Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.

1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

There have been several recent regulatory developments in Canada in the area of cybersecurity. These include:

  • the coming into force of mandatory breach notification regulations under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA);
  • key regulatory findings from Canada’s Office of the Privacy Commissioner of Canada (OPC) in the case of Report of Findings #2019-001 involving Equifax Canada and Equifax Inc; and
  • legislative developments in the area of national security matters (specifically, Bill C-59).

At the federal level, PIPEDA’s mandatory breach notification and record-keeping regime came into force on 1 November 2018. Accordingly, private sector organisations subject to PIPEDA must report to the OPC, and notify affected individuals of, any breach of security safeguards where ‘it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm’ to an individual. Both the report to the commissioner and the notification to individuals must be made as soon as feasible after the organisation determines that the breach has occurred, and in both cases the form, content and manner of reporting and notifying must comply with the requirements prescribed by regulation.

The organisation must also notify any other organisation or government institution that may be able to reduce the risk of harm resulting from the breach. The breach notification rules further require organisations to maintain, in prescribed form, records of every breach of security safeguards involving personal information under their control and to provide the OPC with access to those records upon request.

Regarding regulatory findings, the OPC released in April 2019 its investigative findings in a matter involving Equifax Canada Co and its US parent, Equifax Inc (Report of Findings #2019-001). This case involved a global data breach of credit files by third-party hackers, affecting the personal information of 143 million individuals worldwide, including 19,000 Canadians. Notably, while the affected credit files were stored on servers located in Canada, Equifax Canada had transferred information from these files to its US affiliate in order to deliver certain direct-to-consumer products to Canadian customers that were only available through Equifax Inc in the US.

Following an extensive investigation into the matter, the OPC found that both Equifax Inc and Equifax Canada had contravened PIPEDA. Among several privacy shortcomings were poor security safeguards, inadequate consent and notification procedures, lack of accountability for Canadians’ personal information and limited protection measures offered to affected individuals following the security breach.

Significantly, the OPC found Equifax Canada’s transfer of personal data to Equifax Inc for processing required prior consent from individuals under PIPEDA. Given the sensitive nature of the data involved (financial) and what the commissioner considered were the reasonable expectations of affected individuals, the OPC further found that the form of consent should have been explicit (ie, opt-in consent).

This finding signified a drastic departure from the OPC’s 2009 Guidelines for Processing Personal Data Across Borders. The OPC’s previous policy position had consistently treated transfers to third parties for processing as a use that could be carried out without consent, so long as the organisation ensured, through contractual or other means, that the data would receive a comparable level of protection and would only be processed for the purpose for which it was originally collected. Moreover, in cases involving cross-border data transfers, individuals had to be clearly notified that their data would be processed in a foreign jurisdiction, would be subject to that jurisdiction’s laws and could be accessed by foreign authorities, including law enforcement and national security agencies. Through its Equifax finding, the OPC introduced a new regulatory expectation that data transfers among corporate affiliates for processing should be treated as third-party disclosures requiring consent.

The OPC has since launched stakeholder consultations seeking views on this new interpretation and whether this change in policy position should be expanded beyond Equifax, to apply more generally to all other organisations.

As a result of this finding, organisations subject to PIPEDA would be well advised to pay close attention to the OPC’s evolving policy position on transborder data flows and any anticipated legislative reform of PIPEDA that, if and when passed, will likely address this important issue.

Other key takeaways from the Equifax Report of Findings include the important privacy and security provisions to be included in written data processing agreements in order to ensure that any personal information being transferred is treated with a comparable level of protection when in the hands of the processor. Organisations should also take note of the remedial measures recommended to Equifax by the OPC to strengthen Equifax’s safeguards and retention programme, namely, to:

  • implement a procedure to keep the written agreement between Equifax Canada and Equifax Inc up to date;
  • institute a robust monitoring programme by Equifax Canada to ensure compliance with the written agreement; and
  • identify the personal information of Canadians that should no longer be retained by Equifax Inc according to its retention schedule and delete it.

The OPC also found that an organisation’s safeguarding obligations include an ongoing obligation to guard against unauthorised access and use after a breach, requiring Equifax to offer affected individuals low-cost credit freeze products in addition to extended credit monitoring in order to mitigate any further risk of harm resulting from potential identity theft.

Finally, organisations should note that this investigation also culminated in Equifax entering into a compliance agreement with the OPC, involving six years of third-party audits and detailed timelines for various corrective measures to be implemented by Equifax Canada relating to consent, safeguards and accountability. We expect to see an increase in such compliance agreements being entered into between the OPC and organisations subject to privacy breach investigations by the OPC in the future.

On 21 June 2019, Bill C-59, An Act respecting National Security Matters, received Royal Assent. As noted in our 2018 update, this new law is significant for a number of reasons, including the expanded mandate of the Communications Security Establishment (CSE) to allow it to interfere with foreign online efforts that threaten Canada, including by protecting Canada’s networks from foreign cyberthreats – both defensively and actively. CSE will have greater ability to defend critical cyber-infrastructure in the private sector by removing legal barriers to the sharing of certain cyberthreat information, the provision of mitigation advice and the deployment of CSE’s cybersecurity tools, upon request.

Such expanded powers are, however, also subject to more robust checks and balances in the form of the newly created National Security and Intelligence Review Agency and the Intelligence Commissioner, tasked with overseeing different and related aspects of the government’s national security efforts. While some provisions of the Act took effect immediately (eg, changes to certain offences under the Criminal Code), others will come into force in the near future.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

Under PIPEDA’s new breach notification regime (Breach of Security Safeguards Regulations, SOR/2018-64), which came into force on 1 November 2018, organisations are required to report to the Privacy Commissioner, and to notify affected individuals of, any breach of security safeguards that meets the legally prescribed threshold.

‘Breach of security safeguards’ means ‘the loss of, unauthorised access to or unauthorised disclosure of personal information resulting from a breach of an organisation’s security safeguards . . . or from a failure to establish those safeguards’.

Legal threshold

The legal threshold for reporting to the Privacy Commissioner and notifying affected individuals is the same, namely: ‘if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual’.

In determining whether a real risk of significant harm exists, organisations must take into account:

  • the sensitivity of the personal information involved in the breach;
  • the probability that the personal information has been, is being or will be misused; and
  • any other prescribed factor (at time of writing, there was no other prescribed factor).

Significant harm includes ‘bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property’.

In terms of timing, both the report to the Privacy Commissioner and the notification to affected individuals must be made ‘as soon as feasible after the organisation determines that the breach has occurred’.

Form and content of the report to the Privacy Commissioner

The report to the Privacy Commissioner shall be sent in writing, by any secure means of communication, and shall contain the following prescribed elements:

  • a description of the circumstances of the breach and, if known, the cause;
  • the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
  • a description of the personal information that is the subject of the breach to the extent that the information is known;
  • the number of individuals affected by the breach or, if unknown, the approximate number;
  • a description of the steps that the organisation has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
  • a description of the steps that the organisation has taken or intends to take to notify affected individuals of the breach; and
  • the name and contact information of a person who can answer, on behalf of the organisation, the Privacy Commissioner’s questions about the breach.

Form and content of the notification to individuals

The required notification to affected individuals shall contain the following content:

  • a description of the circumstances of the breach;
  • the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
  • a description of the personal information that is the subject of the breach to the extent that the information is known;
  • a description of the steps that the organisation has taken to reduce the risk of harm that could result from the breach;
  • a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
  • contact information that the affected individual can use to obtain further information about the breach.

The notification shall be given to affected individuals directly (that is, in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances).

In limited circumstances, individuals can be notified indirectly (for example, by means of public communication or other reasonable measure expected to reach them) where:

  • direct notification would be likely to cause further harm to the affected individual;
  • direct notification would be likely to cause undue hardship for the organisation; or
  • the organisation does not have contact information for the affected individual.

Other provisions of note

An organisation must also notify, as soon as feasible after it determines that the breach has occurred, any other organisation or government institution that it believes may be able to reduce or mitigate the risk of harm that could result from the breach.

Under Canada’s new breach notification regime, organisations are now under a positive obligation to maintain a record of every breach of security safeguards and produce such records to the Privacy Commissioner of Canada upon request.

An organisation that knowingly fails to report a breach to the Privacy Commissioner, notify an affected individual or maintain breach records, as required by law, commits an offence and is liable to a fine not exceeding C$10,000 in the case of an offence punishable on summary conviction or C$100,000 for an indictable offence.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

When a data security incident occurs and the race is on to contain potential damage, there is very little time to react on the spot, let alone to think matters through. To mitigate risks effectively, issues must be anticipated and thought through well beforehand in the form of a robust breach incident readiness and response plan, and that plan should be exercised several times (through tabletop exercises, for example) to make sure that all of its component parts work well when deployed. (See more about an effective breach incident readiness and response plan, below.)

Be that as it may, when the time comes, there are no more dress rehearsals. Some of the most challenging issues that arise in the ‘heat’ of a breach incident involve the preliminary investigation phase. Finding the source of the breach and containing the data leak as quickly as possible can be extremely difficult. Sometimes the problem can be identified and acted upon immediately, for example, by recovering the lost documents or hard drives, resetting passwords, patching the vulnerable software, closing off access to company servers or isolating compromised systems from the rest of the network. Even then, containment steps should be taken in a way that preserves the evidence (logs, disk images, affected accounts) that the subsequent investigation, and any regulator or litigant, will ask for. Other times, the source of the data loss cannot be determined. Suspicious patterns of network behaviour may never be resolved; extortion demands may or may not turn out to be empty threats; the imposters behind social engineering ploys may never be identified; and missing documents, hard drives or other mobile devices may never be found.

Meanwhile, organisations are expected to gather concrete facts to determine the nature and scope of the information that was breached, its level of sensitivity, the number of individuals involved, whether or not it was adequately encrypted, etc, so as to meaningfully assess whether the threshold for notifying data protection regulators and individuals has been met. The timeline for notifying is short, namely ‘as soon as feasible’ after the organisation learns of the breach, failing which the organisation may face stiff penalties. While the temptation may be to notify pre-emptively just in case, doing so before the facts are known risks unduly alarming individuals.

Once a determination has been made that regulators and individuals should be notified, the challenge is in deciding what to say and when, for the situation may be rapidly evolving. On the one hand, organisations may want to provide as many facts as possible in an effort to be transparent and to project a sense of certainty, predictability and control over the situation. On the other hand, having to go back on information previously given, as additional and potentially contradictory facts are uncovered, risks damaging credibility and may come up in an eventual regulatory investigation, should it come to that.

After the what and when comes the how. How should individuals be notified? In an effort to mitigate potential damage, well-meaning organisations may inadvertently jump the gun by wanting to get the information out as quickly as possible, without sufficient regard to the mechanism for doing so. Direct notification may not be appropriate where the chosen channel risks disclosing sensitive personal information about the affected individual to others (family members, roommates, co-workers, etc) and so causing more harm than good. Canadian law explicitly recognises that indirect notification (through public notice) may be an acceptable alternative where appropriate, and organisations will need to think that through carefully.

Along the same vein, well-meaning organisations may rush to offer credit monitoring services by immediately contracting credit monitoring companies to provide these services to affected individuals in an effort to help mitigate harm, while omitting the necessary prior step of seeking individuals’ consent. And in the case of minors among the group of affected individuals, that process of contacting and obtaining consent may add an additional dimension of complexity.

Many times, these issues may be playing themselves out in real time, through the media. Organisations would be well served by having public relations experts on hand, well-steeped in managing crisis communications, ready to go when the need arises. This expertise may be drawn internally, or may be engaged through an external firm on retainer. Organisations should expect to face tensions between what the public relations firms may recommend is best to communicate from a reputational perspective, and what the lawyers may be advising from a potential liability point of view.

In major breach situations, where the prospect of litigation looms, including potential class action lawsuits and claims against potentially negligent processors, organisations face a whole additional layer of challenges as they strive to maintain solicitor-client privilege and preserve the chain of evidence in a volatile and rapid-fire context. Where there are potential criminal elements at play, including malicious hackers, ransomware and possible state-sponsored attacks on critical infrastructure, organisations may find themselves out of their depth in dealing with what can be frightening situations. Organisations will have to handle these situations with special caution and know when to reach out to law enforcement or other government institutions for assistance.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

In light of the OPC’s recent Report of Findings #2019-001 on the Investigation into Equifax Inc and Equifax Canada Co (see question 1) organisations should consider the following best practices in efforts to improve cybersecurity preparedness.

  • Organisations (particularly those handling sensitive information) should have in place a robust security programme that assesses all the security risks they may face, protects against those risks and includes measures to ensure that every element of the programme is, in fact, implemented in practice.
  • Organisations should ensure that adequate data retention and destruction policies are in place, and that employees are properly trained with respect to such policies.
  • Organisations should stand ready to demonstrate accountability for all personal information in their custody and control (including information that has been transferred to a third party for processing) using contractual and other means. As noted, this may mean implementing more robust privacy and security provisions under any data processing agreements to ensure that any personal information being transferred is treated with a comparable level of protection by recipient organisations.
  • In the event of a security breach, organisations should note that mitigation efforts are critical. In particular, affiliated organisations must promptly coordinate and cooperate in breach notification efforts to affected individuals and offer reasonable protections to affected individuals commensurate with the severity of the breach and the sensitivity of the personal information impacted.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

To date, Canadian private sector privacy laws have set out fairly consistent obligations for private sector organisations that outsource the processing of personal information. These requirements are generally contained within the statutory-based principles of accountability, safeguards and openness.

Accountability

Under PIPEDA, an ‘organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organisation shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.’ (PIPEDA, Principle 4.1.3) Comparable does not mean the same, but it does mean generally equivalent.

Consequently, an organisation that transfers personal information to a third-party cloud-based service provider for processing remains accountable for the protection of the personal information it transfers. Organisations are responsible for understanding the outsourcer’s personal information handling processes, must have appropriate confidentiality agreements in place with contractors and must require the same of subcontractors.

While PIPEDA does not prohibit the transfer of personal information to foreign-based service providers, organisations thinking about moving data to a cloud-hosting environment should note that the OPC has recently taken steps toward amending its 2009 Guidelines for Processing Personal Data Across Borders. As noted, the OPC issued a notice in April 2019 initiating a consultation on transborder data flows. While this consultation process is still ongoing, it may bring about new obligations under PIPEDA’s accountability principle for organisations transferring data to third parties and even to organisational affiliates.

In the meantime, organisations should be diligent in their dealings with foreign-based service providers. For even the best confidentiality agreement cannot override the local laws of a foreign jurisdiction, including laws relating to law enforcement and national security. Further, organisations would be well advised to review the OPC’s recent investigation into Equifax Inc and Equifax Canada Co’s compliance with PIPEDA in light of the 2017 breach of personal information, which provides some indication of the OPC’s expectations regarding organisational accountability under PIPEDA.

Safeguards

PIPEDA contains safeguarding obligations that require an organisation to implement reasonable technical, physical and administrative measures in an effort to protect personal information against loss or theft, as well as unauthorised access, disclosure, copying, use or modification (PIPEDA, Principle 4.7). These obligations continue to apply to organisations even when personal information is in the custody of a third-party service provider.

OPC guidance provides that organisations must take all reasonable steps to ensure that personal information is safeguarded when in the custody of a third-party service provider. For instance, the organisation must be satisfied that the third-party service provider has policies and procedures in place (including training for its staff and effective security measures). The organisation should also have and exercise, when appropriate, the right to audit and inspect how the third-party service provider handles and stores personal information.

Given that PIPEDA’s mandatory breach notification and record-keeping regime is now in force, organisations would also be well advised to ensure that any data processing or other data-related agreements with third parties contain provisions outlining the obligations of each party in the event of a breach of security safeguards (eg, with respect to the notification of regulators and individuals, cooperative investigation efforts and responsibilities for the costs of such activities). Such agreements should also mandate that any third-party service providers maintain records of any such breaches and that such records will be available to the organisation for review and inspection.

In addition, and as noted above in the discussion about the OPC’s recent Report of Findings #2019-001 in the Equifax matter, an organisation’s safeguarding obligations include taking mitigation steps following a data security breach, to promptly reduce risks and offer reasonable protections to affected individuals commensurate with the severity of the breach and the sensitivity of the personal information impacted.

Openness, notice and consent

Although the OPC’s previous 2009 Guidelines for Processing Personal Data Across Borders did not require the consent of individuals for organisations to transfer personal information to third-party service providers, including cloud service providers, for processing directly related to the original purpose for which the personal information was collected, that policy position is currently under review.

In April 2019, the OPC issued a notice initiating a consultation on transborder data flows (the Consultation) in conjunction with the Report of Findings #2019-001. The purpose of the Consultation was to solicit views on the OPC’s proposed reversal of its long-standing position on the transfer of personal information to third parties for processing under PIPEDA. The proposed change in policy position would henceforth require consent (explicit consent in some cases) for any transfers of personal information from one organisation to another for processing, including transfers within Canada, cross-border transfers and transfers to service providers and affiliates.

The OPC subsequently released a Reframed Discussion Document (on 11 June 2019) that consolidates and supersedes its original Consultation by seeking additional stakeholder views on how PIPEDA should be amended to address this issue in the future. The proposed policy changes anticipated with respect to transborder data flows will likely bring additional considerations for organisations engaged in moving data to a cloud hosting environment. As the deadline for submissions to the OPC’s Reframed Discussion Document was 6 August 2019, we would urge organisations to monitor any developments on this topic in the near future.

Meanwhile, provincial private sector privacy laws remain generally consistent with the OPC’s 2009 Guidelines for Processing Personal Data Across Borders, with additional conditions applicable to transborder data flows in Quebec and Alberta.

In Quebec, an organisation must take reasonable steps to ensure that personal information transferred to service providers outside Quebec will not be used for other purposes and will not be communicated to third parties without consent (except under certain exceptions prescribed in the Act). The Act also specifically provides that the organisation must refuse to transfer personal information outside Quebec where it considers that the information will not receive such protection.

In Alberta, organisations that use foreign service providers must include the following information in their policies and procedures:

  • the countries outside Canada in which the collection, use, disclosure or storage is occurring or may occur; and
  • the purposes for which the third-party service provider outside Canada has been authorised to collect, use or disclose personal information for or on behalf of the organisation.

Furthermore, in Alberta, notice to individuals must be provided at the time of collection or transfer of the personal information and must specify:

  • the way in which the individual may obtain access to written information about the organisation’s policies and practices with respect to service providers outside Canada; and
  • the name or position name or title of a person who is able to answer on behalf of the organisation the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organisation.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

Cognisant of the strategic importance of cybersecurity to Canada’s ‘competitiveness, economic stability and long-term prosperity’, the Canadian government, through Budget 2018, allocated more than C$500 million to support the implementation of the National Cyber Security Strategy (2018) by the government of Canada cybersecurity community, which includes multiple departments coordinated by Public Safety Canada. The 2018 strategy builds on Canada’s first Cyber Security Strategy of 2010 and has as its main themes:

  • ensuring secure and resilient Canadian systems to enhance cybersecurity capabilities and resilience;
  • building an innovative and adaptive cyber ecosystem to support advanced research and innovation in the area of cybersecurity; and
  • supporting effective leadership and collaboration between different levels of Canadian government and partners around the world to strengthen the federal government’s leadership role in protecting and promoting cybersecurity in Canada, working in close collaboration with provinces and international allies.

As part of the National Strategy 2018, over C$155 million was specifically earmarked to create a new Canadian Centre for Cyber Security, as part of the Communications Security Establishment (CSE). The aim of the new Centre, announced in June 2018, is to consolidate capacity and expertise, streamline efforts and facilitate coordination across relevant federal departments with operational responsibilities over cybersecurity. It is also intended to provide a unified and outward-facing source of trusted guidance, support and services to Canadians.

Mindful of the increased threats to the country’s national security via attacks on critical infrastructure that spans both public and private sectors, one of the main objectives of the new Centre will be to engage and work more closely with private sector partners in exchanging information about emerging cybersecurity threats and providing advice on means of enhancing cyber resilience.

More specifically, and as per its website:

The Cyber Centre will focus on:

  • Informing Canada and Canadians about cyber security matters, as a single, clear, trusted source of information on cyber security for Canadians and businesses
  • Protecting Canadians’ cyber security interests through targeted advice, specific guidance, direct hands-on assistance, and strong collaborative partnerships
  • Developing and sharing specialized cyber defence technologies and tools resulting in better cyber security for all Canadians
  • Defending cyber systems, including government systems, by deploying sophisticated cyber defence solutions
  • Acting as the operational leader and government spokesperson during cyber security events.

In addition, Bill C-59, described above, strengthens the mandate and authorities of CSE in relation to cybersecurity and information assurance, including a defensive cyber operations mandate to protect Canada and Canadians from foreign cyber threats. Through these and other concerted efforts, the Canadian government has significantly stepped up its efforts to address serious cybersecurity threats and combat cybercrime.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

In contemplating M&A deals, privacy and data security issues are critical considerations during the due diligence stage and eventual determination of whether to proceed with a transaction. As a preliminary matter, Canada’s federal privacy law, PIPEDA, incorporates an express business transaction exception that allows an organisation that is party to a prospective business transaction to use and disclose personal information without consent when it is necessary to determine whether to proceed with the transaction. To rely on this exception, the organisations must have entered into a prescribed confidentiality agreement limiting the disclosure of personal information to only that which is necessary to proceed with the transaction; restricting its use solely for purposes related to the transaction; requiring the recipient organisation to appropriately safeguard the personal information; and, if the transaction is not completed, ensuring the secure return or disposal of such information.

Similar legal requirements apply to permit the ongoing use and disclosure of personal information without consent after the business transaction is completed. Then too, a confidentiality agreement will be required between the parties to the transaction to limit its ongoing use and disclosure solely for purposes for which the personal information was originally permitted to be collected, used or disclosed before the transaction and to ensure its ongoing protection. Individuals must also, within a reasonable time after the transaction is completed, be notified of the transaction and that their personal information has been shared with the ‘new’ organisation, and be given the opportunity to withdraw their consent accordingly.

In determining whether to proceed with a transaction, risks related to privacy and data security and how a potential target organisation has addressed such matters are critical. Parties to a prospective business transaction will want to minimise the risk that they inherit more than they bargained for, as the costs associated with responding to a data-related incident and regulatory investigation are significant. Accordingly, organisations should conduct the necessary due diligence to ensure that the potential target has taken privacy and security risks seriously, and maintains an up-to-date, comprehensive privacy programme. If they do not, it is ‘buyer beware’.

The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

The ideal lawyers to help with cybersecurity incidents are lawyers who have helped many other clients get through the country’s largest, most complex and highly publicised data breaches. Clients also appreciate lawyers with practical and hands-on experience dealing with regulators in the context of regulatory investigations and in different scenarios. Lawyers must be comfortable dealing with multiple data protection authorities at once and in parallel. Finally, clients should look for lawyers who are able, through their past experiences, to abstract all the critical elements that should form part of a breach incident and readiness response plan.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

The interplay between Canadian privacy laws, anti-spam legislation, consumer protection laws and various other sector-specific requirements. Likewise, the intersection between privacy law, competition law and human rights law adds further layers of complexity and fascination. In addition, the era of data analytics and artificial intelligence has raised a whole new dimension of ethical considerations that organisations are currently grappling with and that will only intensify from here.

How is the privacy landscape changing in your jurisdiction?

In May 2019, Canada’s Minister of Innovation, Science and Economic Development announced Canada’s new Digital Charter that is intended to lay the foundation for increasing consumer trust in the digital economy and sets the groundwork for reforming Canada’s privacy laws. The Minister also unveiled proposals for modernising PIPEDA as part of an initial set of actions aimed at implementing the Digital Charter. The consultation paper proposes four broad areas, each with related policy options and questions for stakeholders, for further consideration and consultation.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

See PIPEDA Report of Findings #2019-001.