SlideShare une entreprise Scribd logo

10 Things You Need to Know About Privacy Law Updates

Now Dentons
Now Dentons

This document provides an update on federal and provincial privacy laws in Canada. It discusses proposed amendments to PIPEDA that died in parliament and recent PIPEDA case summaries. It also discusses provincial privacy laws in Quebec, Alberta, and British Columbia that are substantially similar to PIPEDA. Additionally, it covers privacy considerations for corporate transactions and cross-border data flows.

BusinessTechnologieActualités & Politique
1  sur  60
Télécharger pour lire hors ligne
“10 Things You Need To Know  About Privacy” April 5, 2011 Presented by: Catherine Coulter & Anneli LeGault 1
Update on Federal Privacy Law 2
Update on Federal Privacy Law: ‐ Proposed amendments to PIPEDA recently died when  Parliament prorogued included the following: ‐ mandatory reporting of material breaches to the  Privacy Commissioner ‐ mandatory reporting of breaches to individuals  where there is a real risk of significant harm ‐ Business Transaction exemption ‐ expanded carve‐out of the definition of business  contact information 3
Update on Federal Privacy Law: Recent PIPEDA Findings: Case Summary #2010‐001: ‐ The Commissioner will not make findings if she is satisfied that the complaint can more appropriately be dealt with by means  of a procedure otherwise provided for at law ‐ Individuals who have been denied access to their personal  information due to solicitor & client privilege must use court  proceedings to obtain a ruling on the appropriateness of the  privilege claim (follows S.C.C. ruling in Blood Tribe (2008)) 4
Update on Federal Privacy Law: Case Summary #2010‐003: ‐ Requests for access to personal information are time‐sensitive.   Where an organization requires more than 30 days to fulfill the  request, it must advise the individual of same, advise of the  new time limit, advise of the reasons for the extension and  advise the individual of his/her right to make a complaint to  the Commissioner regarding the extension ‐ Whenever requests are made, organizations should ensure  that the requested information is not deleted during the  request period due to the organization’s regular  deletion/retention practices 5
Update on Federal Privacy Law: Case Summary #2010‐018: ‐ Personal information which has been de‐identified (had all  personally indentifying information removed) does not qualify  as anonymous information if it is still possible to link the de‐ identified data back to an identifiable individual ‐ An access request for personal information does not grant the  requester the right to information that reflects discussions  taken in preparation for possible litigation 6
Update on Federal Privacy Law: Case Summary #2010‐013: ‐ Unless and until the PIPEDA amendments are brought forward  again and passed into legislation, business email addresses  remain as personal information ‐ As a result, business email addresses may not be collected,  used or disclosed unless they are publicly available ‐ If business email address lists are rented or purchased, care  must be taken to ensure that they were collected with consent 7
Provincial Privacy Law – What to Watch  Out For With Substantially Similar  Legislation 8
Provincial Privacy Law: Quebec – An Act Respecting the Protection of Personal  Information in the Private Sector (1994) ‐ Similar to PIPEDA ‐ Applies to all enterprises in Quebec ‐ Covers information in the private sector, including health  information ‐ Violations of the Act are punishable by fines ranging from  $1,000 to $10,000 for a first offence, and $10,000 to $20,000  for subsequent offences ‐ Binding orders by the Commissioner are permitted 9
Provincial Privacy Law: Quebec – An Act Respecting the Protection of Personal  Information in the Private Sector (1994) ‐ Those binding orders can be made into binding orders of the  provincial court ‐ Offending parties are generally named in any published  findings 10
Provincial Privacy Law: Alberta – Personal Information Protection Act (“PIPA”) ‐ Similar to PIPEDA ‐ Separate legislation for personal health information (Health  Information Act, 2001) ‐ Under PIPA Alberta, there is a class of non‐profit organizations  for which the legislation only applies to their commercial  activities ‐ Under PIPA Alberta, there are special provisions for  professional regulatory organizations to follow an approved  privacy code in place of certain sections of the legislation 11
Provincial Privacy Law: Alberta – Personal Information Protection Act (“PIPA”) ‐ Binding orders by the Commissioner are permitted ‐ Those binding orders can be made into binding orders of the  provincial court ‐ Offending parties are generally named in any published  findings ‐ Violations of the Act are punishable by fines 12
Provincial Privacy Law: B.C. – Personal Information Protection Act (“PIPA”) ‐ Similar to PIPEDA ‐ Extremely similar legislation to PIPA Alberta, but for the  following: ‐ Commissioner has audit powers ‐ no provision for the filing of the Commissioner’s orders in  provincial court and having them enforced as orders of  that court ‐ Actions only permitted for “actual damages” suffered 13
Privacy in Corporate Transactions 14
Privacy in Corporate Transactions: ‐ Both PIPA Alberta and PIPA B.C. contain provisions which permit  necessary personal information to be disclosed without consent for the  purpose of a business transaction (the “Business Transaction  exemption”) ‐ Some of the recent proposed amendments to PIPEDA were aimed at  adding a Business Transaction exemption to PIPEDA, but the Bill recently  died when Parliament prorogued ‐ In an early finding of the Alberta Privacy Commissioner, customer  personal information was disclosed to a purchaser without consent  during the course of the transaction.  Although the disclosure was found  to be in compliance with the legislation, the Commissioner noted that all  business transaction agreements should specifically address the  anticipated use of any transferred personal information, and parties  should only undertake to use personal information for the purpose for  which it was collected 15
Privacy in Corporate Transactions: ‐ In a subsequent finding of the Alberta Privacy Commissioner, employee  personal information was submitted from one law firm to another as part  of the due diligence process during an acquisition.  Some of the information provided went above and beyond that required for due diligence purposes.  In addition, the receiving law firm posted that  information to the Systems for Electronic Document Analysis and Retrieval  (SEDAR). ‐ The Commissioner found that: (i) the Business Transaction exemption did  not apply to all of the transferred information (eg. home addresses, SIN’s)  and therefore there was a contravention of the legislation; and (ii)  Stikeman Elliott had a duty to review the received information before  publicly posting it to SEDAR 16
Privacy in Corporate Transactions: For business transactions in Alberta or B.C.: ‐ Determine whether or not the information sought to be  collected, used or disclosed meets the Business  Transaction exemption ‐ Only use or disclose that information for the same  purpose for which it was collected ‐ If the above is not possible, obtain consent For business transactions in Ontario and elsewhere: ‐ Obtain consent 17
Privacy in Corporate Transactions: Example consent paragraph in employment agreements: By accepting this offer, you voluntarily acknowledge and consent to the collection,  use, processing and disclosure of personal data as described in this paragraph.  The  Company will hold certain personal information which may include your name,  home address, home telephone number, date of birth, social insurance number,  employee identification number, compensation, payroll deposit account, job title,  attendance and work record, marital or family status, name of your spouse and  dependents (if any), contribution rates and amounts, account balances, benefit  selections and claims for the purpose of: (i) establishing, managing and/or  terminating the employment relationship between you and the Company; (ii)  making payroll deposits, preparing tax reports or administering benefit  entitlements; or (iii) contacting others in the event of an emergency (“Data”).  The  Company, in accordance with its standard operating procedures, may disclose Data  to its affiliates or with contracted third party outsourced services or benefit  providers as necessary, for the purpose of human resources, payroll, retirement  and benefit administration.  The Company may also disclose Data to third parties  for the purposes of exploring and carrying out mergers, acquisitions, financings,  initial public offerings or similar transactions. 18
Cross‐border Data Flow 19 9690158_1
Obligations of a Canadian organization • Accountability • Safeguards • Openness  20
Typical Cross Border Scenarios • Storage of data on servers in USA – e.g. SAP installation • Email service provider has no Canadian data centre • SPAM service provider located in USA or UK • Email run through USA • Data processed in USA • Bidding on government work, for example, in BC and NS 21
Risk Levels European Union USA Non‐APEC or non‐OECD member countries 22
European Union • EU member states have passed Data Directives prohibiting  transfer of personal information to another jurisdiction unless  the European Commission has determined that the other  jurisdiction offers adequate protection 23
United States • US Patriot Act • Section 215 allows FBI to access records held in USA by  applying for an order of the Foreign Intelligence Surveillance  Act Court • Company subject to a Section 215 order cannot reveal that the  FBI has sought or obtained information from it • US has Safe Harbor accord with EU (2000) – Companies can opt in  • US has sector specific laws and some US states have enacted  laws 24
APEC/OECD Member Countries • Organization for Economic Cooperation and Development  Guidelines on the Protection of Privacy and Transborder Flows  of  Personal Data (1980) – 31 member countries • Asia – Pacific Economic Cooperation Privacy Framework (2004)  – 21 member countries 25
Rulings Concerning Canada‐USA  Cross‐Border Data Transfers 26 9690158_1
British Columbia • BCGEU v. The Minister of Health Services and Maximus • US Company, Maximus, selected by B.C. Ministry of Health  Services for administration of B.C.’s public health insurance  program • BCGEU files complaint under FOIPPA • Personal health information of B.C. residents accessible to US  authorities under US Patriot Act 27
British Columbia (cont’d) • Privacy Commissioner initiates public process – >500 submissions received • FOIPPA amended to require a public body to ensure that  personal data under its control is stored only in Canada and  accessed only in Canada (with  certain exceptions) • New requirement to report any foreign demand for disclosure  to Minister 28
Alberta • Outsourcing email services to Google • University of Alberta spends a year investigating  the  possibility of a single campus email system using Google’s  Gmail • Users of University email system must be informed that their  emails will reside in a foreign  jurisdiction and be subject to the  laws of that jurisdiction such as US Patriot Act • U of A agrees to inform students and employees it cannot  guarantee protection against disclosure of emails residing in  US 29
Alberta PIPA amended May 1, 2010 • Duty to notify individual if a service provider outside of Canada  will collect PI or PI will be transferred to service provider – Written or oral notice re:  • how to access information about company’s policies/practices on non‐ Canadian service providers • name or title of person who can answer questions 30
Use of Service Provider in USA – Ruling 313 • VISA credit card information to be processed in US • Canadian customer data stored on U.S. based software system • VISA cardholder agreement amended • No opt‐out • US authorities may access the data 31
Ruling 313 (cont’d) • Ruling: – Bank had contract with U.S. data processor to maintain comparable  level of security and protection – Bank appropriately notified customers 32
Security System Provider Shares Customer  Data – Ruling 333 • Security system company tells Canadian customers of  intention to share customer contact information with U.S.  parent company • If catastrophic event overwhelms Canadian customer  monitoring centre, alarm signals routed to other North  American monitoring centre • Sharing of customer address, phone, emergency contacts • No sharing of financial or credit data • Customers could opt out and get reduced level of service 33
Ruling 333 (cont’d) • Ruling:  – Customer consent not required, not a disclosure – Personal data being used for same original purpose – Company was transparent and provided sufficient information about  practices  – Parent company must adhere to same level of data protection 34
Outsourcing – Ruling 394 • “canada.com” outsourcing e‐mail services to U.S. based  company • Customers requested to consent as condition of on‐going  services • U.S. Patriot Act issues 35
Ruling 394 (cont’d) • Ruling – Sharing with a third‐party subcontractor is a “use” not a “disclosure” – Consent is required to the use – Best practice is to notify – Must take contractual measures to ensure security • oversight • monitoring • auditing – Should provide notice that foreign‐based service provider will be  subject to foreign laws, which may be different than Canadian law 36
Federal Privacy Commissioner Guidelines • PIPEDA does not distinguish between domestic and  international transfers of data • An organization is responsible for personal information in its  possession, including information that has been transferred to  a third party for processing • Where information is transferred for processing, it can only be  used for the purposes for which the information was originally  collected; for example, internet service provider transfers  personal information to third party to ensure technical support  is available 24/7 • A transfer for processing is not a disclosure; it is a use 37
Federal Privacy Commissioner Guidelines • Processing means any use of the information by the third party  processer for which the transferring organization can use it • Comparable level of protection means that the third party  processor must provide protection that can be compared to  the level of protection the data would have received if it had  not been transferred • Primary means to protect personal information is through  contract 38
Best Practices • Be satisfied that the third party has policies and processes in  place, including training and effective security measures, to  ensure the data in its care is properly safeguarded • Set out requirements for safeguards in written contract • Retain the right to audit and inspect • Assess risk when transferring outside of Canada 39
Best Practices • Pay attention to the legal requirements of the jurisdiction in  which the third party processor operates as well as the  potential foreign, political, economic and social conditions and events that may reduce the service provider’s ability to  provide the service • Make it clear to individuals that their information may be  processed in a foreign country and it may be accessible to law  enforcement and national security authorities • Use clear and understandable language • Ideally do so at the time the information is collected 40
Best Practices • When bidding on a RFP involving data processing and storage,  review the bid’s terms and be ready to explain where data will  be stored and processed 41
Privacy Remedies & Risks – What’s Your “Real” Exposure? 42
What are the Remedies and Risks? Under PIPEDA: 1. Investigations & Findings 2. Section 14 Applications 3. Judicial Review 43
1. Investigations: ‐ Investigator will require a response from your organization ‐ Employees may be interviewed without your consent ‐ Company files may be requested ‐ Through the Privacy Commissioner, investigators have the  authority to receive evidence, enter premises where  appropriate and obtain copies of records ‐ After the investigator prepares a report, the Privacy  Commissioner will make a finding 44
Investigations: ‐ The Privacy Commissioner can make the following findings: ‐ Not Well‐Founded ‐ Well‐Founded ‐ Resolved ‐ Discontinued ‐ The Commissioner can make recommendations to your  organization and ask you to respond in writing with your  organization’s plans for implementing the recommendations ‐ Findings of the Commissioner can be publicly posted ‐ Although organizations can be publicly named, it only occurs  when the Commissioner deems it to be in the public interest 45
Investigations: ‐ There is an offence provision under PIPEDA  ‐ Under that provision, the Commissioner can levy fines for  obstruction of an investigation, destroying personal  information after an access request has been made and  disciplining a whistleblower ‐ Fines of up to $10,000 or $100,000 ‐ In addition, the Commissioner has the power to summon  witnesses, administer oaths and compel the production of  evidence ‐ The Commissioner is required under PIPEDA to issue any  findings within a year of the complaint 46
2. Section 14 Applications: ‐ Section 14 applications are hearing requests to the Federal  Court regarding the way in which an organization handles  personal information.  They can only be brought after the  Commissioner has investigated the matter and issued her  findings ‐ The most common reason for a Section 14 application is to ask  the Court to have the Commissioner’s  findings/recommendations enforced against the organization 47
Section 14 Applications: ‐ The Court may: ‐ Order an organization to correct its practices to comply  with PIPEDA ‐ Order an organization to publish a notice of actions taken  or proposed to be taken in order to comply with PIPEDA ‐ Order an organization to pay damages, including  damages for humiliation suffered by the complainant ‐ In December 2010, Justice Zinn of the Federal Court ordered  Transunion to pay total damages of $5,000 to a complainant  (Nammo v. Transunion of Canada Inc.) 48
Section 14 Applications: ‐ The Court found that both the question of whether damages  should be awarded and the question of the quantum of  damages should be answered with regard to: (i) whether  awarding damages would further the general objects of  PIPEDA and uphold the values it embodies; and (ii) deterring  future breaches and the seriousness or egregiousness of the  breach ‐ In another 2010 Federal Court decision, Justice Mosely  declined to award damages because he did not find the breach  to be egregious (Randall v. Nubodys Fitness Centres) 49
3. Judicial Review: ‐ Under section 18.1 of the Federal Court Act, an application can  also be brought for judicial review in order to challenge the  findings of the Commissioner ‐ The grounds for judicial review are limited and include the  following: ‐ an allegation that the Commissioner refused to exercise  her discretion ‐ an allegation that the Commissioner acted without  jurisdiction ‐ an allegation that the Commissioner surpassed the  boundaries of the jurisdiction outlined in PIPEDA 50
Breach Notification 51
Breach Notification: ‐ If your organization finds itself in a breach situation: ‐ work with experienced legal counsel to determine your course of  action ‐ with reference to the applicable legislation, also keep an eye on the  federal Privacy Commissioner’s breach Guidelines and the  accompanying Privacy Breach Checklist and Privacy Breach Incident  Report: http://www.priv.gc.ca/information/guide/index_e.cfm 52
Breach Notification: PIPEDA: ‐ Although PIPEDA does not currently have a breach notification  provision, it is encouraged in certain circumstances ‐ The Privacy Commissioner of Canada has prepared Guidelines which outline the “Key Steps for Organizations in Responding to Privacy  Breaches” PIPA Alberta: ‐ PIPA was amended in 2010 to require breach notification in cases where “a reasonable person would consider that there exists a real  risk of significant harm to an individual as a result of the loss or  unauthorized access or disclosure” of personal information 53
Breach Notification: Personal Health Information Protection Act (Ontario): ‐ Under PHIPA, there is also a positive obligation to notify affected  individuals in circumstances where the privacy of their personal health  information has been compromised.  The obligation applies only to “health  information custodians” (eg. hospitals, labs, doctors) but is required in  every case of breach. ‐ Some of the Atlantic provinces have similar health information protection  legislation and similar breach notification requirements. 54
Breach Notification: ‐ The following are some of the key points to consider when dealing with a  breach of personal information: (i) Contain the breach and conduct a preliminary assessment (ii) evaluate the risks associated with the breach (ie. the nature of the  personal information involved; cause and extent of breach;  individuals affected; foreseeable harm) (iii) Notify affected individuals if the breach “creates a risk of harm” to  them (iv) Notify appropriate privacy commissioners of material breaches so that they are aware of the situation (v) Consider whether other notifications are also appropriate (eg.  police, financial institutions, insurers, regulatory or professional  bodies) (vi) Work to prevent similar future breaches 55
Late Breaking Developments 56
“Ontario court this week ruled that  employees have a right to privacy for  material contained on a work computer” R. v. Cole, Ont. C. of A., March 22, 2011 – public sector employer governed by Charter – pornography on school computer – employee’s Charter s. 8 rights (no unreasonable search or seizure) not  breached by school technician, principal, school board – warrantless police search and seizure of laptop breached s. 8 57
“No common law tort for invasion of  privacy:  Judge” Jones v. Tsige, Ont. SCJ, March 23, 2011 – Bank employee, WT, accessed bank records of customer for purely  personal reasons – Court reviewed contradictory decisions – concluded no free‐standing right to privacy at common law – relied on 2005 OCA decision involving complaint against police and  Charter rights. 58
Catherine Coulter 613.783.9660  Email: Catherine.coulter@fmc‐law.com www.fmc‐law.com/catherinecoulter Anneli LeGault 416.863.4450  Email: Anneli.legault@fmc‐law.com www.fmc‐law.com/annelilegault
The preceding presentation contains examples of the kinds of  issues companies dealing with privacy issues could face. If you  are faced with one of these issues, please retain professional  assistance as each situation is unique.

Recommandé

Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issuesSagar Rahurkar
 
Data Privacy in India and data theft
Data Privacy in India and data theftData Privacy in India and data theft
Data Privacy in India and data theftAmber Gupta
 
Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Sagar Rahurkar
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_indiaAltacit Global
 
Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000n|u - The Open Security Community
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislationUlf Mattsson
 
An Indian Outline on Database Protection
An Indian Outline on Database ProtectionAn Indian Outline on Database Protection
An Indian Outline on Database ProtectionSinghania2015
 
Right to privacy on internet and Data Protection
Right to privacy on internet and Data ProtectionRight to privacy on internet and Data Protection
Right to privacy on internet and Data Protectionatuljaybhaye
 

Recommandé

Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issuesSagar Rahurkar
 
Data Privacy in India and data theft
Data Privacy in India and data theftData Privacy in India and data theft
Data Privacy in India and data theftAmber Gupta
 
Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Sagar Rahurkar
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_indiaAltacit Global
 
Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000n|u - The Open Security Community
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislationUlf Mattsson
 
An Indian Outline on Database Protection
An Indian Outline on Database ProtectionAn Indian Outline on Database Protection
An Indian Outline on Database ProtectionSinghania2015
 
Right to privacy on internet and Data Protection
Right to privacy on internet and Data ProtectionRight to privacy on internet and Data Protection
Right to privacy on internet and Data Protectionatuljaybhaye
 
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...Vijay Dalmia
 
Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Vijay Dalmia
 
Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Vijay Dalmia
 
Privacy in simple
Privacy in simplePrivacy in simple
Privacy in simpleAurora Computer Studies
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...David Cunningham
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill Mathew Chacko
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill Komal Gadia
 
India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008ValueMentor Consulting
 
ICT / IT Law (Cyberlaw)
ICT / IT Law (Cyberlaw)ICT / IT Law (Cyberlaw)
ICT / IT Law (Cyberlaw)franciscronje
 
Data protection act
Data protection act Data protection act
Data protection act Iqbal Bocus
 
Pubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkPubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkMatt Siltala
 
Cyber Law and Information Technology Act 2000 with case studies
Cyber Law and Information Technology Act 2000 with case studiesCyber Law and Information Technology Act 2000 with case studies
Cyber Law and Information Technology Act 2000 with case studiesSneha J Chouhan
 
IT ACT 2000
IT ACT 2000IT ACT 2000
IT ACT 2000Sudarsan Subramanian
 
IT Act 2000 & IT Act 2008
IT Act 2000 & IT Act 2008IT Act 2000 & IT Act 2008
IT Act 2000 & IT Act 2008Amity University | FMS - DU | IMT | Stratford University | KKMI International Institute | AIMA | DTU
 
IT ACT, 2000 (Information Technology Act, 2000)
IT ACT, 2000 (Information Technology Act, 2000)IT ACT, 2000 (Information Technology Act, 2000)
IT ACT, 2000 (Information Technology Act, 2000)Ms. Parasmani Jangid
 
it act
it act it act
it act 9535814851
 
Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Andrew Sharpe
 
Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Russell_Kennedy
 
Information Technology Act 2000 - Santosh K Pathak
Information Technology Act 2000 - Santosh K PathakInformation Technology Act 2000 - Santosh K Pathak
Information Technology Act 2000 - Santosh K PathakDipayan Sarkar
 
IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies Network Intelligence India
 
What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About PrivacyNow Dentons
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!Now Dentons
 

Contenu connexe

Tendances

Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...Vijay Dalmia
 
Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Vijay Dalmia
 
Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Vijay Dalmia
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...David Cunningham
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill Mathew Chacko
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill Komal Gadia
 
India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008ValueMentor Consulting
 
ICT / IT Law (Cyberlaw)
ICT / IT Law (Cyberlaw)ICT / IT Law (Cyberlaw)
ICT / IT Law (Cyberlaw)franciscronje
 
Data protection act
Data protection act Data protection act
Data protection act Iqbal Bocus
 
Pubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkPubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkMatt Siltala
 
Cyber Law and Information Technology Act 2000 with case studies
Cyber Law and Information Technology Act 2000 with case studiesCyber Law and Information Technology Act 2000 with case studies
Cyber Law and Information Technology Act 2000 with case studiesSneha J Chouhan
 
IT ACT, 2000 (Information Technology Act, 2000)
IT ACT, 2000 (Information Technology Act, 2000)IT ACT, 2000 (Information Technology Act, 2000)
IT ACT, 2000 (Information Technology Act, 2000)Ms. Parasmani Jangid
 
Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Andrew Sharpe
 
Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Russell_Kennedy
 
Information Technology Act 2000 - Santosh K Pathak
Information Technology Act 2000 - Santosh K PathakInformation Technology Act 2000 - Santosh K Pathak
Information Technology Act 2000 - Santosh K PathakDipayan Sarkar
 
IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies Network Intelligence India
 

Tendances (20)

Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
 
Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...
 
Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...
 
Privacy in simple
Privacy in simplePrivacy in simple
Privacy in simple
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill
 
India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008
 
ICT / IT Law (Cyberlaw)
ICT / IT Law (Cyberlaw)ICT / IT Law (Cyberlaw)
ICT / IT Law (Cyberlaw)
 
Data protection act
Data protection act Data protection act
Data protection act
 
Pubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkPubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David Mink
 
Cyber Law and Information Technology Act 2000 with case studies
Cyber Law and Information Technology Act 2000 with case studiesCyber Law and Information Technology Act 2000 with case studies
Cyber Law and Information Technology Act 2000 with case studies
 
IT ACT 2000
IT ACT 2000IT ACT 2000
IT ACT 2000
 
IT Act 2000 & IT Act 2008
IT Act 2000 & IT Act 2008IT Act 2000 & IT Act 2008
IT Act 2000 & IT Act 2008
 
IT ACT, 2000 (Information Technology Act, 2000)
IT ACT, 2000 (Information Technology Act, 2000)IT ACT, 2000 (Information Technology Act, 2000)
IT ACT, 2000 (Information Technology Act, 2000)
 
it act
it act it act
it act
 
Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Data Protection (Download for slideshow)
Data Protection (Download for slideshow)
 
Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)
 
Information Technology Act 2000 - Santosh K Pathak
Information Technology Act 2000 - Santosh K PathakInformation Technology Act 2000 - Santosh K Pathak
Information Technology Act 2000 - Santosh K Pathak
 
IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies
 

Similaire à 10 Things You Need to Know About Privacy Law Updates

What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About PrivacyNow Dentons
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!Now Dentons
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!catherinecoulter
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!catherinecoulter
 
Privacy and Data Security
Privacy and Data SecurityPrivacy and Data Security
Privacy and Data SecurityWilmerHale
 
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...Dr. Oliver Massmann
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
 
Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake Morgan
 
CCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.pptCCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.pptSamir Jha
 
Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfDaviesParker
 
2014 Australian Privacy Laws Update
2014 Australian Privacy Laws Update2014 Australian Privacy Laws Update
2014 Australian Privacy Laws UpdateEtienne Lawyers
 
What to expect from the New York Privacy Act
What to expect from the New York Privacy ActWhat to expect from the New York Privacy Act
What to expect from the New York Privacy ActVISTA InfoSec
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection ActYizi
 
Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Robert MacLean
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfJakeAldrinDegala1
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataRenato Monteiro
 
Regulatory compliance 2018
Regulatory compliance 2018Regulatory compliance 2018
Regulatory compliance 2018ProColombia
 

Similaire à 10 Things You Need to Know About Privacy Law Updates (20)

What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About Privacy
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!
 
Privacy and Data Security
Privacy and Data SecurityPrivacy and Data Security
Privacy and Data Security
 
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
 
Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012
 
CCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.pptCCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.ppt
 
Medical Records Seminar
Medical Records SeminarMedical Records Seminar
Medical Records Seminar
 
Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdf
 
2014 Australian Privacy Laws Update
2014 Australian Privacy Laws Update2014 Australian Privacy Laws Update
2014 Australian Privacy Laws Update
 
What to expect from the New York Privacy Act
What to expect from the New York Privacy ActWhat to expect from the New York Privacy Act
What to expect from the New York Privacy Act
 
Research and The Law
Research and The LawResearch and The Law
Research and The Law
 
Privacy Compliance for Law Firms: Moving Beyond Confidentiality
Privacy Compliance for Law Firms: Moving Beyond ConfidentialityPrivacy Compliance for Law Firms: Moving Beyond Confidentiality
Privacy Compliance for Law Firms: Moving Beyond Confidentiality
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection Act
 
Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal Data
 
Regulatory compliance 2018
Regulatory compliance 2018Regulatory compliance 2018
Regulatory compliance 2018
 

Plus de Now Dentons

FMC is Now Dentons
FMC is Now DentonsFMC is Now Dentons
FMC is Now DentonsNow Dentons
 
Foreign Workers, International Tax and Oil & Gas Market Update
Foreign Workers, International Tax and Oil & Gas Market UpdateForeign Workers, International Tax and Oil & Gas Market Update
Foreign Workers, International Tax and Oil & Gas Market UpdateNow Dentons
 
Protecting Your Start-Up Company's IP
Protecting Your Start-Up Company's IPProtecting Your Start-Up Company's IP
Protecting Your Start-Up Company's IPNow Dentons
 
Privacy and Security in Mobile E-Commerce
Privacy and Security in Mobile E-CommercePrivacy and Security in Mobile E-Commerce
Privacy and Security in Mobile E-CommerceNow Dentons
 
Drafting for the Matrimonial Property Act
Drafting for the Matrimonial Property ActDrafting for the Matrimonial Property Act
Drafting for the Matrimonial Property ActNow Dentons
 
Trends in Energy Regulatory Law
Trends in Energy Regulatory LawTrends in Energy Regulatory Law
Trends in Energy Regulatory LawNow Dentons
 
Public M&A Transactions - Deal Points
Public M&A Transactions - Deal PointsPublic M&A Transactions - Deal Points
Public M&A Transactions - Deal PointsNow Dentons
 
Giving Away the Farm
Giving Away the FarmGiving Away the Farm
Giving Away the FarmNow Dentons
 
Risk Apportionment in the Purchase and Sale Transaction
Risk Apportionment in the Purchase and Sale TransactionRisk Apportionment in the Purchase and Sale Transaction
Risk Apportionment in the Purchase and Sale TransactionNow Dentons
 
Letters of Intent - Tips and Traps for Commercial Lawyers
Letters of Intent - Tips and Traps for Commercial LawyersLetters of Intent - Tips and Traps for Commercial Lawyers
Letters of Intent - Tips and Traps for Commercial LawyersNow Dentons
 
Protect you Rights and Avoid Liability! Current Developments and Major Implic...
Protect you Rights and Avoid Liability! Current Developments and Major Implic...Protect you Rights and Avoid Liability! Current Developments and Major Implic...
Protect you Rights and Avoid Liability! Current Developments and Major Implic...Now Dentons
 
Preliminary Economic Assessments
Preliminary Economic AssessmentsPreliminary Economic Assessments
Preliminary Economic AssessmentsNow Dentons
 
An Introduction to Legal Aspects of Customer Acquisitions for Startups
An Introduction to Legal Aspects of Customer Acquisitions for StartupsAn Introduction to Legal Aspects of Customer Acquisitions for Startups
An Introduction to Legal Aspects of Customer Acquisitions for StartupsNow Dentons
 
An Introduction to Letters of Credit for Banking Lawyers
An Introduction to Letters of Credit for Banking LawyersAn Introduction to Letters of Credit for Banking Lawyers
An Introduction to Letters of Credit for Banking LawyersNow Dentons
 
Preparing the Legal Framework for Mobile and Other Emerging Payments
Preparing the Legal Framework for Mobile and Other Emerging Payments Preparing the Legal Framework for Mobile and Other Emerging Payments
Preparing the Legal Framework for Mobile and Other Emerging Payments Now Dentons
 
Update on Hydraulic Fracturing: Preparing for Gasland 2
Update on Hydraulic Fracturing: Preparing for Gasland 2Update on Hydraulic Fracturing: Preparing for Gasland 2
Update on Hydraulic Fracturing: Preparing for Gasland 2Now Dentons
 
Canada, China and Copyright Law
Canada, China and Copyright LawCanada, China and Copyright Law
Canada, China and Copyright LawNow Dentons
 
Intellectual Property and Business Law
Intellectual Property and Business LawIntellectual Property and Business Law
Intellectual Property and Business LawNow Dentons
 
The Copyright Modernization Act
The Copyright Modernization ActThe Copyright Modernization Act
The Copyright Modernization ActNow Dentons
 

Plus de Now Dentons (20)

Meet dentons
Meet dentonsMeet dentons
Meet dentons
 
FMC is Now Dentons
FMC is Now DentonsFMC is Now Dentons
FMC is Now Dentons
 
Foreign Workers, International Tax and Oil & Gas Market Update
Foreign Workers, International Tax and Oil & Gas Market UpdateForeign Workers, International Tax and Oil & Gas Market Update
Foreign Workers, International Tax and Oil & Gas Market Update
 
Protecting Your Start-Up Company's IP
Protecting Your Start-Up Company's IPProtecting Your Start-Up Company's IP
Protecting Your Start-Up Company's IP
 
Privacy and Security in Mobile E-Commerce
Privacy and Security in Mobile E-CommercePrivacy and Security in Mobile E-Commerce
Privacy and Security in Mobile E-Commerce
 
Drafting for the Matrimonial Property Act
Drafting for the Matrimonial Property ActDrafting for the Matrimonial Property Act
Drafting for the Matrimonial Property Act
 
Trends in Energy Regulatory Law
Trends in Energy Regulatory LawTrends in Energy Regulatory Law
Trends in Energy Regulatory Law
 
Public M&A Transactions - Deal Points
Public M&A Transactions - Deal PointsPublic M&A Transactions - Deal Points
Public M&A Transactions - Deal Points
 
Giving Away the Farm
Giving Away the FarmGiving Away the Farm
Giving Away the Farm
 
Risk Apportionment in the Purchase and Sale Transaction
Risk Apportionment in the Purchase and Sale TransactionRisk Apportionment in the Purchase and Sale Transaction
Risk Apportionment in the Purchase and Sale Transaction
 
Letters of Intent - Tips and Traps for Commercial Lawyers
Letters of Intent - Tips and Traps for Commercial LawyersLetters of Intent - Tips and Traps for Commercial Lawyers
Letters of Intent - Tips and Traps for Commercial Lawyers
 
Protect you Rights and Avoid Liability! Current Developments and Major Implic...
Protect you Rights and Avoid Liability! Current Developments and Major Implic...Protect you Rights and Avoid Liability! Current Developments and Major Implic...
Protect you Rights and Avoid Liability! Current Developments and Major Implic...
 
Preliminary Economic Assessments
Preliminary Economic AssessmentsPreliminary Economic Assessments
Preliminary Economic Assessments
 
An Introduction to Legal Aspects of Customer Acquisitions for Startups
An Introduction to Legal Aspects of Customer Acquisitions for StartupsAn Introduction to Legal Aspects of Customer Acquisitions for Startups
An Introduction to Legal Aspects of Customer Acquisitions for Startups
 
An Introduction to Letters of Credit for Banking Lawyers
An Introduction to Letters of Credit for Banking LawyersAn Introduction to Letters of Credit for Banking Lawyers
An Introduction to Letters of Credit for Banking Lawyers
 
Preparing the Legal Framework for Mobile and Other Emerging Payments
Preparing the Legal Framework for Mobile and Other Emerging Payments Preparing the Legal Framework for Mobile and Other Emerging Payments
Preparing the Legal Framework for Mobile and Other Emerging Payments
 
Update on Hydraulic Fracturing: Preparing for Gasland 2
Update on Hydraulic Fracturing: Preparing for Gasland 2Update on Hydraulic Fracturing: Preparing for Gasland 2
Update on Hydraulic Fracturing: Preparing for Gasland 2
 
Canada, China and Copyright Law
Canada, China and Copyright LawCanada, China and Copyright Law
Canada, China and Copyright Law
 
Intellectual Property and Business Law
Intellectual Property and Business LawIntellectual Property and Business Law
Intellectual Property and Business Law
 
The Copyright Modernization Act
The Copyright Modernization ActThe Copyright Modernization Act
The Copyright Modernization Act
 

Dernier

Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Dipal Arora
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRegression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRavindra Nath Shukla
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Tina Ji
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Delhi Call girls
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfCatalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfOrient Homes
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurVIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurSuhani Kapoor
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsApsara Of India
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒anilsa9823
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni
 

Dernier (20)

KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRegression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear Regression
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfCatalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT .pdf
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurVIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.
 

10 Things You Need to Know About Privacy Law Updates

  • 3. Update on Federal Privacy Law: ‐ Proposed amendments to PIPEDA recently died when  Parliament prorogued included the following: ‐ mandatory reporting of material breaches to the  Privacy Commissioner ‐ mandatory reporting of breaches to individuals  where there is a real risk of significant harm ‐ Business Transaction exemption ‐ expanded carve‐out of the definition of business  contact information 3
  • 4. Update on Federal Privacy Law: Recent PIPEDA Findings: Case Summary #2010‐001: ‐ The Commissioner will not make findings if she is satisfied that the complaint can more appropriately be dealt with by means  of a procedure otherwise provided for at law ‐ Individuals who have been denied access to their personal  information due to solicitor & client privilege must use court  proceedings to obtain a ruling on the appropriateness of the  privilege claim (follows S.C.C. ruling in Blood Tribe (2008)) 4
  • 5. Update on Federal Privacy Law: Case Summary #2010‐003: ‐ Requests for access to personal information are time‐sensitive.   Where an organization requires more than 30 days to fulfill the  request, it must advise the individual of same, advise of the  new time limit, advise of the reasons for the extension and  advise the individual of his/her right to make a complaint to  the Commissioner regarding the extension ‐ Whenever requests are made, organizations should ensure  that the requested information is not deleted during the  request period due to the organization’s regular  deletion/retention practices 5
  • 6. Update on Federal Privacy Law: Case Summary #2010‐018: ‐ Personal information which has been de‐identified (had all  personally indentifying information removed) does not qualify  as anonymous information if it is still possible to link the de‐ identified data back to an identifiable individual ‐ An access request for personal information does not grant the  requester the right to information that reflects discussions  taken in preparation for possible litigation 6
  • 7. Update on Federal Privacy Law: Case Summary #2010‐013: ‐ Unless and until the PIPEDA amendments are brought forward  again and passed into legislation, business email addresses  remain as personal information ‐ As a result, business email addresses may not be collected,  used or disclosed unless they are publicly available ‐ If business email address lists are rented or purchased, care  must be taken to ensure that they were collected with consent 7
  • 8. Provincial Privacy Law – What to Watch  Out For With Substantially Similar  Legislation 8
  • 9. Provincial Privacy Law: Quebec – An Act Respecting the Protection of Personal  Information in the Private Sector (1994) ‐ Similar to PIPEDA ‐ Applies to all enterprises in Quebec ‐ Covers information in the private sector, including health  information ‐ Violations of the Act are punishable by fines ranging from  $1,000 to $10,000 for a first offence, and $10,000 to $20,000  for subsequent offences ‐ Binding orders by the Commissioner are permitted 9
  • 10. Provincial Privacy Law: Quebec – An Act Respecting the Protection of Personal  Information in the Private Sector (1994) ‐ Those binding orders can be made into binding orders of the  provincial court ‐ Offending parties are generally named in any published  findings 10
  • 11. Provincial Privacy Law: Alberta – Personal Information Protection Act (“PIPA”) ‐ Similar to PIPEDA ‐ Separate legislation for personal health information (Health  Information Act, 2001) ‐ Under PIPA Alberta, there is a class of non‐profit organizations  for which the legislation only applies to their commercial  activities ‐ Under PIPA Alberta, there are special provisions for  professional regulatory organizations to follow an approved  privacy code in place of certain sections of the legislation 11
  • 12. Provincial Privacy Law: Alberta – Personal Information Protection Act (“PIPA”) ‐ Binding orders by the Commissioner are permitted ‐ Those binding orders can be made into binding orders of the  provincial court ‐ Offending parties are generally named in any published  findings ‐ Violations of the Act are punishable by fines 12
  • 13. Provincial Privacy Law: B.C. – Personal Information Protection Act (“PIPA”) ‐ Similar to PIPEDA ‐ Extremely similar legislation to PIPA Alberta, but for the  following: ‐ Commissioner has audit powers ‐ no provision for the filing of the Commissioner’s orders in  provincial court and having them enforced as orders of  that court ‐ Actions only permitted for “actual damages” suffered 13
  • 15. Privacy in Corporate Transactions: ‐ Both PIPA Alberta and PIPA B.C. contain provisions which permit  necessary personal information to be disclosed without consent for the  purpose of a business transaction (the “Business Transaction  exemption”) ‐ Some of the recent proposed amendments to PIPEDA were aimed at  adding a Business Transaction exemption to PIPEDA, but the Bill recently  died when Parliament prorogued ‐ In an early finding of the Alberta Privacy Commissioner, customer  personal information was disclosed to a purchaser without consent  during the course of the transaction.  Although the disclosure was found  to be in compliance with the legislation, the Commissioner noted that all  business transaction agreements should specifically address the  anticipated use of any transferred personal information, and parties  should only undertake to use personal information for the purpose for  which it was collected 15
  • 16. Privacy in Corporate Transactions: ‐ In a subsequent finding of the Alberta Privacy Commissioner, employee  personal information was submitted from one law firm to another as part  of the due diligence process during an acquisition.  Some of the information provided went above and beyond that required for due diligence purposes.  In addition, the receiving law firm posted that  information to the Systems for Electronic Document Analysis and Retrieval  (SEDAR). ‐ The Commissioner found that: (i) the Business Transaction exemption did  not apply to all of the transferred information (eg. home addresses, SIN’s)  and therefore there was a contravention of the legislation; and (ii)  Stikeman Elliott had a duty to review the received information before  publicly posting it to SEDAR 16
  • 17. Privacy in Corporate Transactions: For business transactions in Alberta or B.C.: ‐ Determine whether or not the information sought to be  collected, used or disclosed meets the Business  Transaction exemption ‐ Only use or disclose that information for the same  purpose for which it was collected ‐ If the above is not possible, obtain consent For business transactions in Ontario and elsewhere: ‐ Obtain consent 17
  • 18. Privacy in Corporate Transactions: Example consent paragraph in employment agreements: By accepting this offer, you voluntarily acknowledge and consent to the collection,  use, processing and disclosure of personal data as described in this paragraph.  The  Company will hold certain personal information which may include your name,  home address, home telephone number, date of birth, social insurance number,  employee identification number, compensation, payroll deposit account, job title,  attendance and work record, marital or family status, name of your spouse and  dependents (if any), contribution rates and amounts, account balances, benefit  selections and claims for the purpose of: (i) establishing, managing and/or  terminating the employment relationship between you and the Company; (ii)  making payroll deposits, preparing tax reports or administering benefit  entitlements; or (iii) contacting others in the event of an emergency (“Data”).  The  Company, in accordance with its standard operating procedures, may disclose Data  to its affiliates or with contracted third party outsourced services or benefit  providers as necessary, for the purpose of human resources, payroll, retirement  and benefit administration.  The Company may also disclose Data to third parties  for the purposes of exploring and carrying out mergers, acquisitions, financings,  initial public offerings or similar transactions. 18
  • 21. Typical Cross Border Scenarios • Storage of data on servers in USA – e.g. SAP installation • Email service provider has no Canadian data centre • SPAM service provider located in USA or UK • Email run through USA • Data processed in USA • Bidding on government work, for example, in BC and NS 21
  • 22. Risk Levels European Union USA Non‐APEC or non‐OECD member countries 22
  • 23. European Union • EU member states have passed Data Directives prohibiting  transfer of personal information to another jurisdiction unless  the European Commission has determined that the other  jurisdiction offers adequate protection 23
  • 24. United States • US Patriot Act • Section 215 allows FBI to access records held in USA by  applying for an order of the Foreign Intelligence Surveillance  Act Court • Company subject to a Section 215 order cannot reveal that the  FBI has sought or obtained information from it • US has Safe Harbor accord with EU (2000) – Companies can opt in  • US has sector specific laws and some US states have enacted  laws 24
  • 25. APEC/OECD Member Countries • Organization for Economic Cooperation and Development  Guidelines on the Protection of Privacy and Transborder Flows  of  Personal Data (1980) – 31 member countries • Asia – Pacific Economic Cooperation Privacy Framework (2004)  – 21 member countries 25
  • 26. Rulings Concerning Canada‐USA  Cross‐Border Data Transfers 26 9690158_1
  • 27. British Columbia • BCGEU v. The Minister of Health Services and Maximus • US Company, Maximus, selected by B.C. Ministry of Health  Services for administration of B.C.’s public health insurance  program • BCGEU files complaint under FOIPPA • Personal health information of B.C. residents accessible to US  authorities under US Patriot Act 27
  • 28. British Columbia (cont’d) • Privacy Commissioner initiates public process – >500 submissions received • FOIPPA amended to require a public body to ensure that  personal data under its control is stored only in Canada and  accessed only in Canada (with  certain exceptions) • New requirement to report any foreign demand for disclosure  to Minister 28
  • 29. Alberta • Outsourcing email services to Google • University of Alberta spends a year investigating  the  possibility of a single campus email system using Google’s  Gmail • Users of University email system must be informed that their  emails will reside in a foreign  jurisdiction and be subject to the  laws of that jurisdiction such as US Patriot Act • U of A agrees to inform students and employees it cannot  guarantee protection against disclosure of emails residing in  US 29
  • 30. Alberta PIPA amended May 1, 2010 • Duty to notify individual if a service provider outside of Canada  will collect PI or PI will be transferred to service provider – Written or oral notice re:  • how to access information about company’s policies/practices on non‐ Canadian service providers • name or title of person who can answer questions 30
  • 32. Ruling 313 (cont’d) • Ruling: – Bank had contract with U.S. data processor to maintain comparable  level of security and protection – Bank appropriately notified customers 32
  • 33. Security System Provider Shares Customer  Data – Ruling 333 • Security system company tells Canadian customers of  intention to share customer contact information with U.S.  parent company • If catastrophic event overwhelms Canadian customer  monitoring centre, alarm signals routed to other North  American monitoring centre • Sharing of customer address, phone, emergency contacts • No sharing of financial or credit data • Customers could opt out and get reduced level of service 33
  • 34. Ruling 333 (cont’d) • Ruling:  – Customer consent not required, not a disclosure – Personal data being used for same original purpose – Company was transparent and provided sufficient information about  practices  – Parent company must adhere to same level of data protection 34
  • 35. Outsourcing – Ruling 394 • “canada.com” outsourcing e‐mail services to U.S. based  company • Customers requested to consent as condition of on‐going  services • U.S. Patriot Act issues 35
  • 36. Ruling 394 (cont’d) • Ruling – Sharing with a third‐party subcontractor is a “use” not a “disclosure” – Consent is required to the use – Best practice is to notify – Must take contractual measures to ensure security • oversight • monitoring • auditing – Should provide notice that foreign‐based service provider will be  subject to foreign laws, which may be different than Canadian law 36
  • 37. Federal Privacy Commissioner Guidelines • PIPEDA does not distinguish between domestic and  international transfers of data • An organization is responsible for personal information in its  possession, including information that has been transferred to  a third party for processing • Where information is transferred for processing, it can only be  used for the purposes for which the information was originally  collected; for example, internet service provider transfers  personal information to third party to ensure technical support  is available 24/7 • A transfer for processing is not a disclosure; it is a use 37
  • 38. Federal Privacy Commissioner Guidelines • Processing means any use of the information by the third party  processer for which the transferring organization can use it • Comparable level of protection means that the third party  processor must provide protection that can be compared to  the level of protection the data would have received if it had  not been transferred • Primary means to protect personal information is through  contract 38
  • 39. Best Practices • Be satisfied that the third party has policies and processes in  place, including training and effective security measures, to  ensure the data in its care is properly safeguarded • Set out requirements for safeguards in written contract • Retain the right to audit and inspect • Assess risk when transferring outside of Canada 39
  • 40. Best Practices • Pay attention to the legal requirements of the jurisdiction in  which the third party processor operates as well as the  potential foreign, political, economic and social conditions and events that may reduce the service provider’s ability to  provide the service • Make it clear to individuals that their information may be  processed in a foreign country and it may be accessible to law  enforcement and national security authorities • Use clear and understandable language • Ideally do so at the time the information is collected 40
  • 41. Best Practices • When bidding on a RFP involving data processing and storage,  review the bid’s terms and be ready to explain where data will  be stored and processed 41
  • 44. 1. Investigations: ‐ Investigator will require a response from your organization ‐ Employees may be interviewed without your consent ‐ Company files may be requested ‐ Through the Privacy Commissioner, investigators have the  authority to receive evidence, enter premises where  appropriate and obtain copies of records ‐ After the investigator prepares a report, the Privacy  Commissioner will make a finding 44
  • 45. Investigations: ‐ The Privacy Commissioner can make the following findings: ‐ Not Well‐Founded ‐ Well‐Founded ‐ Resolved ‐ Discontinued ‐ The Commissioner can make recommendations to your  organization and ask you to respond in writing with your  organization’s plans for implementing the recommendations ‐ Findings of the Commissioner can be publicly posted ‐ Although organizations can be publicly named, it only occurs  when the Commissioner deems it to be in the public interest 45
  • 46. Investigations: ‐ There is an offence provision under PIPEDA  ‐ Under that provision, the Commissioner can levy fines for  obstruction of an investigation, destroying personal  information after an access request has been made and  disciplining a whistleblower ‐ Fines of up to $10,000 or $100,000 ‐ In addition, the Commissioner has the power to summon  witnesses, administer oaths and compel the production of  evidence ‐ The Commissioner is required under PIPEDA to issue any  findings within a year of the complaint 46
  • 47. 2. Section 14 Applications: ‐ Section 14 applications are hearing requests to the Federal  Court regarding the way in which an organization handles  personal information.  They can only be brought after the  Commissioner has investigated the matter and issued her  findings ‐ The most common reason for a Section 14 application is to ask  the Court to have the Commissioner’s  findings/recommendations enforced against the organization 47
  • 48. Section 14 Applications: ‐ The Court may: ‐ Order an organization to correct its practices to comply  with PIPEDA ‐ Order an organization to publish a notice of actions taken  or proposed to be taken in order to comply with PIPEDA ‐ Order an organization to pay damages, including  damages for humiliation suffered by the complainant ‐ In December 2010, Justice Zinn of the Federal Court ordered  Transunion to pay total damages of $5,000 to a complainant  (Nammo v. Transunion of Canada Inc.) 48
  • 49. Section 14 Applications: ‐ The Court found that both the question of whether damages  should be awarded and the question of the quantum of  damages should be answered with regard to: (i) whether  awarding damages would further the general objects of  PIPEDA and uphold the values it embodies; and (ii) deterring  future breaches and the seriousness or egregiousness of the  breach ‐ In another 2010 Federal Court decision, Justice Mosely  declined to award damages because he did not find the breach  to be egregious (Randall v. Nubodys Fitness Centres) 49
  • 50. 3. Judicial Review: ‐ Under section 18.1 of the Federal Court Act, an application can  also be brought for judicial review in order to challenge the  findings of the Commissioner ‐ The grounds for judicial review are limited and include the  following: ‐ an allegation that the Commissioner refused to exercise  her discretion ‐ an allegation that the Commissioner acted without  jurisdiction ‐ an allegation that the Commissioner surpassed the  boundaries of the jurisdiction outlined in PIPEDA 50
  • 52. Breach Notification: ‐ If your organization finds itself in a breach situation: ‐ work with experienced legal counsel to determine your course of  action ‐ with reference to the applicable legislation, also keep an eye on the  federal Privacy Commissioner’s breach Guidelines and the  accompanying Privacy Breach Checklist and Privacy Breach Incident  Report: http://www.priv.gc.ca/information/guide/index_e.cfm 52
  • 53. Breach Notification: PIPEDA: ‐ Although PIPEDA does not currently have a breach notification  provision, it is encouraged in certain circumstances ‐ The Privacy Commissioner of Canada has prepared Guidelines which outline the “Key Steps for Organizations in Responding to Privacy  Breaches” PIPA Alberta: ‐ PIPA was amended in 2010 to require breach notification in cases where “a reasonable person would consider that there exists a real  risk of significant harm to an individual as a result of the loss or  unauthorized access or disclosure” of personal information 53
  • 54. Breach Notification: Personal Health Information Protection Act (Ontario): ‐ Under PHIPA, there is also a positive obligation to notify affected  individuals in circumstances where the privacy of their personal health  information has been compromised.  The obligation applies only to “health  information custodians” (eg. hospitals, labs, doctors) but is required in  every case of breach. ‐ Some of the Atlantic provinces have similar health information protection  legislation and similar breach notification requirements. 54
  • 55. Breach Notification: ‐ The following are some of the key points to consider when dealing with a  breach of personal information: (i) Contain the breach and conduct a preliminary assessment (ii) evaluate the risks associated with the breach (ie. the nature of the  personal information involved; cause and extent of breach;  individuals affected; foreseeable harm) (iii) Notify affected individuals if the breach “creates a risk of harm” to  them (iv) Notify appropriate privacy commissioners of material breaches so that they are aware of the situation (v) Consider whether other notifications are also appropriate (eg.  police, financial institutions, insurers, regulatory or professional  bodies) (vi) Work to prevent similar future breaches 55
  • 57. “Ontario court this week ruled that  employees have a right to privacy for  material contained on a work computer” R. v. Cole, Ont. C. of A., March 22, 2011 – public sector employer governed by Charter – pornography on school computer – employee’s Charter s. 8 rights (no unreasonable search or seizure) not  breached by school technician, principal, school board – warrantless police search and seizure of laptop breached s. 8 57
  • 58. “No common law tort for invasion of  privacy:  Judge” Jones v. Tsige, Ont. SCJ, March 23, 2011 – Bank employee, WT, accessed bank records of customer for purely  personal reasons – Court reviewed contradictory decisions – concluded no free‐standing right to privacy at common law – relied on 2005 OCA decision involving complaint against police and  Charter rights. 58
  • 60. The preceding presentation contains examples of the kinds of  issues companies dealing with privacy issues could face. If you  are faced with one of these issues, please retain professional  assistance as each situation is unique.