Privacy law has become one of the most dynamic areas of legal practice with almost daily headlines of successful database hacks and breaches of users’ rights to having their information kept private.
The concern for the protection of these rights has kept lawmakers and privacy commissioners busy and thereby kept people like Bonnie Freedman up at night.
“You don’t sleep a lot and you read a lot,” says the regional leader of Borden Ladner Gervais LLP’s Toronto privacy and access-to-information group in summing up her experience in this area of practice.
She notes that privacy law’s roots trace back to long before the explosion of electronic documents and communication but she agrees that those types of technologies now consistently drive the area of practice into unforeseen places.
“Because of the dynamism with which information technology changes, it’s an area of the law that’s perpetually in motion,” she says.
“That makes it intellectually very interesting. It’s what I love about it. I love that there’s not just one way to look at a situation.
You have to characterize the roles of the parties, you have to understand the data flows, and you have to basically do an analysis of every situation. It’s not like you can just pick this up and go with it.”
Freedman notes that privacy law issues have become particularly relevant in the health-care and financial services sectors where databases are built and populated with massive volumes of personal information.
She adds that the provinces are moving, if they haven’t done so already, to creating specific legislation for the handling of personal health information.
David Young, a member of McMillan LLP’s privacy law group, explains that this area of practice has a lot of what he calls “ancillary connections.” He continues on that thought by adding that privacy law “relates to other areas of life, really, and law.”
His bridge into this area of practice came from his previous concentration on advertising and marketing law. Young notes that contemporary privacy law often deals with issues surrounding the commercial exploitation of personal information.
“The whole mantra today, if you think of the Internet and the issues of privacy on the Internet, is advertisers, promoters, companies looking to sell products and wanting to find out about their customers,” he says.
“It was a logical morph, quite frankly, from the advertising-marketing general field down to the more specific one of privacy.”
Meanwhile, the former chairman of the Canadian Bar Association’s privacy and access law section says he has learned how important it is for privacy law practitioners to be willing and able to liaise with members of other practice groups and expand their own legal knowledge base.
“You’re never going to get a client that just has a very narrow privacy issue,” says Young. “They’re going to be related to marketing law issues, IT issues broadly . . . so you’ve got to know those areas.”
“You need to be able to do the rest of that stuff because if you just narrowly excluded those issues, got somebody else to deal with all of that stuff, you might not have as much challenge or volume of work,” he adds.
And while privacy law lawyers are rarely bored, Freedman notes that it can be extremely time-consuming to stay ahead of the game.
“You’ve got a rapidly changing area of the law, you have many pieces of applicable legislation and so you have to have enough time to invest to track all that’s going on,” she says. “It’s not only changes in the legislation but the interpretation of the commissioners, the interpretation of the courts.”
That means privacy law can be a difficult area in which to practise if your goal is the production of a high volume of billable hours. There simply isn’t enough time to keep up with changes in the law and therefore be in a position to provide sound advice to clients.
“That’s the challenge of it: making it work given the amount of work you need to do to keep up to date,” says Freedman.
She spends plenty of time on various privacy commissioners’ web sites to keep track of their latest rulings in addition to several blogs not only in Canada but across the globe that include relevant content.
Yet for lawyers at law firms, the amount of daily research time required can create conflict in terms of meeting partners’ profit expectations. For sole practitioners, it can make it difficult to make ends meet.
With this in mind, Freedman notes the irony of practising in this specialty area: the ever-changing nature of the law that’s so intellectually stimulating also creates time demands that can threaten financial viability.
But that leads her to what she views as another upside to practising privacy law: it’s very much in line with what’s being preached on the topic in academia.
“There are areas where what people are studying in law schools and writing about in universities is not necessarily directly applicable to getting through on a day-to-day basis. There’s lots of legal theory and all this sort of thing.
“It’s actually one of the things I didn’t like about law school,” she continues. “To me, there was too much of that and too little of the nuts and bolts of how we use the law to solve problems.
This is an area where sometimes what the academics are involved in and what they’re writing really do assist you in applying the law to practical situations.”
Peter Ruby, who deals with privacy law matters as a partner at Goodmans LLP, emphasizes how important it is for practitioners in this area to keep up to speed with developments abroad.
His firm has acted for companies engaged in privacy audits of their worldwide operations, which can often span up to 12 countries. Just participating in such a file is the best way to gain knowledge of privacy law in other jurisdictions, says Ruby.
“Practitioners from all those countries will address usually very specific questions,” he says. “I very often get to see the results.”
Ruby’s frequent work on privacy breaches also helps expand his knowledge base beyond Canada’s provincial and federal laws as such matters typically involve cross-border aspects.
“Particularly with the U.S., but quite often with Europeans, I am helping formulate with lawyers in various jurisdictions how we’re going to deal with something,” he says. “So one of the ways I keep up is just from talking to my colleagues in other countries.”
Ruby says he’s most attracted to privacy law due to the issues it addresses, particularly those surrounding crisis management following database hacks or otherwise compromised digital records related to an employee, for example, who has lost a work laptop containing sensitive files.
He says privacy law lawyers need to be equally adept at providing advice on what he calls “prophylactic measures” such as privacy policies, employee training, and handling of breaches for which a detailed understanding of the law must be combined with crisis-management and litigation skills.
“I see them as quite different professional skill sets, although there are lots of people who do both,” says Ruby.