Privacy & Data Protection
PRIVACY & DATA PROTECTION
Privacy and Data Protection are interrelated concepts that involve complex statutory, regulatory and common law requirements and restrictions. Privacy and data breaches – whether accidental or intentional – are frequent front-page news stories that damage corporate reputations and have led to an increasing number of class action lawsuits. Our privacy and data protection lawyers help clients examine the impact of privacy and data protection laws and regulatory requirements upon their businesses and implement measures to reduce risks.
Canada has a complex network of laws governing privacy and data protection compliance, including private-sector, health-sector and public sector statutes, sector-specific privacy obligations, statutory privacy torts, and evolving common law torts such as “intrusion upon seclusion” and “publicity given to private life.” To provide support to our client, our lawyers routinely prepare and adopt practices and procedures that ensure compliance We advise clients on establishing a comprehensive privacy compliance infrastructure, so that they can reduce the risk of privacy complaints, investigations by privacy commissioners and other regulatory bodies, and privacy-related litigation. An effective compliance infrastructure can also help clients to mitigate the damage of any risks that may materialize.
Our lawyers regularly develop organizational and employee privacy policies and function-specific documents, such as Internet privacy policies, acceptable use policies, and cookies policies. Among other things, McMillan’s data privacy lawyers provide guidance on the application of privacy laws; draft and review privacy policies, consent provisions and information collection procedures; advise on cases of privacy or security breaches; advise on issues related to cross-border transfers of information, including cloud computing; represent clients in privacy-related litigation; and CASL compliance.
Workplace privacy also presents unique issues and challenges. The sheer volume of personal employee information companies handle is just one of the reasons why privacy laws in the workplace are taking centre stage of late. Another emergent workplace privacy issue concerns medical privacy laws in the workplace, which have come to the fore as businesses navigate the legalities of workplace drug testing since Canada legalized marijuana and COVID testing came into play.
McMillan’s workplace privacy lawyers draft and review employee privacy policies, and advise corporations on the application of privacy laws, privacy issues related to searching employees and their property, collection of biometric information, privacy issues unique to unionized workforces, and more.
McMillan’s team also has valuable experience interpreting and applying Canada’s Anti-Spam Legislation (CASL) across organizations, reviewing CASL compliance and training client teams, and dealing with the CRTC and the Privacy Commissioner on CASL compliance matters. Our expertise extends to publication of a legal text, Internet Law Essentials: Canada’s Anti-Spam Law.
Essentially we help clients understand how they can balance compliance with innovation, employer rights, and business needs.
Cybersecurity is no longer solely an issue for IT or technical staff. An effective plan to protect the organization against cyber threats requires insight into both the technical threats and the many and varied ways in which those threats can manifest in personal, physical, and financial damage. Understanding and responding effectively to those threats requires a comprehensive understanding of legal and regulatory obligations and risks, all of which are rapidly evolving.
Among other things, McMillan’s cybersecurity lawyers draft security and data protection policies and protocols; advise on compliance with applicable privacy laws and other legislation; educate managers and directors on the risks associated with a data breach; prepare and implement a notice strategy to respond to data breaches; advise on dealing with the public and regulators following a breach; and assist with internal investigations and obtaining court orders for timely disclosure of necessary information from third parties.
Although organizations may use their best efforts to develop and implement policies and procedures to comply with Canada’s complex and rapidly evolving privacy and data protection regime, disputes regarding breach of privacy and mishandling of personal information are often unavoidable. McMillan helps organizations manage the risk of being drawn into litigation through, for example, inadvertent disclosure of customer information, employee misconduct, or even external hacking of their information systems.
The importance of an immediate and effective response is underscored by the recent wave of reported class actions relating to privacy and data breaches, many of which allege that the organization did not promptly notify individuals who were at risk of harm.
McMillan’s Privacy Group is experienced at resolving disputes in a client-focused way. We pair specialized privacy expertise with McMillan’s renowned Litigation Group to provide a comprehensive team that can advise and represent clients in all types of privacy litigation.
Deals and Cases
INSIGHTS (120 Posts)
FCAC’s Submission on Open Banking: Finding the Right Balance to Achieve Consumer Protection and Broad Financial Sector Participation
The authors discuss the Financial Consumer Agency of Canada's submission to the Advisory Committee on Open Banking.
Big Brother’s Access Limited – Canadian Privacy Commissioners Rule Clearview AI’s Facial Recognition Tool in Breach of Canadian Privacy Laws
Privacy Commissioners find Clearview AI's use of facial recognition software on images it scraped from the Internet to be in breach of privacy laws.
Potential Overhaul of Canadian Privacy Law – Is Your Organization Ready?
The International Comparative Legal Guide (ICLG) - Cybersecurity Canada 2021 guide covers common issues in cybersecurity laws and regulations.
The Digital Charter Implementation Act, 2020 received its first reading in the House of Commons. If passed, the Act will radically change Canadian Privacy Law.
The federal government has launched a voluntary CyberSecure program to help small and medium-sized organizations protect against cybersecurity threats
Reporting and Recording Breaches of Security Safeguards – The OPC releases new resources for businesses
Office of the Privacy Commissioner of Canada ("OPC") released a number of new resources to assist organizations with their breach assessment, reporting and recording obligations.
COVID-19 Realities Push Ontario Government to Launch Public Consultation to Improve the Province’s Privacy Laws
The Ontario government launched public consultations to guide their modernization of private-sector privacy laws within the province.
Government of Alberta announces changes to the regulatory regime that governs oil and gas liabilities.
Global privacy authorities published a letter to remind video teleconferencing companies of their obligations regarding user's privacy.
Bill 64: Modernizing Québec's Privacy Regime
Supreme Court of Canada Affirms the Genetic Non-Discrimination Act, Weighing Autonomy, Privacy, and Accessibility of Insurance
Impacts on insurers from recent decision in which SCC upholds protections for privacy and autonomy through the Genetic Non-Discrimination Act
Significant Expansion of Ontario’s Personal Health Information Protections amid COVID-19: What you need to know
Bill 188 made significant amendments to PHIPA, which affect technology companies, and potentially insurers, who provide access to personal health information.
Provinces across Canada are starting to lift COVID-19 restrictions and resume some economic and other activities.
Organizations operating in Canada are advised to immediately review their privacy-related policies and marketing to avoid false or misleading representations
It goes without saying that organizations’ use of videoconferencing is at an all-time high as many businesses have converted to remote work.
An Ontario court has recently recognized the privacy tort of "false light publicity".
An overview of the Advisory Committee on Open Banking's recent report entitled Consumer-directed finance: the future of financial services.
As the “New NAFTA” Approaches Ratification, Regulated Foreign Entities Should Anticipate Stricter Record-Keeping Requirements
A summary of notable amendments to the federal Bank Act and Insurance Companies Act that Bill C-4 (CUSMA) will bring into force.
Many organizations recognize the potential benefits that artificial intelligence can bring to their business. Canadian regulations coming sooner than later.
Focusing our discussion on significant advancements, findings and key takeaways, we will present a “Year in Review” session that will cover many of the notable developments that occurred in 2019.
New Transparency Requirements: Private Companies in British Columbia Now Required to Collect and Disclose Shareholder Information
Amendments to British Columbia Business Corporations Act require all privately held companies to maintain transparency registers of all significant individuals.
A number of recent developments suggest that momentum for significant reform to Canadian privacy and data protection laws is building.
Keepin' It "Real": OPC Finds that PIPEDA Applies to Foreign-Incorporated Business
The Competition Bureau has sent letters to advertisers and advertising agencies warning them to ensure that their Influencer advertising complies with the law.
Investigation findings of the Office of the Privacy Commissioner highlight issues surrounding the use of personal contact information posted on websites
On November 14, 2019, IIROC amended its Dealer Member Rules to require mandatory reporting by dealer members that suffer a cybersecurity incident or breach.
One-Year Anniversary of Mandatory Data Breach Reporting: Lessons the OPC Has Learned and What Businesses Need to Know
November 1st, 2018 marked a year since reporting data breaches became mandatory under the Personal Information Protection and Electronic Documents Act ("PIPEDA")
Feedback from stakeholders regarding its consultation on transfers for processing and transborder data flows, Office of the Privacy Commissioner of Canada has decided to maintain the status quo.
The federal government has launched a new cybersecurity certification program aimed at helping small and medium-sized businesses protect against cyber threats.
It is official - Canada's new Patent Rules will come into force on October 30, 2019.
“Gonna stand my ground; And I won’t back down”¹ – The OPC charges forward with its controversial consultation on transborder dataflows/transfers for processing
On June 11, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) published a reframed discussion document (the “Reframed Discussion”)
On June 17, 2019 major changes to Canada’s Trademarks Act will come into force.
On May 21, 2019, the Canadian federal government released a proposed Digital Charter
Is Data Residency Coming to Canada? The OPC Signals a Major Change to its Policy Position on Transborder Dataflows
On April 9, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) initiated a consultation on transborder dataflows under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) (the “Consultation”).
Financial Institutions: OSFI’s Heightened Cyber Security Incident Reporting Obligations Now In Effect
OSFI published the Technology and Cyber Security Incident Reporting Advisory, which sets out OSFI's expectations for reporting technology and cyber security incidents.
OSFI Boots Up Cyber Safety with its New Advisory on Technology and Cyber Security Incident Reporting
On January 24, 2019, the Office of the Superintendent of Financial Institutions (“OSFI”) published the Technology and Cyber Security Incident Reporting Advisory (the “Advisory”), which sets out OSFI’s expectations for reporting technology and cyber security incidents.
The Office of the Privacy Commissioner of Canada recently released a guidance document for Canadian private sector cannabis retailers who collect personal information from their customers.
A recent OPC investigation highlights the need to proceed with caution when asked to disclose personal information to a government institution.
This update looks at several additional causes of action and discusses how we can limit the deleterious social consequences of deepfake videos.
It is generally safe to assume that records given to government institutions will be subject to freedom of information/access to information legislation.
McMillan is pleased to host its third annual Privacy, Data Protection & Cybersecurity Seminar in Toronto.
Is your Privilege Protected? Ontario Court Revisits Doctrine of “Implied Waiver of Privilege” in Recent Decision
Recent case law from Ontario confirms that a party seeking to rely on parts of privileged document cannot simultaneously claim privilege over the same document.
July, 2018, the CRTC announced it took enforcement action against Datablocks and Sunlight Media - the first time action is taken under Canada's "Anti-Spam Law"
Personal information where it is reasonable in the circumstances to believe that the breach creates a "real risk of significant harm" to affected individuals
In the midst of the Cambridge Analytica data scandal, businesses should consider whether their data handling practices are consistent with user expectations
Stormy Daniels launches complaint asking a California court to find the NDA invalid and confirm she was free to speak publicly about an alleged 2006 sexual affair with Mr. Trump
The Office of the Privacy Commissioner of Canada recently released a draft policy position regarding the protection of online reputation.
The British Columbia Court of Appeal rules that absolute privilege precludes claim for breach of privacy.
Join the discussion where legal and industry leaders will provide the latest updates on CASL and how organizations are rising to the compliance challenge.
Members of McMillan’s Privacy, Cybersecurity, Data Protection groups will be discussing, for the second year running, how client and in-house counsel can educate their firms on how to navigate through privacy in the workplace, cyber security risks and data protection issues on Tuesday Nov 14, 2017.
Prying Eyes: Risk of Employee ‘Snooping' and How to Reduce it
CSA Provides Guidance to Registrants on Cyber Security and Social Media
Cybersecurity – The Legal Landscape in Canada
Please join us for a practical and in-depth discussion aimed at HR professionals, in-house counsel and operations managers, who want to prepare and better understand how Bill1 48 will impact their business.
Sneak Peek at PIPEDA's Breach Reporting Requirements - Proposed Regulations Released for Comment
Server Location Not Definitive in Determining Jurisdiction Over Foreign Defendant
Cybercrime Insurance Coverage Caselaw: Welcome to Canada?
Supreme Court of Canada Turns the Other Cheek: Facebook’s “Terms and Conditions” – Forum Selection Clause Unenforceable
Supreme Court of Canada Turns the Other Cheek: Facebook's "Terms and Conditions" – Forum Selection Clause Unenforceable
Taking CASL by Storm: Compliance Tips for Investment Fund Managers
CASL Private Right of Action Delayed; Enforcement by CRTC Continues
Know your Obligations: Workplace Privacy in BC
Employee personal information handled by an organization is far greater than the personal information collected by the organization about customers and third parties
The tides are changing for cyber regulation, and you may need to take action in order to stay afloat
The tides are changing for cyber regulation, and you may need to take action in order to stay afloat
Are Canadian Businesses Ready For a Cyber Attack?
We've Overpaid, Now What? OLRB Confirms Employers' Obligations in Addressing Pension Overpayments
Are You Ready for CASL's Private Right of Action?
CSA Provides Cybersecurity Risk Disclosure Guidance and Best Practices for Reporting Issuers
The Cybersecurity Implications of Driverless Cars
Privilege wins out over Document Production Requests, Orders and FOI Legislation – SCC Confirms Status of Solicitor-Client Privilege and Litigation Privilege
Privilege wins out over Document Production Requests, Orders and FOI Legislation - SCC Confirms Status of Solicitor-Client Privilege and Litigation Privilege
Cybersecurity and cyber risk are growing areas of concern for businesses, governments and individuals.
"Going Dark" – No Easy Answers on the Cybersecurity Horizon
As organizations are increasing their investment in data safeguards, McMillan’s Privacy Group would like to help our clients understand their core privacy, data protection and cybersecurity obligations and related legal issues.
McMillan's Labour and Employment Group invites you to join us at our annual employment and labour seminar.
CSA Publish Update on Cybersecurity for Market Participants
International Data Transfers to and from Canada
The GDPR – Key Points for Canadian Businesses
It's Time for Your Company's Cyber-health Check-up
Privacy Alert: Proliferation of Access Requests as New Tools Automate Request Generation and Distribution
Privacy Alert: Proliferation of Access Requests as New Tools Automate Request Generation and Distribution
Mitigating Cyber Risk and Cybersecurity Insurance
Safeguarding Data Transfers of Federally Regulated Entities: Within Canada and Beyond
Privacy and Cybersecurity Issues in Canadian M&A Transactions
Decrypting the iPhone - Everybodys Got Something to Hide, Except Me and My Monkey
Introducing Safe Harbour 2.0: the EU-US Privacy Shield
The Privacy Commissioners Annual Report on the Privacy Act
Can you keep a secret? The courts recognize a new tort for public disclosure of private facts
Bring Your Own Device (“BYOD”) Programs: Strategic Considerations to Reconcile Security and Privacy Issues
A Bring Your Own Device program permits employees to use their own personal electronic devices for both business and personal purposes.
Developments in cyber-risk insurance coverage
Insurers and other insurance professionals have traditionally been well positioned to drive improvements in risk management processes.
Cyber risk insurance: driving the risk management process
Safe Harbour Not Safe Enough: Data Transfers From E.U. To U.S. Out To Sea
Ashley Madison – A new era in privacy class actions for Canada?
Security Breach Implicating Personal Information: Which Injuries are Compensable?
Shining Light in Dark Places: GPEN Sweep Targets Children's Mobile Applications and Websites
Health Privacy Revisited – Upcoming Changes to Ontario's Health Privacy Laws
Online Behavioural Advertising: An Update for Advertisers, Ad Networks and Agencies
McMillan Privacy Basics Bulletin Series
Flag on the Play? Recent Disclosure of NFL Player’s Medical Information Sparks Allegations of Privacy Violations
Flag on the Play? Recent Disclosure of NFL Player's Medical Information Sparks Allegations of Privacy Violations
More Changes to Cyber Security Laws on the Horizon?
Bell Gets a Bad Rap for its RAP (Relevant Advertising Program)
Monitoring the Mayor – B.C. Mayor alleges that computer monitoring violated his privacy
CRTC Imposes $1.1 Million Penalty for Alleged CASL Violation
Green Eggs And Spam: The Surprising Side Dish to Canada’s Anti-Spam Law that May Catch Software Businesses Off Guard
Green Eggs And Spam: The Surprising Side Dish to Canadas Anti-Spam Law that May Catch Software Businesses off Guard
Canadian Telcos and Banks Subject to the Quebec Privacy Law
Limited Protection of Dependents Personal Information in Group Insurance Matters
Key Differences between US and Canadian Anti-Spam Laws
Top Ten Things You Need to Know About Canada's Anti-spam Law
CASL update #3 – computer download rules – potential impact for online advertisers
Get updates delivered right to your inbox. You can unsubscribe at any time.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.