Data Privacy & Artificial Intelligence
Data Governance, Breach Planning, and Third Party Risk
The term “data governance” relates to the treatment of data in your control. In particular, data governance refers to how data is collected, protected, used, analyzed, disclosed, marketed, and sold.
These operations generally trigger privacy and related laws. We help companies work towards legally compliant and risk-mitigated data governance. We also help strategize—in accordance with law—how data can be collected and maximally leveraged in any given situation.
One aspect of compliant data governance involves the safeguarding of private data from cyber breaches. A formal breach plan focuses your breach protocol, and functions as legal due diligence.
We can help establish your legal baseline for cybersecurity, and proactively minimize your liability when a breach eventually occurs. We assist with breach planning according to regulations, case law, foreign legal developments, and industry best practices. Our breach plans also include appropriate safeguards in IT contracts with customers (i.e. users), and third party vendors (i.e. arm’s length data processors).
As needed, we also work toward data governance and breach-plan compliance with the GDPR in Europe, and the CCPA in California.
For more information, see Chetan Phull’s book, Big Data Law in Canada, Chapter 1, Chapter 3 and Chapter 4 at subsections I and II.
Reacting to Cybersecurity Breaches: Notification and Reporting
As of November 2018, private organizations must keep records of all security breaches exposing personal information, for 2 years after each breach is discovered. The records must contain information to assess compliance with breach reporting requirements. Failure to report as required can result in a fine upwards of $100,000.
Whether there is in fact a data breach, and whether that data breach causes a “real risk of significant harm”, are legal questions that differ from case to case. We help organizations fulfill their post-breach legal obligations, while positioning the organization to limit its liability and damage, and limit any damage caused to third parties.
For more information, see Chetan Phull’s book, Big Data Law in Canada, Chapter 4 at subsection III.
Artificial Intelligence: Privacy and Automated-Decision-Making Regulations
Algorithmic decision-making invokes many legal issues.
Privacy issues apply to: large pools of training data, explainability regarding the parameters of AI learning, and the effectiveness of data anonymizing methods. Licensing issues apply to proprietary data pools, and many open-source data pools.
Moreover, it is essential to consider the fast-developing framework of regulations—internationally and domestically—governing decision-making systems themselves. Such systems in the public sector are already subject to third-party algorithmic audits, and numerous other requirements. Meanwhile, in the private sector, an official standard has been developed and is likely to be followed by legislation.
The results of decision-making systems also invoke legal issues in human rights, consumer protection, product liability, contract, tort, negligence, and trusts.
Finally, rules of attribution may invoke the personal liability of corporate directors, developers, trainers, contractors, testers, and system operators. This risk should be safeguarded with various due diligence measures, including appropriate contractual and insurance handling.
We handle AI legal issues from many angles—during development and operation, and in the course of litigation.
For more information, see Chetan Phull’s book, Big Data Law in Canada, Chapter 10.
Data Privacy and Ransomware Litigation
After a breach exposing personal information is reported (as required), regulatory scrutiny will follow. We represent companies during this investigation phase, and in any subsequent regulatory hearings.
Breaches may also spawn civil lawsuits in tort, negligence, breach of contract, breach of trust/fiduciary duty, breach of privacy, intrusion upon seclusion, and unjust enrichment. Moreover, any of these claims may be brought in a class action. We represent parties involved in such civil litigation, from commencement of proceedings to factual discovery, to mediation and trial.
Ransomware attacks, intercepted payments online, and fraudulent e-money transfers may also give rise to disputes involving banks and insurance companies. We represent parties in these kinds of disputes as well, when data or e-payments are taken hostage by a hacker.
For more information, see Chetan Phull’s book, Big Data Law in Canada, Chapter 4 at subsection IV, and Chapter 3 at subsection II.
See also our Litigation service offering.
Digital Authentication and Open Banking Issues
Digital authentication in Canada is covered by a variety of government directives, broadly applicable guidelines, and the developing Pan-Canadian Trust Framework.
These standards are further informed by digital ID requirements under open banking laws in Europe and Australia, and the U.S. NIST Guidelines, as endorsed by the Financial Action Task Force.
We help companies with due diligence related to login portals, by navigating current and anticipated regulations, in Canada and internationally.
For more information, see Chetan Phull’s book, Big Data Law in Canada, Chapter 5.
Digital Marketing and CASL
CASL applies in respect of commercial electronic messages, altering transmission data, and installing software or causing software to send electronic messages.
Liability under CASL is triggered by non-compliance, as well as aiding or inducing such non-compliance. The regulator has a right to documents and data controlled by your company, in order to assess compliance with CASL and any foreign anti-spam law.
When faced with a CASL fine, simply “giving in” and paying the fine, or ignoring the fine, is not recommended. This would result in “deemed liability”, and would empower the regulator to openly publicize details of such liability.
We help companies prepare for CASL compliance. We also advise how to react to a fine under CASL, and we represent companies in CASL-related litigation.
For more information, see Chetan Phull’s book, Big Data Law in Canada, Chapter 6.
See also our Litigation service offering.
The Right to Be Forgotten (Right of Erasure), and Blocking Orders
A Canadian “right to be forgotten” follows the establishment of a European “right of erasure”. This right in Canada is currently being litigated. As an alternative remedy, a court may issue a “blocking order”.
Companies should therefore be prepared to respond to their users’ demands of data deletion, or data correction.
We assist with developing policies and responses to requests for data deletion, or data correction, in accordance with current and foreseeable law, and legal developments in other jurisdictions.
We also litigate with respect to blocking orders.
For more information, see Chetan Phull’s book, Big Data Law in Canada, Chapter 7.
See also our Litigation service offering.
International Trade: Data Flow and Data Residency
Trans-border data flows are essential to the modern data processing economy and business model. However, there is an increasing trend in favour of keeping private data within the borders of specific jurisdictions.
Moreover, upcoming international treaties have no unified position on whether data flows should be unimpeded by default, or whether restrictions can be imposed. The Office of the Privacy Commission, meanwhile, has struggled to determine whether the transfer of personal information across borders for processing requires consent.
We are monitoring the emerging issue of international data flows, and the uncertainty it represents for business operations. On this basis, we can issue an opinion and recommendations for how your company should handle data that must flow into other jurisdictions.
For more information, see Chetan Phull’s book, Big Data Law in Canada, Chapter 8.
Government Surveillance and Charter Issues
The National Security Act, 2017 established a new national security framework in Canada.
New surveillance and cyber operation powers may unjustifiably infringe upon various constitutional rights, namely: the freedom of expression; right to life, liberty, and security of the person; and right to be secure against unreasonable search or seizure.
Charter litigation may therefore be a by-product of the new national security framework. The grounds for challenging a cyber surveillance operation are becoming clearer and stronger as privacy law reform takes place.
We can act on matters involving an arguable Charter infringement caused by a government surveillance program or cyber operation.
For more information, see Chetan Phull’s book, Big Data Law in Canada, Chapter 9.
See also our Litigation service offering.
Competition / Anti-Trust Issues
Data can be leveraged to gain crucial business insights and competitive market advantage. This practice is subject to competition law, which promotes market ingenuity and discourages anti-competitive acts.
In recent years, the big data sector has attracted increasing scrutiny of competition regulators. Lawful and common business conduct is subject to the competition regulator’s review. Moreover, even the suspicion of anti-competitive acts may give rise to a lengthy deposition. Private parties may also bring claims in competition law, thereby alleging unfair play in the big data marketplace.
We practice competition law in the big data sector, in the context of operational planning and litigation.
For more information, see Chetan Phull’s book, Big Data Law in Canada, Chapter 11.