
Office of the Privacy Commissioner of Canada discusses its investigation against Compu-Finder

The Office of the Privacy Commissioner of Canada (OPC) recently hosted a knowledge session for stakeholders to discuss its recent investigation against Compu-Finder. This was the first investigation by the OPC involving the address harvesting provisions under the Personal Information Protection and Electronic Documents Act (PIPEDA). See our post summarizing the findings and the OPC’s full report here.

While the OPC could not disclose details of its investigation, the OPC provided attendees with information about its interpretation of its investigative powers, its approach to the investigation and tips for organizations.

The Investigation

Unlike its complaint-driven investigations, this investigation was an intelligence-driven case under the address harvesting provisions that were added to PIPEDA by Canada’s Anti-Spam Legislation (CASL). After significant intelligence gathering to meet its reasonable grounds burden, a Commissioner-initiated investigation was commenced, allowing the OPC to collect further intelligence from Compu-Finder, affected individuals and third parties, including by affidavit. The OPC highlighted that it applied a cross-functional investigation, using numerous departments and tools, including extensive use of the OPC technology lab.

It is important to note that, unlike the Canadian Radio-television and Telecommunications Commission (CRTC), which is the regulator with main responsibility for enforcement of CASL, the OPC must have reasonable grounds to start an investigation that has not been initiated by an individual’s complaint. The CRTC does not have to discharge that burden before commencing an investigation.

Key Takeaways

“The truth is in your records.” The OPC stressed the importance of record keeping. This has become a consistent theme regarding PIPEDA and CASL. (See our post on the CRTC’s guidance here.) The OPC highlighted that record keeping was a fundamental issue in its investigation. Organizations must be able to meet their due diligence obligations and prove they have consent for the personal information they collect and use, and for every e-mail they send under CASL. The OPC found that Compu-Finder’s records were inadequate or, in some cases, may have contradicted its position.

Other lessons offered were:

  • Exercise care when crafting responses to the OPC during an investigation;
  • An established privacy compliance program can greatly assist you in demonstrating accountability;
  • Part of due diligence involves following up, double-checking and auditing your policies and procedures.

Stakeholders undoubtedly appreciated the OPC’s proactive gesture in providing this opportunity to learn more.


Impact of the European General Data Protection Regulation (GDPR) on Adequacy and 5 Tips to Weather the Changes

Recent media coverage has brought to light the internal deliberations of the Government of Canada regarding the possible impact of the entry into force of the GDPR in 2018 on Canada’s adequacy status to receive personal data from the European Union (EU). Ten other countries, and the businesses in those countries, should examine the same question: Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. The EU-US Privacy Shield, to which U.S. companies may self-certify, has received adequacy status.

Two issues arise: i) since the provisions of the new GDPR are stricter than the current European regime under which these eleven States have been deemed adequate, will adequacy survive the coming into force of the new GDPR? And ii) now that adequacy may be repealed, how should governments or businesses prepare?

The following seeks to summarize what to watch for and how to weather this significant, yet still ill-defined, legal development.

  1. Why is adequacy status important?

European privacy law prohibits the transfer of personal data outside of the EU, except to states that have been recognized as providing adequate privacy protection (GDPR, Chapter V). “Non-adequate” states may only receive EU data under onerous conditions, namely:

  • Individual consent, and even then this is not valid for employee information, as the employer-employee relationship is one of authority, which defeats the assurance of “free” consent; or
  • Standard model clauses, adopted by the European Commission, that bind the parties to the same level as European data protection law and submit the party receiving the data to audits by the party transferring the data; or
  • Binding Corporate Rules, which apply within “a group of enterprises engaged in a joint economic activity” (Article 43.1) and bind the companies within the group to the European standards of privacy law.

Non-EU states that have been recognized as providing adequate protection for privacy may receive transfers of personal data from Europe without “any specific authorization.” (Article 41.1)

With a European market of 500 million, this is a critical economic advantage.

  2. How is a State considered adequate?

Article 41.2 of the GDPR summarizes the conditions for adequacy:

  • Respect for “the rule of law, human rights and fundamental freedoms, relevant legislation both general and sectoral, data protection rules and security measures, including rules for onward transfer of personal data to another third country or international organization, as well as the existence of effective and enforceable data subject rights and effective administrative and judicial redress for the concerned data subjects”;
  • Existence of an effective data protection authority;
  • International commitment of the State to uphold protection of personal data.

  3. What is the difference between State adequacy and the EU-US Privacy Shield?

Because the U.S. does not have adequacy status, not meeting the criteria above, U.S. companies require a specific legal instrument to receive EU personal data. That is the EU-US Privacy Shield, under which U.S. companies self-certify and commit to:

  • European data protection standards;
  • The new scrutiny of the Ombudsperson to be created in the U.S., as well as of the Department of Commerce and the Federal Trade Commission;
  • Stronger requirements on consent;
  • New access for Europeans to remedies in the U.S.

It is noteworthy that the EU-US Privacy Shield process is still more burdensome than the process for companies in States that have adequacy status.

  4. What next for adequacy?

The coming into force of the GDPR introduces the possibility for an adequacy decision to be “amended, replaced or repealed” (Article 41.3a) by a Commission decision. Moreover, the Commission will “monitor the functioning of decisions” already adopted, with a view to adequacy remaining in force, being amended or being repealed.

So nothing can be taken for granted. The maintenance of adequacy will be earned through conformity with European standards on privacy law.

  5. Honing privacy compliance strategies in the context of adequacy

Here are the best practices from our clients transferring or receiving European personal data:

  • Identify legal obligations under the coming GDPR;
  • Perform a gap analysis to address possible compliance issues in advance of the GDPR coming into force;
  • Negotiate with sub-contractors contract clauses compliant with the GDPR;
  • Include monitoring provisions in the contract clauses, such as the right to audit the sub-contractor to ensure compliance;
  • Establish data centres or hire cloud services in States having adequacy, or with companies self-certified under the EU-US Privacy Shield.

Adequacy status is an objective shared by governments and companies.


CRTC ENFORCEMENT ADVISORY: REMEMBER, YOU MUST HAVE RECORDS TO PROVE CONSENT

The Canadian Radio-television and Telecommunications Commission (CRTC) issued an enforcement advisory to both businesses and individuals that send commercial electronic messages (CEMs) to keep records of consent. The CRTC reminded senders of CEMs that section 13 of Canada’s anti-spam legislation (CASL) places the onus on the sender to prove they have consent to send every single CEM.

The advisory made a point of noting that the CRTC has observed businesses and individuals unable to demonstrate they obtained consent before sending CEMs. Failure to meet record-keeping requirements has been alleged in recent CRTC enforcement decisions against organizations. Today’s enforcement advisory, however, may suggest the CRTC is finding record keeping to be a widespread concern warranting a general advisory.

Record keeping is one of the most contested provisions under CASL, as the financial, organizational and technical burden of meeting the high record-keeping standards set by the CRTC falls on senders. Having the record-keeping requirements on the CRTC’s radar adds further urgency to ensuring a sender’s compliance program is sufficient.

The CRTC emphasized in its advisory that good record-keeping practices can assist senders in establishing a due diligence defence in the case of a violation under CASL. Violations of CASL may result in penalties of up to CAD $1,000,000 for individuals, and up to CAD $10,000,000 for organizations.

The CRTC reiterated its guidance that record-keeping should document:

  • All evidence of express or implied consent from consumers who agree to receive CEMs. Evidence can be in various forms, such as audio, electronic or paper;
  • The procedures and methods through which senders obtain consent;
  • The sender’s CASL policies and procedures;
  • All unsubscribe requests and subsequent actions taken.

Click here to read the full CRTC Enforcement Advisory. For more guidance on record keeping, read the CRTC’s guidelines to help develop a corporate compliance program.


Dentons to Host Webinar “Don’t Call Me, I’ll Call You: Navigating TCPA Compliance and Class Actions”

Join Dentons on August 4th from 2:00-3:00 p.m. EDT as we discuss recent developments and upcoming issues under the Telephone Consumer Protection Act (TCPA). Our panelists will discuss the surge in class action activity, the anticipated impact of recent FCC declaratory rulings and orders, and steps you can take to protect yourself against liability.


Topics covered during the one-hour webinar will include:

  • An overview of the TCPA, including what it prohibits, who it protects, and why it needs to be on the radar of every consumer-facing company
  • Frequently litigated provisions and emerging issues, including key agency orders relevant to TCPA suits
  • The implications of the Supreme Court’s Spokeo and Campbell-Ewald decisions for individual and class action litigation
  • Best practices, compliance tips, and business strategies for avoiding and defending against TCPA claims

The panel will feature the following Dentons partners:

  • Petrina McDaniel, a certified information privacy professional (CIPP/US) who has successfully litigated TCPA class actions in federal courts across the US and routinely counsels clients on TCPA compliance and FCC regulations.
  • Nathan Garroway, an experienced trial lawyer who has worked on federal and state TCPA matters for more than 10 years, including defending class actions in Illinois, Indiana, Florida, Georgia and California.
  • Laura Geist, whose complex litigation defense practice for the insurance and financial services industries includes her recent defeat of class certification in a federal nationwide “junk fax” class action brought under the TCPA.
  • Todd Daubert, an industry leader with nearly 20 years of experience in the telecommunications and technology space who has developed and implemented compliance strategies relating to telemarketing, defended against claims of consumer protection law violations and advocated for changes to telemarketing rules.

To register, click here.


Dentons to Participate in Whistleblowing and Privacy Webinar

Whistleblowing is back in the news with the recent unveiling of the Ontario Securities Commission’s office of the Whistleblower. Our post about the new program can be found here.

Join DataGuidance and Dentons on August 4, 2016 for an examination of Whistleblowing & Privacy in Canada and select other jurisdictions. Click here to register.
