Canadian privacy law 2.0: Artificial intelligence (AI) and Bill C-11, the Consumer Privacy Protection Act
In a recent announcement, the Canadian federal Privacy Commissioner of Canada (“OPC”) released a report containing recommendations on how AI should be treated under Canadian privacy law, and what protections need to be in place to ensure AI applications reach […]
British Columbia Supreme Court emphasizes the importance of contextual assessment when assessing privacy risks associated with information access requests
Introduction In Airbnb Ireland UC v Vancouver (City), 2023 BCSC 1137, the British Columbia Supreme Court (the “Court”) highlighted the privacy implications for companies and other parties who provide information to public bodies. Airbnb Ireland UC (“Airbnb”) applied for judicial […]
Mobile apps: What businesses should know a year after the Tim Hortons data tracking scandal
Many businesses are tapping into the digital economy by creating mobile apps to enhance customer experience, build brand awareness, and boost marketing outcomes, which often includes collecting (sometimes very detailed) information from users. However, creating and deploying these apps comes […]
AI poses new threats to cybersecurity: How Canadian boards can navigate the evolving cyber risk landscape to stay ahead of the curve
The cybersecurity threat landscape is currently at a time when new threats are continuing to emerge, not the least of which are risks related to the use of artificial intelligence (AI), specifically generative AI. In response, there is increasing pressure […]
Meaningful consent and data protection of third-party apps: Federal Court dismisses Privacy Commissioner’s complaint against Facebook
On April 13, 2023, the Federal Court handed down its decision in a case brought by the Office of the Privacy Commissioner of Canada (the “OPC”) against Facebook Inc. (“Facebook”).[1] The case centers around Facebook’s obligations with respect to third-party […]
Failure to prevent a data breach not equal to invasion of privacy: Ontario Court of Appeal shuts the door on “intrusion upon seclusion” tort
The Ontario Court of Appeal has released a new trilogy of cases regarding the privacy tort “intrusion upon seclusion.” Specifically, whether the privacy tort is available as against commercial entities collecting and storing clients’ personal information, where there was a […]
Privacy Commissioners call on Health Industry to phase out use of traditional fax and unencrypted email in shift to digital healthcare
On September 21, 2022, the Office of the Privacy Commissioner of Canada released a Joint Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombudspersons with Responsibility for Privacy Oversight entitled Securing Public Trust in Digital Healthcare (the “Joint […]
A to-do list for incident response
Cybersecurity incidents and data breaches arise without notice. Your organization may have fallen victim to a cyberattack or you may have received notice from a supplier that they have been attacked. Or perhaps a key employee has lost an unencrypted […]
Managing cybersecurity in M&A transactions: How to mitigate risk through due diligence
As companies have become increasingly technology-driven in recent years, a target’s cybersecurity posture has become a key focal point in the diligence process. The COVID-19 pandemic has made this concern particularly acute: notwithstanding that an increasingly large number of people […]
Tactical and strategic steps for successful cyber incident preparedness
To kick-off this year’s cyber awareness month, we wanted to present an article that would look back on the past year along with our experience counseling organizations, large and small across all sectors, through the ordeal of cyberattacks, data extortion […]
Cybersecurity for Canada’s financial institutions
In the Office of the Superintendent of Financial Institution’s (OSFI) first Annual Risk outlook for Fiscal Year 2022-2023, the OSFI identifies the most material risks which face federally regulated financial institutions (FRFIs). Among the financial risks that the OSFI identifies […]
Takeaways on privacy breach risk assessment and data security programs: Alberta Privacy Commissioner issues breach report
On July 29, 2022 the Office of the Information and Privacy Commissioner of Alberta (the “OIPC”) issued its report on data breaches (PDF) (the “Report”). Alberta has been the leading Canadian jurisdiction with the most long-standing experience when it comes to reviewing, […]
Bill C-26: A strengthening of Canada’s cyber security through mandatory reporting of cyber incidents
With the continuing threats posed by cyber criminals, state sponsored attacks, and other cybersecurity issues, the Canadian government has taken steps in line with those recently taken by the US government in order to protect and maintain oversight over critical […]
A double-take on double-tracking: Takeaways from the privacy investigation into the Tim Hortons’ app
A recent investigation report into Tim Hortons, co-authored by the Office of the Privacy Commissioner of Canada (“OPC“), Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner of Alberta, and Office of the Information and Privacy […]
Federal Commissioner tables recommendations for privacy law reform
In the context of the Canadian Government’s plans to replace the current federal private sector privacy legislation in Canada – The Personal Information Protection and Electronic Documents Act (the “PIPEDA“), the Office of the Privacy Commissioner of Canada (the “OPC“) has […]
French data protection authority fines health software provider €1.5M for failing to protect personal information
Cybersecurity attacks, data security, and privacy breaches are no longer confined to the technical and esoteric discussions of lawyers, IT professionals, and privacy communities but rather over the past two years have become part of “coffee row” and “water cooler” […]
Privacy Commissioners take stance against collection of biometric data
The collection (and over collection) of personal information, cybersecurity incidents, and data breaches have never been more topical. Advancements in technology have led to greater global interaction and allowed for commercial efficiency in a time of limited connection. With advancements […]
Quebec’s new privacy law (Bill 64) is here – Canadian businesses take note!
While federal attempts to modernize Canadian law, in the form of Bill C-11, is languishing in privacy purgatory, the province of Quebec has completed the first step of its journey to bring its law in close alignment with those of […]
Privacy injunctions: the judicial response to cyber ransom demands
Ransom demands from cyber terrorists have become an epidemic for businesses in Canada. As we have reported in previous articles, both for-profit and not-for profit businesses have been impacted. Governments and charities have not been spared from the destruction and […]
New house on the block(chain)
Introduction Would you trade your home for a work of art? An art critic might consider it. But what if it wasn’t art you were trading your home for, but Bitcoin? Like artwork, Bitcoin’s value is largely dependent on the […]
OSFI updates cybersecurity breach notification requirements
The Office of the Superintendent of Financial Institutions (“OSFI”) released a new Advisory on Technology and Cyber Security Incident Reporting, effective August 13, 2021 (the “Advisory”) which seeks to govern how federally-regulated financial institutions (“FRFIs”) should disclose and report technology […]
Ransomware trickles down into your supply chain – Kaseya cyberattack highlights cybersecurity risks and business impact
Over the July long weekend, Canadian, American, and other international businesses were victims of a far-reaching ransomware attack. The REvil group, a ransomware syndicate also known as Sodin or Sodinokibi, are believed to be behind the attack. This gang’s most prominent […]
Cyberattacks in your supply chain – Canada Post data breach highlights risks
Over the past twelve months, we have seen more and more clients experiencing a variety of cybersecurity incidents. Most prominently, these have been “business email compromise” incidents as well as malware deployments, such as ransomware attacks. The latter have received […]
Canadian organizations take note – Data Protection Authority fines foreign-based business under GDPR for not having “Article 27” representative
As we have discussed in several previous articles, Canadian businesses and other organizations can be subject to the European General Data Protection Regulation (“GDPR”) for a number of reasons and in a number of different contexts, be it as a […]
Ransomware – Privacy law, sanctions, and the pandemic
It is trite to say that no matter the sector, size, or location of an organization, cyberattacks can be devastating. As we have seen throughout 2020 and this year in Canada and elsewhere, data breaches and operational interruptions caused by […]
The Consumer Privacy Protection Act (CPPA): Increasing accountability and transparency
In a recent MT Cybersecurity Blog, we discussed Bill C-11, the Consumer Privacy Protection Act (the “CPPA”), which was introduced on November 17, 2020, by the Minister of Innovation, Science and Industry with the aim of modernizing federal privacy law […]
“Made in Canada” – What is happening to Privacy by Design under the CPPA?
“Privacy by Design” has long been understood as the “gold standard” of data protection and at the core of how to sustain privacy rights in the digital age. It is a concept that can be said to have been “made […]
Consent and the business activities exemption: A dive into the Consumer Privacy Protection Act (CPPA)
Now in its Second Reading, Bill C-11, the Consumer Privacy Protection Act (“CPPA”), is moving ever closer to adoption. The opening remarks by the Bill’s sponsor, MP Navdeep Bains, emphasized the law’s focus on control and consent with the aim […]
Transport Canada’s Vehicle Cyber Security Strategy
Transport Canada (“TC”) has partnered with the U.S. Department of Transportation’s Volpe Center to develop TC’s Vehicle Cyber Security Strategy (“Vehicle Cyber Strategy”). The Vehicle Cyber Strategy is intended to set out forward-looking cyber security priorities for TC over the […]
The dawn of Canadian Privacy Law 2.0: The Consumer Privacy Protection Act introduced
The long-awaited overhaul of federal private sector privacy law, as outlined in our previous blog post, is finally here. The Digital Charter Implementation Act was introduced for First Reading on November 17, 2020, as Bill C-11. If enacted, the new […]
M&A and cybersecurity – top nine ways to mitigate risk through due diligence
The authors would like to acknowledge the contribution of Iain Paterson, Chief Executive Officer at Cycura, a global team of leading cybersecurity experts headquartered in Toronto, Ontario. While the COVID-19 pandemic[1] is by no means over, increasing M&A activity and […]
40% of data breach records insufficient – Canadian Privacy Commissioner releases findings on data breach register inspections
As the Canadian Office of the Privacy Commissioner (“OPC”) signaled it would do at the end of 2019, it completed a targeted investigation of data breach registers at a select number of organizations. The OPC released has now released a […]
British Columbia Court of Appeal upholds certification of data breach class action
Following in the footsteps of Jones v. Tsige from the Court of Appeal for Ontario in 2012, the recent British Columbia Court of Appeal decision in Tucci v. Peoples Trust Co. (2020 BCCA 246) appears to be solidifying the future […]
Ontario government launches consultations on establishing provincial privacy regime for private sector
On August 13, 2020, the Ontario Government (the “Government”) launched consultations on establishing provincial privacy legislation for the private sector, likely including not-for-profits and charities. The collection, use, and disclosure of personal information is currently governed by federal legislation, the […]
Responding to cyber-attacks – lessons for Saskatchewan municipalities from recent data breaches
Privacy concerns are at the forefront of our increasingly digital world, with cybercrime such as ransomware, business email compromise and phishing attacks becoming a noticeable risk for organizations. It is essential for municipalities to understand their minimum responsibilities under Saskatchewan […]
European Data Protection Board (EDPB) releases FAQ on “Schrems II”: A primer for Canadian organizations
As we have reported previously, on July 16, 2020, the Court of Justice of the European Union (“CJEU”) released its decision in the case of Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), which ruled that […]
“Schrems II” decides validity of personal data transfer mechanisms – impact on Canadian organizations
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) released its long-awaited decision regarding the validity of existing personal data transfer mechanisms outside the EU under the General Data Protection Regulation (“GDPR”), the so-called “Schrems II” […]
Ransomware attack on cloud-services provider affects charities and not-for-profits
A company that supplies cloud fundraising and accounting software to the charity and not-for-profit sector announced yesterday that it experienced a ransomware attack in May 2020. Blackbaud is the company behind such programs as Raiser’s Edge NXT, eTapestry, and The […]
COVID-19 contact tracing debate highlights need for privacy law reform: Lessons for developers and users
We have been following the COVID-19 crisis and its impact on privacy law over the course of the past few months. It has become apparent during that time that the requirements of the pandemic and the contact tracing debate highlight […]
IIROC issues Notice regarding cybersecurity in cloud services and application programming interfaces
On June 24, 2020, the Investment Industry Regulatory Organization of Canada (“IIROC”) released an Education Notice to members (“Cybersecurity – Cloud Services and Application Programming Interfaces”) outlining key elements of cybersecurity strategies pertaining to adoption and implementation of cloud services […]
British Columbia Information and Privacy Commissioner calls for changes to Personal Information Protection Act
As we’ve reported in past blog posts, Canada’s privacy regulators have been vocal about the need for change to the privacy and data protection laws that apply to the private, public and health sectors in Canada. Most recently, the British […]
Privacy Commissioner consultation on AI
Continuing to highlight the need for reform, the Office of the Privacy Commissioner of Canada (“OPC”) has initiated a consultation on recommendations they have presented to adapt the private sector privacy statute Personal Information Protection and Electronic Documents Act (“PIPEDA”) to address […]
Canadian Privacy Commissioner Tables Annual Report, Calling for Human Rights-Based Overhaul of Privacy Laws
On December 10, 2019, Commissioner Therrien presented his office’s 2019 annual report to Parliament, which was later followed by a press release highlighting key aspects of and views expressed in this latest report. Unsurprisingly, the need for privacy law reform […]
Implicit Waiver of Privilege
Overview Solicitor-client privilege and litigation privilege are a fundamental component of our justice system. Solicitor-client privilege is intended to provide “full, free and frank communication between those who need legal advice and those who are best able to provide it,” […]
Enforceability of e-signatures during COVID-19 pandemic
While the COVID-19 pandemic is having an enormous impact on Canadian organizations, including those within the charitable and non-profit sector, they must continue to operate despite the “physical distancing” measures imposed by the government. This is especially true given that […]
Privacy Commissioners: Privacy laws not a barrier to effective COVID-19 response, emphasize compliance when using contact tracing apps
The COVID-19 pandemic has created an unprecedented challenge for federal and provincial governments and other public health organizations in Canada. To respond in a timely and effective manner, government organizations require greater access to, and an enhanced ability to use, […]
Privacy and cybersecurity during COVID-19 – Tips for Canadian organizations
With the emergence of COVID-19 in Canada, organizations are faced with many additional concerns and considerations in their daily operations and strategic planning. Remote work has become the norm, and the health of employees, customers and suppliers is a key […]