Summary

Risks to privacy and data security grow as businesses adopt new technologies to gather and manipulate information, and as consumers demand seamless access to it. Custodians of sensitive data are held to ever-rising standards of care as regulations are reinterpreted and redefined in a race with technology. Clients in the public and private sectors and across a range of industries look to BLG’s national Privacy and Data Security Group for its multi-jurisdictional perspective and unsurpassed insight into the legal, practical and ethical issues relating to the protection of personal information in Canada. Our Group provides advice on every aspect of privacy and data security, from the collection and management of information, to crisis management in the event of a breach, and representation in privacy-related inquiries and litigation, including class actions. BLG’s lawyers ensure that clients have a full understanding of compliance-related risks so that they can make informed decisions. Members of the Group include some of Canada’s foremost lawyers on privacy and access to information law. Beyond just understanding the law, our lawyers help shape the privacy and cybersecurity landscape in Canada, testifying at standing committees, advising on the drafting of legislation and appearing before the Supreme Court of Canada. With practitioners at the forefront of regulatory developments, BLG provides advice that anticipates future trends across a wide range of industry sectors, including health, financial services and insurance, retail, telecommunications and technology.

Publications & Presentations

Media/Articles

Éloïse Gratton and Sepideh Alavi, "Business Analytics and Privacy-related Risks," IAPP Canada Privacy Symposium 2016, May, 2016.
Éloïse Gratton, "Federal privacy bill could make it easier for insurers to share suspicious auto claims information," Canadian Underwriter, June, 2015.
Bradley Freedman, "U.S. Department of Justice issues guidance for cyber incident planning and response," Morning Post Exchange, May 2015.
Bradley Freedman, "Privacy Commissioner issues guidance for privacy law and CASL compliance," Morning Post Exchange, May 2015.
Éloïse Gratton, "Health-Tracking Bracelets and Privacy Issues," Canadian Privacy Law Review, March 2015.
Ira Nishisato interview, "Cyber security the top business risk for 2015," Business News Network, December 23, 2014.
Katherine Cooligan and Daniel Hohnstein, "'Intruding upon the seclusion of personal email' — What the common law tort for invasion of privacy might mean for snooping spouses and the electronic evidence that they obtain," Canadian Family Law Quarterly, July 2014.
Kelly Morris, "Acceptable Use of Technology Policies: How to Manage Employee Privacy Expectations With Respect to Personal Use of School Technology," Canadian Association for the Practical Study of Law in Education Comments, June 2014.
Ira Nishisato quoted, "Cyber attack on eBay highlights importance of digital security," The Globe and Mail, May 22, 2014.
Tim Buckley, Barry Glaspell and Cheryl Woodin, "Defending Class Actions in Canada," The Litigation Report, Spring 2013.
Ira Nishisato quoted, "SCC Releases Private International Law Decisions", Lexpert® Magazine, April 2012.
Tim Buckley and Cheryl Woodin, "Class actions in Canada are on the rise," Canadian Insurance Broker, May 2011.
Kelly Morris, "Federal Court Finds Privacy Commissioner Lacks Authority to Determine Claims of Privilege," Eye on Privacy, February 2011.
Bonnie Freedman, "Requirements & Expectations of Information Technology & Information Management Services Providers to the Health Sector in Canada," The CHIEF Quarterly, Spring 2010.
Bonnie Freedman, "PHIPA Primer," Healthcare Magazine, September/October 2008.
Bonnie Freedman, "Trans-jurisdictional Outsourcing Involving Personal Information, Canadian Approaches," Eye on Privacy, April 2007.
Bonnie Freedman, "International Disclosure of Personal Health Information by the Public Sector in Canada," Technology and E-Commerce Committee E-bulletin, September 2006.

Books

Éloïse Gratton and Elisa Henry, "Practical Guide to e-Commerce and Internet Law," LexisNexis, 2015.
Éloïse Gratton and Lyndsay Wasser, "Privacy in the Workplace," CCH Canada Ltd., 3rd edition, 2014.
Éloïse Gratton, "Practice Advisor, module on e-Commerce," author of over 60 documents, practice notes and precedents on website management, social media and online marketing, LexisNexis, 2013.
Éloïse Gratton, "Understanding Personal Information: Managing Privacy Risks," (515 pages) LexisNexis, 2013.
Éloïse Gratton, "Privacy in the Workplace," CCH Canada Ltd., 2nd edition, 2009.
Éloïse Gratton, "Digest of Commercial Laws of the World," Oceana Publications, Oxford University Press, New York, February 2009.
Patrick Hawkins and Kristin Taylor, "Quality of Care Information Protection Act Toolkits," Ontario Hospital Association, 2004 and 2007.
Éloïse Gratton, "World Online Business Law," Oceana Publications, Oxford University Press, New York, 2006 and 2009.
Éloïse Gratton, "SMS Marketing for Mobile Generation," ICFAI University Press, 2005 (Author of "SMS Marketing Regulations", "Ethics in Wireless Advertising" and "Wireless spam: Ethical Issues").
Éloïse Gratton, "Internet and Wireless Privacy: Legal Guide to Global Business Practices," (400 pages) CCH Canada Ltd., 2003.
Barbara McIsaac, "The Law of Privacy in Canada," Carswell, 2000.

BLG Bulletins

"Important Recommendations from the Québec Privacy Commissioner on the Protection of Personal Information", November 2016
"CASL Enforcement Decision — Sending Messages Without Consent", October 2016
"CRTC Settles Alleged CASL Violation — Messages Sent Without Consent", September 2016
"Ashley Madison Security Breach: Lessons Learned and Valuable Recommendations for all Businesses", August 2016
"Beyond Consent-based Privacy Protection: Response to the OPC's consultation on privacy and consent", July 2016
"Decision Provides Rare Insight on the Applicability of the "Right to be Forgotten" in Québec", June 2016
"Do insurers have a duty to defend as a result of a failure to comply with PCI — DSS", May 2016
"Challenges with the Implementation of a Right to be Forgotten in Canada", April 2016
"Internet of Things: OPC Publishes Research Paper on Privacy and Security Risks Associated with Retail and Home Environments", February 2016
"Apple’s encryption fight against the U.S. government could spill into Canada", February 2016
"Ontario Court recognizes existence of new "revenge porn" privacy tort", January 2016
"Production Order Challenge Results in Recognition of Duty to Assert Consumer Privacy Rights", January 2016
"Canadian Businesses Increasingly Face Privacy Breach Class Actions Absent Traditional Forms of Damages", December 2015
"Snooping Nurse's Termination Upheld by Arbitrator", October 2015
"Porter Airlines Agrees to Pay $150,000 for Alleged Violations of CASL", June 2015
"Digital Privacy Act — New Requirement for Valid Consent to Use Personal Information", June 2015
"New Requirements of the Digital Privacy Act (Bill S-4)", June 2015
"Tort Of Intrusion Upon Seclusion And Breaches Of Personal Health Information:", March 2015
"CRTC Issues $1.1 Million Penalty for CASL Violation", March 2015
"Industry Canada And CRTC Discuss Canada’s Anti-Spam Law At BLG", June 2014
"CASL and Health Care Providers", May 2014
"Ontario’s IPC Rules that there is No Right of Access to Certain Records of School Board Trustees Under the MFIPPA", May 2014
"Government Of Canada Proposes Important Changes To PIPEDA", April 2014

Rankings & Recognition

The Privacy and Data Security Group or its members are recognized as follows:

2017 edition of Chambers Canada — Canada's Leading Lawyers for Business.
2017 and previous editions of the Best Lawyers in Canada®.
Éloïse Gratton was recognized in 2016 as "one of the Top 25 Most Influential Lawyers in Canada" by Canadian Lawyer Magazine.
Éloïse Gratton was awarded Clawbies: Canadian Legal Blog Award for the year 2014 for the best new legal blog, for her blog on privacy and IT law (2014).

Representative Work

Below is a sample of cases and matters that our group is working on or has worked on.

Compliance with Privacy and Data Security Legislation

Provided advice respecting questions dealing with human resources and the protection of privacy for various clients, including one of the largest automobile manufacturers; a Canadian leader in consumer products; a leading company in Analog and Digital Television, High-Speed Internet and Telephone services; one of the world's largest professional services firms traded on the TSX stock exchange; one of the world's largest professional services firms, as well as a multinational corporation working in the biopharmaceutical sector.
Retained by one of the “Big Four” Canadian accounting firms to develop tools and procedures to assist one of its clients with certain aspects of the legislative requirements of CASL (the Canadian anti-spam law) in connection with its business practices and to provide consulting services to its clients concerning CASL compliance.
Assisted a large European retailer which is expanding operations to Canada to revise their privacy policies, systems and agreements pertaining to customer loyalty programs and use of progressive technologies that collect data from consumers.
Acted for the City of Ottawa on a precedent-setting case that established the privacy of employee personal emails unrelated to the business of the City.
The Divisional Court agreed with the City that an employee's personal emails unrelated to their work would not be captured by the public sector privacy legislation.
Provided advice and drafted agreements for a party who was terminating an existing long term business relationship where the parties had shared large volumes of personal information and had not adequately accounted for the protection of such information on termination. This transaction involved extensive negotiation, analysis of privacy and consumer protection laws and complex agreements to accomplish the goals of the client to fulfil its legal obligations.
Provided advice to one of the world's largest professional services firms (traded on the TSX stock exchange) on its overall strategy for implementing the "binding corporate rules" developed by the Working Group on Article 29 of the European Union. This enabled the client to transfer personal data across the borders of different European countries, in compliance with the EU's legal requirements.
Represented the Commissioner of Official Languages before the Supreme Court of Canada in the Lavigne case in which the court had to reconcile the obligations of the Commissioner with respect to confidentiality with the disclosure requirements of the Privacy Act.
Represented the Canadian Security Intelligence Service before the Supreme Court of Canada in the Ruby case with respect to the interpretation and application of the Privacy Act.
Provided training to the team of the Privacy Commissioner of Canada, in Ottawa, focusing on privacy issues connected with location-based services, and on the challenges relating to the concept of "personal information" in the light of new Internet technologies.

Class Actions Involving Data and Privacy Breaches, and Cybersecurity

Evans v. The Bank of Nova Scotia
BLG is defending one of the first class actions brought under the “intrusion upon seclusion” breach of privacy tort.
The case is likely to be precedent-setting, in what is considered by many observers to be the fastest-growing area for class actions. BLG represents a “Big Five” Bank being sued for the criminal actions of a rogue employee alleged to have breached the privacy of customers of the Bank. The matter will be proceeding to a common issues trial, which will decide novel legal issues, including whether an employer can be vicariously liable for its employees’ breach of privacy.

Hopkins v. Kay
BLG represents the defendant hospital in a proposed class action relating to alleged privacy breaches committed by hospital employees. In this case, the hospital is challenging application of the “tort of intrusion upon seclusion” to health care privacy, which is comprehensively governed in Ontario by the Personal Health Information Protection Act. This case considers the rules and scope of the cause of action by which health care institutions can be sued for breaches of privacy by their employees.

Broutzas/Taylor v. Rouge Valley Health System and John Doe RESP Corporation
BLG represents the hospital in two proposed class actions alleging that hospital employees improperly accessed new-mother contact details and sold that information to persons selling RESPs, who then contacted the patients at home. The litigation raises questions about vicarious liability for criminal breaches of privacy as well as the interplay between PHIPA and common law breach of privacy claims.

BLG represented a financial services regulator named as a defendant in a class action regarding the loss of personal information.
BLG was successful in obtaining the dismissal of the certification on the basis that the representative plaintiff suffered no compensable harm since his personal information was not used fraudulently.

BLG represented a leading Internet search engine named as a defendant in a potential class action (now at the pre-certification stage) on behalf of persons whose electronic data was allegedly transmitted over unsecured wireless internet connection and whose personal information was allegedly intercepted.

BLG represented a major automobile financing company named as a defendant in a class action regarding the loss of personal information that was stored on a data tape which was lost during transit. The class action was certified on the basis that the representative plaintiff alleged that his personal information was used fraudulently.

Health Information Privacy

Drafted guides to Freedom of Information legislation (FIPPA) and health information privacy law (PHIPA) for different classes of health services providers.
Regularly assist health information custodians to understand their obligations under provincial health information privacy laws and to respond to inquiries and investigations by the applicable Commissioner.
Analyze and advise on privacy models for regional and provincial shared records and other electronic health information systems, services and repositories (authentication/identification, e-referral, e-notification, clinical collaboration, integrated decision support).
Advise on the requirements applicable to IT services providers under health information privacy laws and draft privacy provisions for IT agreements.
Draft or review data sharing, system access and IT services agreements for hospitals, CCACs, LHINs, prescribed persons (registries), prescribed entities and health care associations, among others.
Assist with the performance and analysis of privacy and security assessments.
Participate in regional privacy officer group meetings.
Advise on the application of health information privacy laws to research.

Access to Information

Assisted an organization that frequently contracts with municipal and provincial governments, on a matter concerning sensitive issues. These issues, if disclosed due to a FOIP request, could have a significant and negative impact on the organization. Drafted policies, advised the board of directors and recommended best practices.

Security Breaches

Helped manage security breaches for various clients (including corporations operating in the financial services and retail trade industries) involving different Canadian jurisdictions. This included investigating the violations, acting as the contact-person with the different interested parties and stakeholders, the individuals concerned, the media and the different privacy commissioners (including the Privacy Commissioner of Canada, the Alberta and British Columbia Privacy Commissioners and the Commission d'Accès à l'Information du Québec), and assisting in drafting relevant letters of notification and generally contributing to the response strategy.
Prepared the defence strategy for one of Canada's largest telecommunications and media companies (listed on the TSX) following a complaint at the Commission d’accès à l’information du Québec, alleging breaches of privacy connected with their business practices.
Represented clients, including an American multinational corporation traded on the New York Stock Exchange (NYSE), a leader in international family entertainment and interactive media, a multinational technology company and two financial institutions, in investigations carried out by privacy commissioners.

Cyberlitigation

Represented a New York-based broker-dealer prosecuting an action to obtain emergency injunctive relief against a computer network service provider which refused to provide it with administrative passwords necessary for it to access essential functions such as e-mail and the ability to print.
Obtaining Anton Piller (civil search) orders for US and Canadian television broadcasters whose copyrighted television signals were being pirated, in order to seize computer servers and identify wrongdoers.
Obtaining Norwich Pharmacal (disclosure) orders for a client following the theft of its confidential information that appeared on a web site in order to require the internet service provider to disclose IP addresses of the wrongdoers.
Obtaining an extraordinary injunction to require an Internet hosting service provider to shut down servers being used to facilitate the global theft of copyrighted works via the internet.