Canada’s Privacy and New Anti-spam Laws: What You Need to Know to Comply

Upload: gowlings

Post on 12-May-2015


DESCRIPTION

Canada's Privacy and New Anti-spam Laws: What you need to know to comply webinar

TRANSCRIPT

Page 1: Canada's Privacy and New Anti-spam Laws: What You Need to Know to Comply

Canada’s Privacy and New Anti-spam Laws: What you need to know to comply


Topics Include

• An overview of Canada’s federal and provincial privacy laws

• Storing and transferring personal information outside Canada

• Video surveillance

• Online behavioural advertising

• How to respond to a data breach

• Canada’s new anti-spam laws


Gowlings at a Glance

• One of Canada’s largest law firms

• Over 750 professionals across 10 offices worldwide

• Recognized expertise in Business Law, Advocacy and Intellectual Property Law


Gowlings at a Glance

www.gowlings.com


Canadian Privacy Law


Canadian Privacy Law

• The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private sector businesses in most Canadian provinces

• Similar laws apply to information collected in Québec, British Columbia and Alberta


Canadian Privacy Law

• These laws apply to foreign (non-Canadian) businesses that collect, use or disclose personal information about individuals in Canada, even if the business does not have a Canadian presence

• Applies to “personal information” – a term that is broadly defined as “information about an identifiable individual” (apart from their business contact information)


Storing and Transferring Personal Information


Storing and Transferring Personal Information

• Privacy laws don’t prevent it, but it is subject to certain legal obligations:

  • Accountability: The organization is responsible for personal information in its possession and custody, including that transferred to a third-party service provider

  • Transparency: Canadian customers must be advised if their personal information is going to be transferred or stored outside of Canada


Video Surveillance


Video Surveillance

• PIPEDA and the provincial laws apply to the capturing of video images in the course of commercial activity, whether those images are recorded or not

• “Overt” surveillance:

  • Must give clear notice about the use of cameras on their premises, before people enter the premises (include information on how they can get access to their images)


Video Surveillance

• “Covert” surveillance:

  • Allowed only in exceptional circumstances where overt surveillance would compromise the availability and accuracy of the data, and the collection is for the purposes of investigating a breach of law or breach of an agreement


Online Behavioural Advertising


Online Behavioural Advertising

• Online Behavioural Advertising:

  • Web-based programs that allow businesses to track consumers’ online activities, e.g., flash cookies, beacons, tracking pixels, etc.

• Contrary to popular belief, online behavioural advertising IS classified as “personal information”


Online Behavioural Advertising

• Permissible, but subject to regulations:

  • Transparency:

    • Users must be aware that this tool is being used

  • Consumers must be able to “opt out” but still be able to use the services

  • Should not be used on websites targeted at children, due to their inability to give meaningful consent


How to Respond to a Data Breach


How to Respond to a Data Breach

• Federal legislation - PIPEDA

  • Voluntary security breach notification

  • Guidelines from Federal Privacy Commissioner

  • Voluntary but expected


How to Respond to a Data Breach

• The Guidelines state there are four key steps to consider when responding to a breach:

  • Breach containment and preliminary assessment

  • Evaluation of the risks associated with the breach

  • Notification

  • Prevention


How to Respond to a Data Breach

• Alberta Personal Information Protection Act (PIPA)

  • Private sector organizations are required under mandatory privacy breach notification provisions to notify the Privacy Commissioner

  • Threshold of notification: “real risk of significant harm”

  • “Real risk” means “a reasonable degree of likelihood that the harm could result”


How to Respond to a Data Breach

• Who is responsible for notifying the commissioner?

  • Organization with control of the personal information, even if the breach occurred at service provider level

• Contents of the report

  • How many people affected

  • Information released

  • Circumstances surrounding the breach

  • What mechanisms are in place to protect data


How to Respond to a Data Breach

• If “real risk” is determined, the organization is required to notify those affected

  • The Privacy Commissioner issues a written decision which is available on their website

  • The Privacy Commissioner will provide direction on what needs to be in the notice


How to Respond to a Data Breach

• Protect your organization from a data breach

  • Review privacy policies and procedures regularly

  • Train staff on how to prevent breaches

  • Create guidelines on what to do if there is a breach


Canada’s New Anti-spam Laws


Canada’s New Anti-spam Laws

• Slated to come into effect mid to late 2013

• Canada’s Anti-spam Legislation (CASL) will apply to “Commercial Electronic Messages,” prohibiting all but those messages that comply with its requirements

• The CRTC and Industry Canada take the position that existing, valid consent may not survive the transition period

• Organizations will need to seek new consent from existing mailing lists


Canada’s New Anti-spam Laws

• Electronic messages must contain prescribed disclosure language

• An unsubscribe mechanism

• CASL applies to:

  • An electronic mail account

  • An instant messaging account

  • A telephone account; or

  • Any similar account


Canada’s New Anti-spam Laws

• Messages that may be exempt

  • Those sent between employees of an organization relating to the affairs of the organization

  • Messages sent between two organizations with an existing business relationship relating to their affairs

  • Those that respond to an inquiry, complaint, etc.


Canada’s New Anti-spam Laws

• Penalties for violations

  • A fine of up to $1,000,000 for a violation by an individual

  • A fine of up to $10,000,000 for a violation by a corporation


Canada’s New Anti-spam Laws

• Private right of action for persons who allege they have been affected by a violation

  • Compensation equal to the actual loss or damage suffered; and

  • $200 for each contravention, not exceeding $1,000,000 for each day on which a contravention occurred


Canada’s New Anti-spam Laws

• How organizations can ensure they comply

  • Be aware of requirements for expressed consent

    • Why?

    • Who is asking?

    • Provide contact information (mailing address + telephone numbers, email or web address)

    • State that consent can be withdrawn


Q&A


Thank You

Montréal, Ottawa, Toronto, Hamilton, Waterloo Region, Calgary, Vancouver, Beijing, Moscow, London

Visit www.gowlings.com
