Cybersecurity, Privacy and Data Protection VI
In this series of blogs, we will share the sections on Corporate Transactions, Personal Health Information, Penalties, Canada's Anti-Spam Law and Policy Initiatives in Canada of a privacy program, taken from the chapter Cybersecurity, Privacy and Data Protection of our publication Cross Border Retailers Guide To Doing Business in Canada 2021.
Corporate Transactions
Brands that acquire or invest in other businesses, or that may be acquired or are seeking investments, have a heightened need to consider privacy compliance. Prospective buyers and investors may scrutinize the privacy compliance policies and practices of the target organization, which increases the need for a robust compliance program. As a prospective buyer, an organization needs to ensure it is not acquiring an organization that has poor practices, an unknown data breach, or personal information that is unusable due to lack of consent.
The transaction itself may involve the disclosure of personal information from buyer to seller, including in the due diligence phase. While disclosure generally requires consent, there are statutory exemptions from the consent requirement for disclosure for due diligence and the consummation of the transaction. However, the exceptions are conditional on meeting certain requirements, which can include notifying the individuals post-closing and including certain provisions in the transaction documents.
Personal Health Information
Owing to its sensitive nature, personal health information may have different or additional standards or laws applied to it. Certain provinces (namely Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador) have legislation dealing with health information that supplants (and applies instead of) the general privacy law applicable in the province with respect to personal health information. Certain other provinces have also passed health privacy laws, except that they apply alongside the general privacy law applicable in the province (and in those provinces both laws may apply to personal health information in the province). The landscape for personal health information in Canada is more complex than in other areas, so brands should check whether the information they handle constitutes personal health information and, if so, determine which laws apply to their specific situation.
Penalties
Failure to comply with privacy laws can result in orders and fines issued by the relevant provincial or federal Privacy Commissioner. Privacy Commissioners may choose to investigate a matter of their own accord or in response to a submitted complaint. Depending on the industry, other regulators may become involved with privacy matters, including securities, financial institutions, and public health regulators.
In addition to regulatory enforcement, those affected by privacy breaches may be able to bring a lawsuit as individuals or as members of class actions. The cause of action available to aggrieved individuals will depend on the laws of the relevant province. British Columbia, for instance, has a statutory tort for invasion of privacy that requires willful intent but does not require proof of damage, while Ontario has a common-law tort of breach of privacy that applies to general personal information.
Several consumer class actions have been commenced in Canada in the wake of a data incident, including specific claims against consumer products manufacturers in relation to over-collection by their internet-connected devices, and claims by employees whose personal information was lost or stolen. These actions have not yet been fully considered by Canadian courts and, as a result, questions regarding the legal validity of the causes of action that were advanced, and the scope of possible damage awards, remain largely open. There is also the possibility that a data breach of an organization could lead to legal action from its shareholders alleging that the organization’s continuous public disclosure as to the state of its cybersecurity systems was misleading. Such a shareholder class action has not yet been brought in Canada.
Both consumer and shareholder class actions will almost always be brought in provincial (as opposed to federal) courts, and it is possible the data incident of a brand could lead to multiple Canadian class actions that span different provinces where people were affected. In light of the complexity of privacy laws and the differences between the various laws that may apply to an organization or to a particular business unit, ensuring privacy compliance across an organization’s departments may be challenging, particularly for organizations that operate globally. Organizations must also keep in mind that in addition to fines, orders, and private actions, a data incident due to deficient privacy practices may risk reputational harm that leads to further financial loss.
Canada’s Anti-Spam Law [4]
Canada has legislation that specifically addresses the sending of commercial electronic messages. It also applies to the installation of computer programs, which can be a trap for unwary device manufacturers.
See E-commerce. For an in-depth explanation of CASL, see our AntiSpam Toolkit available on our website.
Privacy Law Reform Initiatives in Canada
There are a number of very significant legislative efforts underway in Canada to amend or replace key privacy laws, including:
- federal Bill C-11, introduced in November 2020, which would replace PIPEDA with a new “Consumer Privacy Protection Act” and “Personal Information and Data Protection Tribunal Act”; and
- Québec’s Bill 64, introduced in June 2020, which would overhaul Québec’s current private sector privacy law.
There are also other reform initiatives that are being discussed by various governments in Canada. The ultimate fate of these bills and initiatives remains to be seen, but it does seem likely that the legislative framework for privacy in Canada will change significantly over the coming months and years.
Brands operating or selling in Canada, or considering doing so, can check out McCarthy Tétrault’s blog on cybersecurity, privacy, and data protection law to stay updated on new developments and policy advancements: www.mccarthy.ca/en/insights/blogs/cyberlex.
[4] An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23.