "If you go with these basic principles, you've got a really good start, whether you're in Canada or the U.S., or even in Europe," says Backman. Antoine Guilmain, an associ- ate at Fasken Martineau DuMou- lin LLP in Montreal, who also practises in Paris, says lawyers need to ensure that their clients are compliant with GDPR be- cause they may get requests from customers to exercise rights such as the right to be forgotten, and if businesses can't comply, they may suffer reputational damage. "In some situations, you may need to appoint a data protec- tion officer," says Guilmain, add- ing that companies need to have data-mapping tools in place that are updated on a frequent basis. While Canada is moving to- ward privacy by design as a stan- dard practice, Guilmain says, this is an obligation under the GDPR. He adds that it is also incum- bent upon lawyers to ensure whether European countries in which their clients do business have additional obligations on top of GDPR, citing the example that France includes the protection of privacy for the deceased, which is not included in the GDPR. "Canadian lawyers should look behind the GDPR," says Guilmain. "It's a bit more com- plex than it looks." LT INTERNATIONAL/CROSS-BORDER LAW SOLVING CANADIAN CUSTOMS & TRADE PROBLEMS ISN'T ROCKET SCIENCE! WE HELP CANADIAN LAWYERS ON THESE ISSUES EVERY DAY! 416.864.6200 | 416.864.6201 (FAX) | TAXANDTRADELAW.COM Third Floor, 24 Duncan St. Toronto Ontario, Canada M5V 2B8 2015-16 TOP 5 Tax Law BOUTIQUE C A N A D I A N L AW Y E R M A G A Z I N E AW A Y W E E C A N A D I A N M A M G A A Z I N E 2015 16 OP 5 T w BOUTIQU 22001155--1 -1 - 6 16 TTOO TOP O 55 TTax Law ax Law Tax Law ax L x L BBO BOU O T UTIIQ IQU QUE U A N L A L W A Y W E Y R M A M HELPING YOU. HELP YOUR CLIENTS. ® TAX & TRADE LAWYERS MillarKreklewetz_LT_Apr9_18.indd 1 2018-04-05 9:55 AM Continued from page 12 Breaking rules can mean hefty fines for companies Alethea Au says lawyers need to do their due diligence when it comes to any kind of outsourcing in which their clients engage. Valid consent means that the individual understands the consequences of providing the information. Chantal Bernier