Privacy Issues for In-House
Counsel: A New Context of
Risk and Safeguards
Association of Corporate Counsel, Ottawa
April 16, 2015
1
Two experiences
• Amanda Maltby, General Manager, Compliance and Chief Privacy
Officer, Canada Post
• A View from the Inside: The constants
• Chantal Bernier, Former Interim Privacy Commissioner of Canada,
Counsel, Dentons Canada
• A View from the Outside: The trends
05 May 2015 2
A View from the Outside:
The Trends
1. Incessant, often sophisticated cyber-attacks
• Some Canadian stats:
• 70% of businesses report some form of attack
• 40% are in the financial and retail industries
• 80% of businesses do not know whether they are at risk of an attack
• Attackers spend an average of 229 days in an organisation’s system
International Cyber-security Protection Alliance, December 2014
• An international example: Carbanak
• Since 2013
• 100 major banking entities in Russia, US, Germany, China and the U.K.
• Through spear-phishing emails, decrypting codes and executing a back door (named Carbanak)
• Kaspersky Report, Carbanak APT – The Great Bank Robbery, February 2015
2. Law enforcement requests
• Ramping up…
• 1.3 million overall in 2012
Public Safety Canada memo made public through ATI 2014
• Police request client data from telcos in 80% of probes
CBC 10.4.2015
Then decreasing…
• 58,000 less since requiring warrant
• Rogers, 10.4.2015
• Without a proper governance system
OPC Annual Report for the Privacy Act, 2013-2014
• In an atmosphere of legal uncertainty
Reaction of the telcos to OPC revelations of 1.2M requests per year to 9 telcos
3. Outsourcing and cross-border data flows
• Inherent to globalization
• 2.3B people on the Internet; 5B forecast for 2020
• International Telecommunications Union, 2012
• Mobile traffic expected to increase 18 fold by 2016
• Cisco 2011
• Essential to commerce
• Internet contributed 10% of GDP growth in the top 10 economies, creating 2.6 jobs for every job lost
• OECD Internet Economy 2012
4. Moving to the Cloud
• Cloud computing estimated to have grown by 600% between 2013 and 2015
• Exports in cloud computing services amount to $1.5B per year
Journal of International Commerce and Economics, Nov. 2012
• ISO and IEC adopt ISO Standard 27018 for privacy on the cloud
Code of Practice for PII protection in public clouds acting as PII processors, April 25, 2014
5. Data-based business models
• Data monetization
• “Since 2001 the founders of Data Monetization LLC have generated more than
$100,000,000.000 worth of leads through digital and traditional media.”
Data Monetization LLC
• Service in return for ads
• Over 90% of Google revenues comes from advertising
Google’s filings to the U.S. Securities and Exchange Commission
• Device tracking
• “Now it’s all about tailoring the shopping experience to match your target
shopper”
Path Intelligence
6. Pressure towards BYOD
• 78% of employees feel it provides better work-life balance
• 62% of companies plan to go BYOD
• 42% of companies already have BYOD
• 67% of employees use personal devices whether BYOD is recognized or not…
Risk Managing the Trends
1. Managing Cybersecurity Risks
The legal test is accountability, not occurrence
1. Using “security safeguards appropriate to the sensitivity of the information”
Principle 4.7, Schedule I, PIPEDA
2. Demonstrating the necessary governance structure to address the risks
Bringing in the C-suite
Hack Attacks Hit Home: The Kind of Thing CEOs Get Fired For, National Post, 2.2.2015
Integrating privacy standards into corporate standards
Five Golden Rules for Accountability on Privacy and Cyber-security, Dentons Website
Principle 4.1, Schedule I PIPEDA
Two Illustrations
Google Streetview, OPC Report of Findings, 2011
ESDC, OPC Special Report to Parliament, 2014
Managing cybersecurity…
The coming test: S-4, The Digital Privacy Act
• Mandatory breach notification
• Sections 10ss
• Compliance agreements
• Sections 17.1ss
• Expanded power to name
• section 20 (1.1)
• Reinforced consent
• Sections 5,6,7
• B to B disclosure
• Section 6 (10)
2. Clarifying lawful access
• Basic subscriber information (BSI) behind an IP address is personal information, accessible by law enforcement (LEA) only with lawful authority
• An ongoing investigation does not constitute “exigent circumstances”
• The test is not what information is sought but what the information reveals
R. v. Spencer, S.C.C. 2014
• Protecting Canadians from Online Crime Act S.C. 2014, C-31
• Expansion of preservation orders, warrants for tracking, warrants for transmission data recording
3. Safeguarding data across borders
Privacy obligations extend across borders
Principle 4.1.3 Schedule I PIPEDA
Privacy protection must be secured by contract
Same
Information must be protected through public sector outsourcing
Taking Privacy Into Account Before Making Contracting Decisions
Treasury Board Secretariat Guidance Document
B.C. and Nova Scotia have data residency requirements for public bodies
FIPA R.S.B.C. 1996, c. 165, s. 30.1 and PIIDPA 2006, SNS, c. 3, s. 5
European companies are restricted in transferring data to “non-adequate” countries
European Directive of 1996
Privacy on the cloud
• ISO/IEC 27018
• Universal standard for privacy compliance certification of cloud providers
• Based on obligations of cloud provider to
• Manage data only according to instructions of customer
• Refuse access without lawful authority
• Protect data
• Notify customer of breaches promptly
• Allow audits by the cloud customer or an independent auditor
• Microsoft announced certification in February
• Only certified cloud provider at this point
Data-based business models
• Lessons learned from the OPC Report of Findings on Bell, April 7, 2015
1. The law applies differently to free internet and paid services
2. Lawfulness of data monetization brings into play
1. Sensitivity of information
2. Reasonable expectations of customers
3. Both vary with the amount of information collated
• The comparison with Google OBA
• Free vs. paid
• Cookie tracking vs profile building
• Bottom line:
• Data monetization requires
• Data minimization
• Appropriate consent
• Higher transparency
Managing BYOD
• Main legal issues: Corporate Security and Employee Privacy
• Monitoring employees’ activities on personal devices
• Managing corporate information entangled with personal information
• Inadvertently collecting personal information
• Cybersecurity threats from personal downloads
• Breach risks from corporate-to-personal device connections
• Solution: If you can’t beat them, join them
• Adopt a clear policy according to the test of “appropriateness” of safeguards, taking into account the sensitivity of the information and the digital literacy of employees
• Inform employees of their obligations and monitoring
In short,
• On cybersecurity: advise on basis of reality of risk and sensitivity of data
• On lawful access: require a warrant except in risk to life or safety
• On cross-border data flows: get proper contractual protections
• On cloud: go with ISO/IEC certified clouds
• On data monetization: either anonymize or get consent, express or implied, based on:
• Sensitivity of information
• Reasonable expectations of privacy
• On BYOD: get a policy … quick
A View from the Inside:
The Constants
Some Issues on Your CPO’s Mind
• Ensuring organizational accountability
• Incidents and breaches
• Impact of technology and data – cloud computing, apps and mobile
• Tension between privacy and security
• Growing demand for control and transparency
• Changing definitions of ‘personal information’ and ‘consent’
• Workplace issues: BYOD, surveillance, social media
• Monitoring of third-party relationships and partnerships
A CPO’s “Constants” Then…
• Compliance
• Operational
• Policy
• Regulatory
• Risk management and mitigation
• Awareness, education and prevention
• Management of third-party relationships
• Thought leadership
• Brand Protection
What’s Changed?
• Many more players: greater need for collaboration (internal and external)
• Much more sophisticated technology, and employees who know how to use it!
• Greater complexity of the issues and risks: legislation, tech innovation, legal decisions, international considerations
• Regulators, shareholders, customers all seeking greater accountability
• Changing accountability models to meet external demands
• Changing business models: increased pressure to find creative compliance solutions
A CPO’s “Constants” Now…
• Getting out of your office: importance of relationships and communication
• More active and proactive: knowing the business and being responsive to the business
• Acknowledging the importance of culture and history
• Being risk aware and evolving the approach
• Hands-on approach and being future focussed
• Being empathetic: understanding the differing values and perspectives
Dentons Canada LLP
99 Bank Street
Suite 1420
Ottawa, Ontario K1P 1H4
Canada
Thank you
© 2015 Dentons. Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. This document is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. We are providing information to you on the basis you agree to keep it confidential. If you give us confidential information but do not instruct or retain us, we may act for another client on any matter to which that confidential information may be relevant. Please see dentons.com for Legal Notices.