Canada's Privacy and New Anti-spam Laws: What You Need to Know to Comply

Canada's Privacy and New Anti-spam Laws: What you need to know to comply webinar

  1. Canada’s Privacy and New Anti-spam Laws: What you need to know to comply
  2. Topics Include
      • An overview of Canada’s federal and provincial privacy laws
      • Storing and transferring personal information outside Canada
      • Video surveillance
      • Online behavioural advertising
      • How to respond to a data breach
      • Canada’s new anti-spam laws
  3. Gowlings at a Glance
      • One of Canada’s largest law firms
      • Over 750 professionals across 10 offices worldwide
      • Recognized expertise in Business Law, Advocacy and Intellectual Property Law
  4. Gowlings at a Glance: www.gowlings.com
  5. Canadian Privacy Law
  6. Canadian Privacy Law
      • The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private sector businesses in most Canadian provinces
      • Similar laws apply to information collected in Québec, British Columbia and Alberta
  7. Canadian Privacy Law
      • These laws apply to foreign (non-Canadian) businesses that collect, use or disclose personal information about individuals in Canada, even if the business does not have a Canadian presence
      • Applies to “personal information” – a term that is broadly defined as “information about an identifiable individual” (apart from their business contact information)
  8. Storing and Transferring Personal Information
  9. Storing and Transferring Personal Information
      • Privacy laws don’t prevent it, but it is subject to certain legal obligations:
          • Accountability: The organization is responsible for personal information in its possession and custody, including that transferred to a third-party service provider
          • Transparency: Canadian customers must be advised if their personal information is going to be transferred or stored outside of Canada
  10. Video Surveillance
  11. Video Surveillance
      • PIPEDA and the provincial laws apply to the capturing of video images in the course of commercial activity, whether those images are recorded or not
      • “Overt” surveillance:
          • Must give clear notice about the use of cameras on their premises, before people enter the premises (include information on how they can get access to their images)
  12. Video Surveillance
      • “Covert” surveillance:
          • Allowed only in exceptional circumstances where overt surveillance would compromise the availability and accuracy of the data, and the collection is for the purposes of investigating a breach of law or breach of an agreement
  13. Online Behavioural Advertising
  14. Online Behavioural Advertising
      • Online Behavioural Advertising:
          • Web-based programs that allow businesses to track consumers’ online activities, e.g., flash cookies, beacons, tracking pixels, etc.
      • Contrary to popular belief, online behavioural advertising IS classified as “personal information”
  15. Online Behavioural Advertising
      • Permissible, but subject to regulations:
          • Transparency:
              • Users must be aware that this tool is being used
          • Consumers must be able to “opt out” but still be able to use the services
          • Should not be used on websites targeted at children, due to their inability to give meaningful consent
  16. How to Respond to a Data Breach
  17. How to Respond to a Data Breach
      • Federal legislation - PIPEDA
          • Voluntary security breach notification
          • Guidelines from Federal Privacy Commissioner
          • Voluntary but expected
  18. How to Respond to a Data Breach
      • The Guidelines state there are four key steps to consider when responding to a breach:
          • Breach containment and preliminary assessment
          • Evaluation of the risks associated with the breach
          • Notification
          • Prevention
  19. How to Respond to a Data Breach
      • Alberta Personal Information Protection Act (PIPA)
          • Private sector organizations are required under mandatory privacy breach notification provisions to notify the Privacy Commissioner
          • Threshold of notification: “real risk of significant harm”
          • “Real risk” means “a reasonable degree of likelihood that the harm could result”
  20. How to Respond to a Data Breach
      • Who is responsible for notifying the commissioner?
          • Organization with control of the personal information, even if the breach occurred at service provider level
      • Contents of the report
          • How many people affected
          • Information released
          • Circumstances surrounding the breach
          • What mechanisms are in place to protect data
  21. How to Respond to a Data Breach
      • If “real risk” is determined, the organization is required to notify those affected
          • The Privacy Commissioner issues a written decision which is available on their website
          • The Privacy Commissioner will provide direction on what needs to be in the notice
  22. How to Respond to a Data Breach
      • Protect your organization from a data breach
          • Review privacy policies and procedures regularly
          • Train staff on how to prevent breaches
          • Create guidelines on what to do if there is a breach
  23. Canada’s New Anti-spam Laws
  24. Canada’s New Anti-spam Laws
      • Slated to come into effect mid to late 2013
      • Canada’s Anti-spam Legislation (CASL) will apply to “Commercial Electronic Messages,” prohibiting all but those messages that comply with its requirements
      • The CRTC and Industry Canada take the position that existing, valid consent may not survive the transition period
          • Organizations will need to seek new consent from existing mailing lists
  25. Canada’s New Anti-spam Laws
      • Electronic messages must contain prescribed disclosure language
          • An unsubscribe mechanism
      • CASL applies to:
          • An electronic mail account
          • An instant messaging account
          • A telephone account; or
          • Any similar account
  26. Canada’s New Anti-spam Laws
      • Messages that may be exempt
          • Those sent between employees of an organization relating to the affairs of the organization
          • Messages sent between two organizations with an existing business relationship relating to their affairs
          • Those that respond to an inquiry, complaint, etc.
  27. Canada’s New Anti-spam Laws
      • Penalties for violations
          • A fine of up to $1,000,000 for a violation by an individual
          • A fine of up to $10,000,000 for a violation by a corporation
  28. Canada’s New Anti-spam Laws
      • Private right of action for persons who allege they have been affected by a violation
          • Compensation equal to the actual loss or damage suffered; and
          • $200 for each contravention, not exceeding $1,000,000 for each day on which a contravention occurred
  29. Canada’s New Anti-spam Laws
      • How organizations can ensure they comply
          • Be aware of requirements for expressed consent
              • Why?
              • Who is asking?
              • Provide contact information (mailing address + telephone numbers, email or web address)
              • State that consent can be withdrawn
  30. Q&A
  31. Thank You
      • Visit www.gowlings.com
      • Email: wendy.wagner@gowlings.com, taryn.burnett@gowlings.com, chris.oates@gowlings.com
      • montréal, ottawa, toronto, hamilton, waterloo region, calgary, vancouver, beijing, moscow, london
