1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Canada’s Privacy Commissioner Pursues a Stronger Consent Framework and More Proactive Enforcement

On September 21st, 2017, Daniel Therrien, Canada’s Federal Privacy Commissioner, tabled his annual report to Canada’s Parliament today. The report to Parliament includes results and recommendations with respect to the OPC’s study on consent. In addition, the Commissioner requests Parliament overhaul Canada’s federal private sector legislation – the Personal Information Protection and Electronic Documents Act (PIPEDA).

Consent and Technology

A key issue for regulators and businesses is how to obtain meaningful and valid consent to collect and use personal information in the digital age. Revisiting and enhancing the consent model under PIPEDA is grounded in the Commissioner’s five year strategic privacy priorities. In 2016, the OPC issued a consultation paper regarding the challenges of obtaining meaningful consent in a continuously evolving technological ecosystem where the traditional “privacy policy” may not always be suitable. The OPC received feedback through roundtables, focus groups, surveys and receipt of 51 submissions from organizations, information technology specialists, academics, advocacy groups and other stakeholders.

Four Key Elements in Privacy Policies: The Commissioner stated that the OPC will be issuing an updated version of its consent guidelines that will require businesses and organizations to highlight in a user friendly way the following four key elements in their privacy notices:

  1. What information is being collected
  2. Who is it being shared with, including an enumeration of third parties
  3. The purposes for collecting, using or sharing including an explanation of purposes that are not integral to the service, and
  4. Identify the risk of harm to individuals, if any.

Risk of Harm: The OPC is amending its guidelines to require organizations to consider the risk of harm to individuals when considering the form of consent used. This consideration will be in addition to the sensitivity of the personal information and the reasonable expectations of the individual. We expect to learn more about this in the updated guidelines.

No-Go Zones: Expect new guidance for businesses and no-go zones where the use of information, even with consent, should be prohibited as inappropriate. The guidance will be aimed to provide clarity on what the OPC considers “inappropriate uses” under subsection 5(1) of PIPEDA.

Alternatives to Consent: The Commissioner outlined three potential solutions for enhancing privacy protection where traditional consent models conflict with advances in technology, including:

  1. De-identification: In some circumstances, like big data, de-identification protocols may be the right solution. The OPC will be issuing guidance on de-identification that will help businesses assess their protocols and reduce risk of re-identification to a low level where the information may be used without consent.
  2. Publicly available information: The Commissioner agrees that the categories of publicly available information in PIPEDA’s regulations are out of date, and should be revisited by Parliament. For now these exceptions remain the same, but we may someday see changes to the regulations.
  3. Call for reform of new exceptions: The Commissioner has requested that PIPEDA be amended to include new exceptions to consent (section 7 of PIPEDA) to address social activities not contemplated when PIPEDA was first drafted. The goal is to help organizations use data for new purposes that would benefit individuals and obtaining consent is not practical. For example, a mobile app wishes to now use information collected for geolocation mapping, and the business can demonstrate that the benefit of the new use of information outweighs the privacy incursion. This option would be considered a last resort and require pre-approval by the OPC.

Overhaul of PIPEDA including new Powers

The Commissioner reported that it is time to revisit how Canada’s federal privacy legislation, enacted in 2000, meets the realities of today’s digital world, including advances technology as well the addition of new enforcement powers already used by the OPC’s counterparts in the U.S. and Europe. The Commissioner proposed to Parliament that this overhaul include a new enforcement model that emphasizes proactive powers that are backed up by order-making authorities, including:

  • involuntary audits
  • issuing binding orders, and
  • impose administrative monetary penalties.

The request for reform of PIPEDA is certainly a hot topic as businesses and organizations await how Canada’s status as an adequate country is, or is not affected as a result of Europe’s General Data Protection Regulations.

Expect a more aggressive OPC

However, do not expect the OPC to wait for new powers. The Commissioner ended his report to Parliament adding that, beginning today, we can expect a more proactive and aggressive OPC with respect to enforcement. The OPC is sending a signal that complaints to the OPC will no longer be the primary tool and the OPC will be shifting itself as a proactive regulator ready to initiate investigations. The Commissioner reported that a complaint-driven model has its limits:

People are unlikely to file a complaint about something they do not know is happening, and in the age of big data and the Internet of Things, it is very difficult to know and understand what is happening to our personal information. My Office, however, is better positioned to examine these often opaque data flows and to make determinations as to their appropriateness under PIPEDA.

This is an important message. The Commissioner is not waiting for legislative reform and has put businesses and organizations on notice to expect a more active OPC, one that will be on the lookout for “specific issues or chronic problems” that must be addressed – possibly resulting in more Commissioner-initiated investigations.

More information

You can read the OPC’s news release here.

You can read the Commissioner’s remarks and full Annual Report to Parliament here.

Canada’s Privacy Commissioner Pursues a Stronger Consent Framework and More Proactive Enforcement

CASL Private Right of Action Delayed (Indefinitely)

The Government of Canada has repealed the coming into force of the private right of action for violations of Canada’s Anti-Spam Legislation (CASL). The Government has listened to concerns raised by businesses, charities and the not-for-profit sector about the implementation of CASL, which would have permitted individuals to sue for violations of the law.

The Government has also acknowledged that “businesses, charities and non-profit groups should not have to bear the burden of unnecessary red tape and costs to comply with the legislation” and has asked a Parliamentary Committee to review the legislation.

Read the Press Release here.

,

CASL Private Right of Action Delayed (Indefinitely)

Private Right of Action under CASL coming July 2017

Canada’s Anti-Spam Law came into force on July 1, 2014.  Since then, all eyes have been on the Canadian Radio-television and Telecommunications Commission (CRTC) for decisions concerning CASL violations.  In the cases made public to date, monetary penalties or settlement payments have ranged from $48,000 to $1.1 million.  Canadian and foreign companies have learned some things in the past two years about how CASL applies to their business, and many have taken steps to put in place policies and procedures to avoid violations.

Whatever steps you have taken to date, 2017 will be the time to revisit CASL compliance

On July 1, 2017, the private right of action (PRA) comes into force under CASL.  An individual or organization who is affected by a contravention may litigate to enforce the new private rights directly.  While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group.

Where the court finds a violation, it may order not only compensation for the applicant’s damages, but also monetary payments up to the following amounts:

  • for sending commercial electronic messages contrary to CASL – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred
  • for altering the transmission data of a commercial electronic message – a maximum of $1 million for each day that the conduct occurred
  • for installing apps or other computer programs contrary to CASL – a maximum of $1 million for each day that the conduct occurred
  • for scraping, generating or otherwise accessing electronic addresses contrary to PIPEDA – a maximum of $1 million for each day that the conduct occurred
  • for sending commercial electronic messages with false or misleading information, including sender, locator or subject matter information, contrary to the Competition Act – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred

When the court sets the amount to be paid, it must consider the purpose of the payment order – which “is to promote compliance…and not to punish”, the nature and scope of the violation, the history of compliance, any financial benefit or compensation from the conduct, ability to pay, and “any other relevant factor”.

CASL also provides for extended liability.  Directors, officers, agents or mandataries of a corporation may be liable if they directed, authorized, assented to or participated in the contravention.  Where an employee’s conduct in the course of his or her employment breaches CASL, the employer may be vicariously liable.

Revisiting CASL

CASL provides that where a person establishes that they exercised due diligence to prevent a violation, they cannot be found to have contravened CASL.  Despite this provision, a number of well-meaning businesses have been found offside CASL’s provisions, have made significant penalty or settlement payments, and in some cases have received negative media coverage for their failure to meet CASL requirements.

In July 2017, the risk exposure will increase.  Now is the time to revisit your CASL compliance.

  1. Discuss with your Board and Senior Management team why you need to revisit CASL in 2017.
  2. Make sure that you have a CASL Compliance Policy and Procedure that covers your operations, and that is easy for employees to understand and use.
  3. Ensure that existing and new employees have access to – and receive appropriate training in – the Policy and Procedure.
  4. Conduct an audit under the Compliance Policy and Procedure, including how consent is obtained and documented; whether unsubscribe requests are fulfilled quickly; whether CASL-compliant message templates are consistently used; how complaints are addressed (etc.).
  5. Consider whether you need to check in with service providers (to send messages or install apps or other computer programs) about their CASL compliance.
  6. Consider whether service provider contracts include the appropriate clauses to address CASL compliance, liability, and indemnification.

See also:

Lessons Learned: E-Learning Company Faces $50K Spam Fine

CRTC Enforcement Advisory – Records to Show Consent

Privacy Law and Anti-Spam – Guidance from the Office of the Privacy Commissioner

Canada’s Anti-Spam Law: Not just for Canadians

CASL Applies to Software January 15 2015

New CASL Compliance and Enforcement Guidelines

 

, ,

Private Right of Action under CASL coming July 2017

New York Proposes First-in-the-Nation Cybersecurity Regulation for Financial Institutions

On September 13, 2016, the New York Department of Financial Services introduced a new rule that would require banks, insurance companies and other financial institutions regulated by the Department to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety of New York’s financial services industry.  The proposed regulation is subject to a 45-day notice and public comment period, following the September 28, 2016 publication in the New York State register before final issuance.

Under the proposed rule, regulated financial institutions would be required to:

  • Establish a cybersecurity program;
  • Adopt a written cybersecurity policy;
  • Designate a Chief Information Security Officer responsible for implementing and overseeing the new cybersecurity program and policy; and
  • Have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to third-parties.

Establishment of a Cybersecurity Program

According to the proposed rule, regulated financial institutions will need to establish a “cybersecurity program designed to ensure the confidentiality, integrity and availability of information systems that performs five core cybersecurity functions:”

  • Identification of cyber risks.
  • Implementation of policies and procedures to protect unauthorized access / use or other malicious acts.
  • Detection of cybersecurity events.
  • Responsiveness to identified cybersecurity events to mitigate any negative events.
  • Recovery from cybersecurity events and restoration of normal operations and services.

Additional requirements for each “cybersecurity program” include:

  • Annual penetration testing and vulnerability assessments.
  • Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges.
  • Limitations and periodic reviews of access privileges.
  • Written application security procedures, guidelines and standards that are reviewed and updated by the CISO at least annually.
  • Annual risk assessment of the confidentiality, integrity, and availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted.
  • Employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures.
  • Multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access.
  • Timely destruction of nonpublic information that is no longer necessary except where required to be retained by law or regulation.
  • Monitoring of authorized users and cybersecurity awareness training for all personnel.
  • Encryption of all nonpublic information held or transmitted.
  • Written incident response plan to respond to, and recover from, any cybersecurity event.

Adoption of a Cybersecurity Policy

The new rule would require regulated financial institutions to adopt a written cybersecurity policy, setting forth “policies and procedures for the protection of their information systems and nonpublic information that addresses, at a minimum, the following:”

  • Information security.
  • Data governance and classification.
  • Access controls and identity management.
  • Business continuity and disaster recovery planning and resources.
  • Capacity and performance planning.
  • Systems operations and availability concerns.
  • Systems and network security.
  • Systems and network monitoring.
  • Systems and application development and quality assurance.
  • Physical security and environmental controls.
  • Customer data privacy.
  • Vendor and third-party service provider management.
  • Risk assessment.
  • Incident response.

Creation of Chief Information Security Officer

The new rule would require regulated financial institutions to designate a qualified individual to serve as a CISO, responsible for “overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy.”  The new rule also would require the CISO to “report to the board, at least bi-annually to:”

  • Assess the confidentiality, integrity and availability of information systems.
  • Detail exceptions to cybersecurity policies and procedures.
  • Identify cyber risks.
  • Assess the effectiveness of the cybersecurity program.
  • Propose steps to remediate any inadequacies identified.
  • Include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.

Third Party Protections

The new rule also would require regulated financial institutions to have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, including the following:

  • Identification and risk assessment of third-parties with access to such information systems or such nonpublic information.
  • Minimum cybersecurity practices required to be met by such third-parties.
  • Due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-parties.
  • Periodic assessment, at least annually, of third-parties and the continued adequacy of their cybersecurity practices.

A draft of the proposed rule is here.

New York Proposes First-in-the-Nation Cybersecurity Regulation for Financial Institutions

The Connected Retail Store

In the battle for consumer engagement, brick-and-mortar retailers and shopping centres are investing in new technologies to gather data on their customers and offer new shopping centre experiences. According to the Toronto Star, retailers are finding that millennials have a different approach to luxury than previous generations. No surprise – it is a more social and experiential understanding of luxury. Retailers are not stopping with social listening. Recent articles in the National Post and on the CBC describes technologies, such as those offered by Eyeris, that retailers can use to analyze and track emotions and engagement levels using in-store cameras. Another technology, offered by Stefanka, allows for 3D body scans to assist salespersons to find apparel that will fit the customer’s body.

Dentons, with special guests from Deloitte, will be tackling the legal issues pertinent to a successful Connected Retail Store in a half-day program to be held in Toronto on April 14, 2016. Dentons and Deloitte will address:

  • Omnichannel marketing issues and trends
  • Bringing eyeballs to the screens and feet to the stores
  • Privacy issues in tracking shoppers in stores
  • Negotiating percentage rent when dealing with online sales
  • Supply chain challenges and cross-border fulfillment

Learn more at http://www.dentons.com/en/whats-different-about-dentons/connecting-you-to-talented-lawyers-around-the-globe/events/2016/april/14/the-connected-retail-store

The Connected Retail Store