Chapter 1: Dealing with Data Governance Legal Issues

HTML VERSION

Chapter 1:
Dealing with Data Governance Legal Issues

I. Why You Need Big Data Lawyers, and What to Look For

Every business in big data needs big data legal counsel. This book discusses the legal issues such counsel must handle in Canada. This book also illustrates why not hiring such counsel early creates a heavy legal debt—one with ongoing interest charges and a surprise collection date.

It is widely known that poor data handling practices can result in serious financial and reputational consequences. A legally considered data governance strategy is now standard—and crucial—for ongoing operations and public image. Due diligence measures are also legally required for most approaches to process private data, and for most data-driven marketing strategies.

Moreover, the increasing trend of cyber attacks is raising legal standards for Board members. There is an emerging duty of care for oversight of cybersecurity controls; post-breach reporting is now an established legal requirement; and litigation exposure increases exponentially when a breach causing harm is poorly handled.

For all the above reasons—and numerous others beyond the core privacy issues—the selection of appropriate big data legal counsel is paramount for ongoing business success and viability. The chosen methods of data collection, protection, processing, marketing, transit, validation, use in AI training, and sale are not just technical issues. They are loaded legal issues—especially as 5G, data mining, GPS, RFID, biometrics, and IoT technologies proliferate, and the international markets for data processing continue to grow.

There are certain characteristics to look for in big data legal counsel. It is of upmost importance that such counsel have a demonstrable command of front- and back-end data collection, information security, data-based marketing strategies, data sourcing and processing, decision logic, distributed storage and access mechanisms, and various other technical mechanisms that apply in cloud- and edge-computing environments.

Counsel must also understand the developing global legal norms in privacy, artificial intelligence, and data-broker marketplaces. Moreover, as a base pre-requisite, a firm grasp is absolutely required of the numerous domestic statutory frameworks, industry-specific regulatory guidance documents, and “judge-made” law through cases.

Finally—and most importantly in the short term—it is critical for your big data lawyers to understand what makes an effective legal privilege strategy, in the context of a data-driven business. This strategy should consider when to exercise or waive such privilege following a cyber attack, or other incident triggering a data-related investigation.

Your big data lawyers are an important investment. Choose wisely.

II. Privacy at the Core of Big Data Law

While many big data legal issues extend beyond privacy, they all have some aspect of privacy at their core. This book provides a broad view of privacy from many angles, beginning from its core and circling outward, through the many other areas of big data law.

The discussion will therefore begin with privacy, the original legal right to which was defined in the late 1800s as “the right to be let alone.” Technology has forced this definition to evolve. The right to privacy now exists all over the world, in varying degrees and forms.

[See Samuel D. Warren & Louis D. Brandeis, “The Right to Privacy”, 4:5 Harv. L. Rev. (1890) 194 at 195.]

In Canada, the term “privacy” has no single definition. It is considered a “fundamental human right” with boundaries. The right can be waived by implied consent, which will raise companion issues, including whether the consent was meaningful.

[See R. v. Jarvis, 2019 SCC 10 at para. 128; United Food case, 2013 SCC 62 at para. 38; Nammo v. TransUnion of Canada Inc., 2010 FC 1284 at para. 74; Jones v. Tsige, 2012 ONCA 32 at paras. 39-46; OPC, “Privacy Law Reform - A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy” (Dec 10, 2019) at 2-3, 10, 12 re a rights-based privacy framework in Canada; OPC’s position on Canada’s Aviation No-fly List (June 28, 2007).]

The issues of consent by implication, and whether such consent is meaningful, are usually context-specific. Factual discovery is often required, including with respect to the parties’ reasonable expectations and legitimate business interests. It should also be noted that waiver by implied consent may not apply to all rights under privacy law.

[See RBC v. Trang, 2016 SCC 50 at paras. 34-36, 44-45; OPC’s “Guidelines for obtaining meaningful consent” (May 24, 2018) under “Consent is not a silver bullet”.]

Europe also treats privacy as a human right—with a globally unparalleled level of protection. Moreover, while the U.S. and U.K. have historically treated privacy as a property right (i.e. capable of being waived for a fee), these jurisdictions appear to be changing their outlook. In the short term, however, the private data of Canadians may still effectively be subject to U.S. federal government control in certain cases.

[See Danielle Olofsson, Privacy Protection and Commercial Expression (Toronto: LexisNexis, 2017) at 3, 11; Marry Ross, “What one CCPA co-architect will watch closely with Sacramento back in session” (IAPP, Aug 12, 2019); Kristin Garris, “How Will Two New Privacy Laws Impact Your New York Business?” (Scarinci Hollenbeck, Aug 21, 2019); UK Government, “Online Harms White Paper” (Apr 30, 2019), executive summary at paras. 16-28; Michael Power, The Law of Privacy, 2d ed. (Toronto: LexisNexis, 2017) at §7.7.]

As should now be clear, this book provides an overview of various privacy and other big data issues under Canadian law. It will be of interest to anyone working toward compliance or litigation planning, on the basis of the following:

• “Canada’s cultural definition of privacy is very much a hybrid of the European and American approaches”;
• the threshold for many (but certainly not all) Canadian privacy obligations is high;
• there are numerous exploitable loopholes and “grey zones” in the present Canadian framework, although these framework vulnerabilities are constantly challenged (most recently by a 2019 joint resolution of Canadian privacy regulators); and
• the Canadian government is expected to pursue a global digital privacy framework that respects the Canadian privacy law outlook.

[See Kris Klein and Aron Feuer, Canadian Privacy Law, 3d ed. (Toronto: IAPP, 2018) at chapter 5; OPC, “Resolution of the Federal, Provincial and Territorial Information and Privacy Commissioners” (Oct 1-2, 2019); ETHI Committee Report, “Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly” (Dec 2018) at 73, Recommendation 25; OPC, “Canada’s access to information and privacy guardians urge governments to modernize legislation to better protect Canadians” (Nov 6, 2019).]

III. First Steps and 10 Privacy Law Principles

An organization’s very first step toward privacy compliance, and due diligence against civil litigation, is to designate an officer responsible for privacy compliance. In fact, this is the first fundamental privacy principle embedded within Canada’s federal private-sector privacy framework.

[See PIPEDA, Sch. 1, Principle 4.1.]

The second step is to perform a privacy impact assessment (“PIA”), with respect to any personal data that could arguably be within the organization’s control, either directly or indirectly.

A PIA considers the (anticipated) incoming data, data subjects, data custodians/controllers, data processors, and relevant regulators. Preliminary decisions can then be made on whether the company should be a data controller versus data processor (or both), at least for the purposes of risk- and obligation-modeling. Thereafter, as business operations continue to evolve, the PIA is continually revisited to streamline compliance monitoring and action steps.

The privacy officer should use the PIA to assess risks and the present level of privacy compliance, and to determine additionally required steps. This should all be done with a focus on the following ten fundamental privacy principles found in legislation:

• Accountability;
• Identifying Purpose for Collection;
• Consent;
• Limiting Collection;
• Limiting Use, Disclosure, and Retention;
• Accuracy;
• Safeguards;
• Openness;
• Individual Access; and
• Challenging Compliance.

[See PIPEDA, Sch. 1.]

These privacy principles arose from guidelines issued by the OECD in 1981, and were subsequently adapted by the Canadian Standards Association (“CSA”) in 1996. The CSA’s version was thereafter incorporated into Canada’s federal private sector legislation. That version also loosely arises in the public-sector context, except for the principles of consent-based collection and access-to-information relating to an investigation.

[See Englander v. Telus Communications Inc., 2004 FCA 387 at para. 43; Kris Klein and Aron Feuer, Canadian Privacy Law, 3d ed. (Toronto: IAPP, 2018) at sections 1.6.5, 2.1, 2.7, 3.13, 3.3; PIPEDA, Sch. 1.]

The above ten privacy principles may appear conceptually simple. However, they are deceptively complicated to implement for compliance purposes. The pace of technology is only part of the reason. The larger problem is the principles’ colloquial and aspirational form, which embodies an unclear compromise between recommendations and requirements. Regrettably, the chosen form does not follow proper legal drafting style, and fails to include important policy decisions behind the principles. These issues have been recognized in case law and by the OPC.

[See Englander v. Telus Communications Inc., 2004 FCA 387 at paras. 43-46, citing Perrin, Black, Flaherty & Rankin, eds., The Personal Information Protection and Electronic Documents Act: An Annotated Guide (Toronto: Irwin Law, 2001); OPC, “Privacy Law Reform - A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy” (Dec 10, 2019) at 13, 18 re PIPEDA’s principled-based approach being difficult to apply in practice.]

Of all the above principles, “consent” (principle #3) has been a particularly contentious issue over the last decade. The OPC’s guidance on obtaining meaningful consent has not fixed the problem. Inadequate consent was the basis for the former Ontario Privacy Commissioner, Ann Cavoukian, to resign from the Sidewalk Labs “smart city” project in Toronto, in mid-2018. Inadequate consent was also at the center of Facebook’s practice of facilitating disclosure of user information. Such disclosure was done through third-party apps, and condemned by the federal Office of the Privacy Commissioner (“OPC”) in 2019. In response to such issues, stronger consent rights appear to be on the horizon in
Quebec and other provinces. However, such rights may present practical challenges for trans-border data flows, discussed further in Chapter 8.

[See OPC’s “Guidelines for obtaining meaningful consent” (May 24, 2018); CBC news article re Ann Cavoukian’s resignation from Sidewalk Labs (Oct 21, 2018); Ann Cavoukian’s tweet re disclosure of resignation reasons (Oct 25, 2018); OPC’s Facebook decision (PIPEDA Report of Findings #2019-002, Apr 25, 2019); “The Great Hack” (2019 Netflix documentary, directed by Karim Amer and Jehane Noujaim) re Cambridge Analytica’s use of social media to influence election results; Montreal Gazette, “Quebec wants to regulate the use of personal information online” (Nov 22, 2019).]

The privacy principle associated with “safeguards” (principle #7) is less controversial conceptually, but has received no less attention in recent years due to the increasing prevalence of data breaches. Consider, for example, the OPC’s recent Equifax decision, which identifies basic information security obligations. The law related to the safeguards principle is discussed in greater detail in Chapter 3 and Chapter 4.

[See OPC’s Equifax decision (PIPEDA Report of Findings #2019-001, Apr 9, 2019) at paras. 35-44.]

Ultimately, privacy compliance involves much more than just consent and data safeguards. Responsible data governance involves a continual evaluation of big data operations, with ongoing PIAs, according to each of the ten privacy principles, and according to applicable legal frameworks in the context of binding or persuasive case law and regulatory guidance. Specialized legal counsel should be retained to regularly monitor these matters according to corporate objectives, relevant data governance models, and practical data handling practices.

Note that privacy issues are not limited to centralized data systems. Data governance obligations are also triggered by decentralized systems. Privacy issues relating to cybersecurity, user authentication, and trans-border data flows, apply to vendors developing—and interfacing with—distributed ledger technology. This is discussed further in Chapter 2, subsection III: “Privacy and Blockchain Technology”.