A. When Quebec's data protection law is considered inadequate for Europe.
Privacy Interviews with Experts
July 2014

Eloïse Gratton
Co-Chair, Privacy Practice Group
McMillan LLP
Montreal, Quebec, Canada

Q. When is adequacy never adequate?
A. When Quebec's data protection law is considered inadequate for Europe.

On June 4, 2014, the Article 29 Working Party (the "Article 29WP") released its Opinion 7/2014 in which it provides its recommendations to the European Commission ("EC") on whether the relevant provisions of the Civil Code of Québec and the Quebec Act on the Protection of Personal Information in the Private Sector (the "Quebec DPL") ensure an adequate level of protection for international data transfers in accordance with the EU Data Protection Directive 95/46/EC (the "Directive"). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an adequate level of data protection. In its Opinion, the Article 29WP recommends that the EC not adopt a decision on the adequacy of the Quebec DPL until certain improvements are made to the Quebec DPL.

In light of this decision, Nymity speaks with Eloïse Gratton, a partner and National Co-chair of the Privacy Practice Group at McMillan LLP based in Montreal. Eloïse advises clients from various industries on legal and privacy requirements of new projects, products, practices, programs and technologies, providing strategic national and international privacy and antispam compliance advice and assisting them in crisis management situations (privacy class action lawsuits, security breaches and privacy commissioners' investigations).

Nymity: Are you surprised by this decision?

Gratton: I am extremely surprised with this Opinion.
The European Commission declared Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") adequate in PIPEDA applies to federal works and to commercial activities in every Canadian province, unless the province has enacted legislation that is substantially similar to PIPEDA. The test as to whether or not a provincial statute is substantially similar resides with the Governor in Council, who takes recommendations from the Federal Privacy Commissioner via Industry Canada. Interestingly, Quebec was the first province to be deemed to have substantially similar legislation to PIPEDA. [2] Because the EC declared PIPEDA adequate and the Governor in Council declared the Quebec DPL substantially similar to PIPEDA, the operating assumption in advance of the Opinion was that the Quebec DPL was also adequate, especially given that the Quebec DPL is probably the most stringent data protection law in Canada and provides stronger incentives for compliance.

Nymity: How does the Quebec DPL provide for a stronger incentive for organizations to comply with the law?

Gratton: PIPEDA works on an ombudsman model; this means that any complaints regarding compliance with PIPEDA must be filed with the Federal Commissioner of Canada, which may investigate, report and try to reach a satisfactory solution. However, it cannot issue binding orders. A party that is dissatisfied with the report of the Federal Commissioner may apply to the Federal Court, which has the power to issue binding orders and is not bound by the findings of the Federal Commissioner. Have the federal courts awarded any real damages since PIPEDA came into force? Since 2004, only a few decisions have been issued by the Federal Court, in which, except for one case in 2013 in which the federal court awarded $20,000 (Chitrakar v. Bell, which even included punitive damages), there have been either no damages or small amounts awarded in damages. Even Jennifer Stoddart, former Privacy Commissioner of Canada, recently stated: "The days of soft recommendations with few consequences for non-compliance are no longer effective in a rapidly changing environment where privacy risks are on the rise." [3] She requested reforms that could include: instituting statutory damages (administered by the Federal Court); giving the Commissioner the power to issue orders; affording the Commissioner with the power to impose administrative monetary penalties; or a combination of the above.

In Quebec, two specific types of penalties may apply for non-compliance with the Quebec DPL: an organization acting in contravention of the Quebec DPL is liable to a fine ranging from $1,000 to $50,000, and for subsequent offences, a fine ranging from $10,000 to $100, In addition, administrators, directors or representatives of an organization may be held personally liable for the payment of the fine if they ordered, authorized or consented to the illegal activity. [5] While there has been no trend to issue substantive fines following a breach of the Quebec DPL, the threat of significant fines and D&O liability may be enough to provide the incentive for businesses to comply with the Quebec DPL. Moreover, the risk of reputational damage in cases of breach is much more prominent in Quebec: while findings rendered under PIPEDA will very rarely name the organizations, the Quebec Data Protection Authority, the Commission d'Accès à l'Information du Québec (the "CAI") will not hesitate to name the defaulting organizations in its decisions. The presence of this risk further strengthens the incentive to comply with the Quebec DPL relative to PIPEDA.

[1] European Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council (notified under document number C(2001) 4539).
[2] Quebec's An Act Respecting the Protection of Personal Information in the Private Sector, CQLR c. P-39.1 [Quebec DPL], has been deemed substantially similar to PIPEDA as of December 11,
[3] Jennifer Stoddart, The case for reforming the Personal Information Protection and Electronic Documents Act, May
[4] Quebec DPL at s
[5] See Quebec DPL at s. 93.
Nymity: How is Quebec DPL more stringent than PIPEDA?

Gratton: The Quebec DPL is unquestionably more stringent. To give just a few examples, unlike PIPEDA, the Quebec DPL applies to an organization even if it does not carry on activities that are commercial in nature. The Quebec DPL may, for instance, apply to non-profit organizations, professionals, artisans or agricultural activities, since the definition of enterprise is interpreted very broadly. In addition, the Quebec DPL applies to and regulates the personal information of all employees, whereas PIPEDA only regulates the personal information of employees of federal works, such as banks, telcos, and so on.

Unlike PIPEDA, the Quebec DPL does not recognize an implied form of consent (such as an opt-out mechanism) as valid consent. More specifically, s. 14 of the Quebec DPL provides that consent has to be manifest.

While the definition of personal information found in the Quebec DPL ("information which relates to a natural person and allows that person to be identified") is very similar to the definition given for the same term under PIPEDA ("information about an identifiable individual"), the effective scope of the definition of personal information under the Quebec DPL is broader than PIPEDA. For example, unlike PIPEDA, the definition given in the Quebec DPL does not expressly exclude business contact information from its ambit. [6] Also, in contrast with the IMS ruling under PIPEDA, [7] the Quebec CAI has determined that the work product of a professional (such as a pharmacist or a physician) should be considered personal information relating to that professional. [8] Furthermore, the Quebec DPL, unlike other Canadian private sector data protection statutes, does not include a specific exemption for personal information that may be otherwise publicly available. [9]

Nymity: Is the Quebec DPL also more stringent than PIPEDA for cross-border transfers?

Gratton: I believe so.
The Article 29WP articulated the view that onward transfers should require the use of contractual or other binding provisions to ensure a comparable level of data protection. I don't believe that this is a Quebec issue. Cross-border information transfers are governed by PIPEDA through principle of Schedule 1, which recognizes that personal information may be transferred to third parties for processing. In such cases, PIPEDA requires organizations to use contractual or other means to "provide a comparable level of protection while the information is being processed by the third party."

The Quebec DPL treats cross-border transfers directly at s. 17, which requires that if an organization communicates personal information outside Quebec, it must first take all reasonable steps to ensure that the personal information will not be used for purposes other than the purposes for which the information was collected or communicated to third parties without the consent of the person concerned and that if this requirement can't be met, then the transfer is prohibited. [10] While some have raised the possibility that this could mean an organization would need to evaluate foreign law in order to ensure that it provides the proper protections, [11] there is a consensus that this requirement usually translates at the very minimum into an obligation for the organization to execute a contract that includes the appropriate provisions necessary for the protection of such information prior to transferring personal information outside of Quebec.

In addition, it should be noted that the potential fines are higher in case of non-compliance with s. 17 of the Quebec DPL (which regulates cross-border transfers) than those arising from breaches of other sections. While an organization is subject in case of a breach of the Quebec DPL to a fine ranging from $1,000 to $10,000, or for subsequent offences a fine ranging from $10,000 to $20,000, the fines in case of a breach of the cross-border restrictions of the Quebec DPL instead range from $5,000 to $50,000 and, for a subsequent offence, $10,000 to $100,000. This clearly illustrates how seriously the Quebec DPL takes the protection of personal information in cross-border transfers.

[6] See section 2 of PIPEDA.
[7] See PIPEDA Case Summary #
[8] See the Superior Court's judgment in I.M.S. du Canada Ltée. v. CAI, J.E
[9] PIPEDA has Regulations Specifying Publicly Available Information, SOR/2001-7, which have been in force since 2001 and which exclude certain types of publicly available information. The Alberta and B.C. PIPAs have similar exclusions.
[10] Quebec DPL, at s. 17.

Nymity: Are there any other requirements when transferring personal information outside of Quebec?

Gratton: Yes, the Quebec DPL requires notification upon foreign transfer. While recent decisions of the federal Privacy Commissioner (under PIPEDA) indicate that individuals should be notified if their personal information will be transferred to and/or stored in a foreign country, although their consent is not required, [12] the Quebec DPL is the only Canadian data protection law which specifically requires that individuals be notified of the place where their personal information will be kept. [13] While this provision can be challenging for businesses that wish to go into the cloud, [14] it is yet another clear indication that Quebec has taken the protection of personal information in case of cross-border transfers seriously.

Nymity: What is the issue when dealing with sensitive data?
Gratton: The Article 29WP articulated the view that the security requirement under the Quebec DPL should be strengthened by defining the notion of sensitive information (because the level of security required under the Quebec DPL depends on the sensitivity of the information to be protected).

[11] Karl DELWAIDE, A Review of Some of the Recent Amendments Brought To the Québec Act Respecting the protection of Personal Information in the Private Sector, November 2, 2006, at p. 2: More specifically, in connection with the recent amendment of s. 17, Delwaide states: The effect of this paragraph is not clear. [...] The second interpretation, more restrictive, is to the effect that the foreign jurisdiction's laws must be examined in detail in order to verify if the statutory protection is sufficient in comparison with that provided by the Québec Private Sector Act before any transfer can be made. The author goes on to suggest that perhaps, the individual's consent would not even be sufficient to justify and legitimize a cross-border transfer of personal information to a foreign jurisdiction: Although it is certainly preferable to obtain such a consent (it is certainly better to have one than none), in light of previous decisions by the CAI, it is not clear that such a consent will allow an enterprise to go beyond and around the prohibition to transfer personal information outside Québec of Section 17 of the Quebec DPL.
[12] Under PIPEDA, they need to be notified. See Outsourcing of canada.com services to U.S.-based firm raises questions for subscribers (19 Sept. 2008), PIPEDA case summary # ; Canadian-based company shares customer personal information with U.S. parent (19 July 2006), PIPEDA case summary # ; and Bank's notification to customers triggers PATRIOT Act concerns (19 October 2005), PIPEDA case summary #
[13] Quebec DPL, at s. 8 (3).
[14] Eloïse Gratton, "Dealing with Canadian and Quebec Legal Requirements in the Context of Trans-border Transfers of Personal Information and Cloud Computing Services", Développements récents en droit de l'accès à l'information et de la protection des renseignements personnels, Les 30 ans de la Commission d'Accès à l'Information, Volume 358, Éditions Yvon Blais, November 2012.
First, security provisions in PIPEDA and the Quebec DPL are both extremely similar. [15] This being said, the Quebec DPL also has to be read in conjunction with section 26 of An Act to establish a Legal framework for information technology, [16] which provides for a specific obligation for an organization to actually inform a service provider as to the privacy protection required for a technology-based document. This translates into a stringent obligation for any Quebec organization to actually inform its service provider or partner as to the kinds of security measures the service provider should adopt when handling the organization's technology-based document containing personal information. It bears mentioning in addition that under the Act to establish a Legal framework for information technology, location tracking is prohibited without the consent of the individual, and the collection of biometric information must be immediately reported to the CAI.

Second, on the sensitivity issue, PIPEDA provides at s that "[a]lthough some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context." I do not see how this provides better guidance than the Quebec DPL for identifying those types of information that should be considered sensitive. The Directive lists types of information which should be considered as sensitive because of their nature. I have already criticized this approach elsewhere, [17] and the fact remains that I am not convinced that the EU approach to determining which type of information is sensitive is either workable or realistic, especially in light of the ongoing emergence of new technologies and the amount of information readily available on the web.

Nymity: What are the issues with regard to the territorial scope?
Gratton: The Article 29WP argues in its Opinion that the territorial scope of application of the Quebec DPL in relation to the PIPEDA should be clarified, as the Canadian Privacy Commissioner and the CAI seem to maintain different positions on this issue. The truth is that there has not been any real debate between the application of the Quebec DPL and PIPEDA. For the Quebec DPL to apply, the enterprise must be carried on in the province of Quebec, and local courts have applied broad criteria in determining this fact. For example, in Institut d'assurance du Canada v. Guay, [18] the Court of Quebec ruled that the CAI had rightfully considered that the Insurance Institute of Canada, a nonprofit and educational organization, carried on an enterprise in Quebec since it sold course materials and offered examination and correction services in Quebec (although the Institute had its head office in Ontario, had no place of business in Quebec, and did not hold documents containing personal information in Quebec).

All this to say that given the fact that the Quebec DPL is far reaching, organizations don't fall through the cracks because of our different Canadian laws. Instead, when in doubt as to the existence or extent of a potential overlap in applicable laws, organizations will ensure that they comply with the most stringent data protection requirements which may apply to them. I also think that this territorial issue should have probably been addressed at the time that the European Commission evaluated PIPEDA and declared it adequate back in 2001, especially given that the Quebec DPL has already been in effect for eight years.

[15] Under PIPEDA schedule 1, principle , the nature of the security safeguards which an organization must use to protect personal information will vary depending on the sensitivity of the information and more sensitive information should be safeguarded by a higher level of protection. Similarly, under s. 10 of the Quebec DPL, there is a similar security requirement under which the security measures necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed have to be reasonable given the sensitivity of the information.
[16] CQLR c. C
[17] Eloïse GRATTON, Understanding Personal Information: Managing Privacy Risks, LexisNexis, 2013, 515 pages, at p. 141 and following S Pre-determined Categories of Sensitive Data Challenged.
[18] REJB (C.Q.).

Nymity: Why would Quebec want to seek adequacy?

Gratton: Quebec definitely wants to seek adequacy because jurisdictions that don't qualify as being adequate under the Directive may have a more difficult time dealing with the EU, if and when managing personal information from EU citizens. In the context of free trade discussions between Europe and Canada, where Quebec is one of the major economic actors, it is definitely critical that Quebec organizations be able to transfer personal information without any problems.

Nymity: What are the anticipated next steps?

Gratton: Following the Article 29WP Opinion, the Article 31 Committee will need to provide an approval which must be adopted by the Commission before Quebec can be recognized as adequate. To date, the Commission has recognized the adequacy of Canada's PIPEDA which, in my view, is not as stringent as the Quebec DPL. This makes me wonder about the accuracy of their methodology for assessing the adequacy of a foreign data protection law. I also believe that the critical analysis of other jurisdictions' laws, when undertaken in isolation, can be counterproductive; the Article 29WP Opinion would be more evidently solutions-oriented if it offered substantial recommendations or guidance in parallel with its criticisms. We should all be working together to ensure that our current data protection regime will survive and remain relevant in the near future because, let's face it, there are already many challenges with our current notice and choice model.
Nymity: Do you believe that the Quebec DPL needs to be updated at all?

Gratton: Definitely. If the Quebec legislator will be going back to the drawing board, he/she might as well also address the real challenges that we have with the Quebec DPL. To begin with, the Quebec DPL does not provide for a business transaction exception needed to facilitate business transactions at the due diligence and closing stages as the Alberta and B.C. PIPA (Personal Information Protection Acts) have enacted. [19] Moreover, the CAI recommended the inclusion of mandatory security breach reporting in both its public sector and private sector data protection laws in its Quinquennial Report entitled "Technology and Privacy, in a Time of Societal Choices". We still haven't seen any amendments on this issue.

In addition, the Quebec DPL provides for specific exemptions for the communication of nominative lists at s. 22 to 26 of the Quebec DPL. A nominative list is defined as "a list of names, telephone numbers, geographical addresses of natural persons or technological addresses where a natural person may receive communication of technological documents or information." [20] This portion of the Quebec DPL (s. 22 to s. 26) may contradict, to a certain extent, the new Canadian Anti-Spam Law which came into force on July 1st. I believe it is something that the legislator should examine further.

[19] Since in the 2002 Gérald Desjardins c. Groupe Lyras Godard PV AZ , the CAI has confirmed its position that the consent of customers should be obtained prior to disclosing their personal information in the context of a business transaction. To be compliant with this ruling, one may argue that Quebec customers and employees should be asked for their consent through an opt-in (i.e. manifest consent) process prior to disclosing their personal information to a potential buyer.
[20] See s. 22 of the Quebec DPL.

These interviews are provided by Nymity as a resource to benefit the broader privacy community. The interviews represent the points of view of the interview subjects and Nymity makes no guarantee as to the accuracy of the information. Errors or inconsistencies may exist or may be introduced over time as material becomes dated. None of the foregoing is legal advice. If you suspect a serious error, please contact research@nymity.com.

Copyright 2014 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual property of Nymity Inc. unless otherwise indicated. Reproduction, modification, transmission, use, or quotation of any content, including text, images, photographs etc., requires the prior written permission of Nymity Inc. Requests may be sent to research@nymity.com.
More informationMANUFACTURE AND SALE OF GOODS
Regulations and Product Standards 61 Consumer Protection 62 Product Liability 63 By Caroline Zayid Manufacture and Sale of Goods 61 Regulations and Product Standards The Canada Consumer Product Safety
More informationFood Law and Due Diligence Defence
The Society of Food Hygiene and Technology INTRODUCTION This document explains the general requirements of food law and covers the main EC and UK legislation on food imports and exports, safety, traceability,
More informationData Protection Working Group. Final Report on the Draft Data Protection Bill
Data Protection Working Group Final Report on the Draft Data Protection Bill Background In August 2009, upon a request from the Hon. Attorney General, the Governor-in-Cabinet established a Data Protection
More informationTransferring Personal Information about Canadians Across Borders Implications of the USA PATRIOT Act
Office of the Commissariat Privacy Commissioner à la protection de of Canada la vie privée du Canada Transferring Personal Information about Canadians Across Borders Implications of the USA PATRIOT Act
More informationINDIVIDUAL CLIENT AGREEMENT AGILITY FOREX LTD INDIVIDUAL CLIENT AGREEMENT
INDIVIDUAL CLIENT AGREEMENT INDIVIDUAL CLIENT AGREEMENT The following terms and conditions apply to individuals who are transacting: for their own account, as a sole proprietor of a business, as a trustee
More informationCommunity Housing Providers (Adoption of National Law) Bill 2012
Passed by both Houses [] New South Wales Community Housing Providers (Adoption of National Law) Bill 2012 Contents Part 1 Part 2 Preliminary Page 1 Name of Act 2 2 Commencement 2 3 Objects of Act 2 4 Definitions
More informationFactsheet on the Right to be
101010 100101 1010 101 Factsheet on the Right to be 100 Forgotten ruling (C-131/12) 101 101 1) What is the case about and what did 100 the Court rule? 10 In 2010 a Spanish citizen lodged a complaint against
More informationINFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013
INFORMATION SECURITY GUIDE Cloud Computing Outsourcing Information Security Unit Information Technology Services (ITS) July 2013 CONTENTS 1. Background...2 2. Legislative and Policy Requirements...3 3.
More informationProcessor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
More informationAn overview of UK data protection law
An overview of UK data protection law Our team Vinod Bange Partner +44 (0)20 7300 4600 v.bange@taylorwessing.com Graham Hann Partner +44 (0)20 7300 4839 g.hann@taylorwessing.com Chris Jeffery Partner +44
More informationCOAG National Legal Profession Reform Discussion Paper: Trust money and trust accounting
COAG National Legal Profession Reform Discussion Paper: Trust money and trust accounting Purpose The purpose of this Paper is to outline the Taskforce s preferred approach to regulation of trust money
More informationTrust and transparency. Small Business, Enterprise and Employment Bill: Trust and transparency
Small Business, Enterprise and Employment Bill: 1 Government proposals to increase transparency of ownership and control of UK businesses came a step closer on 25 June 2014 with the publication of the
More informationInsurance Journal. Defending Until the End When Does the Duty to. Volume 1, Issue 3 Editor Keoni Norgren. May 1, 2013
Insurance Journal May 1, 2013 In this Issue Volume 1, Issue 3 Editor Keoni Norgren Defending Until the End When Does the Duty to Defend End? Cyber Liability Laws in Canada Dolden Wallace Folick Welcomes
More informationCloud Computing: Privacy & Jurisdiction from a Canadian Perspective
Cloud Computing: Privacy & Jurisdiction from a Canadian Perspective Professor Michael Geist Canada Research Chair in Internet and E-commerce Law University of Ottawa, Faculty of Law Cloud Computing - Canada
More informationData Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005
Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad Toronto, Ontario June 14, 2005 Outsourcing Update: New Contractual Options and Risks Lisa K. Abe June 14, 2005
More informationMONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY
MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency
More informationManaging the message Canada s new anti-spam law sets a high bar
Managing the message Canada s new anti-spam law sets a high bar According to a recent Deloitte poll, only 13% of organizations say they understand CASL requirements and have begun to apply them to their
More informationNewsletter No. 194 (EN) Directors and Officers (D&O) Liability Insurance in Hong Kong
Newsletter No. 194 (EN) Directors and Officers (D&O) Liability Insurance in Hong Kong December 2015 All r ig ht s r e ser ved Lo r e nz & P art ner s 2015 Although Lorenz & Partners always pays great attention
More informationSAMPLE RETURN POLICY
DISCLAIMER The sample documents below are provided for general information purposes only. Your use of any of these sample documents is at your own risk, and you should not use any of these sample documents
More informationDATA PROTECTION POLICY
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
More informationThe National Library of Ireland Terms of Use of Material made available on registers.nli.ie
The National Library of Ireland Terms of Use of Material made available on registers.nli.ie PLEASE READ THE FOLLOWING TERMS AND CONDITIONS CAREFULLY. THESE SET OUT THE BASIS UPON WHICH YOU ARE PERMITTED
More informationtechnical factsheet 176
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
More informationHow To Ensure Health Information Is Protected
pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health
More informationLaw Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario
PRIVACY COMPLIANCE ISSUES FOR LAW FIRMS IN ONTARIO By Sara A. Levine 1 Presented at Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario Ontario Bar Association, May 6,
More informationDaltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual
Daltrak Building Services Pty Ltd ABN: 44 069 781 933 Privacy Policy Manual Table Of Contents 1. Introduction Page 2 2. Australian Privacy Principles (APP s) Page 3 3. Kinds Of Personal Information That
More informationVoter Contact Registry
Voter Contact Registry How to contact Canadians the right way This Guidebook is for general information only. You should always seek independent legal advice for any specific problem or issue. Respecting
More informationSCHEDULE "C" ELECTRONIC MEDICAL RECORD INFORMATION EXCHANGE PROTOCOL
SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING AMONG ALBERTA HEALTH SERVICES, PARTICIPATING OTHER CUSTODIAN(S) AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION) ELECTRONIC MEDICAL RECORD INFORMATION
More informationCASL Compliance: A Primer on Canada's Anti-Spam Legislation. Whitepaper by David O. Klein, Esq.
CASL Compliance: A Primer on Canada's Anti-Spam Legislation Whitepaper by David O. Klein, Esq. Part 1 Will Your Marketing Campaign Be the Target of a Class Action Lawsuit or Regulatory Investigation for
More information(a) the kind of data and the harm that could result if any of those things should occur;
Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data
More informationThe Data Protection Landscape. Before and after GDPR: General Data Protection Regulation
The Data Protection Landscape Before and after GDPR: General Data Protection Regulation Data Protection regulations across Europe Current regulations & guidance European Directives 95/46/EC (Data Protection)
More informationPrivacy & Data Security: The Future of the US-EU Safe Harbor
Privacy & Data Security: The Future of the US-EU Safe Harbor NAOMI MCBRIDE, LISA J. SOTTO AND BRIDGET TREACY, HUNTON & WILLIAMS LLP, WITH PRACTICAL LAW US INTELLECTUAL PROPERTY & TECHNOLOGY AND UK IP&IT
More informationTerms of Use & Privacy Policy
Terms of Use & Privacy Policy These terms and conditions apply to your access and use of the Registration website and the Live Streaming website to UOB Privilege Conversations Live Webcast(collectively
More informationInsights and Commentary from Dentons
dentons.com Insights and Commentary from Dentons On March 31, 2013, three pre-eminent law firms Salans, Fraser Milner Casgrain, and SNR Denton combined to form Dentons, a Top 10 global law firm with more
More information235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions
English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June
More informationCOMPUTER SOFTWARE AS A SERVICE LICENSE AGREEMENT
COMPUTER SOFTWARE AS A SERVICE LICENSE AGREEMENT This Agreement is binding on the individual and the company, or other organization or entity, on whose behalf such individual accepts this Agreement, that
More informationThe Cloud and Cross-Border Risks - Singapore
The Cloud and Cross-Border Risks - Singapore February 2011 What is the objective of the paper? Macquarie Telecom has commissioned this paper by international law firm Freshfields Bruckhaus Deringer in
More informationACOT WEBSITE PRIVACY POLICY
ACOT WEBSITE PRIVACY POLICY Our commitment to privacy acot.ca (the Website ) is a website owned and operated by The Alberta College of Occupational Therapists ( ACOT ), also referred to as we, us, or our
More informationThe Manitoba Child Care Association PRIVACY POLICY
The Manitoba Child Care Association PRIVACY POLICY BACKGROUND The Manitoba Child Care Association is committed to comply with the legal obligations imposed by the federal government's Personal Information
More informationSAMPLE BACKGROUND CHECK POLICY CANADA
SAMPLE BACKGROUND CHECK POLICY CANADA 1 CONTENTS: 1. Purpose... 2 2. Scope... 2 3. Background Check Vendor... 2 4. Notice to Applicants and Employees... 2 5. Informed Consent... 2 6. Required Background
More informationOverview of the Impact of the Privacy Reforms on Credit Reporting
Overview of the Impact of the Privacy Reforms on Credit Reporting June 2012 Andrew Galvin, Partner 1 OVERVIEW 1.1 Credit Reporting Reform - Background When initially passed, the Privacy Act 1988 essentially
More informationMemorandum of Understanding ( MOU ) Respecting the Oversight of Certain Clearing and Settlement Systems. among:
March 19, 2014 Memorandum of Understanding ( MOU ) Respecting the Oversight of Certain Clearing and Settlement Systems The Parties hereby agree as follows: among: Bank of Canada (the Bank ) Ontario Securities
More informationCOMMENTARY. Hong Kong Strengthens Its Personal Data. on Direct Marketing JONES DAY
May 2013 JONES DAY COMMENTARY Hong Kong Strengthens Its Personal Data Privacy Laws and Imposes Criminal Penalties on Direct Marketing In 2012 Hong Kong introduced the Personal Data (Privacy) (Amendment)
More informationPRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;
PRIVACY POLICY Our Privacy Commitment Glo Light Pty Ltd A.C.N. 099 730 177 trading as "Lighting Partners Australia of 16 Palmer Parade, Cremorne, Victoria 3121, ( LPA ) is committed to managing your personal
More informationPACIFIC EXPLORATION & PRODUCTION CORPORATION INSIDER TRADING POLICY
PACIFIC EXPLORATION & PRODUCTION CORPORATION INSIDER TRADING POLICY Introduction: Pacific Exploration & Production Corporation (the Corporation ) encourages all employees to become shareholders on a long-term
More informationPARLIAMENTARY RESEARCH BRANCH DIRECTION DE LA RECHERCHE PARLEMENTAIRE
PRB 99-38E INSIDER TRADING Margaret Smith Law and Government Division 22 December 1999 PARLIAMENTARY RESEARCH BRANCH DIRECTION DE LA RECHERCHE PARLEMENTAIRE The Parliamentary Research Branch of the Library
More informationBLACKBERRY AUTHORIZED ONLINE RETAILER BLACKBERRY HANDHELD REPAIR SERVICE TERMS AND CONDITIONS
BLACKBERRY AUTHORIZED ONLINE RETAILER BLACKBERRY HANDHELD REPAIR SERVICE TERMS AND CONDITIONS THESE BLACKBERRY AUTHORIZED ONLINE RETAILER BLACKBERRY HANDHELD REPAIR SERVICE TERMS AND CONDITIONS (THIS AGREEMENT
More informationCorporate Policy. Data Protection for Data of Customers & Partners.
Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing
More informationSTATEMENT FROM THE CHAIRMAN
STATEMENT FROM THE CHAIRMAN In an ever-changing global marketplace, it is important for all of us to have an understanding of the responsibilities each of have in carrying out day-to-day business decisions
More informationBy Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN
Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the
More informationDO NOT DIVULGE DETAILS OF THIS MONEY TRANSFER TO A THIRD PARTY.
Disclaimers 1) If the exchange rate for your transaction was determined at the time you sent the money, the currency to be paid out and the exchange rate are listed on your receipt. Otherwise, the exchange
More informationUSER AGREEMENT FOR: ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY
USER AGREEMENT FOR: ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY CONDITIONS OF USE FOR ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY Between: the Commonwealth of Australia, acting
More informationLiability of Volunteer Directors of Nonprofit Corporations (10/02)
Liability of Volunteer Directors of Nonprofit Corporations (10/02) This memorandum addresses the California and federal law protections that exist to shield volunteer directors of nonprofit corporations
More informationAlign Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:
More informationINDEPENDENT CONTRACTOR AGREEMENT THE UNIVERSITY OF MANITOBA. (the University ) - and - (the Contractor )
CAR Form No. I ICA Contract No. INDEPENDENT CONTRACTOR AGREEMENT AGREEMENT made as of the most recent date set out on page 6 hereof. BETWEEN: THE UNIVERSITY OF MANITOBA (the University ) - and - (the Contractor
More informationB2B Business Relations and Consent Requirements under the New Canadian Anti-Spam Law
January 2014 Privacy Bulletin B2B Business Relations and Consent Requirements under the New Canadian Anti-Spam Law Last month, the Minister of Industry announced that Canada's new Anti-Spam legislation
More informationMISLEADING ADVERTISING GUIDE
MISLEADING ADVERTISING GUIDE Complying with The Competition Act CREA THE CANADIAN REAL ESTATE ASSOCIATION Table of Contents Introduction...............................................2 What is Misleading
More informationTERMS AND CONDITIONS FOR THE USE OF THE WEBSITE AND PRIVACY POLICY
TERMS AND CONDITIONS FOR THE USE OF THE WEBSITE AND PRIVACY POLICY 1. Trademarks-Intellectual Property Rights Sensus Capital, a brand of GBE Safepay Transactions Ltd (hereinafter called the Company or
More information