CyberLex

Insights on cybersecurity, privacy and data protection law

When Loose Lips Will (or Will Not) Sink Ships: Privilege, Privacy and Wilfulness

Posted in Privacy, Privacy Act
Krupa Kotecha

The Background

On July 26th, 2016, the Supreme Court of British Columbia released an interesting decision that addresses questions regarding: (1) the scope of privilege that applies to work done by lawyers in relation to judicial proceedings; and (2) the interpretation of BC’s Privacy Act with respect to the requirement of “wilfulness”.

In Duncan v. Lessing, 2016 BCSC 1386, the issue centred on claims brought by an individual, Mr. Duncan, against Mr. Lessing, a lawyer who represented Duncan’s former wife in family litigation between the two parties. The plaintiff claimed that the defendant lawyer breached his privacy: (1) in the course of serving application materials; and (2) through the conveyance of information about the plaintiff in a casual conversation with another lawyer.

The first alleged breach of privacy concerned prior litigation between the plaintiff and his former wife. In the course of bringing an action against the plaintiff, the defendant’s process server unintentionally served an unsealed notice of application and affidavit on several companies not party to the litigation. The plaintiff contended that these documents contained information of circumstances between the couple which were private, including tax returns and a pre-nuptial agreement.

Additionally, the plaintiff also alleged that a breach of privacy took place when the defendant lawyer and another lawyer were conversing over a break in an examination for discovery pertaining to an unrelated action. The defendant discussed the facts of the case without naming the parties and disclosed that he was representing a wife whose husband had previously sold a business in Alberta for $15 million. The other lawyer’s client, who was familiar with the fact that the defendant was acting for the plaintiff’s wife, was able to deduce the identity of the plaintiff from the information divulged.

In response to the plaintiff’s claims, the defendant lawyer raised several defences. With respect to the service of the companies, the defendant contended that, because the impugned actions were undertaken in furtherance of the lawyer’s duties to the plaintiff’s wife, the defence of absolute privilege provided the defendant with immunity from civil liability. The defence also asserted that neither the service of the companies, nor the disclosure arising from the “casual conversation”, resulted in violations of the Privacy Act.

The Decision

Defence of Absolute Privilege Applicable to Breach of Privacy Claim

In handing down the decision, Justice Griffin rejected the plaintiff’s claims relating to the first alleged breach of privacy, first confirming that the defence of absolute privilege was applicable:

The absolute privilege that applies to lawyers working for a client in the context of an ongoing judicial proceeding provides a defence to intentional misconduct such as defamation. It clearly also must apply to an error in service of court documents, for all the same policy reasons. Here [the lawyer’s] only purpose for service was in furtherance of the Family Action.

The fact that the defendant’s actions were undertaken for the sole purpose of furthering his client’s interests thus served to shield the defendant from civil liability. Furthermore, Justice Griffin noted that nothing in the Rules of Civil Procedure required a party effecting service to place the documents in a sealed envelope marked “confidential” or otherwise. The Court noted that, despite the fact that “serving court documents within a sealed envelope could be a good practice”, it was nonetheless the case that “[n]o evidence was called to suggest that service within a sealed envelope is standard practice when a law firm hires a third party to effect service.” As a result, the defendant’s failure to use sealed envelopes did not bring service of the application outside the scope of absolute privilege.

Information Not Embarrassing or Particularly Unique Won’t Support a Finding of “Wilful” Privacy Violation

Furthermore, the Court also held that no breach of privacy arose from the “casual conversation” incident involving the defendant. This was determined on the basis of the Court’s finding that the sale of the plaintiff’s business was not private. In setting out the rationale for this finding, Justice Griffin noted that:

The plaintiff’s evidence failed to prove that Mr. Lessing could only have learned this information from private information disclosed by Mr. Duncan in the Family Action, as opposed to learning it from his own client or general investigations […] [T]here is no obvious inference here that the sale price in relation to a past business transaction involving several parties was information about which a person involved in the transaction could in the circumstances reasonably be entitled to privacy.

Concluding that the plaintiff could not establish a reasonable entitlement to privacy with respect to the disclosed information, Justice Griffin rejected the basis for the plaintiff’s second claim. Of particular interest is the Justice’s obiter commentary dealing with the question of whether the defendant’s disclosure was a “wilful” violation of the plaintiff’s privacy. This discussion included the assertion that subsections 1(1) and (3) of the Privacy Act must be read together to determine whether a breach of an individual’s privacy occurred, and that “[t]he act must be wilful, without a claim of right, and the nature, incidence and occasion of the act and the relationship between the parties must be considered.” As the information relating to the sale was not embarrassing or particularly unique, the Court determined that the defendant did not wilfully reveal private information about the plaintiff or act with any other malicious intention. In this sense, Justice Griffin distinguished the case at bar from instances involving the disclosure of a medical condition (Hollinsworth (1998), 59 BCLR (3d) 121), something to which shame attaches (Watts v Klaemt, 2007 BCSC 662), or that is deeply personal (Griffin v Sullivan, 2008 BCSC 827).

The Takeaway

While the outcome of the case is a lawyer-friendly decision, the factual situation giving rise to the claim serves as a stark reminder to counsel with a tendency to engage in idle inter-discovery chit-chat. Although the information disclosed by the defendant (in this instance) was not “private” per se, a situation involving the communication of potentially embarrassing or personal information could very well leave a lawyer on the wrong side of privacy law (at least in BC) and susceptible to ensuing liability and litigation. The term “wilful” appears in most provincial privacy legislation.

Lawyers will also be relieved to know that the defence of absolute privilege has been confirmed to be available to them in the context of a breach of privacy action.

Cybersecurity Best Practices for Connected Cars Released

Posted in Cybersecurity, Internet of Things, Standards, Telematics
Kirsten Thompson

It has been predicted that by 2020 there will be a quarter billion vehicles on the road with connected capabilities; Tesla founder Elon Musk is even more aggressive, predicting fully autonomous vehicles on the roads within two years. However, some of the most significant concerns with connected vehicles are cybersecurity and privacy protection. These concerns were the main impetus behind the creation in the US of the Auto Information Sharing and Analysis Centre (ISAC) by a group of US automakers in July of 2014 (see our previous blog post on the subject). The group allows its members to share information about threats and vulnerabilities, conduct analysis and develop industry solutions. The Auto ISAC has now released its “Automotive Cybersecurity Best Practices”.

The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties. The Best Practices expand on the Framework for Automotive Cybersecurity published in January 2016 by the Alliance of Automobile Manufacturers (“Auto Alliance”) and the Association of Global Automakers (“Global Automakers”).

Previously, the Auto Alliance and the Global Automakers had published a set of “Consumer Privacy Protection Principles” to address vehicle technologies, but the document in many respects fell short of what was required by Canadian privacy laws.

Best Practice Framework

The framework covers seven major topic areas and is designed to help those engineering connected vehicles to create vehicles that are not only resistant to attack but also fail-safe (in other words, if an attack does succeed, the vehicle fails in a way that is safe, e.g., coming to a slow stop rather than a sudden halt). The topic areas are:

  • Governance: Effective governance practices include defined executive oversight for security, defined roles and responsibilities for cybersecurity within the organization, dedication of appropriate resources to cybersecurity and the establishment of governance processes to ensure compliance.
  • Risk Assessment and Management: In order to mitigate the impact of cybersecurity vulnerabilities, organizations are expected to standardize their processes to identify and manage risks and to monitor compliance by relevant stakeholders.
  • Security by Design: Cybersecurity features should be integrated into the design process by including security reviews in the development process, vulnerability testing, and validation of software updates.
  • Threat Detection and Protection: In order to proactively detect threats, automakers are expected to use consistent processes to identify vulnerabilities, use a risk-based approach to threat monitoring, and have a plan in place for vulnerability disclosure and updates.
  • Incident Response and Recovery: Automakers are expected to have an incident response plan with a dedicated incident response team that is periodically tested and evaluated to promote timely and appropriate action.
  • Training and Awareness: In order to create a culture of security, automakers are expected to establish training programs for stakeholders and educate employees on their security roles and responsibilities.
  • Collaboration and Engagement with Appropriate Third Parties: Since the connected car will involve interaction between the original equipment manufacturer and external vendors, having a policy in place for third parties that is regularly reviewed is an industry best practice.

Where the Rubber Meets the Road: Key Implications and Canadian Business

The release of the Auto ISAC best practices is a welcome step, but also raises several issues. The primary concern is the enforceability of the standards. Membership in the Auto Alliance, which runs the Auto ISAC, is voluntary, meaning there is no easy way to hold automakers accountable for implementing best practices. If an automaker believes the cost of implementing cybersecurity best practices exceeds the benefit of being part of the Auto Alliance, it can simply leave the Auto Alliance. The best practices are also limited in scope to “refer primarily to US light-duty, on-road vehicles”, which raises questions about whether they will be observed in Canada and other countries.

There are also questions about how feasible implementation of the best practices is. The Auto ISAC report gives no timeline for implementation and recognizes that there could be variations between different automakers. For example, one of the best practices identified is the creation of an incident response and recovery strategy, although many auto executives acknowledge that they have not considered how they would respond if their vehicles were hacked.

Automakers operating in Canada should be aware that the adoption of industry-specific cybersecurity standards does not mean that the Personal Information Protection and Electronic Documents Act (PIPEDA) does not apply, or that adoption of such best practices translates into compliance with PIPEDA. Industry codes, while helpful, cannot be used as a substitute for compliance with Canada’s privacy legislation. Differences between PIPEDA and the Privacy Principles of the US Alliance of Automobile Manufacturers suggest that adopting the latter and applying a blanket approach to Canada may not be in the best interest of automakers or others in the auto industry. A tailored privacy management program that stays abreast of legal developments affecting automotive products is a more prudent approach.

* Arie van Wijngaarden is a JD/MBA student in McCarthy Tetrault’s Toronto office.

Payments Association Adopts Biometric Verification Specification

Posted in Authentication
Kirsten Thompson, Meghan S. Bridges

The Payments Association of South Africa (“PASA”), the payments system management body of that country, recently announced a new biometric verification specification, which is set to become the standard for biometric payments throughout South Africa. The new specification will facilitate biometric authentication on payment cards. Visa and Mastercard are partners in the initiative.

Typically, biometric authentication standards are particularized to the company or financial institution facilitating payment. The biometric standard accepted for authenticating payment at one vendor would not necessarily, or even generally, be the same as the standard accepted at another vendor. The PASA standard is designed to eliminate or at least minimize these discrepancies and permit authentication of a payment via the same biometric standard at any vendor.

Biometrics in Canada

Biometric authentication is not unique to South Africa. Closer to home, Tangerine recently re-released its mobile app for iOS, which includes biometric authentication features allowing users to protect their accounts via iris scan or vocal password. In the first quarter of 2016, the Bank of Montreal released a biometric corporate credit card in partnership with Mastercard, which relies on facial recognition and fingerprint biometrics.

Financial institutions are not the only groups interested in biometrics—the Canadian Border Services Agency is running a trial project with the federal Immigration Department to use biometric technology to catch individuals traveling with fraudulent documents. A waterpark in Ontario, realizing their swimsuit-clad patrons had few places in which to carry a wallet, employs cashless fingerprint payments.

Finally, as noted in recent CyberLex blog posts (here and here), provincial governments in British Columbia and Manitoba are investing in all-in-one identification technologies also targeted at improving identification and authentication for payments.

Considerations for Business

Biometric measures are appealing to businesses because they are convenient (no need to remember a PIN or enter a code) and they automatically identify people or verify their identity. However, biometric characteristics (such as fingerprints, voiceprints, retina scans and so on) are personal information under provincial and federal privacy laws and, as such, must be treated in accordance with those privacy laws. One of the chief concerns is that biometric information collected for one purpose (e.g. payment account identity verification) will be employed for another (e.g. routine surveillance, storage for matching against future samples, targeted advertising, etc.).

In biometrics, the potential for multiple uses originates from the fact that they are relatively permanent and highly distinctive, making them a convenient identifier that is both constant and universal. These characteristics are difficult, if not impossible, to change, which heightens the need to protect this type of information. While the breach of a database of PINs is problematic, at the end of the day the PINs can be changed; a breach of a database of DNA or fingerprints does not permit such risk mitigation.

The Privacy Commissioner of Canada has suggested businesses ask themselves four questions before undertaking a biometric system:

  1. Is the measure demonstrably necessary to meet a specific need?
  2. Is it likely to be effective in meeting that need?
  3. Would the loss of privacy be proportionate to the benefit gained?
  4. Is there a less privacy-invasive way of achieving the same end?

Companies have run into difficulties where they have deployed biometrics in the context of identification for exams and facial recognition for surveillance or marketing.

For more information about our firm’s Fintech expertise, please see our Fintech group‘s page.

RegTech Stepping Forward: UK Financial Services Regulator Publishes Results on RegTech Consultation

Posted in Big Data, Financial, FinTech, Privacy, Regulatory Compliance
Kirsten Thompson, Ana Badour, Matthew Flynn, Jason Phelan

What is RegTech?

The UK’s financial prudential regulator, the Financial Conduct Authority (the “FCA”), has recently published its Feedback Statement on Call for Input: Supporting the development and adopters of RegTech, where it outlined the result of its earlier Call for Input on how to support the development of “RegTech”.

“RegTech” is defined by the FCA as the application of “new technologies to facilitate the delivery of regulatory requirements”.

In short, RegTech promises to make sense of cluttered and intertwined sets of data, rapidly configure and generate reports using this data, and intelligently mine the data to realize its value (i.e. use the same data for multiple purposes). Examples of applications of this approach range from big data reporting tools that could increase regulators’ use of big data, to real-time system-embedded compliance evaluation tools that could improve operational efficiency in monitoring transactions, anti-money laundering and fraud risk. RegTech could potentially assist financial services providers in complying with regulation in a more cost-effective and easier way, while also potentially allowing regulators to access, analyse and process an increasing amount of data.

Context of the Call for Input

The FCA recognized that in the aftermath of the financial crisis, the financial services sector has had to deal with more onerous reporting requirements and comply with stricter regulatory standards. Regulators are also facing new challenges in monitoring compliance, as they have to supervise the application of more regulation while having to review more data to measure risk. The FCA seeks to improve effective compliance and reduce the cost of regulation for both firms and the regulator, and it sees the development and adoption of RegTech as a way to help achieve this aim. The Call for Input was issued as part of the FCA’s Project Innovate, which was launched in October 2014.

In its Call for Input, the FCA sought views on the following issues: (1) what type of RegTech would make it easier for firms to interact with regulators, at a lower cost and lower administrative burden; (2) what role should the FCA play in order to foster development and adoption of RegTech in financial services; (3) specific regulatory rules or policies posing barriers to innovation of RegTech; (4) regulatory rules or policies that should be introduced; and (5) existing regulatory compliance or regulatory reporting requirements that would most benefit from RegTech.

Types of RegTech

The FCA categorized the types of RegTech that could benefit the financial services industry as the following, based on feedback received:

  1. Technology that allows more efficient methods of sharing information.

These include alternative reporting methods, shared utilities, cloud computing, and online platforms.

  • At a base level, cloud computing, and open online platforms could be leveraged as universally accessible tools that would better enable firms to interact with regulators, promote improved collaboration and engagement amongst the various industry players in the financial regulatory ecosystem, and help provide accessibility to regulatory changes.
  • Cloud computing and open online platforms would also be critical in enabling types of RegTech described in item #3 below – technology that simplifies data, allows better decisions and the creation of adaptive automation, such as big data analytics, risk and compliance monitoring, modelling/ visualization technology and machine learning and cognitive technology (artificial intelligence).
  • A move to cloud computing and open online platforms could also enable financial institutions to de-shackle themselves from closed, archaic legacy systems and make a strategic leap to best-in-class systems (in terms of performance, security, and open standards) at a low cost, given that the cloud computing and open online platform applications and infrastructure could be accessed on a relatively low subscription basis with little to no long term capital outlays.
  • Shared utilities, in which financial institution participants would collectively take part in contracting for and accessing third-party services, could substantially lower the administrative burdens and costs of such financial institutions’ compliance. For example, a service could collect end-client information in a shared portal (e.g., information required by know-your-client rules) for the immediate use of all financial institution participants.
  • Alternative reporting methods, which permit financial institutions to provide regulatory data in various formats, would also be enabled by online platforms that permit the development of application programming interfaces (APIs) (as described in item #2 below).
  2. Technology that drives efficiencies by closing gaps between intention and interpretation.

This is technology that makes the compliance process more efficient by closing the gap between the intention of the regulatory requirements and the subsequent interpretation and implementation within the regulated entity. Some examples of this type of technology are:

  • semantic technology and data points models: semantic technologies encode meaning into content and data to enable a computer system to possess human-like understanding and reasoning. In one example of this technology (called linked data), links are created between data points within documents and other forms of data containers, rather than the documents themselves. In this way, regulatory text is translated into code.
  • shared data ontology: an ontology represents knowledge as a hierarchy of concepts within a domain, using a shared vocabulary to denote the types, properties and interrelationships of those concepts. Ontology does to applications what Google does to the Web – instead of having to go to each web page and search for a piece of information, an ontology allows a user to search a schematic model of all data within the applications. This allows the user to extract relevant data from a source application, such as a CRM system, big data applications, files, warranty documents etc. From a compliance perspective, shared ontology allows the creation of a compliance management solution based on a shared conceptualization of the compliance management domain.
  • application programming interfaces (APIs): this is technology which allows the integration and interoperability between systems (chiefly over the internet) and can reduce costs, increase efficiency and provide platforms for innovation.
  • robo-handbooks and other robo-advice tools: these are computerized tools that are intended to deliver advice and guidance, and could allow firms to interact with regulation in order to understand the impact on their systems and processes.
  3. Technology that simplifies data, allows better decisions and the creation of adaptive automation.

Put simply, this is technology that simplifies and assists firms in managing and exploiting their existing data, supports better decision-making and makes ferreting out those who are not playing by the rules easier. Financial institutions are often challenged by the complexities of growing amounts of data stored in various locations in different formats, and legacy compliance processes and systems struggle to keep up. What is needed are smarter, more efficient solutions; hence, RegTech. Examples of these types of technology include big data analytics, risk and compliance monitoring, modelling/visualization technology and machine learning and cognitive technology (artificial intelligence).

  4. Technology that allows regulation and compliance to be looked at differently.

These include blockchain/ distributed ledgers, inbuilt compliance, biometrics and system monitoring and visualization.

Encouraging Adoption of RegTech

The FCA identified that, based on the feedback received, it can play a role in the development of RegTech by driving industry standards, encouraging improved collaboration and engagement and, possibly, FCA certification of RegTech.

In terms of why RegTech has not yet been widely adopted, respondents pointed to uncertainty over regulations, the stance of regulators and the credibility of unproven technologies. In addition, privacy legislation, the lack of standards in reporting, lack of accessibility to regulatory changes, as well as the general infancy of the sector also proved a challenge.

Feedback suggested that the following would help encourage the adoption of RegTech:

  1. Defining new regulations in a machine readable format. Similarly, the recent U.S. Department of the Treasury’s white paper on marketplace lending “Opportunities and Challenges in Online Marketplace Lending” also recommended, more generally, the release of government data in formats that can be easily processed by third party software (so called “smart disclosure”) as described in further detail in our recent post;
  2. Greater consistency and compatibility of regulations internationally; and
  3. Establishing a common global regulatory taxonomy.

The FCA report also outlined specific examples of RegTech that could assist with meeting regulatory requirements. These included global requirements such as Basel III, and more generally capital requirements and stress testing, as well as requirements under Dodd-Frank in the U.S.

RegTech in Canada

The Canadian financial services industry, like that in the UK, is subject to numerous regulatory requirements, particularly following the financial crisis. Many of these requirements are very similar, and Canadian firms and regulators would likewise benefit from additional technology tools facilitating compliance and reporting, where appropriate.

However, in seeking such benefits, attention must be paid to existing regulations that affect the adoption of RegTech in Canada. By way of example, the requirements set out in Guideline B-10, Outsourcing of Business Activities, Functions and Processes (“Guideline B-10”) issued by the Office of the Superintendent of Financial Institutions (“OSFI”) apply in the event that an entity that is deemed a “federally regulated entity” (“FRE”) under Guideline B-10 outsources one or more of its business activities to a service provider. In the financial services industry context, FREs include federally regulated banks, and Guideline B-10 could materially impact how FREs must contract for, among other things, cloud computing solutions and online platforms.

For more information about our firm’s Fintech and RegTech expertise, please see our Fintech group‘s page.

Proving Consent under CASL: CRTC Issues Enforcement Advisory Notice

Posted in CASL, Regulatory Compliance

The Canadian Radio-television and Telecommunications Commission (“CRTC”) has issued an Enforcement Advisory notice directed to businesses and individuals that send commercial electronic messages (“CEMs”) as part of their commercial activities. Notably, the sender of CEMs must have the consent of the recipient to send them a message, or else the message is considered spam. Section 13 of the federal anti-spam legislation (“CASL”) puts the onus on the sender of CEMs to prove that they have the proper consent, whether express or implied, to send the message. However, the CRTC has observed that some businesses and individuals are unable to prove such consent.

Accordingly, the CRTC issued this Enforcement Advisory to remind relevant parties of the requirements pertaining to record-keeping in order to comply with section 13 of CASL. The Advisory reads, in part:

Senders of commercial electronic messages should consider keeping a hard copy or an electronic record of, among others:

  • all evidence of express and implied consent (e.g. audio recordings, copies of signed consent forms, completed electronic forms) from consumers who agree to receive CEMs
  • documented methods through which consent was collected
  • policies and procedures regarding CASL compliance
  • all unsubscribe requests and resulting actions

The CRTC further stated that these types of practices can help the sender to:

  • identify potential non-compliance issues
  • investigate and respond to consumer complaints
  • identify the need for corrective actions
  • demonstrate that these corrective actions were implemented
  • establish a due diligence defense in the case of a violation of CASL

Businesses and individuals that are experiencing difficulty in obtaining consent or tracking it should consult the CRTC’s Guidance on Implied Consent or the CRTC’s guidance on corporate compliance programs (Compliance and Enforcement Information Bulletin CRTC 2014-326).

* Amanda Iarusso is a summer student in McCarthy Tetrault’s Toronto office.

BC Government Explores Smartphone App for ID Authentication

Posted in Authentication, FinTech
Genevieve Pinto

According to media reports, the B.C. government is developing a new smartphone app that will one day allow people to access secure government websites, services and databases simply by tapping their new Services Card to their smartphones in order to authenticate their identity. The new chip-enabled Services Cards recently rolled out by the B.C. government combine a driver’s licence and Care Card (health care card) in one piece of ID that employs NFC (near field communication) technology, similar to that in credit and debit cards.

In addition to convenience and ease of use, the government has stated that one goal of the new Services Card is to reduce fraud in the health care system, noting that it is estimated there are 9 million Care Cards issued in British Columbia for a population that numbers only 4.5 million. The new mobile technology currently being developed will also aim to make it easier for people to identify themselves and access their records, including personal eHealth medical records, drug prescriptions, drivers’ licences, and even online voting.

Other Efforts at Digital IDs

B.C. is not alone in pursuing all-in-one identification technology. The Manitoba government announced this year that it is investing $13 million to allow Manitobans to receive, starting in the fall of 2017, all-in-one Personal Identification Cards, which will combine driver’s licences, photo ID, health card and travel ID (see our previous post here). The Manitoba government is also aiming, with this project, to improve access to photo ID and authentication for low-income and homeless Manitobans.

Internationally, media reported that the U.K.’s Driver and Vehicle Licensing Agency also announced earlier this year the development of a digital driver’s licence using Apple Wallet. The digital driver’s licence would be an “add-on” to existing plastic driver’s licences, with a view to enhancing security.

Improvements in identification and authentication technology are expected to make significant improvements to everyday tasks for Canadians. In 2014, Canadian leaders from the public sector, banks, and tech companies came together to launch a non-profit coalition, the Digital ID and Authentication Council of Canada (“DIACC”). The DIACC “is committed in developing a Canadian digital and identification and authentication framework to enable Canada’s full and secure participation in the global digital economy”. The DIACC has released several proofs of concept, including online proof of residency and online opening of bank accounts, aimed at solving real world problems with innovative solutions for commercial, government and research purposes.

Privacy and Data Security Concerns

Along with the improved accessibility and convenience of these all-in-one identification solutions come the expected concerns regarding data security and confidentiality of personal information. Some have also raised concerns regarding the potential for use in citizen profiling, state surveillance, and external attacks. However, proponents of these projects note that the main sources of identity theft and fraudulent use are often the result of human interaction that occurs in the supply chain of such data. It may be that reducing the human activity that occurs in the issuance, management and use of identity will make it safer. In the near future, advances in biometric technology may incorporate these types of features into digital authentication systems, thereby enhancing security.

For more information about our firm’s Fintech expertise, please see our Fintech group’s page.

* Sophie Brown is an articling student in the Québec office of McCarthy Tétrault.

E-Signed Union Membership Cards (Mostly) Accepted by Labour Relations Board

Posted in E-Commerce, Employment
Laura DeVries

In what appears to be the first decision of its kind, the British Columbia Labour Relations Board (the “Board”) recently accepted electronically signed union membership cards submitted in support of a union certification application.

Context

The United Food and Commercial Workers Union (the “Union”) had applied under section 18 of the Labour Relations Code (the “Code”) for certification of a unit of the employer’s employees.

However, the Union didn’t use the ordinary pen-and-paper practice of signed membership cards and opted instead to use electronically signed membership cards. The cards in question were created using an e-signature software program, with mandatory “Name”, “Signature” and “Date” fields, and sent to prospective union members via email. The recipients could then sign using either a “draw” function (with finger or stylus) or a “type” function. In the latter case, the program automatically converted the typed name into a font which resembled handwriting. The e-signature program also generated an audit trail indicating the dates and times at which the blank cards were created, sent to the recipients, viewed, signed, and sent back to the Union organizer, and the IP addresses of the devices used at each step.

At the Union’s certification application, the issue was whether the electronic signatures met the requirement in the Labour Relations Regulation (the “Regulation”) that “a membership card must be signed and dated at the time of signature”. Given the novelty of the issue, the Board in Working Enterprises Consulting & Benefits Services Ltd v United Food and Commercial Workers International Union, Local 1518, 2016 CanLII 29625 (BC LRB) elected to provide written reasons.

Interestingly, the employer did not oppose the certification application.

Typed Signatures Rejected

The Board reviewed the audit trail and the cards, and commented that the mandatory nature of the name, signature, and date fields provided assurance that the cards had been signed and dated at the time indicated.

However, the Board rejected a card that appeared to have been signed using the “type” function, commenting that this card was “no different than a pen and paper printed block signature in quotation marks”.

Demonstrated Reliability and Authenticity

The Board also stated that in future, it would “expect a similar demonstration” of reliability and authenticity of the date and signing of cards as that provided by the audit trail.

Interestingly, this seems to set a standard regarding proof of authenticity that the Board has not historically required for traditional pen-and-ink signatures. The requirement seems inconsistent with the Board’s comment in the same decision that “[a] challenge to the reliability of membership evidence must be supported by evidence of a relatively high degree of probative value”. The Board also took no issue with the Union’s assertion that the Board ordinarily accepts paper forms without attempting to determine whether the forms were signed by the individuals to whom the signatures were attributed, or on the dates indicated.

The Board also held that the electronic signatures in this case complied with British Columbia’s Electronic Transactions Act (the “Act”). The Act itself does not include an audit requirement; it expressly provides that “[i]f there is a requirement under law for the signature of a person, that requirement is satisfied by an electronic signature”. The question of whether the Board’s requirement for an audit trail is consistent with the Act may arise in future litigation.

If you don’t got it, don’t flaunt it: FTC Issues Warnings to Companies Claiming APEC Privacy Certification

Posted in Privacy, Regulatory Compliance, Standards

The United States Federal Trade Commission (“FTC”) has issued warning letters to 28 companies claiming to be certified participants in the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) system. This is an important reminder for companies, including Canadian companies, that the use of international certifications is something in which regulators take a keen interest.

Background

The APEC CBPR system provides a common standard for cross-border flows of personal information based on the APEC Privacy Framework. Companies that wish to self-certify as CBPR compliant must implement privacy policies and practices compliant with the CBPR program requirements and then obtain certification of this compliance from an APEC-recognized Accountability Agent. Once an organization has been certified for participation in the CBPR system, these privacy policies and practices will become binding as to that participant and will be enforceable by an appropriate authority, such as a regulator, to ensure compliance. Participating countries include the United States, Japan and Mexico. Canada joined in 2015, meaning CBPR-certified Canadian companies can freely transmit personal information to other self-certified companies in these jurisdictions (and vice versa). It is anticipated that the system will expand to eventually encompass the remaining 16 APEC member economies.

Warning Letters

The FTC warning letter is targeted at companies that claim to be APEC CBPR certified but have not presented evidence of having taken the correct steps to obtain the certification. This leaves them open to an enforcement action based on the FTC’s authority over unfair or deceptive acts or practices:

We are writing because your website indicates that you represent that you participate in the [APEC CBPR]. However, our records indicate that your organization has not taken the requisite steps to be able to claim participation in the APEC CBPR system, such as undergoing a review by an APEC-recognized Accountability Agent. A company that falsely claims APEC CBPR system participation may be subject to an enforcement action based on the FTC’s deception authority under Section 5 of the Federal Trade Commission Act (“FTC Act”). Indeed, we have brought many cases against companies that we allege, among other things, have falsely claimed to participate in international privacy program such as the APEC CBPR system, see generally https://www.ftc.gov/tips-advice/business-center/legalresources?type=case&field_consumer_protection_topics_tid=251.

We ask, therefore, that your organization (1) immediately remove from its website, privacy policy statement, and any other public documents all representations that could be construed as claiming APEC CBPR participation; and (2) contact us within 45 days at apec.cbpr@ftc.gov to inform us that you have done so.

The FTC did not release the names of the organizations to which it sent letters. This gives the organizations a chance to demonstrate compliance and revise their websites, and thereby avoid the reputational damage associated with being publicly cited by the regulator. However, the fact that the FTC publicized the issuance of the warning letters likely indicates that it views the problem of unsubstantiated certifications as an issue which needs to be addressed.

Lessons for Canadian Business

While the Canadian privacy regime generally benefits from having broad private-sector privacy legislation that permits transfers of personal information under specified conditions, companies may want to (or be required to) obtain certification in certain circumstances. If they do, they should keep in mind the following points:

1. Regulators all over the world, including in Canada, are more closely scrutinizing self-certification. The FTC letter is part of a broader crackdown on APEC CBPR certifications. In May 2016, the FTC reached a settlement with Very Incognito Technologies, Inc., doing business as Vipvape, based on allegations that Vipvape represented on its website that it was APEC CBPR certified when, according to the complaint, it was not.

The FTC’s action on the APEC CBPR self-certification program can be seen as part of a broader regulatory concern with deceptive or misleading attestations of compliance. False (or out of date) certifications were also an issue with the now-defunct US-EU Safe Harbor certification program, and in August of 2015, the FTC announced settlements with thirteen companies it charged had misled consumers by claiming they were certified members of the Safe Harbor framework.

Companies which are part of self-certification programs should be watchful of regulatory actions and be prepared to respond to requests for information from their regulators. It would be prudent to expect regulators in other jurisdictions, including Canada, the EU and Australia, to be more aggressive in their investigation of self-certification systems in future. The best way for a company to avoid trouble is straightforward: do not claim a certification your organization does not have (and ensure that any certifications validly obtained have not expired).

2. Have your compliance monitored by a reputable organization. APEC CBPR sets out a certified process and ongoing requirements for becoming an “Accountability Agent” which can certify that a company is meeting the standards required by APEC for cross-border flows of personal information. In order to become an Accountability Agent, an organization must first apply to the relevant authority where it intends to operate (such as the Office of the Privacy Commissioner in Canada or the FTC and Department of Commerce in the United States). Once the organization has obtained the approval of the relevant authority, its application is forwarded to the APEC Joint Oversight Panel for approval. The process takes time, and is detailed.

Companies should be wary of organizations which claim to offer auditing and certification on the cheap. Consider asking questions about the would-be Accountability Agent’s experience with regulators in different jurisdictions, its technical capabilities, and whether any organization it has certified has ever experienced a privacy breach or regulatory investigation. The bona fides of an Accountability Agent may also be confirmed online.

3. Retaining records of audits is important, but… Companies being assessed for compliance with an international privacy framework will be requested by regulators to produce documentation of certification. No company wants to be in a situation where a regulator asks questions about its international certifications and the supporting documentation is unavailable, incomplete or out of date. A similar situation can arise if a company has entered into contracts in which it has represented that it has valid certifications – the counterparty may ask for proof (either at the time of execution, or during the life of the contract). As a result, companies will want to ensure that documentation supporting their certifications is updated regularly, stored securely, and can be produced in response to a regulatory inquiry.

However, retaining information about compliance with international privacy standards also comes with risk. Regulators are not the only ones interested in this information. A company’s privacy audit results can be valuable evidence to opposing counsel in future litigation. Companies should consider engaging their own counsel prior to undertaking an auditing or compliance process to ensure they are taking steps to protect privilege (if appropriate) and understand potential litigation risk.

Conclusion

The recent FTC warning letters are an important reminder that regulators are interested in privacy self-certification programs. Prudent organizations should ensure their certifications are valid and up to date, and that they are prepared to respond to regulators if necessary.

*Arie van Wijngaarden is a JD/MBA student in McCarthy Tetrault’s Toronto office.

German Regulator Finds Banks’ Data Rules “impede non-bank competitors”

Posted in Big Data, European Union, Financial, FinTech
Kirsten Thompson

“Open Banking” is an emerging term in financial services / financial technology that refers, among other things, to the use of open application programming interfaces (“APIs”) that enable third party developers to build applications and services around a financial institution. This requires a financial institution to throw open the doors to its customer data and allow it to be used by developers and other third party providers. Think of it as an app store for banks, where the apps allow consumers to compare rates, manage their accounts, obtain credit and make payments – all without having to actually engage a bank.

In Europe, this is set to become the norm in early 2018, thanks to the revised Payment Services Directive (“PSD2”) which was passed in January. PSD2 is designed to create a more level playing field for third party payment processors by making banks in Europe offer APIs that provide access to account information to third parties.

Some banks are embracing this, and see it as an opportunity to drive value in innovative new ways. Other banks are not as keen, and are taking steps to cut out the interlopers to preserve existing value and protect the customer relationship.

Long before there was a concept of “open banking”, there were similar products available: products that don’t rely on the openness of banking but rather on the willingness of an account holder to share his or her login information. Users provide their user IDs and passwords for the financial accounts they want to consolidate, so that the aggregation service can log in to these accounts and gather their financial information (a process known as “screen scraping”). A single third party web portal then displays the information, dashboard-style.

Concern in Canada and the US

In March of 2011, the Financial Consumer Agency of Canada (“FCAC”) issued a statement, warning Canadians to be aware of the possible risks of disclosing their online banking and credit card information to financial aggregation services. Aside from the obvious data security and privacy risks, the FCAC cautioned that using such a service could also violate the terms and conditions of the account:

Consumers should be aware that if they disclose their online banking information to any other party, including financial aggregators, they may risk losing their protection against unauthorized transactions. Some financial institutions’ user agreements clearly state that users will be responsible for unauthorized transactions if they provide other parties, including financial aggregators, with their passwords and account information.

The FCAC reminded consumers it was their responsibility to manage their online banking and credit card credentials in accordance with the terms of their user agreements, as well as to review their user agreements and to understand their responsibilities thereunder.

In 2015, media reported that a number of US banks had cut off data to these financial aggregators, citing concern that the rising use of such sites will overload bank servers, on top of worries that customer data could potentially be vulnerable to hackers. The aggregators charged that the banks, facing increasing competition from these companies, were becoming too protective of their customer information.

Germany Finds Banks’ Data Rules Violate Competition Law

The German competition regulator has now weighed in, finding that rules set by the German Banking Industry Committee violate both German and European competition law by imposing “special conditions for online banking” that mean customers cannot use their PINs (personal identification numbers) and TANs (transaction authentication numbers) in non-bank payment systems.

This, said the German regulator, has “significantly impeded” the use of non-bank providers for online purchases, preventing people from using lower-priced alternatives.

The German Banking Industry Committee had cited security concerns as the basis of the rules, but the German competition regulator (the Bundeskartellamt) dismissed this, saying that “the rules currently used cannot be considered as a necessary part of a consistent security concept of the banks and they impede non-bank competitors”.

Andreas Mundt, president of the Bundeskartellamt, said:

The online banking conditions of the German Banking Industry Committee hinder the offer of new and innovative services in the growing market for payment services in the e-commerce sector. In essence, it is about whether non-bank payment services can also use PINs and TANs. We have taken careful consideration of the justified interest of the banking industry that security in online banking has to be safeguarded. However, the rules currently used cannot be considered as a necessary part of a consistent security concept of the banks and they impede non-bank competitors.

The Bundeskartellamt has only declared certain specified clauses of the banks’ terms and conditions illegal, not the entire agreement. It also suspended the enforcement of its decision, meaning the parties are not under tight deadlines to change their course of action, although they must make the necessary changes. The Bundeskartellamt also noted that rules governing the activity of non-bank payment solution providers are currently undergoing a European legislative process.

EU-US Privacy Shield Adopted: Now What?

Posted in European Union, Legislation, Privacy
Keith Rose

On July 12, 2016, the European Commission formally issued its adequacy decision endorsing the EU-US Privacy Shield, following the approval of the deal by the Article 31 Committee on July 8. Although the European adequacy decision has immediate effect, U.S. organizations will not be able to take advantage of the Privacy Shield until the U.S. Department of Commerce begins accepting self-certifications, on August 1.

Self-Certification

The Department of Commerce has issued guidance to companies wishing to self-certify under the Privacy Shield. Only U.S. organizations subject to the jurisdiction of either the Federal Trade Commission or the Department of Transportation will be eligible for self-certification. This will exclude some organizations, such as banks and telecommunications companies, which are outside the jurisdiction of those agencies.

Eligible organizations that wish to self-certify should carefully review the guidance as well as the seven framework principles and the sixteen supporting principles (the “Principles”) that they must commit to adhere to. Although participation in the program is voluntary, once made, the commitment to adhere to the Principles will be enforceable under U.S. law.

Many of the Principles will be familiar to U.S. organizations that have previously participated in the former Safe Harbour regime, although they have now been elaborated in more detail, creating new compliance obligations.  There are some significant practical differences in the new model, including an obligation for organizations to provide access, at no cost to the individual, to an independent recourse mechanism, stricter limitations on onward transfers to third parties (including service providers)

Organizations should be cautious about any representations that suggest compliance with Privacy Shield if the organization has not formally self-certified. The FTC has recently issued a number of warning letters to organizations it alleges are claiming compliance with the APEC Cross-Border Privacy Rules system without actually meeting the certification requirements. Moreover, the U.S. government has formally stated in a letter to the European Commission that it intends to actively police false claims of participation in the Privacy Shield program.

Legal Challenges Likely

Legal challenges to the Privacy Shield framework are probably inevitable. For example, Max Schrems, the Austrian whose successful challenge invalidated the previous Safe Harbour regime (see our previous articles, here, here, and here), apparently intends to challenge the Privacy Shield as well.

The Article 29 Working Party had expressed some skepticism of a previous draft of the Privacy Shield. The deal was then strengthened at the negotiating table to address concerns relating to bulk data collection, the independence of the Privacy Shield Ombudsperson mechanism for review of complaints about state access to personal information, and data retention.

Even after these enhancements, it is perhaps unclear whether the proposed Ombuds mechanism would qualify as a means of “redress”, as that concept has been described by the CJEU. The terms of reference provide only that the Ombudsperson will “respond” to the complaint, in one of two ways: to confirm either that the relevant safeguards provided by U.S. law were complied with or, if that is not the case, that the non-conformance has been remedied. The Privacy Shield Ombudsperson will expressly not be permitted to report on any remedial action taken. Nor will the mechanism involve any possibility of access to, rectification of, or erasure of, any personal data in the hands of any state actors. As the Commission noted in the adequacy decision, these were explicit requirements set out by the CJEU in the Schrems decision.

In response, the new adequacy decision simply states that “The Commission’s assessment has confirmed that such legal remedies are provided for in the United States, including through the introduction of the Ombudsperson mechanism.” [See para. 124.]

It remains to be seen whether the CJEU agrees with this assessment. Until such a decision has been rendered, the Privacy Shield mechanism may offer less stability than most organizations would prefer. Moreover, the mechanism will be subject to annual reviews and the obligations it imposes may be subject to further elaboration over time.

Alternatives to Privacy Shield

U.S. organizations which do not wish to, or are not eligible to, participate in the Privacy Shield self-certification program can instead continue to rely on other mechanisms recognized by European law, including Standard Contractual Clauses (although these are themselves currently subject to a challenge and reference to the CJEU) or Binding Corporate Rules.

GDPR on the Horizon

All of this must also be assessed in light of the new General Data Protection Regulation (GDPR), set to come into force in the EU in 2018. The GDPR will impose significant new obligations on data processors (including some data processors located outside of the EU) including record keeping, data security, and breach notification obligations. Non-European data processors who offer goods and services to individuals in the EU, or who monitor the behavior of individuals in the EU, may be directly liable for fines up to €20 M or 4% of annual global revenues.

Organizations will have to consider how they will respond to the new GDPR obligations whether or not they self-certify under the Privacy Shield. Furthermore, the GDPR also tightens the rules by which the “adequacy” of foreign laws respecting the protection of personal information must be assessed. This raises the spectre of further challenges to (or evolutions of) the Privacy Shield itself in the future.

Implications for Canadian Organizations

Canada’s privacy laws were endorsed in 2001 as adequate in a separate decision of the EC. This decision was not directly affected by the Schrems decision and it remains in effect.

However, there has been some speculation that the Privacy Shield has effectively raised the bar and that Canada’s laws may be subject to new scrutiny. The Canadian adequacy decision is scheduled to be reviewed as part of a larger review, which is not due until 2020, but a review could be triggered at any time by a direct challenge.

To date, there have been no suggestions of any particular changes to Canadian privacy legislation that might be considered to strengthen the case for a renewed adequacy decision.

However, Canadian organizations which store or process personal information about EU citizens may wish to consider how their practices might be assessed against the Principles articulated in the Privacy Shield agreement.

In any event, they will have to consider how the GDPR may apply to them and what changes that may require, particularly in light of the significant penalties that can be assessed under the new regulation.

As a result, Canadian organizations that deal with European data will need to pay close attention to the changing global compliance landscape and should expect that they will face new compliance challenges over the next 18-24 months.