Data Privacy & Artificial Intelligence


Data Privacy & Artificial Intelligence


Data breaches are a constant and ever-evolving problem, with no simple solution. Even small breaches have the potential to cause massive damage.

Protection from data breaches is rooted in training, proactive network monitoring, and continuous system reinforcement through upgrades/patches.

A formal breach plan focuses these measures according to legal standards and industry best practices.

The immediate objectives of a breach plan are:

  • identify and document operational risk tolerance specific to your organization within its industry; and

  • develop risk-mitigated approaches to data collection, use, disclosure, retention, accuracy, security and disposal.

The ultimate purposes of a breach plan are:

  • minimize delay to react to breaches;

  • maximize effectiveness of the reaction to breaches;

  • minimize liability for breaches; and

  • minimize damage caused by breaches.

We help draft breach plans according to regulation, case law, privacy-by-design and other industry best practices. Our breach plans also include appropriate safeguards in IT contracts with customers (i.e. users), and third party vendors (i.e. arm’s length data processors).

We also work with third party counsel for breach-plan compliance with the GDPR in Europe, and U.S. data privacy regulatory framework.

Top of “Data Privacy & Artificial Intelligence“


Reacting to Breaches: Breach Records, Notification and Reporting


As of November 2018, private organizations must keep records of all security breaches exposing personal information, for 2 years after each breach is discovered. The records must contain information to assess compliance with breach reporting requirements.

For any breach that creates a “real risk of significant harm” to an individual:

  • the individual must be notified in a specified form as soon as feasible upon discovery of the breach;

  • notification of the breach must be given to any organization or government institution that could reduce the risk of harm;

  • the breach must be reported to the Privacy Commissioner in a specified form; and

  • the breach record must be disclosed to the Privacy Commissioner upon request.

Failure to report can result in a fine upwards of $100,000.

Whether there is in fact a data breach, and whether that data breach causes a “real risk of significant harm”, are legal questions that differ from case to case.

We help organizations fulfill their post-breach legal obligations, while positioning the organization to limit its liability and damage, and limit any damage caused to third parties.

We also work with third party Public Relations firms to further limit reputational damage caused by a breach.

Top of “Data Privacy & Artificial Intelligence“


Cybersecurity Standards and Management of Third Party Risk


Data privacy breaches can spawn common law claims in tort, negligence, breach of contract, breach of trust/fiduciary duty, breach of privacy, intrusion upon seclusion, and unjust enrichment. In certain cases, a breach can also invoke criminal liability, and/or liability under various statutes within the Canadian privacy law framework. Organizations are generally also responsible for Privacy Commissioner reporting in respect of breaches that occur with third party data processors.

A proactive approach to avoid such liability—before it accrues—is the best approach. Internal cybersecurity standards should be set and adhered to, and such standards should be entrenched in contracts with third party data processors.

In Canada, the applicable legal standard for cybersecurity is informed by various OPC decisions. Those decisions have found inadequate cybersecurity measures with respect to the following:

  • documented security policies and practices;

  • password administration;

  • key and password management;

  • multi-factor authentication;

  • encryption measures;

  • security monitoring and logging;

  • audit trails;

  • appropriate VPN use;

  • network segmentation including with firewalls;

  • network activity logging;

  • virus protection;

  • timely upgrading and patch implementation;

  • accountability of third party data processors;

  • inconsistent security measures applied between pools of redundant data;

  • backup system testing.

Further guidance regarding cybersecurity standards are available from the OPC, provincial privacy commissioners, other Canadian regulators (e.g. OSFI, MFDA, CSA, IIROC), and through other compliance frameworks (e.g. PCI DSS, NIST, ISO27000, SOC1 & 2, COBIT, OWASP, Privacy By Design, NIS Directive).

Additional guiding principles are provided in numerous other sources. For example, the “10 Immutable Laws of Security” (Microsoft Security Response Center, 2000).

We can help establish your legal baseline for cybersecurity, and proactively minimize your liability when a breach eventually occurs.

Top of “Data Privacy & Artificial Intelligence“

Defending Against or Prosecuting a Breach

A lawsuit generally requires the Plaintiff to prove “liability” and “damages” to have any chance at recovery.

Liability and damages flowing from a data breach can involve complicated questions of law, and contentious questions of fact. Litigation counsel should be familiar with the available causes of action, and have experience litigating commercial and civil matters.

Cyber insurance coverage may also be disputed, depending on the organization’s systemic practices relating to data privacy. On either side of such a dispute, litigation counsel should know the relevant insurance law principles, and have practical experience resolving disputes for insurers.

Disputes may also extend to foreign jurisdictions on matters of data residency and disclosure of source code.

We can assess your case for prosecution or defence, and thereafter represent you in data-breach or related insurance litigation. See our Litigation & Arbitration service offerings.

Top of “Data Privacy & Artificial Intelligence“

Digital Authentication

As digital authentication legal frameworks in Canada mature, we expect that digital identify verification will become a commonly outsourced service to Canadian financial institutions and foreign affiliates.

These developments are expected to extend to the cryptocurrency industry, specifically with regard to crypto-wallet ownership and control, and activities of dealers in digital asset securities.

Preliminary legal clarification for digital authentication operations is provided by DIACC, in its Pan-Canadian Trust Framework. However, there are no model contracts involving interaction with this framework.

Your implementation of a digital authentication system will require a lawyer familiar with the status of relevant policy and direction, in Canada and internationally.

As your digital authentication counsel, we can help limit your risk in this area, navigate anticipated regulations, and plan for best practices with the blockchain-type “federated solution” proposed by the Canadian Bankers Association.

Top of “Data Privacy & Artificial Intelligence“

Data Residency

Data residency requirements are generally meant to control the locality of data at rest, and the channels of data flow.

There is no global standard for how and where data should rest, flow, and be accessed.

For example, while there is a free-flow of personal data between Canada and the U.S. (pending ratification of the USMCA), data flows to various other countries are subject to data residency requirements.

In contractual negotiations, Canadian entities therefore have varying levels of bargaining power on data residency issues. The primary factor is where the opposite contracting party is domiciled.

Negotiations should be undertaken with an understanding of the nature of the data concerned, as well as the data residency rules in the following:

Knowledge of geopolitical standards with data residency is also imperative. In particular, for any data residency negotiation, there should be an appreciation of Canada’s international law obligations with respect to data flows.

Finally, a Canadian entity’s domestic data flow obligations must be appreciated. Operations may need to be harmonized with public data storage and access requirements of certain Canadian provinces.

As your data privacy lawyers, we can assist with maximizing the flexibility of your data-residency strategy across global operations.

Top of “Data Privacy & Artificial Intelligence“

Privacy and Artificial Intelligence

[This section is under construction pending publication of the Smartblock Law Guide to Data Privacy & Cybersecurity, which will occur soon after the expected Canadian PIPEDA amendments are released.]

Top of “Data Privacy & Artificial Intelligence“


[This section is under construction pending publication of the Smartblock Law Guide to Data Privacy & Cybersecurity, which will occur soon after the expected Canadian PIPEDA amendments are released.]

Top of “Data Privacy & Artificial Intelligence“