Privacy Issues for In-House Counsel: A New Context of Risk and Safeguards - April 16, 2015


Page 1

Privacy Issues for In-House Counsel: A New Context of Risk and Safeguards

Association of Corporate Counsel, Ottawa
April 16, 2015

Page 2

Two experiences

• Amanda Maltby, General Manager, Compliance and Chief Privacy Officer, Canada Post
  • A View from the Inside: The constants
• Chantal Bernier, Former Interim Privacy Commissioner of Canada, Counsel, Dentons Canada
  • A View from the Outside: The trends

05 May 2015

Page 3

A View from the Outside: The Trends

Page 4

1. Incessant, often sophisticated cyber-attacks

• Some Canadian stats:
  • 70% of businesses report some form of attack
  • 40% are in the financial and retail industry
  • 80% of businesses do not know whether they are at risk of an attack
  • Attackers spend an average of 229 days in an organisation’s system
  International Cyber-security Protection Alliance, December 2014
• An international example: Carbanak
  • Since 2013
  • 100 major banking entities in Russia, US, Germany, China and the U.K.
  • Through spear-phishing emails, decrypting codes and executing a back door (named Carbanak)
  • Kaspersky Report, Carbanak APT – The Great Bank Robbery, February 2015

Page 5

2. Law enforcement requests

• Ramping up…
  • 1.3 million overall in 2012
  Public Safety Canada memo made public through ATI, 2014
  • Police request client data from telcos in 80% of probes
  CBC, 10.4.2015
• Then decreasing…
  • 58,000 fewer since requiring a warrant
  • Rogers, 10.4.2015
• Without a proper governance system
  OPC Annual Report for the Privacy Act, 2013-2014
• In an atmosphere of legal uncertainty
  Reaction of the telcos to OPC revelations of 1.2M requests per year to 9 telcos

Page 6

3. Outsourcing and cross-border data flows

• Inherent to globalization
  • 2.3 B people on the Internet – 5B forecasted in 2020
    • International Telecommunications Union, 2012
  • Mobile traffic expected to increase 18-fold by 2016
    • Cisco, 2011
• Essential to commerce
  • Internet contributed to 10% of GDP growth in top 10 economies, creating 2.6 jobs for every job lost
    • OECD Internet Economy, 2012

Page 7

4. Moving to the Cloud

• Cloud computing estimated to have grown by 600% between 2013 and 2015
• Exports in cloud computing services amount to $1.5B per year
  Journal of International Commerce and Economics, Nov. 2012
• ISO and IEC adopt ISO Standard 27018 for privacy on the cloud
  Code of Practice for PII protection in public clouds acting as PII processors, April 25, 2014

Page 8

5. Data-based business models

• Data monetization
  • “Since 2001 the founders of Data Monetization LLC have generated more than $100,000,000.000 worth of leads through digital and traditional media.”
    Data Monetization LLC
• Service in return for ads
  • Over 90% of Google revenues come from advertising
    Google’s filings to the U.S. Securities and Exchange Commission
• Device tracking
  • “Now it’s all about tailoring the shopping experience to match your target shopper”
    Path Intelligence

Page 9

6. Pressure towards BYOD

• 78% of employees feel it provides better work-life balance
• 62% of companies plan to go BYOD
• 42% of companies already have BYOD
• 67% of employees use personal devices whether BYOD is recognized or not…

Page 10

Risk Managing the Trends

Page 11

1. Managing Cybersecurity Risks

The legal test is accountability, not occurrence

1. Using “security safeguards appropriate to the sensitivity of the information”
   Principle 4.7, Schedule I, PIPEDA
2. Demonstrating the necessary governance structure to address the risks
   Bringing in the C-suite
     Hack Attacks Hit Home: The Kind of Thing CEOs Get Fired For, National Post, 2.2.2015
   Integrating privacy standards into corporate standards
     Five Golden Rules for Accountability on Privacy and Cyber-security, Dentons website
     Principle 4.1, Schedule I, PIPEDA

Two Illustrations
   Google Streetview, OPC Report of Findings, 2011
   ESDC, OPC Special Report to Parliament, 2014

Page 12

Managing cybersecurity…

The coming test: S-4, The Digital Privacy Act

• Mandatory breach notification
  • Sections 10 ss.
• Compliance agreements
  • Sections 17.1 ss.
• Expanded power to name
  • Section 20(1.1)
• Reinforced consent
  • Sections 5, 6, 7
• B to B disclosure
  • Section 6(10)

Page 13

2. Clarifying lawful access

• BSI (basic subscriber information) behind an IP address is personal information accessible by LEA (law enforcement agencies) only with lawful authority
• An ongoing investigation does not constitute “exigent circumstances”
• The test is not what information is sought but what the information reveals
  R. v. Spencer, S.C.C. 2014
• Protecting Canadians from Online Crime Act, S.C. 2014, C-31
  • Expansion of preservation orders, warrants for tracking, warrants for transmission data recording

Page 14

3. Safeguarding data across borders

Privacy obligations extend across borders
  Principle 4.1.3, Schedule I, PIPEDA
Privacy protection must be secured by contract
  Same
Information must be protected through public sector outsourcing
  Taking Privacy Into Account Before Making Contracting Decisions, Treasury Board Secretariat Guidance Document
B.C. and Nova Scotia have data residency requirements for public bodies
  FIPA, R.S.B.C. 1996, c. 165, s. 30.1 and PIIDPA 2006, SNS, c. 3, s. 5
European companies are restricted in transferring data to “non-adequate” countries
  European Directive of 1996

Page 15

Privacy on the cloud

• ISO/IEC 27018
  • Universal standard for privacy compliance certification of cloud providers
  • Based on obligations of the cloud provider to
    • Manage data only according to the instructions of the customer
    • Refuse access without lawful authority
    • Protect data
    • Notify the customer of breaches promptly
    • Allow audits by the cloud customer or an independent auditor
  • Microsoft announced certification in February
    • Only certified cloud provider at this point

Page 16

Data-based business models

• Lessons learned from the OPC Report of Findings on Bell, April 7, 2015
  1. The law applies differently to free internet and paid services
  2. Lawfulness of data monetization brings into play
     1. Sensitivity of information
     2. Reasonable expectations of customers
     3. Both vary with the amount of information collated
• The comparison with Google OBA
  • Free vs. paid
  • Cookie tracking vs. profile building
• Bottom line:
  • Data monetization requires
    • Data minimization
    • Appropriate consent
    • Higher transparency

Page 17

Managing BYOD

• Main legal issues: Corporate Security and Employee Privacy
  • Monitoring employees’ activities on personal devices
  • Managing corporate information entangled with personal information
  • Inadvertently collecting personal information
  • Cybersecurity threats from personal downloads
  • Breach risks from corporate-to-personal device connections
• Solution: If you can’t beat them, join them
  • Adopt a clear policy according to the test of “appropriateness” of safeguards, taking into account the sensitivity of the information and the digital literacy of employees
  • Inform employees of their obligations and of monitoring

Page 18

In short,

• On cybersecurity: advise on the basis of the reality of risk and the sensitivity of data
• On lawful access: require a warrant except in risk to life or safety
• On cross-border data flows: get proper contractual protections
• On cloud: go with ISO/IEC certified clouds
• On data monetization: either anonymize or get consent, express or implied, based on:
  • Sensitivity of information
  • Reasonable expectations of privacy
• On BYOD: get a policy … quick

Page 19

A View from the Inside: The Constants

Page 20

Some Issues on Your CPO’s Mind

• Ensuring organizational accountability
• Incidents and breaches
• Impact of technology and data – cloud computing, apps and mobile
• Tension between privacy and security
• Growing demand for control and transparency
• Changing definitions of ‘personal information’ and ‘consent’
• Workplace issues -- BYOD, surveillance, social media
• Monitoring of third-party relationships and partnerships

Page 21

A CPO’s “Constants” Then…

• Compliance
• Operational
• Policy
• Regulatory
• Risk management and mitigation
• Awareness, education and prevention
• Management of 3rd party relationships
• Thought leadership
• Brand Protection

Page 22

What’s Changed?

• Many more players -- greater need for collaboration (internal and external)
• Much more sophisticated technology – and employees who know how to use it!
• Greater complexity of the issues and risks – legislation, tech innovation, legal decisions, international considerations
• Regulators, shareholders, customers all seeking greater accountability
• Changing accountability models to meet external demands
• Changing business models – increased pressure to find creative compliance solutions

Page 23

A CPO’s “Constants” Now…

• Getting out of your office -- importance of relationships and communication
• More active and proactive - knowing the business and being responsive to the business
• Acknowledging the importance of culture and history
• Being risk aware and evolving the approach
• Hands-on approach and being future focussed
• Being empathetic – understanding the differing values and perspectives

Page 24

Dentons Canada LLP
99 Bank Street
Suite 1420
Ottawa, Ontario K1P 1H4
Canada

Thank you

© 2015 Dentons. Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. This document is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. We are providing information to you on the basis you agree to keep it confidential. If you give us confidential information but do not instruct or retain us, we may act for another client on any matter to which that confidential information may be relevant. Please see dentons.com for Legal Notices.