MT>3
  • Home
  • About
  • People
  • Services
    • e-Discovery
    • Managed Review
    • Information Governance
    • Due Diligence
  • Blog
  • News
  • Contact

CPPA - How companies will need to manage their information

19/11/2020

0 Comments

 
On November 17th Navdeep Bains, the Minister of Innovation, Science and Industry, introduced Bill C-11, the Digital Charter Implementation Act, 2020. Bill C-11 seeks to modernize Canadian privacy legislation through the introduction of the new Consumer Privacy Protection Act (“CPPA”) and the creation of a new enforcement tribunal through the Personal Information and Data Protection Tribunal Act (“PIDPT”). This represents a significant overhaul of the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”) that governs privacy in the private sector.

The proposed legislation introduces new record keeping and data management concerns for companies. In particular,
  • All organizations (large or small) are required by s. 9 to implement a “privacy management program” targeting policies, practices and procedures directed at fulfilling their obligations under the CPPA. These policies, practices and procedures must be accessible to the Commissioner (s. 10) and must address (a) protection of personal information; (b) access requests and complaint procedures; (c) training and internal information relating to the policies, practices and procedures; (d) development of external-facing materials. Subsection 9(2) of the CPPA implies that standards will be more rigorous for organizations that collect, use or disclose higher volumes of personal information or more sensitive forms of personal information.
  • New record keeping obligations are imposed by ss. 12 (3) and (4), which require companies to document the purposes for which personal information is collected, used, or disclosed, and to continually update this if new purposes arise.
  • Sections 13 and 14 restrict organizations to collecting only that personal information that is “necessary for the purposes determined and recorded under subsection 12(3)” unless that collection is the subject of an exception principle under the CPPA.
  • Section 60 continues the PIPEDA requirement to “keep and maintain a record of every breach of security safeguards involving personal information under its control”, even if the breach did not meet a reporting threshold.
  • Section 71(3) requires the keeping of a recording of disagreement with regard to amendment of personal information.
  • Section 122(1)(k) permits regulations to be created respecting record-keeping and reporting obligations of an entity that operates an approved certification program, including obligations to provide reports to the Commissioner in respect of an approved certification program.

Beyond these sections, Data data management will also be impacted by the rights to data portability (the right to transfer personal information from one organization to another) and data disposal (the right to request permanent deletion of personal information), as well as the new data de-identification obligations, particularly as applied to the sharing of information in prospective business transactions.

When the Bill is passed, it will be crucial for companies to review their privacy practices and data governance plans. These changes come with teeth – the maximum penalty for violations is the higher of $25,000,000 or 5% of the organization’s gross global revenue. This is notably higher than the 4% maximum penalty imposed by the EU General Data Protection Regulation (“GDPR”), and on par with the recent draft Personal Data Protection Law in China.

Being able to identify and locate personal information, and automating this process, will be the key to ensuring compliance with these new laws. Contact MT>3 (Susan Wortzman or Gordon Lee) to discuss how to plan and update your data governance strategies and learn more about the technological tools that exist to help this process.
 
For more analysis on the new Bill and its changes, please see the McCarthy Tétrault TechLex blog post: Hello CPPA & PIDPT: The Federal Government Proposes Dramatic Evolution of PIPEDA. 

Susan Wortzman, Daniel Glover, G​ordon Lee 

0 Comments

Who's Who Legal Recognizes MT>3

23/10/2020

 
Who's Who Legal recognized three MT>3 e-Discovery practitioners as part of the Canada 2020 national guide: Susan Wortzman, Chuck Rothman and Michael Lalande. Special congratulations to Michael Lalande for his addition to this list. WWL: Canada pinpoints the most highly regarded firms and individuals in the country.
With three e-Discovery practitioners listed, MT>3 is the most recognized Canadian e-Discovery firm for 2020.

Cyber breaches - part of living in the 21st century? Part 2

30/7/2020

 
GEDmatch is an online service to compare DNA data files from different testing companies such as My Heritage. GEDmatch was notably used by law enforcement to identify a suspect in the Golden State Killer case in California in 2018.
 
On July 22, 2020, GEDmatch experienced a security breach orchestrated through a sophisticated attack on one of their servers via an existing user account. As a result of this breach, all user permissions were reset, making all profiles visible to all users and users who did not opt-in for law enforcement matching were available for law enforcement matching.
 
This is yet another way that thieves targeting the more vulnerable “armoured car” instead of the bank to leak data.
 
Contact us to learn more about how to protect your organization's data from both direct and indirect data breaches.

Michael Lalande, e-Discovery Associate

​​

<<Previous

    Categories

    All
    Artificial Intelligence
    Blockchain
    Cyber Security
    E Discovery
    Information Governance
    Legaltech
    Privacy
    Social Media
    Technology


    Archives

    November 2020
    October 2020
    July 2020
    June 2020
    April 2020
    March 2020
    February 2020
    January 2020
    November 2019
    October 2019
    September 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    May 2018
    April 2018
    March 2018
    September 2017
    August 2017
    February 2017
    January 2017
    December 2016
    November 2016
    October 2016
    September 2016
    August 2016
    July 2016
    June 2016
    May 2016
    April 2016
    March 2016
    February 2016
    January 2016
    December 2015
    November 2015
    October 2015
    September 2015
    August 2015
    July 2015
    June 2015
    May 2015
    April 2015
    March 2015
    February 2015
    January 2015
    December 2014
    November 2014
    October 2014
    September 2014
    August 2014
    July 2014
    June 2014
    May 2014
    April 2014
    March 2014
    February 2014
    January 2014
    December 2013
    November 2013
    October 2013
    September 2013
    August 2013
    July 2013
    June 2013
    May 2013
    April 2013
    March 2013
    February 2013
    January 2013
    December 2012
    November 2012
    October 2012
    September 2012
    August 2012
    July 2012
    June 2012
    April 2012
    March 2012
    February 2012
    January 2012
    December 2011
    November 2011
    October 2011
    September 2011
    August 2011
    June 2011
    April 2011
    March 2011
    February 2011
    January 2011
    December 2010
    November 2010
    October 2010
    September 2010
    August 2010
    July 2010
    June 2010
    May 2010
    March 2010
    February 2010
    January 2010
    October 2009
    September 2009
    August 2009
    December 2008
    March 2008
    November 2007
    October 2007

130 Adelaide Street West Suite 2020
Toronto, Ontario M5H 3P5
​ ​
t: 416-642-2220  
tf: 1-877-642-2220  
f: 416-642-9021

Contact MT>3
@MT>3 2018. All Rights Reserved
Picture

Privacy Policy and Terms of Use

  • Home
  • About
  • People
  • Services
    • e-Discovery
    • Managed Review
    • Information Governance
    • Due Diligence
  • Blog
  • News
  • Contact