To stay ahead of the curve, businesses need to navigate risks associated with new technologies and unlock their value-generating potential. McCarthy Tétrault’s cross-practice approach and national presence will provide you with a 360° view of data and cyber strategy and deliver practical solutions that work for you.
Beyond the novel legal, ethical, and technological implications arising from artificial intelligence (AI)enabled technologies and the risks associated with the data they collect, organizations must be prepared for sophisticated cyber attacks and the potential for catastrophic financial and reputational damage from data breaches.
With immense experience in privacy, AI, cybersecurity, data protection, and information governance and a significant track record in advising clients across industries on novel and complex areas of law, McCarthy Tétrault’s Cyber/Data Group can help you protect and exploit your digital assets, leverage the value of data, and develop responsible AI practices, all while cementing digital trust.
Why McCarthy Tétrault
Our team works seamlessly across borders, advising global organizations on some of the largest cybersecurity incidents and regulatory investigations in Canadian history.
- Comprehensive cross-practice solutions: Our multidisciplinary team includes commercial and regulatory lawyers as well as top-ranked commercial and class action litigators with hands-on experience dealing with data breaches and privacy violations.
- Single access point: Our tightly integrated, full-service platform ensures you’ll have access to all our capabilities across practices and industries including competition law, healthcare, retail, financial services, and technology.
- Hands-on AI expertise: Our experience implementing AI solutions for legal service delivery positions us among the most innovative firms in the world. We leverage our direct experience to dig deeper in helping our clients conduct their due diligence, mitigate AI transactional risks, and implement mature AI governance processes consistent with international best practices.
- Unparalleled thought leadership on responsible AI: As privacy, cyber, data, and AI experts, members of our group are regularly invited to contribute to publications, and speak at global privacy, data and cybersecurity conferences. Recent examples include:
- Responsible AI: A Global Policy Framework
- Responsible AI: 2021 Update
- Technology Governance in a Time of Crisis
- The Canadian chapter of the Global Privacy and Security Law
- Artificial Intelligence, Law Over Borders Comparative Guide 2022
- ITechLaw AI Green Paper – The EU AIA
Our group also keeps clients and the industry up to date through regular contributions to McCarthy Tétrault’s Techlex blog.
- Unrivaled Capabilities: Our Cyber/Data Group leverages people, processes, and technology to work seamlessly with our market-leading and award-winning MT>Divisions, including MT>3, our e-Discovery, information governance, and breach analysis division, and MT>Version, our legal translation division.
Privacy Law Leaders
Privacy law in Canada is transforming from a “name and shame” regime to one where regulators wield severe fining powers and class actions are common. Organizations need strategies and structures to not only meet these challenges but thrive in a rapidly evolving marketplace.
Building and preserving trust in your organization’s ability to maintain user privacy and protect personal data is a business imperative. The reputational and monetary costs of non-compliance with the web of regional, national, and international laws and regulations is a business-critical need.
Our Cyber/Data team’s unique combination of privacy-focused legal, technical, and regulatory expertise can help you navigate this complex, highly regulated area. Our multidisciplinary approach ensures that you will receive comprehensive, practical advice tailored to your specific circumstances. We can help you reduce the risk of privacy breaches, avoid legal and regulatory sanctions, and improve your overall compliance with data privacy laws.
Our full suite of privacy law-related services includes:
- Implementing multijurisdictional privacy and data protection compliance programs to meet the demands of strict new privacy legislation.
- Assisting with the conduct of privacy due diligence and risk mitigation in the context of M&A or complex commercial transactions.
- Defending privacy and cybersecurity class actions.
- Responding to regulatory investigations and complaints (privacy commissioners in all jurisdictions across Canada, the Competition Bureau, and the CRTC), including commencement of judicial reviews where advisable.
- Conducting internal investigations into potential privacy or data protection incidents.
- Negotiating data processing agreements.
- Conducting privacy impact assessments, including for cross-border data transfers.
- Assessing compliance with data protection laws.
- Serving as “virtual CPO”.
- Advising (through MT>3) on technological solutions that may be leveraged for privacy compliance efforts, including for consent management and document retention.
- Assisting with the development of data retention and information governance policies.
- Advising on data trusts, data sharing, and data licensing agreements.
- Advising on identity management solutions.
- Protection of data litigation (scraping, breach of confidence, copyright compilations).
Comprehensive Cybersecurity and Data Breach Advice
Cyber attacks and data breaches can impact your organization’s finances, operations, and reputation, making it critical to understand the legal risks you face, and more importantly, how to mitigate them.
Whether you’re proactively working to improve your cybersecurity posture or you’re in the midst of a breach, you can expect immediate benefits and advantages when you engage McCarthy Tétrault’s Cyber/Data Group. Our customized, proactive approach combining deep hands-on experience with our legal and technical expertise will provide you with practical strategies that minimize your risk.
We can meet all your legal advisory needs related to Cybersecurity including:
- Acting as breach coach in cyber responses, including providing regulatory notifications, protecting privilege, and engaging with incident response experts (forensics experts, ransomware negotiators, PR, GR, and call centre).
- Proven class-action defence capabilities across Canada, including for complex cross-border incidents.
- Assisting with the conduct of cybersecurity due diligence and risk mitigation in the context of M&A or complex commercial transactions.
- Proactive and reactive ransomware strategies.
- Assisting with the implementation of cyber readiness and incident response processes.
- Advising on cyber insurance.
- Developing incident response plans and protocols.
- Implementing “real risk of significant harm” or RROSH analysis for complex privacy or cyber incidents.
- Assisting in relation to investigations by regulatory authorities post cyber incident.
- Assisting with post-incident remediation efforts.
At the Vanguard of Artificial Intelligence Law
The integration of AI technology across the world continues to accelerate. Companies across sectors are deploying AI-enhanced technologies that are changing the way their businesses run. However, while these transformative technologies present unprecedented opportunities for efficiency and growth, their risks are equally significant.
We understand deploying AI requires a comprehensive, principles-based approach that incorporates legal, ethical, and societal considerations. Our team will not only help you navigate legal and competitive challenges, but also consider the broader implications of AI usage in your specific organization.
Our group is at the forefront of legal developments in this fast-moving space. We regularly contribute to well-regarded publications and we will make sure you stay ahead of the curve through our thought leadership and active participation in legal developments that are transforming the AI landscape. Scroll to the bottom of this page to see a full list of recent publications authored by our Cyber/Data team.
Our unique combination of hands-on AI-implementation experience, combined with our deep expertise in privacy, cybersecurity, intellectual property, and commercial transactions will provide you with an approach that leverages the benefits of AI, minimizes potential risks, and keeps you ahead of the regulatory curve.
Our full suite of Artificial Intelligence related services includes:
- Assisting with the conduct of AI-related due diligence and risk mitigation in the context of M&A or complex commercial transactions.
- Assisting with the implementation of responsible AI governance processes.
- Responding to privacy or intellectual property challenges associated with AI.
- Interacting with regulators asserting jurisdiction over AI processes.
- Developing and implementing algorithmic impact assessments.
- Advising on data readiness and bias risk for training data.
- Advising on data trusts, data sharing, and data licensing agreements.
- Advising on constraints on the use of automated decision-making systems.
- Assistance in the categorization of “high risk” and “high impact” AI-systems.
- Advising on platform liability risks.
- Class action defence.
Selected Experience
- Advising a leading Canadian financial services company on its response to the largest financial services sector data breach in Canadian history.
- Assisting a leading Canadian health services provider, regarding its response to the largest data breach in Canadian history.
- Acted for major Canadian retailers regularly advising on multi-jurisdictional privacy and data-related issues in relation to their operations throughout Canada.
- Advising a participant in the $250 million SCALE.AI supercluster initiative to bring AI-enhanced solutions to help solve complex supply chain management challenges.
- Advising a leading national retailer in relation to the development of a new, AI-enhanced, integrated e-commerce platform, warehousing (automated pick and pack), and logistics platform to serve third-party retailers.
- Advising a leading pharmaceutical company to develop and implement a responsible AI governance policy.
- Assisting a leading public sector utility to develop and implement a data anonymization policy as part of a strategic lake project.
- Acting for a leading Canadian insurance company on both data breach/cyber incident response and the subsequent investigations by privacy commissioners.
- Acted for Home Depot on both the regulatory and the multi-jurisdictional class action proceedings in Canada with respect to the data breach affecting 54 million North Americans. We were successful in convincing the federal privacy commissioner that the retailer had not violated Canadian privacy laws, and in settling the class action at minimal cost ($250,000 settlement).
Québec Privacy Compliance Toolkit
Designed to help you comply with Law 25, and help your organization understand the new layer of regulation that Bill 64 has added on top of prior federal and provincial obligations.
Cookies Regulations: An International Outlook
Providing a global perspective with authors from Canada, Germany, China, France, Hong Kong and the UK, this article focuses on regulations specifically governing cookies and provides a closer look at how cookies and similar technologies are regulated in some different jurisdictions in the European Union and around the world. Canada Chapter authored by Cyber/Data co-Lead, Charles Morgan.
Gary Cywie, Charles Morgan, Fabrice Perbost, Alexander Brandt, Padraig Walsh, Jun Yang and Eduardo Ustaran, ‘Cookies Regulations: An International Outlook’, Revue internationale de la propriété intellectuelle et du droit du numérique, 13 (Luxembourg, Legitech, 2023), 1-11
Artificial Intelligence, Law Over Borders Comparative Guide 2022
Giving clarity to the shifting AI regulatory landscape, McCarthy Tétrault has written a chapter in the first edition of Artificial Intelligence, Law Over Borders Comparative Guide 2022. This publication is one of the first to provide a multijurisdictional perspective on the most recent developments concerning the implementation of nascent AI regulatory frameworks.
iTechLaw AI Green Paper – The EU AIA
Charles Morgan, alongside an extraordinary group of ITechLaw Association thought leaders, published Responsible AI: The EU AIA: Green Paper Policy Analysis A Global Policy Framework, a commentary on the forthcoming EU European Commission Artificial Intelligence Act (AIA). A product of work from 34 lawyers in 32 law firms across 14 international jurisdictions, the report is intended as a companion guide to ITechLaw’s Responsible AI Framework and is a formal benchmarking of the EU's AIA against ITechLaw's own Responsible AI Principles.
Data Altruism: Data Serving the General Interest
*Currently available in French only*
As board member of the Institute of Technology for Humanity - Montreal , Charles Morgan participated in a working group that drafted the report “Data Altruism: Data Serving the General Interest” published by Human Technology Foundation (HTF) and Sopra Steria Next. The detailed report explores the various “success factors” that will help leverage and amplify the societal benefits of the nascent “digital altruism” regime under the EU Data Governance Act.
Global Privacy & Security Law (Canada Chapter)
Global Privacy and Security Law provides a thorough and practical explanation of the different aspects of information privacy and security, the major drivers that shape the development of modern data protection laws, and clear analyses of the specific regulations of key countries around the world.
Canada Chapter authored by Cyber/Data Co-Lead, Daniel Glover.
Responsible AI: A Global Policy Framework
An in-depth review of the eight policy principles related to ethical guideposts that encourage the responsible development, deployment, and use of artificial intelligence.
Book edited and co-authored by Cyber/Data Co-Lead, Charles Morgan.
Cybersecurity Risk Management: A Practical Guide for Businesses
Where there is data, there is the potential for data loss. How an organization prepares for and manages a data incident will have a measurable impact on the outcome. A data incident that could potentially cost millions of dollars and shatter an organization’s reputation can, if handled effectively, be brought under control and have a significantly reduced impact.
Anti-Spam Toolkit
Designed to help you understand the law and adapt your business where necessary, as well as helpful tools to use in compliance programs to assist your legal team with compliance efforts.
Unlocking Digital Identity
This report rigorously examines the ethical, regulatory, and socio-economic dimensions of digital identity technologies, emphasizing the critical need for trust, inclusiveness, and individual empowerment. The Human Technology Foundation assembled an international working group of policy, legal, technology, and identity specialists, including McCarthy Tétrault’s Cyber/Data team members Jade Buchanan and Charles Morgan, to navigate this complex landscape.
The findings, based on key use cases like online protection of minors, health, electronic voting, and generative AI content authentication, underscore a pivotal moment in our journey toward a digital future.
Awards & Rankings
Chambers Canada
Leading Firm - Privacy & Data Protection
Report on Business: Canada’s Best Law Firms 2022
Areas of Distinction – Cyber Security & Data Protection
Benchmark Canada Awards
Impact Case Award, 2024 – Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533
Canadian Law Awards
Commercial Litigation Team of the Year, 2024 – Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533
RECENT PUBLICATIONS
- Michael Scherman and Adam Goldenberg, "Automation Not Domination: AI and Inclusion", June 2019
- Michael Scherman and Adam Goldenberg, "Automation Not Domination: Legal and Regulatory Frameworks for AI", June 2019
- Michael Scherman and Adam Goldenberg, "Automation Not Domination: AI and the Workforce", June 2019