How the European Union's General Data Protection Regulation (GDPR) will impact Canada and the weaknesses inherent in our own legislation will be hot topics for in-house counsel across the country as the GDPR comes into force on May 25.
These concerns didn't go unnoticed at the Canadian Corporate Counsel Association (CCCA) National Conference and In-House Counsel Worldwide Summit, held in Toronto from April 19 to May 1, as they were the subject of a well-attended workshop titled "Compliance in the Global Digital World: Implications of CASL, CAN-SPAM and GDPR."
The panel, consisting of Nina Barakzai, the head of data protection and privacy at the London, Eng.-based Sky; Derek Lackey, the president of the Direct Marketing Association of Canada; and Fazila Nurani, senior privacy counsel at PRIVATECH Consulting of Thornhill, Ont., agreed that the GDPR will raise the bar for regulation.
"The pressure on our government to update our standards is very real and therefore we, aside from abiding by corporate rules, [need to] know when to transfer data," Lackey said, adding that there had been speculation that Canada's adequacy designation would not be up to par when the GDPR comes into effect.
Barakzai provided perspective as someone who is working with data protection in Europe and said her core approach to data and privacy is, "keep it safe; keep it secure; and don't lose it."
She said if you start with those concepts when thinking about how your business deals with confidentiality you will hit a range of compliance that will cover jurisdictions.
Conference attendees discussed high standards in varying jurisdictions and which ones must be met in order to comply. As one attendee told the panel, "I've been told to pick the jurisdiction with the highest bar, but then you get pushback because the highest bar isn't suitable for other countries."
Barakzai explained that in Europe, businesses are starting to say that while it's "lovely" to have a high bar for standards in privacy and data protection, it's impossible to do it in practice.
"Part of the challenge we have as in-house counsel is to express our operational issues to the regulators. In terms of privacy hitting the highest bar, focus on what is the security. How am I making this work in practice? Can I defend this to a regulator? Even if I haven't hit the precise nature of the high bar, will the regulator understand that in practice this is the utmost I can do as an in-house counsel in this commercial environment?
"And what you'll find is the European regulators are now saying, 'we acknowledge that we have set some really high legal challenges and we are now in a position to understand that that harmonizing is beginning to cause commercial challenge and as regulators we want to drive commerce. So, we are now getting together to build the guidelines that will make it a bit more flexible,'" she said.
"They're not going to come and beat you over the head and say, 'you didn't get it right.' What they'll want to see is have you offered, have you made an attempt, and are you thinking about it. And that's when I come back to 'safe, secure, don't lose it.' Because if you've got that objective really clear and upfront you've got a story for your regulators," she added.
The workshop moderator, Neil Beaton, the vice-president of corporate development for the CAPS Group, a company that provides fully automated solutions for GDPR, CASL and CAN-SPAM, as well as the VP of project management at the OTC Group, a marketing company, asked the panel how steering committees can be set up at companies to ensure compliance success.
Nurani noted that having a "risk-based" approach is useful and should be kept top of mind.
"Clearly you want people with that decision-making authority on that steering committee. Where I see a lot of organizations go wrong is they just have their once-a-month steering committee meeting. And it's more of a formality than actually being able to drive that privacy program forward," she added.
Nurani suggested having structured operating principles for the steering committee to give them a clear sense of what their roles are.
That sentiment was echoed by Barakzai, who said steering committee members should have "some skin in the game."
"One of the things that I've found in Europe is that you have these steering committees and you have the policies, but if you don't make the attendees accountable for the data and the work that they're doing, they don't really have any skin in the game," she said, adding that when there's accountability and a tightly controlled agenda people start to turn their minds to the real relevance of privacy and data protection.
"It goes from being 'law' to 'how do I get to my sales target if you won't let me use the data?'" she said.
Lackey added that this will be a time for not just retraining companies on privacy and data but consumers as well.
"They [consumers] are not used to giving permissions and consent for every little thing. So, it's going to be interesting in GDPR how the actual citizens of the EU react to this. Are they going to train them to authentically give and remove consent?" he asked.
Barakzai explained that because of the upcoming deadline for GDPR legislation, EU citizens are dealing with a massive amount of correspondence regarding consent. She questioned how many people are actually reading those requests for consent and how many people might be saying no to consent that don't intend to.
Nurani pointed out that there's a lot of strength in the GDPR, and Canada will soon see guidelines about online consent.
Nurani also noted that recommendations made in February to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) were Canada's reaction to the GDPR.
"The federal privacy commissioner for years has asked for bigger teeth when it comes to the legislation and more powers," she said, adding that the objective of the amendments is to ensure Canada's adequacy designation after the GDPR comes into effect.
"The big concern is that if PIPEDA is no longer deemed adequate, which it has that standing now, then would that create a barrier in terms of data flow between the EU and Canada? So, there's that knowing that we're going to be going through an adequacy review for PIPEDA - let's strengthen the legislation," she explained, noting that in-house counsel should turn to Alberta for privacy and data protection guidance.
"Alberta has had the same test in place since May 2010. All of the commissioner's decisions are on the website. How the commissioner determined whether the test was met of a real risk of significant harm. They have a lot of great guidance of breach notification tools, so clearly the regs very much follow Alberta. That provides us with a good set of resources for compliance," she said.
The panel was also asked whether Canada's anti-spam legislation was making a difference. The resounding response was "not anymore."
"We saw a significant shift in the marketplace on June 7 last year when the private right to action was indefinitely postponed. The market doesn't give a damn now about CASL. We very seldom now field questions, maybe the big organizations, but the average company has stopped. They've moved on," said Lackey, adding that the lack of enforcement is going to kill the legislation and turn it into a joke akin to the 'do not call' list.
"I think CASL needs a ton of cleanup before private right of action. For me, it was a huge relief that it was gone. I had class action lawyers calling me on a weekly basis saying, 'who do we go after?' They were ready because it was going to be easy to be able to find those organizations that are trying their best, but are not compliant because CASL is so poorly drafted," explained Nurani.
This article was originally published by The Lawyer's Daily -- providing Canadian legal news, analysis and current awareness for lawyers and legal professionals who need a real-time view on the shifting legal landscape.