Summary Section Content 1Risks to privacy and data protection grow as businesses adopt new technologies to gather and manipulate information, and as consumers demand seamless access to it. Custodians of sensitive data are held to ever-rising standards of care as regulations are reinterpreted and redefined in a race with technology. Clients in the public and private sectors and across a range of industries look to BLG’s national Privacy and Data Protection Group for its multi-jurisdictional perspective and unsurpassed insight into the legal, practical and ethical issues relating to the protection of personal information in Canada. Our Group provides advice on every aspect of privacy and data protection, from the collection and management of information, to crisis management in the event of a breach, and representation in privacy-related inquiries and litigation, including class actions. BLG’s lawyers ensure that clients have a full understanding of compliance-related risks so that they can make informed decisions. Members of the Group include some of Canada’s foremost lawyers on privacy and access to information law. Beyond just understanding the law, our lawyers help shape the privacy and cybersecurity landscape in Canada, testifying at standing committees, advising on the drafting of legislation and appearing before the Supreme Court of Canada. With practitioners at the forefront of regulatory developments, BLG provides advice that anticipates future trends across a wide range of industry sectors, including health, financial services and insurance, retail, telecommunications and technology. Publications & Presentations Section Content 2Media/Articles Éloïse Gratton and Sepideh Alavi, "Business Analytics and Privacy-related Risks," IAPP Canada Privacy Symposium 2016, May, 2016.Éloïse Gratton, "Federal privacy bill could make it easier for insurers to share suspicious auto claims information," Canadian Underwriter, June, 2015.Bradley Freedman, "U.S. Department of Justice issues guidance for cyber incident planning and response," Morning Post Exchange, May 2015.Bradley Freedman, "Privacy Commissioner issues guidance for privacy law and CASL compliance," Morning Post Exchange, May 2015.Éloïse Gratton, "Health-Tracking Bracelets and Privacy Issues,", Canadian Privacy Law Review, March 2015.Ira Nishisato interview, "Cyber security the top business risk for 2015," Business News Network, December 23, 2014.Katherine Cooligan and Daniel Hohnstein, "'Intruding upon the seclusion of personal email' — What the common law tort for invasion of privacy might mean for snooping spouses and the electronic evidence that they obtain," Canadian Family Law Quarterly, July 2014.Ira Nishisato quoted, "Cyber attack on eBay highlights importance of digital security," The Globe and Mail, May 22, 2014.Tim Buckley, Barry Glaspell and Cheryl Woodin, "Defending Class Actions in Canada," The Litigation Report, Spring 2013. Books Éloïse Gratton and Elisa Henry, "Practical Guide to e-Commerce and Internet Law," LexisNexis, 2015.Éloïse Gratton and Lyndsay Wasser, "Privacy in the Workplace," CCH Canada Ltd., 3rd edition, 2014.Éloïse Gratton, "Practice Advisor, module on e-Commerce," author of over 60 documents, practice notes and precedents on website management, social media and online marketing, LexisNexis, 2013.Éloïse Gratton, "Understanding Personal Information : Managing Privacy Risks," (515 pages) LexisNexis, 2013. BLG Bulletins "IIROC Imposes Mandatory Reporting of Cybersecurity Incidents for Regulated Investment Firms," November 2019."California Consumer Privacy Act — Preparing for Compliance," November 2019."Mandatory Breach Reporting: Lessons from Year One," November 2019."When is it legal to repurpose publicly available information for commercial purposes?," October 2019."Where to Draw the Line on Pre-Certification Discovery: Karasik v. Yahoo," October 2019."Benchmarking Businesses’ Privacy Framework: Highlights from the 2019 IAPP-EY Annual Privacy Governance Report," October 2019."OPC Maintains Status Quo as it Concludes Consultation on Cross-Border Dataflows," September 2019."BLG Highlights Industry Concerns in Response to OPC Consultation on Cross-Border Dataflows," August 2019."Security incident: The Québec Superior Court confirms that the mere fact of being the victim of an incident is insufficient to support a claim for damages," July 2019."Privacy Breach Response – Prevention of Future Breaches," June 2019."Life Signs — Life Sciences Legal Trends in Canada," June 2019."The Sensor: Building a Privacy-Compliant Autonomous Vehicles Business," May 2019."Preventing, Containing, and Managing Cyber Breaches: Where to Begin?," May 2019."No Reasonable Expectation of Privacy in Case of Online Child Luring," May 2019."CRTC Issues Its First Penalty Against a CEO for Violating Canada’s Anti-Spam Legislation," May 2019."Important Privacy Commissioner Consultation Impacting Cross-Border Dataflows and Outsourcing," April 2019."IPC Releases New Guide to Privacy and Access to Information," March 2019."Frequently Asked Questions — Compliance with PIPEDA’s Security Breach Obligations," March 2019."Court Denies Certification in Privacy Class Action: Personal Information is Not Necessarily Private Information," February 2019."The Sensor: The Legal Crystal Ball: Autonomous Vehicles Developments to Watch for In 2019," January 2019."Privacy In The Iot Age," January 2019."Five Steps to Compliance with Privacy Consent Guidelines," December 2018."B.C. Privacy Commissioner Issues Guidance for Cannabis Retailers and Purchasers," November 2018."Privacy Commissioner’s Guidance for Compliance with PIPEDA’s Breach of Security Safeguards Obligations," October 2018."Impact of the New Mandatory Breach Notification Requirements under PIPEDA on Pension Plan Administration," October 2018."Privacy Laws North of the Border: A Primer," September 2018."Preparing for Compliance with New Privacy Consent Guidelines," September 2018."Privacy Business Risks on the Rise: Privacy Concerns can Lead to Significant Loss in Market Value," July 2018."Public Facebook Profiles Not Equivalent to Public Information Under PIPEDA," July 2018."California’s New Privacy Law and What it Means for Canadian Businesses," July 2018."Health Information Breach Notification Obligations under Alberta’s Health Information Act," June 2018."Government of Canada Responds to ETHI Committee Report on PIPEDA Review," June 2018."Canadian Personal Information Security Breach Obligations – Preparing for Compliance," April 2018."ETHI Committee Prepares for GDPR Adequacy Assessment in New Report on PIPEDA," March 2018."OPC Report Asserts PIPEDA Protections are Similar to EU “Right to be Forgotten”," January 2018."Expectation of Privacy in Text Message Conversations More Stringent in Canada Than the U.S.," January 2018."Top 10 Legal Risks for Business in 2018," January 2018."New Committee Report on CASL Highlights Need for Clarification and Education ," December 2017."SCC Recognizes Expectation of Privacy in Text Message Conversations," December 2017."Ontario and Québec Set to Update Legal Requirements on Loyalty Programs ," November 2017."G-7 Guidelines for Cybersecurity Assessment," October 2017."Demers v. Yahoo Inc: Québec Court Confirms that Québec Consumer Law Applies to Free Online Services," October 2017."The European Union General Data Protection Regulation – A Primer for Canadian Organizations," October 2017."Important Changes to Password Best Practices Guidance," October 2017."B.C. Supreme Court Certifies National Class Action for Financial Institution Data Breach," October 2017."The OPC Publishes its Report on Consent," September 2017."PIPEDA's Breach of Security Safeguards Regulations Now Published and Open for Comments," September 2017."Mandatory Reporting of Privacy Breaches to the Information and Privacy Commissioner now required under the Personal Health Information Protection Act, 2004," July 2017."Supreme Court Gives the Green Light to Global Orders to Take Down Search Results," July 2017."Supreme Court of Canada Confirms in Douez v. Facebook that a Business Cannot Contract Out of Local Privacy Law," June 2017."Superior Court of Québec Authorizes Privacy Class Action in Zuckerman v. Target Corporation," February 2017."Top 10 Legal Risks for Business in 2017," January 2017. Media/Articles Éloïse Gratton and Sepideh Alavi, "Business Analytics and Privacy-related Risks," IAPP Canada Privacy Symposium 2016, May, 2016. Éloïse Gratton, "Federal privacy bill could make it easier for insurers to share suspicious auto claims information," Canadian Underwriter, June, 2015. Bradley Freedman, "U.S. Department of Justice issues guidance for cyber incident planning and response," Morning Post Exchange, May 2015. Bradley Freedman, "Privacy Commissioner issues guidance for privacy law and CASL compliance," Morning Post Exchange, May 2015. Éloïse Gratton, "Health-Tracking Bracelets and Privacy Issues,", Canadian Privacy Law Review, March 2015. Ira Nishisato interview, "Cyber security the top business risk for 2015," Business News Network, December 23, 2014. Katherine Cooligan and Daniel Hohnstein, "'Intruding upon the seclusion of personal email' — What the common law tort for invasion of privacy might mean for snooping spouses and the electronic evidence that they obtain," Canadian Family Law Quarterly, July 2014. Kelly Morris, "Acceptable Use of Technology Policies: How to Manage Employee Privacy Expectations With Respect to Personal Use of School Technology," Canadian Association for the Practical Study of Law in Education Comments, June 2014. Ira Nishisato quoted, "Cyber attack on eBay highlights importance of digital security," The Globe and Mail, May 22, 2014. Tim Buckley, Barry Glaspell and Cheryl Woodin, "Defending Class Actions in Canada," The Litigation Report, Spring 2013. Books Éloïse Gratton and Elisa Henry, "Practical Guide to e-Commerce and Internet Law," LexisNexis, 2015. Éloïse Gratton and Lyndsay Wasser, "Privacy in the Workplace," CCH Canada Ltd., 3rd edition, 2014. Éloïse Gratton, "Practice Advisor, module on e-Commerce," author of over 60 documents, practice notes and precedents on website management, social media and online marketing, LexisNexis, 2013. Éloïse Gratton, "Understanding Personal Information : Managing Privacy Risks," (515 pages) LexisNexis, 2013. Representative Work Section Content 3Below is a sample of cases and matters that our group is or has worked on.Compliance with Privacy and Data Protection Legislation Provided advice respecting questions dealing with human resources and the protection of privacy for various clients, including one of the largest automobile manufacturers; a Canadian leader in consumer products; a leading company in Analog and Digital Television, High-Speed Internet and Telephone services; one of the world's largest professional services firms traded on the TSX stock exchange; one of the world's largest professional services firms, as well as a multinational corporation working in the biopharmaceutical sector.Retained by one of the "Big Four” Canadian accounting firms to develop tools and procedures to enable assisting one of its clients with certain aspects of the legislative requirements of CASL (the Canadian anti-spam law) in connection with its business practices and to provide consulting services to its clients concerning CASL compliance.Assisted a large European retailer which is expanding operations to Canada to revise their privacy policies, systems and agreements pertaining to customer loyalty programs and use of progressive technologies that collect data from consumers.Acted for the City of Ottawa on a precedent setting case that established the privacy of employee personal emails unrelated to the business of the City. The Divisional Court agreed with the City that an employee's personal emails unrelated to their work would not be captured by the public sector privacy legislation.Provided advice and drafted agreements for a party who was terminating an existing long term business relationship where the parties had shared large volumes of personal information and had not adequately accounted for the protection of such information on termination. This transaction involved extensive negotiation, analysis of privacy and consumer protection laws and complex agreements to accomplish the goals of the client to fulfil its legal obligations.Provided advice to one of the world's largest professional services firms (traded on the TSX stock exchange) on its overall strategy for implementing the "binding corporate rules" developed by the Working Group on Article 29 of the European Union. This enabled the client to transfer personal data across the borders of different European countries, in compliance with the EU's legal requirements.Represented the Commissioner of Official Languages before the Supreme Court of Canada in the Lavigne case in which the court had to reconcile the obligations of the Commissioner with respect to confidentiality with the disclosure requirements of the Privacy Act.Represented the Canadian Security Intelligence Service before the Supreme Court of Canada in the Ruby case with respect to the interpretation and application of the Privacy Act.Provided training to the team of the Privacy Commissioner of Canada, in Ottawa, focusing on privacy issues connected with location-based services, and on the challenges relating to the concept of "personal information" in the light of new Internet technologies.Class Actions Involving Data and Privacy Breaches, and Cybersecurity Evans v. The Bank of Nova Scotia BLG is defending one of the first class actions brought under the “intrusion upon seclusion” breach of privacy tort. The case is likely to be precedent-setting, in what is considered by many observers to be the fastest-growing area for class actions. BLG represents a “Big Five” Bank being sued for the criminal actions of a rogue employee alleged to have breached the privacy of customers of the Bank. The matter will be proceeding to a common issues trial, which will decide novel legal issues, including whether an employer can be vicariously liable for its employees’ breach of privacy. Hopkins v. Kay BLG represents the defendant hospital in a proposed class action relating to alleged privacy breaches committed by hospital employees. In this case, the hospital is challenging application of the “tort of intrusion upon seclusion” to health care privacy, which is comprehensively governed in Ontario by the Personal Health Information Protection Act. This case considers the rules and scope of the cause of action by which health care institutions can be sued for breaches of privacy by their employees. Broutzas/Taylor v. Rouge Valley Health System and John Doe RESP Corporation BLG represents the hospital in two proposed class actions alleging that hospital employees improperly accessed new-mother contact details and sold that information to persons selling RESPs, who then contacted the patients at home. The litigation raises questions about vicarious liability for criminal breaches of privacy as well as the interplay between PHIPA and common law breach of privacy claims.BLG represented a financial services regulator named as a defendant in a class action regarding the loss of personal information. BLG was successful in obtaining the dismissal of the certification on the basis that the representative plaintiff suffered no compensable harm since his personal information was not used fraudulently.BLG represented a leading Internet search engine named as a defendant in a potential class action (now at the pre-certification stage) on behalf of persons whose electronic data was allegedly transmitted over unsecured wireless internet connection and whose personal information was allegedly intercepted.BLG represented a major automobile financing company named as a defendant in a class action regarding the loss of personal information that was stored on a data tape which was lost during transit. The class action was certified on the basis that the representative plaintiff alleged that his personal information was used fraudulently.Health Information PrivacyDrafted guides to Freedom of Information legislation (FIPPA) and health information privacy law (PHIPA) for different classes of health services providers. Regularly assist health information custodians to understand their obligations under provincial health information privacy laws and to respond to inquiries and investigations by the applicable Commissioner. Analyze and advise on privacy models for regional and provincial shared records and other electronic health information systems, services and repositories (authentication/identification, e-referral, e-notification, clinical collaboration, integrated decision support). Advise on the requirements applicable to IT services providers under health information privacy laws and draft privacy provisions for IT agreements. Draft or review data sharing, system access and IT services agreements for hospitals, CCACs, LHINs, prescribed persons (registries), prescribed entities and health care associations, among others. Assist with the performance and analysis of privacy and security assessments. Participate in regional privacy officer group meetings. Advise on the application of health information privacy laws to research.Access to InformationAssisted an organization that frequently contracts with municipal and provincial governments, on a matter concerning sensitive issues. These issues, if disclosed due to a FOIP request, could have a significant and negative impact on the organization. Drafted policies, and advised the board of directors and recommended best practices.Security Breaches Helped manage security breaches for various clients (including corporations operating in the financial services and retail trade industries) involving different Canadian jurisdictions. This included investigating the violations, acting as the contact-person with the different interested parties and stakeholders, the individuals concerned, the media and the different privacy commissioners (including the Privacy Commissioner of Canada, the Alberta and British Columbia Privacy Commissioners and the Commission d'Accès à l'Information du Québec), and assisting in drafting relevant letters of notification and generally contributing to the response strategy. Prepared the defence strategy for one of Canada's largest telecommunications and media companies (listed on the TSX) following a complaint at the Commission d’accès à l’information du Québec, alleging breaches of privacy connected with their business practices. Represented clients, including an American multinational corporation traded on the New York Stock Exchange (NYSE), a leader in international family entertainment and interactive media, a multinational technology company and two financial institutions, in investigations carried out by privacy commissioners. Rankings & Recognitions Section Content 4BLG's Privacy and Data Protection Group and its members are frequently recognized in leading legal publications and directories, including: The 2020 edition of Chambers Canada — Canada's Leading Lawyers for Business. Chambers Canada — Canada's Leading Lawyers for Business. The Best Lawyers in Canada®. The Canadian Legal Lexpert® Directory. Benchmark Canada – The Definitive Guide to Canada's Leading Litigation Firms & Attorneys. Acritas Star Robert Deane was recognized by The Best Lawyers in Canada® as the 2018 "Vancouver Privacy and Data Security Law Lawyer". Éloïse Gratton was recognized by Lexpert® as a 2017 Zenith Award – Celebrating Women in Law. Éloïse Gratton was recognized by Canadian Lawyer Magazine in 2016 as "one of the Top 25 Most Influential Lawyers in Canada".Éloïse Gratton was awarded Clawbies: Canadian Legal Blog Award in 2014 for the best new legal blog, for her blog on privacy and IT law.