Category: Privacy

Proposed Privacy Class Action “Collapses in its Entirety” on Commonality

May 8, 2019

On May 7, 2019, in Kaplan v. Casino Rama Services Inc. (Kaplan), the Ontario Superior Court of Justice refused to certify a privacy class action arising out of a criminal cyberattack that included allegations of breach of privacy, breach of contract and negligence. The decision comes on the heels of another recent decision denying certification of a privacy class action,…

Under Cyberattack: How Can Canadian Directors Mitigate Liability?

April 25, 2019

Several former Yahoo! Inc. executives recently settled a derivative action for US$29-million, following data breaches from 2013 and 2014 that compromised approximately three billion accounts. Given the absence of Canadian case law on director liability in the context of a data breach, prudent directors may gain an advantage by reviewing U.S. case law and adapting their strategy and approach to…

OPC Proposes a Reversal in its Approach to Transfers of Personal Information to Service Providers for Processing

April 10, 2019

On April 9, 2019, the Office of the Privacy Commissioner of Canada (OPC) played a belated April Fools’ joke. They launched a consultation on transborder data flows in which they indicated that they were revisiting their long-held position that a transfer of personal information to a service provider for processing does not require consent from the individual, and now propose…

2019 Legal Trends: Cybersecurity

March 26, 2019

As part of our quarterly series on current trends across different industries, our first article for 2019 looks at the current landscape of cybersecurity and highlights key legal trends and developments. We also offer some practical advice on what businesses can do to equip themselves and mitigate their risk in this constantly evolving space. 

OSFI Releases Advisory on Technology and Cybersecurity Incident Reporting Obligations

January 28, 2019

On January 24, 2019, the Office of the Superintendent of Financial Institutions (OSFI) published the Technology and Cybersecurity Incident Reporting Advisory (Advisory) applicable to all federally regulated financial institutions (FRFIs). The Advisory creates new incident reporting obligations for FRFIs and is effective as of March 31, 2019. Service providers to FRFIs should also familiarize themselves with FRFIs’ obligations under the…

What to Expect Come November 2018: Privacy Commissioner’s Final Guidelines on Mandatory Breach Reporting under PIPEDA

October 30, 2018

On October 29, 2018, the Office of the Privacy Commissioner of Canada (OPC) published the final guidance intended to assist organizations in complying with the mandatory breach reporting and record-keeping requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA), which come into effect on November 1, 2018. As of November 1, organizations subject to PIPEDA will be required to notify…

Privacy Commissioner Publishes Draft Guidelines for Mandatory Breach Reporting under PIPEDA

September 19, 2018

On September 17, 2018, the Office of the Privacy Commissioner of Canada (OPC) published draft guidelines on mandatory breach reporting under the Personal Information Protection and Electronic Documents Act (PIPEDA). The guidelines are intended to assist organizations in meeting their breach reporting and record-keeping obligations under PIPEDA’s mandatory breach reporting regime, which comes into force on November 1, 2018. Organizations…

Does the Public Have the Right to Know Who the Top Billing Doctors Are?

August 10, 2018

The public has a right to know the names of Ontario’s top billing doctors, the Ontario Court of Appeal (Court) ruled on August 3, 2018 in Ontario Medical Association v. Ontario (Information and Privacy Commissioner). The Court upheld the Information and Privacy Commissioner’s (IPC) decision to release the names of top billing doctors, finding that a person’s gross business or…

What the GDPR Means for Canadian Businesses

May 15, 2018

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will come into force. Though not a Canadian law, the GDPR will apply to Canadian businesses that offer goods or services to, or monitor the behaviour of, EU residents. Canadian businesses that process personal information on behalf of organizations located in the EU will also be impacted.  The…

Federal Data Breach Reporting Regulations Published – Take Effect November 2018

April 18, 2018

The final Breach of Security Safeguards Regulations (Regulations) under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) were made on March 26, 2018, and published on April 18, 2018. The Regulations set out prescribed requirements for mandatory breach reporting, which will come into force on November 1, 2018. BACKGROUND In 2015, amendments to PIPEDA (in the Digital Privacy…