Brent J. Arnold
Partner
On-demand webinar
Amy Westrup: Good morning. And thank you so much for joining us this morning for cross border and international data privacy issues. My name is Amy Westrup and I am the Executive Director of the ACC Wisconsin. On behalf of the ACC Wisconsin, I'd like to welcome all of our members, as well as ACC members and non-members that are joining us from across the globe. I just have a few housekeeping notes. We have applied for CLE credit in the state of Wisconsin. In order to receive that credit, our speakers today will be giving you a verbal code that you can then put into the chat. We will collect that code via the chat, and then register your attendance based on that. If you are joining us by phone, you can still register the code by emailing it to me directly, and my email is in the chat currently. We will have a question and answer session at the last 10 to 15 minutes of this presentation. Please take advantage of the Q&A function on the Zoom platform to enter all of your questions and answers. Let's see, if you're having any technical difficulties at all, please put those into the chat and we can address them directly. I would like to thank Gowling WLG for sponsoring today's webinar, as well as sponsoring the ACC Wisconsin. We're thrilled to have them as a relatively new sponsor. So without further ado, I would like to introduce you to Brent Arnold, joining us from their Toronto office, and Todd Burke, joining us from the Ottawa office. Thank you so much.
Todd Burke: Thank you, Amy. Welcome to our presentation on cross border and international data privacy issues. I have the easy job today, and that is to tell you how happy we are to be part of your organization as a sponsor for the coming year. Amy has been terrific to work with and we look forward to meeting more of the members as time goes on, and as circumstances normalize to allow us to travel to your neck of the woods, as we would say. For those of you that don't know Gowling WLG, we are an international law firm. We have 1400 professionals in 19 cities throughout the world. We do not have an office in the United States, but pretty well anywhere else we are available to serve your legal needs, with a strong emphasis on the energy, financial services, life sciences, infrastructure, real estate and technology sectors. For many years, we have dedicated considerable time and attention in the US market. And we seek to be top of mind for those of you that are looking for international legal services. On that, I would like to introduce my partner, Brent Arnold, who is your presenter today. And in our firm, Brent Arnold is all things tech. And he has a commercial litigation practice with emphasis on data privacy issues, including being a data breach coach in the world of privacy. He is the vice chair of the steering committee for the cyber security and privacy data section of the Defense Research Institute. And that might be an organization that you're familiar with. So we hope that you will enjoy this presentation today. We will be available at the end of the presentation to take questions and answers. And we'll take questions and hopefully have answers. And you can do that by simply posing your question in the Q&A icon at the bottom of the screen. So with that, I will disappear and Brent will have the floor. And thank you so much for coming today.
Brent Arnold: Thanks, Todd. And thanks to all of you for coming today. The last time I spoke in front of the ACC it was in Philadelphia about three years ago, the weather was beautiful. Also happy to do this, but I hope that we get to come out and visit you soon. As we're lawyers, we start with a legal disclaimer. This isn't legal advice. It's just legal information. If you've got a privacy issue, then you absolutely should consult a privacy lawyer. And if it concerns Canada or the god or Europe or other parts around the world, we're equipped and happy to help you. Here's where I'd like to go today. It's going to be a whirlwind tour of changes in privacy law over the last basically half a year. I know that there were some interesting news developments in America from around November through till 2020 through till early this year, we were glued to our screens too. And a lot of things happened in the world of privacy while all that was going on, and it would have been easy to miss. So we're catching ourselves up now. I'm going to talk about some changes in the US law, which I'm sure many of you already know about. We'll talk about Europe, the GDPR, and the Schrems II decision and the fallout from that. We'll tell you about some interesting developments in Canada and in China. And then we'll take your questions. So I'm not going to spend too long on American law, because this will be the area I imagine most of you are the most comfortable with. But as you know, the CCPA was expanded late last year by the California Privacy Rights Act. Among other changes in the remaining. It added a new category of sensitive data, which includes, as you see here, everything from social insurance numbers to data on sex life and sexual orientation.
So this is a new protected category going beyond the stricter definition of personally identifiable information that you could tie to a specific person. There isn't the GDPR style consent obligation, which you do see in many other regimes, but there is greater control for data subjects over their own data. And the comparison between this and the CCPA will show you just how much greater it goes in the cause of defining individual control and rights. There's also a new definition of consent that I won't go through, but you'll get these slides and you'll have that to work with. It expands the CCPA requirements about privacy provisions that you have to have in contracts with service providers. If you are a company that is collecting data, and you're providing it to another company to process in some way, and this includes data storage, those contracts must now prohibit sale or sharing of personal information by the processor. It has to limit or prevent retention or use or disclosure except for the purposes specified in the contract for which you're providing the data to the processor in the first place. And it prevents the processor from combining the data with data received from others. In other words, they can't use it to build data lakes that they then use with AI for whatever other purposes. The contracts also have to specify a few other things. And I'll just highlight a couple of these. One would be that the service provider is deemed to be subject to the CPRA regardless of where they are, and they must provide protections for the person, for the data subjects, that that law requires. And service providers must notify the transferor if they can't meet the CPRA obligations. And this act really includes a private right of action. And this is a theme you're going to be hearing throughout some of these updates.
So why does all this matter? I mean, apart from the fact that so many American businesses do business in California with Californians. We're also seeing this as sort of the beginning of an actual process of updating and stiffening privacy laws. The International Association of Privacy Professionals expects that the change in the California law, along with the coming in of the Biden administration, and the convergence we're seeing between Democratic and Republican positions over a new comprehensive federal law, means you may see a federal law on data protection and privacy this year. And it's, sorry, it's so easy to imagine this happening now. I mean, I mean, apart from it's not really a partisan issue, privacy. And as you saw the week that you now have come into effect, the your national law on internet, the internet of things and the restrictions that puts in place over data collected over Internet of Things devices held by federal employees. And that Act was passed by, I think, an even number of Republicans and Democrats. So it's easy to imagine that if there's any issue that's going to find bipartisan approval at the federal level, it may well be this. And we are seeing, I don't want to say copycat because that's seen that's derogatory, but we are seeing a lot of other states extend the, well, they say that imitation is the sincerest form of flattery. We are seeing imitation of the California laws across the states. Washington state is now attempting for the third time to pass a CCPA, CPRA-style Act.
The Washington Privacy Act was passed by the State Senate for a third time, this latest version is the third attempt, just this month, and now it moves to the House of Representatives. And we've seen similar bills introduced in 20 American states so far. Virginia has enacted a similar bill, signed into law just this month, and it'll take effect next January. Actually two Januarys from now. And there are bills working through the legislative process now, they've already been introduced, another going through committee process and so forth, in Oklahoma and Connecticut, Florida, Illinois. We're seeing bills introduced in a number of states like Alabama, Alabama and Arizona, New York, Rhode Island, just to name a few, and Texas. There have been a few bills that haven't been successful and have been DOA, dead on arrival, in North Dakota, Mississippi and Utah, so they'll have to try again in those states. So let's talk about Europe for a while. I'm sure many of your organizations are dealing with, with Europe and collecting data on European citizens. In late 2020, the European Commission released the draft Data Governance Act. The intention of this act is to give the EU a competitive advantage in the world by increasing the safe sharing of public sector data between members. And it'll allow EU-wide data sharing in strategic sectors like energy and health. And it includes special rules for cross border transfers of highly sensitive but not personal, personally identifiable data, and the data protected by IP rights. As you see here, again, as we saw in the CPRA, a category of data considered to be highly sensitive, not necessarily personally identifiable to a given individual. Now, we've also seen early this year, the European Data Protection Board, which plays a role in the, in the EU Commission structure when it comes to enacting and making these laws work in Europe, a new strategy that will take it through till 2023.
It identified gaps and differences in national enforcement procedures for member states that were slowing down the progress of cross border protection cases, and plans to improve that regime by strengthening cooperation, by streamlining processes and implementing a coordinated Enforcement Network to ensure cooperation. So anyone who's been sort of relying on the lack of coordination between states to avoid the consequences of being offside the GDPR is going to find that to be a less comfortable position to be in soon. There's also, they're also going to establish a support pool of experts to share expertise with investigation and enforcement. So we're moving towards a far more informed, a far more effective and efficient enforcement mechanism. And the timing of this isn't coincidental. 2018, 2019, we didn't see a whole lot of activity in terms of enforcement under the GDPR. But the last two, for last year and a bit, we are seeing a very sharp increase in the number of prosecutions and this is going to make go at that all the easier.
So what does all that mean for you? With respect to the GDPR, it means that data controllers and processors ought to be paying a very close eye on what the EDPB's new guidance and future statements look like. National authorities within the EU, as I said, are going to be coordinating. So you should expect to see that there's going to be more cross border enforcement, and it's going to be faster. And there's going to be more guidance coming on international data transfers. Schrems II. So this was an interesting case that came up the middle of last year. Privacy X activist by the name of Maximilian Schrems was challenging the transfer of data by Facebook to Europe to its, Facebook's US entity. Now, you may recall if you've been dealing with Europe that transfers between, well, from the EU to the US entities were covered by the Privacy Shield, which essentially allowed European entities to transfer data to US processors or sister or parent companies without having to independently verify that the adequacy of the privacy regime, in this case in the US. So this was challenged, and the court ended up striking it down, found in favor of him and struck down the data Privacy Shield. The main concerns the court had were, first of all, the Patriot Act. They were concerned that the scope of surveillance by the US government was far greater than would be tolerated under the GDPR. And there is no individual mechanism for persons whose data was caught up in that to do anything about it in the States. So what that means is that the treaty was invalidated. And companies now do have to independently ensure that data and recipient state will have protection that's at a level comparable to the EU or the EEA. The possible measures that have been recommended since this happened would include newer standard contract clauses. And the EDPB has released some suggested clauses that are in the process of being reviewed and finalized.
In doubt, you can find those online, it's about 29 pages of clauses that you can include and should include probably. So you've got the standard contract clauses, binding corporate rules, codes of conduct and certification measures. And the EDPB, I'm going to say that at least twice the same way by the time this talk is over, recommends other measures to ensure compliance to supplement those transfer tools. One is transfer compliance: data exporter has to be able to confirm that the data complies with the GDPR limit, which is to say it's limited in its scope, and it's relevant and it's adequate. Also, there's where there's no adequacy decision issued. As many of you will know, the European Union Commission can essentially make a decision that a particular regime's privacy laws are adequate, meaning compatible enough to the GDPR, that transfer becomes a lot less easier.
Transferors must assess whether the third country laws will lessen the protected power of the transfer mechanism. In other words, if you have third party laws that permit greater access and retention of use of the data by the third party, third country, public authorities that is compatible with the GDPR, that's going to be a problem. And this, again, is where we get into things like the Patriot Act. You should also be identifying and adopting supplementary measures. So where laws of a third party country impinge on one of the transfer tools, the transferor has to adopt additional metric measures to bring that third country's data protection back up to the EU standard. And there's a bunch of different suggestions. These are largely technical things like hashing or encryption to make the data essentially unusable to anyone that is going to surveillance. So let's talk about Brexit. Because of course, UK was until very recently part of all this and now not so much. They managed to broker on the way out the door with Brexit the Trade and Cooperation Agreement that came into effect in January; formal adoption was last month. And this allows the EU and the UK to develop different data protection measures, including around data transfers. Transfer of personal data from the European Economic Area to the UK will transfer will be deemed to be transfers to a third country and this brings in GDPR Article 46 standards about, again, the standard contract clauses and the binding corporate rules. The UK will become a third country as soon as the earlier of the these two things happens: when the ECC adopts an adequacy decision. And this is actually a process or a deadline of April 30 2021. That was what happens, there are two draft adequacy decisions concerning two different aspects of UK law. And they were under consideration as of mid February.
And it's my understanding that they're awaiting opinions from the European Data Protection Board before they will finalize those adequacy decisions, but the tentative expectation is that they are going to find the UK regime adequate, not surprising given that it was the same as the US until pretty recently.
So the UK has deemed the, in reverse, deemed the EU and the European Economic Area states to be adequate on transitional basis pending review. So for now, alternative transfer mechanisms aren't required. The UK or separately has uninterrupted data transfer with Argentina and Canada and Japan and a few other countries. These others will require binding corporate rules as they would have under GDPR. And the UK is no longer part of the GDPR one stop shop mechanism, obviously. So if you're dealing with privacy, regulatory issues in Europe, you will be dealing with one of the European Union member states. If you're based in UK, or primarily dealing with the UK, you cannot go through UK, obviously, to sort out your GDPR compliance issues. So let's talk about Canada. And now is an opportune time for me to give you the code so that you can get your credits, because we'll see here a bottle of maple syrup on this, not to stereotype, and maple syrup is your code. So I'd like you to take a minute now to go into the chat and type in the words maple syrup. And as I said at the outset, this will allow you to get your credits. And we can track who is here. So let me give you a brief lecture on the history of Canadian federalism, everyone's favorite topic, just so that when I tell you about the Canadian situation it will make sense. In Canada, it's a federal state. And privacy is an area of joint jurisdiction between the federal and the provincial governments. So you have provincial level statutes covering public body collection of information and health information. And there is also, and you have those at the federal level as well. And you have, at the federal level, a statute governing the commercial collection of data and it's called the Personal Information Protection and Electronic Documents Act, PIPEDA or PIPEDA depending on which Canadian you're talking to about it.
So the way that that works in Canada is that provinces are automatically, PIPEDA applies at the federal level. And in individual provinces, PIPEDA also applies to the collection of, the commercial collection of data unless the province has a similar law on the books, substantially similar, such that the federal Government will say, alright, you can regulate this yourself because we're satisfied the laws are compatible enough. This looks a little bit like the adequacy decisions you see between the European Union and other states when the transfer of data, very similar concept. So PIPEDA doesn't, and the regulations don't have, don't, they don't deal specifically with the topic of international transfers or transfers across borders. They cover transfers, as in transfers from a collector, or a transfer to a processor, or between parent and sister companies, parent and child companies. But they don't, they, the law is indifferent as to whether or not those transfers occur within Canadian borders or are international in nature. So this got us into a bit of a, bit of a kerfuffle, as we say, a couple of years ago. It'll take me a second to sort of lay this out. But it's important for any company that's dealing with, dealing with Canada to sort of be tracking the story. PIPEDA doesn't prohibit organizations in Canada from transferring personal information outside of the jurisdiction. It's, as I said, the law is agnostic on it. But it does establish rules governing the, those transfers. A transfer for processing, and processing includes what, say, cloud storage, is a use of information. It's not a disclosure of information.
And these are defined concepts in the legislation. Assuming that the information is being used for the purpose it was originally collected, you don't need additional consent from the data subjects. That has been the federal Privacy Commissioner's, and commissioner's interpretation of the law since 2009. And if you've ever looked at the data, it's a fairly skeletal law. You'll all be familiar with the sort of internationally developed principles that govern most privacy legislation. PIPEDA is essentially a fairly short statute that Staples has provided those principles to the back. And so a lot of that is left to the interpretation of the Privacy Commissioner. So the Equifax case threw all of this for a bit of a loop, because in the Equifax case, as you may know, there was the Canadian subsidiary of Equifax transferred information on millions of Canadians to the US parent company, which was then breached, and litigation on a massive scale ensued. And the concern expressed by the commissioner was that there was an additional risk in transferring that information to the US entity. And the Canadians who were the subject of the, data subjects have that information, then it's a credit monitoring agency, which I assume that you all know. So it's very sensitive information. It's not only personally identifiable, but it's, it's sensitive, it's to do with credit ratings and financial information. And there hadn't been any collection of consent from individual data subjects because the federal commissioner's interpretation of the law didn't require it. They were going to the US company, I should say, for use, in the sense that the US company was doing all the processing for the Canadian company.
So the commissioner considered whether or not the private prior consent should be required specifically for disclosures to organizations that are providing services, and the commissioner proposed expressly, that they the law ought to be changed, or at least its interpretation of the law ought to be changed to require that.
So imagine the complications that this would cause for business. All of a sudden, every, if your whole business model depends on being a subsidiary company and being able to collect data and transfer it to a parent company, and this could very well be the situation for a lot of online, online retail, for instance, lots of other entities, and what much of the Canadian economy is built on subsidiaries of American entities or global entities, all of a sudden, you're required to get consent, again, to call it to transfer that information. It would have been simply unworkable, and the privacy community was up in arms about it, the business community was very concerned. I can tell you, I was actually presenting at the ACC in Philadelphia the week that this all happened. And I announced it in the room when I was giving my talk and there was a fair amount of discomfort in the room, because given the proximity to Canada, a lot of those GCs were running companies that were dealing with Canadian data. So this attempt was ultimately aborted following the release of a federal digital charter later that year, and the announcement that there was going to be an overhaul of Canadian privacy laws, which then proceeded very rapidly, actually.
So this year, we have the Digital Charter Implementation Act, Bill C-11. And what this is, is a wholesale reinvention of the federal law concerning commercial collection of data. It was put together very fast. It's very good actually. It's a, it's a comprehensive law. It sort of deals with a lot of the things that we didn't have encountered before, like, for instance, something approaching a right to be forgotten. It's actually, it is styled here a right to deletion, and a number of other individual rights around data that weren't really dealt with expressly in PIPEDA, although the principles were there. Now, as with PIPEDA, cross border transfers are still permitted. And they're not dealt with expressly as cross border or international transfers, there's just transfers, and transfers are all treated the same even if they're within Canada. And organizations under the right circumstances are still allowed to process, to transfer data for processors for use, again, processing or storage, without having to seek fresh consent from the data subjects. So that hasn't changed. And if anything, it's perhaps become a little bit easier for businesses to do this. And again, it allows transfer to a service provider, including one outside of Canada. And there's just the definition of what that would look like. We see here in this bill the introduction of the private right of action, and I've stated here, but it's actually a live question whether or not that's going to fuel new class actions for violations of the law or not. There isn't an express right of private action under PIPEDA, but people sue on it anyway, for negligence. And there has been no shortage of data breach lawsuits in Canada, just as in the United States. And in fact, very often the ones we have up here are sequels, are sort of parasitic on the actions that are happening in the States as well.
So organizations can transfer data for processing, as I said, without having to seek that additional consent or without the data subject's knowledge, and clarify some of the issues around this, such as liability. So personal information gathered by the service provider on behalf of the transferor, as opposed to transfer to the processor, is still deemed to be in the control of the transferor, the company that's asking for the services, as long as the transferor is responsible for determining the purposes of the collection or use or disclosure of the service provider. So as long as the company that's asking for the service to be performed is making the decisions about what's collected and how and why, the transferor is still the one with the ultimate legal liability if there's a breach. The transferor is still responsible for, to ensure CPPA compliance protection, same acronym as your previous California, over the data transferred to the processor. So if the processor breaches, again, the transferor is the one on the hook for it, although you can bet that the transferor will be sued by the processor will be sued by the transferor. And the act's obligations don't apply to a service provider unless it's collecting information, types of information, or using, uses of the, putting that data to use or disclosing it for purposes outside of what was required to service the contract with the transferor. That's a mouthful. So hopefully, you're all with me on that. It's, it's, it's hard to express clearly in words. So that's Canada. And that bill is working its way through now, it's had a, say, it's working towards the second reading in our parliament. And unless we end up having a snap election call, some would say to deflect criticism over the slower vaccine rollout we've had in Canada than you've had in the States, we may have that law this year. If there is a snap election, it'll, it'll get put on the back burner.
But I think there's a very good chance that even if there's a change of government, you'll see something very much like it come up, because again, in Canada as in other countries, good data privacy protection is a, it's sort of like the new tough on crime. It's an easy political sell. And it has bipartisan support. So let's talk about China. This was one that I hadn't heard about, and I suspect many of you hadn't either until after the fact. But in November 2020, China passed its first omnibus privacy legislation that actually eked out individual data rights. Like the previous regulations that have been passed in China, this law grants enforcement rights to individuals. So again, you have your private right of action. A lot of the provisions on this are substantially similar to the protections you have in the GDPR. So you've got individual rights of access, rights of rectification and erasure. It's going to apply to, well, it does apply to all data processed in China, and it has an extraterritorial reach not unlike the GDPR. It'll cover provisions of products, services to persons in China, and the analysis of behavior of persons in China. Specific consents required to transfer personal data to third parties. So this is what Canada decided not to do. And you have to identify the recipient, the purpose of the transfer, the type of the data transfer to the method of processing. I want to stop there for a minute to talk about extraterritorial, extraterritoriality, because I skimmed past Britain without mentioning it. And GDPR was a very recent decision just in the last few weeks that came down in the UK court. And this is pre Brexit, talking about whether or not, essentially, it was one of the first determinations we've seen about the extraterritorial reach of the GDPR.
So the facts of the case were British, but arose when Britain was still part of the EU and still subject to the law. So it's still, it's still instructive. Situation was a British citizen sued a US publication that had been publishing stories about him. The newspaper, well, it's online, but the publication was based in the States, but was available to subscribers in Britain, which is why the person cared about it, because people he may actually bump into were aware of the allegations in those stories. But it was not an organization that was really going out of its way to do business in Europe, it didn't have any offices there, any employees, so Britons could subscribe to it. But that's really it. So the court somewhat surprisingly said in these situations, there isn't enough of a connection to Britain, which again, it was still under the GDPR, for that US company to be subject to the, essentially subject to the GDPR and liable for breaches of it. That's a more limiting decision on the scope of one of these extraterritorial laws than we expected. And it'll be curious to see whether or not that we see more of that as we start to see more enforcement under the GDPR. And if some of these other acts that have extraterritorial effect, Canada's does as well for that matter. So back to China. There had been a previous law called the Cybersecurity Law. And under that, regulatory approval was required for transferring data overseas, but there wasn't any process for getting permission. So it was essentially moot. This new law implements a GDPR structure, with measures for network operators transferring data above a certain threshold level, and the higher the level that the amount of data being transferred, the greater the scrutiny.
The Hub below that threshold, organizations can transfer data out of China if they first obtain data protection certificate, and to enter in second enter into a contract with the recipient guaranteeing compliance with the law, not unlike the standard contractual provisions you see with GDPR, or pass a government security assessment. And that's a new option. Above that threshold level, transferring organizations have to pass the security assessment, although there isn't a process in place yet to actually do that. The threshold, regardless of how much data, whether you're above or below the threshold, the transferor still has to obtain subject's consent to the transfer. The fines on this, or for an organization, can be up to 50 million or 5% of its annual income, fines for breach by the individual, again, a mandatory minimum of 10,000, maximum of 100,000. I should, that reminds me, I should add that one of the changes that you'll have noticed that the CPRA to the CCPA in California was that the fines went up. So what do you do with all this? Some of the practical aspects for dealing with international data protection frameworks. First of all, how do you keep track of all this? How do you keep your arms around all of it? Start by building data maps that are relevant to your business, know what regimes where you're collecting from and what regimes may possibly apply. Prioritize risk regions, where you've got particularly active enforcement and particularly wide ranging laws. And incidentally, if you're short on resources to do all this, I mean, obviously, you should get external counsel to help you if you don't have the privacy department to deal with it yourself. Chambers Global recently started publishing a guide that's free online, that has a chapter for each individual company, we actually authored the Canadian chapter two years ago.
And this is a great place to go to get a sort of a high level understanding of what the regulatory regimes are in each of the countries where you may have data protection obligations. So if you're looking for some self study, that's a great place to start. Identify common baseline compliance elements across jurisdictions, because as you've seen here, there's a bit of a convergence happening. A lot of these laws look a lot like the GDPR, which sort of led the way in terms of a comprehensive law. So a lot of the principles in privacy laws for a long time have sort of been based on the same set of agreed upon core principles. Now we're seeing laws that themselves look a lot more similar than they did at the start. So, you know, compliance in one regime is going to bring you at least substantially close to compliance in another regime. It's better than nothing. Stay up to date on the relevant global legal frameworks, and you know, that's a big job. And as with so many things, compliance with this law is probably going to feel like it's more expensive than it's worth, because it is a lot of work. You've got a world of risk. seems to deal with and at the same time and increasingly porous.
The borders have disappeared when it comes to privacy but not privacy, not when it comes to data, but not the privacy laws that control data. Happy to take questions if there are any.
Todd Burke: Well, thank you very much, Brent, for that presentation. We do have some questions. And one of the first questions is, well, I guess it's a question in terms of the follow up to a comment that you made about country resources. Could you just repeat that particular source, please?
Brent Arnold: Oh, the Chambers guides, yes, Chambers Global. And I can actually, if everyone will bear with me, I can find it and put it in the chat.
Todd Burke: And while Brent is doing that, I'm also going to remind you, to get your CLE credits, you need to put maple syrup in the chat. Because this is being recorded, they're going to then take your entry, and we'll submit it for State Bar purposes. So if you haven't done so, please put maple syrup in the chat. So Brent, another question for you is what drives the European leadership position in terms of privacy legislation? They seem to be always out in front. What drives that?
Brent Arnold: I think it's, for one thing, it's more of what some people would charitably call a nanny state. It's just a more regulated area than many parts of the world. And so I think that they go into that with that mindset. They don't go into it with the same notion that we see in a lot of countries that increased regulation is a limit on individual freedom or reins in business. Part of why the UK wanted out of Europe, apart from some of the less savoury reasons, was complaints about the cost of compliance with the various regulatory regimes that you had under the European Union. So it's just a more regulated jurisdiction. I think it's also a jurisdiction where the economic activity is very integrated, but you still had sort of separate states. When you have a European sort of overarching organization like the European Union, it's easier to sort of close those borders and work across borders. So essentially, I would say the reason is that the European Union is working with suppose to making it possible to govern a large area across the borders.
Todd Burke: So I think a companion question to that is, and I think you've touched on it a little bit. But why now in the United States, why, what is driving this interest in privacy legislation in the United States?
Brent Arnold: I think, well, we have seen, some of it is frankly economic. And it's catch up, because it's very difficult to do business outside of America, as you've seen. Now, companies that are dealing with Americans and dealing with American data or transferring it to America are going to have more problems than they used to, because the security shield is down. So there's an economic cost to having a less robust regulatory regime than the countries that you're dealing with economically. And I think we're now going to start to see a real race to bring global regimes up to snuff and up to the level of GDPR, candidly, just to make sure that it's still possible to do business in this new very digital economy. And, you know, some states are more... I shouldn't generalize about America to Americans, but I mean, of the states that are amenable to regulating things, California would be one of the ones you'd think of first. So it's not a surprise that it started there. It's also an enormous economy in the States within itself, and was contending with these data issues itself.
Todd Burke: So in your presentation, you talk about a multitude of regimes. And one of the questions that we have is, is it okay to just pick the strongest standard, for example, the GDPR, or the California law, to comply with, rather than trying to track and comply with all of the international laws that apply to my business?
Brent Arnold: It makes me uncomfortable to say yes, so I'm going to say no. But that said, one of the great things we're seeing with this slow convergence of the laws, that's actually accelerating now compared to where it was five years ago, is that the laws are starting to look a lot more alike. So you are more safe relying on compliance with the new California law than you would have been a few years ago, because it's much closer in line with GDPR. It's closer in line with China, and it's going to be closer in line with Canada as well. So as this convergence continues, I don't know that we'll ever get to a global or an internationally agreed law. But we're certainly seeing a lot of sameness. So you're safer than you used to be, I would put it that way. But if you're gonna go that way, do make sure that you have a handle on which laws are more strict, and there are particularities to some laws that you just need to keep a good eye on. Regardless, if you're dealing with different parts of the world where perhaps the law is less stringent, but the penalties are higher. I can't give you a concrete example. But it's something that I would want to be very clear on if I was dealing with a country that's very different from the one where I was based.
Todd Burke: Another question, I think it was in your section on Brexit, you made reference to standard contract clauses. And the question is what typically goes into a standard contract clause?
Brent Arnold: Right, right, right. So I'm going to also put into the chat the locations for the draft answers, sorry, the draft contract clauses that are being assessed right now. You'll see two documents in there. And you want to download the annex. I'm just going to make a note of that. So it's 29 pages. And I'll read through a couple of samples. I won't read the language, but I'll give you a sense of what they look like. But there's 29 pages of them. And those who draft contracts for a living are going to find the document sort of comfortable to work with. It's basically like boilerplate clauses. And they range topically, and they are essentially things that really ingrain a lot of the things that people who've been working in privacy for a while will recognize, those core principles that are the same in just about every privacy regime. Like for instance, parties have an obligation to make sure the personal data that they're keeping is accurate and kept up to date, and to the extent necessary having regard to its purpose of processing. So an obligation to make sure that your information is complete, up to date, and that you don't have more of the thing you're supposed to there. There is a sample clause requiring the data importer and the exporter to implement appropriate technical and organizational measures to ensure the security of personal data. And so there are clauses that bind the processor and to some extent the transfer as well. There are provisions limiting the amount of collection, limiting the amount of storage, and setting out all obligations with respect to requests to erase. So essentially, these contract clauses, just in a very fulsome way that you can just add right into an existing contract, ensure compliance with the basic principles that underline GDPR, and a lot of other privacy regimes.
Todd Burke: So Brent, you're in the data breach class action business. Are you going to be busier or less busy after these various pieces of legislation come into full force? So the question really is, should we expect all these new laws to result in more class actions?
Brent Arnold: I'm going to give the lawyer answer to a roomful of lawyers: it depends. To the extent that these acts just set out a private right of action, it may not make a whole lot of difference. In Ontario, for instance, where I practice law in Canada, some of the laws have a private right of action, and some don't. PIPEDA, which is the federal act, again, that most of the lawsuits are based on, doesn't. But as in a lot of things, the law sort of is taken as a proxy for a standard of care. So if a company breaches the law, they'll be sued for negligence, and the allegation will be you had a duty of care, the standard of care you had to meet was to comply with this law. So the private right of action doesn't necessarily add anything to that unless, as we see in some other regulatory areas, like for instance, tobacco. There, we have regimes where provinces wanting to prosecute, or states wanting to prosecute tobacco companies are faced with a lower burden of proof than they would be at common law. So if you're dealing with a private right of action and a statute that also rigs the game by setting a different and lower burden of proof, that's going to be very appealing for the class action bar. So it depends on what else is in the act. We've had so many of these actions already before we had private rights of action in some of these jurisdictions that I think, frankly, what's going to open the taps or close it is going to be judicial interpretation more than anything else. For instance, you know, in Ontario and Canada, we're starting to see class action decisions at the certification level, and it's called different things in different states. But one typical stage in class action lawsuits is where you have to get court approval for the action to go forward as a class action.
We are starting to see judges, in Ontario at least, more willing to make hard decisions about laws that are not very well, where there isn't a lot of law, which is what we're dealing with when we're talking about privacy law, like the real obligations involved in the terms of satisfying a standard of care with a statute. Or, for instance, some of the privacy torts. We in Ontario have a tort of intrusion upon seclusion that doesn't require proof of damages, arguably. But there's almost no law around those. We're starting to see courts be willing to throw cases out at a preliminary stage, or at least consider doing that, and decide on the basis of whether or not these claims have any chance of success. If we start to see more of that attitude by the judiciary in different states, then that's what's going to close down the flow of class actions more than anything else, I think, because, plainly, it'll simply be too hard to get them certified. So the short answer is maybe.
Todd Burke: That's great. Now, I think that our up is all the questions that we received. I think as a result of monitoring the Q&A, there was an issue about the resources being posted and available on the chat. I think that has now been corrected. So thank you, Shannon, for correcting that. Shannon's with our marketing group, and we appreciate you correcting that. So that brings to an end our presentation today. We want to thank the ACC Wisconsin for hosting us and allowing us to participate in your programming as a sponsor. If you have any questions that you would like to have answered offline, Brent's email is on our website, as is mine, and we would be more than happy to assist in any way we can. So thank you very much. Thank you, Amy. And thank you to everyone for taking time out of your day today to join us.
Brent Arnold: Surely stay warm, stay safe.
Big changes to privacy laws around the world in 2020 and 2021 are giving rise to new concerns and compliance issues for companies doing business abroad. In this session, we review what's changed in several jurisdictions (from the EU's Schrems II decision, to the proposed changes to Canada's PIPEDA) and discuss what these changes mean for American companies and the lawyers who advise them.