As in-house counsel for Shopify, Vivek Narayanadas has to navigate a constantly changing landscape when it comes to privacy and data protection laws around the world.
The secret, he says, is to look to the future.
“Being a privacy professional, especially right now, is part fortune teller, part crystal ball teller,” says Narayanadas, associate general counsel privacy and data protection officer for one of Canada’s fastest-growing e-commerce companies.
“You just have to have a finger on the pulse — not only of what the law says now. You really have to have a sense of where it’s going because your product teams don’t really appreciate having to revisit decisions that you made six months ago just because a new law just came into effect.”
In the wake of the Cambridge Analytica scandal and Europe’s adoption of the General Data Protection Regulation, privacy and data protection laws around the world have been multiplying at a dizzying rate — many of them with extraterritorial applications and all with somewhat different provisions.
South of the border, the California Consumer Privacy Act is scheduled to go into effect on Jan. 1, 2020. Meanwhile, several other states are in the process of adopting their own privacy laws and there are initiatives at the U.S. federal level as well.
Brazil has adopted a General Data Protection Law that goes into effect in early 2020.
Overall, according to the United Nations Conference on Trade and Development, 107 countries now have online data protection and privacy laws while others have introduced draft legislation.
“It is a particularly challenging time in the world of data protection and privacy laws,” says Michael Scherman, an associate at McCarthy Tétrault LLP’s technology law group.
But with change and challenge comes opportunity for lawyers across Canada who specialize in privacy law.
Elisa Henry, a partner with Borden Ladner Gervais LLP, says privacy and cybersecurity law are the fastest-growing areas for her firm. Building that practice is one of its strategic priorities.
“I think lawyers who are able to advise on GDPR because they’re qualified to advise on the GDPR have seen a big increase in the demand for their services and, as a result, sometimes, by raising GDPR type questions to your clients, you end up realizing that they were not really in compliance with Canadian standards.
“The awareness triggered by the GDPR also triggered more consultation and more advisory work on our end on Canadian law, too.”
One place where there has been little change in privacy legislation has been Canada. Federal Privacy Commissioner Daniel Therrien has called for amendments to modernize the Personal Information Protection and Electronic Documents Act. The law, which governs private-sector privacy, hasn’t been substantially updated since it was adopted in 2000.
In late May, Navdeep Bains, the minister responsible for innovation, science and economic development, unveiled the government’s Digital Charter — a series of principles to guide changes to Canada’s federal privacy laws. However, Prime Minister Justin Trudeau’s government is not expected to table concrete legislation or regulations before the next federal election in October.
In the absence of legislative change, Therrien has been doing what he can. In April, prompted by his office’s investigation into a data breach by Equifax, he launched a consultation into a proposed reinterpretation of PIPEDA to require consent for a company to transfer an individual’s private information outside Canada for processing.
In late May, only days after the government unveiled its digital charter, Therrien announced he was suspending — but not cancelling — his consultation into cross-border data flows.
“The historic OPC position gave great weight to the accountability principle in protecting privacy in a transborder context,” Therrien told a conference of privacy professionals in Toronto. “Yet, we have seen in Equifax that this principle, as currently framed, does not always provide effective protection. During our investigation, Equifax officials had difficulty answering basic questions as to who was responsible for their clients’ personal information as between the Canadian and U.S. affiliates.”
Scherman says companies have been relying for a decade on the existing guidance that transferring data to a third party for processing didn’t require additional consent. He says Therrien’s proposed change really threw “the industry into a bit of a panic.”
“Getting a consent to an act is a very challenging matter — especially when you’re not doing it at the time of collection,” Scherman says. “Obtaining the consent afterwards can be an incredible, labour-intensive act. So, going back to all your existing customers and potentially having to request that consent could be very significant.”
The biggest change on the international privacy law landscape has been the GDPR, which is considered by many to be the new gold standard in privacy regulation since it took effect in May 2018.
It outlines rules for handling the private information of European residents and backs them up with the prospect of stiff fines — up to 20 million euros or four per cent of a company’s worldwide annual revenue for the previous year, whichever is higher.
Any company around the world that breaks the rules can face fines — even if it has no establishment in Europe.
One of the GDPR’s key measures is privacy by design — a concept developed by former Ontario privacy commissioner Ann Cavoukian. Privacy by design calls for privacy considerations to be included from the start.
Under the GDPR, companies must notify affected customers within 72 hours of becoming aware of a data breach. Consent to use someone’s information must be obtained using clear language. European residents can withdraw their consent or ask to see their information that a company has collected. They can take their data with them if they switch to another company.
The GDPR also includes the right to be forgotten, which allows an individual to ask for information about them to be erased.
The GDPR has been prompting other countries to beef up their own privacy protection regimes.
In the past year, European data protection authorities have been active, issuing orders and levying fines, says Henry.
“We’ve seen lots of activity coming from the French CNIL with the Google decision — the 50-million-euro fine against Google by the French data protection authority. The Germans also have been very active. The ICO in the U.K. has been very active and the Dutch DPA has been very active.
“Northwestern Europe has been very active overall.”
In the U.S., the International Association of Privacy Professionals has identified 14 states, including California, where privacy protection legislation has been proposed or adopted.
Kelsey Finch, a Seattle-based senior policy counsel for the Future of Privacy Forum, says the Cambridge Analytica scandal and the GDPR have prompted big changes.
“I think a lot of it is a response to the GDPR and a lot of our multinationals having to do the compliance work to come into compliance with that and then looking around and saying, you know what — it doesn’t make sense to offer two different regimes and two different sets of privacy rights to folks in the EU versus in the U.S. We’ll just roll it out everywhere.”
Traditionally, the principle privacy protection in the U.S. has been the Federal Trade Commission, which has the power to protect consumers and penalize deceptive or unfair practices. The agency fined Google US$22.5 million in 2012 for what it told users about the way its tools tracked them. It has been negotiating a settlement with Facebook over the Cambridge Analytica scandal that is expected to run into the billions.
But Finch says there has been a multiplication of privacy legislation being introduced across the U.S., starting with California’s law, which was adopted as a ballot initiative.
“We’re seeing the states stepping in, pretty actively and pretty quickly and taking on a number of different approaches. We’re seeing federal proposals start to emerge as well, although that’s a little bit slower.”
Finch says she is seeing a wide range of proposed privacy legislation — from algorithmic accountability and the use of biometrics such as facial recognition to more than 400 different student privacy bills. At the municipal level, she is starting to see surveillance ordinances.
However, Finch says there’s also a downside to the prospect of having so many different laws being proposed across the U.S.
“It’s really hard to have 50 different laws apply and it’s really difficult for people to comply with 50 different laws on how to get consent and how to process data and what kind of notices to give.
“I think that consumers would get a certain level of fatigue. If every time you accessed a website from a different state you had to go through a different process, I think folks would get sick of that pretty fast.”
Henry is also watching the various proposed privacy laws across the U.S. and around the world.
“Following the Californian trend, the federal legislation in the U.S. is a bit slow, but we saw now legislation coming out of Washington, out of Massachusetts, of Utah, of Vermont. So, different states — and it’s really the state legislators that are very active in that field in the U.S. because a federal law will take a long time, if ever, to be adopted — [are] really pushing for consumer data protection and restriction to government access to data.
“So, we see that as a major trend, and elsewhere, we saw Brazil adopting its general data protection law that’s very similar to the GDPR and that applies to any company that offers services to the Brazilian market.
“Really, it’s a global trend.”
Melanie McNaught, a partner with Toronto-based Filion Wakely Thorup Angeletti LLP, says the varying privacy laws around the world can also pose a challenge on the employment front. Canadian companies may find themselves subject to privacy laws in other countries because that is where an employee has chosen to work.
“People can work from anywhere now. So, you might have a teleworker and they might be working from Europe and then the question arises, because they’re situated in Europe, are they now subject to the GDPR, whereas, in a month, maybe they’ll be in Thailand or somewhere else.
“The workforce is increasingly mobile and personal information is extremely mobile.”
One trend privacy law specialists like Henry are seeing is international privacy laws becoming part of corporate due diligence. She says companies in the EU or the U.S. are asking Canadian firms for proof they comply with certain privacy regimes before they will hire them.
“More and more, you see vendor due diligence performed by large companies who, before they contract with you, make sure that your privacy infrastructure is robust enough not to put them at risk.
“So, those inquiries, those questions from clients, basically, push them to adopt and to improve whatever framework they had in place.”
Henry says most of the demand for legal services up until now has been at the advisory level — clients trying to determine whether various privacy laws in different countries apply to them and how to comply.
However, Henry expects to start seeing pushback in coming months as companies challenge the ability of regulators to enforce privacy laws in countries where a company doesn’t have an establishment.
“I think the litigators, also, will be busy soon.”
As it gets more complicated to comply with privacy laws that vary from one country to another, some are beginning to talk about making privacy laws around the world more interoperable.
Among them is Michael McEvoy, British Columbia’s information and privacy commissioner.
“There will be, I think, always some differences in culture and lawmaking globally,” McEvoy told reporters in Ottawa in April.
“But I sense there is — certainly among privacy regulators — a sense of convergence of similar principles that need to be brought to bear in jurisdictions around the world so that citizens, if you’re Canadian and your data travels outside the boundaries of the country, can expect that your data is going to be similarly protected.”
Speaking to a parliamentary committee in May, Therrien said the move by countries that are Canada’s commercial partners to adopt similar laws could improve privacy protection.
“I don’t think an international treaty is going to happen quickly, but we can think of different countries adopting interoperable laws and the total of the legislative and regulatory actions of different countries could lead to a result,” Therrien told MPs.
In the meantime, Canadian lawyers and their clients are left navigating a complex patchwork quilt of privacy laws around the world.
Henry’s advice is to know more than just the law.
“A lot of what the clients are asking for is whether we can benchmark what they’re doing against the rest of the industry and whether what they are doing is reasonable or not, given the state of the industry and the thinking of the regulators.”
She says it also helps to be close to the regulators and to know your client’s industry.
“Some practices that were unreasonable a few years ago in the digital world are now completely accepted, but some practices that some clients want to implement go too far and will trigger not only a privacy risk but also a reputational risk, social media, bad press — which may then lead to an investigation.”
Scherman says there’s no magic or easy button out there. Lawyers should look to the future and stay flexible.
“The more you can sort of look at the trend of what privacy laws are requiring, look at the trend of what’s best practice and develop a flexible plan to comply with those, the easier your job is going to be down the road because, if you get these processes in place early, compliance can be a lot easier than if you’re playing catch-up after you’ve already had all these processes and customers and data in place.”
Finch recommends lawyers look beyond the law and consider ethical questions when it comes to privacy and data protection.
“I think that’s an increasing part of the conversation and I think that’s part of where we’re seeing legislation start to head — particularly around automated or algorithmic decision-making.”
Finch also suggests Canadian lawyers not get too wrapped up in privacy laws while they are making their way through U.S. state legislatures.
“Once it has been written and once it has been passed, that’s a great time to start thinking about it and thinking about compliance.”
That’s also the approach Narayanadas is taking. Shopify is preparing to comply with California’s law while he watches to see what laws other states will adopt.
“Until there is something concrete, it’s hard for us to take them seriously, so we’re just waiting and seeing and keeping our exec team apprised as those discussions happen.”
Narayanadas says his job is made a bit easier by the choices Shopify made from the start about how it would handle customer data.
“I think we are in a relatively unique position just because privacy was really at the core of the business when it was built from the ground up and we have taken very strong affirmative positions when it comes to not using our customers’ data for certain purposes from day one.”
Shopify has moved to become GDPR compliant and is helping the merchants who use its services to comply as well.
“Because we’re a platform, I think we have another level of difficulty here because we’re not just building systems out for our risk tolerance or the way we interpret the law. We have 800,000 merchants and each of them have interpretations of GDPR or maybe in a different vertical that has additional requirements, and it is our job to build a platform that they can use out of the box and be compliant with however aggressively or conservatively they are approaching the law,” he says.
“So, we have had to build, to interpret the law in many different ways to be able to make sure that all of our merchants are comfortable and are able to use our system however they see fit.”
Being a privacy professional now is more than about checking boxes, audit questionnaires and inserting data provisions in contracts, he says.
“It’s really about understanding what the future looks like from today’s perspective; what it may look like a few months down the line, a few years down the line and helping your business teams and your developers really understand that when they are making decisions about their products it really is about privacy by design in a way that is difficult when privacy itself is in flux to the degree that it is right now.”