Brent J. Arnold
Partner
Henry: Good afternoon, everyone and welcome all participants and guests to Gowling WLG's US Tech webinar series. Before we launch, just by way of some immediate housekeeping. We wanted to alert all registrants who are seeking California CLE credit to please visit the All Hands link which we're posting now in the comment section of this webinar. The link should be clicked on as soon as possible for those who are seeking credit so that you can time stamp your attendance here at the session today. I hope everybody is safe and doing well. If you're coming to us from the comforts of your home office, or wherever you may be tuning in for today's webinar, we're coming to you live from snowy Toronto, Canada. Home of the NHL Stanley Cup hockey champions, Toronto Maple Leafs, circa 1967, but that's another story. My name is Henry Harris. I'm a business law partner at Gowling WLG and I serve as the Canadian leader of our California regional team. Our firm acts for a number of Silicon Valley tech companies, ranging everywhere from household names to more emerging growth companies, and many of whom are joining us for this webinar so welcome to them and everyone. By way of welcome I'll introduce my partner, Brent Arnold and today's topic in just a moment. But first wanted to provide some context. Our webinar's being presented in conjunction with the SVAGC, Silicon Valley Association of General Counsel, and its annual All Hands meeting. Gowling has been a long time sponsor of the SVAGC and I, and other partners of mine, regularly attend the All Hands meeting in person in Silicon Valley. Of course this year we are pleased that the meeting was able to adapt and that we were able to adapt and present today virtually. But today we're presenting the second of a three series webinar section where we've been exploring emerging trends and issues relating to advising tech companies.
Just to give us some of the landscape our first session was held last week, Thursday, January 21 on Cybersecurity and Protecting your internal client. The session was recorded and will be available to anyone who's interested to access it online. Our third webinar in the series is coming up this Thursday, so in 2 days, and it's on the topic of artificial intelligence, AI, from a European perspective being presented by our London, UK partners and we would welcome you to attend. For those who are not familiar with Gowling WLG, we're a global law firm of 1,400 professionals. We're in 19 cities worldwide. Regionally, Canada, the UK, Europe, Asia and the Middle East. So we're across 9 different countries and, with that, that brings us to today's session which I'm excited to hand over is on the topic of cross border and international data privacy issues. I think it's fitting that it's the second of three webinars because there really is a lot of meat or substance to this session. A lot of interesting information to cover so I'd like to get right into it and, in doing so, I'm pleased to introduce my partner, Brent Arnold. Brent is also based in the Toronto office. He's a commercial litigator. He handles data breach, coaching and response as well as that of breach class action defense work. Among other positions Brent is recently appointed Vice-Chair of the Steering Committee of the Cybersecurity and Data Privacy section of the Defense Research Institute, DRI, which is a US based organization. So, without further ado, I am pleased to hand over the baton to you, Brent.
Brent: Thanks, Henry, and thanks everyone for joining us today. As Henry said we're going to talk about cross border and international data and privacy issues. We've talked about getting you credits and I have to start off with the usual disclaimer that this is not legal advice, it's legal information, and if you've got privacy issues you should consult your external counsel or solve it yourself with your general counsel. So let's talk about where I was hoping to take us today. It's going to be a bit of a whirlwind tour. So we're going to review some of the recent developments in the last few months and, projecting forward, the next few months in some of the bigger centers of the world. We're going to talk about the US. We're going to talk about Europe and the GDPR, in particular fallout from the Schrems II decision a few months back. We're going to talk about your largest trading partner. I think we're still the largest trading partner and we're going to talk about China. We'll briefly touch on some recommendations and then we'd be happy to take any questions you might have.
I'm going to spend probably the least time on the US because I would expect this is the jurisdiction that you all know best and know quite well. But as you know, just to set the table, late last year we saw the introduction of the California Privacy Rights Act which updated the CCPA which, of course, was already causing general counsel and external counsel alike plenty of heartburn as it was. The CPRA increases the scope of the Act but also decreases the categories of organizations that fall under its purview. It adds a new sensitive data category which includes a number of fairly traditional, for privacy law, categories that we're used to seeing. It also mentions religious beliefs, biometrics, sex life, sex orientation and health data. It doesn't have a GDPR style consent obligation but it does offer greater control over data for data subjects. It gave us a new definition of consent, which is set out there, and is a very specific and more prescriptive definition than we have seen in some other Acts. So that's helpful. It also expands the requirements for what provisions you need in contracts between controllers and service providers. Now these contracts have to prohibit sale and sharing of personal information, expressly. They have to prohibit the retention or use or disclosure of data except for purposes specified in the contract. They forbid combining data with data received from others so if you're planning on making data pools this is an issue. It also requires those contracts specify the personal information sold or disclosed by the service provider is done so only for the limited and specific purposes. That service provider is subject to the CPRA and has to provide the protections that the Act requires, and we'll see shortly that's not necessarily the case in all of the jurisdictions that we see, but the mechanism is often what we see here which is those obligations are extended by way of contract.
The transferor retains the right to take reasonable and appropriate steps to ensure compliance with the Act by the service provider. The service provider has to provide notice to the transferor in the event that it determines it can't meet its CPRA obligations and that is very similar to the application of the inclusions that we see in the GDPR standard contract clauses.
So, one of the things you may see as we go through this presentation is we're seeing a bit of a convergence and similar developments in a lot of these countries. The Act now provides a private right of action. There's some momentum, possibly, for new privacy laws in the coming year. We'll see whether this is overly optimistic but there's certainly a great deal of that optimism. The International Association of Privacy Professionals expects that the changes in the California law over the last 2 years, and the coming in of the new Biden Administration, along with what we've seen as a gradual process of convergence between the Republican sponsored Bills and Democrat sponsored Bills dealing with data privacy, means we may actually see a comprehensive Federal law, perhaps even this year. Business insiders predicting that an industry group pressure for rationalization clarity of the US Federal law is going to be another driver in that process and we're already seeing the introduction, I wouldn't say copycat Acts, but very similar ones in other States that track the advances made in California statute. Washington State is now attempting for the third time in 3 years to pass a CCPA CPRA like statute and we'll see how that goes.
Crossing the pond, we saw some developments in the GDPR this year as well, in Europe and among them the new European Data Protection Board, GDPR Strategy. The 3 year strategy was published earlier this month, and it comes in the backdrop of gaps and differences in national enforcement, making it difficult to make cases move forward, particularly where there's cross border data issues. So the strategy here is to sort of offer some guidance to help rationalize the process and streamline it. So what the EDPB plans to do is to strengthen cooperation between the national authorities by streamlining these processes, implementing a coordinated enforcement network to ensure cooperation, and they may also establish a support pool of experts to share expertise between the jurisdictions and to aid an investigation and enforcement. Hopefully that will make a difference. What's it mean for you if your company is doing business in Europe? You've got data controllers, process monitors. They should be monitoring these new guidelines as they come out and any future statements or opinions that lend colour and help interpret them. National authorities within the EU are going to start acting together to issue joint actions and investigations and procedures to enhance competition and consumer protection. Some entities have perhaps benefited from the lack of organization in this field. There will hopefully be less of that in the near future. We're going to see more cross border enforcement within Europe, but it should be faster, and we're going to see more guidance on international data transfers between EU and the rest of the world, likely quite soon. Many of you will have heard about the Schrems II case last year.
Mid-way through the year there was a ruling by the European Union Court Justice and it came down in favour of a privacy activist, Maximilian Schrems, who's been advocating against some of the arrangements put in place to facilitate data transfer from Europe to other places, and in this case the US was at the center of this case. Prior to the Court challenge, data controllers and processors could rely on the Privacy Shield Transatlantic Treaty that covered those transfers, and that meant that companies could transfer data without having to independently verify the adequacy of the privacy regime of the recipient's State. That is no more because, as we'll see, the decision invalidated the Treaty finding that the US measures were insufficiently comparable to the GDPR. One of the issues here being that data subjects' rights weren't actionable against US authorities in US courts. So it'll be interesting to see if a new US Federal law will bring along a private right of action which is something we've seen as a feature in most of the new statutes that we're seeing around the globe. Companies will now independently have to ensure that the data to the recipient State, in this case data going to the US, will still have protection at a level comparable to the EU and the EEA, notwithstanding that it's not up to that level statutorily in the view of the EU. Now some of the measures you can do to achieve this are familiar I'm sure to this audience. Standard contract clauses as we see in the GDPR. Binding corporate rules as we see in the GDPR. Codes of conduct and certification measures. All things that can be built into your contractual arrangements to give EU regulators the comfort that they need to allow for the transfers.
The Protection Board also published guidance on Schrems II last year. They're recommending measures to supplement the transfer tools to ensure GDPR compliance. They addressed transfer compliance and suggested the data exporter will now need to be able to confirm that the data complies with GDPR, in the sense that it's limited as possible in scope, that its records are adequate and complete. All familiar principles under most privacy law regimes. There's a requirement for transfer of tool verification. So where there's no adequacy decision by the EU you'll have to rely on the tools in GDPR articles 46 and 49. You should be assessing, on a rolling basis, the third party, that's the recipient country's conflict law effects. Because you have a situation where the third country's laws will lessen the protective power that you've built into those contracts, given that statutes trump any contractual arrangements. For instance, concerns over the third party country's laws permitting greater access to State entities than would be allowed under the GDPR. So, all this to say it's a lot more administrivia for everyone in the interim. They should also be identifying and adopting supplementary measures. Again, some of these are the ones that we've seen before. There's an annex to the guidelines that also suggests things like hashing and encryption. More encryption than you would ordinarily have. So they do offer some very specific nuts and bolts means to ensure compliance.
So what about Brexit? Now that we're in a new world order in Europe, and the UK has pulled out, happily there's been chaos on the roads but less so in the privacy space. There's a trade and cooperation agreement that came into effect this month. It's going to be formally adopted in February. It allows the EU and the UK to develop and adopt data protection measures including around data transfers. Unfortunately they're going to be proceeding on parallel tracks which means you could end up with incompatible laws, or at least very different ones, when it comes to transfers. We'll have to see whether or not the sort of global convergence in thinking on how these things ought to work is going to help keep those constant, or whether there's going to be perhaps a show of defiance by the UK, as we saw around currency and perhaps they'll take a different path. We'll see. For now, transfers of personal data from the EEA to the UK will be deemed to be transfers to a third country requiring GDPR article 46 standards. Again, standard contractual clauses, binding corporate rules and the like. The UK becomes considered a third country as of the earlier of two developments. One is the arrival of April 30 of this year or the adoption by the ECC of an adequacy decision with respect to the UK privacy regime. Obviously there'll be hope that that happens because it will mean that there's a smooth and simple mechanism in place and we don't just drop off a cliff. But we'll see. The UK is deemed by the EU EEA States to be adequate on a transitional basis in the meantime, pending review, for alternative transfer mechanisms such as standard contract clauses won't be required for now. The UK has managed to sort out and arrange agreements for uninterrupted transfers with Argentina, Canada, Japan, New Zealand and a few other countries. Those that don't enjoy that are going to require binding corporate rules. Of course the UK is now no longer part of the GDPR's one stop shop mechanism.
So if you've been getting approval through Britain to get approval through Europe you're now going to have to find another country to initiate that process.
Coming over across the actual physical border, to Canada. By way of background, privacy law in Canada is an area of split jurisdiction and the Provinces are either all under the Federal law, which obviously also applies to Federal matters, unless they have enacted laws that are substantially similar to the Federal law, which we call PIPEDA. In which case it comes within their own jurisdiction. About 3 Provinces have done that so far, and their laws are at least as stringent as PIPEDA, and in some cases arguably slightly more. Statutes and regulations in Canada don't expressly require additional consent to share transfer data across organizations. So a transfer for processing, let's say to a processor, and they don't deal separately with transfers across borders or internationally. Now, since 2009 the Federal Office of the Privacy Commissioner's stance on such transfers was that transfers of personal information to another organization in another jurisdiction are perfectly acceptable. It establishes some rules governing the transfers but it's deemed that a transfer for processing, and that can include storage, is a use of the information rather than a disclosure, and that means that it doesn't trigger consent obligations under the Act. Assuming the information's being used for the purpose it was originally collected for additional consent isn't required for the transfer. So we were all quite comfortable with that until 2019 when all heck broke loose and I recall that I was actually speaking at a conference on cross border data transfers when the following happened the day before I was to speak. The Federal Office of the Privacy Commissioner released its decision in Equifax and it also released a document to the effect that they were starting a public consultation process to reverse the stance that they had before. I.e., the stance that transfer to a company to process outside of Canada was a use and not a transfer and didn't require consent.
This tipped off a public consultation. It got the privacy community in Canada very nervous. I can tell you that the audience of General Counsel I was speaking to in the States were also quite nervous about it because it was going to expressly contemplate an obligation to obtain prior consent or additional consent as data was crossing the border. You can imagine how disruptive that would be to business if you've already collected this data and now to transfer it to, let's say a parent company for further processing just to simplify your business processes and not require you to duplicate everything in Canada, that would be enormously cumbersome for a lot of companies and for some it would make their business models just impossible. All this came to a screeching halt when the Federal government announced that it was implementing a digital charter for Canadians, and that was going to be followed by a revamp of the Federal privacy laws, and that's where we are today actually. The government's moved relatively quickly and is now considering Bill C-11 under which cross border transfers are still permitted on that basis. It doesn't distinguish between domestic and international transfers of information to a processor and there are no more restrictions on processors outside of Canada than inside Canada. Organizations can still transfer without the data subject's knowledge or consent. So as I was saying it allows transfer to a service provider, as it's described in the Act, and then there's your definition there, and it requires that it's for the purpose of providing a service on behalf of the transferor to assist it in fulfilling whatever its purpose is with respect to the data. Here again we see the introduction of a new private right of action and we'll see whether or not that ends up being class action fuel. Organizations can transfer data, as I said, without the subject's knowledge but the Bill clarifies a few of these responsibility/liability issues. 
Personal info gathered by the provider on behalf of the transferor is deemed to be under the control of the transferor, not the service provider, as long as the transferor's responsible for determining the purpose of the collection or the use or disclosure by the service provider. So even if it's not just a transfer of data to the service provider, and the service provider is the one collecting the data, ultimate responsibility still lies with the transferor as long as the service provider isn't stepping outside the bounds of what it's supposed to be doing under the contract. The transferor is still ultimately responsible to ensure the CPPA compliant protection, and that's the Canadian statute not the California one with the same acronym, with respect to the transferred data. The obligations to the statute don't apply to that service provider unless it's collecting or using or disclosing the data for a purpose beyond, as I said, what's set out in the contract. The purpose for which it was to be collecting it or receiving it in the first place.
Let's talk about China. A lot of interesting developments in China and it's interesting to me that a lot of the developments I'm talking about today happened when the world and we were distracted with all this going on in Washington. It was a very busy end of the year for the privacy community. We saw the introduction of the Personal Information Protection law. That's China's first omnibus privacy legislation that actually carves out specific individual's data rights. It's remarkably similar to Acts that we see around the world, but it's also quite similar to regulations that were passed in China, but this law grants enforcement rights to individuals for the first time. It's substantially similar to the GDPR. So you see rights of access, rights of rectification and rights of erasure, the right to be forgotten as it's sometimes called. Which has been late coming to a few jurisdictions including Canada but we're now, with the new Bill C-11, we may get it as well. It looks like China got there first. It's going to apply to all data processing in China. It has extraterritorial application for products and services sold to persons in China or for companies that are analysing the behaviour of persons in China. Now here's where we see a bit of a divergence. You need specific consent to transfer the data to third parties. You have to identify the recipient, the purpose of the transfer, the type of the data transferred and the method of processing. Now, this doesn't replace the cybersecurity law that was already on the books. Sort of an umbrella law and most of the law is designed to sort of replace or supplement or just under regulations under the old law. There is a requirement under the CSL for regulatory approval for data transfer overseas but they never did rough in any sort of process for getting that permission. A couple of implements. GDPR like structures with measures for network operators transferring data above a certain threshold level of volume of data.
Now if you're below that threshold the organization can transfer data out of China if they do any of the following: one, get a data protection certificate; two, enter into a contract with the recipient guaranteeing PIPL compliance like we see with the standard contract clauses under the GDPR, or pass a government security assessment. Now if you're over the threshold you have to pass the government security assessment and there's no way of doing that yet. They're going to have to still put the requirements and the process in place to bring that to life. Regardless of the threshold, however, and here's where we see the difference with some of the other statutes we've talked about, the transferor still has to obtain the data subject's consent to transfer. In some ways this is perhaps a surprise to those who follow China's politics. This is a very consumer friendly and very citizen friendly statute with respect to privacy. It's aggressive and, indeed, fines for an organization that breaches the Act can go up to as high as 50 million RMB. It can be up to the 50 million or 5% of annual income which, depending on the size of the entity, could be an astronomical sum. Now if an individual in the organization is held partially responsible, or fully responsible for this organization's lapse, its fines on the individuals start at 10 thousand and can go as high as 100 thousand. Again, that's a pretty aggressive fine to levy on an individual person.
So what do we do with all this? There are practical aspects for international data protection frameworks affecting you, as in house counsel, and for international businesses. First of all you do need to sort of get your arms around all of this if you're operating globally. It's a good idea to build data maps relevant to your business that help you track all of this. You want to prioritize your risk regions. Where are you most likely to get into trouble? Where are the most aggressive laws? Where are you doing the most business? Identify common base line compliance elements across jurisdictions. So the goal here is to figure out how do we comply with all these laws but don't treat them as separate obligations, separate laws? There are common threads as we've seen that weave through all of these and many other laws that we haven't looked at today. So if you design your compliance regime properly it should be possible to comply with just about all of them. It's important to stay up to date on the relevant global legal frameworks and it's a lot of work to do this and I frequently have companies say to me, "The cost of compliance is just not worth it." For a lot of small and medium sized businesses that's understandably the case. Unfortunately there isn't any sort of proportional approach to weighing whether or not you're in breach. It's just the unfortunate reality of doing business in 2021. You're going to spend a lot of money and a lot of time on compliance.
Are there any questions?
Henry: Yes. That's great. Back to Henry. We've received some questions. Some really good ones which I'm about to refer to and address but we welcome anyone that has any questions to just put into the Q&A section. I believe that they're all coming through as anonymous so, as they say, no such thing as a bad question. No worries about grammar or punctuation but with that being said, thank you friends. You went through the jurisdictional regulatory web of data privacy standards, a question that is flowing from that is this: Whether it's okay to just pick the strongest standard, for example GDPR or California law, to comply with rather than trying to track and comply with all of the international laws that apply to a business?
Brent: It's a good start but we shouldn't stop there. Not least because the principles that underline most of these statutes are the same or similar. The mechanisms can be very different. Ultimately if a regulator takes you to task they're going to be interested in knowing the extent that you were actually mindful of their specific regime. But often compliance with one is going to allow you to comply with the others so if you're going to do this, I don't recommend it, but if you're going to pick a regime, yes, pick the ones that are the most stringent and set that as your baseline and you will avoid trouble in a lot of circumstances. But as we've seen there are some basic differences still. There are some jurisdictions where you don't need to obtain further consent to transfer data outside as long as you've put contractual obligations in place that can confer those requirements onto the processor. Other regimes still require a consent regardless so obviously if you're going to comply with one that requires it regardless that's a very different business model and you're going to be having to figure out how to get that consent. It's going to hamper, to some extent, what people can do with the data once they have it if they haven't already sort of anticipated all the possible uses that they might want to put it to. In a world of dreams, and as lawyers we always say, "No, comply with all of the laws. Know all the laws and you spend what it requires to do that.", but as a practical matter you're in better shape than not if you start with the most stringent laws.
Henry: So it's the legal principle of aim up high and hope for the best.
Brent: Yeah. Like so many other things in the law, yes.
Henry: Yeah. Okay. Here's another one and I did take note. You mentioned in a couple of instances the use of standard contract clauses as a means of compliance. I believe in the presentation it came up in the context of Schrems II and also when you were discussing Brexit and the trade and cooperation agreements standards, sort of at a practical level can you speak as to what typically would go into a standard contract clause?
Brent: Sure. So we see these typically spelled out as annexes to the laws. GDPR has them and I should say the UK has come out with some guidance in light of Brexit to guide what's going to go into British based contracts. But the principles are all very similar and essentially these are the kinds of provisions that under other regulatory regimes would simply be laid out in the statute and then deemed to be part of a contract. The difference here is that the way that it's done in privacy law is they require you to actually include it in the contract. So they set out some standard definitions around controller, processor, the sort of the standard building blocks you need for the privacy statutes to make sense. Then they confer obligations on the processor and they're fairly generically worded but that's in keeping with the statutes to protect that data to a level that essentially complies with the applicable laws. So the GDPR ones are as vague as that. They say comply with all applicable laws. Of course if you're based in Europe that means GDPR and potentially the laws for the jurisdiction that you're transferring into. They set out those obligations. They set out as sort of a tree liability, let's say, where it's built into the contract. That the controller is responsible for breaches of those applicable laws regardless of whether they occur at the controller end or occur at the service provider end. But if for some reason it's not possible to pursue the controller then the remedy transfers to being as against the service provider. So if the company that collected your data goes out of business, you can still chase after the company who's processing it, if there is a breach on their watch. So that's sort of the nub of it. It builds in those obligations and sort of guarantees some avenue of recourse and sets out an understanding as to who's first in that chain.
Because it wasn't always entirely clear to what extent the processor can be liable in these circumstances when it's a failure at the processor's end but, of course, your controller is the one that collected the data in the first place, typically.
Henry: Okay. That's great. Always good to know what goes into a 'quote' standard clause on a rather complex set of data points. Another question, and I had mentioned when I introduced you that part of your practice includes data breach class action defense work, so here's a bit of a softball question that came in that I'll lob to you. Should we expect all these new laws to result in more class actions?
Brent: The short answer is maybe, as with most lawyer answers, especially litigator answers. I think that we are going to see perhaps an emboldening of the plaintiff's bar. It's interesting because, I'll use Canada as an example, but it's a typical example. At the moment we don't have that private right of action and we don't have a nominate tort of statutory breach. So in Canada you can't sue for breach of PIPEDA or one of the Provincial laws. You can, however, sue in negligence and the fact that the law wasn't complied with sort of sets the floor for a standard of care. So that hasn't really stopped plaintiff's counsel from bringing data breach lawsuits and goodness knows we have lots of them. It's a wave that we're seeing, particularly now coming out of COVID as well, because there is so much hacking and malicious activity during COVID. I suspect we're going to see many more of those coming out. So in a way it doesn't give you something that you didn't have before, really, but you potentially could. It depends on how the private right of action is phrased. If it's a right of action that doesn't require, and this would be a pretty wild example but let's use it as a theoretical, a private right of action that doesn't require you to prove damages. That's enormously useful to the plaintiff's counsel because it's just a much, much easier case to make out. It removes a lot of the individual assessment of people's claims, and in many jurisdictions where class actions are available what kills an action from going forward as a class action, is the lack of commonality between the claims of individual persons in the class.
So if the private right of action in any statute is set up so that it lessens a burden of proof, or makes it easier to bring a generic case where you don't have to deal with the individual circumstances of individual class members, it absolutely could result in certainly more claims and claims that are easier to sort of get over the threshold of what we call in Canada, a certification, with the process of the court approving an action to go ahead as a class action rather than as individual actions. So I think that the plaintiff's bar will certainly be happy to have it but it hasn't stopped them from bringing those actions in the past.
Henry: Right. Okay, great. I'm going to take this opportunity to apologize to Tony, one of the people who asked a question. I had said all of the questions come anonymously but maybe that's how you enter it. So I apologize for that data breach, so to speak, but Tony asks could a US Federal law preempt the State laws that crop up ahead of Federal law. I'll jump in to your defense, Brent, by qualifying neither of us are US qualified lawyers but I don't know if, with that proviso, if you have anything you would want to address in that question or feel able to.
Brent: Sure. It depends, Tony. If the statute is set up in such a way that it's conceded that this is an area of joint jurisdiction, based on the Canadian Federal model where the US Federal law applies in the absence of an equally strong and very similar State law. That's one model for doing it. But there are also many areas where you have concurrent Federal and Provincial laws, in this case State laws, and they may simply overlap. I suspect though, if the ultimate concern is compliance, I would suspect that any Federal law that's going to get passed is going to be as stringent as the California law and probably very similar. So I don't think you're going to see a scenario where there are wide swings in the requirements from State to State. The fact that there's bipartisan support for a Federal law on this, even under the previous government they just haven't been able to arrive at the exact law, but the fact that there's bipartisan agreement that this is a law that needs to exist makes me think that it's important enough, and the inclination is going to make the laws stringent, whatever it is. I don't think you're going to see it watered down in the legislative process. It's like passing a tough on crime bill. I mean this in a way it's difficult to implement but it's easy to write the law and it's easy to set very high standards. So I think what you may well see, competing Federal and State laws, but I think they're going to be very consonant.
Henry: Okay. That's great. There are questions that are flowing in so really appreciate the dialogue from everyone. That being said I had asked Brent, in sort of my capacity as moderator, to do the presentation at 110% and he complied so we're doing reasonably well for time. So if you do have a question by all means feel free to throw it up on the board and another one coming in anonymously, so I guess you have the option as to how the question pops in. Here's one of interest and you were talking, Brent, throughout the presentation about sort of keeping an eye on regulatory matters across global markets. How do you do that and what specific sources might you recommend for in-house counsel, or counsel generally, in trying to stay abreast and keep a track on the changes that are happening in the global market or regulations globally?
Brent: Yeah. I would love to have a piece of software in my computer that gives me a dashboard into all the countries in the world that have these regimes. I haven't seen that yet but it will make lives a lot simpler and possibly result in fewer privacy lawyers, and certainly on the defense side, if we had something that keeps us all that organized. There are a lot of private publishers that are putting out really good resources on this. One of them is the Chambers Global Guides. They have a subset of law, one devoted to cybersecurity. I guess they'd be on their fourth edition. Actually had the pleasure of being one of the co-authors for the Canadian chapter of the second edition in 2019. It's a book about that thick. It comes out every year and it gives you a good overview of what's happening in most of the key jurisdictions in the world. They are structured so that you can jump to the same topic for each country and find the answer quickly. I'd still like to see something like a massive chart that sort of maps all this out in a searchable way but I haven't seen that yet. I'm just, frankly, following a lot of law firm newsletters and in Canada and the US I'm following what the regulators themselves are saying. But it really is something that you have to sort of do a lot of reading on and check more or less constantly. So there's an invitation to commercial publishers and software publishers. That's the tool that I would like to see next in terms of legal tech.
Henry: Yeah. Sounds like there's a business idea there. Maybe we should consult with our UK colleagues on the AI and see if there is something to be done in that regard.
Brent: Absolutely. In any of the global firms you'll find have fairly good coverage of all of the places that they're doing business and keeping an eye on and ours is certainly one of them. So, sign up for the newsletters and just keep an eye on things.
Henry: Yup. That's a great point. I'm just going to canvas our board to see. Some of these questions have come in through alternate channels. Just taking a look to see if there's anything else currently outstanding. I'm just looking through my email as well. While I do that I don't know if there's anything else that you wanted to add or go back to or emphasize, Brent.
Brent: No. I think I've probably said more than I know.
<laughter>
Henry: Yeah. Okay and that's great. I've just done my look through. So if there is nothing further no doubt we have not answered all the questions in the global universe of data privacy issues so please do feel free to reach out to us, to Brent or myself, both jurisdictionally and expertise wise we would be more than pleased to answer your question or put you in touch with one of our colleagues in the appropriate jurisdiction within our global platform.
Brent: Actually, we don't compete with your regular lawyers. We don't have offices in the US for business reasons. But we work very closely with a lot of favoured nation firms in the US and probably ones that you're already using so always happy to help.
Henry: Yup. If anyone joined us mid-way through and were so inclined to listen to this entire presentation or part thereof, it's being recorded and will be posted online. So if your preference is to listen at 80%, 90% or 110% speed that will be available and, as mentioned, we have our final session on Thursday on artificial intelligence from a European perspective. I will be tapped into that with interest. One of our presenters has actually written a book in that area. So sure to be a good session. Other than that I wanted to, once again, thank everyone. On behalf of my partner, Brent, Henry Harris and we are delighted that you could take some time out of your earlier or mid-afternoon today to join us. Thank you for very good questions and dialogue and we do hope that you found it helpful. Wish everyone to be safe, to be well and to be productive. All the best. Thank you for attending.
In many jurisdictions, changes in privacy law were common throughout 2020. This gave rise to new concerns and compliance issues for companies doing business abroad. In this session, we'll review what's changed in several jurisdictions (from the new California statute to the EU's Schrems II decision, and proposed changes to Canada's PIPEDA) and discuss what these changes mean for American companies and the lawyers who advise them.