Summary

Risks to privacy and data protection grow as businesses adopt new technologies to gather and manipulate information, and as consumers demand seamless access to it. Custodians of sensitive data are held to ever-rising standards of care as regulations are reinterpreted and redefined in a race with technology. Clients in the public and private sectors and across a range of industries look to BLG’s national Privacy and Data Protection Group for its multi-jurisdictional perspective and unsurpassed insight into the legal, practical and ethical issues relating to the protection of personal information in Canada.

Our Group provides advice on every aspect of privacy and data protection, from the collection and management of information, to crisis management in the event of a breach, and representation in privacy-related inquiries and litigation, including class actions. BLG’s lawyers ensure that clients have a full understanding of compliance-related risks so that they can make informed decisions.

Members of the Group include some of Canada’s foremost lawyers on privacy and access to information law. Beyond just understanding the law, our lawyers help shape the privacy and cybersecurity landscape in Canada, testifying at standing committees, advising on the drafting of legislation and appearing before the Supreme Court of Canada. With practitioners at the forefront of regulatory developments, BLG provides advice that anticipates future trends across a wide range of industry sectors, including health, financial services and insurance, retail, telecommunications and technology.

Publications & Presentations

Media/Articles

Éloïse Gratton and Sepideh Alavi, "Business Analytics and Privacy-related Risks," IAPP Canada Privacy Symposium 2016, May, 2016.
Éloïse Gratton, "Federal privacy bill could make it easier for insurers to share suspicious auto claims information," Canadian Underwriter, June, 2015.
Bradley Freedman, "U.S. Department of Justice issues guidance for cyber incident planning and response," Morning Post Exchange, May 2015.
Bradley Freedman, "Privacy Commissioner issues guidance for privacy law and CASL compliance," Morning Post Exchange, May 2015.
Éloïse Gratton, "Health-Tracking Bracelets and Privacy Issues," Canadian Privacy Law Review, March 2015.
Ira Nishisato interview, "Cyber security the top business risk for 2015," Business News Network, December 23, 2014.
Katherine Cooligan and Daniel Hohnstein, "'Intruding upon the seclusion of personal email' — What the common law tort for invasion of privacy might mean for snooping spouses and the electronic evidence that they obtain," Canadian Family Law Quarterly, July 2014.
Kelly Morris, "Acceptable Use of Technology Policies: How to Manage Employee Privacy Expectations With Respect to Personal Use of School Technology," Canadian Association for the Practical Study of Law in Education Comments, June 2014.
Ira Nishisato quoted, "Cyber attack on eBay highlights importance of digital security," The Globe and Mail, May 22, 2014.
Tim Buckley, Barry Glaspell and Cheryl Woodin, "Defending Class Actions in Canada," The Litigation Report, Spring 2013.

Books

Éloïse Gratton and Elisa Henry, "Practical Guide to e-Commerce and Internet Law," LexisNexis, 2015.
Éloïse Gratton and Lyndsay Wasser, "Privacy in the Workplace," CCH Canada Ltd., 3rd edition, 2014.
Éloïse Gratton, "Practice Advisor, module on e-Commerce," author of over 60 documents, practice notes and precedents on website management, social media and online marketing, LexisNexis, 2013.
Éloïse Gratton, "Understanding Personal Information : Managing Privacy Risks," (515 pages) LexisNexis, 2013.

BLG Bulletins

"Superior Court of Québec Authorizes Privacy Class Action in Zuckerman v. Target Corporation", February 2017
"Important Recommendations from the Québec Privacy Commissioner on the Protection of Personal Information", November 2016
"CASL Enforcement Decision — Sending Messages Without Consent", October 2016
"CRTC Settles Alleged CASL Violation — Messages Sent Without Consent", September 2016
"Ashley Madison Security Breach: Lessons Learned and Valuable Recommendations for all Businesses", August 2016
"Beyond Consent-based Privacy Protection: Response to the OPC's consultation on privacy and consent", July 2016
"Decision Provides Rare Insight on the Applicability of the "Right to be Forgotten" in Québec", June 2016
"Do insurers have a duty to defend as a result of a failure to comply with PCI — DSS", May 2016
"Challenges with the Implementation of a Right to be Forgotten in Canada", April 2016
"Internet of Things: OPC Publishes Research Paper on Privacy and Security Risks Associated with Retail and Home Environments", February 2016
"Apple’s encryption fight against the U.S. government could spill into Canada", February 2016
"Ontario Court recognizes existence of new "revenge porn" privacy tort", January 2016
"Production Order Challenge Results in Recognition of Duty to Assert Consumer Privacy Rights", January 2016
"Canadian Businesses Increasingly Face Privacy Breach Class Actions Absent Traditional Forms of Damages", December 2015
"Snooping Nurse's Termination Upheld by Arbitrator", October 2015
"Porter Airlines Agrees to Pay $150,000 for Alleged Violations of CASL", June 2015
"Digital Privacy Act — New Requirement for Valid Consent to Use Personal Information", June 2015
"New Requirements of the Digital Privacy Act (Bill S-4)", June 2015
"Tort Of Intrusion Upon Seclusion And Breaches Of Personal Health Information:", March 2015
"CRTC Issues $1.1 Million Penalty for CASL Violation", March 2015
"Industry Canada And CRTC Discuss Canada’s Anti-Spam Law At BLG", June 2014
"CASL and Health Care Providers", May 2014
"Ontario’s IPC Rules that there is No Right of Access to Certain Records of School Board Trustees Under the MFIPPA", May 2014

Rankings & Recognition

The Privacy and Data Protection Group or its members are recognized as follows:

2017 edition of Chambers Canada — Canada's Leading Lawyers for Business.
2017 and previous editions of the Best Lawyers in Canada®.
Éloïse Gratton was recognized in 2016 as "one of the Top 25 Most Influential Lawyers in Canada" by Canadian Lawyer Magazine.
Éloïse Gratton was awarded Clawbies: Canadian Legal Blog Award for the year 2014 for the best new legal blog, for her blog on privacy and IT law (2014).

Representative Work

Below is a sample of cases and matters that our group is working on or has worked on.

Compliance with Privacy and Data Protection Legislation

Provided advice respecting questions dealing with human resources and the protection of privacy for various clients, including one of the largest automobile manufacturers; a Canadian leader in consumer products; a leading company in Analog and Digital Television, High-Speed Internet and Telephone services; one of the world's largest professional services firms traded on the TSX stock exchange; one of the world's largest professional services firms, as well as a multinational corporation working in the biopharmaceutical sector.

Retained by one of the "Big Four" Canadian accounting firms to develop tools and procedures to assist one of its clients with certain aspects of the legislative requirements of CASL (the Canadian anti-spam law) in connection with its business practices and to provide consulting services to its clients concerning CASL compliance.

Assisted a large European retailer that is expanding operations to Canada to revise its privacy policies, systems and agreements pertaining to customer loyalty programs and use of progressive technologies that collect data from consumers.

Acted for the City of Ottawa on a precedent-setting case that established the privacy of employee personal emails unrelated to the business of the City. The Divisional Court agreed with the City that an employee's personal emails unrelated to their work would not be captured by the public sector privacy legislation.

Provided advice and drafted agreements for a party who was terminating an existing long-term business relationship where the parties had shared large volumes of personal information and had not adequately accounted for the protection of such information on termination. This transaction involved extensive negotiation, analysis of privacy and consumer protection laws and complex agreements to accomplish the goals of the client to fulfil its legal obligations.

Provided advice to one of the world's largest professional services firms (traded on the TSX stock exchange) on its overall strategy for implementing the "binding corporate rules" developed by the Working Group on Article 29 of the European Union. This enabled the client to transfer personal data across the borders of different European countries, in compliance with the EU's legal requirements.

Represented the Commissioner of Official Languages before the Supreme Court of Canada in the Lavigne case in which the court had to reconcile the obligations of the Commissioner with respect to confidentiality with the disclosure requirements of the Privacy Act.

Represented the Canadian Security Intelligence Service before the Supreme Court of Canada in the Ruby case with respect to the interpretation and application of the Privacy Act.

Provided training to the team of the Privacy Commissioner of Canada, in Ottawa, focusing on privacy issues connected with location-based services, and on the challenges relating to the concept of "personal information" in the light of new Internet technologies.

Class Actions Involving Data and Privacy Breaches, and Cybersecurity

Evans v. The Bank of Nova Scotia
BLG is defending one of the first class actions brought under the “intrusion upon seclusion” breach of privacy tort. The case is likely to be precedent-setting, in what is considered by many observers to be the fastest-growing area for class actions. BLG represents a “Big Five” Bank being sued for the criminal actions of a rogue employee alleged to have breached the privacy of customers of the Bank. The matter will be proceeding to a common issues trial, which will decide novel legal issues, including whether an employer can be vicariously liable for its employees’ breach of privacy.

Hopkins v. Kay
BLG represents the defendant hospital in a proposed class action relating to alleged privacy breaches committed by hospital employees. In this case, the hospital is challenging application of the “tort of intrusion upon seclusion” to health care privacy, which is comprehensively governed in Ontario by the Personal Health Information Protection Act. This case considers the rules and scope of the cause of action by which health care institutions can be sued for breaches of privacy by their employees.

Broutzas/Taylor v. Rouge Valley Health System and John Doe RESP Corporation
BLG represents the hospital in two proposed class actions alleging that hospital employees improperly accessed new-mother contact details and sold that information to persons selling RESPs, who then contacted the patients at home. The litigation raises questions about vicarious liability for criminal breaches of privacy as well as the interplay between PHIPA and common law breach of privacy claims.

BLG represented a financial services regulator named as a defendant in a class action regarding the loss of personal information. BLG was successful in obtaining the dismissal of the certification on the basis that the representative plaintiff suffered no compensable harm since his personal information was not used fraudulently.

BLG represented a leading Internet search engine named as a defendant in a potential class action (now at the pre-certification stage) on behalf of persons whose electronic data was allegedly transmitted over an unsecured wireless internet connection and whose personal information was allegedly intercepted.

BLG represented a major automobile financing company named as a defendant in a class action regarding the loss of personal information that was stored on a data tape which was lost during transit. The class action was certified on the basis that the representative plaintiff alleged that his personal information was used fraudulently.

Health Information Privacy

Drafted guides to Freedom of Information legislation (FIPPA) and health information privacy law (PHIPA) for different classes of health services providers.

Regularly assist health information custodians to understand their obligations under provincial health information privacy laws and to respond to inquiries and investigations by the applicable Commissioner.

Analyze and advise on privacy models for regional and provincial shared records and other electronic health information systems, services and repositories (authentication/identification, e-referral, e-notification, clinical collaboration, integrated decision support).

Advise on the requirements applicable to IT services providers under health information privacy laws and draft privacy provisions for IT agreements.

Draft or review data sharing, system access and IT services agreements for hospitals, CCACs, LHINs, prescribed persons (registries), prescribed entities and health care associations, among others.

Assist with the performance and analysis of privacy and security assessments.

Participate in regional privacy officer group meetings.

Advise on the application of health information privacy laws to research.

Access to Information

Assisted an organization that frequently contracts with municipal and provincial governments on a matter concerning sensitive issues. These issues, if disclosed due to a FOIP request, could have a significant and negative impact on the organization. Drafted policies, advised the board of directors and recommended best practices.

Security Breaches

Helped manage security breaches for various clients (including corporations operating in the financial services and retail trade industries) involving different Canadian jurisdictions. This included investigating the violations, acting as the contact-person with the different interested parties and stakeholders, the individuals concerned, the media and the different privacy commissioners (including the Privacy Commissioner of Canada, the Alberta and British Columbia Privacy Commissioners and the Commission d'Accès à l'Information du Québec), and assisting in drafting relevant letters of notification and generally contributing to the response strategy.

Prepared the defence strategy for one of Canada's largest telecommunications and media companies (listed on the TSX) following a complaint at the Commission d’accès à l’information du Québec, alleging breaches of privacy connected with their business practices.

Represented clients, including an American multinational corporation traded on the New York Stock Exchange (NYSE), a leader in international family entertainment and interactive media, a multinational technology company and two financial institutions, in investigations carried out by privacy commissioners.