Data Privacy lawyers are involved with the provision of advice in all matters relating to the collection, use, disclosure and maintenance of personal information. This includes data security, ownership, aggregation, licensing, commercialization and trans-border transfers, and advising on global and local anti-spam, health, workplace and general privacy and data breach legislation and regulatory enforcement.
Data privacy lawyers are also involved with privacy, data and cybersecurity due diligence, policies and audits; intra-corporate and international data transfers; data mapping; problematic online content; advising on artificial intelligence, machine learning, biometrics and other emerging big data technologies; and the privacy law and data provisions elements of business transactions.
Please note that the Lexpert Directory has a separate section for:
Before defining and distinguishing data protection and data privacy, and looking closely at what data privacy lawyers do, we should first understand the meaning of personal information.
Personal information are data, on its own or when these pieces of data are collated, can identify, locate, or contact an individual. It may also be known as “personally-identifiable information”, data about an “identifiable individual”, or “personal data”. These pieces of personal information are usually collected by private companies and public agencies, which can unknowingly expose an individual or breach their privacy when used feloniously.
In Canada, statutory definition of the personal information differs. Under the Privacy Act, personal information means “any recorded information about an identifiable individual” (Section 3, the Act), while the Personal Information Protection and Electronic Documents Act or PIPEDA defines personal information as “information about an identifiable individual” (Section 2(1), PIPEDA).
Both statutes may refer to the same set of data or information, such as name, sex, age, national or Indigenous origin, race, marital status, religion, personal histories (medical, education or employment), financial information, personal views or opinions, identifying numbers (social insurance number, or driver’s licence), among others.
However, there are exceptions to what are considered as personal information, such as:
Data privacy refers to the organisational policies or guidelines to protect personal information it collected, and controls who may, or may not, access these data. This may include persons who are granted access to these data in relation to their responsibility, or third parties consented to by the person giving the information and the organization handling said data. In here, data privacy lawyers can help craft these policies or guidelines.
On the other hand, data protection implements the said organisational policies or guidelines. It ensures that the personal information handled by an organisation is secured against illegal access, including theft or corruption, by putting up physical and/or technological safeguards.
Data privacy and data protection are sometimes used interchangeably but differs in application – where the former is concerned with authorising access through policies and regulations, the latter restricts access to personal information by mostly employing IT system or technicalities.
Data privacy, as earlier established that it is concerned with policies and regulations, it seeks to comply with government regulations and statutes on protecting personal information or data. Data privacy lawyers come into picture to help companies and corporations meet these regulations to prevent legal complications.
As for data protection, it would somehow be the implementation of these policies or regulations, primarily by installing systems which would prevent data breaches, anti-hacking systems, and the like.
Persons controlling the personal information are different in data privacy and data protection. In data privacy, it would be the users in control of what data or personal information they would be providing. Here, users are warned to not give personal information to untrusted organisations or entities. Once collected, then, it would be the responsibility of the organisations or agencies to protect these data, through the application of data protection.
Data privacy and data protection complements each other, in a way that when one is lacking, incomplete, or not strong enough, it would result the ineffectiveness of the other. Having good internal policies and regulations are useless when there is nothing that protects the collected data from cyberattacks; at the same time, having strong protection would render it futile where there are loose or not strict policies. As such, data privacy lawyers and IT experts are both needed to put up a holistic data privacy and data protection system for an organisation.
Canada’s data privacy laws are composed of numerous provincial and territorial statutes, and two federal laws, namely, the Privacy Act, and the Personal Information Protection and Electronic Documents Act (or PIPEDA). Data privacy lawyers’ expertise are among these several laws, identifying which law covers a specific organisation (public or private) to comply with data privacy.
The Privacy Act of Canada regulates the handling of personal information by the federal government offices and agencies. The Act primarily protects the privacy of individuals, and in addition, provides individuals with the right to access to the personal information that the Government of Canada holds about them.
Basically, information collected the federal government are protected under the Privacy Act, and this includes personal information of its federal employees. It provides for the specific collection, uses and disposal of these personal information, how these data can be requested from the government, and how investigations and complaints can be lodged with the Privacy Commissioner for any violation of the Act.
The Act applies only to federal government institutions which can be found under the Schedule of Institutions. However, the Act does not apply to political parties and political representatives, since, as mentioned above, these are public information.
Currently, there are initiatives to amend the Privacy Act to adjust to the current trends, especially after how COVID-19 changed the workplace in Canada.
PIPEDA is the federal statute that regulates commercial businesses in relation to the personal information it collects. The said Act provides for remedies which can be availed by individuals in case of breach through filing of complaints with the Privacy Commissioner (Section 11), the power of the Commissioner to conduct audits to these commercial businesses (Section 18), and the promotion and handling of electronic documents (Section 31).
The Office of the Privacy Commissioner of Canada enforces the two statutes mentioned above, headed by the Privacy Commissioner of Canada. The Office, in enforcing said statutes, conducts audits in federal government agencies or private businesses, investigates complaints filed before the Office, and pursues court actions for the violations of said laws.
Among the jobs of data privacy lawyers are advising clients whenever any of the mentioned remedies are made, or when litigation has been pursued against them. It can also be the other way around, where data privacy lawyers represent individuals whose data privacy has been breached.
Looking to incorporate data privacy and data protection in your organisation? Or do you want to pursue an action for any privacy breach? Head down below and talk with a Lexpert-ranked data privacy lawyer in your area.