Recent Developments in Data Privacy Regulation and Risk

Recent Developments in Data Privacy Regulation and Risk Mitigation and Compliance Strategies
Canadian Technology Law Association 2019 Annual Conference
John M. Cassell, National Privacy and Cyber-Security Group Co-Chair, Norton Rose Fulbright Canada LLP
October 28, 2019

Agenda
• Introduction
• Anticipated Data Privacy Regulatory Developments
  – Digital Charter / proposed PIPEDA Amendments
• Cross-Border Transfers
• Security Safeguards
• Meaningful Consent
2019 CAN-TECH Law Annual Conference

Introduction
• Major data privacy regulatory developments occurring in 2018:
  – GDPR came into force
  – PIPEDA mandatory breach reporting requirements (November 2018)
• Canadian privacy regulatory developments in 2019 primarily consist of interpretation and clarification of existing regulatory requirements.
• Risk mitigation and compliance strategies are continually updated in response to growing domestic and international privacy/data security regulatory regimes and developing cyber risks.

Anticipated Privacy Developments
Legislative developments on the horizon
• California Consumer Privacy Act (January 1, 2020)
• Digital Charter
  – May 2018: Digital Charter released by the Minister of Innovation, Science and Economic Development Canada.
  – The Digital Charter includes several proposals to update and modernize PIPEDA. The amendments, if introduced, may significantly impact the manner in which Canadian companies collect, use and disclose personal information.
• Proposed PIPEDA amendments include:
  – Revised consent regime/mechanisms
  – Enabling data trusts
  – Data mobility
  – Enhanced OPC powers

Cross-Border Transfers – Evolving Guidance
2019 guidance regarding cross-border transfers
• OPC – PIPEDA Investigation Report #2019-001 (Equifax)
• OPC consultation on cross-border transfers of personal information
• OPC conclusion of consultation on transfers for processing (September 2019) – confirms OPC guidelines for processing personal data across borders remain unchanged.
PIPEDA Investigation Report #2019-003 (Loblaws) (October 16, 2019)
• OPC investigation report provides a useful summary and affirmation of key principles regarding cross-border transfers of personal information.
• OPC analyzed three factors regarding cross-border data flows:
  – Accountability (comparable level of protection)
  – Consent requirement
  – Openness regarding data transfers to third party processors

PIPEDA Investigation Report #2019-003 (Cont.)
Accountability (PIPEDA principle 4.1.3)
• Organizations are responsible for data in their possession or custody, including information transferred to a third party for processing. Contracts are primarily used to provide a comparable level of protection while data is being processed by a third party.
• OPC reviewed Loblaws’ contract with its third party administrator based in the U.S.
• Contract found to provide guarantees of confidentiality and security of personal information and included a list of specific safeguard requirements (para. 41).
• OPC concluded that the detailed contractual requirements were sufficient to ensure a comparable level of protection of data. Loblaws implemented similar safeguards in its contract with another international third party processor.
• PIPEDA Investigation Report #2019-001 (Equifax): OPC discusses minimum requirements under the accountability principle (para. 74).
• When implementing a data-sharing agreement, the requirements set out in Loblaws and Equifax should be consulted and may serve as a baseline.

PIPEDA Investigation Report #2019-003 (Cont.)
Consent to cross-border transfers
• OPC confirmed that if personal information is being used for the purpose for which it was originally collected, additional consent is not required for transfer to a third party service provider.
• Loblaws clearly set out the purpose of collection of personal information at the time of seeking consent from individuals, so additional consent was not required for the transfer to its service provider.
• Reaffirms the importance of the initial consent clearly listing the purposes for which personal information may be used.
Openness Principle
• OPC confirms that the cross-border guidelines require organizations to be transparent about personal information handling practices, including advising individuals that personal information may be sent to another jurisdiction for processing and that data may be accessible by law enforcement/national security authorities in that country.
Risk mitigation reminder: Initial consent should clearly set out the purposes for which the personal information may be used. The name of the service provider and the countries outside of Canada where personal information is transferred for processing should be expressly listed in the accompanying policies.

Security Safeguards
• Updated OPC guidance regarding what constitutes acceptable “security safeguards”.
• PIPEDA principle 4.7: Organizations are required to implement physical, organizational and technological security safeguards over personal information.
• PIPEDA Investigation Report #2019-001 (Equifax) (April 9, 2019) – OPC noted numerous security safeguards over personal information that should be in place:
  § Vulnerability management
  § Network segregation
  § Basic security practices
  § Oversight mechanisms (internal security assessments, external penetration testing)
Risk mitigation reminder: The security safeguards discussed in the Equifax and VTech decisions should form the baseline standard of care for sensitive personal information. Security safeguards should form part of vendor and transaction due diligence reviews.

Meaningful Consent
PIPEDA Investigation Report #2019-002 (Facebook)
• OPC investigation regarding Facebook’s disclosure of personal information of certain users to a third-party app that was later used for political messaging. The focus of the OPC’s investigation included whether meaningful consent was obtained from users for the sharing of personal information with the third-party app.
• OPC concluded that Facebook had relied on third party apps to obtain consent from users, but had insufficient oversight mechanisms to confirm whether the apps had actually obtained meaningful consent.
• Additionally, privacy statements and policies did not expressly indicate that disclosure would occur to third party apps, and the purpose of disclosure was not made clear. OPC found that users cannot provide meaningful consent to disclose third parties’ (“friends’”) personal information.
Risk mitigation reminder:
• Privacy policies need to clearly explain the purposes of use of personal information and refer to disclosure to third parties where possible.
• If relying on a third party to obtain consent from individuals, there needs to be an oversight mechanism to ensure meaningful consent is obtained.

John Cassell
Partner, Norton Rose Fulbright Canada LLP
John Cassell is Chair of Norton Rose Fulbright Canada LLP’s national privacy and cyber-security group. Mr. Cassell assists clients with all types of privacy and cyber-law issues including: responding to complex multi-jurisdictional cybersecurity incidents, advising on privacy risk mitigation and compliance strategies, privacy and cyber components of commercial transactions, advising on CASL compliance issues, access to information requests, as well as helping clients respond to complaints and proceedings before Federal and Provincial Privacy Commissioners. Mr. Cassell also maintains a general commercial civil litigation practice that includes assisting clients with all manner of commercial claims, including responding to privacy-focused civil claims.

Law around the world
nortonrosefulbright.com
Norton Rose Fulbright US LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP and Norton Rose Fulbright South Africa Inc are separate legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to clients. References to ‘Norton Rose Fulbright’, ‘the law firm’ and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose Fulbright entity/entities’). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity. The purpose of this communication is to provide general information of a legal nature. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright.