This document provides an update on federal and provincial privacy laws in Canada. It discusses proposed amendments to PIPEDA that died in parliament and recent PIPEDA case summaries. It also discusses provincial privacy laws in Quebec, Alberta, and British Columbia that are substantially similar to PIPEDA. Additionally, it covers privacy considerations for corporate transactions and cross-border data flows.
An Indian Outline on Database ProtectionSinghania2015
One Business Processing Outsourcing company of India was in the eye of storm when one of its employees sold confidential financial information relating to customers of few British banks to an undercover reporter from the British tabloid ‘The Sun’. The incident sparked off a debate among the offshore industry circles, media and the legal world for the need of specific legislation for the protection for personal data in India which is absent currently.
An Indian Outline on Database ProtectionSinghania2015
One Business Processing Outsourcing company of India was in the eye of storm when one of its employees sold confidential financial information relating to customers of few British banks to an undercover reporter from the British tabloid ‘The Sun’. The incident sparked off a debate among the offshore industry circles, media and the legal world for the need of specific legislation for the protection for personal data in India which is absent currently.
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...Vijay Dalmia
REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011
Under
The (Indian) Information Technology Act, 2000
This presentation provides in-house counsel with a brief overview of IT / ICT related legislation within South Africa and the impact it might have on its organisations and its people
Ф franciscronje.com
regulatory compliance explained
Cyber Law and Information Technology Act 2000 with case studiesSneha J Chouhan
This presentation breifs about the Information Technology Act and Cyber Law in India 2000. The various acts involved in it, case studies and some recent amendments are also mentioned.
P.S: Refer the slides for educational purpose only.
The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on 17 October 2000. It is the primary law in India dealing with cybercrime and electronic commerce. It is based on the United Nations Model Law on Electronic Commerce 1996 (UNCITRAL Model) recommended by the General Assembly of United Nations by a resolution dated 30 January 1997.
An In House Counsel and Privacy Practitioners update on the changed regulatory landscape.
The Privacy and Data Protection Act 2014 received Royal Assent on 2 September 2014.
The new legislation replaces the Information Privacy Act 2000, and the Commissioner for Law Enforcement Data Security Act 2005, with a unified scheme governing the handling of personal information and data by Victorian Public sector agencies.
What does IT Act 2000 legislation deals with? The Act essentially deals with the following issues: Legal Recognition of Electronic Documents, Legal Recognition of Digital Signatures, Offenses and Contraventions, Justice Dispensation Systems for cyber crimes.
In this presentation, Catherine Coulter discusses the Federal Privacy Law and how this can affect your company. Touching on privacy in corporate transactions, Canada-USA cross border data transfers and the Federal Privacy Commissioner Guidelines, learn how to act if your organization finds itself in a breach situation.
What You Need To Know About Privacy - Now!Now Dentons
This presentation gives an update on Federal Privacy Law, privacy in corporate transactions, Canada-USA Cross-Border Data Transfers and federal privacy commissioner.
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...Vijay Dalmia
REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011
Under
The (Indian) Information Technology Act, 2000
This presentation provides in-house counsel with a brief overview of IT / ICT related legislation within South Africa and the impact it might have on its organisations and its people
Ф franciscronje.com
regulatory compliance explained
Cyber Law and Information Technology Act 2000 with case studiesSneha J Chouhan
This presentation breifs about the Information Technology Act and Cyber Law in India 2000. The various acts involved in it, case studies and some recent amendments are also mentioned.
P.S: Refer the slides for educational purpose only.
The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on 17 October 2000. It is the primary law in India dealing with cybercrime and electronic commerce. It is based on the United Nations Model Law on Electronic Commerce 1996 (UNCITRAL Model) recommended by the General Assembly of United Nations by a resolution dated 30 January 1997.
An In House Counsel and Privacy Practitioners update on the changed regulatory landscape.
The Privacy and Data Protection Act 2014 received Royal Assent on 2 September 2014.
The new legislation replaces the Information Privacy Act 2000, and the Commissioner for Law Enforcement Data Security Act 2005, with a unified scheme governing the handling of personal information and data by Victorian Public sector agencies.
What does IT Act 2000 legislation deals with? The Act essentially deals with the following issues: Legal Recognition of Electronic Documents, Legal Recognition of Digital Signatures, Offenses and Contraventions, Justice Dispensation Systems for cyber crimes.
In this presentation, Catherine Coulter discusses the Federal Privacy Law and how this can affect your company. Touching on privacy in corporate transactions, Canada-USA cross border data transfers and the Federal Privacy Commissioner Guidelines, learn how to act if your organization finds itself in a breach situation.
What You Need To Know About Privacy - Now!Now Dentons
This presentation gives an update on Federal Privacy Law, privacy in corporate transactions, Canada-USA Cross-Border Data Transfers and federal privacy commissioner.
Explores:
1. Introduction to Privacy Regimes in the United States and Abroad
2. Mobile Applications and Devices
3. Lawful Collection and Use of “Big Data”
4. International Privacy and Cross-Border Data Transfers
5. Data Security Requirements and Data Breach Response
6. IT Outsourcing and the Cloud
7. Recent Developments and Emerging Issues
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...Dr. Oliver Massmann
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE BASIC AND GUIDANCE ON PRACTICAL HANDLING
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-2020/
What does the Privacy Act cover? What are the new Australian Privacy Principles. A detailed overview of the 13 ne Australian Privacy Principles. What are the Privacy Commissioners new powers?
What to expect from the New York Privacy ActVISTA InfoSec
In the recently proposed bill of the New York Privacy Act in the House and Senate, businesses may soon have to gear up for this new data privacy law. If enforced, the law may severely impact businesses, restricting their operations in the way how they collect, use and share consumer’s personal information throughout the State.
Privacy rules matter—make sure your firm stays compliant.
While every lawyer knows the basic rules behind confidentiality and attorney-client privilege, the significance of privacy law is less well-known—and that lack of knowledge can impact your law firm. Emerging privacy rights and rights of action are impacting businesses of all types—including those in the legal profession. Local, national, and even international laws are making privacy the next frontier in data management for lawyers.
Are you prepared to adjust to the new demands of privacy for law firms, and move beyond confidentiality?
Join Joshua Lenon—an IAPP Certified Information Privacy Professional and Clio’s Lawyer in Residence and Data Protection Officer—as he explains how these privacy laws can impact law firms and what your firm should do to ensure compliance.
In this free 1-hour CLE-eligible webinar, you’ll learn:
Why law firm data must conform with emerging privacy regulations
The impact of clients’ compliance with privacy law on firm operations
Future privacy laws that may affect your law firm—no matter where you operate
https://www.clio.com/events/webinar-law-firm-privacy/
Protection of Personal Information Bill (POPI)Robert MacLean
A short presentation that focuses on the proposed POPI law, how it impacts businesses, technology, IT depts & the cloud. It was based on a draft so some aspects may have changed.
Draft Bill on the Protection of Personal DataRenato Monteiro
Presentation given at the DataGuidance´s webinar "Brazil: Towards Privacy Compliance", about the Brazlian Draft Bill for the Protection of Personal Data (Anteprojeto de Lei para a Proteção de Dados Pessoais) issued in January 2015, which introduced concepts such as Data Protection Officer and Binding Corporate Rules.
Foreign Workers, International Tax and Oil & Gas Market UpdateNow Dentons
In this presentation, FMC Partner Shawna Vogel and Associate Yasmeen Nizam team up with MNP Partner David Yager and Associate Kathy Bonazew to deliver information about foreign workers, international tax and oil & gas market updates. The following topics are discussed:
- We Need Foreign Workers Now
- New Developments in Permanent Residence Applications for Workers
- State of Canada’s Oil & Gas Industry and Future Employment Needs
- Taxation in Canada
In this presentation, FMC Partners Rob McDonald and Marlon Rajakaruna describe the importance of protecting your start-up company’s intellectual property (IP). The following topics are discussed:
- Types of Intellectual Property
- Patents
- Copyright
- Trade-marks
- Other Ways to Protect IP
- Protecting Your IP in Commercial Agreements
Privacy and Security in Mobile E-CommerceNow Dentons
In this presentation, FMC’s Timothy Banks describes the important issues to consider when thinking about privacy and security in mobile e-commerce. The presentation includes a discussion of the following topics:
- Outlines for M-Commerce
- Overview of Guidelines
- Special Issues (address book information, online behavioral tracking and analytics, geolocation data, children, and ongoing emerging issues)
- Transparency and Accountability in Design (consent, representations and disclaimers and applying Canada’s Anti-Spam Legislation)
- The three dimensions of M-Commerce
In this presentation, FMC’s Bernard Roth outlines the current trends in energy regulatory law. The presentation includes the following topics:
- Trends in Facilities Regulation
- Alberta Non-Utility Oil and Gas Facilities
- AER Structure
- Responsible Energy Development
- Federal Budget Legislative Changes
- Federal Fisheries Act
- Navigable Waters Protection Act
- Canadian Environmental Assessment Act
- Trends in Utilities Regulation
- Performance Based Regulation for Alberta Utilities
In this presentation, FMC’s Bill Gilliland and Dan Shea discuss deal points relating to survey of deals and deal terms, including:
• Survey
• Material Adverse Change
• Non-solicitation and Superior Proposals
• Regulatory Approval Language
• Break Fees
• Expense Reimbursement
• Go-Shop Provisions
In this presentation, FMC’s Doris Bonora and Mark Woltersdorf outline the important considerations when planning before death, including:
- Power of Attorney
- Personal Directive
- Farm Tax Planning
- Estate Freeze
- Wills
Risk Apportionment in the Purchase and Sale TransactionNow Dentons
In this presentation, FMC’s Leanne Krawchuk discusses risk apportionment in the purchase and sale transaction, including:
- Representations and Warranties
- Indemnity Clauses and Limitations
- Purchase Price Adjustments and Holdbacks/Escrow
- Maximize the Value Proposition
- Due Diligence
Letters of Intent - Tips and Traps for Commercial LawyersNow Dentons
In this presentation, FMC’s Heather Barnhouse discusses the purpose of a letter of intent (LOI) and the common issues with LOI. She then discusses a relevant case (IHAG – Holding A.G. c. Intrawest Corporation, 2009 QCCS 2699) and provides an overview of the lessons learned and future application.
Protect you Rights and Avoid Liability! Current Developments and Major Implic...Now Dentons
In this presentation, FMC's Margot Patterson discusses current developments and major implications for IP legal guidelines in advertising, including:
1. Changing Copyright Rules: User Generated Content
2. How Social Media is changing your marketing practices and how you protect your brand
3. Yours, Mine and Ours: Best practices for third-party content (partners & consumers)
In this presentation, FMC's Alan Hutchison discusses Preliminary Economic Assessments (PEAs) by going over the recent focus on PEAs, providing important considerations, and going through 4 different scenarios related to PEAs.
An Introduction to Legal Aspects of Customer Acquisitions for StartupsNow Dentons
In this presentation, FMC’s Gal Smolar discusses an introduction to the legal aspects of customer acquisitions for startups. The presentation focuses on customer acquisitions, acquisition contracts, trends, right to data, restrictive covenants, exclusivity, joint development and customer acquisition tips.
Gal Smolar is a partner in FMC’s Vancouver office. Gal is a Practitioner of Foreign Law and brings to Fraser Milner Casgrain his broad international experience in commercial and corporate law and in particular in the field of technology.
Update on Hydraulic Fracturing:Preparing for Gasland 2Now Dentons
In this presentation, FMC Law's Alex MacWilliam discusses hydraulic fracturing. The presentation covers the hydraulic fracturing process; the legislative and regulatory management of key issues related to hydraulic fracturing; liability issues in fracturing litigation; finally, lessons and trends related to hydraulic fracturing.
In this presentation, V. Peter Harder describes why Canada engages with China, while Rob McDonald and Margot Patterson outline the changes to copyright laws in Canada.
In this presentation, Rob McDonald and Stephen Parker discuss the following topics related to intellectual property:
- IP Due Diligence in Commercial Transactions
- Common IP Disputes that Arise in Business
- The New Copyright Modernization Act
In this presentation, Rob McDonald outlines the key amendments to the Copyright Act and explains how Canada's copyright laws will change with the new Copyright Modernization Act.
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...BBPMedia1
Grote partijen zijn al een tijdje onderweg met retail media. Ondertussen worden in dit domein ook de kansen zichtbaar voor andere spelers in de markt. Maar met die kansen ontstaan ook vragen: Zelf retail media worden of erop adverteren? In welke fase van de funnel past het en hoe integreer je het in een mediaplan? Wat is nu precies het verschil met marketplaces en Programmatic ads? In dit half uur beslechten we de dilemma's en krijg je antwoorden op wanneer het voor jou tijd is om de volgende stap te zetten.
Attending a job Interview for B1 and B2 Englsih learnersErika906060
It is a sample of an interview for a business english class for pre-intermediate and intermediate english students with emphasis on the speking ability.
What is the TDS Return Filing Due Date for FY 2024-25.pdfseoforlegalpillers
It is crucial for the taxpayers to understand about the TDS Return Filing Due Date, so that they can fulfill your TDS obligations efficiently. Taxpayers can avoid penalties by sticking to the deadlines and by accurate filing of TDS. Timely filing of TDS will make sure about the availability of tax credits. You can also seek the professional guidance of experts like Legal Pillers for timely filing of the TDS Return.
Premium MEAN Stack Development Solutions for Modern BusinessesSynapseIndia
Stay ahead of the curve with our premium MEAN Stack Development Solutions. Our expert developers utilize MongoDB, Express.js, AngularJS, and Node.js to create modern and responsive web applications. Trust us for cutting-edge solutions that drive your business growth and success.
Know more: https://www.synapseindia.com/technology/mean-stack-development-company.html
Improving profitability for small businessBen Wann
In this comprehensive presentation, we will explore strategies and practical tips for enhancing profitability in small businesses. Tailored to meet the unique challenges faced by small enterprises, this session covers various aspects that directly impact the bottom line. Attendees will learn how to optimize operational efficiency, manage expenses, and increase revenue through innovative marketing and customer engagement techniques.
Buy Verified PayPal Account | Buy Google 5 Star Reviewsusawebmarket
Buy Verified PayPal Account
Looking to buy verified PayPal accounts? Discover 7 expert tips for safely purchasing a verified PayPal account in 2024. Ensure security and reliability for your transactions.
PayPal Services Features-
🟢 Email Access
🟢 Bank Added
🟢 Card Verified
🟢 Full SSN Provided
🟢 Phone Number Access
🟢 Driving License Copy
🟢 Fasted Delivery
Client Satisfaction is Our First priority. Our services is very appropriate to buy. We assume that the first-rate way to purchase our offerings is to order on the website. If you have any worry in our cooperation usually You can order us on Skype or Telegram.
24/7 Hours Reply/Please Contact
usawebmarketEmail: support@usawebmarket.com
Skype: usawebmarket
Telegram: @usawebmarket
WhatsApp: +1(218) 203-5951
USA WEB MARKET is the Best Verified PayPal, Payoneer, Cash App, Skrill, Neteller, Stripe Account and SEO, SMM Service provider.100%Satisfection granted.100% replacement Granted.
3.0 Project 2_ Developing My Brand Identity Kit.pptxtanyjahb
A personal brand exploration presentation summarizes an individual's unique qualities and goals, covering strengths, values, passions, and target audience. It helps individuals understand what makes them stand out, their desired image, and how they aim to achieve it.
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s DholeraAvirahi City Dholera
The Tata Group, a titan of Indian industry, is making waves with its advanced talks with Taiwanese chipmakers Powerchip Semiconductor Manufacturing Corporation (PSMC) and UMC Group. The goal? Establishing a cutting-edge semiconductor fabrication unit (fab) in Dholera, Gujarat. This isn’t just any project; it’s a potential game changer for India’s chipmaking aspirations and a boon for investors seeking promising residential projects in dholera sir.
Visit : https://www.avirahi.com/blog/tata-group-dials-taiwan-for-its-chipmaking-ambition-in-gujarats-dholera/
Implicitly or explicitly all competing businesses employ a strategy to select a mix
of marketing resources. Formulating such competitive strategies fundamentally
involves recognizing relationships between elements of the marketing mix (e.g.,
price and product quality), as well as assessing competitive and market conditions
(i.e., industry structure in the language of economics).
Digital Transformation and IT Strategy Toolkit and TemplatesAurelien Domont, MBA
This Digital Transformation and IT Strategy Toolkit was created by ex-McKinsey, Deloitte and BCG Management Consultants, after more than 5,000 hours of work. It is considered the world's best & most comprehensive Digital Transformation and IT Strategy Toolkit. It includes all the Frameworks, Best Practices & Templates required to successfully undertake the Digital Transformation of your organization and define a robust IT Strategy.
Editable Toolkit to help you reuse our content: 700 Powerpoint slides | 35 Excel sheets | 84 minutes of Video training
This PowerPoint presentation is only a small preview of our Toolkits. For more details, visit www.domontconsulting.com
Kseniya Leshchenko: Shared development support service model as the way to ma...Lviv Startup Club
Kseniya Leshchenko: Shared development support service model as the way to make small projects with small budgets profitable for the company (UA)
Kyiv PMDay 2024 Summer
Website – www.pmday.org
Youtube – https://www.youtube.com/startuplviv
FB – https://www.facebook.com/pmdayconference
3. Update on Federal Privacy Law:
‐ Proposed amendments to PIPEDA recently died when
Parliament prorogued included the following:
‐ mandatory reporting of material breaches to the
Privacy Commissioner
‐ mandatory reporting of breaches to individuals
where there is a real risk of significant harm
‐ Business Transaction exemption
‐ expanded carve‐out of the definition of business
contact information
3
5. Update on Federal Privacy Law:
Case Summary #2010‐003:
‐ Requests for access to personal information are time‐sensitive.
Where an organization requires more than 30 days to fulfill the
request, it must advise the individual of same, advise of the
new time limit, advise of the reasons for the extension and
advise the individual of his/her right to make a complaint to
the Commissioner regarding the extension
‐ Whenever requests are made, organizations should ensure
that the requested information is not deleted during the
request period due to the organization’s regular
deletion/retention practices
5
6. Update on Federal Privacy Law:
Case Summary #2010‐018:
‐ Personal information which has been de‐identified (had all
personally indentifying information removed) does not qualify
as anonymous information if it is still possible to link the de‐
identified data back to an identifiable individual
‐ An access request for personal information does not grant the
requester the right to information that reflects discussions
taken in preparation for possible litigation
6
9. Provincial Privacy Law:
Quebec – An Act Respecting the Protection of Personal
Information in the Private Sector (1994)
‐ Similar to PIPEDA
‐ Applies to all enterprises in Quebec
‐ Covers information in the private sector, including health
information
‐ Violations of the Act are punishable by fines ranging from
$1,000 to $10,000 for a first offence, and $10,000 to $20,000
for subsequent offences
‐ Binding orders by the Commissioner are permitted
9
10. Provincial Privacy Law:
Quebec – An Act Respecting the Protection of Personal
Information in the Private Sector (1994)
‐ Those binding orders can be made into binding orders of the
provincial court
‐ Offending parties are generally named in any published
findings
10
11. Provincial Privacy Law:
Alberta – Personal Information Protection Act (“PIPA”)
‐ Similar to PIPEDA
‐ Separate legislation for personal health information (Health
Information Act, 2001)
‐ Under PIPA Alberta, there is a class of non‐profit organizations
for which the legislation only applies to their commercial
activities
‐ Under PIPA Alberta, there are special provisions for
professional regulatory organizations to follow an approved
privacy code in place of certain sections of the legislation
11
12. Provincial Privacy Law:
Alberta – Personal Information Protection Act (“PIPA”)
‐ Binding orders by the Commissioner are permitted
‐ Those binding orders can be made into binding orders of the
provincial court
‐ Offending parties are generally named in any published
findings
‐ Violations of the Act are punishable by fines
12
13. Provincial Privacy Law:
B.C. – Personal Information Protection Act (“PIPA”)
‐ Similar to PIPEDA
‐ Extremely similar legislation to PIPA Alberta, but for the
following:
‐ Commissioner has audit powers
‐ no provision for the filing of the Commissioner’s orders in
provincial court and having them enforced as orders of
that court
‐ Actions only permitted for “actual damages” suffered
13
15. Privacy in Corporate Transactions:
‐ Both PIPA Alberta and PIPA B.C. contain provisions which permit
necessary personal information to be disclosed without consent for the
purpose of a business transaction (the “Business Transaction
exemption”)
‐ Some of the recent proposed amendments to PIPEDA were aimed at
adding a Business Transaction exemption to PIPEDA, but the Bill recently
died when Parliament prorogued
‐ In an early finding of the Alberta Privacy Commissioner, customer
personal information was disclosed to a purchaser without consent
during the course of the transaction. Although the disclosure was found
to be in compliance with the legislation, the Commissioner noted that all
business transaction agreements should specifically address the
anticipated use of any transferred personal information, and parties
should only undertake to use personal information for the purpose for
which it was collected
15
16. Privacy in Corporate Transactions:
‐ In a subsequent finding of the Alberta Privacy Commissioner, employee
personal information was submitted from one law firm to another as part
of the due diligence process during an acquisition. Some of the
information provided went above and beyond that required for due
diligence purposes. In addition, the receiving law firm posted that
information to the Systems for Electronic Document Analysis and Retrieval
(SEDAR).
‐ The Commissioner found that: (i) the Business Transaction exemption did
not apply to all of the transferred information (eg. home addresses, SIN’s)
and therefore there was a contravention of the legislation; and (ii)
Stikeman Elliott had a duty to review the received information before
publicly posting it to SEDAR
16
17. Privacy in Corporate Transactions:
For business transactions in Alberta or B.C.:
‐ Determine whether or not the information sought to be
collected, used or disclosed meets the Business
Transaction exemption
‐ Only use or disclose that information for the same
purpose for which it was collected
‐ If the above is not possible, obtain consent
For business transactions in Ontario and elsewhere:
‐ Obtain consent
17
18. Privacy in Corporate Transactions:
Example consent paragraph in employment agreements:
By accepting this offer, you voluntarily acknowledge and consent to the collection,
use, processing and disclosure of personal data as described in this paragraph. The
Company will hold certain personal information which may include your name,
home address, home telephone number, date of birth, social insurance number,
employee identification number, compensation, payroll deposit account, job title,
attendance and work record, marital or family status, name of your spouse and
dependents (if any), contribution rates and amounts, account balances, benefit
selections and claims for the purpose of: (i) establishing, managing and/or
terminating the employment relationship between you and the Company; (ii)
making payroll deposits, preparing tax reports or administering benefit
entitlements; or (iii) contacting others in the event of an emergency (“Data”). The
Company, in accordance with its standard operating procedures, may disclose Data
to its affiliates or with contracted third party outsourced services or benefit
providers as necessary, for the purpose of human resources, payroll, retirement
and benefit administration. The Company may also disclose Data to third parties
for the purposes of exploring and carrying out mergers, acquisitions, financings,
initial public offerings or similar transactions.
18
24. United States
• US Patriot Act
• Section 215 allows FBI to access records held in USA by
applying for an order of the Foreign Intelligence Surveillance
Act Court
• Company subject to a Section 215 order cannot reveal that the
FBI has sought or obtained information from it
• US has Safe Harbor accord with EU (2000)
– Companies can opt in
• US has sector specific laws and some US states have enacted
laws
24
28. British Columbia (cont’d)
• Privacy Commissioner initiates public process
– >500 submissions received
• FOIPPA amended to require a public body to ensure that
personal data under its control is stored only in Canada and
accessed only in Canada (with certain exceptions)
• New requirement to report any foreign demand for disclosure
to Minister
28
29. Alberta
• Outsourcing email services to Google
• University of Alberta spends a year investigating the
possibility of a single campus email system using Google’s
Gmail
• Users of University email system must be informed that their
emails will reside in a foreign jurisdiction and be subject to the
laws of that jurisdiction such as US Patriot Act
• U of A agrees to inform students and employees it cannot
guarantee protection against disclosure of emails residing in
US
29
32. Ruling 313 (cont’d)
• Ruling:
– Bank had contract with U.S. data processor to maintain comparable
level of security and protection
– Bank appropriately notified customers
32
33. Security System Provider Shares Customer
Data – Ruling 333
• Security system company tells Canadian customers of
intention to share customer contact information with U.S.
parent company
• If catastrophic event overwhelms Canadian customer
monitoring centre, alarm signals routed to other North
American monitoring centre
• Sharing of customer address, phone, emergency contacts
• No sharing of financial or credit data
• Customers could opt out and get reduced level of service
33
34. Ruling 333 (cont’d)
• Ruling:
– Customer consent not required, not a disclosure
– Personal data being used for same original purpose
– Company was transparent and provided sufficient information about
practices
– Parent company must adhere to same level of data protection
34
35. Outsourcing – Ruling 394
• “canada.com” outsourcing e‐mail services to U.S. based
company
• Customers requested to consent as condition of on‐going
services
• U.S. Patriot Act issues
35
36. Ruling 394 (cont’d)
• Ruling
– Sharing with a third‐party subcontractor is a “use” not a “disclosure”
– Consent is required to the use
– Best practice is to notify
– Must take contractual measures to ensure security
• oversight
• monitoring
• auditing
– Should provide notice that foreign‐based service provider will be
subject to foreign laws, which may be different than Canadian law
36
37. Federal Privacy Commissioner Guidelines
• PIPEDA does not distinguish between domestic and
international transfers of data
• An organization is responsible for personal information in its
possession, including information that has been transferred to
a third party for processing
• Where information is transferred for processing, it can only be
used for the purposes for which the information was originally
collected; for example, internet service provider transfers
personal information to third party to ensure technical support
is available 24/7
• A transfer for processing is not a disclosure; it is a use
37
38. Federal Privacy Commissioner Guidelines
• Processing means any use of the information by the third party
processer for which the transferring organization can use it
• Comparable level of protection means that the third party
processor must provide protection that can be compared to
the level of protection the data would have received if it had
not been transferred
• Primary means to protect personal information is through
contract
38
39. Best Practices
• Be satisfied that the third party has policies and processes in
place, including training and effective security measures, to
ensure the data in its care is properly safeguarded
• Set out requirements for safeguards in written contract
• Retain the right to audit and inspect
• Assess risk when transferring outside of Canada
39
40. Best Practices
• Pay attention to the legal requirements of the jurisdiction in
which the third party processor operates as well as the
potential foreign, political, economic and social conditions and
events that may reduce the service provider’s ability to
provide the service
• Make it clear to individuals that their information may be
processed in a foreign country and it may be accessible to law
enforcement and national security authorities
• Use clear and understandable language
• Ideally do so at the time the information is collected
40
44. 1. Investigations:
‐ Investigator will require a response from your organization
‐ Employees may be interviewed without your consent
‐ Company files may be requested
‐ Through the Privacy Commissioner, investigators have the
authority to receive evidence, enter premises where
appropriate and obtain copies of records
‐ After the investigator prepares a report, the Privacy
Commissioner will make a finding
44
45. Investigations:
‐ The Privacy Commissioner can make the following findings:
‐ Not Well‐Founded
‐ Well‐Founded
‐ Resolved
‐ Discontinued
‐ The Commissioner can make recommendations to your
organization and ask you to respond in writing with your
organization’s plans for implementing the recommendations
‐ Findings of the Commissioner can be publicly posted
‐ Although organizations can be publicly named, it only occurs
when the Commissioner deems it to be in the public interest
45
46. Investigations:
‐ There is an offence provision under PIPEDA
‐ Under that provision, the Commissioner can levy fines for
obstruction of an investigation, destroying personal
information after an access request has been made and
disciplining a whistleblower
‐ Fines of up to $10,000 or $100,000
‐ In addition, the Commissioner has the power to summon
witnesses, administer oaths and compel the production of
evidence
‐ The Commissioner is required under PIPEDA to issue any
findings within a year of the complaint
46
47. 2. Section 14 Applications:
‐ Section 14 applications are hearing requests to the Federal
Court regarding the way in which an organization handles
personal information. They can only be brought after the
Commissioner has investigated the matter and issued her
findings
‐ The most common reason for a Section 14 application is to ask
the Court to have the Commissioner’s
findings/recommendations enforced against the organization
47
48. Section 14 Applications:
‐ The Court may:
‐ Order an organization to correct its practices to comply
with PIPEDA
‐ Order an organization to publish a notice of actions taken
or proposed to be taken in order to comply with PIPEDA
‐ Order an organization to pay damages, including
damages for humiliation suffered by the complainant
‐ In December 2010, Justice Zinn of the Federal Court ordered
Transunion to pay total damages of $5,000 to a complainant
(Nammo v. Transunion of Canada Inc.)
48
49. Section 14 Applications:
‐ The Court found that both the question of whether damages
should be awarded and the question of the quantum of
damages should be answered with regard to: (i) whether
awarding damages would further the general objects of
PIPEDA and uphold the values it embodies; and (ii) deterring
future breaches and the seriousness or egregiousness of the
breach
‐ In another 2010 Federal Court decision, Justice Mosely
declined to award damages because he did not find the breach
to be egregious (Randall v. Nubodys Fitness Centres)
49
50. 3. Judicial Review:
‐ Under section 18.1 of the Federal Court Act, an application can
also be brought for judicial review in order to challenge the
findings of the Commissioner
‐ The grounds for judicial review are limited and include the
following:
‐ an allegation that the Commissioner refused to exercise
her discretion
‐ an allegation that the Commissioner acted without
jurisdiction
‐ an allegation that the Commissioner surpassed the
boundaries of the jurisdiction outlined in PIPEDA
50
52. Breach Notification:
‐ If your organization finds itself in a breach situation:
‐ work with experienced legal counsel to determine your course of
action
‐ with reference to the applicable legislation, also keep an eye on the
federal Privacy Commissioner’s breach Guidelines and the
accompanying Privacy Breach Checklist and Privacy Breach Incident
Report:
http://www.priv.gc.ca/information/guide/index_e.cfm
52
53. Breach Notification:
PIPEDA:
‐ Although PIPEDA does not currently have a breach notification
provision, it is encouraged in certain circumstances
‐ The Privacy Commissioner of Canada has prepared Guidelines which
outline the “Key Steps for Organizations in Responding to Privacy
Breaches”
PIPA Alberta:
‐ PIPA was amended in 2010 to require breach notification in cases
where “a reasonable person would consider that there exists a real
risk of significant harm to an individual as a result of the loss or
unauthorized access or disclosure” of personal information
53
55. Breach Notification:
‐ The following are some of the key points to consider when dealing with a
breach of personal information:
(i) Contain the breach and conduct a preliminary assessment
(ii) evaluate the risks associated with the breach (ie. the nature of the
personal information involved; cause and extent of breach;
individuals affected; foreseeable harm)
(iii) Notify affected individuals if the breach “creates a risk of harm” to
them
(iv) Notify appropriate privacy commissioners of material breaches so
that they are aware of the situation
(v) Consider whether other notifications are also appropriate (eg.
police, financial institutions, insurers, regulatory or professional
bodies)
(vi) Work to prevent similar future breaches
55