Kirsten Thompson Archives - IPOsgoode
/osgoode/iposgoode/tag/kirsten-thompson/
An Authoritative Leader in IP

German Regulator Finds Banks’ Data Rules “impede non-bank competitors”
/osgoode/iposgoode/2016/08/04/german-regulator-finds-banks-data-rules-impede-non-bank-competitors/
Thu, 04 Aug 2016 16:43:25 +0000

The re-posting of this article is part of a cross-posting agreement with CyberLex.

“Open Banking” is an emerging term in financial services / financial technology that refers, among other things, to the use of open application programming interfaces (“APIs”) to enable third party developers to build applications and services around a financial institution. This requires a financial institution to throw open the doors to its customer data and allow it to be used by developers and other third party providers. Think of it as an app store for banks, where the apps allow consumers to compare rates, manage their accounts, obtain credit and make payments – all without having to actually engage a bank.

In Europe, this is set to become the norm in early 2018, thanks to the revised Payment Services Directive (“PSD2”), which was passed in January. PSD2 is designed to create a more level playing field for third party payment processors by making banks in Europe offer APIs that provide access to account information to third parties.

Some banks are embracing this, and see it as an opportunity to drive value in innovative new ways. Other banks are not as keen, and are taking steps to cut out the interlopers to preserve existing value and protect the customer relationship.

Long before there was a concept of “open banking”, there were similar products available, products that don’t rely on the openness of banking but rather the willingness of an account holder to share his or her login information. Users provide their user IDs and passwords for the financial accounts they want to consolidate, so that the aggregation service can access these accounts to gather their financial information (a process known as “screen scraping”). A single third party web portal then displays the information, dashboard-style.


Concern in Canada and the US

In March of 2011, the Financial Consumer Agency of Canada (“FCAC”) issued a , warning Canadians to be aware of the possible risks of disclosing their online banking and credit card information to financial aggregation services. Aside from the obvious data security and privacy risks, the FCAC cautioned that using such a service could also violate the terms and conditions of the account:

Consumers should be aware that if they disclose their online banking information to any other party, including financial aggregators, they may risk losing their protection against unauthorized transactions. Some financial institutions’ user agreements clearly state that users will be responsible for unauthorized transactions if they provide other parties, including financial aggregators, with their passwords and account information.

The FCAC reminded consumers it was their responsibility to manage their online banking and credit card credentials in accordance with the terms of their user agreements, as well as to review their user agreements and to understand their responsibilities thereunder.

In 2015, that a number of US banks had cut off data to these financial aggregators, citing concern that the rising use of such sites will overload bank servers, on top of worries that customer data could potentially be vulnerable to hackers. The aggregators charged that the banks, facing increasing competition from these companies, were becoming too protective of their customer information.


Germany Finds Banks’ Data Rules Violate Competition Law

The German competition regulator has now weighed in, finding that rules set by the German Banking Industry Committee violate both German and European competition law by imposing “special conditions for online banking” that mean customers cannot use their PINs (personal identification numbers) and TANs (transaction authentication numbers) in non-bank payment systems.

This, said the German regulator, has “significantly impeded” the use of non-bank providers for online purchases, preventing people from using lower-priced alternatives.

The German Banking Industry Committee had cited security concerns as the basis of the rules, but the German competition regulator (the Bundeskartellamt) dismissed this, saying that “the rules currently used cannot be considered as a necessary part of a consistent security concept of the banks and they impede non-bank competitors”.

Andreas Mundt, president of the Bundeskartellamt, said:

The online banking conditions of the German Banking Industry Committee hinder the offer of new and innovative services in the growing market for payment services in the e-commerce sector. In essence, it is about whether non-bank payment services can also use PINs and TANs. We have taken careful consideration of the justified interest of the banking industry that security in online banking has to be safeguarded. However, the rules currently used cannot be considered as a necessary part of a consistent security concept of the banks and they impede non-bank competitors.

The Bundeskartellamt has only declared certain specified clauses of the banks’ terms and conditions illegal, not the entire agreement. It also suspended the enforcement of its decision, meaning the parties are not under tight deadlines to change their course of action, although they must make the necessary changes. The Bundeskartellamt also noted that rules governing the activity of non-bank payment solution providers are currently undergoing a European legislative process.

© McCarthy Tétrault LLP

Kirsten Thompson is Counsel in McCarthy Tétrault’s National Technology Group.

Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations
/osgoode/iposgoode/2016/07/20/federal-privacy-commissioner-provides-submission-on-new-data-breach-notification-and-reporting-regulations/
Wed, 20 Jul 2016 15:15:11 +0000

The re-posting of this article is part of a cross-posting agreement with CyberLex.

The Office of the Privacy Commissioner of Canada (“OPC”) has provided its views on the data breach reporting and notification requirements that are soon to be prescribed by regulation under the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”).

On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) received Royal Assent in Canada’s Parliament. The Digital Privacy Act amended PIPEDA. Among other important changes, the Digital Privacy Act amended PIPEDA to require mandatory notification of both the OPC and affected individuals, and introduced a record-keeping requirement (and fines for organizations which fail to meet either of these new requirements).

These new data breach requirements in PIPEDA will come into force once the Government passes regulations, and to that end, the Government has circulated a Discussion Paper and solicited comments.

The OPC has provided its submission, and as the body charged with administering and ultimately enforcing the resulting regulations, the OPC’s views are of significance (although they are not determinative of the final form of the regulations).

When Organizations Will Need to Report

A challenge organizations face when dealing with a breach affecting personal information is whether to report the breach to the OPC. Reporting is currently voluntary, but this dilemma will not go away when it becomes mandatory – rather, the question will simply become one of how to determine whether the trigger (“real risk of significant harm”) has been met.

The OPC is of the view that the current set of factors enumerated in subsection 10.1(8) of PIPEDA are sufficient and that any further guidance on conducting a risk assessment could be provided by the OPC in due course. [1]

The Discussion Paper had also asked if encryption should provide a kind of “get out of jail free” card insofar as encrypted information that is lost or accessed would be presumed to present no or a low “real risk of significant harm”. The OPC was against equating encryption with a diminished risk of significant harm. This raises the question of why the OPC has regarded the use of encryption as an adequate security safeguard to be considered under Principle 4.7.3.

What the Report Should Look Like

The OPC is of the view that any new mandatory breach reports should be in written form (digital or paper) and require the following information:

  • Name of responsible organization;
  • Contact information of an individual who can answer questions on behalf of the organization;
  • Description of the known circumstances of the breach, including:
    • Estimated number of individuals affected by the breach;
    • Description of the personal information involved in the breach;
    • Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
    • A list of other organizations involved in the breach, including affiliates or third party processors;
  • An assessment of the risk of harm to individuals resulting from the breach;
  • A description of any steps planned or already taken to notify affected individuals, including:
    • date of notification or timing of planned notification;
    • whether notification has been or will be undertaken directly or indirectly and, when applicable, rationale for indirect notification;
    • a copy of the notification text or script;
  • A list or description of third party organizations that were notified of the breach, pursuant to s. 10.2(1) of PIPEDA, as well as Privacy Enforcement Authorities from other jurisdictions;
  • A description of mitigation measures that have been or will be undertaken to contain the breach and reduce or control the risk of harm to affected individuals;
  • A description of the organization’s relevant security safeguards, taking into consideration any improvements made or committed to, to protect against the risk of a similar breach reoccurring in the future.

The information is not substantially different than that already required by Alberta, which already has a mandatory breach reporting regime, although the OPC’s proposed approach would require more detail. [2] Also, the proposal that organizations provide a “description of the organization’s relevant safeguards” is not found in the Alberta requirements and may give rise to privilege and litigation risk issues. As well, organizations are likely to balk at disclosing this information because it potentially telegraphs an organization’s security strategy and vulnerabilities to bad actors. This is particularly true since this information is at risk of public disclosure via the Access to Information regime.

The OPC believes organizations should have an ongoing obligation to provide updates “as soon as feasible”, a requirement also not found in the Alberta requirements.


What Notification to Individuals and Third Parties Should Look Like

The OPC essentially adopts its own document, “”, and proposes that the regulations require the following elements be included in notifications to affected persons:

  • Description of the circumstances of the breach incident;
  • Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
  • Description of the personal information involved in the breach;
  • Description of the steps taken by the organization to control or reduce the harm;
  • Steps the individual can take to reduce the harm or further mitigate the risk of harm;
  • Contact information of an individual who can answer questions about the breach on behalf of the organization;
  • Information about right of recourse and complaint process under PIPEDA.

The OPC is of the view that direct notification should be required (e.g. direct communication with each affected individual) and that indirect notification (e.g. via newspaper ads, websites, etc.) should be allowed only with permission and only in certain circumstances. Organizations will be pleased to know that the OPC accepts that “prohibitive costs to the organization and [unreasonable interference] with its operations” are one of the circumstances in which the OPC would accept indirect notification. However, the OPC suggests that organizations must first “[demonstrate] that they may validly use indirect notifications”. It is unclear if to be “valid” an organization will have to demonstrate, for instance, prohibitive costs or other criteria, or that “validity” will be evaluated on the basis of likelihood of the message effectively reaching the target demographic.

On this latter point, the OPC is of the view that indirect notification would need to be to the appropriate geographic market, be relevant to the product or service and the type of customer interaction, be for an appropriate length of time and in plain English, and, where appropriate, allow organizations to use third parties to conduct such notification.

With respect to the notification of third parties (potentially vendors, industry organizations, other organizations in that sector), the OPC has sensibly supported a permissive approach to notifying third parties, instead of a mandatory one.

What an Organization’s Record-Keeping Obligations Would Be

The OPC appears to regard the new record-keeping requirements (which require organizations to keep a record of all breaches of security safeguards) as a mechanism for general oversight.

The OPC is of the view that such records should include “sufficient information to demonstrate compliance with PIPEDA’s new notification requirements and should contain sufficient information to enable the Office to effectively perform its oversight functions.” More significantly, “[t]he content of these records should also assist the OPC in understanding the process through which organizations determine whether or not to notify affected individuals.”

Relying on this, the OPC believes the following data elements should be included in records of breaches:

  • Date or estimated date of the breach;
  • General description of the circumstances of the breach;
  • Nature of information involved in the breach;
  • Summary and conclusion of the organization’s risk assessment leading to its decision whether to notify/report or not.

These are not particularly onerous, except that including a rationale as to whether to report or not to report such a breach introduces fertile ground for plaintiffs’ lawyers to explore as they make a case for negligence or breach of privacy. Organizations that knowingly fail to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches could face fines of up to $100,000 per violation.

As a consequence of this, organizations will be torn between sufficiently documenting such breaches in order to demonstrate that they evaluated reporting the breach to the OPC and affected individuals (thereby avoiding “knowingly” failing to report) and not including so much information that it could be subsequently used against them.

The OPC would like to see all such incidents documented and recorded on an individual, non-aggregated basis. For organizations such as financial institutions or large retailers which face upwards of 200 threat incidents a week, this could be onerous.

With respect to retention, the OPC suggests that records be maintained for a period of five years from the date of creation of the record, after which records could be destroyed.

An Organization’s Obligations to non-Canadians

The OPC notes that organizations that are subject to PIPEDA may collect personal information which pertains to individuals who reside outside of Canada (for instance, residents of the U.S.). As such, the OPC is of the view the data breach notification and reporting requirements should consider the extent to which organizations may have to notify individuals outside of Canada who may be affected by a data breach undergone by an organization subject to PIPEDA. At a minimum, the OPC suggests that regulations should require organizations to consider the breach notification laws of those jurisdictions, as well as any local notification requirements.

Future OPC Guidance

The OPC clearly sees itself as playing an instrumental role in the future privacy landscape, and has indicated that once the Government passes final regulations it is prepared to develop guidelines that will complement the content of the regulations and provide additional compliance assistance for organizations.

© McCarthy Tétrault LLP

Kirsten Thompson is Counsel in McCarthy Tétrault’s National Technology Group.

[1] Subsection 10.1(8) reads: “The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include (a) the sensitivity of the personal information involved in the breach; (b) the probability that the personal information has been, is being or will be misused; and (c) any other prescribed factor.”

[2] Section 19 of the Personal Information Protection Act Regulation, Alta Reg 366/2003.

Privacy Commissioner Seeks Public Input on Consent Model
/osgoode/iposgoode/2016/07/05/privacy-commissioner-seeks-public-input-on-consent-model/
Tue, 05 Jul 2016 14:00:50 +0000

The re-posting of this article is part of a cross-posting agreement with CyberLex.

On May 11, 2016, Privacy Commissioner Daniel Therrien announced the Office of the Privacy Commissioner of Canada (“OPC”) would seek public input on the issue of how Canadians can give meaningful consent to the collection, use and disclosure of their personal information in an increasingly digital age. The OPC has released a (“Report”) on considerations related to “enhancing” the consent model under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and a inviting all interested parties to answer specific questions related to the Report and also to provide any thoughts on issues raised. The deadline for submissions is July 13, 2016.[1]

The Report – An Overview

The Report considers the approaches taken by other jurisdictions to the issue of consent, including the , and the US approach, as governed by the Federal Trade Commission.

The Report also focuses on challenges that both businesses and individuals face when it comes to providing meaningful consent in an era of Big Data and the Internet of Things (“IoT”):

The consent model of personal information protection was conceived at a time when transactions had clearly defined moments at which information was exchanged. Whether an individual was interacting with a bank or making an insurance claim, transactions were often binary and for a discrete, or limited, purpose. They were often routine, predictable and transparent. Individuals generally knew the identity of the organizations they were dealing with, the information being collected, and how the information would be used…[N]ew technologies and business models have resulted in a fast-paced, dynamic environment where unprecedented amounts of personal information are collected by, and shared among, a myriad of often invisible players who use it for a host of purposes, both existing and not yet conceived of. Binary one-time consent is being increasingly challenged because it reflects a decision at a moment in time, under specific circumstances, and is tied to the original context for the decision, whereas that is not how many business models and technologies work anymore.

The Report goes on to offer several possible solutions to the problems in the current consent model and poses questions for reflection for the public consultation process.


The Suggested Changes

While noting that “[c]onsent should not be a burden for either individuals or organizations, nor should it pose a barrier to innovation and to the benefits of technological developments to individuals, organizations and society”, the OPC’s proposed “enhancements” to consent will likely cause concerns for business.

A great deal of the focus in the proposed reform revolves around creating processes that simplify complicated concepts such that individuals will be able to readily comprehend and appreciate the purposes to which their personal information may be put.

The proposed solutions are intended to address several specific challenges, including making informed consent and information related to privacy preferences more readily comprehensible to individuals, creating “no-go zones” or “proceed with caution zones” to protect particularly vulnerable groups in high risk sectors, devising accountability processes that include independent third parties, placing a greater emphasis on fairness and ethical balance with regards to the use of personal information, and stronger regulatory oversight of privacy protection that includes enforcement mechanisms that can be implemented for deterrence purposes.

Proposed Enhancements to Consent

The Report advocates for privacy policies that lack opacity and privacy preferences that can be managed with greater ease through the following mechanisms and considerations:

  • Greater transparency in privacy policies – through communicating privacy information at integral points in time to increase the ease with which a consumer can understand the flow of information and utilizing layered privacy policies that are simultaneously inclusive and intelligible.
  • Managing privacy preferences across services – through the use of an independent third party that screens and controls preferences and the related release of personal information.
  • Technology specific safeguards – through built in compliance mechanisms and broadly constructed recommendations for best practices, including comprehensive disclosure requirements to consumers both pre- and post-purchase.
  • Privacy as a default setting – whereby privacy is an inherently integrated component by default.

What this means to business remains to be seen. “Layered” privacy policies will, at a minimum, require most organizations to rewrite their current policies and add an additional layer of technological administration. The call for “dynamic, interactive data maps and infographics, or short videos” is unlikely to be met with enthusiasm by business, either. While the goal of transparency and readability is laudable, it is doubtful that consumers will spend any more time on these items than they do on existing text-based policies.

The use of an independent third party to manage privacy preferences across devices places the burden for doing so squarely on business. In this proposal, users would associate themselves with a standard set of privacy preference profiles offered by third parties and these third party websites would then vet apps and services based on the user’s privacy profile. It seems unlikely that these proposed third parties would offer this service for free.


Proposed Alternatives to Consent

The Report contemplates practicable alternatives to the traditional approach to consent, such as the de-identification of data and types of information that may not necessarily require consent, as well as the necessary changes to the applicable legislative framework that may be required for implementation.

  • De-identification – While the anonymization of information necessarily strips it of the contextual factors related to personal information that necessitate consent, the increasing sophistication of both data sets and the methods for analysis leave concerns about the value of this approach as a privacy protection mechanism.
  • “No-Go Zones” – Areas or zones of personal information of vulnerable groups whose data would be subject to a limited level of processing or potentially a complete prohibition.
  • Legitimate Business Interests – Situations in which personal data could be processed for a legitimate purpose that would no longer require consent unless another fundamental right necessarily required it.


Proposed Governance Considerations

The Report advocates for a greater level of accountability associated with ensuring the adequacy of privacy protections, encouraging transparency and assuring that best practices are being implemented consistently. This would include codes of practice that function to create transparent obligations and suggestions for best practices by using privacy trustmarks to create accountability mechanisms by which regulators can evaluate and designate organizations as compliant, as well as ethical assessments and autonomous organizations with specifically delineated goals focused on protecting the privacy of individuals.


Proposed Enforcement Models

While the Report considers situations in which self-regulation at both the industry and organization level may be appropriate, it also strongly suggests that there is a need for independent oversight, with accountability facilitated through fines and the ability to create orders, as opposed to recommendations, in order to maximize effectiveness. While independence is seen as the cornerstone of any regulatory body in the future for ensuring privacy and meaningful consent, the Report focuses on a proactive compliance model that would serve a stronger deterrent purpose than that of the OPC as it exists today.


What Does this Mean for Businesses?

In the era of the IoT and Big Data, traditional conceptualizations of consent processes no longer necessarily apply. The OPC has expressed concerns about opaque consent processes that individuals don’t actually read or comprehend, and has indicated that the solution to this may include sector specific regulation on the collection and use of data as well as the associated consent processes utilized in obtaining personal information. Many businesses may need to both re-visit and re-word existing privacy policies and consent protocols in order to increase transparency, as well as the accessibility and intelligibility of the policies surrounding data and the purposes to which personal information will potentially be put.

© McCarthy Tétrault LLP

Kirsten Thompson is Counsel in McCarthy Tétrault’s National Technology Group. is an Associate at McCarthy Tétrault Toronto.


[1] Editor's note: The deadline has been extended to July 31, 2016.

Spokeo: Will U.S. Supreme Court’s Decision Impact Privacy Damages in Canada?
/osgoode/iposgoode/2016/05/25/spokeo-will-u-s-supreme-courts-decision-impact-privacy-damages-in-canada/
Wed, 25 May 2016 19:08:54 +0000

The re-posting of this article is part of a cross-posting agreement with CyberLex.

The Spokeo decision’s requirement that there be a concrete injury in order to ground privacy damages is not just a U.S. issue. Canadian courts have been wrestling for some time with the question of what damages look like in the context of privacy breaches, especially in class actions. While not definitive or binding north of the border, Spokeo may provide insight into how future statutory privacy breach actions are framed in Canada.

On May 16, the Supreme Court of the United States (“SCOTUS”) released its reasons in (“Spokeo”). The case is significant because it addressed the issue of what degree of damages are necessary in order to assert standing to bring such a claim, an issue that has long troubled “privacy breach” claimants in both Canada and the U.S. The existence of a private right of action under a U.S. federal statute does not automatically suffice to meet the “real” harm standard.

The court ultimately adopted a middle-ground position, allowing the action to proceed but maintaining a narrow approach to the type of injury that will give rise to standing. Of interest, the dissent raises new questions about the legal recourse available to those who allege injury from the mismanagement or inaccuracy of their personal information.

Spokeo illustrates a contrast between privacy and consumer reporting law regimes in Canada and the U.S., and the associated legal risk exposure of organizations that manage the personal information of consumers, clients, or members of the public.

Background

Spokeo operates a “people search engine” that reviews a wide spectrum of databases to provide its users with information about individuals. The site markets itself as a mechanism for reuniting with lost connections, but can also be used for investigative purposes, such as evaluating job applicants.

The respondent, Thomas Robins, discovered that his Spokeo profile contained inaccurate information. He filed a federal class action complaint against Spokeo, alleging that the company failed to comply with its requirements under the Fair Credit Reporting Act (the “FCRA”). The FCRA requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy” of consumer reports and imposes liability on “[a]ny person who willfully fails to comply with any requirement [of the FCRA]” with respect to any individual.

(Canada does not have a “fair credit reporting act” per se, but provincial statutes such as Ontario’s require consumer reporting agencies to “adopt all procedures reasonable for ensuring accuracy and fairness in the contents of its consumer reports.”[1] In addition, Canada’s privacy legislation incorporates the principle of accuracy and a right of correction.[2])

Robins alleged that Spokeo disseminated false information related to his education, family status, and wealth, causing Robins to fear that potential employers would rely on this inaccurate information and be disinclined to consider him for employment. Spokeo argued that Robins’ fear, without more, did not constitute actual harm.

The District Court dismissed the complaint, holding that Robins had not suffered an actual injury, and therefore had not properly pleaded “injury-in-fact”, as required by (“Article III”). As a result, he lacked standing. On appeal, a panel of the Court of Appeals for the Ninth Circuit reversed the District Court decision. The Ninth Circuit’s decision was appealed to SCOTUS.

 

The Decision

The SCOTUS panel issued a 6-2 split decision. The majority determined that the Ninth Circuit’s decision was incomplete for failing to satisfy the “injury-in-fact” requirement under the test for standing.

The test for standing before federal courts in the U.S. has a constitutional basis. establishes the judicial branch of the federal government. It gives courts the authority to adjudicate “any case or controversy”. The court has developed these principles fairly narrowly. A plaintiff only has standing in federal court if they suffer a concrete and particularized injury, that is “actual or imminent, not conjectural or hypothetical.” For an injury to be particularized, it “must affect the plaintiff in a personal and individual way”. A concrete injury must actually exist, though it can be either tangible or intangible.

Significantly, the court in Spokeo emphasized that violations of FCRA procedural rights do not necessarily result in concrete harm and that “not all inaccuracies cause harm or present any risk of harm.” SCOTUS held that a “bare procedural violation, divorced from any concrete harm,” will not “satisfy the injury-in-fact requirement of Article III.” This is likely to rein in lower courts that have taken a more lenient view of standing. In one regard, it represents a reiteration and clarification of SCOTUS’ position in , which stated that a “‘threatened injury must be certainly impending to constitute injury in fact,’ and that ‘[a]llegations of possible future injury’ are not sufficient.”

Clapper opened the door to much debate (and litigation) in respect of the scope of a “certainly impending” injury – a door which SCOTUS appears to have incrementally closed. However, the court did not say outright that a plaintiff must have suffered concrete harm in order to sue. It noted that in some circumstances, a “risk of real harm” may be sufficient to satisfy the requirement of concrete harm.

In the end, the Spokeo majority concluded that the Ninth Circuit failed to fully appreciate the distinction between concreteness and particularization in its reasons, and it sent the matter back for the lower court to consider whether “the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement.”

The dissent agreed with the majority’s analysis, but took issue with the need to remand the decision to the Ninth Circuit for an assessment of whether Robins’ injury was, in fact, particular and concrete. The dissent found that the evidence before the court had shown that Spokeo’s inaccurate information about Robins could jeopardize his candidacy for jobs he had or would apply for, and could cause potential employers to make negative judgments, based on inaccurate information, about his suitability for certain work demands. In the dissent’s view, this was far more egregious than an incorrect zip code (citing the majority’s example).

 

Privacy Damages in Canada

Spokeo raises a number of considerations for organizations that manage consumer and public data, both in the U.S. and Canada.

In the U.S., the decision raises questions about the ability of claimants to sue to enforce privacy-compliance requirements or other procedural matters under causes of action established by legislation like the FCRA. This is particularly so where the statutory right of action does not explicitly include requirements for concrete or particular injuries or where no clear harm has (yet) materialized that the plaintiff can point to.

Moreover, the split decision illustrates a divide on the SCOTUS bench over the harm that can accrue from the mismanagement of personal information and the growing importance of strong consumer privacy laws in a data-rich and networked world. While the majority characterizes the erroneous Robins profile as an error of no particular consequence, the dissent appears to be alive to the consequences and risks to individuals of poor data gathering, management, and publication where personal information is concerned.

These issues are very much alive in the Canadian privacy landscape as well. Canadian courts and legislators continue to grapple with the nature and quality of damages required to prove a claim.

Across Canada’s legislatures, there has been a patchwork of statutory suit provisions enacted for privacy complaints. For instance, the explicitly includes a statutory tort, actionable without proof of damage,[3] as do the privacy acts of , , and .[4] The creates only administrative offences, and contains no civil right of action.[5]

Under the personal information legislation of some provinces, the statutes create a right to sue for damages only after the statutory administrative processes have resulted in an order or conviction, and then only “for damages for loss or injury that the individual has suffered as a result of the breach”.[6] Canada’s federal (“PIPEDA”) takes a similar approach, but permits a court to “award damages to the complainant, including damages for any humiliation that the complainant has suffered.”[7]

Canadian courts’ struggle with these issues is evident in decisions like :

The fixing of damages for privacy rights’ violations is a difficult matter absent evidence of direct loss. However, there is no reason to require that the violation be egregious before damages will be awarded. To do so would undermine the legislative intent of paragraph 16(c) which provides that damages be awarded for privacy violations including but not limited to damages for humiliation.

Privacy rights are being more broadly recognized as important rights in an era where information on an individual is so readily available even without consent. It is important that violations of those rights be recognized as properly compensable.[8]

An earlier decision, , addressed the issue as well, but took a more cautious approach:

Section 16 of PIPEDA provides that “[t]he Court may, in addition to any other remedies it may give … award damages to the complainant, including damages for any humiliation that the complainant has suffered.” This provides the Court with exceptionally broad power to award damages. Nevertheless, any damages awarded must be awarded on a principled basis, and be appropriate and just in the circumstances.[9]

Of note, the amendments to PIPEDA made under the regarding mandatory data breach reporting set the reporting trigger as “real risk of significant harm” and state explicitly that “significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property”.[10] An organization which concludes that it must report a breach may, in doing so, be inadvertently conceding a measure of damages.

© McCarthy Tétrault LLP

 

is Counsel in McCarthy Tétrault’s National Technology Group. Douglas Judson is an articling student in McCarthy Tétrault’s Toronto office.


 

[1] Consumer Reporting Act, R.S.O. 1990, c. C.33 at s. 9.

[2] See, for instance, Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Sch. I at “Principle 6 – Accuracy”.

[3] Privacy Act, R.S.N.L. 1990, c. P-22.

[4] Privacy Act, R.S.B.C. 1996, c. 373; Privacy Act, R.S.M. 1987, c. P125; Freedom of Information and Protection of Privacy Act, R.S.S. 1978, c. P-24.

[5] An Act respecting the Protection of Personal Information in the Private Sector, C.Q.L.R., c. P-39.1. In Québec, the right to privacy is also protected by several provisions of the Civil Code of Québec and by the Charter of Human Rights and Freedoms, and a breach of these rights to privacy can lead to broad damages awards.

[6] Personal Information Protection Act, SA 2003, c P-6.5, section 60. See Martin v. General Teamsters, Local Union No. 362, 2011 ABQB 412, at paras. 47-48, in which the Court struck portions of a Claim on this point; Personal Information Protection Act, SBC 2003, c 63.

[7] Personal Information Protection and Electronic Documents Act, S.C. 2000, c 5 at s. 16. Along with the statutory regime, there is the common law intentional tort of “intrusion upon seclusion”, developed in Jones v. Tsige, 2012 ONCA 32. However, this tort has been rejected in B.C. and Alberta, where the courts have found that the provincial privacy statute excludes a common law action for intrusion upon seclusion. See Ladas v. Apple Inc., 2014 BCSC 1821 at paras. 76-77 and Martin v. General Teamsters, Local 362, 2011 ABQB 412 at paras. 43-48.

[8] Chitrakar v. Bell TV, 2013 FC 1103 at para. 24.

[9] Nammo v. TransUnion of Canada Inc., 2010 FC 1284 at para. 66.

[10] Digital Privacy Act, S.C. 2015, c. 32 at s. 10.1(7)

 

 

The post Spokeo: Will U.S. Supreme Court’s Decision Impact Privacy Damages in Canada? appeared first on IPOsgoode.

IIROC Releases Two Cybersecurity Resources: Best Practices Guide and Incident Planning Guide
/osgoode/iposgoode/2016/01/27/iiroc-releases-two-cybersecurity-resources-best-practices-guide-and-incident-planning-guide/ (Wed, 27 Jan 2016 22:06:03 +0000)

The re-posting of this is part of a cross-posting agreement with .

Last week, the Investment Industry Regulatory Organization of Canada (“IIROC“) published two detailed guides to help IIROC-regulated firms protect themselves and their clients against cyber threats and attacks. The creation of these guides was telegraphed at the beginning of the year in IIROC’s , released January 27, 2015, and underlines IIROC’s increased focus on cyber risk.

The first resource, the (“Practices Guide”), is intended to provide “an enterprise-wide risk-based framework of industry standards and best practices that IIROC-regulated firms can apply”. The complementary (“Planning Guide”) is a companion tool for firms to use in order to prepare effective response plans for cyber threats and attacks.

 

The Practices Guide

The Practices Guide is “voluntary guidance” but Andrew Kriegler, IIROC President and CEO has said that IIROC regards “[a]ctive management of cyber risk [a]s critical to the stability of IIROC-regulated firms, the integrity of Canadian capital markets and the protection of investors.”

The Practices Guide, at just over 50 pages long, provides detailed standards-based security controls that make up a best practice cybersecurity program. While applicable to IIROC dealer members of all sizes and budgets, it is specifically targeted at small and mid-sized firms.

Key points in the Practices Guide include:

Sound Governance and Board Engagement. A sound governance framework with strong leadership is identified as being “essential” to effective enterprise-wide cybersecurity, along with board-level and senior management-level engagement, which IIROC characterizes as “critical”.

Training. Responding to increasing threats presented by social engineering (the manipulation of insiders into providing confidential information or downloading malicious code), IIROC notes that effective training helps to reduce the likelihood of a successful attack by providing staff with the knowledge to avoid becoming inadvertent attack vectors.

Scalable. IIROC acknowledges that there is a range of sizes and sophistication among its member dealers and that the ability to customize and quantify adjustments to their cybersecurity programs using cost-effective security controls and risk management techniques will be important. Nonetheless, IIROC cautions that while a smaller firm may not be positioned to implement the Practices Guide’s controls in their entirety, it is of the view that these strategies can nonetheless serve a critical benchmarking function.

Third Party Vendor Management. IIROC recognizes that its dealer members typically use third-party vendors for services that require vendor access to sensitive firm or client information, or access to firm systems. It also notes that the number of security incidents attributed to partners and vendors has risen consistently, year on year. As a result, IIROC urges firms to exercise “strong due diligence and developing clear performance and verification policies.”

 

The Planning Guide

The Planning Guide is the slimmer document at only 29 pages and presents a set of voluntary cybersecurity strategies, guidelines, and tools for small and mid-sized IIROC dealer members. These can be used by dealer members to assist them in developing their own internal plans as part of their cybersecurity strategy. The Planning Guide is careful to state that it is “not intended to create new legal or regulatory obligations or modify existing ones”, and dealer member firms will need to be aware of additional requirements layered on by anti-money laundering, privacy and consumer protection legislation, for example.

The Planning Guide is divided into three sections. The first section provides a brief background on cybersecurity and key industry standard references. The second section is an overview of the incident lifecycle, planning concepts, and key tools upon which to base incident response plans. The third section addresses firm interactions with outside parties (e.g. regulators and clients, as well as partners, external vendors, and government) during a breach.

There are two appendices: Appendix A includes key recommendations for implementing a cybersecurity incident response capability and Appendix B includes a 10-step guide, which outlines how to respond to a cybersecurity incident when an organization is not prepared.

Both Guides are extensive and firms would be wise to begin seriously engaging them in the development of their cybersecurity risk planning, which should already be well underway. It is not unreasonable to assume that these Guides, though voluntary, will inform the expectations of regulators.

The Guides are in many respects technical documents, and as a result do not in and of themselves provide a comprehensive enterprise risk management perspective. For instance, one key piece which is not fully addressed in the Guides is the crucial role of counsel and, in particular, the importance of managing privileged information, both prior to and during a breach. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances and boards should understand the contours of liability related to these risks and the decisions made in response to them.

© McCarthy Tétrault LLP

 

is Counsel in McCarthy Tétrault’s National Technology Group.

The Internet of Things: Guidance, Regulation and the Canadian Approach
/osgoode/iposgoode/2015/11/27/the-internet-of-things-guidance-regulation-and-the-canadian-approach/ (Fri, 27 Nov 2015 17:27:50 +0000)

The re-posting of this is part of a cross-posting agreement with .

The Internet of Things (IoT) has been identified as a disruptive technology, bringing with it both the promise of seamless interconnectivity of devices and, the flip side of that interconnectivity, single-point vulnerability of multiple systems. While businesses rush to embrace the technology, the regulators have begun considering the issues raised by it.

 

What is the Internet of Things?

The “Internet of Things” is a phrase that refers to everyday products that are connected to the internet and can send and/or receive communications from other devices. It includes internet-enabled products such as thermostats, fitness trackers, watches, cars, light bulbs, washers and dryers or even toasters and toothbrushes.[1] On a larger scale, it can include industrial controls and factory machinery.

The Internet of Things is expected to have an economic impact of $3.9 trillion to $11.1 trillion per year by 2025, which will represent up to 11% of the world’s economy.[2] The world’s largest manufacturers have already jumped on board the Internet of Things, but as with any disruptive industry it will take a few years for the regulatory frameworks to catch up.

With this new industry comes a host of new legal issues. Some areas of law that will be affected by the Internet of Things include: security, privacy and competition law. Regulators may introduce minimum security protocols for IoT devices since breaches of security can lead to more direct and physical effects on a consumer’s safety. Privacy also becomes exponentially more important since the amount of information about an individual’s life will increase as more products become internet-enabled. Consumers of these products will demand more control over their private information, while companies will want to store that information for commercial purposes. Competition will also be an issue as the big technological players attempt to standardize and control the frameworks that connect these devices through patenting these technologies and seeking exclusive commercial deals.

The Internet of Things can help make society more effective, safer and greener, so it is important that these future regulations strike a proper balance between supporting helpful innovation and protecting consumers. It is also important that these future regulations be in accordance with international approaches, since asymmetric regulations can lead to increased regulatory compliance costs to enter the Canadian market and can also raise the barriers for Canadian companies entering global markets.

As of yet, there have not been any direct regulatory adjustments to deal with these unique issues. However, there have been committees established and meetings taking place around the world to deal with the Internet of Things. Businesses that have begun to embrace Internet of Things technologies, whether in their products or as part of their manufacturing processes and controls, should pay close attention to the increasing activity of regulators in this area.

 

The European Union

The European Commission, the executive body of the European Union, has created the “Alliance for Internet of Things Innovation” (“AIOTI”). The European Commission has suggested that future regulations must focus on security, privacy, consumer protection, functioning competition and choice.[3]

The European Commission released a report based on a public consultation on the Internet of Things.[4] The public consultation found, amongst other things, the following:

  • Privacy: Industry representatives wanted to see no changes to current privacy laws to help promote innovation, while the majority of consumers and consumer organizations considered the current privacy regulations inadequate and wanted to see IoT-specific Data Protection Impact Assessment guidelines. In addition, consumers thought that they should be in control of their data and wanted stronger enforcement for privacy breaches.
  • Security and Safety: Industry representatives wanted to see no changes to the current security requirements and did not want to see overregulation. Consumers, on the other hand, wanted to see the creation of guidelines and standards for security to ensure data confidentiality, integrity and availability in an IoT context.
  • Competition: The majority of respondents agreed that IoT devices should inter-operate to promote competition and service innovation. Industry leaders, however, pointed out that non-interoperable vertically-integrated systems should not be prevented by legislation, especially in non-consumer facing products.

 

The United States

In January 2015, the Federal Trade Commission released a on the Internet of Things. The report was prepared in conjunction with leading technologists, academics, industry representatives and consumer advocates. This report focused on the issues of privacy, security and whether legislation is required to regulate the Internet of Things. The report suggested the following:

  • Privacy: The report suggested that companies practice “data minimization”, which involves limiting the collection of data and holding data only for the period of time it needs to be used.
  • Security and Safety: The report recognized that security in the context of the Internet of Things is becoming more important. Namely, the report outlined the various ways that security breaches can lead to real-life safety concerns.[5] The report suggests that companies should prioritize building security into devices, should train employees adequately, should ensure that contractors can maintain security, and should monitor devices and report to the consumer when security breaches are detected.

The report suggests that IoT-specific legislation would be premature at this point. Instead, the report suggests that broad security and privacy legislation should be introduced to deal with these matters while remaining flexible enough to adapt to technological innovations.

 

The Canadian Approach

It remains to be seen how Canada will adapt to a world of connected devices. From the reports created in the EU and US it is apparent that there will be tension in the creation of new regulatory frameworks since these have the potential to stifle innovation and increase business costs. Nonetheless, the security, privacy and competition implications of the Internet of Things are equally apparent. Companies should ensure that they are continually monitoring and improving their privacy and security practices to stay in front of any legislative changes. In the long run, this will decrease compliance costs and help gain the trust of consumers.

The federal Privacy Commissioner has taken what it describes as a “keen interest” in the problems associated with the Internet of Things and notes that it is conducting various research projects related to the Internet of Things.[6] In June 2015, Privacy Commissioner Daniel Therrien, in his submission to the House of Commons Standing Committee on Industry, Science and Technology, said that his Office planned to release “several reports on the Internet of Things”.[7]

While no reports have been forthcoming, the Privacy Commissioner reiterated his Office’s interest in and concern with the Internet of Things,[8] noting specifically that in spring 2016 it will produce a “discussion paper” outlining the various challenges associated with the current consent model and exploring potential solutions, such as industry codes and other forms of self-regulation, and enhanced regulation. While these are not specific to the Internet of Things, the Internet of Things, and IoT-enabled devices, will be included.

The Privacy Commissioner also anticipates “provid[ing] guidance to businesses and technology developers on how to build privacy protections into products and services; and educate users on the privacy risks associated with wearable devices” and other connected technologies.

 

© McCarthy Tétrault LLP

is Counsel in McCarthy Tétrault’s National Technology Group. is an articling student in McCarthy Tétrault’s Toronto office.

[1] http://www.wsj.com/articles/SB10001424052702304360704579415161522531046

[2] [source URL garbled in the original and not recoverable]

[3] Internet of Things: the next revolution, CONNECT Advisory Forum, the European Commission, at page 10.

[4] Report on the Public Consultation on IoT Governance, January 16, 2013.

[5] For more examples, see the list of possible security concerns released by the FBI: .

[6] Yesterday was already tomorrow… The Internet of Things: The need for an adequate information security and privacy framework, Remarks at the Information Security Rendez-vous (ISR) 2014, Montreal, Quebec, May 7, 2014 (Address by Daniel Caron, Legal Counsel, OIPC).

[7] Study on the State of Disruptive Technologies, Submission to the House of Commons Standing Committee on Industry, Science and Technology, June 18, 2015 (Address by Daniel Therrien, Privacy Commissioner of Canada).

[8] National Security and Privacy in 2015, Remarks at the Privacy and Access 20/20 Conference, November 12, 2015, Vancouver, British Columbia (Address by Daniel Therrien, Privacy Commissioner of Canada).

Data Transfers from EU to US “unlawful”; EU Signals Enforcement Actions Possible After January, 2016
/osgoode/iposgoode/2015/10/28/data-transfers-from-eu-to-us-unlawful-eu-signals-enforcement-actions-possible-after-january-2016/ (Wed, 28 Oct 2015 20:58:23 +0000)

The re-posting of this is part of a cross-posting agreement with .

On Friday, October 16, 2015, the Article 29 Working Party (“WP29”) released a on the decision of the Court of Justice of the European Union (“CJEU”) in the case , the landmark decision which invalidated the decision of the European Commission underpinning the Safe Harbour framework by which personal information was permitted to move from the EU to the United States.

Status of Model Contract Clauses and Binding Corporate Rules

The WP29 stated that it was still considering the Schrems decision and acknowledged the uncertainty that the decision had caused, emphasizing that “data protection authorities (“DPAs”) consider that it is absolutely essential to have a robust, collective and common position on the implementation of the judgment.”

WP29 suggests that, during its evaluation period, certain similar mechanisms for rendering lawful a transfer of data from the EU to the United States remain valid. In particular, WP29 advises that during its evaluation period, “data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used”. Accordingly, while certain data protection commissioners have doubted the validity of these mechanisms, it appears that the majority of commissioners will accept them as legitimate at least for a transitional period. WP29 goes on to note, however, that this will not prevent DPAs from investigating individual cases.

 

Transfers Considered Unlawful – Enforcement by January 1, 2016

The WP29 also unequivocally stated its view that “it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”).” It then goes on to say that (emphasis added) “transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.”

Businesses will have a short timeline in which to bring themselves into compliance. The WP29 has set a 3-month deadline for the EU and United States to conclude negotiations and implement a new safe harbour regime. It has warned that “[i]f by the end of January 2016, no appropriate solution is found with U.S. authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”

 

Other Points in the WP29 Statement

In WP29’s view, “the question of massive and indiscriminate surveillance is a key element of the Court’s analysis” in Schrems. It warned that such surveillance “is incompatible with the EU legal framework” and that third countries “where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers.”

This implies that any future adequacy decisions from DPAs will undertake a broad analysis of the third country’s domestic laws and international commitments. In this regard, there is a risk that Canada’s PIPEDA will be called into question in light of this country’s relationship (formal and otherwise) with the United States and Canada’s recent data legislation (in particular Bill C-51, introduced by the Canadian federal government and affording Canadian law enforcement officials greater access to data). It is an open question as to whether this constellation of factors could push Canada into the realm of “inadequate” safeguards insofar as the EU is concerned.

Likewise, there remains a risk that other bases for sending data from the EU to the United States will be threatened by this interpretation of Schrems. In particular, in a number of circumstances, it is unclear whether an importer of data in the United States can make the strong warranties required by the model contract clauses or the binding corporate rules, if similar guarantees were deemed inadequate under the now-invalidated Safe Harbour regime.

Businesses will want to pay close attention to the ongoing Safe Harbour negotiations between the EU and the United States, and in the interim, seriously consider rerouting data flows, evaluate the risks and benefits of model contract clauses and binding corporate rules, and re-evaluate their collection and transfer of personal information where possible.

© McCarthy Tétrault LLP

 

is Counsel in McCarthy Tétrault’s National Technology Group. is an IP Osgoode Advisory Board member and a senior partner with McCarthy Tétrault in the Toronto office. He is the former Co-Chair of the firm’s Technology Law Group and was the head of the firm’s Internet and Electronic Commerce Group. is a partner in McCarthy Tétrault’s Intellectual Property Group and a member of the Privacy, Technology, Franchise & Distribution, and Appellate Groups. is the national leader of McCarthy Tétrault’s Information Technology Law Group and co-leader of the Firm’s national Cybersecurity, Privacy and Data Protection Group.

Businesses Should Re-evaluate Approach to Privacy with Passage of Digital Privacy Act
/osgoode/iposgoode/2015/06/25/businesses-should-re-evaluate-approach-to-privacy-with-passage-of-digital-privacy-act/ (Thu, 25 Jun 2015 14:14:58 +0000)

The re-posting of this is part of a cross-posting agreement with .

The Digital Privacy Act (Bill S-4) passed into law yesterday, introducing (among other things) significant fines and mandatory breach notification (not yet in force) into the Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations that handle personal information in the course of their commercial activities will want to undertake a review of their privacy policies and security safeguards. In light of the new power to levy significant monetary penalties, boards of directors may want to review their organization’s allocation of risk around these issues.

All new measures under the Digital Privacy Act are now in force, except for the data breach requirements (see discussion below).

The Digital Privacy Act introduces some provisions that will improve the operation of PIPEDA (for instance, introducing targeted exceptions to the consent principle, and expanding the scope of “business contact information” that will not be treated as “personal information”). However, there are four areas that will be of significant concern to organizations: consent, mandatory breach notification, penalties and confidentiality.


Consent

The Act introduces a “sliding scale” of consent that could render existing consents invalid. The new section 6.1 states:

For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

The government’s press release indicates that clear, simple language will be necessary to obtain valid consents from “vulnerable” Canadians, particularly children, to ensure they fully understand the potential consequences of providing their personal information online.

Previously, there was a “one size fits all” form of consent. Provided the consent was informed, and the purpose of collecting the personal information was clearly stated, that was sufficient. The new sliding scale of consent will cause difficulty for organizations.

The amended language appears to require organizations to assess the sophistication of the users of their websites, products and services and to determine whether such persons understand what they are reading and agreeing to. For an organization with a website that has millions of visitors across multiple demographics, this may be expensive and, ultimately, unworkable. For instance, a clothing retailer may have an online catalogue of kids’ and teens’ clothes: is the target demographic kids and teens, or their parents? Would an organization have to “gate” its webpage with a question about age that, once answered, directs that person to one of a variety of privacy policies? Similar questions will arise for mass-market apps that are attractive to all kinds of audiences.


Mandatory Notification

The Act introduces a new set of obligations with respect to breaches of security safeguards, or a failure to establish those safeguards. These will not be in force until the government crafts implementing regulations following a consultation with stakeholders and the Office of the Privacy Commissioner. No timeline has been provided for the implementation of any regulations.

Once these provisions come into force, organizations will be required to report to the Commissioner any breach of security safeguards involving personal information under their control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Such a report must be made “as soon as feasible after the organization determines that the breach has occurred”.

Organizations will also be required to notify a potentially affected individual of such breach, using a similar threshold.

The “as soon as feasible” requirement is likely to be challenging for organizations in the throes of a data breach, where facts are moving targets and it takes weeks (sometimes months) to understand what has happened. Organizations will be reluctant to provide anything too specific for fear of litigation risk down the road, and may in fact be required to issue multiple notices as an investigation evolves, leading to consumer confusion and “breach fatigue”.

Notice is required where there is a “real risk of significant harm” to an individual. The term “significant harm” is defined to include, among other things, “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”.

Further, an organization encountering a breach will have additional notification obligations to other organizations and government institutions if the breached organization believes that those other organizations or institutions may be able to reduce the risk of harm that could result from the breach.


Penalties

The Act introduces liability for knowingly violating the notification requirements. An organization may be liable for fines of up to $100,000 per violation. It is unclear at this time whether a “violation” means a single incident (e.g. one failure to notify all affected individuals) or whether each failure to notify each individual counts as a separate violation.

Faced with the risk of this kind of liability, organizations will likely be inclined to over-report, once again leading to “breach fatigue” in consumers.


Confidentiality

Under the previous regime, while the Commissioner had the power to “name and shame” wrongdoers, the Commissioner was (with few exceptions) required to keep information that was provided to it confidential. The new Act now provides the Commissioner with the right to make public any information that comes to his or her knowledge in the performance or exercise of any of his or her duties or powers as well as information in security breach notifications to the Commissioner. (s. 20)

This is likely to make organizations much less willing to make a full and frank disclosure to the Commissioner. In addition, organizations dealing with the Commissioner will now have to be concerned about ensuring their trade secrets and confidential information are adequately protected (potentially through sealing orders or similar mechanisms) as well as ensuring that, by providing information to the Commissioner, they are not in violation of their agreements with third parties or requests made by law enforcement.


Improvements to PIPEDA

(a) New Exemptions to Consent Requirements

The government used the Digital Privacy Act to introduce a number of sorely needed exemptions to consent requirements under PIPEDA. Of note, consent will not be required to:

  • use personal information contained in a witness statement that is necessary to assess, process or settle an insurance claim
  • use personal information produced by an employee in the course of their employment, business or profession
  • disclose personal information to a government institution if the disclosing organization has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction
  • disclose personal information to another organization where the disclosure is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada, or for the purposes of detecting, suppressing or preventing fraud
  • use or disclose necessary personal information in association with a prospective business transaction, so long as the information is safeguarded and the information is returned or destroyed if the transaction does not proceed

The final provision is particularly welcome in transactional contexts where the vendor has not obtained the consents to share personal information for due diligence purposes in a deal. While courts have occasionally issued orders to permit such disclosures, this has always been a cumbersome and uncertain process for parties to a transaction.

(b) Business Contact Information

The Digital Privacy Act modernizes the “business contact” carve-out from the definition of personal information. It expands it by exempting any contact information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession. This amendment clarifies that a business e-mail address is not covered by PIPEDA so long as it is used for the appropriate purpose of contacting an individual in a work context.


© McCarthy Tétrault LLP

is Counsel in McCarthy Tétrault’s National Technology Group. is the national leader of McCarthy Tétrault’s Information Technology Law Group and co-leader of the Firm’s national Cybersecurity, Privacy and Data Protection Group. is a partner in McCarthy Tétrault’s Intellectual Property Group and a member of the Privacy, Technology, Franchise & Distribution, and Appellate Groups. is an IP Osgoode Advisory Board member and a senior partner with McCarthy Tétrault in the Toronto office. He is the former Co-Chair of the firm’s Technology Law Group and was the head of the firm’s Internet and Electronic Commerce Group.

