I'm a Privacy Lawyer.

Privacy law is a hot topic right now. Since the General Data Protection Regulation (GDPR) came into force in the European Union, the world has seen increased interest in privacy. Privacy developments are not just an EU thing, either. The US (especially California), Canada, Brazil, New Zealand, and other areas are all revamping privacy laws.

 

My Experience.

I’ve worked with many companies to come up with a privacy program that meets the privacy legal requirements applicable to them. Here are some examples of the types of companies I have helped.

  • I’ve worked with payment processors, procurement software providers, insurance companies, and financial analytics technology companies.

  • I’ve worked with automated and smart home software and technology providers, automated property management and maintenance platforms, and real estate analytics and data mining software companies.

  • I’ve worked with several legal tech startups, including records management, deal flow management, and document automation companies. I also have my very own legal tech startup, which makes me uniquely positioned as a lawyer to understand the complexities of the privacy world.

  • I’ve worked with online course, safety, and compliance management platforms.

  • I’ve worked with various small to large e-commerce providers, including physical and digital product e-commerce platforms and retailers.

  • I was senior legal counsel for 7 years with one of North America’s largest land development and real estate enterprises. Since then, I’ve worked with large and small organizations from many industries on commercial leasing matters for manufacturing, storage, office, and light industrial purposes.

  • From cutting edge psychedelics companies to medical device and software providers, I’ve had the opportunity to jump into the fast-paced medical tech sector.

  • I’ve worked with food, grocery, and restaurant ordering aggregation and delivery platforms.

  • I’ve worked with software providers in the plant and equipment automation space.

  • I’ve worked with companies creating transformative infotainment, safety, and productivity software in the automobile industry.

  • One of my favourite spaces to work in is the clean-tech industry. I’ve worked with promising clean technology companies, including a sustainable technology innovator revolutionizing sustainable packaging with 100% compostable and affordable plant-based solutions.

 

What Privacy Laws Apply to You?

  • Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to private-sector organizations across Canada that collect, use, or disclose personal information for commercial activity.

    Let’s break that down.

    What is a “private-sector organization”?

    Every business that operates in Canada and handles personal information in the course of commercial activities is subject to PIPEDA, unless it operates entirely within a province that has its own substantially similar private-sector privacy law (Alberta, British Columbia, and Québec). Even in those provinces, PIPEDA still applies to personal information that crosses provincial or national borders, and to federally regulated businesses such as banks, airlines, and telecommunications companies.

    What is a “commercial activity”?

    A commercial activity is broadly defined and is not only charging a fee or making a profit. For example, the Office of the Privacy Commissioner of Canada (“OPC”) decided in a recent privacy inquiry that collecting personal information only to enhance online user experience contributes to the success of the site as a commercial enterprise, and so the collection was a commercial activity.

    How is personal information defined?

    “Personal information” is defined in Canadian privacy laws rather simply and broadly as information about an identifiable individual.

    In various information bulletins, the OPC has provided a little more guidance; however, the lists of personal information in the OPC’s guidance is not exhaustive. Personal information includes any factual or subjective information, recorded or not, about an identifiable individual, such as:

    • age, name, ID numbers, income, ethnic origin, or other demographic information;

    • opinions, evaluations, comments, social status, or disciplinary actions; and

    • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or change jobs).

    What is excluded as personal information?

    Business contact information such as an employee’s name, title, business address, telephone number, or an email address that is collected, used, or disclosed only to communicate with the person for their employment or profession is excluded as personal information.

    What is considered sensitive personal information?

    Unlike GDPR, Canadian privacy laws do not carve out a separately defined class of sensitive personal information with its own heightened protections. Sensitivity still matters, though: it affects what form of consent is appropriate (express rather than implied consent for sensitive information such as health or financial data), the safeguards expected of you, and whether a breach creates a “real risk of significant harm” that must be reported to the OPC and to affected individuals.

    Are there any new privacy developments in Canada?

    Québec is the first Canadian province to substantially modernize its private-sector privacy law. The update (Law 25, formerly Bill 64) brings Québec’s rules closer to the principles and concepts in the European Union’s General Data Protection Regulation (GDPR), including mandatory privacy impact assessments for certain projects, breach reporting, and significant administrative penalties. Every organization doing business in Québec that processes personal information needs to understand the new requirements to ensure compliance.

  • The whole point of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is to protect the personal data of people who are in the EU, whatever their citizenship. So, the law applies to organizations that handle such data whether they are EU-based organizations or not. This is known as “extra-territorial effect.”

    GDPR applies to any “processing” of “personal data” of “data subjects” within the EU by a “controller” or a “processor”, where the processing is related to:

    • Offering goods or services, whether or not payment is required, to data subjects in the EU;

    • Monitoring data subject behaviour in the EU.

    Let’s break that down.

    What is “processing”?

    “Processing” means any operation performed on personal data, whether or not it is automated. GDPR lists collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing, combining, restricting, erasing, or destroying as examples of operations that amount to processing personal data.

    In short, if your organization does anything at all with personal data, even just storing it or passing it on, it is processing personal data.

    What is a “data subject”?

    “Data subject” means an identifiable human being. In other words, if someone can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the person, then the person is a “data subject” under GDPR.

    What is “personal data”?

    “Personal data” means any information relating to an identified or identifiable human being. As you can see, GDPR has a very broad definition of “personal data”.

    What is a “data controller”?

    “Controller” means the person or organization, whether alone or with others, that determines the purposes and means of processing personal data. As the term suggests, if your organization controls or instructs what personal data is collected and how it is made useful then it is a “controller” under GDPR.

    What is a “data processor”?

    “Processor” means the person or organization that processes the personal data on behalf of the controller.

    In summary…

    Putting that all together, if your organization:

    • offers goods or services, for a fee or for free, to people in the EU; or

    • tracks behaviour of people in the EU;

    and collects, uses, stores, or discloses information about those people, and either:

    • processes that personal data itself; or

    • outsources that processing to someone else (a processor acting on its behalf);

    then GDPR applies to your organization.

  • Unlike Canada and the GDPR, the United States does not have an overarching privacy law that applies across all the individual states to make a more-or-less uniform privacy framework in the country.

    There are US federal privacy laws, of course, but they are sector-specific (health, financial, children’s data, and so on), and individual state laws cover most privacy topics. Those state laws can vary quite a bit between states and, in fact, there are dozens of state privacy laws across the United States.

    So, it can be challenging for organizations to decide what privacy principles they will adopt. A suggested strategy is to focus on the jurisdiction with the strictest requirements to avoid an overly complex privacy program.

    With that in mind, the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), is seen as the most comprehensive and strongest privacy law in the United States currently.

    Since the United States has a more fragmented approach to privacy, it is recommended to carefully look at your privacy practices and the laws of the states in which you plan to do business before you start collecting and processing personal information.

    I can help you understand US privacy laws and coordinate with your US lawyers to come up with a privacy program that works across borders.

  • We should take a look at the privacy laws of any area where you are collecting information that can be linked back to an actual person.

    I’ve worked with many companies to compare how privacy laws from various areas impact them, and how we can put together the privacy law puzzle in a simplified way.

    For example, I’ve helped Canadian companies understand their core obligations under Canada’s laws and then compared those requirements to GDPR, California’s privacy laws, and even other areas such as Australia and New Zealand.

    In the end, we create:

    • Unified Privacy Policy: A combined Privacy Policy with additional addendums specific to certain areas.

    • Data Hosting: Rules for keeping data hosted in the jurisdiction where the personal information was collected.

    • Data Transfers: Guidelines on how personal data can be moved across borders and when it cannot be transferred.

    • Strategic Privacy Practices: Privacy practices based on the most restrictive jurisdiction in which the company operates.

    • Internal guides and checklists: Easy to understand information to help software developers, product development teams, sales personnel, and legal professionals understand key privacy obligations and data subject rights in each part of the world where your company operates.

 

What Privacy Topics and Documents Should We Be Thinking About?

  • A Privacy Policy is meant to help individuals that interact with your business understand what information you collect, why you collect it, and how the person can exercise their privacy rights, like the right to update, manage, export, and delete their information.

    At a glance, a Privacy Policy includes:

    • What personal information is collected.

    • How personal information is used.

    • When, and on what legal basis (such as consent, contract, or legitimate interests), personal information is used.

    • How personal information is shared.

    • What rights people have regarding their information, such as the right to access, update, change, or delete personal information, data portability, and withdrawing consent to personal information collection and use.

    • What information is sold to third-parties (if any) and the rights people have to opt-out of you selling their personal information.

    • Information on where personal information is stored and what security practices you use to keep it safe.

    • Information on how long personal information is kept.

    • What automated decision-making is used with personal information (that’s a disclosure requirement under GDPR, for example).

    • How to contact you about privacy questions.

    • How you will update your Privacy Policy in the future.

  • Cookies and tracking technologies get a lot of attention by privacy regulators, and not without reason. These technologies are fairly invasive. Who actually likes to be tracked?

    At the same time, tracking technologies are necessary for some functions of a website or application. Also, targeted marketing, which often uses cookies, really does work.

    A Cookies Policy works along side a Privacy Policy to disclose how you use tracking technologies. For example, it tells people whether you use strictly necessary cookies that help to remember log in information and preferences, or if you also use tracking technologies for marketing purposes.

    Cookies management pop-ups (also called cookies opt-ins or opt-outs) are widely used to help individuals manage their cookies preferences. These tools are useful and needed to comply with the EU’s ePrivacy rules, which require consent before non-essential cookies are set, and with GDPR’s standard for what counts as valid consent: freely given, specific, informed, and as easy to withdraw as it was to give.

    All that said though, third-party cookies may be a thing of the past if Google has anything to say about it. The search engine and tech giant announced a plan to phase out third-party cookies in its Chrome browser and replace them with browser-based advertising technologies (its “Privacy Sandbox”) that the company claims are less intrusive, although Google has since walked back the phase-out. Either way, it will be important to see how privacy regulators, especially under GDPR, treat these replacement technologies.
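The consent mechanics described above (strictly necessary cookies load without asking; everything else waits for a recorded choice) can be expressed as a small consent gate. The following is an added example, not code from this page or from any particular consent-management product; the cookie categories, the JSON layout of the stored consent record, and the `POLICY_VERSION` constant are assumptions for illustration. The version check is the part practitioners most often miss: when the Cookies Policy changes, consent given under the old version should no longer unlock non-essential tags, and the banner should be shown again.

```javascript
// Added example (not from the page): a minimal consent gate for cookies and
// tracking scripts. Consent is recorded per category together with the policy
// version it was given under; a newer policy version invalidates old consent.
// Category names, the stored-record format and POLICY_VERSION are assumptions.

const POLICY_VERSION = 2; // bump whenever the Cookies Policy materially changes
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Strictly necessary cookies never need consent; every other category does,
// and only consent given under the current policy version counts.
function isAllowed(category, consent) {
  if (category === "necessary") return true;
  if (!consent || consent.version !== POLICY_VERSION) return false; // missing or stale
  return consent.granted.includes(category);
}

// Serialize a visitor's choice into the value kept in the consent cookie.
// Unknown categories are dropped; "necessary" is implied and not stored.
function encodeConsent(granted, now = Date.now()) {
  const valid = granted.filter((c) => CATEGORIES.includes(c) && c !== "necessary");
  return JSON.stringify({ version: POLICY_VERSION, granted: valid, ts: now });
}

// Parse the stored consent value; anything malformed is treated as "no consent",
// which fails closed (no non-essential tags load).
function decodeConsent(raw) {
  try {
    const obj = JSON.parse(raw);
    if (typeof obj.version !== "number" || !Array.isArray(obj.granted)) return null;
    return obj;
  } catch {
    return null;
  }
}

// Given the site's tag inventory (each tag labelled with its category),
// return the script URLs that may be loaded under the current consent state.
function tagsToLoad(tags, consent) {
  return tags.filter((t) => isAllowed(t.category, consent)).map((t) => t.src);
}

// The banner must be shown when there is no consent or it predates the policy.
function needsPrompt(consent) {
  return !consent || consent.version !== POLICY_VERSION;
}

// Constructed sample tag inventory, as a site might declare it.
const SAMPLE_TAGS = [
  { src: "/js/session.js", category: "necessary" },
  { src: "/js/preferences.js", category: "functional" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Walk-through on the sample data: a visitor who accepted marketing cookies
// under policy version 1 gets only the session script until they re-consent.
const staleConsent = decodeConsent(JSON.stringify({ version: 1, granted: ["marketing"], ts: 0 }));
const freshConsent = decodeConsent(encodeConsent(["analytics"]));
module.exports = { isAllowed, encodeConsent, decodeConsent, tagsToLoad, needsPrompt, SAMPLE_TAGS, staleConsent, freshConsent };
```

In a real deployment the encoded record would be written to a first-party cookie or localStorage by the banner, and `tagsToLoad` would drive the injection of the `<script>` elements; the point of the example is the decision logic, which fails closed on missing, malformed, or outdated consent.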

  • California has some specific privacy disclosure requirements, such as the right to opt out of having personal information sold or shared. Through a specific link on your website (commonly titled “Do Not Sell or Share My Personal Information”), California consumers are given the right to be informed of how you may sell or share their personal information and to opt out if they wish.

  • A data processing agreement, or DPA, is an agreement between a data controller (such as a company) and a data processor (such as a third-party service provider that works with the data provided by the controller). It sets out the subject matter, duration, nature, and purpose of the processing, the types of personal data and data subjects involved, and the processor’s obligations, such as acting only on the controller’s documented instructions, keeping the data secure, assisting with data subject requests and breach notifications, and flowing the same terms down to any sub-processors.

    A DPA is a key part of complying with the European Union’s GDPR privacy law, which makes such an agreement mandatory (Article 28) whenever a processor handles personal data on a controller’s behalf.

  • EU Representative. Organizations outside the EU that offer goods or services to, or track the behaviour of, individuals in the EU must designate a representative in the EU (GDPR Article 27), unless their EU data processing is only occasional, does not include large-scale processing of sensitive (special category) personal data or criminal conviction data, and is unlikely to result in a risk to individuals.

    EU Data Protection Officer. A Data Protection Officer must be appointed (GDPR Article 37) if the organization’s core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive personal data or criminal conviction data (public authorities must always appoint one). This individual must have expert knowledge of data protection law and practice, must be able to act independently, and must report to the highest level of management.

    Data Protection Impact Assessment under GDPR. Where a type of data processing, in particular using new technologies, is likely to result in a high risk to data subjects, the controller must first carry out an assessment of the impact of the processing (GDPR Article 35). This is known as a “data protection impact assessment”.

    Specifically, a data protection impact assessment is required in the case of:

    • A systematic and extensive evaluation of personal data based on automated processing, including profiling;

    • Processing on a large scale of sensitive categories of data or of personal data relating to criminal convictions and offences; or

    • A systematic monitoring of a publicly accessible area on a large scale (e.g., public spaces).

  • A Data Retention and Destruction Policy is an internal policy document for your organization. It explains how long you will keep data, when it must be kept (for example, if you have an ongoing lawsuit then the information must be held and segregated to support your legal defense), how it must be securely stored, approvals and procedures for deleting data, and other important instructions about data retention.

 

How I Approach Privacy.

  • I work with companies to do a full privacy legal assessment. That sounds great on paper, but what does it actually mean?

    • Product demonstration: I start with going through a demo of your products and services to understand two things. First, what does an administrator, insider, or backend user see about an individual customer. Second, what do I see when I pretend to be your customer (e.g., what disclosures are put in front of me and what information am I asked to give).

    • Tech stack and data practices: I meet with your software developers and information technology team members to understand how you collect data, what you use it for, where it’s stored, how it’s processed, how it’s transferred and where it moves to, and what derivatives you make out of it (for example, aggregate data and benchmarking data products).

    • Sales and marketing: I get an overview of your sales and marketing practices and how they use personal information.

    • Product team: I talk with your product development team to understand what new features you might have coming out for your software, apps, or other products and services so we’re thinking ahead about privacy and not just reactively.

    • Everything is completely confidential: As your lawyer, everything we work on together is kept strictly confidential. A lawyer owes the highest possible confidentiality obligation to their client, so you can be comfortable opening up and sharing what’s needed so we set you up for a successful privacy program.

  • Using the full privacy legal assessment we just talked about above, I create a tailored Privacy and Data Security Legal Guide for you.

    The Guide gives your organization and its teams an easy-to-use summary of key privacy legal obligations. For example, the Guide will help your development team to know whether a certain feature or new product presents a privacy legal risk.

    The Guide also serves to satisfy the requirement under some privacy laws to have written policies and instructions for employees and contractors that handle personal information for your organization.

    Lastly, the Guide will be a key resource for your privacy officer. This helps to empower your privacy officer to make sure privacy issues are well understood and attended to throughout the company.

    Here’s what goes into it:

    • Regions: We choose what regions are applicable to you, such as Canada, the European Union (GDPR), the UK, or others.

    • Privacy scope: What is considered personal information and how to identify when privacy, data security, or electronic communications laws apply.

    • Collection and processing: How a company may collect personal information, how that information can be processed internally and externally, and what obligations and liabilities are held by the company versus others.

    • Data Subject Rights: What specific rights do individuals have, such as the right to access personal information held by the company, the right to be forgotten, and rights to data portability.

    • Transfers of Personal Information: How personal information can be transferred to others, such as service providers and cloud storage platforms.

    • Online Privacy: How cookies and other online tracking technologies are treated by privacy laws and what opt-out rights individuals must be given.

    • Security: What your principal data security obligations are, such as pseudonymization, encryption of personal data, security testing requirements, and any guarantees of data restoration in the event of a technical incident.

    • Electronic marketing: When a company can send email and other electronic marketing messages to individuals and what legal elements must be present in those communications.

    • Registration requirements: When a company needs to register with privacy regulators.

    • Privacy officer, data protection officer, and EU representative requirements: When a company needs to appoint a data protection officer or privacy officer, who that person can be, and what responsibilities they have, including any required EU representatives under GDPR.

    • Breach notifications: What are the high-level breach notification responsibilities, such as timelines for notifying impacted individuals and the applicable privacy regulators. Also included is a privacy breach checklist.

  • I create a schedule of standard contractual terms that address privacy obligations, indemnifications, and breach notifications that you can use with your vendors and third-party contractors. The terms are adapted to be dropped into services agreements and other types of contracts as a schedule of standardized terms.

  • Whether you need a complete overhaul of your privacy documents, an update, or just a review to make sure they’re looking okay, I can help get your privacy documents, disclosures, and disclaimers in order.

  • I help organizations understand their breach notification responsibilities, such as timelines for notifying impacted individuals and the applicable privacy regulators. As an example, we can create a privacy breach checklist and action plan so you can respond quickly and appropriately if you ever experience a security incident.

  • I send my clients regular privacy updates through a quarterly update and also let you know of any major developments as they occur.

 
 

Let's Work Together.

Book a free consult or ask me to get in touch with you.

Not wanting to book a meeting? No problem.
Send me a message and I’ll get in touch.