Privacy Commissioner Extends Deadline for Transborder Data Flow Consultation

The Office of the Privacy Commissioner of Canada (“OPC”) has announced it will now be accepting comments related to its consultation on transborder data flows until Friday, June 28, 2019.

The discussion document, which was released on April 9, 2019 (see our blog post here, and our blog post about the OPC’s supplemental consultation paper here), reflected a reversal in the OPC’s twenty-year-old policy position on transborder data flows under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

The OPC has indicated that it intends to provide guidance on disclosures for processing and related consent and accountability requirements.


Certification of Breach Class Action Denied in Absence of Provable Losses, Commonality

On May 7, 2019, Justice Belobaba denied the motion for certification in the class action brought against Casino Rama relating to a 2016 data breach (Kaplan v. Casino Rama, 2019 ONSC 2025). Despite having five representatives, the plaintiffs were unable to show provable losses, which significantly hampered their case. What was ultimately fatal to the motion, however, was the lack of commonality, leading Justice Belobaba to remark:

The problem here, with almost all of the [proposed common issues (“PCI”)], is that there is no basis in fact for either the existence of the PCI or its overall commonality or both.


CRTC Finds Director Vicariously Liable for Company’s Violation of CASL

On April 23, 2019, the Canadian Radio-television and Telecommunications Commission (“CRTC”) imposed a $100,000 penalty on a corporate director for violations of Canada’s anti-spam legislation[1] (“CASL”) committed by the company. This is the first time an individual has been held liable under CASL for violations committed by a corporation.

Background

Operating under multiple business names (notably nCrowd, Teambuy, DealFind, and Dealathons – collectively, “nCrowd”), nCrowd sent unsolicited commercial emails to Canadians. nCrowd offered promotional vouchers for discounted rates on products, such as electronics, or services, such as beauty treatments, to be redeemed by consumers from third-party suppliers.


Privacy Commissioner Issues Supplemental Consultation Paper on Consent for Transborder Data Flows

On April 9, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) announced it would be holding a stakeholder consultation on transborder data flows. The consultation paper (“Consultation Paper”) proposed a reversal of the existing two-decade-old policy on consent in such cases. See our previous post here.

However, the Consultation Paper simply stated the OPC’s position and invited the public’s views, with no indication of why the OPC thought the change was necessary or what the key issues were. Shortly thereafter, the OPC issued a supplemental consultation paper (“Supplemental Consultation Paper”), in which it provided the rationale for its about-face and posed specific questions for stakeholders to consider.


Privacy Commissioner Proposes Consent be Required for Transborder Data Flows

On April 9, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) announced it would be holding a stakeholder consultation on transborder data flows. The consultation paper (“Consultation Paper”) proposes a reversal of the existing two-decade-old policy on consent.

However, the Consultation Paper simply stated the OPC’s position and invited the public’s views, with no indication of why the OPC thought the change was necessary or what the key issues were. Shortly thereafter, the OPC issued a supplemental consultation paper (“Supplemental Consultation Paper”), in which it provided the rationale for its about-face and posed specific questions for stakeholders to consider.


OSFI Advisory Requiring Cyber Incidents be Reported Within 72 Hours Effective March 31, 2019

On January 24, 2019, the Office of the Superintendent of Financial Institutions (“OSFI”) published an Advisory setting out new requirements for Canadian federally regulated financial institutions (“FRFIs”) to report cybersecurity incidents within 72 hours of determining the incident is reportable. These new reporting requirements become effective on March 31, 2019.

The Advisory adds mandatory reporting requirements to OSFI’s 2013 Cyber Security Self-Assessment Guidance. The Advisory sets out when FRFIs must disclose cybersecurity incidents to OSFI and provides details of the required content of the disclosures. It is part of a constellation of efforts by OSFI to require FRFIs to address technology and cybersecurity incidents in a timely and effective manner.


New York Department of Financial Services Cybersecurity Regulation Requirements Applicable to Third Parties Now in Effect

With March comes Spring – and the full force and effect of the Cybersecurity Regulation of the New York Department of Financial Services (“NYDFS”). This includes requirements relating to Third Party Service Providers (e.g., vendors, suppliers, agents – the term Third Party Service Providers is defined in the Regulations). Canadian companies and financial service providers may be caught by these and other provisions of the Regulations and should review the applicability of these recently-in-force provisions.

The Regulation was first promulgated on March 1, 2017 and required banks, insurance companies, and other financial institutions and individuals who are, or should be, licensed with NYDFS (called Covered Entities in the Regulation) to comply with what some characterized as fairly onerous cybersecurity and data security requirements.
