Canada: COVID-19 & Accelerated Digitization: Advice On Acquiring Emerging Technologies
Technology & Communications Bulletin

"By definition, crises have a highly dynamic trajectory, which requires a constant reframing of mental models and plans."¹

COVID-19 has pushed many corporations into an accelerated digitization curve. The phenomenon of employees working from home has certainly played a significant role in this regard, but the considerations are much more diverse than this. Corporations must plan for the possibility of increased employees' sickness, for delivering services effectively to customers, and for management costs. On March 23, the Quebec government ordered a temporary closing of all nonessential stores and services, a measure effective on March 25. This order, and previous ones, are urging many corporations to use technology to ensure the continuity of their business operations. For some of these corporations, teleworking has shifted from a possibility to a necessity. Companies that provide essential services are under pressure to deliver more efficiently than before, while other industries must reinvent the way they offer their services to avoid economic fallbacks. The agreements that bind corporations may or may not provide for force majeure events such as a pandemic, so companies have to innovate to make sure that they comply with their legal obligations and do not engage their liability.

Technological projects involving emerging technologies can bring many benefits to organizations:

• Increased productivity and operational efficiency.
• Better insights on significant metrics.
• Improved capabilities for strategic planning and prediction-based decision-making.
• Reducing cybersecurity risks associated with new technological vulnerabilities.
• Improving employees' moral and well-being during crisis management.
• Facilitate communications with all stakeholders.

Yet, such projects can also be challenging, especially when they must be implemented under economic constraints and within a tight timeline. This explains why technological projects are now being managed at the board-level to ensure strategic alignment and to reduce administrative burdens normally associated with technological deployment.

Among the new technologies implemented, artificial intelligence emerges as a candidate for better decision-making and for improving business processes. There is an increased interest into the use of virtual reality technologies, such as for conferences and event planning. As more commenters are calling for decentralized technologies in various industries, there is also an increase in the use of technologies such as drones, robotics, blockchains, smart contracts and communication tools.

These are used in telemedicine, decentralized clinical trials, supply chain deliveries and in several technologies through innovative redesign of service delivery. In the manufacturing industry, AI monitoring and analysis solutions combined with Internet of Things (IoT) capabilities are currently being deployed to accelerate digitization in manufacturing.² These initiatives speak to resilience, and to a knowledge economy that strives to adapt. Those that will be successful in doing so, may be in a good position to recover and lead their industries, a fact that leaders are well aware of, seeing opportunities in crisis management.

In this context, here are five pieces of advice provided by our emerging tech group that may be useful for corporations embarking into these technological projects and looking to fast-forward adaptation. We hope that these recommendations are digestible and adapted to a crisis management situation. They aim to strike a just middle between the usual legal risk management procedures that must be followed, and those that are essential in the current context.

1. Identify legal roadblocks

Before you go further with your project, you should consider whether it complies with the applicable legal framework. There are many rules that apply to the acquisition of technology, many of which can be found in privacy and data-related legislation.

For instance, health care providers in the United States or otherwise subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must generally comply with the HIPAA Privacy, Security and Breach Notification Rules when using information technologies. It must be noted that the Office for Civil Rights at the U.S. Department of Health and Human Services issued a Notification of Enforcement Discretion for telehealth, stating that it would not impose penalties for noncompliance with these regulatory requirements in some circumstances. Additional guidance was issued on March 20, 2020.

This example speaks to many important points. In a data-driven context, organizations are required to comply with several legislations associated with the localization of the data of collection and the types of data collected. These laws may be of international nature, such as the General Data Protection Regulation, and may apply in Canada. It also shows that many public authorities have issued guidance on how they will be approaching compliance in the context of COVID-19. Similar statements have been published by the Office of the Privacy Commissioner of Canada, and the European Data Protection Board Chair on the processing of personal data. Corporations must be aware of these guidelines, that provide good examples of the application of general legal obligations to the specific challenges encountered by businesses during the COVID-19 outbreak.

Other obligations to consider may come from ethical commitments, in the case of professionals, or from contractual obligations with third parties. Most corporations today have committed to follow some strict procedures regarding the acquisition of technology that would result in the processing of customer data. Corporations that intend to shortcut some of these commitments will have to review their contracts to ensure that they do not engage their liability when doing so, communicate with their stakeholders and manage risks in an iterative manner.

2. The importance of data

Data is the fuel of emerging technologies, so you need to consider data from a different perspective. If you are considering implementing predictive algorithms to help your decision-making, the quality and accuracy of your data will be critical. Your data will be the inputs to the technology. If you don't have the right data, you cannot rely on the predictive algorithms to help you. You may also not have the right technologies, so start by identifying your objective and explaining to your supplier what these objectives are. Moving too fast here can be costly; we have seen organizations implement the wrong algorithms to reach their goals. Corporations must remember that artificial intelligence is a category of technologies, not a technology.

This brings us to the second concern: data management and protection. Your vendor may bring you a technology, but you are always responsible of how you handle the data that you feed the technology with. This is particularly concerning with personal information. Here are some considerations to keep in mind:

• Using personal information for new purposes, including for prediction, requires a lawful basis. In Canada, this is often implied or express consent. There are rules of consent, such as ensuring it is informed and specific.
• Personal information must always be protected based on the risks of the processing. When you introduce new technologies, you introduce new security risks and you may be expanding the attack surfaces for malicious actors. You must understand the controls in place, and where the risks are. You may not be able to address all risks before deployment like you usually do, but you should have a plan to address them as soon as possible.
• In your new projects, you cannot process data that you should not have in the first place. Personal information must have data retention schedules. If you have held this data for a long time and it's considered personal information, you may not be able to process it in this new project.
• Data is not just personal information. Data can be intellectual property or confidential information. These categories of data are not regulated as much, but they are the subject of extensive contractual requirements. Make sure that you can share the data with your new service provider.

If you do not have the time or resources to perform a Privacy Impact Assessment (PIA) or an Algorithmic Impact Assessment (AIA), you should at least document these questions internally and look for the right answer. This is crucial as directors in Quebec can be held accountable in their personal name for authorizing an illicit data processing activity.³

3. Choose your business partners wisely. They will grow with you after the crisis

While some people may refer to them as vendors, we prefer to call them business partners. The organization that will help you in your accelerated digitization will continue to support you as you scale your project and tune in. You will need to work with a dedicated team that is responsive and understands your context. Here are some points to consider when choosing your business partners:

• What type of support do they offer? Should I consider an enhanced solution in case I might have issues supporting myself?
• For projects requiring implementation, what kind of help can they provide in the current circumstances?
• Are there any prerequisites to use the technology?
• What types of security measures do they have in place? For instance, can they see my data, or is it encrypted? If it is encrypted, who is responsible for securing the cryptographic keys, and how are they issued?
• Would my partner be available to help me complete a security and privacy risk assessment later, and will they cooperate even if I sign a contract today?
• What functionalities do they offer that can help me comply with my legal obligations, such as those relating to the management of privacy rights?
• What commitments do they make regarding availability?
• Where will my data travel to, and with whom will it be shared?
• Do they have a Business Continuity Plan (BCP) and a disaster recovery plan? Will they be resilient enough to get through the crisis?
• Do they have a privacy policy explaining they collect, store and process personal information? Does it comply with privacy legislation?
• Where are they located, and what is the legal framework applicable to their activities?

Corporations should keep in mind that accelerated digitization may lead to some unforeseen circumstances, and that they may need to work in an iterative manner with their business partners moving forward. This does not mean that only large corporations can deliver a reliable solution. Sometimes, a local partner may be in a better position to deliver the right technology and provide adequate support on a long-time scale. All of these elements must be considered by corporations looking to acquire new technologies.

4. The right contract, for the right technology

You and your business partners should be open-minded to discuss the provisions of the agreement in this context. For instance, you should both engage openly regarding COVID-19 and its possible impacts over the next few months, identifying risks and possible outcomes. This collaborative approach may yield more positive results than a force majeure clause stating either of the parties can end the agreement for COVID-19. Negotiation and collaboration are key in reaching a satisfactory contract.

Data-intensive projects should lead to data-intensive agreements. Make sure that the roles and responsibilities are clear, and that there are commitments on data management. Different types of data may need to be covered under their respective regimes, such as intellectual property data, usage data, aggregated data, synthetic data and personal data. They all lead to different considerations. Synthetic data quality may be critical in a project, and it may be appropriate to have provisions regarding this. In other words, quality of data may not be within the realm of what can be controlled by a vendor.

Each category of emerging technologies lead to legal considerations of their own. Drones, for example, must abide by several legislations and rules that change per jurisdictions, such as provincial trespass laws. This should be accounted for in the allocation of risks. Artificial intelligence typically does not replace judgment and is not hard-coded to do so in most deployment, so related contracts will typically have specific provisions related to how these risks are allocated in regard to the extra-contractual liability framework. In Quebec, the applicable provisions are those of the Civil Code.

Intellectual property remains an important element of contract negotiation. You need to understand what intellectual property yours at the outset of the project will be, and what will belong to you. You may develop intellectual property in the business processes that you will put into place. Corporations must also understand the deployment of the technology and consider the following elements:

• Will the technology be deployed in your IT systems?
• Will the technology require access to other software or IT components that belong to you?
• Will the technology interact with other technologies or databases, and if so, how?
• Will you be using application programming interfaces (APIs) and if so, who develops and has ownership over the API?

Software as a service (SaaS) and similar technologies including Platform as a service (PaaS) and Infrastructure as a service (IaaS) may not require any installing of third-party components in your system, which affects how the contract will be drafted. However, technologies that are installed on your end points or in your IT system raise legal considerations regarding licensing, open-source software and use by end users.

5. Leadership

The last advice from our emerging tech group is straightforward: think outside the box. Difficult times call for leadership, and solutions are emerging in innovative manner through various industries. It's important for corporations to keep looking forward, even in crisis management.

Our team is dedicated to support organizations implementing technological projects and preparing business partners so that they can participate in these projects successfully. We help emerging growth organizations of all sizes understanding their legal obligations and how they can participate in accelerated digitization, while assisting other organizations understand the benefits of doing so.

Footnotes

1. Martin Reeves , Lars Fæste , Cinthia Chen , Philipp Carlsson-Szlezak and Kevin Whitaker, How Chinese Companies Have Responded to Coronavirus, Harvard Business Review, March 10, 2020, Online: (https://hbr.org/2020/03/how-chinese-companies-have-responded-to-coronavirus).

2. Business Wire, NEC and Siemens Partner to Provide AI Monitoring and Analysis Solution to Accelerate Digitization in Manufacturing, Financial Post, March 8, 2020, Online : (https://business.financialpost.com/pmn/press-releases-pmn/business-wire-news-releases-pmn/nec-and-siemens-partner-to-provide-ai-monitoring-and-analysis-solution-to-accelerate-digitization-in-manufacturing).

3. Act respecting the protection of personal information in the private sector, CQLR c P-39.1, sec. 93.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.