Risks to privacy and data protection grow as businesses adopt new technologies to gather and manipulate information, and as consumers demand seamless access to it. Custodians of sensitive data are held to ever-rising standards of care as regulations are reinterpreted and redefined in a race with technology.

Clients in the public and private sectors and across a range of industries look to BLG’s national Privacy and Data Protection Group for its multi-jurisdictional perspective and unsurpassed insight into the legal, practical and ethical issues relating to the protection of personal information in Canada.

Our Group provides advice on every aspect of privacy and data protection, from the collection and management of information, to crisis management in the event of a breach, and representation in privacy-related inquiries and litigation, including class actions.

BLG’s lawyers ensure that clients have a full understanding of compliance-related risks so that they can make informed decisions.

Members of the Group include some of Canada’s foremost lawyers on privacy and access to information law. Beyond just understanding the law, our lawyers help shape the privacy and cybersecurity landscape in Canada, testifying at standing committees, advising on the drafting of legislation and appearing before the Supreme Court of Canada. With practitioners at the forefront of regulatory developments, BLG provides advice that anticipates future trends across a wide range of industry sectors, including health, financial services and insurance, retail, telecommunications and technology.

Publications & Presentations



  • Éloïse Gratton and Elisa Henry, "Practical Guide to e-Commerce and Internet Law," LexisNexis, 2015.
  • Éloïse Gratton and Lyndsay Wasser, "Privacy in the Workplace," CCH Canada Ltd., 3rd edition, 2014.
  • Éloïse Gratton, "Practice Advisor, module on e-Commerce," author of over 60 documents, practice notes and precedents on website management, social media and online marketing, LexisNexis, 2013.
  • Éloïse Gratton, "Understanding Personal Information : Managing Privacy Risks," (515 pages) LexisNexis, 2013.

BLG Bulletins



  • Éloïse Gratton and Elisa Henry, "Practical Guide to e-Commerce and Internet Law," LexisNexis, 2015.
  • Éloïse Gratton and Lyndsay Wasser, "Privacy in the Workplace," CCH Canada Ltd., 3rd edition, 2014.
  • Éloïse Gratton, "Practice Advisor, module on e-Commerce," author of over 60 documents, practice notes and precedents on website management, social media and online marketing, LexisNexis, 2013.
  • Éloïse Gratton, "Understanding Personal Information : Managing Privacy Risks," (515 pages) LexisNexis, 2013.

Representative Work

Below is a sample of cases and matters that our group is or has worked on.

Compliance with Privacy and Data Protection Legislation

Provided advice respecting questions dealing with human resources and the protection of privacy for various clients, including one of the largest automobile manufacturers; a Canadian leader in consumer products; a leading company in Analog and Digital Television, High-Speed Internet and Telephone services; one of the world's largest professional services firms traded on the TSX stock exchange; one of the world's largest professional services firms, as well as a multinational corporation working in the biopharmaceutical sector.

Retained by one of the "Big Four” Canadian accounting firms to develop tools and procedures to enable assisting one of its clients with certain aspects of the legislative requirements of CASL (the Canadian anti-spam law) in connection with its business practices and to provide consulting services to its clients concerning CASL compliance.

Assisted a large European retailer which is expanding operations to Canada to revise their privacy policies, systems and agreements pertaining to customer loyalty programs and use of progressive technologies that collect data from consumers.

Acted for the City of Ottawa on a precedent setting case that established the privacy of employee personal emails unrelated to the business of the City. The Divisional Court agreed with the City that an employee's personal emails unrelated to their work would not be captured by the public sector privacy legislation.

Provided advice and drafted agreements for a party who was terminating an existing long term business relationship where the parties had shared large volumes of personal information and had not adequately accounted for the protection of such information on termination. This transaction involved extensive negotiation, analysis of privacy and consumer protection laws and complex agreements to accomplish the goals of the client to fulfil its legal obligations.

Provided advice to one of the world's largest professional services firms (traded on the TSX stock exchange) on its overall strategy for implementing the "binding corporate rules" developed by the Working Group on Article 29 of the European Union.  This  enabled the client to transfer personal data across the borders of different European countries, in compliance with the EU's legal requirements.

Represented the Commissioner of Official Languages before the Supreme Court of Canada in the Lavigne case in which the court had to reconcile the obligations of the Commissioner with respect to confidentiality with the disclosure requirements of the Privacy Act.

Represented  the Canadian Security Intelligence Service before the Supreme Court of Canada in the Ruby case with respect to the interpretation and application of the Privacy Act.

Provided training to the team of the Privacy Commissioner of Canada, in Ottawa, focusing on privacy issues connected with location-based services, and on the challenges relating to the concept of "personal information" in the light of new Internet technologies.

Class Actions Involving Data and Privacy Breaches, and Cybersecurity

Evans v. The Bank of Nova Scotia

BLG is defending one of the first class actions brought under the “intrusion upon seclusion” breach of privacy tort.  The case is likely to be precedent-setting, in what is considered by many observers to be the fastest-growing area for class actions. BLG represents a “Big Five” Bank being sued for the criminal actions of a rogue employee alleged to have breached the privacy of customers of the Bank.  The matter will be proceeding to a common issues trial, which will decide novel legal issues, including whether an employer can be vicariously liable for its employees’ breach of privacy.

Hopkins v. Kay

BLG represents the defendant hospital in a proposed class action relating to alleged privacy breaches committed by hospital employees.  In this case, the hospital is challenging application of the “tort of intrusion upon seclusion” to health care privacy, which is comprehensively governed in Ontario by the Personal Health Information Protection Act.  This case considers the rules and scope of the cause of action by which health care institutions can be sued for breaches of privacy by their employees.

Broutzas/Taylor v. Rouge Valley Health System and John Doe RESP Corporation

BLG represents the hospital in two proposed class actions alleging that hospital employees improperly accessed new-mother contact details and sold that information to persons selling RESPs, who then contacted the patients at home.  The litigation raises questions about vicarious liability for criminal breaches of privacy as well as the interplay between PHIPA and common law breach of privacy claims.

BLG represented a financial services regulator named as a defendant in a class action regarding the loss of personal information. BLG was successful in obtaining the dismissal of the certification on the basis that the representative plaintiff suffered no compensable harm since his personal information was not used fraudulently.

BLG represented a leading Internet search engine named as a defendant in a potential class action (now at the pre-certification stage) on behalf of persons whose electronic data was allegedly transmitted over unsecured wireless internet connection and whose personal information was allegedly intercepted.

BLG represented a major automobile financing company named as a defendant in a class action regarding the loss of personal information that was stored on a data tape which was lost during transit. The class action was certified on the basis that the representative plaintiff alleged that his personal information was used fraudulently.

Health Information Privacy

Drafted guides to Freedom of Information legislation (FIPPA) and health information privacy law (PHIPA) for different classes of health services providers.

Regularly assist health information custodians to understand their obligations under provincial health information privacy laws and to respond to inquiries and investigations by the applicable Commissioner.

Analyze and advise on privacy models for regional and provincial shared records and other electronic health information systems, services and repositories (authentication/identification, e-referral, e-notification, clinical collaboration, integrated decision support).

Advise on the requirements applicable to IT services providers under health information privacy laws and draft privacy provisions for IT agreements.

Draft or review data sharing, system access and IT services agreements for hospitals, CCACs, LHINs, prescribed persons (registries), prescribed entities and health care associations, among others.
Assist with the performance and analysis of privacy and security assessments.

Participate in regional privacy officer group meetings.

Advise on the application of health information privacy laws to research.

Access to Information

Assisted an organization that frequently contracts with municipal and provincial governments, on a matter concerning sensitive issues. These issues, if disclosed due to a FOIP request, could have a significant and negative impact on the organization. Drafted policies, and advised the board of directors and recommended best practices.

Security Breaches

Helped manage security breaches for  various clients (including corporations operating in the financial services and retail trade industries) involving different Canadian jurisdictions. This included investigating the violations, acting as the contact-person with the different interested parties and stakeholders, the individuals concerned, the media and the different privacy commissioners (including the Privacy Commissioner of Canada, the Alberta and British Columbia Privacy Commissioners and the Commission d'Accès à l'Information du Québec), and assisting in drafting relevant letters of notification and generally contributing to the response strategy.

Prepared the defence strategy for one of Canada's largest telecommunications and media companies (listed on the TSX) following a complaint at the Commission d’accès à l’information du Québec, alleging breaches of privacy connected with their business practices.

Represented clients, including an American multinational corporation traded on the New York Stock Exchange (NYSE), a leader in international family entertainment and interactive media, a multinational technology company and two financial institutions, in investigations carried out by privacy commissioners.

Rankings & Recognitions

BLG's Privacy and Data Protection Group and its members are frequently recognized in leading legal publications and directories, including:

  • Chambers Canada — Canada's Leading Lawyers for Business.
  • The Best Lawyers in Canada®.
  • The Canadian Legal Lexpert® Directory.
  • Benchmark Canada – The Definitive Guide to Canada's Leading Litigation Firms & Attorneys.
  • Acritas Star
  • Robert Deane was recognized by The Best Lawyers in Canada® as the 2018 "Vancouver Privacy and Data Security Law Lawyer".
  • Éloïse Gratton was recognized by Lexpert® as a 2017 Zenith Award – Celebrating Women in Law.
  • Éloïse Gratton was recognized by Canadian Lawyer Magazine in 2016 as "one of the Top 25 Most Influential Lawyers in Canada".
  • Éloïse Gratton was awarded Clawbies: Canadian Legal Blog Award in 2014 for the best new legal blog, for her blog on privacy and IT law.