Kristen Pennington maintains a dynamic practice in privacy, data protection and employment law.  She assists emerging and established companies across a range of industries, including manufacturing and technology, and provides insights into Canada’s distinct laws in these disciplines to support businesses entering or investing in the Canadian market.

As a Certified Information Privacy Professional / Canada (IAPP), Kristen counsels clients on a wide variety of privacy and data security issues, including cross-border transfers of personal information, preventing and responding to data breaches, and evaluating the privacy law implications of new products, services, technologies and initiatives.  She helps clients develop robust privacy compliance programs, including policies governing employees’ handling of personal information, data subject rights requests and vendor management, and frequently drafts privacy policies, cookie banners, consent forms, acceptable use policies and privacy and data protection terms in an array of commercial agreements.

Working with employers, Kristen advises on employee privacy issues, including conducting background checks, developing employee privacy policies, collecting employees’ personal information during a pandemic, and selecting and engaging payroll and other service providers who handle employees’ personal information.

Experienced in all areas of employment law, Kristen advises employers on hiring and dismissals, employment contracts, performance management and discipline, employment policies, and compliance with employment standards and human rights laws.

An experienced litigator, Kristen has appeared before the Ontario Superior Court, the Ontario Court of Appeal, the Ontario Human Rights Tribunal, the Ontario Labour Relations Board, and the Canadian Railway Office of Arbitration and Dispute Resolution, as well as at various mediations. She regularly assists employers with negotiating timely and practical resolutions to wrongful dismissal, constructive dismissal, discrimination, contractor mischaracterization and other employment-related allegations.

An area of particular expertise for Kristen is assisting employers in developing and implementing effective discrimination, violence and harassment policies and programs, and managing workplace complaints. She also provides training on workplace investigations, employee accommodation and management of conflict in the workplace.

Kristen has assisted vendors and purchasers with assessing the employment and privacy law implications of corporate transactions.  She also regularly collaborates with international counsel to advise on the Canadian privacy and/or employment law considerations of multijurisdictional projects.



Representative Matters

Privacy Law Matters

  • Privacy counsel to a leading global fast-food restaurant chain
  • Privacy counsel to the Canadian arm of an international humanitarian organization
  • Drafted Canadian privacy policies for luxury fashion and automobile brands, food services companies, payment solutions providers, IT providers, manufacturers of medical equipment, and various ecommerce platforms
  • Developed a website privacy policy, cookie policy and cookie banner for a renowned European fashion house
  • Developed various privacy notices for a purchasing and services cooperative in the food service industry
  • Assisted a multi-entity human resources and benefits organization with the development of a Canadian privacy compliance program
  • Assisted an international welding supply company with the development of a Canadian privacy compliance program
  • Assisted a large North American manufacturer and retailer of footwear with developing a privacy compliance program involving the cross-border transfer of employee personal information
  • Assisted a financial services company with evaluating its obligations with respect to the cross-border transfer and storage of personal information
  • Assisted a paper and packaging company with strategic data breach reporting and notification advice
  • Assisted a medical device manufacturer with responding to an inadvertent disclosure of customers’ personal information
  • Assisted an organization in the insurance industry with responding to a ransomware incident

Employment Law Matters

  • Successfully appealed trial court’s decision with respect to the dismissal of an employee who engaged in sexual harassment in Hucsko v. A.O. Smith Enterprises Ltd., 2021 ONCA 728
  • Assisted a board of directors with managing, investigating and responding to sensitive workplace harassment and discrimination complaints involving senior leadership
  • Acted for a transportation company with respect to the dismissal of an employee involved in a high-profile fatal accident
  • Assisted an international software company with its entry into the Canadian market, including establishing template employment agreements and compensation plans, and implementing mandatory employment policies
  • Assisted a US-based workplace technology company with its entry into the Canadian market, including hiring a Canadian workforce
  • Assisted a UK-based developer of cybersecurity software with its entry into the Canadian market, including establishing template employment agreements and hiring policies
  • Go-to employment counsel to a variety of manufacturers, including manufacturers of packaging solutions, pet products, industrial pumps, and life sciences products
  • Go-to employment counsel to a variety of engineering and engineering consulting firms
  • Go-to employment counsel to leading not-for-profit organizations, including cultural centres, national health research funders, health promotion organizations, and political research centres
  • Acted for a variety of employers in wrongful dismissal and human rights disputes, including leading payment card, cannabis, construction, software, security solutions, and not-for-profit organizations

Corporate Transactions

  • Provided privacy law advice in connection with the acquisition of a forensics and digital investigation software company
  • Provided privacy law advice in connection with the acquisition of a global pharmaceutical manufacturing and research company
  • Provided employment and privacy law advice to an international consulting firm in connection with its entry into the Canadian market through the acquisition of a leading health consulting company
  • Provided employment law advice to HCI Equity in connection with the acquisition by AmerCareRoyal, LLC of McNairn Packaging
  • Provided employment law advice to a publicly-traded payment company in connection with its acquisition of a Canadian fintech firm
  • Provided employment law advice to a private equity firm in connection with its acquisition of an online content removal business
  • Provided employment law advice to a private equity firm and its portfolio company in connection with its acquisition of a manufacturer of animal litter

Speaking Engagements

Association of Corporate Counsel, New York City - Global Business Adapts to Evolving Data Protection Laws: Key Issues You Cannot Ignore

March 6, 2024

Employment Law Masterclass: Employee Monitoring – Employees’ Rights and Employers’ Obligations

February 15, 2024

#RISK DIGITAL: Behind Closed Doors – Navigating Insider Threats in the Digital Age

February 13, 2024

Global Livestream – Global Privacy Day: Safeguarding AI Data

January 25, 2024

Global Livestream – Global Privacy Day: Data Transfers – Bridging the Gap from Policy to Implementation

January 25, 2024

Privacy Espresso Podcast: The Intersection of Privacy Law & AI Technologies in Canada

January 11, 2024

PrivSec Global Webinar: Workplace AI Policies – Does Your Company Need Them?

November 29, 2023

Ontario Bar Association Panel: Privacy Laws and the Private Sector

June 21, 2023

PrivSec Global Webinar: Should Society Tolerate Widespread Use of Facial Recognition?

June 29, 2022

Portfolio Management Association of Canada’s Regulatory & Compliance Forum: Privacy & Cybersecurity Hot Topics

May 26, 2022

TerraLex Technology & Digital Business Industry Meeting: Upcoming Changes to Quebec’s Privacy Laws – What Global Companies Need to Know

April 29, 2022

PrivacySec Global Webinar: How to Prevent Misdirected Emails – The Dreaded “Reply-All”, Cc and Wrong Recipient Errors

February 15, 2022

PrivacyRules Webinar: Destination Normal – Canadian Privacy Regulators Address Vaccine Passports

June 17, 2021

Ontario Bar Association Panel: Requesting Proof of COVID-19 Vaccinations from Customers and Clients

March 1, 2021

Ontario Bar Association Panel: Workplace Harassment Investigations

February 24, 2021

HR Insider Webinar: Mandatory Vaccination Policies – Enforceable or a Shot in the Dark?

February 10, 2021

Terralex Data Privacy Day Series: The Rise of Privacy Torts in Canada

January 28, 2021

Ontario Bar Association Panel: Mastering Summary Judgment Motions

October 27, 2020

Association of Certified Forensic Investigators’ Annual Conference: Handling Harassment Investigations – How to Minimize Workplace Disruption & Legal Liability

May 26, 2020

Glendon College: Glendon Grads Address Canada @ 150

September 23, 2017

Teaching Engagements

  • The Impact of AI in the DEI Space – Osgoode Certificate in Equity, Diversity & Inclusion in the Workplace (April 10, 2024)
  • Key Privacy Implications of Employee Monitoring – Queen’s University Professional Master of Industrial Relations Program (May 8, 2024)

Rankings & Recognition

  • Recognized by Chambers Canada (2025) as a leading lawyer in the area of Privacy & Data Protection

Community Involvement

  • Mentor in the Glendon College Mentorship Program
  • Judge at the Lloyd Dean Moot, hosted by the Windsor Chapter of the Black Law Students’ Association (2022)

Directorships & Affiliations

  • Ontario Bar Association, Privacy Section
  • International Association of Privacy Professionals, Member

Education & Admissions

  • 2015: Called to the Ontario bar
  • 2022: Certified Information Privacy Professional / Canada, International Association of Privacy Professionals
  • 2019: Intensive Trial Advocacy Program, York University, Osgoode Hall Law School
  • 2014: JD, University of Toronto, Faculty of Law
  • 2011: Honours BA, Canadian Studies, York University, Glendon College

Publications

Insights (51 Posts)

Featured Insight

Canadian Privacy Regulators Issue Resolution about Deceptive Design Patterns

Canadian privacy regulators have issued a joint resolution with expectations for organizations about the use of deceptive design patterns on websites and apps.

Nov 14, 2024

McMillan’s Annual Privacy, Data Protection and Cybersecurity Client Seminar

This program will provide an overview of recent significant decisions and regulatory guidance, along with discussions about the privacy implications of AI and how deceptive design patterns could be impacting your organization’s legal compliance.

Thursday, October 24, 2024

The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws: ISSUE #5: Training Employees

Providing employee training is a key action item in ensuring an effective Canadian privacy compliance program.

Sep 17, 2024

The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws: ISSUE #4: Responding to Data Subject Requests the Right Way

Under Canadian privacy laws, individuals have certain rights with respect to their personal information.

Sep 10, 2024

The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws: ISSUE #3: Managing Vendors

Under Canadian privacy laws, organizations that transfer personal information to a third party vendor for processing remain responsible for its protection.

Sep 3, 2024

The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws: ISSUE #2: Conducting Privacy Impact Assessments

Privacy Impact Assessments are a critical compliance and governance tool that help organizations comply with applicable privacy and data protection requirements

Aug 27, 2024

The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws: ISSUE #1: Obtaining Valid Consent

Many organizations are aware that they need consent to process Canadian personal information, but they are not familiar with all the specific rules.

Aug 20, 2024

The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws

There are five common areas in which Canadian businesses often have gaps in their privacy compliance programs.

Aug 13, 2024

AI and Workplace DEI Initiatives: Opportunities and Challenges

Though AI can help support the development of more inclusive workplaces, the use of AI in furtherance of DEI initiatives is not without risks.

Jun 25, 2024

What You Need to Know about Regulatory Impacts on Auto OEMs

Join us for a webinar where we will be discussing key updates, impacts and changes to the regulatory landscape for Original Equipment Manufacturers.

Wednesday, June 19, 2024

Exploring Extraterritoriality: Do You Need a Physical Presence for Privacy Laws to Apply?

Join McMillan and Kochhar & Co. for an international webinar about the extraterritorial application of privacy laws in each of their jurisdictions. Can organizations without a facility or employees in Canada or India be subject to local privacy legislation? This is a must-watch program for organizations doing business in Canada and/or India.

Wednesday, March 6, 2024

Happy Privacy Week, Canada! 3rd Edition

Nearly every organization will collect, use, share and store the personal information of employees.  Much of this information, including financial, health and even biometric information, is considered sensitive and must be handled with great care.

Jan 24, 2024

Developing, Offering and Using Generative AI Technologies: Canadian Privacy Regulators Weigh In

Canada’s privacy regulators have jointly released guidance for organizations that develop, provide and use generative artificial intelligence systems.

Jan 3, 2024

An Update on Cross Border Data Transfers in Canada and the EU

This webinar will feature presentations about key and emerging issues involving the transfer of personal information within and outside of the European Union and Canada.

Wednesday, November 15, 2023

McMillan’s Annual Privacy, Data Protection and Cybersecurity Client Seminar

Join McMillan's Privacy & Data Protection Group on Tuesday, October 17th for an overview of recent significant decisions and regulatory guidance.

Tuesday, October 17, 2023

Unpacking Bill C-27 – How Organizations Can Prepare for Potential Changes to Canada’s Federal Privacy Laws

Bill C-27 – also known as the Digital Charter Implementation Act, 2022 – completed its second reading in Canada’s House of Commons, bringing Canada one step closer to privacy law reform. Join our discussion on these significant potential developments and what they may mean for your organization.

Thursday, May 18, 2023

Privacy, Technology and Cybersecurity Issues in Tech Transactions

Full evaluation of a target's privacy, technology and cybersecurity compliance in due diligence is critical for transactions involving technology companies.

Dec 6, 2022

McMillan’s Annual Privacy, Data Protection and Cybersecurity Client Seminar

Join McMillan's Privacy & Data Protection Group on Wednesday, December 7th for an overview of recent significant legal developments, tips on complying with new and forthcoming obligations under Quebec’s Bill 64, and discussions about hot topics in data management.

Wednesday, December 7, 2022

Privacy Reform is on the Table Once More: Canada Introduces the Digital Charter Implementation Act, 2022

New federal privacy legislation has been introduced. If passed, Bill C-27 will materially change the legal landscape for privacy and data protection in Canada.

Jun 22, 2022

Taking Control: Proactive Data Breach Preparedness and Responsible Incident Management

Join us on Tuesday, June 21st as members of our Privacy and Technology Groups discuss how your organization can proactively prepare in order to be in control if and when an incident occurs and to take measured and responsible steps to prevent and manage the associated legal and business risks.

Tuesday, June 21, 2022

Federal Privacy Commissioner Releases Key Recommendations for a New Federal Private Sector Privacy Law

The Office of the Privacy Commissioner of Canada released a summary of its key recommendations for a new federal private sector privacy law in Canada

May 17, 2022

Court of Appeal: Single Incident of Sexual Harassment is Cause for Termination

Ontario’s Court of Appeal has upheld the termination of a 30-year employee for cause following a single incident of sexual harassment.

May 6, 2022

Data Collection and Protection in the Automotive Sector

Join us on Thursday, April 28, 2022 as members of McMillan's Privacy & Data Protection Group discuss privacy and data protection issues relevant to the automotive industry.

Thursday, April 28, 2022

Clearview AI Ordered to Comply with Provincial Regulators’ Privacy Recommendations

Canada’s provincial privacy regulators have issued orders against Clearview AI forcing it to comply with the recommendations of a 2020 joint investigation.

Jan 5, 2022

Canada Partners with the European Commission to Examine Use of Digital Credentials

Increased standards for digital credentials improve privacy and global functionality - but what does this mean for businesses who use them?

Dec 7, 2021

Privacy Commissioner Releases More Guidance for Video Teleconferencing Companies

Video teleconferencing companies face unique cybersecurity and data privacy risks. The OPC has new guidance on how these companies can best address them.

Nov 3, 2021

McMillan’s Annual Privacy, Data Protection and Cybersecurity Webinar

Our lawyers will provide an overview of important case law developments, regulatory guidance, upcoming statutory changes, and hot topics in Privacy, Data Protection & Cybersecurity

Wednesday, November 10, 2021

Alberta Recognizes Privacy Tort of Public Disclosure of Private Facts

The Alberta Court of Queen’s Bench recognized the tort of public disclosure of private facts for the first time; in deciding to recognize the tort...

Sep 27, 2021

Is Private Sector Privacy Legislation Looming in Ontario?

Ontario government seeks input on privacy policy proposals, signaling that Ontario private sector privacy legislation may be on the horizon

Jul 5, 2021

Canadian Privacy Commissioners Issue Joint Guidance on Vaccine Passports

Commissioners warn that privacy considerations must be “front and centre” as organizations develop and implement vaccine passports in the coming months

May 25, 2021

Mandatory Vaccination Policies: Enforceable or a Shot in the Dark? (February 10, 2021)

While mass vaccination hasn’t arrived, employers are already wrestling with what the rules should be as we start to return to a new normal.

February 10, 2021 - 2:00 pm to 3:00 pm EST

Potential Overhaul of Canadian Privacy Law – Is Your Organization Ready?

January 20, 2021 - 11:00 pm to 2:00 pm ET

International Comparative Legal Guide (ICLG) – Cybersecurity Canada 2021

The International Comparative Legal Guide (ICLG) - Cybersecurity Canada 2021 guide covers common issues in cybersecurity laws and regulations.

Dec 3, 2020

McMillan’s Employment and Labour Webinar

This annual workshop addresses significant legal developments and provides practical advice on responding to employee issues.

November 10, 2020 - 11:30 am to 1:30 pm

Canada’s New Cybersecurity Certification Goes Live

The federal government has launched a voluntary CyberSecure program to help small and medium-sized organizations protect against cybersecurity threats

Oct 13, 2020

Mandatory Indoor Face Coverings: What Ontario Employers Need to Know

Oct 6, 2020

Ontario Amends Employment Standards Legislation in Response to COVID-19

Ontario passes new protected leave of absence for employees impacted by COVID-19, and suggests COVID-19 cases should be reported as occupational illnesses.

Aug 5, 2020

Privacy Penalties – Canadian Competition Bureau Wades Into Privacy Enforcement

Organizations operating in Canada are advised to immediately review their privacy-related policies and marketing to avoid false or misleading representations

May 26, 2020

Privacy Commissioner Releases Tips for Secure Videoconferencing

It goes without saying that organizations’ use of videoconferencing is at an all-time high as many businesses have converted to remote work.

May 5, 2020

Shedding “Light” on a New Privacy Tort

An Ontario court has recently recognized the privacy tort of "false light publicity".

Mar 3, 2020

2019 Year in Review: Privacy, Data Protection & Cybersecurity

Focusing our discussion on significant advancements, findings and key takeaways, we will present a “Year in Review” session that will cover many of the notable developments that occurred in 2019.

Feb 4, 2020

Inadequate Workplace Harassment Investigation Results in $75,000 Damage Award

A recent decision of the Manitoba Human Rights Commission emphasizes the importance of developing a clear plan at the outset of a workplace investigation.

Jan 28, 2020

New Year, New Laws? Canada Sets its Privacy Law Resolutions

A number of recent developments suggest that momentum for significant reform to Canadian privacy and data protection laws is building.

Jan 28, 2020

Keepin’ It “Real”: OPC Finds that PIPEDA Applies to Foreign-Incorporated Business

Jan 15, 2020

Sorry Not Sorry: Ontario Decision Highlights “Aggravating Factors” in Sexual Harassment Cases

An Ontario Court has upheld the termination of a 30-year employee with a clean disciplinary record following a single incident of sexual harassment.

Jan 7, 2020

Contact Information Posted on Websites Not Necessarily Up for Grabs

Investigation findings of the Office of the Privacy Commissioner highlight issues surrounding the use of personal contact information posted on websites

Dec 19, 2019

Ontario Court Suggests Terminated Salespeople are Fish Out of Water

Recent Ontario decision calls into question prior holdings about the transferability of salespersons' skills.

Dec 16, 2019

Top of the Class: New Cybersecurity Program to Certify Privacy-Minded Businesses

The federal government has launched a new cybersecurity certification program aimed at helping small and medium-sized businesses protect against cyber threats.

Aug 14, 2019

Proposed Digital Charter Could Bring Sweeping Changes to Canadian Privacy Laws

On May 21, 2019, the Canadian federal government released a proposed Digital Charter

May 23, 2019

Consent Unnecessary to Disclose Credit File to Statistics Canada

A recent OPC investigation highlights the need to proceed with caution when asked to disclose personal information to a government institution.

Dec 30, 2018

Trick or…Breach? PIPEDA’s Breach Reporting Requirements Come Into Force on November 1, 2018

This bulletin provides an overview of the new breach reporting requirements.

Nov 1, 2018

Deals & Cases (5 Posts)


Irth Solutions Acquires geoAMPS and Extends Management of Critical Processes and Data for Geo-temporal Location

On July 13, 2023, Irth Solutions LLC acquired geoAMPS, a software provider for managing land rights, stakeholder engagement and compliance serving multiple industries, including renewables, oil and gas, transportation and telecom.

Jul 13, 2023

McMillan Advises Thoma Bravo in its $1.8 Billion Acquisition of Magnet Forensics Inc.

On April 6, 2023, Thoma Bravo successfully completed the acquisition of all of the issued and outstanding subordinate voting shares and multiple voting shares of Magnet Forensics Inc. (“Magnet”) (TSX: MAGT) for $1.8 Billion, by way of a plan of arrangement.  

Apr 6, 2023

McMillan Advises Peak Rock Capital in its Acquisition of Innocore Sales & Marketing Inc.

On February 28, 2023, Peak Rock Capital and Tranzonic Companies, its portfolio company, completed the acquisition of Innocore Sales & Marketing Inc, a supplier of high-quality disinfectant products and sanitizing systems to a wide range of industrial and commercial customers across North America.

Feb 28, 2023

McMillan Advises Calabrio, Inc. in its Acquisition of Wysdom AI

On January 9, 2023, Calabrio, Inc. announced its acquisition of Crowdcare Corporation dba Wysdom AI.

Jan 9, 2023

McMillan Represents AJ Gallagher in US$3.25B Acquisition of Willis Towers Watson Assets

On December 1, 2021, Arthur J. Gallagher & Co. completed its USD$3.25 Billion acquisition of substantially all of the treaty reinsurance brokerage operations from Willis Towers Watson plc.

Dec 1, 2021