Insights on cybersecurity, privacy and data protection law

Saskatchewan Court Upholds Electronic Waiver as Enforceable

Posted in E-Commerce
Krupa Kotecha

The Saskatchewan Court of Queen’s Bench recently upheld an electronic waiver as enforceable in Quilichini v Wilson’s Greenhouse, 2017 SKQB 10.

The plaintiff in the case  was injured while go-karting at a racing facility operated by Velocity, a business owned by the defendant Wilson’s Greenhouses. It was contended by the plaintiff that the defendants either: (a) breached their contractual obligations to maintain the go-kart in sufficient working condition, or (b) engaged in a negligent breach of the same obligation.

The defendants contended that the plaintiff’s injuries were incurred as a result of his own conduct, including driving at excessive speed. Moreover, the defendants brought an action for summary judgement dismissing the plaintiff’s action, given that the plaintiff executed an electronic form of waiver and release that the defendants argued was binding on him.

The Form of Waiver

Velocity’s go-kart customers are required to proceed through a kiosk system where they must provide personal information, complete a membership application, pay for such membership, be photographed, and go through a series of electronic pages on a computer screen and click “next” to move from one page to the next. As a final step, customers must agree to terms of a waiver and release. As the plaintiff had proceeded through the kiosk system and successfully completed all of the steps required to race at the facility, the defendants asserted that the plaintiff had no claim enforceable at law. The plaintiff countered by arguing that whether he had signed the waiver or not was equivocal and that, even if signed, the waiver did not absolve the defendants from liability.


Saskatchewan, like all the other provinces in territories in Canada, has electronic commerce legislation. This type of legislation is intended, generally, to mandate the equivalency of electronic documents with traditional paper documents.  As with most legislation, there are exceptions to this statutory equivalency. The statutes also generally specify the conditions under which electronic documents and electronic signatures will be valid and enforceable.

In considering the parties’ assertions, Scherman J properly focused the scope of the inquiry on the section of the Electronic Information and Documents Act (2000, SS 2000, c E‑7.22) that  pertains to the formation and operation of contracts (i.e. section 18), as opposed to the section of the Act that focuses on signatures (i.e. section 14). Considering the legislation in the context of the case at bar, Scherman J held that:

The legislation is clear. Agreement to contractual terms can be expressed by touching or clicking on an appropriately designated icon or place on a computer screen. The fact that the contract could have alternatively been executed by printing a hard copy and having a participant sign a hard copy form does not detract from the foregoing. The fact that there are optional ways to execute the contract does not lead to the conclusion that using only one of those options does not constitute agreement.

Further, the Court held that the waiver was indeed enforceable, given that the plaintiff had the full opportunity to read the waiver and there was nothing obscure in the presentation of the waiver and release or the choice of whether to accept or not:

In my opinion, there can be no question but that when the plaintiff clicked “I agree”, he was intending to accept and assume responsibility for any possible risk involved and knew he was agreeing to discharge or release the defendants from all claims or liabilities arising, in any way, from his participation. The words “all claims, liabilities, demands and/or actions for damages (including legal costs) arising in any way from my participation in go‑kart racing” mean what they say and include claims arising from negligence.

Scherman J supported this conclusion by pointing to various concurring common law decisions addressing the enforceability of waiver and release agreements. The Court consequently provided for summary judgement in favour of the defendants (with costs).

Lessons for Business

The decision in Quilichini v Wilson provides affirmation to business owners (especially those in the recreational industry) that a well-drafted electronic waiver and release that is properly presented in an understandable format will likely be held to be enforceable. The result thus helps provide for commercial certainty in the electronic era, as it properly places the emphasis on substance (i.e. the clear understanding and intent of the parties to waive liability) rather than form (i.e. the use of electronic waiver as opposed to traditional paper signatures).

Bill S-201 and the Protection Against Genetic Discrimination.

Posted in Discrimination, Employment, Legislation, Privacy
Carole Piovesan

You have done testing to determine whether you have a genetic predisposition to certain medical conditions. The results come back: You do. This is important information for you and your doctor to make more informed decisions about your health care.  But now that you know, are there circumstances in which you should be required to disclose the results to others?

The heart of the debate about one’s privacy in genetic testing concerns whether an individual may suffer discrimination where it is or may be determined that he or she is genetically predisposed to a particular disease. This is the heart of Bill S-201, an act to prohibit and prevent genetic discrimination.

Those in favour of robust protections caution that required disclosure of genetic results may have a chilling effect on undergoing testing. The argument goes that, for many, the risk of discrimination (namely in the employment and insurance contexts) could outweigh the benefits of information that could lead to more personalized and efficient health care. That is, some people would opt out of genetic testing despite its profound potential benefits.

Those in favour of select disclosure, including the insurance industry, underscore the relevance of genetic information in certain contexts, particularly for the purposes of risk assessment and risk pooling, upon which insurance products are built. For instance, where an applicant for life insurance has information regarding her increased risk to a potentially life-threatening condition, this information is critical to the risk assessment in determining her insurance premiums. The Canadian Institute of Actuaries (CIA), in a research paper proposing amendments to the bill, concluded that if insurers are not able to access the results of genetic tests, “the impact on insurance companies will be substantial”, concluding that insurance premiums for term life insurance “could go up by 30 percent for males and 50 percent for females”. This would occur, says the CIA, in order to counter the fact that those with a genetic predisposition to develop a serious health issue would have an incentive to buy more insurance because they would know that since they need not report this predisposition to a prospective insurer, their insurance premiums would be below cost and thus a very good deal.

The Canadian Life and Health Insurance Association (CLHIA), which opposes the bill, has taken the position that regulation is unnecessary and  recently announced that the Canadian life and health insurers would, on a voluntary basis, not request or use genetic testing information for new life insurance applications up to $250,000, effective January 1, 2018. This commitment is included in the CLHIA voluntary Industry Code on genetic testing and is to be implemented by all CLHIA members. Among other things, the Industry Code also requires that companies have a dispute resolution system to deal with complaints relating to underwriting decisions involving genetic testing information.

Bill S-201: A Response to Genetic Discrimination

The United States and United Kingdom have taken steps to protect individuals from required disclosure of genetic results, with the United States passing federal legislation directly addressing the health insurance context and the United Kingdom voluntarily implementing a restrictive agreement on the use of genetic testing in certain circumstances since 2001. The basic terms of the Concordat and Moratorium on Genetics and Insurance adopted by the Association of British Insurers are that customers will neither be asked to, nor be put under any pressure to, undergo a predictive genetic test in order to obtain insurance or to disclose any predictive or diagnostic genetic test results acquired as part of clinical research or after the policy has started, whether their own test or that of another person (i.e., a blood relative).

Canada is now following suit with the introduction of Bill S-201, an act to prohibit and prevent genetic discrimination. Senator James Cowan is championing the bill, which recently passed the Senate and is now in the House of Commons.

Bill S-201 prohibits requiring an individual from undergoing genetic testing or disclosing genetic test results as a condition of: (a) providing goods and services; (b) entering into or continuing a contract or agreement with that individual; or (c) offering or continuing specific terms or conditions in a contract or agreement with that individual.

Parenthetically, the bill is silent on whether an individual may be required to disclose the mere fact of having undergone genetic testing, which in itself is valuable information.

The bill amends the Canada Labour Code to prevent employees from being required to take a genetic test or disclose results of a test to employers. It further amends the Canadian Human Rights Act to prohibit discrimination based on “genetic characteristics”.

The bill makes it a criminal offence to contravene the operative sections of the proposed legislation. A conviction on indictment would attract a maximum penalty of $1,000,000 and/or imprisonment for a term not exceeding five years.  A summary conviction would attract a maximum fine of $300,000 and/or imprisonment for a term not exceeding twelve months.

Constitutionality of the Bill

An important issue facing this bill is whether it is properly conceived as federal legislation. While the criminal law aspect of the bill – the penalties for contravention – are unlikely to face constitutional scrutiny, it can be argued that Bill S-201 seeks to regulate matters falling under the province’s jurisdiction, namely employment and insurance contracts. While Bill S-201 does not make any reference to a specific industry or type of contract, it is conceivable that, if passed, it could face a constitutional challenge on this basis.


The increasing popularization of genetic testing is challenging privacy legislation in new ways. While there are those who argue that the provinces already have the legislative armour to protect privacy interests in genetic testing, it remains to be seen whether Canada will institute protections in a manner similar to the U.S. or the U.K., or adopt a hybrid approach.

[Correction: An earlier version of this article incorrectly stated that the United Kingdom had adopted a legislative approach to this issue.]

The New U.S. Executive Order: Effects on Canadian Privacy Laws and Cross Border Data Transfers

Posted in Privacy
Keith RoseEmily MacKinnon

President Donald J. Trump’s executive order issued January 25, 2017, contained one little paragraph with big words about Canadians’—and other non-U.S. citizens’—privacy:

Sec. 14.  Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

This paragraph has triggered alarm in some corners of the Internet. However, on closer inspection, it doesn’t appear to change much, at least legally speaking and from a Canadian private-sector perspective.

This section of President Trump’s order concerns only one statute: the Privacy Act. The order, like the Act itself, is directed only at executive departments and agencies. And it concerns only their policies.  Thus, the executive order does not appear to change any person’s substantive legal rights or obligations.

The context of section 14 suggests its intention. The executive order, as a whole, deals primarily with measures to promote “interior enforcement” of U.S. immigration laws—including against “removable aliens”.  Hence, section 14 is plausibly aimed at ensuring U.S. federal departments and agencies comply with requests for information about non-citizens.

That said, the executive order has no direct impact on the treatment of personal information by the private sector.  In particular, the order does not appear to change the circumstances in which US law enforcement or security agencies can compel private actors to disclose information about Canadians (or other non-U.S. citizens).

On the Canadian side of the border, the public and private sectors have long paid attention to the information they send to the U.S., pursuant to both policy and legislative requirements.

In the private sector, s. 13.1 of Alberta’s Personal Information Protection Act requires organizations to provide notice of certain transfers of personal information outside of Canada. The federal Personal Information Protection and Electronic Documents Act requires organizations to provide similar notice and to ensure that personal information in the hands of a third party—whether inside Canada or elsewhere—receives a “comparable level of protection” to that provided by the organization itself.

The effect of the executive order on Canadian regulators’ views of cross border information transfers in the private sector is uncertain at this point in time. Canadian regulators generally require Canadian organizations to disclose the consequences of information sharing across national borders and it is currently unclear what, if any, effect, the executive order have on those disclosures.

In the public sector, s. 30.1 of BC’s Freedom of Information and Protection of Privacy Act requires all personal information to be stored and accessed in Canada, subject to an extensive list of exceptions. Nova Scotia’s Personal Information International Disclosure Protection Act imposes similar requirements, again subject to certain exceptions. And s. 50(1) of Ontario’s Personal Health Information Protection Act, 2004 prohibits the disclosure of personal information outside of Ontario unless the affected individual consents or certain other conditions are met.  None of these restrictions is conditioned on the legal treatment of the information by U.S. agencies, and their application does not appear to be affected by the executive order.

On the international stage, the order may be of a similarly limited legal effect. The order does not appear to alter obligations under the Judicial Redress Act to extend portions of the Privacy Act to citizens of “covered countries”—a measure that was specifically implemented to satisfy European requirements for transfers of personal information. This order should have little impact, if any, on the legal foundations of the EU-U.S. Privacy Shield—which, in any event, does not apply to U.S. federal agencies.

It is apparent, however, that the U.S. executive is moving quickly to implement its policy agenda.  President Trump’s next steps are far from clear.

And while President Trump’s executive order may not have altered substantive legal protections for personal information, it has clearly attracted public attention to the issue. Moving forward, it appears likely that the public will pay increased attention to cross-border information-sharing with the U.S.—a development of which organizations should remain cognizant.

PIPEDA’s global extra-territorial jurisdiction: A.T. v.

Posted in Privacy
Barry Sookman

The Federal Court of Canada released a landmark decision finding that the court has the jurisdiction to make an extra-territorial order with world-wide effects against a foreign resident requiring the foreign person to remove documents containing personal information about a Canadian citizen that violates the person’s rights under Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). In A.T. v., 2017 FC 114 the Honourable  Mr Justice Mosely ordered the individual operator of the website to remove all Canadian tribunal and court decisions  posted on the site that contain personal information and to take all necessary steps to remove the decisions from search engines caches.

The decision arose from an application made under section 14 of PIPEDA which enables a complainant to the Office of the Privacy Commissioner, after receiving the Commissioner’s report, to apply to the court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report. The legal process was used by an individual who complained that, a site hosted and operated from Romania, was re-publishing decisions of Canadian courts and tribunals containing personal information including personal information about him, for the purpose of demanding fees from aggrieved persons to take the content down.

While the decisions published were generally available on other sites such as Canlii those sites did not make the information available for indexing by search engines. Thus, while the public could find the decisions online, this would not happen merely by virtue of searching on someone’s name using a search engine like Google.

The site operator claimed that PIPEDA did not have extra-territorial application over him because the activities were conducted from the foreign website. The argument was rejected by the court relying on prior decisions that clearly confirmed the potential extra-territorial application of PIPEDA where a real and substantial connection is established.

[50]           Section 4 of PIPEDA, the application provision for Part I, is silent with respect to the statute’s territorial reach. However, there is no language expressly limiting its application to Canada. In the absence of clear guidance from the statute, the Court can interpret it to apply in all circumstances in which there exists a “real and substantial link” to Canada, following the Supreme Court’s guidance in Society of Composers, Authors and Music Publishers of Canada v Canadian Assn. of Internet Providers, 2004 SCC 427, [2004] 2 SCR 427 at paras 54-63 [SOCAN] and the other authorities cited therein…

[52]           As Mr. Radulescu and are foreign-based, the Court must consider whether there is a real and substantial connection between them and Canada to find that PIPEDA applies to their activities. The operative question underlying the test is “whether there is sufficient connection between this country and the [activity] in question for Canada to apply its law consistent with the ‘principles of order and fairness’” and international comity: SOCAN, above, at paras 57 and 60.

[53]           This Court has applied PIPEDA to a foreign-based organization where there was evidence of a sufficient connection between the organization’s activities and Canada: Lawson v Accusearch Inc (cob, 2007 FC 125 (CanLII), [2007] FCJ No 164 at paras 38-43 [Lawson]. The relevant connecting factors include (1) the location of the target audience of the website, (2) the source of the content on the website, (3) the location of the website operator, and (4) the location of the host server: SOCAN, above, at paras 59 and 61; see also Lawson, above, at para 41; Davydiuk v Internet Archive Canada, 2014 FC 944 (CanLII), [2014] FCJ No 1066 at paras 31-32 [Davydiuk]; Desjean v Intermix Media, Inc, 2006 FC 1395 (CanLII), [2006] FC 1395, [2007] 4 FCR 151 at para 42 [Desjean], aff’d 2007 FCA 365 (CanLII); Equustek Solutions Inc v Google Inc, 2015 BCCA 265 (CanLII), leave to appeal to the SCC granted [2015] SCCA No 355 [Equustek].

[54]           In this case, the location of the website operator and host server is Romania. However, when an organization’s activities take place exclusively through a website, the physical location of the website operator or host server is not determinative because telecommunications occur “both here and there”: Libman v The Queen, 1985 CanLII 51 (SCC), [1985] 2 SCR 178 at p 208 [Libman].

[55]           In its submissions, the OPCC highlights three key connecting factors between the foreign-based website and Canada. First, the content that is at issue is Canadian court and tribunal decisions containing personal information which was copied by the respondent from Canadian legal websites. Second, the website directly targets Canadians by specifically advertising that it provides access to “Canadian Caselaw”/”Jurisprudence de Canada”. The evidence is that the majority of visitors to are from Canada. Third, the impact of the website is felt by members of the Canadian public. This is evidenced by the complaints received both by the OPCC and media reports of individuals suffering distress, embarrassment and reputational harm because of republishing their personal information and making it accessible via search engines. The respondent is aware of these complaints.

[56]           There is evidence that the Romanian authorities have acted to curtail the respondent’s activities and that they have cooperated with the OPCC investigation.  Is that sufficient reason not to exercise the PIPEDA jurisdiction in this context? I think not.  I accept the submission of the OPCC that the principle of comity is not offended where an activity takes place abroad but has unlawful consequences here: Libman, above, at p 209….

[57]           In Chevron Corp v Yaiguaje, 2015 SCC 42 (CanLII), [2015] 3 SCR 69 [Chevron], the Supreme Court was asked to determine whether the Ontario Courts have jurisdiction over a Canadian subsidiary of Chevron, an American corporation and a stranger to the foreign judgment for which recognition and enforcement was being sought in Canada. In that case, the Ontario Court of Appeal had affirmed an Ecuadorian judgment against Chevron.

[58]           In upholding the Ontario Court of Appeal’s decision, Justice Gascon noted that “Canadian courts, like many others, have adopted a generous and liberal approach to the recognition and enforcement of foreign judgments”: Chevron, above, at para 23. The only prerequisite for recognizing and enforcing such a judgment is that the foreign court had a real and substantial connection with the litigants or with the subject matter of the dispute, or that the traditional bases of jurisdiction were satisfied: Chevron, above, at para 27.

[59]           On the principle of comity, Justice Gascon observes that “the need to acknowledge and show respect for the legal action of other states has consistently remained one of the principle’s core components”: Chevron, above, at para 53. In this regard, comity militates in favour of recognition and enforcement. The principle of comity further provides that legitimate judicial acts should be respected and enforcement not sidetracked or ignored: Chevron, above, at para 53.

[60]           In the case at bar, since Romanian authorities have cooperated with the OPC investigation and taken action to curtail the respondent’s activities, the legitimate judicial acts of this Court will not be seen as offending the principle of comity. The respondent was fined for contravening Romanian data protection laws by, among other things, charging a fee for the removal of personal information from The respondent has appealed this fine to a Romanian court. Given the involvement of the Romanian counterpart to the OPCC, this Court’s findings would compliment rather than offend any action that may be taken in a Romanian court.

Justice Mosely also used the occasion to clarify a passage from the Van Breda decision of the Supreme Court which has sometimes mistakenly been read as suggesting that Canadian courts do not have personal jurisdiction (or territorial competence) over persons whose only connections to the Canadian forum are electronic.

[61]           During the OPCC’s investigation, the respondent relied on the Supreme Court’s decision in Club Resorts Ltd v Van Breda, 2012 SCC 17 (CanLII), [2012] 1 SCR 572 [Van Breda] to argue that the PIPEDA did not apply to his activities in Romania. Van Breda concerned two individuals that were injured while on vacation outside of Canada. Actions were brought in Ontario against a number of parties, including Club Resorts Ltd., a company incorporated in the Cayman Islands.

[62]           Club Resorts Ltd., the appellant in Van Breda, argued that the Ontario courts lacked jurisdiction. To determine the issue of jurisdiction, the Supreme Court applied the “real and substantial connection” test. The Court had to consider whether carrying on business in the jurisdiction may also be considered an appropriate connecting factor. Ultimately, the Court found that the notion of carrying on business requires some form of actual, not only virtual, presence in the jurisdiction, such as maintaining an office there or regularly visiting the territory of the particular jurisdiction: Van Breda, above, at para 87.

[63]           However, I note that the Supreme Court was careful to distinguish between traditional categories of business and “e-trade”. Justice LeBel noted that the Court was not asked to decide whether e-trade in the jurisdiction would amount to a presence in the jurisdiction. Had there been a discussion about jurisdiction in the context of e-trade, I would have considered the connecting factors discussed in Van Breda as helpful to the analysis in the case at bar.

[64]           Van Breda was limited to the specific context of tort claims. The Supreme Court was clear that it was not, in that case, providing an “inventory of connecting factors covering the conditions for the assumption of jurisdiction over all claims known to the law”: Van Breda, above, at para 85. The Court was concerned about creating what would amount to forms of universal jurisdiction in respect of tort claims arising out of certain categories of business or commercial activity. As such, Justice LeBel confined the application of Van Breda to limited areas of private international law and international tort: Van Breda, above, at para 87; see also Chevron, above, at paras 38-39; Davydiuk, above, at paras 28-29.

The site operator claimed he was protected by the journalism and publicly available exceptions in PIPEDA. Both the Commissioner and the court easily dismissed those defenses. The court also had no trouble concluding that the collection, use and disclosure of personal information in the decisions on the website was not for an appropriate purpose under subsection 5(3) of PIPEDA.

Having found personal jurisdiction over the respondent website operator, the court then examined whether it had the jurisdiction to make an order with extra-territorial effects. Following recent decisions including the decision of the British Columbia Court of Appeal in Equustek Solutions Inc v Google Inc, 2015 BCCA 265 (CanLII), leave to appeal to the SCC granted [2015] SCCA No 355, the court concluded that the jurisdiction existed and could be exercised on the facts of the case without impinging any concerns related to comity.

[80]           The OPCC supports the applicant’s request for an order requiring the respondent to correct his practices in order to comply with PIPEDA under paragraph 16(a). The respondent not being a resident of Canada does not bar the making of an extra-territorial order where the underlying dispute is within the jurisdiction of the court: Impulsora Turistica de Occidente, SA de CV v Transat Tours Canada Inc, 2007 SCC 20 (CanLII), [2007] 1 SCR 867 [ImpulsoraTuristica] at para 6; Barrick Gold Corporation v Lopehandia et al, 2004 CanLII 12938 (ON CA), [2004] OJ No 2329 (ONCA) [Barrick Gold] at paras 73-77; Equustek, above, at paras 81-99…

[82]           The jurisprudence is clear that courts must exercise restraint in granting remedies that have international ramifications. That said, in some circumstances, courts do issue extraterritorial orders where there is a “real and substantial connnection” between the organization’s activities and Canada: Equustek, above, at paras 51-56.

[83]           The OPCC has presented considerable evidence as to the nature of the respondent’s enterprise based in Romania, and the degree to which it can be said to do business in Canada. As mentioned above, the content of that is at issue is Canadian court and tribunal decisions. The OPCC’s evidence demonstrates that these decisions containing personal information were deliberately downloaded by the respondent from Canadian legal websites, such as CanLII, and republished on Moreover, the respondent has made a profit from Canadians by requiring them to pay a fee to have their personal information removed from the website.

[84]           As noted by the British Columbia Court of Appeal in Equustek, above, at paragraph 85, “[o]nce it is accepted that a court has in personam jurisdiction over a person, the fact that its order may affect activities in other jurisdictions is not a bar to it making an order.” Further, in the context of Internet abuses, courts of many other jurisdictions have found orders that have international effects to be necessary: Equustek, above, at para 95, citing APC v Auchan Telecom, 11/60013, Judgment (28 November 2013) (Tribunal de Grand Instance de Paris); McKeogh v Doe (Irish High Court, case no. 20121254P); Mosley v Google, 11/07970, Judgment (6 November 2013) (Tribunal de Grand Instance de Paris); and ECJ Google Spain SL, Google Inc v Agencia Espanola de Protecciób de Datos, Mario Costeja González, C-131/12 [2014], CURIA.

[85]           I was concerned about the enforceability of any order against the respondent as he and his server are not physically present in Canada. However, having considered the matter I am satisfied that the issuance of a corrective order in Canada may assist the applicant in pursuing his remedies in Romania. Moreover, as argued by the Commissioner, it may assist in persuading the operators of search engines to de-index the pages carried by the respondent web site.

[86]           Paragraph 16(a) of PIPEDA does authorize this Court to grant a corrective order requiring the respondent to correct his practices to comply with sections 5 to 10 of that legislation. Having reviewed the relevant authorities and having found that the underlying dispute is within the jurisdiction of this Court, I do not find that there is either a jurisdictional or a practical bar to granting a corrective order with extraterritorial effects.

The court was also asked to grant declaratory relief that the respondent had contravened PIPEDA, combined with a corrective order, that would allow the applicant and other complainants to submit a request to Google or other search engines to remove links to decisions on from their search results. The OPCC contended that this may be the most practical and effective way of mitigating the harm caused to individuals since the respondent is located in Romania with no known assets. The court agreed and made an order that transcended the complaint before it to cover all decisions containing personal information published by Canadian courts and tribunals on the website. After referring to other cases decided under PIPEDA and the Charter the court stated:

[95]           These cases demonstrate that remedies may transcend the particular circumstances of an applicant where it has been established that an organization’s practices are deficient. In such cases, broadly crafted remedies were required in order to ensure that the organization’s practices going forward did not result in further violations of constitutional and quasi-constitutional rights.

[96]           The request for a systemic remedy in the present matter is supportable because the evidence demonstrates that the effects of the respondent’s actions are not confined to the single applicant named in this application. The OPCC has received a total of 49 complaints relating to Moreover, affidavit evidence filed by the OPCC demonstrates that over 150 complaints have been received by CanLII regarding personal information found on As a result, I agree that the circumstances of this case justify a broadly crafted corrective order pursuant to paragraph 16(a) of PIPEDA.

The Judgment of the court, reproduced below, ordered, among other things, the Romanian operator of the foreign website to remove all Canadian court and tribunal decisions containing personal information from the website and to take steps to remove them from caches of search engines as well.


  1. It is declared that the Respondent, Sebastian Radulescu, contravened the Personal Information Protection and Electronics Documents Act, SC 2000, c 5 by collecting, using and disclosing on his website, (“”), personal information contained in Canadian court and tribunal decisions for inappropriate purposes and without the consent of the individuals concerned;
  2. The Respondent, Sebastian Radulescu, shall remove all Canadian court and tribunal decisions containing personal information from and take the necessary steps to remove these decisions from search engines caches;
  3. The Respondent, Sebastian Radulescu, shall refrain from further copying and republishing Canadian court and tribunal decisions containing personal information in a manner that contravenes the Personal Information and Electronic Documents Act, SC 2000, c 5

As can be seen, the order was not limited to removing access to the personal information to Canadians or to searches from IP addresses in Canada. Nor was the order to remove the decisions from search engines limited to any country domain e.g., or to search engines that make the decisions available only to Canadians. In this regard, the decision is consistent with the interpretation of France’s data protection authority, the CNIL, which fined Google € 100,000  for not removing personal information from all of its search engines after being ordered to remove information about a Spanish citizen in Google Spain SL, Google Inc v Agencia Espanola de Protecciób de Datos, Mario Costeja González, C-131/12 [2014]. It is also consistent with the decision of the EU Article 29 Working Party Guideline which considered, amongst other things, the appropriate territorial scope of de-indexing orders against search engines.

The decision is also consonant with rulings by other courts that have ordered online service providers to remove or disable access to personal information made available over the Internet. For example, courts in France and Germany ordered Google to de-index websites that published personal information violating Max Mosley’s privacy rights. The Court of Justice of the European Union in the Google Spain case referred to above, also ordered Google to de-index information about an individual in the “right to be forgotten” case. The desirability of search engines de-indexing websites to help enforce privacy injunctions was recently also endorsed by the UK Supreme Court in the PJS case.

Most recently, the Irish Court of Appeal in CG v Facebook Ireland Limited [2016] NICA 42 (21 December, 2016) affirmed an injunction ordering Facebook to remove a site posted on Facebook that was used to harass an individual and which involved the misuse of private information. For good summaries of that case, see, Lorna Woods When is Facebook liable for illegal content under the E-commerce Directive? CG v. Facebook in the Northern Ireland courts, Aidan Wills, The Facebook Ireland cases: Intermediary Liability and defences under the E-Commerce Regulations (Part 1, the Judgments )The Facebook Ireland cases: Intermediary Liability and Defences under the E-Commerce Regulations (Part 2).

The decision demonstrates that Canadian courts consider privacy to be an important right and are willing to fashion remedies to ensure these statutory rights can be vindicated online. It also confirms the court’s jurisdiction to make global take down orders against foreign operators of foreign websites to protect privacy. The court’s ruling that Canada’s privacy law PIPEDA can be violated by publishing materials that are lawfully published in a more limited way on another website is also consistent with the Google Spain “right to be forgotten” case and suggests that such a remedy may be available in Canada as well in certain circumstances such as where personal information is made available online for a purpose that a reasonable person would not consider to be appropriate.

This article was originally published on and is republished here with permission.

Is There a Duty of Device Security? U.S. Regulator Fires Warning Shot Over Obligations of IoT Manufacturers

Posted in Internet of Things, Privacy

A complaint filed by the U.S. Federal Trade Commission (the “FTC”) against D-Link Corporation, a Taiwanese computer networking equipment manufacturer, and its U.S. subsidiary (collectively, “D-Link”) is raising questions about the extent of responsibility that networking equipment manufacturers may have for the security of their products, and how much of that responsibility rests with consumers and end users.

On January 5, the FTC filed a complaint in the U.S. District Court in the Northern District of California, alleging that D-Link failed to take reasonable steps to secure its routers and internet-based cameras. The mandate of the FTC is to promote competition and to protect and educate consumers. The agency may file a complaint when it has a reason to believe that the law has been or is being violated, and it appears that proceeding would be in the public interest. The FTC has used its broad mandate to protect consumers from unfair or deceptive practices in the marketplace to investigate privacy and security claims.

The FTC’s media release announcing the lawsuit indicates that the alleged failure on the part of D-Link compromised sensitive consumer information (such as providing live video and audio feeds from private D-Link cameras, or by redirecting a consumer to a fraudulent website). The FTC claims that despite D-Link’s promotional representations about the security of its routers (i.e., “Easy to Secure”, “Advanced Network Security”), the company failed to take steps to address widely known and easily preventable security issues. Security issues with a number of common routers used in businesses and homes have been widely reported in the media in recent months and years.

The FTC’s complaint comes at a formative stage in the development of regulations for the Internet of Things (“IoT”) – a matter we have blogged about before. The FTC has emphasized that the only way for the IoT to reach its full potential for innovation is with the trust of consumers. To that end, it has published guidance on device security protocols and standards for both corporations and consumers. Likewise, it is through FTC litigation such as that brought against D-Link, ASUS, and TRENDnet that the regulator seeks to give force and shape to the obligations of manufacturers over the security of their equipment. This comes at a time when breaches of privacy and security can have further-reaching consequences than ever before, and even the most mundane household products are gaining network-based functionality. With that functionality comes vulnerability.

Like the FTC, the Privacy Commissioner of Canada is tasked with protecting the privacy interests of consumers, albeit with different powers and jurisdiction. The Commissioner recently expressed that there is significant room for improvement with respect to how well companies explain to consumers how Internet-connected devices handle their personal information. It is unclear whether Canadian policymakers will unveil more particularized directives with respect to the IoT.

What is clear is that neither U.S. or Canadian privacy regulators are content to allow manufacturers to wash their hands of responsibility for providing a reasonable level of security and protection on their networked devices and products. The alleged failure of D-Link to address widely-reported and easily-addressed security flaws also points to the need for such manufacturers (and those looking to move into the IoT space) to stay abreast of new security threats and establish formal protocols for managing privacy risks and the legal liability which may follow. The D-Link litigation may serve as a cautionary tale for Canadian manufacturers seeking growth in the U.S. market.

McCarthy Tétrault Celebrates Data Privacy Day, 2017 With New Cybersecurity Risk Guide

Posted in Cybersecurity, Privacy

In celebration of Data Privacy Day, McCarthy Tétrault is pleased to launch the 2017 edition of our newly designed online Cybersecurity Risk Management Guide, to help clients manage data risks in a quickly evolving business environment. 


Data Privacy Day, celebrated on January 28, 2017, is an opportunity for businesses to review privacy and data protection policies, and to consider taking steps to reduce operational and legal exposures that relate to the data being used and accumulated as part of business activity.

Data Privacy Day, or Data Protection Day in Europe, was originally initiated by the Council of Europe. Data Privacy Day occurs each year on January 28th, the day on which the Council of Europe’s data protection convention, known as “Convention 108”, was opened for signature.

The purpose of Data Privacy Day is to raise awareness to the importance of data protection and data privacy, to educate about data related risks, and to inform individuals and organizations on their rights and obligations in connection with their data.

Data Privacy Day is an opportunity to give special attention to the specific data issues of the business, whether through review of existing data protection and privacy policies, creating awareness to privacy among employees and vendors, improving existing cybersecurity systems, or through the mitigation of data and privacy legal exposures.

Importance for Businesses

For businesses, there are many ways in which protection of data is a critical part of operations, including: compliance with applicable data protection laws and regulations; prevention of, and preparation for, data breaches; addressing rights of individuals whose data is held by the business; and managing exposure to legal actions in connection with data.

Key issues to consider, in this regard:

  • The Digital Privacy Act: the Digital Privacy Act, passed into law on June 18, 2015, introduced requirements with respect to the requisite consent by individuals prior to collection of personal information, notification and reporting obligations in the event of data breach (not yet in force, pending approval of regulations), and fines of up to $100,000 per violation of these requirements. These requirements apply to any business which handles personal information in the course of its activity. In addition, under the Digital Privacy Act, the Privacy Commissioner of Canada may make public any information that comes to his or her knowledge in the performance or exercise of any of his or her duties.
  • EU Requirements: Canadian businesses that collect personal information of residents of the EU, may be caught by the EU Data Protection Directive. Adding to the complexity, the General Data Protection Regulation (GDPR) is set to overhaul the EU Data Protection Directive when it comes into force in the spring of 2018. The GDPR will impose significant new obligations on data processors including record keeping, data security, and breach notification obligations. Canadian businesses which offer (including through websites) goods and services to individuals in the EU, or who track user behavior of individuals in the EU, should consider compliance with the GDPR, especially in view of potential fines of up to € 20 M or 4% of annual global revenues.
  • Corporate Governance: the protection of privacy and data raises issues of corporate governance and exposure to legal actions by individuals and corporations (including class actions). Businesses should examine their data protection policies in view of best practices in the industry in which the business operates. In some cases, the relevant best practice applies through mandatory requirements that are applicable to certain types of businesses, or to businesses in certain jurisdictions (for examples, see mutual funds, public corporations and investment bodies).

McCarthy Tétrault’s Leadership in Privacy and Data Management

McCarthy Tétrault’s Cybersecurity, Privacy and Data Management Group is at the forefront of data protection and data incident response. We regularly advise clients from all industries, including energy, resources, power, banking, insurance, health, technology and retail. We have been lead counsel on numerous key public and private cybersecurity responses. We offer a seamless, integrated response through our close partnerships with insurers, IT forensics firms, PR firms and others.

We work with our clients on developing strategies and policies for compliance with applicable requirements, prevention of data breaches, and readiness and response to a breach. Our legal solutions and strategies are designed to drive value while mitigating risk. Whether it is Big Data, data analytics, FinTech, connected vehicles, we have done it.

Our recent acquisition of Wortzman’s, one of Canada’s most respected e-discovery firms, solidifies McCarthys as a leader in meeting its client’s needs in e-discovery, information governance and technology strategy. McCarthy Tétrault’s Information Technology group is ranked Band 1 on Chambers Canada, and we are the only firm in Canada to have more than one lawyer ranked in the area of Privacy & Data Protection.

McCarthy Tétrault Acquires Wortzmans, Canada’s Leading e-Discovery Law Firm

Posted in E-Discovery

On January 4, 2017, McCarthy Tétrault announced it had acquired Wortzmans, Canada’s leading e-discovery law firm.

This acquisition marks another first for McCarthy Tétrault and solidifies its role as an innovative leader in the legal market. The Wortzman team will be integrated into McCarthy Tétrault and Susan Wortzman will join the firm as an equity partner. Wortzmans will continue to operate as a separate e-discovery and managed review service for its clients.

“This announcement is tremendously exciting for our firm,” said Matthew Peters, McCarthy Tétrault’s National Leader of Innovation. “By partnering with Wortzmans, McCarthy Tétrault is putting forward a clear vision for the future of e-discovery, information governance and legal technology strategies. This partnership is an exciting market differentiator – it increases our global reach and strengthens an already powerful platform and market position.”

“Our clients are at the root of what we do and how we do it,” said Dave Leonard, McCarthy Tétrault CEO. “By bringing Wortzmans to our firm, we will be able to focus even more on ensuring we deliver our clients the very best service, even more efficiently and with a greater focus on innovation, technology and results.”

“My team and I are thrilled to be joining McCarthy Tétrault,” said Susan Wortzman. “Together, we can deliver collaborative, innovative and high-quality client services and efficiencies. The future of information and data management in the legal industry in Canada is changing rapidly. With new technologies and more effective, efficient ways to serve clients, our new partnership continues McCarthy Tétrault’s history of cutting-edge innovation.”

About McCarthy Tétrault

McCarthy Tétrault LLP provides a broad range of legal services, advising on large and complex assignments for Canadian and international interests. The firm has substantial presence in Canada’s major commercial centres and in London, UK.

Built on an integrated approach to the practice of law and delivery of innovative client services, the firm brings its legal talent, industry insight and practice experience to help clients achieve the results that are important to them.

About Wortzmans

Wortzmans is one of the first law firms in North America to specialize in the complexities of technology and the law. Since 2007, the firm has provided clients with expert advice and guidance in the areas of e-discovery, information governance and technology strategies.

Susan Wortzman is one of Canada’s most respected e-discovery lawyers. Her practice focuses on providing e-discovery and information management advice to law firms and corporations. She works extensively with clients on litigation, tribunal and regulatory matters, including Competition Bureau matters. Susan Wortzman also advises on information governance and privacy issues.


Fintech Regulatory Developments: 2016 Year in Review

Posted in FinTech
Kirsten ThompsonAna BadourHeidi GordonLaure FouinJessica Firestone

This year was a tremendously active year for Fintech in Canada and internationally, and 2017 promises to be even more so.  In the Fall of 2016, we co-authored a comprehensive report together with the Digital Finance Institute, “FinTech in Canada: British Columbia Edition” on the state of the Canadian Fintech ecosystem, highlighting a number of the then-current industry and regulatory developments.  As we head into 2017, we provide a brief summary of some of last year’s Fintech regulatory developments in Canada and globally, and some developments to watch for in the upcoming year.

Canada – Federal

In May 2016, the Competition Bureau announced the launch of a market study on Fintech.  This study is intended to explore whether regulatory reform is necessary to promote innovation while also ensuring consumer confidence.  The Competition Bureau is expected to publish its report in the Spring of 2017.

On August 26, 2016, the Department of Finance Canada announced its launch of a two-stage consultation process on the federal financial sector legislative and regulatory framework.  It provided a consultation document containing an overview of the landscape of the Canadian financial sector and describing the current trends and regulatory environment in Canada.  The Department of Finance Canada asked stakeholders to provide those submissions by November 15, 2016 as part of the first stage of its consultation process.  Those submissions will shape the policy paper that it will publish in 2017 as part of the second stage of its consultation process.

A number of other developments also occurred that will affect or affected Fintech entities.  On the payments front, Payments Canada is currently undergoing a modernization project to modernize the Canadian payments system, as detailed further in its consultation paper issued in April 2016.  There were also a number of developments with respect to anti-money laundering (“AML”) requirements in Canada, including the issuance of amendments and new guidance with respect to identification requirements and dealing with politically exposed persons.  In addition, the Financial Action Task Force released its Mutual Evaluation Report for Canada in September 2016.  While the report indicated that Canada’s existing AML regime is generally strong, it noted that the quality of AML practices lag in a number of sectors, including in money services businesses.  It also identified open loop prepaid cards, white label ATMs and virtual currencies as inadequately covered by the AML regime and stated that upcoming amendments to the AML regime will be introduced to address these.

With the increase in electronic and digital payments, the Office of the Privacy Commissioner of Canada (the “OPC”) began to take an interest in this area as well, recently publishing a consumer guide to privacy considerations with respect to a number of different payment mechanisms.  The stakes could be higher in 2017 for companies using personal information, as it is widely expected that the draft regulations for the federal privacy legislation in respect of mandatory breach reporting, recordkeeping, and penalties will be published, and potentially implemented shortly thereafter.  Finally, subsequent to the OPC’s consultation and review of consent to the use of personal information (particularly in the context of data analytics and big data, both of which underlie many Fintech initiatives), we expect that the OPC will make recommendations to Parliament on this issue.  These issues will become increasingly important in the financial sector as both incumbents and newer entrants seek to share personal information, either on a proprietary basis or via an Open Application Program Interface (“API”) model.


In January 2016, a new equity crowdfunding regime came into effect in Ontario (with similar regimes introduced in Québec, Manitoba, New Brunswick and Nova Scotia).  It gave companies access to a bigger pool of investors by allowing them to raise money online through a registered crowdfunding portal from Canadians looking to make equity investments.  Under this regime, Ontario “everyday investors” can make crowdfunding investments of up to $2,500 per investment (capped at $10,000 annually) and Ontario accredited investors (i.e. those who meet certain asset and income thresholds) can make crowdfunding investments of up to $25,000 per investment (capped at $50,000 annually).

In October 2016, the Ontario Securities Commission (the “OSC”) launched OSC LaunchPad, the first Fintech hub for a Canadian securities regulator, seeking to engage with Fintech companies to help them navigate securities regulation and support them through the authorization process.  The OSC also announced it had signed an agreement with Australia’s financial regulator to allow Fintech companies based in Ontario and Australia to leverage the combined resources of the Ontario and Australian regulators as the companies look to operate in the other’s market.

The OSC also announced in November 2016 that it was seeking applications for a Fintech advisory committee.

Additionally, the OSC had an active year of working directly with Fintech companies to help pave the way for them to operate within the existing regulatory framework imposed by the OSC.  Vault Circle (a subsidiary of Lendified) became Canada’s first digital lending platform to receive an exempt market dealer license from a Canadian securities regulator.  That license enables Vault Circle to present lending opportunities to Ontario investors who qualify as accredited investors.  Lending Loop became registered as an exempt market dealer in Ontario (and all other Canadian provinces), enabling Lending Loop to operate a peer-to-peer lending platform that connects small businesses seeking financing with Canadian investors (who need not be accredited investors) looking for alternative investing opportunities.  AngelList received novel exemptive relief from the OSC, enabling it to operate (under a two-year trial program) a platform that brings together syndicates of investors with startup companies in need of financing, provided the investors and startups each meet certain criteria imposed by the OSC.

In addition, Ontario reiterated its intention to proceed with a new provincial financial services regulator, the Financial Services Regulatory Authority of Ontario, which will replace and consolidate existing regulators in the financial services space.  It announced consultations to identify any “unclear, outdated, redundant or unnecessarily costly” financial services or insurance regulation in Ontario.  The consultation process will remain open until January 31, 2017, and the Ontario Government will publish its findings on July 31, 2017.


In June 2016, the Québec Autorité des marchés financiers (“AMF”) announced that it created a Fintech working group mandated with analyzing technological innovations in the financial sector and anticipating regulatory, market efficiency and consumer protection issues.  Québec follows an integrated regulator model, thus the AMF oversees insurance, deposit institutions, securities, derivatives, distribution of financial products and services, as well as the financial planning sectors.  The AMF Fintech working group can examine how Fintech impacts all of these sectors individually and as a whole.  The AMF announced the eleven members of the AMF Fintech working group in December 2016; in line with the group’s focus on engaging with the industry, most of the members represent industry stakeholders involved in financial sector technological innovations.


Globally, the major development in 2016 was the increasing popularity of “regulatory sandboxes”, which seek to create a regulatory “safe space” in which businesses that qualify can test innovative products and services without immediately incurring all the normal regulatory consequences of engaging in such activity.  The United Kingdom’s Project Innovate for example features a regulatory sandbox, as well as an advice unit and an innovation hub.  A number of other jurisdictions also moved forward with regulatory sandboxes, including Australia, Switzerland, Singapore and Hong Kong.

There were a number of important developments in the United States in 2016 as well.  In particular, on December 2, 2016, the Office of the Comptroller of the Currency (the “OCC”) announced that it would move forward with considering applications from Fintech companies to become special purpose national banks.  The OCC published a paper discussing the issues and conditions that it will consider in connection with such applications.  Comments on the paper are due on January 15, 2017.  In addition, the Consumer Financial Protection Bureau (the “CFPB”) also has in place its Project Catalyst aiming to promote consumer-friendly innovation and is engaging with key stakeholders and other government agencies and hosting “office hours” as outreach for the Fintech community.  The Director of the CFPB also made headlines at Money20/20 when he endorsed the concept of “open data” in the financial context and stated that the CFPB is “gravely concerned” that financial institutions are limiting or shutting off access to financial data, rather than “exploring ways to make sure that such access…is safe and secure.”

What to Watch for in 2017

  • The Competition Bureau is expected to publish the results of its market study in the Spring of 2017.
  • The Department of Finance is expected to release its policy paper on the federal financial sector legislative and regulatory framework in 2017.
  • Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “PCMLTFA”) may be introduced in 2017 in respect of, among other things, open loop prepaid cards and virtual currencies. In particular, the PCMLTFA was previously amended in 2014 to specifically extend the definition of “money services businesses” to include “persons dealing in virtual currencies”, but the regulations implementing this change remain outstanding, even as virtual currencies have become more popular.
  • In Europe, the first real steps toward implementing the Directive on Payment Services (“PSD2”) Access-to-the-Account provisions will occur in 2017. The provisions will require banks to provide standardized API access to third parties under the auspices of the European Banking Authority.  This is a significant shift toward the creation of an Open Banking ecosystem.

For more information about our firm’s Fintech expertise, please see our Fintech group page.

Blockchain And Privacy: Transparency And Innovation Pose Challenges for Data Protection

Posted in FinTech, Privacy
Anaïs GalpinCharles Morgan

A blockchain is a peer network of nodes that use a distributed ledger that can be used to track transactions involving value including money, votes, property, etc. The most well-known application of blockchain technology is bitcoin. Transactions on a blockchain are not regulated by any central counterparty: the individuals involved in a given transaction provide their information (including personal information), a record is created that can be verified by nodes in the network. In this sense, the users forming the community act as their own regulators.

In its openness, blockchain technology is full of new opportunities to transact in different ways. However, in the case of a public blockchain, in order to allow security and certainty, every transaction is recorded on a publicly available ledger and the disclosed transaction information is unalterable. This latter rule is one of the most fundamental in the functioning of blockchain. Indeed, data can only be added to blockchain, rather than removed (as each node contains a replication of the blockchain). If a change is applied to a node, such change would be rejected by the other nodes in the network. It provides a great certainty over the time within the chain of transactions. Altering a node would be like activating a time machine: it is impossible not to change the present if you alter the past, the entire chain of information is thus modified.

Although the above is justifiable from a technological standpoint (an can even facilitate anti-money laundering measures), blockchain’s inalterability can raise issues for individuals who wish to protect their privacy (including as regards the nascent and evolving “right to be forgotten”, which is recognized in some jurisdictions). For example, what is an individual supposed to do if the publicly disclosed information she provided in order to complete a transaction becomes inaccurate or if the publicity of her information one day creates an important risk to her safety? Changes in people’s lives could trigger this individual need for an alteration of the information stored in blockchain ledgers, such as insolvency, criminal records, change of name, change of gender, etc. As such, given the decentralized nature of blockchain, how could a court order a change in blockchain the same way it would order a web page to disappear from Google search results?

In this regard, a distinction should be made between anonymity and privacy. Some have argued that bitcoin, even though not private, is anonymous. Indeed, the email address provided when registering for a Bitcoin transaction may be any email address and as such, the link to personal information of the user, such as his name or birth date, may be avoided. However, bitcoin is more accurately described as as pseudo-anonymous. As the Office of the Privacy Commissioner explained in one of its few publications on the topic of digital payments and privacy:

…some people suggest virtual currencies can be used to make purchases anonymously. This isn’t necessarily true because the digital trail associated with these currencies can still be tied to an individual, although the trail usually consists only of transaction records rather than personal information. To set up an account in order to use these virtual currencies, however, you may be required to provide some personal information, such as your name, credit card information, banking information, driver’s licence, utility bill or even passport information. While the anonymity of digital currencies may limit the exposure of details related to your payment information, retailers can still combine your purchase information with other information they have such as your name, email address, purchase history or rewards/loyalty points you have with the store.

Even though some technological solutions are under consideration to address privacy challenges with respect to the use of blockchains and to design blockchains that are protective of privacy—such as data encryption or the use of timestamps for information held elsewhere, there could still be a potential benefit to regulatory guidance on privacy matters relating to blockchain technology.

Regulatory developments in respect of digital currencies in Canada have to date mostly been limited to anti-money laundering and taxation matters.  However, there is a growing interest in blockchain technology in Canada  by various industries including major financial institutions and the Bank of Canada, which is running experiments on interbank payment systems “to build a proof of concept wholesale interbank payment system using a distributed ledger”, as stated by Deputy Governor Carolyn Wilkins.

In addition, certain securities regulators (such as the OSC and the AMF) are in the process of forming committees to consider Fintech matters.  In this context, ensuring data protection in connection with the use of blockchain technology could become an important regulatory consideration going forward.

For more information about our firm’s Fintech expertise, please see our Fintech group‘s page.

Transport Canada Launches Online “Drone Incident” Reporting Tool

Posted in Regulatory Compliance, UAVs
Kirsten Thompson

Transport Canada has announced the launch of a new incident-reporting tool “to keep Canadians safe from reckless drone use.”

The new online reporting tool will allow people to report drone “incidents” from their mobile phones and will help Transport Canada “gather valuable information that will assist inspectors with investigations.” It serves as a single-entry-point for drone incident reporting but is not intended to replace the existing official aviation incident reporting systems, such as the Civil Aviation Daily Occurrence Reporting System (CADORS).

Along with basic information such as date and location of the incident, the online form asks the following questions:

  • Was the drone flying near an aircraft?
  • Was the drone flying at a high altitude?
  • Was the drone flying close to an airport/aerodrome (helipad, heliport, seaplane base, etc.)? and
  • Did the drone fly close to or over the following zones? (such as a populated area; home/private property; crowd (sporting event, concert, festival); forest fire; moving vehicles, highways, busy streets, bridges, etc.)

Complaints are also asked to provide a description of the drone (helpful drone silhouettes are provided) and a description of the operator. The form also asks the complainant whether they have “gathered evidence” such as photos or video. Complainants have the option of reporting anonymously.

In the last twelve months, Transport Canada has increased its scrutiny and supervision of drones (also known as unmanned air vehicles (UAVs)) and, according to its backgrounder on the issue, has focused on a number of key areas, including:

Revising and/or increasing regulations for drone operators: In spring 2017, Transport Canada will publish proposed regulations in Canada Gazette, Part I, for small drones (25 kilograms or less) that are operated within visual line-of-sight. This category of drone was previously exempt from specific regulation. Transport Canada has said that the proposed changes will introduce more flexible and clear rules for all drone operators. The public will have the opportunity to comment on the proposed regulations before they come into force. Proposed changes include:

  • new flight rules
  • aircraft marking and registration requirements
  • knowledge testing
  • minimum age limits
  • pilot permits for certain UAV operations

Simplifying rules for commercial operators with two new exemptions:  Commercial and research drones were already subject to regulations, but Transport Canada will issue two new UAV exemptions for non-recreational operators that will replace the existing exemptions, which expired on December 21, 2016. These new exemptions will allow UAV operators flying for work or research to conduct lower-risk operations without having to apply for a Special Flight Operations Certificate (SFOC). The new exemptions will allow operators to fly closer to built-up areas and smaller aerodromes as long as they comply with strict safety conditions and notify Transport Canada before flying. Detailed information regarding the new exemptions will be available on TC’s drone safety webpage when the exemptions come into effect on December 22, 2016;

Announcing a new commercial drone test site in Alberta: On November 3, 2016, the Minister announced that the Village of Foremost, Alberta together with the  Canadian Centre for Unmanned Vehicle Systems (CCUVS) in Lethbridge, Alberta had established the Foremost Centre for Unmanned Systems based out of the Foremost Aerodrome. The site will support research and development and provide the industry with dedicated, restricted airspace where they can test UAVs beyond visual line of sight;

Partnering with retailers to provide safety information at the point-of-sale: Participating manufacturers have agreed to include a Transport Canada safety card with every drone they sell. Participating retailers have agreed to provide a link to the department’s drone safety webpage on their respective websites; and

Launching a “No Drone Zone” public awareness campaign: In June, 2016 the Ministry launched a No Drone Zone public awareness campaign that focused on partnering with airports and other organizations to educate Canadians about drone safety. Transport Canada also introduced “No Drone Zone” signs and has worked with 20 organizations to install over 100 of these signs in and around airports, the backgrounder said.


According to Transport Canada, anyone who operates a drone in a reckless and negligent manner, violates controlled or restricted airspace, or endangers the safety of manned aircraft could face fines of up to $25,000 and/or jail time. If an operator does not follow the requirements of their SFOC, Transport Canada can issue fines of up to $3,000 for an individual and $15,000 for a business.