Insights on cybersecurity, privacy and data protection law

Competition Bureau to Study Fintech Market

Posted in Mobile Payments, Payments
Ana BadourDiego Beltran


The Competition Bureau announced on May 19, 2016 that it will launch a market study focused on how innovation in the fintech sector is impacting consumers and businesses, with the results intended to be published in the spring of 2017, seeking to determine whether there is a need for “regulatory reform to promote greater competition while maintaining consumer confidence in the sector.”

The announcement cites a report indicating that Canada appears to be lagging other countries in adoption of fintech as one of the reasons for deciding to study the financial services industry.

The study “will examine peer to peer banking, e wallets, mobile wallets, mobile payments, crowdfunding and online based financial advisory services [or robo-advisors]” and, according to the Bureau, will help it advise regulators and other authorities on how to ensure innovation and competition in the sector is not impeded. Blockchain technology is not part of the study as it is not considered by the Bureau to be within the study’s focus on consumer facing activities. However, the Bureau indicates it is open to changing the scope of the study should stakeholder consultation reveal a need for such change.

The study will not cover insurance (property and casualty, travel, and health), currencies and crypto currencies (e.g., Bitcoin), payday loans, loyalty programs, deposit taking, accounting, auditing, and tax preparation and services, large corporate, commercial or institutional investing and banking (e.g., pension fund management, corporate mergers and acquisitions) or business to business financial services other those services noted above as being within the scope of the study.

Interested stakeholders are invited to make submissions on the study or on issues specific to the study before June 30, 2016.

More information can be found at

Spokeo: Will U.S. Supreme Court’s Decision Impact Privacy Damages in Canada?

Posted in Privacy
Kirsten ThompsonDouglas Judson

The Spokeo decision’s requirement that there be a concrete injury in order to ground privacy damages is not just a U.S. issue. Canadian courts have been wrestling for some time with the question of what damages look like in the context of privacy breaches, especially in class actions. While not definitive or binding north of the border, Spokeo may provide insight into how future statutory privacy breach actions are framed in Canada.

On May 16, the Supreme Court of the United States (“SCOTUS”) released its reasons in Spokeo, Inc. v. Robins (“Spokeo”). The case is significant because it addressed the issue of what degree of damages are necessary in order to assert standing to bring such a claim, an issue that has long troubled “privacy breach” claimants in both Canada and the U.S. The existence of a private right of action under a U.S. federal statute does not automatically suffice to meet the “real” harm standard.

The court ultimately adopted a middle-ground position, allowing the action to proceed but maintaining a narrow approach to the type of injury that will give rise to standing. Of interest, the dissent raises new questions about the legal recourse available to those who allege injury from the mismanagement or inaccuracy of their personal information.

Spokeo illustrates a contrast between privacy and consumer reporting law regimes in Canada and the U.S., and the associated legal risk exposure of organizations that manage the personal information of consumers, clients, or members of the public.


Spokeo operates a “people search engine” that reviews a wide spectrum of databases to provide its users with information about individuals. The site markets itself as a mechanism for reuniting with lost connections, but can also be used for investigative purposes, such as evaluating job applicants.

The respondent, Thomas Robins, discovered that his Spokeo profile contained inaccurate information. He filed a federal class action complaint against Spokeo, alleging that the company failed to comply with its requirements under the U.S. Fair Credit Reporting  Act of 1970 (the “FCRA”). The FCRA requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy” of consumer reports and imposes liability on “[a]ny person who willfully fails to comply with any requirement [of the FCRA]” with respect to any individual.

(Canada does not have a “fair credit reporting act” per se, but provincial statutes such as Ontario’s Consumer Reporting Act require consumer reporting agencies to “adopt all procedures reasonable for ensuring accuracy and fairness in the contents of its consumer reports.[1] In additional, Canada’s privacy legislation incorporates the principle of accuracy and a right of correction.[2])

Robins alleged that Spokeo disseminated false information related to his education, family status, and wealth, causing Robins to fear that potential employers would rely on this inaccurate information and be disinclined to consider him for employment. Spokeo argued that Robins’ fear, without more, did not constitute actual harm.

The District Court dismissed the complaint, holding that Robins had not suffered an actual injury, and therefore had not properly pleaded “injury-in-fact”, as required by Article III of the U.S. Constitution (“Article III”). As a result, he lacked standing. On appeal, a panel of the Court of Appeals for the Ninth Circuit reversed the District Court decision. The Ninth Circuit’s decision was appealed to SCOTUS.

The Decision

The SCOTUS panel filed a 6-2 split decision. The majority determined that the Ninth Circuit’s decision was incomplete for failing to satisfy the “injury-in-fact” requirement under the test for standing.

The test for standing before federal courts in the U.S. has a constitutional basis. Article III establishes the judicial branch of the federal government. It gives courts the authority to adjudicate “any case or controversy”. The court has developed these principles fairly narrowly. A plaintiff only has standing in federal court if they suffer a concrete and particularized injury, that is  “actual or imminent, not conjectural or hypothetical.” For an injury to be particularized, it “must affect the plaintiff in a personal and individual way”. A concrete injury must actually exist, though it can be either tangible or intangible.

Significantly, the court in Spokeo emphasized that violations of FCRA procedural rights do not necessarily result in concrete harm and that “not all inaccuracies cause harm or present any risk of harm.” SCOTUS held that a “bare procedural violation, divorced from any concrete harm,” will not “satisfy the injury-in-fact requirement of Article III.” This is likely to reign in attempts by lower courts which have taken a more lenient view of standing. In one regard, it represents a reiteration and clarification of SCOTUS’ position in Clapper v. Amnesty International USA, which stated that a “‘threatened injury must be certainly impending to constitute injury in fact,’ and that ‘[a]llegations of possible future injury’ are not sufficient.”

Clapper opened the door to much debate (and litigation) in respect of the scope of a “certainly impending” injury – a door which SCOTUS appears to be have incrementally closed. However, the court did not say outright that a plaintiff must have suffered concrete harm in order to sue. It noted that in some circumstances, a “risk of real harm” may be sufficient to satisfy the requirement of concrete harm.

In the end, the Spokeo majority ultimately concluded that the Ninth Circuit failed to fully appreciate the distinction between concreteness and particularization in its reasons, and it sent the matter back for the lower court to consider of whether “the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement.”

The dissent agreed with the majority’s analysis, but took issue with the need to remand the decision to the Ninth Circuit for an assessment of whether Robins’ injury was, in fact, particular and concrete. The dissent found that the evidence before the court had shown that Spokeo’s inaccurate information about Robins could jeopardize his candidacy for jobs he had or would apply for, and could cause potential employers to make negative judgments, based on inaccurate information, about his suitability for certain work demands. In the dissent’s view, this was far more egregious than an incorrect zip code (citing the majority’s example).

Privacy Damages in Canada

Spokeo raises a number of considerations for organizations that manage consumer and public data, both in the U.S. and Canada.

In the U.S., the decision raises questions about the ability of claimants to sue to enforce privacy-compliance requirements or other procedural matters under causes of action established by legislation like the FCRA. This is particularly so where the statutory right of action does not explicitly include requirements for concrete or particular injuries or where no clear harm has (yet) materialized that the plaintiff can point to.

Moreover, the split decision illustrates a divide on the SCOTUS bench over the harm that can accrue from the mismanagement of personal information and the growing importance of strong consumer privacy laws in a data-rich and networked world. While the majority characterizes the erroneous Robins profile as an error of no particular consequence, the dissent appears to be alive to the consequences and risks to individuals of poor data gathering, management, and publication where personal information is concerned.

These issues are very much alive in the Canadian privacy landscape as well. Canadian courts and legislators continue to grapple with the nature and quality of damages required to prove a claim.

Across Canada’s legislatures, there have been a patchwork of statutory suit provisions enacted for privacy complaints. For instance, the Newfoundland privacy statute explicitly includes a statutory tort, actionable without proof of damage,[3] as do the privacy acts of B.C., Saskatchewan, and Manitoba.[4]  The Quebec statute creates only administrative offences, and contains no civil right of action.[5]

Under the personal information legislation of some provinces, the statutes create a right to sue for damages only after the statutory administrative processes have resulted in an order or conviction, and then only for “for damages for loss or injury that the individual has suffered as a result of the breach”.[6] Canada’s federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), takes a similar approach, but permits a court to “award damages to the complainant, including damages for any humiliation that the complainant has suffered.”[7]

Canadian courts’ struggle with these issues are evident in decisions like Chitrakar v. Bell TV:

The fixing of damages for privacy rights’ violations is a difficult matter absent evidence of direct loss. However, there is no reason to require that the violation be egregious before damages will be awarded. To do so would undermine the legislative intent of paragraph 16(c) which provides that damages be awarded for privacy violations including but not limited to damages for humiliation.

Privacy rights are being more broadly recognized as important rights in an era where information on an individual is so readily available even without consent. It is important that violations of those rights be recognized as properly compensable.[8]

An earlier decision, Nammo v. TransUnion of Canada Inc., addressed the issue as well, but took a more cautious approach:

Section 16 of PIPEDA provides that “[t]he Court may, in addition to any other remedies it may give … award damages to the complainant, including damages for any humiliation that the complainant has suffered.”  This provides the Court with exceptionally broad power to award damages.  Nevertheless, any damages awarded must be awarded on a principled basis, and be appropriate and just in the circumstances.[9]

Of note, the amendments to PIPEDA made under the Digital Privacy Act regarding mandatory data breach reporting set the reporting trigger as “real risk of significant harm” and state explicitly that “significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property”.[10] An organization which concludes that it must report a breach may, in doing so, be inadvertently conceding a measure of damages.


[1] Consumer Reporting Act, R.S.O. 1990, c. C.33 at s. 9.

[2] See, for instance, Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Sch. I at “Principle 6 – Accuracy”.

[3] Privacy Act, R.S.N.L. 1990, c. P-22.

[4] Privacy Act, R.S.B.C. 1996, c. 373; Privacy Act, R.S.M. 1987, c. P125; Freedom of Information and Protection of Privacy Act, R.S.S. 1978, c. P-24.

[5] An Act respecting the Protection of Personal Information in the Private Sector, C.Q.L.R., c. P-39.1. In Québec, the right to privacy is also protected by several provisions of the Civil Code of Québec and by the Charter of Human Rights and Freedoms, and a breach of these rights to privacy can lead to broad damages awards.

[6] Personal Information Protection Act, SA 2003, c P-6.5, section 60. See Martin v. General Teamsters, Local Union No. 362, 2011 ABQB 412, at paras. 47-48, in which the Court struck portions of a Claim on this point; Personal Information Protection Act, SBC 2003, c 63.

[7] Personal Information Protection and Electronic Documents Act, S.C. 2000, c 5 at s. 16. Along with the statutory regime, there is the common law intentional tort of “intrusion upon seclusion”, developed in Jones v. Tsige, 2012 ONCA 32. However, this tort has been rejected in B.C. and Alberta, where the courts have found that the provincial privacy statute excludes a common law action for intrusion upon seclusion. See Ladas v. Apple Inc., 2014 BCSC 1821 at paras. 76-77 and Martin v. General Teamsters, Local 362, 2011 ABQB 412 at paras. 43-48.

[8] Chitrakar v. Bell TV, 2013 FC 1103 at para. 24.

[9] Nammo v. TransUnion of Canada Inc., 2010 FC 1284 at para. 66.

[10] Digital Privacy Act, S.C. 2015, c. 32 at s. 10.1(7)

CPA Issues Consultation Paper on Vision for Canadian Payment Ecosystem

Posted in Payments
Ana Badour

On April 20, 2016, the Canadian Payments Association (the “CPA”) released a consultation paper “Developing a vision for the Canadian payment ecosystem” (the “Consultation Paper”), outlining its planned vision for the proposed modernization of the Canadian payments system. The Consultation Paper was issued following the CPA’s consultation with broad classes of stakeholders including financial institutions, fintechs, businesses, government and consumers.

Key Findings from Stakeholder Consultations

The Consultation Paper describes the CPA’s findings from its broad industry consultation on user needs.  Stakeholders identified the following features as desirable features for a modernized Canadian payments system:

  • Near real-time availability of funds – when making a payment, funds should ideally be made available to the recipient in 60 seconds or less. While some types of payments (for example Interac e-transfers) currently clear fairly quickly, other types of payments (such as wires) can take a long time to clear, as anyone who has spent several hours waiting for a wire to clear on a large transaction is well aware.  While not all transactions need to occur in real time (for example, pre-authorized and pre-scheduled payments may not be as time sensitive), businesses expressed the need for a better solution than wires for time sensitive payments.
  • 24/7/365 availability – Real-time payments should be able to be conducted at all times of the day/ week/ year, rather than only during business hours.
  • Enhanced payment data – The payor should be able to include data about a payment when sending the payment (similar to the information line available on a cheque right now). Such data could be very powerful and could, for example, be leveraged by accounting software to automate invoice reconciliation.  In this respect, Canada is in the process of adopting ISO20022, an international payments standard, which includes this feature (for further detail on ISO20022 and potential privacy and security concerns relating to the adoption of ISO20022, please see our prior post “First Draft of ISO 20022 Standard for Real-Time Payments Released, Raises Potential Privacy and Security Concerns”).
  • Transparency of payment status – Both the sender and recipient of a payment should receive automatic notification on payment status (such as currently done for Interac e-transfers for example) and should be able to track a transaction in real time (similar for example, to courier package tracking).
  • Routing of payments through information other than banking information– Payors should be able to send payments to a recipient by using information other than banking information, such as, for example, a telephone number or email address.  This would serve to both protect the privacy and security of sensitive banking information (since this information would not have to be communicated) and also to make sending payments easier and more convenient.
  • Improvement of cross-border payments – Cross-border payments should be faster, more efficient and more transparent. Both businesses and consumers expressed frustration with the current state of cross-border payments. To ensure cross-border payments in a modernized system are as efficient as possible, the CPA should ensure interoperability with international standards.  The planned adoption of ISO2002 in Canada s a key component o achieving such interoperability.

In terms of regulatory framework, the CPA noted that various stakeholders favoured regulatory oversight that would support payment innovation in Canada.  In particular, participants in the payment system favoured functional regulation of payment entities (where entities are regulated based on the type of service provided rather than on the type of entity they are), and were of the view that regulation should be based on outcomes rather than process, and that regulation should be principles-based rather than prescriptive.  New entrants (such as fintechs) also expressed the need for improved access to the payment system.  Achieving long-term cost efficiencies was also identified as a goal for the modernization of the Canadian clearing and settlement system.

Global Context

Canada is part of the second wave of countries undergoing payment system modernization.  A first wave of countries (which includes the UK, Brazil, Denmark and Singapore) have already completed their payments modernization process.  The second wave of countries is still in the planning, design or build stage, and includes Canada, the US and Australia.  The Clearing House in the U.S. is anticipating providing ISO20022-compliant real time payments by 2017.

Being part of the second wave, Canada is in a good position to take advantage of the lessons learned by the first wave.  The Consultation Paper lists the following best practices learned from a review of other countries’ experiences:

  • Build a new payment system – Most countries are building a new, standalone system rather than attempting to modify existing infrastructure. Building a new system on the whole appears to be less expensive and faster than attempting to modify existing payment systems.
  • Leverage existing resources – While the first wave of countries had to spend considerable resources into building new custom built solutions, the second wave is able to benefit from “off the shelf” options created following the first wave. It may also be possible to leverage some of the existing infrastructure to increase efficiencies.
  • Ensure appropriate incentives – While some initial modernization efforts have been mostly government mandated, more recent efforts tend to be more focused on addressing user needs.
  • Support adoption of near-real time products – There should be an alignment between the modernization effort and the commercialization of real-time payment applications (typically P2P solutions), to drive early adoption of the new payment system.
  • Support B2B functionality – While P2P solutions have generally been offered first, B2B solutions offer the most substantial value and modernization efforts should also ensure to address B2B needs, including the need for speed, scale and data.
  • Consider all types of payments – Modernization initiatives should not just focus on immediate needs for near real-time payments but also provide for longer term changes such as enhancing batch retail and high-value systems.

It is clear from the scope and depth of the Consultation Paper that the CPA is taking a very deliberate, inclusive, transparent and thoughtful approach to the modernization process, in an effort to most efficiently build a new Canadian payment system that encourages innovation and addresses user needs of the various types of participants in the payments ecosystem. In particular, the Consultation Paper points to the key importance of data and transparency in a modernized payment system, while recognizing the need to include features addressing privacy and security concerns.


Privacy Commissioner Releases Survey Results on Canadian Businesses

Posted in Data Breach, Privacy
Carole Piovesan

Canadian businesses report increased knowledge of privacy issues, but little progress in implementing privacy policies or  response plans for data breaches – placing them at risk for new enforcement activities and fines.

The Office of the Privacy Commissioner of Canada (“OPC“) recently commissioned a telephone survey of 1,016 Canadian companies to find out how Canadian businesses fare with their privacy knowledge and protections. The informative report on the survey, the 2015 Public Opinion Research with Canadian Businesses on Privacy-Related Issues, can be accessed here.

It turns out that while much has changed, much has also stayed the same. A summary of some of the highlights from the survey report is provided below.

Privacy Knowledge Increasing

There are a few notable areas where companies have improved in their knowledge of and compliance with privacy issues. For instance, companies are increasingly familiar with privacy legislation and have policies or procedures in place to assess privacy risks.

Now, more than ever, the majority of companies are at least “somewhat familiar” with their responsibilities under Canada’s privacy laws. Fifty-nine percent of business executives said their company has taken steps to ensure that it complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), and the majority of these respondents said that they have not found compliance to be difficult.

In addition, the vast majority of companies now use tools to protect customer information such passwords, firewalls and encryption, more than the last survey conducted in 2013.

These findings suggest an increase in the general knowledge of privacy obligations and concerns, as well as some greater action on behalf of companies to protect customer information.

Privacy Compliance Lagging

There has been less improvement with respect to dealing with actual privacy data breaches. The OPC’s survey results show only a modest increase in the number of companies who have policies and procedures in place in case of an actual breach.

Moreover, less than half of respondents reported having privacy policies to inform customers about what kind of personal information they collect and how the information is used.

Finally, the number of respondents who said their company is “highly aware” of its responsibilities under Canada’s privacy laws is virtually unchanged from 2013.

These trends should change more readily particularly given the OPC’s now broader powers to enforce and penalize for privacy violations (click here for more details).

Offering A Solution

Knowing one’s obligations and having the tools to promote and protect privacy, and effectively deal with data breaches should they occur, is increasingly essential. McCarthy Tétrault has developed processes and tools that can help companies minimize the risk of enforcement and fines by improving their compliance with data breach requirements, including pending mandatory breach notification and record-keeping provisions:

BC Privacy Commissioner Elizabeth Denham Confirmed as New UK Information Commissioner

Posted in Privacy
Breanna Needham

Canadian Elizabeth Denham’s appointment as Information Commissioner for the United Kingdom was confirmed on April 27, 2016 by the UK House of Commons Culture, Media and Sport Select Committee.

The role of Information Commissioner includes providing leadership and strategic direction, building and maintaining relationships with key stakeholders, and contributing to the development of national and international policy on data protection and freedom of information issues.

According to her profile, Denham was assistant privacy commissioner of Canada from 2007 to 2010, during which time led” a ground-breaking investigation into the privacy practices of Facebook which resulted in changes to the social networking site [and] also led the office’s discussions with Google, which prompted improvements to the company’s street level imaging service in Canada”.  She was appointed as British Columbia’s Information and Privacy Commissioner in 2010.

She is known for her proactive and transparent approach to the enforcement of access and privacy laws. Her work has raised the profile of information rights and has placed a greater focus on the impact of new and emerging technology. She is perhaps best known for the fallout from her Access Denied report on the opaque practices of the B.C. provincial government in deleting e-mails with the intention of destroying all documentary evidence of the communications.

Denham’s new role will put her in the middle of several upcoming privacy debates in that country including a new Europe-wide privacy law is coming up. Her decisions in the U.K. will continue to have an impact on privacy law here in Canada.

Denham will begin her five year term as Information Commissioner in the summer, replacing the incumbent, Christopher Graham.

Regulators In Canada and the U.S. Signal Increasing Interest in the Internet of Things

Posted in Internet of Things
Douglas Judson

The ‘Internet of Things’ (or IoT, which we have written about before) is generating fresh interest among legislators and regulatory authorities on both sides of the border. Recent initiatives in both the United States and Canada are likely to bring renewed political attention to the transformative potential of this technology space, particularly for its use in private enterprise and the delivery of public services. At the same time, these developments also raise significant questions about the inherent privacy, security, and consumer protection issues underlying the IoT’s rapidly growing network of interconnected objects and data sources.

U.S. Developments on the Internet of Things

Last week, the U.S. Senate’s Commerce, Science, and Transportation Committee considered the bipartisan bill S. 2607, the Developing Innovation and Growing the Internet of Things Act (or, DIGIT). The bill is scant on specifics with respect to the regulation of the IoT, and instead puts in place a process to consult with industry, technology, consumer, and business stakeholders to develop frameworks for the emerging space. The bill effectively uses a commission-style approach to inform Congress of the best way lawmakers can help stimulate the IoT. Under the bill, a working group will be convened that will ultimately submit a report that includes an analysis of the IoT spectrum’s needs, budgetary challenges, consumer protections, privacy and security matters, and the current use of the technology by government agencies.

Proponents of DIGIT point to the need to develop proactive policies to support the growth of these technologies – such as those policies that facilitated the rapid expansion and adoption of the Internet by citizens and the public and private sectors. The bill is expected to pass out of the Committee with bipartisan support.

 DIGIT resembles a recent call for public input from the U.S. Department of Commerce’s National Telecommunications & Information Administration (NTIA) – a process which may play out concurrently if the bill passes. On April 5, the NTIA posted a Request for Comment on potential policy issues with the IoT, and specifically, on what role the government ought to play in this area.

After analyzing the comments it receives, the NTIA intends to issue a ‘green paper’ that “identifies key issues impacting the deployment of these technologies, highlights potential benefits and challenges, and identifies possible roles for the federal government in fostering the advancement of IoT technologies in partnership with the private sector.”

Similar to DIGIT, the NTIA consultation appears to be aimed primarily at putting in place conditions that will help foster the growth, public, and commercial benefit of the IoT. That said, the detailed Request for Comment paper identifies that the IoT raises issues with respect to privacy, and points to recent examples involving the connection of cars and medical devices to the Internet. On this point, the NTIA references the Federal Trade Commission’s proposals on privacy and cybersecurity with respect to the IoT.

The deadline for filing comments with the NTIA is May 23, 2016.

 Canada’s Privacy Commissioner Discusses IoT Privacy Issues

 In contrast to these U.S. policymakers’ focus on developing an ecosystem for the commercialization, use, and expansion of the IoT, Canadian discussion of the IoT remains largely confined to the realm of the nation’s privacy regulators. The most recent report of observations and concerns related to the IoT was published by Canada’s Privacy Commissioner in February 2016.

The research paper, billed as An introduction to privacy issues with a focus on the retail and home environments, is intended to help Canadians understand “how their privacy will be affected by the online networking of uniquely identified, everyday objects”. The paper aptly focuses on the impact the IoT will have on individual consumers, canvassing privacy-related issues such as customer profiling; accountability and transparency; the ethics of data collection, access and correction rights; and the challenges of device and information security.

The Privacy Commissioner concludes that technological developments with respect to the IoT has not been matched by an equivalent improvement in the existing privacy governance models. The Commissioner’s report is not a call for public input, but similar to the American initiatives, it raises more questions about the future of IoT regulation than it answers. The report concludes that limited information or considerations have taken shape concerning the privacy implications of having a large amount of data points collected, aggregated across devices, and analyzed by device owners and third parties unknown to the individual user.

Underscoring its engagement with IoT issues, the Privacy Commissioner announced that it will participate in a coordinated online audit to analyze the impact of everyday connected devices on privacy. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world, and will target three categories of connected devices:

  • home IoT devices (e.g connected camera systems);
  • health connected devices (e.g. connected scales, glucometers, etc. intended to collect health-related data); and
  • connected devices for well-being (e.g. connected watches and bracelets that can collect geolocation data,  count footsteps, or analyze sleep quality).

The aim will be to verify the quality of the information provided to users, the level of security of the data flows, and the degree of user empowerment (e.g., user’s consent, etc.).

 Takeaways for Canadian Organizations

 The extent of any new regulations and policies designed for the specific issues raised by the IoT remains to be seen. Consultation and study exercises on both sides of the border are seeking to reconcile the need to support the IoT’s development (and the benefits to consumers and service users), while reasonably harnessing the risk of its intrusions. The level of interconnectivity facilitated by the IoT is not only a disruptive force for business, public, and convenience services, but necessitates the risk of single-point vulnerability for users and systems.

As these initiatives evolve into new policies and regulations, organizations will need to adapt their existing privacy standards and protocols to align with IoT rules and requirements. Moreover, present industry-established frameworks may not align with either the existing general standards or new IoT requirements. Organizations should be mindful of lawmakers’ concerns to ensure that their use of data captured through the IoT technologies remains consistent with legal standards in the jurisdictions in which they operate.

As organizations enter the IoT space with their products and services, the importance of establishing a privacy management program to stay up to speed on legal developments can help to ensure that IoT participants integrate compliance requirements in a meaningful and systematic way.

EU’ve Got Mail: European Commission Seeks Input on Electronic Communications Rules

Posted in European Union, Legislation
Breanna Needham

Technological advances and the advent of the EU General Data Protection Regulation (“GDPR”) prompted the European Commission (“Commission”) to update the EU’s Privacy and Electronic Communications  Directive. The recommendations made to it last summer suggest  wide-ranging changes are likely, including to rules on the use of cookies, direct digital marketing and on the processing of location data, along with a general expansion of the framework. Public consultations have begun and, in light of a similar review scheduled for Canadian privacy laws, may forecast what’s on the horizon for Canada. 

The Commission, which first outlined its intention to reform the e-Privacy Directive in 2014,  recently launched a public consultation project to evaluate and review the  text of the ePrivacy Directive 2002/58/EC (the “Directive”) and the related existing legal framework.  The purpose of the public consultation is to collect comments on the main provisions of the Directive, which include the scope of application, the applicable security provisions, confidentiality considerations, competent authorities, and considerations related to unsolicited commercial communications (spam).


In 2012, the Commission announced the EU Data Protection Reform (the “Reform”), designed to make Europe a leader in adaption to a technological era. The Digital Single Market Strategy (the “DSMS”) represented a priority program directed at creating improved online access to digital goods and services through rules and regulations crafted specifically to keep pace with an increasingly digital age. In addition to these mandates, the DSMS also announced that ePrivacy rules would be reviewed following the adoption of the component parts of the reform.

In December of 2015, the Commission, along with the European Parliament and the Council, announced the final agreement, which consisted of two components: the Data Protection Directive for the police sector and criminal justice system and the GDPRfor personal data. The GDPR represented an unprecedented and notable reform of data protection rules in the electronic communication sector targeted at enabling a greater level of control over consumer data and reinforcing consumer trust in data use while also levelling the playing field in the market. This reform process also affects the Directive, which is a complementary component of the GDPR that further particularizes the specific rules applicable to personal data processing in the electronic communications sector.

The ePrivacy Directive was last updated over seven years ago to provide privacy protections related to personal data breaches and to tackle issues associated with the use of cookies.

The Consultation

The public consultation process on the Directive is an integral part of a group of initiatives targeted at creating a high level of protection for European citizens in order to ensure both security and trust when it comes to personal data in the electronic communications sector, especially given the increasing use of and reliance on digital communications. Starting as of April 12, 2016, with comments being received over a period of 12 weeks, the questionnaire is open to citizens, consumer and user associations, civil society organizations, businesses, public authorities and academia.

Topics for comment in the questionnaire include:

  • The effectiveness of the Directive in harmonizing existing provisions to ensure both the free movement of data and electronic communication equipment and a consistent level of privacy protection in data processing in the electronic communications sector;
  • The relevance of the Directive as a new and necessary further particularization of the applicable rules in the electronic communications sector in the context of technological, social and legal considerations;
  • The cohesive nature of the Directive as it relates to other pre-existing rules and legislation;
  • The costs, benefits and economic efficiency of the Directive for both businesses and users;
  • The applicable scope of the Directive to publicly available, traditional electronic communication services and providers, but not so-called “over-the-top” providers that create equivalent communications services that operate over the internet (for example, VOIP providers);
  • The confidentiality and security of communications that occur over public communications networks and the related prohibition on both interception and surveillance except where authorized by law or express consent;
  • The right of subscribers to non-itemized bills, anonymity, control over automatic call forwarding, and decisions related to listings in a public directory;
  • The requirement of prior consent to unsolicited commercial communications, including via SMS, with an opt-out approach for direct marketing emails; and
  • Implementation and enforcement considerations, such as what entity should be responsible for cross-border matters covered by the ePrivacy instrument and the remedies available in instances of breach.

Considerations Closer to Home

Canada is also in the process of both reviewing and revising privacy laws. With a number of government organizations and agencies responsible for overseeing the applicable legislation related to privacy rights in the country, there may be lessons to be learned from the European approach and the public consultation process. The issues listed in the questionnaire are in large part issues that the Office of the Privacy Commissioner of Canada and the CRTC have identified as being of concern.

Privacy Commissioner Targets IoT Health Devices in Sweep

Posted in Big Data, Internet of Things, Privacy, Telematics, Wearables
Justin Shoemaker

What rumours is your fitness tracker spreading about you?  In its latest Internet of Things themed sweep, the Office of the Privacy Commissioner of Canada reviews what personal information is being collected about Canadians by “smart” health and fitness devices.

Many of us will remember Time Magazine’s audaciously titled September 2013 issue, which splashed the following headline across its cover page: “Can Google Solve Death?

At the time, there were more than a few skeptics who might have dismissed Google’s investment in Calico, a biotech subsidiary, as another moonshot investment by the tech giant or as part of a long-term expansion strategy.

Fast-forward less than three years.  Regulators continue to play catch-up with the burgeoning industry at the intersection of data analytics and user-generated personal health data.  The ballooning number of connected devices that make up the so-called internet of things (“IoT”) has accelerated in scale at a heart-clutching rate.  The Office of the Privacy Commissioner of Canada (“OPC”) quoting estimates that, by 2020, there will be between 20 and 30 billion connected devices.[1]  While devices that generate data specific to the function and use of the human body represent a subset of these devices, it is hard to deny the growth in the sophistication and potential use (and misuse) of the datasets generated from users’ health and biometric data.

Connected health technology has come a long way since the days of telephonic medical alert systems infamously portrayed in infomercials featuring “help, I’ve fallen” pushbutton necklaces.  While application driven smart-phones, watches and fitness wearables are top of mind, the healthcare industry has adopted a range of smart devices that quietly gather and amass a steady stream of data about their users: baby monitors, respiratory and glucose meters, scales, pillboxes, thermometers, contact lenses, heart-monitors, and even band-aids are but a few of the previously inert devices that have become IoT-enabled.  For individual consumers, health practitioners, and public health officials, there are extremely compelling use cases to prevent regulatory authorities from stifling the innovation in this sector.  For individual patients and clinicians, the devices open what was previously a black-box allowing insight into the lives of individuals outside a clinical setting.  The data gathered will enable the healthcare industry to open new service lines focusing on early detection and intervention as well as ongoing health monitoring.  Similarly, public health authorities can benefit from large-N data-mining that could potentially offer new insights into determinants of disease, healthy aging processes, and general population wellness.

However, without adequate regulation the (mis)use cases for health data are equally compelling.  Digital archives of health data represent new targets for data-breaches and  fraud. While the OPC singles out harm to dignity and the integrity of the human body as coordinate reasons for the special protection it affords to leaks/exposures of health data, it has also identified two particular concerns that arise from the proliferation of health data: threats to individual users’ future insurability and employability.[2]

 IoT Health Devices Raise Multiple Concerns

The cross-border fluidity of data, the proliferation of health data start-ups, the lack of consumer awareness, and the dangers of misuse of health data have not gone unnoticed by the OPC.  Last week, the OPC announced that as part of the Global Privacy Enforcement Network (“GPEN”) review of IoT devices, the focus of the OPC’s 2016 “sweep” would be health devices.

In order to build a clearer picture of the practises of Canadian businesses the OPC declared that between April 11th and 15th, 2016 it would be testing products, examining privacy information published on businesses’ websites, and directly petitioning businesses for responses to specific privacy-related questions.

As in previous years, the 2016 sweep is part of a coordinated effort by the OPC as a member of GPEN to increase public and business awareness of privacy rights and responsibilities, encourage compliance with privacy legislation, identify concerns that may be addressed through targeted education or enforcement, and enhance cooperation among privacy enforcement authorities.[3]  GPEN is an OECD organization composed of local data protection authorities of certain participating member states.  Though members of GPEN do not rule out either further follow-up with, or enforcement action against noncompliant businesses, the OPC has stated that it does not consider the sweep an investigation, nor does it conclusively identify compliance issues or possible violations of privacy legislation through a sweep alone.[4]

Those readers who have been monitoring communication from the OPC will not be surprised by the focus of the sweep.  In its June 2015 report, “The OPC Strategic Privacy Priorities 2015-2020”, the OPC identified “The body as information” as one of its four main priority areas and pledged to both “conduct an environmental scan of new health applications and digital health technologies being offered on the market and research their privacy implications”.[5]  The OPC has stated that it believes the human body to be the “vessel of our most intimate personal information”, and, as such, will strive to promote respect for its privacy and integrity.  In its strategic plan the OPC drew particular attention to biometric data associated with wearables as well as data gathered from direct-to-consumer genetic testing products and services.

Misuse of Health Information

Legislative activity reflects the increasing concern over the use and misuse of health information. Bill S-201, as adopted by the Canadian Senate on April 14th, is expected to provide a measure of much-needed protection against discrimination on the basis of genetic characteristics.  In addition to amending the Canadian Labour Code, the Canadian Human Rights Act, the Privacy Act, and the Personal Information Protection and Electronic Documents Act (PIPEDA”) to protect against genetic discrimination, the bill introduces a Genetic Non-Discrimination Act, which makes it an offence for a service provider to collect or use the results of a genetic test of an individual without that individual’s written consent.

However, even in countries where genetic discrimination protections are already enshrined in law, insurance firms continue to intensify investment in IoT analytics. For instance, as regards health-related services, between 2014 and 2015, there has been an acceleration in the use of data from health and fitness monitors by insurance companies with the percentage of firms having launched or piloted health and fitness IoT-connected insurance initiatives rising from 10% in 2014 to 39% by 2015.[6]

Businesses engaged in either the collection or use of such information should be aware that the results of the sweep will, in the medium term, likely be incorporated in new OPC guidance that will identify standards for privacy protection in products and services as well as new “no-go” zones for data collection.[7]  The OPC has identified several horizontal, cross-cutting strategic concerns which it has stated it will apply to IoT devices and services:

  1. Exploring innovative and technological ways of protecting privacy;
  2. Strengthening accountability and promoting good privacy governance;
  3. Protecting Canadians’ privacy in a borderless world;
  4. Enhancing the OPC’s public education role; and
  5. Enhancing privacy protection for vulnerable groups.

As regulators continue to fine-tune their approach through information gathered in exercises like the 2016 sweep, businesses that gather, trade-in, or use health data should be monitoring both changes in the regulatory landscape as well as the wider technological environment.  For instance, today’s means of de-identifying health data by scrubbing personally identifying information or pseudo-anonymizing individual users through the use of standard cryptographic methods like a hash may not be enough to protect the sensitive data that is at the heart of the OPC’s interest in the “body as information”.

Businesses cannot think of the information that they gather and warehouse as having a ‘static’ risk profile.  Over time, as use cases for health data and the analytical tools available to businesses become increasingly mature, we expect to see a commensurate growth in the capability of third parties (or poorly governed business units) to ‘link’ today’s privacy compliant data with offline and online datasets to recreate an identifiable profile of a de-identified or pseudo-anonymous person.

In the more mature retail environment, the Massachusetts Institute of Technology was recently able to use de-identified credit card purchase information from a 1.1 million person dataset to match 90% of the cases to specific publicly available information on social media sites such as LinkedIn, Facebook, Twitter, and Foursquare.[8]

Similarly, businesses should continue to appraise on an ongoing basis both the validity of end-user consents and the capability of users to access and correct health data as new use cases for the data are piloted.


[1]       Canada, Office of the Privacy Commissioner of Canada, The Internet of Things: An introduction to privacy issues with a focus on the retail and home environments, (February 2016) online:

[2]       Canada, Office of the Privacy Commissioner of Canada, The OPC Strategic Privacy Priorities 2015-2020: Mapping a course for greater protection, (June 2015) online:

[3]       Canada, Office of the Privacy Commissioner of Canada, Canada examines health devices during 2016 “Internet of Things” global privacy sweep, (Gatineau, Quebec: April 11, 2016) online:

[4]        Canada, Office of the Privacy Commissioner of Canada, Results of the 2015 Global Privacy Enforcement Network Sweep, (Gatineau, Quebec: September 2, 2015) online:

[5]      The OPC Strategic Privacy Priorities 2015-2020, supra note 2.

[6]        Accenture, “Digital Insurance: Reimagining Insurance Distribution” (2015), online:

[7]      Ibid.

[8]       The Internet of Things: An introduction to privacy issues with a focus on the retail and home environments, supra note 1.

BC Privacy Office Says Free Legal Advice Doesn’t Trigger Client ID Requirements

Posted in Privacy
Kirsten Thompson

A recent Mediation Settlement from the BC Privacy Commissioner has raised an issue of particular interest to law firms, and other organizations which must meet “Know Your Client” requirements. The item is brief (it is reproduced in its entirety below), but seems to suggest that free legal advice doesn’t trigger the “Know Your Client” provisions imposed by various Law Societies for compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. According to this Mediation Settlement, only paid legal advice triggers that obligation.

What sparked the issue was an individual who contacted a law firm to take advantage of a free consultation offer, and was told that they would need to show identification during the consultation. Not only did the individual not become a client of the firm, they promptly complained to the BC Privacy Commissioner. The matter was settled by way of mediation:


Potential client questions law firm demand for identification

An individual called a law firm to set up a meeting with a lawyer to discuss a legal difficulty, with the expectation they might hire the firm to handle their case, depending on the outcome of the meeting. Like many law firms, this one offered free initial consultations to enable the firm to decide if it wanted to take someone on as a client.

During their initial phone call, the potential client was told they would be required to show identification during their meeting with the firm’s lawyer. This requirement seemed unreasonable so they decided not to become a client. Instead, they complained to us that the law firm was demanding too much personal information.

Section 7 of the Personal Information Protection Act says businesses cannot collect more information than they need to provide their service or product. During mediation with our office, the law firm told us the Law Society of British Columbia rules required it to verify the identity of its clients to comply with the federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act. However, it also acknowledged that the Law Society did not require it to confirm the identity of a potential client to whom it provided free advice. It agreed to review the distinction with its staff to ensure potential clients would receive accurate information regarding personal information requirements

The key seems to be the distinction between “potential client” versus “client”. Indeed, the Law Society of Upper Canada guidance on Client Identification And Verification Requirements For Lawyers uses similar language, with the trigger being when a lawyer is “retained”.

Identifying the client means obtaining certain basic information about your client and any third party directing, instructing or who has the authority to direct or instruct your client such as a name and address. You must obtain this information whenever you are retained to provide legal services to a client unless an exemption applies.

However, in the  Rules of Professional Conduct, “client” is defined as a person who:

  • consults a lawyer and on whose behalf the lawyer renders or agrees to render legal services; or
  • having consulted the lawyer, reasonably concludes that the lawyer has agreed to render legal services on their behalf.

The commentary to rule 1.1-1[1] provides that a “solicitor and client relationship may be established without formality.” This means that no retainer agreement or monetary payment is required to establish a solicitor-client relationship. This would appear to be exactly the reverse of what the BC Mediation Settlement suggests.

However, the client versus potential client boundary is less of a bright line boundary and more of a swampy “zone”.

The law recognizes that clients and lawyers need to be able to talk under the protection of solicitor-client privilege prior to a relationship being established. The client needs to be able to describe the problem/mandate and the lawyer needs to assess whether to take on the work. As a result, solicitor-client privilege does not depend on the existence of a retainer.

However, once advice is given, then the lawyer then owes duties beyond confidentiality including competence, avoidance of conflicts, etc. These duties don’t turn on payment. A lawyer can be sued for negligence having agreed to assist whether pro-bono or paid.

Current business development practices mean many firms (like the one that is the subject matter of the Mediation Settlement) offer free advice before agreeing to act – even though there is already a lawyer-client relationship. What is really being explored is whether there should be an ongoing retainer.

Regardless, this distinction may have been lost in the Mediation Settlement.



S3nd Us teH MoNey: Ransomware Advisory Issued for Canadian Companies

Posted in Criminal, Cybersecurity
Aaron Wenner

Ransomware attacks, in which hackers encrypt all the files on a computer and threaten to delete them unless a ransom is paid, are becoming increasingly common. Disturbingly, they are often successful. Recent victims include individuals like the woman who paid Ukrainian hackers $500 in Bitcoins to prevent them from deleting her husband’s financial statements (and whose story was profiled on an excellent episode of WNYC’s Radiolab), and organizations like the hospital in Los Angeles that paid $40,000 in order to regain access to its electronic medical records and other systems.  Canadian hospitals have also been targets.

Two recent advisories—one from the Alberta Information and Privacy Commissioner, the other from the Canadian Cyber Incident Response Centre in collaboration with the United States Department of Homeland Security—discuss the extent of the threat, and suggest how Canadian individuals and organizations can protect themselves.


The advisories explain that ransomware typically finds its way onto computers through “phishing” emails, which attempt to trick recipients into opening malicious attachments, or through “drive-by downloads”, where infected websites install software onto users’ computers without their knowledge. The consequences of these attacks can be devastating: individuals and organizations may lose sensitive or proprietary information, their regular operations could be disrupted, restoring systems and files can be horribly expensive, and reputations are put at risk.

Should I Pay?

If an organization hands over the cash (or, more typically, bitcoin or other cryptocurrency), there is no way to be certain that extortionate hackers will be true to their word. As the advisories note:

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information as well. In addition, decrypting files does not mean the malware infection itself has been removed.

There are other considerations as well.

If you have readily accessible backups that have been protected against malicious encryption, then there may be no reason to pay – a relatively straightforward restore operation may be all that’s required.  Another factor is how widespread the infection is – if it’s just four computers, taking them offline may solve the immediate problem; however, if its the entire network and backup systems, there will be different considerations. Finally, before paying any ransom demand (whether in cash or cryptocurrency) organizations should confirm that by doing so, they are not funding a terrorist organization and thereby running afoul of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act S.C. 2000, c. 17 , violating the Criminal Code provisions on extortion or making a payment to a sanctioned country or individual.

Of course, the preferred approach is to prevent, not pay.

An ounce of prevention … is the law

The advisories suggest some common-sense but effective practices your organization can adopt to lessen the chances of become a victim to a ransomware attack:

  • Educate your staff and employees. Anyone using a computer should know not to open untrusted attachments and how to recognize when a website might be compromised—and about the consequences for the organization that are at stake. Develop, implement and test employee training on these matters.
  • Get your IT department on board. Your IT group can implement safeguards that can make your organization a more difficult target. Successful tactics include application whitelisting, which allows only specified programs to run, while blocking all others, including malicious software.
  • Make frequent, regular, and accessible backups! If your organization is attacked, but can restore its files from a recent backup, the ransomware threat will be greatly diminished (however, note that the more recent variants of ransomware can stay on organization’s systems for months, thereby encrypting the most recent regular backups. It is not until several months have elapsed, and the backups are encrypted, that a demand will be received – and attempts to rely on backups will be futile).

These suggestions are more than just best practices. They may also be the law. Under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) as well as the Personal Information Protection Act (British Columbia) and the Personal Information Protection Act (Alberta) and other provincial and/or sector-specific privacy legislation, organizations are required to take appropriate security safeguards to protect sensitive information.

If your organization is targeted, and if you have reason to believe that  the breach of personal information could reasonably create a “real risk of significant harm to the individual”, under the recent amendments to PIPEDA you would  be required to notify affected individuals and report the breach (these particular federal amendments are not yet in force, though a discussion paper was recently circulated addressing the proposed changes – see our previous blog post here). Alberta already has mandatory breach reporting that uses a similar threshold.

But again, it’s best not to be put in this situation at all. Taking small steps to minimize the risk of ransomware can avoid having to resolve some difficult, costly, and potentially life-threating situations.