2. Topics Include
• An overview of Canada’s federal and provincial privacy laws
• Storing and transferring personal information outside Canada
• Video surveillance
• Online behavioural advertising
• How to respond to a data breach
• Canada’s new anti-spam laws
3. Gowlings at a Glance
• One of Canada’s largest law firms
• Over 750 professionals across 10 offices worldwide
• Recognized expertise in Business Law, Advocacy and Intellectual Property Law
6. Canadian Privacy Law
• The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private sector businesses in most Canadian provinces
• Similar laws apply to information collected in Québec, British Columbia and Alberta
7. Canadian Privacy Law
• These laws apply to foreign (non-Canadian) businesses that collect, use or disclose personal information about individuals in Canada, even if the business does not have a Canadian presence
• They apply to “personal information” – a term that is broadly defined as “information about an identifiable individual” (apart from their business contact information)
9. Storing and Transferring Personal Information
• Privacy laws don’t prevent storing or transferring personal information outside Canada, but doing so is subject to certain legal obligations:
  • Accountability: The organization is responsible for personal information in its possession and custody, including information transferred to a third-party service provider
  • Transparency: Canadian customers must be advised if their personal information is going to be transferred or stored outside of Canada
11. Video Surveillance
• PIPEDA and the provincial laws apply to the capturing of video images in the course of commercial activity, whether those images are recorded or not
• “Overt” surveillance:
  • Organizations must give clear notice about the use of cameras on their premises, before people enter the premises (including information on how people can get access to their images)
12. Video Surveillance
• “Covert” surveillance:
  • Allowed only in exceptional circumstances where overt surveillance would compromise the availability and accuracy of the data, and the collection is for the purposes of investigating a breach of law or breach of an agreement
14. Online Behavioural Advertising
• Online Behavioural Advertising:
  • Web-based programs that allow businesses to track consumers’ online activities, e.g., Flash cookies, beacons, tracking pixels, etc.
• Contrary to popular belief, online behavioural advertising IS classified as “personal information”
15. Online Behavioural Advertising
• Permissible, but subject to regulations:
  • Transparency:
    • Users must be aware that this tool is being used
  • Consumers must be able to “opt out” but still be able to use the services
  • Should not be used on websites targeted at children, due to their inability to give meaningful consent
17. How to Respond to a Data Breach
• Federal legislation - PIPEDA
  • Voluntary security breach notification
• Guidelines from Federal Privacy Commissioner
  • Voluntary but expected
18. How to Respond to a Data Breach
• The Guidelines state there are four key steps to consider when responding to a breach:
  • Breach containment and preliminary assessment
  • Evaluation of the risks associated with the breach
  • Notification
  • Prevention
19. How to Respond to a Data Breach
• Alberta Personal Information Protection Act (PIPA)
  • Private sector organizations are required under mandatory privacy breach notification provisions to notify the Privacy Commissioner
  • Threshold of notification: “real risk of significant harm”
    • “Real risk” means “a reasonable degree of likelihood that the harm could result”
20. How to Respond to a Data Breach
• Who is responsible for notifying the commissioner?
  • The organization with control of the personal information, even if the breach occurred at the service provider level
• Contents of the report:
  • How many people affected
  • Information released
  • Circumstances surrounding the breach
  • What mechanisms are in place to protect data
21. How to Respond to a Data Breach
• If “real risk” is determined, the organization is required to notify those affected
• The Privacy Commissioner issues a written decision, which is available on its website
• The Privacy Commissioner will provide direction on what needs to be in the notice
22. How to Respond to a Data Breach
• Protect your organization from a data breach:
  • Review privacy policies and procedures regularly
  • Train staff on how to prevent breaches
  • Create guidelines on what to do if there is a breach
24. Canada’s New Anti-spam Laws
• Slated to come into effect mid to late 2013
• Canada’s Anti-spam Legislation (CASL) will apply to “Commercial Electronic Messages,” prohibiting all but those messages that comply with its requirements
• The CRTC and Industry Canada take the position that existing, valid consent may not survive the transition period
  • Organizations will need to seek new consent from existing mailing lists
25. Canada’s New Anti-spam Laws
• Electronic messages must contain:
  • Prescribed disclosure language
  • An unsubscribe mechanism
• CASL applies to:
  • An electronic mail account
  • An instant messaging account
  • A telephone account; or
  • Any similar account
26. Canada’s New Anti-spam Laws
• Messages that may be exempt:
  • Those sent between employees of an organization relating to the affairs of the organization
  • Messages sent between two organizations with an existing business relationship relating to their affairs
  • Those that respond to an inquiry, complaint, etc.
27. Canada’s New Anti-spam Laws
• Penalties for violations:
  • A fine of up to $1,000,000 for a violation by an individual
  • A fine of up to $10,000,000 for a violation by a corporation
28. Canada’s New Anti-spam Laws
• Private right of action for persons who allege they have been affected by a violation:
  • Compensation equal to the actual loss or damage suffered; and
  • $200 for each contravention, not exceeding $1,000,000 for each day on which a contravention occurred
29. Canada’s New Anti-spam Laws
• How organizations can ensure they comply:
  • Be aware of the requirements for express consent:
    • Why?
    • Who is asking?
    • Provide contact information (mailing address + telephone numbers, email or web address)
    • State that consent can be withdrawn