On April 6, 2020, Tapplock, Inc., a Canadian maker of internet-connected smart locks, entered into a settlement with the Federal Trade Commission (“FTC”) to resolve allegations that the company deceived consumers by falsely claiming that it had implemented reasonable steps to secure user data and that its locks were “unbreakable.”  The FTC alleged that these representations amounted to deceptive conduct under Section 5 of the FTC Act.  In its press release accompanying the settlement, the FTC provided guidance for IoT companies regarding the design and implementation of privacy and security measures for “smart” devices, as discussed further below in this post.
Continue Reading IoT Update: FTC Settles with Smart Lock Manufacturer and Provides Guidance for IoT Companies

Canada’s new data breach law, The Personal Information Protection and Electronic Documents Act (“PIPEDA”), took effect on November 1. Official guidance released by the country’s Privacy Commissioner explains a few of the law’s key provisions that will affect organizations, specifically, breach reporting and notification obligations, their triggers, and record retention.

Reporting & Notification Obligations

Under the new law, an organization must report and notify individuals of a data breach involving personal information under its control if it reasonably determines the breach creates a “real risk of significant harm” to an individual, regardless of the number of individuals affected. (The guidance states a covered breach that affects only one individual would nonetheless require reporting and notification.) Importantly, the organization that controls the data is required to report and notify individuals of the breach—the guidance clarifies that even when an organization has transferred data to a third-party processor, the organization remains ultimately responsible for reporting and notification. The guidance encourages organizations to mitigate their risk in the event their third-party processor faces a breach by entering sufficient contractual arrangements.

Notification to individuals must be given “as soon as feasible” after the organization has determined a covered breach has occurred. The guidance states the notification must be conspicuous, understandable, and given directly to the individual in most circumstances. It must include enough information to communicate the significance of the breach and allow the those affected to take any steps possible to reduce their risk of harm. The regulations further specify the information a notification must include. In certain circumstances, organizations are also required to notify governmental institutions or organizations of a covered breach; for example, an organization may be required to notify law enforcement if it believes it may be able to reduce the risk of harm.


Continue Reading Canadian Privacy Commissioner Releases Official Guidance as Data Breach Law Takes Effect

By Dan Cooper and Rosie Klement

On July 26, 2017, the Court of Justice of the EU (CJEU) published Opinion 1-15 (the “Opinion”) on the proposed agreement between the European Union and Canada on the transfer and processing of passenger name record (“PNR”) data (the “Agreement”).  The Agreement was signed in 2014, but the CJEU was asked to determine whether it was compatible with EU data protection law before it is approved by the European Parliament.

The Opinion concluded that a number of provisions relating to the transfer of PNR data – particularly sensitive data – are incompatible with the EU Data Protection Directive (Directive 95/46) and the fundamental rights to privacy and data protection, and the protection against discrimination, under Articles 7, 8 and 21 of the EU Charter of Fundamental Rights (the “Charter”), meaning the Agreement must be renegotiated before it enters into force.

Notably, the CJEU’s opinion was consistent with its recent judgments concerning data transfers to “third countries” (outside the EEA) in Schrems and Tele2/Watson
Continue Reading CJEU: EU-Canada proposed agreement on the transfer of Passenger Name Record data does not conform to EU data protection law standards

The FTC announced today that it has reached a settlement with the operators of AshleyMadison.com (Ashley Madison) for alleged data security deficiencies and deceptive trade practices.  According to the FTC, Ashley Madison, a dating website for married individuals, was hacked in July 2015, leading to the release of 36 million users’ account and profile information.  FTC Chairwoman Edith Ramirez referred to the case as “one of the largest data breaches that the FTC has investigated to date.”

According to the FTC’s complaint, despite Ashley Madison’s representations that it was “100% secure” and “risk free,” the website failed to implement reasonable data security practices.  Specifically, the FTC cited several data security failures, including the lack of a written information security policy, reasonable access controls, employee data security training, or oversight over third-party service providers, and a failure to use “readily available security measures” to monitor its systems.  The complaint also alleged that Ashley Madison staff deceptively created fake profiles as a way to attract users, with no way for users to tell real profiles from fake ones.
Continue Reading Ashley Madison Settles Data Security and Deception Charges

On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA), Senate Bill S-4, into law.  The DPA amends Canada’s federal data protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA) in important respects, including introducing a new data breach notification requirement (which is not yet in force) and making other material changes to PIPEDA.  This post summarizes key changes to PIPEDA brought about by the DPA.
Continue Reading Highlights of the Canada Digital Privacy Act 2015

By Lala Qadir

Canada’s telecommunications regulator, the Canadian Radio-Television and Telecommunications Commission (CRTC), issued its first fine under a new anti-spam law.  The CRTC alleged that Compu-Finder sent users emails without acquiring their consent and did not provide a way for consumers to unsubscribe from the emails.   Compu-Finder has 30 days to submit written representations to the CRTC or pay the penalty.  It can also request an “undertaking” with the CRTC on this matter.

Under Canada’s Anti-Spam Law (CASL), which came into effect on July 1, 2014, businesses are required to obtain explicit consent from users prior to sending them commercial electronic messages.  Prior to this law, companies relied on implied consent to assume that consumers consented to communications by providing them an email address.   Additionally, CASL prohibits making false or misleading representations in electronic communications and collecting personal information without consent.
Continue Reading Compu-Finder Subjected to $1.1M Penalty, First Fine Under Canada’s New Anti-Spam Law

By Lala Qadir

The Supreme Court of Canada recently issued a 4-3 decision that gave the police a green light in conducting warrantless searches of an arrestee’s cell phone as long as the search is directly related to the suspected crime and records are kept.  Over three dissenting judges that characterized mobile phones as “intensely personal and uniquely pervasive sphere of privacy,” the majority held a balance can be struck that “permits searches of cell phones incident to arrest, provided that the search—both what is searched and how it is searched—is strictly incidental to the arrest and that the police keep detailed notes of what has been searched and why.”

Canada’s high court ruling stands in stark contrast to that of the United States.  Earlier this year, the United States Supreme Court heard argument on two cell phone cases—Riley and Wurie—ultimately holding that warrantless searches of cell phones, even when held incident to an arrest, were unconstitutional unless they were subject to specific exceptions to the Fourth Amendment’s warrant requirement.
Continue Reading Canada’s Highest Court Rules That Police Can Search Cell Phone Contents After Arrest

Last week, the Office of the Privacy Commissioner in Canada (OPC) issued important guidance under Canada’s national privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).  The guidance highlights various scenarios in which PIPEDA applies based on judicial opinions and previous OPC interpretations.  In general, PIPEDA applies to the personal information that an

The Ontario Appeals Court last Wednesday recognized—for the first time in Canada—the intrusion upon seclusion privacy tort.  In Jones v. Tsige, 2012 ONCA 32, the plaintiff sued a coworker for looking through her financial records.  The motion judge granted summary judgment for the defendant on the ground that Ontario law does not recognize plaintiff’s

On December 10, 2010, Nova Scotia’s Personal Health Information Act, which regulates the collection, use, disclosure and disposal of personal health information, was granted royal assent.  The purpose of the new legislation is to better protect citizens’ health data, while also facilitating the use of electronic medical records by provincial health institutions.  Nine of