Category: New and Proposed Laws

Dec 13 2017

NIST Releases Draft Update To Cybersecurity Framework

In 2014, the National Institute of Standards and Technology (NIST) released its first version of the Framework for Improving Critical Infrastructure Cybersecurity (Cyber Framework). The Cyber Framework was originally developed as a voluntary framework to help private organizations and government agencies manage cybersecurity risk in the critical infrastructure space (e.g., bridges, power grid, etc.). Since then, it has been widely adopted across industry as a benchmark standard for measuring an enterprise’s cybersecurity readiness.

Following feedback NIST received in December 2015 from a Request for Information, and comments from attendees at the Cybersecurity Framework Workshop in 2016 held at the NIST campus in Maryland, NIST released a draft update to the Cyber Framework in January 2017 called Version 1.1. Some of the key changes in the draft update included:

  • Adding a new section on cybersecurity measurement to discuss the correlation of business results to cybersecurity risk management metrics and measures;
  • Expanding the use and understanding of cyber supply chain risk management frameworks;
  • Accounting for authentication, authorization, and identity proofing in the access control section of the framework; and
  • Better explaining the relationship between the various implementation tiers and profiles.

Last week, NIST released a second draft of Version 1.1, which is open for public comment through January 20, 2018. The new draft expands on issues such as supply chain security and vulnerability disclosure programs. It also emphasizes the need for companies using the framework to develop metrics to quantify their progress. NIST says it hopes to finalize Version 1.1 in the spring of 2018.

If you are interested in submitting comments on the new draft of Version 1.1, or learning more about its proposed changes that will likely take effect in 2018, the Dentons Privacy and Cybersecurity Group is ready to assist.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkDentons’ Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

Sep 21 2017

Canada’s Privacy Commissioner Pursues a Stronger Consent Framework and More Proactive Enforcement

On September 21st, 2017, Daniel Therrien, Canada’s Federal Privacy Commissioner, tabled his annual report to Canada’s Parliament today. The report to Parliament includes results and recommendations with respect to the OPC’s study on consent. In addition, the Commissioner requests Parliament overhaul Canada’s federal private sector legislation – the Personal Information Protection and Electronic Documents Act (PIPEDA).

Consent and Technology

A key issue for regulators and businesses is how to obtain meaningful and valid consent to collect and use personal information in the digital age. Revisiting and enhancing the consent model under PIPEDA is grounded in the Commissioner’s five year strategic privacy priorities. In 2016, the OPC issued a consultation paper regarding the challenges of obtaining meaningful consent in a continuously evolving technological ecosystem where the traditional “privacy policy” may not always be suitable. The OPC received feedback through roundtables, focus groups, surveys and receipt of 51 submissions from organizations, information technology specialists, academics, advocacy groups and other stakeholders.

Four Key Elements in Privacy Policies: The Commissioner stated that the OPC will be issuing an updated version of its consent guidelines that will require businesses and organizations to highlight in a user friendly way the following four key elements in their privacy notices:

  1. What information is being collected
  2. Who is it being shared with, including an enumeration of third parties
  3. The purposes for collecting, using or sharing including an explanation of purposes that are not integral to the service, and
  4. Identify the risk of harm to individuals, if any.

Risk of Harm: The OPC is amending its guidelines to require organizations to consider the risk of harm to individuals when considering the form of consent used. This consideration will be in addition to the sensitivity of the personal information and the reasonable expectations of the individual. We expect to learn more about this in the updated guidelines.

No-Go Zones: Expect new guidance for businesses and no-go zones where the use of information, even with consent, should be prohibited as inappropriate. The guidance will be aimed to provide clarity on what the OPC considers “inappropriate uses” under subsection 5(1) of PIPEDA.

Alternatives to Consent: The Commissioner outlined three potential solutions for enhancing privacy protection where traditional consent models conflict with advances in technology, including:

  1. De-identification: In some circumstances, like big data, de-identification protocols may be the right solution. The OPC will be issuing guidance on de-identification that will help businesses assess their protocols and reduce risk of re-identification to a low level where the information may be used without consent.
  2. Publicly available information: The Commissioner agrees that the categories of publicly available information in PIPEDA’s regulations are out of date, and should be revisited by Parliament. For now these exceptions remain the same, but we may someday see changes to the regulations.
  3. Call for reform of new exceptions: The Commissioner has requested that PIPEDA be amended to include new exceptions to consent (section 7 of PIPEDA) to address social activities not contemplated when PIPEDA was first drafted. The goal is to help organizations use data for new purposes that would benefit individuals and obtaining consent is not practical. For example, a mobile app wishes to now use information collected for geolocation mapping, and the business can demonstrate that the benefit of the new use of information outweighs the privacy incursion. This option would be considered a last resort and require pre-approval by the OPC.

Overhaul of PIPEDA including new Powers

The Commissioner reported that it is time to revisit how Canada’s federal privacy legislation, enacted in 2000, meets the realities of today’s digital world, including advances technology as well the addition of new enforcement powers already used by the OPC’s counterparts in the U.S. and Europe. The Commissioner proposed to Parliament that this overhaul include a new enforcement model that emphasizes proactive powers that are backed up by order-making authorities, including:

  • involuntary audits
  • issuing binding orders, and
  • impose administrative monetary penalties.

The request for reform of PIPEDA is certainly a hot topic as businesses and organizations await how Canada’s status as an adequate country is, or is not affected as a result of Europe’s General Data Protection Regulations.

Expect a more aggressive OPC

However, do not expect the OPC to wait for new powers. The Commissioner ended his report to Parliament adding that, beginning today, we can expect a more proactive and aggressive OPC with respect to enforcement. The OPC is sending a signal that complaints to the OPC will no longer be the primary tool and the OPC will be shifting itself as a proactive regulator ready to initiate investigations. The Commissioner reported that a complaint-driven model has its limits:

People are unlikely to file a complaint about something they do not know is happening, and in the age of big data and the Internet of Things, it is very difficult to know and understand what is happening to our personal information. My Office, however, is better positioned to examine these often opaque data flows and to make determinations as to their appropriateness under PIPEDA.

This is an important message. The Commissioner is not waiting for legislative reform and has put businesses and organizations on notice to expect a more active OPC, one that will be on the lookout for “specific issues or chronic problems” that must be addressed – possibly resulting in more Commissioner-initiated investigations.

More information

You can read the OPC’s news release here.

You can read the Commissioner’s remarks and full Annual Report to Parliament here.

Sep 05 2017

Déjà Vu – Canada’s Breach Reporting and Notification Requirements

On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguards Regulations. The draft Regulations will be open for comment for 30 days. If the Regulations are not further amended by ISED, they may be registered and republished. ISED has stated that there will be a delay between finalizing the Regulations and their coming into force to permit organizations time to implement any necessary organizational changes.

ISED has drafted Regulations that hew close to similar regulations under Alberta’s Personal Information Protection Act. Far from being unsettling, this sense of  déjà vu will be welcome for organizations concerned about coping with divergent requirements.

However, there are still some important differences to note:

1.  Reporting to the regulator can focus on the cause of the breach rather than speculate about the harm

The content of the report to the Office of the Privacy Commissioner of Canada (OPC) tracks fairly close to the content required under Alberta’s law. Perhaps as a matter of clarification more than a substantive difference, the federal Regulations specify that the report should include the “cause” of the breach if known. However, one significant difference is that organizations are not required to engage in speculation about the potential harm to individuals. This will be highly appreciated by organizations who have had to deal with Alberta’s law.

2.  Organizations must make it easy on individuals to get information or to complain

The content of the notices to individuals of a breach are also similar to those in Alberta. However, ISED has included some consumer-friendly requirements. First, individuals should have a toll-free number to contact someone who can answer questions on behalf of the organization (or an email address). Second, individuals must be informed about the organization’s internal complaint process. Finally, individuals must be advised of their right to complain to the OPC about the breach.

3.  There is flexibility with respect to the manner of reporting

The federal Regulations specifically provide that notices to individuals can be provided:

  • by email or other secure forms of communication (to which the individual has consented)
  • by letter
  • by telephone
  • in person

Moreover, organizations can opt for indirect notification (without having to pre-clear this with the OPC) if direct notification would cause harm to the individual, the cost of direct notification would be prohibitive to the organization, or the organization does not have current contact information.  Indirect notification can be made by conspicuous posting of the notice on the organization’s website for 90 days (or more) or by means of an advertisement that is likely to reach the affected individuals.

4. Record-keeping is much less onerous than feared

One difference between the Alberta law and the federal Personal Information Protection and Electronic Documents Act (PIPEDA), is that PIPEDA requires an organization to maintain a record of every breach of security safeguards even if that breach does not result in a real risk of significant harm to an individual.

The ISED has heard the concerns raised by organizations about this provision. Organizations only need to maintain records for 2 years. The form and content of the records are up to the organization provided that they contain enough information to allow the OPC to assess whether the organization was making any required reports to the OPC and required notifications to affected individuals. Since a report to the OPC containing the prescribed elements would be sufficient as a record, this appears to mean that the type of information that must be kept does not include a written assessment of the risk of harm.

Read the draft Regulations here.

Aug 23 2017

Data processors under the GDPR

In our monthly GDPR Updates we discuss various key issues of the General Data Protection Regulation, (EU) 2016/679 (the GDPR), which applies from 25 May 2018. With the introduction of the GDPR, the existing Directive 95/46/EC and its implementation in the local laws of the various EU Member States will be repealed. The GDPR will bring significant and substantial changes with respect to the processing of personal data. It introduces several new concepts, such as Privacy by Design, Privacy by Default and Data Portability. As the GDPR contains several onerous obligations that require significant preparation time, organisations are recommended to timely commence the implementation process.

We notice that personal data protection is becoming more and more topical within organisations, and that the first steps towards compliance with the GDPR are undertaken. Our GDPR Updates illustrate the relevant changes resulting from the GDPR and provide readers with practical recommendations on the implementation of the GDPR within their organisations.

In the August edition of our GDPR Updates we address the position of the data processor. Under the GDPR the data processor is given certain specific responsibilities, meaning that it will no longer be only the data controller who is responsible for compliance with the privacy regulations. From 25 May 2018 also the data processor can be held liable for not complying with the GDPR requirements and additional legislation relating thereto.

If the data processor falls within the territorial scope of the GDPR (data processors will be confronted with an expansion of the territorial scope of the European privacy regulations), the data processor could face the following obligations:

  • the obligation to designate a representative in the EU if the data processor is not established in the EU but its processing is related to (i) offering of goods and/or services to data subjects in the EU; or  (ii) monitoring of data subjects in the EU;
  • complying with the mandatory requirements with regard to the content of the processing agreement as set out in Article 28 GDPR;
  • the obligation to maintain a written record of processing activities. Note that this obligation is not applicable to organisations employing fewer than 250 employees, unless (i) the processing is likely to result in a risk to the rights and freedoms of data subjects, (ii) the processing is not occasional, or (iii) the processing includes special categories of data. Data processors that provide services whereby the processing of personal data is standard practice are not likely to fall within the scope of the exceptions and will therefore be obliged to maintain a written record of processing activities (e.g. SaaS, hosting and other cloud service providers);
  • the obligation to designate a data protection officer if (i) the data processor is a public authority or body; (ii) its core activities consist of processing on a large scale of special categories of personal data or data relating to criminal convictions; or (iii) its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; and
  • the obligation to notify the data controller (without undue delay) after becoming aware of a breach of the processed personal data and assist the data controller in ensuring compliance with its subsequent obligations towards the competent supervisory authorities and (where necessary) the data subjects.

Instead of only being contractually liable on the basis of a processing agreement with a data controller, under the GDPR data processors will also be subject to administrative liability in case of non-compliance. Administrative fines can increase up to EUR 20 million or (if higher) 4% of the total worldwide annual turnover of the organisation concerned. In addition to administrative liability and contractual liability towards the data controller, a data processor can be held liable towards data subjects who have suffered damages as a result of a breach of the GDPR by the data processor.

Organisations are recommended to carefully examine their positions within the various data processing activities and to make a very clear assessment on the associated responsibilities and obligations. A careful inventory should be made of the parties involved in the various personal data processing activities within an organisation and their roles (data controller/co or joint data controller/data processor/sub-processor, et cetera). This is particularly relevant as the division of roles directly influences the responsibilities a party has in the personal data processing activity, as well as the corresponding liability.

Please click here to read the entire August GDPR Update.