Stephen Whitney Slides:
On January 28, 2016, Canada, along with many countries, will celebrate Data Privacy Day. Recognized by privacy professionals, corporations, government officials, academics and students around the world, Data Privacy Day highlights the impact that technology is having on our privacy rights and underlines the importance of valuing and protecting personal information.
MaRS Discovery District and Privacy Horizon have teamed up to offer this special program for entrepreneurs and startup companies. Learn what you need to know to turn privacy into a competitive advantage.
The Start-Up’s Guide to Privacy - MaRS Best Practices
1. The Start-up’s Guide to Privacy at MaRS:
Legal Basics & Does Privacy Matter?
Stephen Whitney
Of Counsel
Norton Rose Fulbright Canada LLP
January 28, 2016
2. Agenda
Privacy Legislation in Canada
Comments on International Privacy Laws
What To Know About Your Privacy Practices
Does Privacy Matter?
3. Privacy Legislation in Canada
A. Federal Legislation
• PIPEDA - The Personal Information Protection and Electronic
Documents Act
PIPEDA applies across the country but for private companies
that primarily operate in a single province, PIPEDA will not
apply where the province has already enacted similar provisions
to PIPEDA and the business fits within the scope of the
provincial legislation.
4. Recommended Reading:
Privacy Toolkit
A Guide for Businesses and Organizations
Canada's Personal Information Protection and Electronic Documents Act
https://www.priv.gc.ca/information/pub/guide_org_e.pdf
5. PIPEDA and Digital Health
PIPEDA does not impose special obligations on digital health
companies.
Under s. 30(1.1), the Act states that the duties imposed on the use of
personal information in the private sector:
…does not apply to any organization in respect of personal health
information that it collects, uses or discloses within a province …
unless the organization … discloses the information outside
the province … .
6. Privacy Legislation in Canada
B. Some of the Provincial Legislation Includes:
• British Columbia (Personal Information Act);
• Alberta (Personal Information Protection Act);
• Quebec (An Act Respecting the Protection of Personal Information
in the Private Sector);
• Ontario (Personal Health Information Protection Act);
• New Brunswick (Personal Health Information Privacy and Access
Act); and
• Newfoundland and Labrador (Personal Health Information Act).
7. Comments on International Privacy Laws
• International privacy laws are often similar, but not identical.
• Typically based off of privacy principles.
• International privacy compliance is very challenging!
• The result is often a risk assessment of how to approach
privacy.
• Do you have one approach globally or can you customize your
approach for unique country requirements?
8. Some important things to know about your privacy practices include:
• Sector
• Target audience
• Countries
• Business model
• Operational procedures
What To Know About Your Privacy Practices
9. More specifically, for operational procedures it is important to know:
• What personal information and other information does the company collect
from the user of its products and services, website, apps, etc. and what is
the context?
• Account and membership information?
• Unique identifiers?
• Information from children under 18 or under 13 years of age?
• Information about applications used on computer/device?
• Third party offerings (i.e. products, services, software, websites or content
provided by a third party)?
• Cookies or similar technologies?
What To Know About Your Privacy Practices (cont)
10. • Financial information?
• Does the company process online payments?
• Are the payments processed by the company or a third party payment
processor?
• What other financial information, if any, is collected?
• Does the company track the purchase history of customers?
• General usage data?
• Location information?
• Quality assurance and customer service?
• Health information?
• Other?
What To Know About Your Privacy Practices (cont)
11. • For what purposes does the company use the personal information it
collects?
• billing, activation, provision, maintenance, support, troubleshooting, resolving of
disputes, deactivation, repair, refurbishment, replacement, upgrade or update of
offerings
• to manage or respond to your inquiries
• to develop new and enhance existing offerings including to communicate with you
about them using various means
• to manage and develop your business and operations
• to meet legal and regulatory requirements and to respond to emergency situations
• Does the company use sales information?
• Do you send marketing communications (for example, emails)?
What To Know About Your Privacy Practices (cont)
12. • To whom does the company disclose the personal information?
• Affiliates, Service Providers, Third Parties, Other?
• Do you send any of the personal information you collect to other
countries?
• Data Retention
• Where is it stored?
• How long is it kept?
• When and how is it destroyed? Made anonymous?
• Security
• Adequate protections implemented?
• Encryption used? At rest and in transit?
What To Know About Your Privacy Practices (cont)
13. • Do you obtain consent? When, where, how? If yes, what does the consent say?
• Consent by layers
• Terms and conditions
• Privacy policy
• Notices
• Reminders/Icons
What To Know About Your Privacy Practices (cont)
14. Discussion based off of Prof. Michael Sandel’s
keynote at IAPP
• Uber
• Connected Cars
• Email Providers
Does Privacy Matter?
15. Stephen Whitney
Of Counsel
Norton Rose Fulbright Canada LLP / S.E.N.C.R.L., s.r.l.
51 Breithaupt Street, Suite 100
Kitchener, Ontario N2H 5G5 Canada
OR
Royal Bank Plaza, South Tower, Suite 3800
200 Bay Street, P.O. Box 84, Toronto, ON M5J 2Z4 Canada
T: +1 226.868.9125
stephen.whitney@nortonrosefulbright.com
17. Disclaimer
Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP,
each of which is a separate legal entity, are members (‘the Norton Rose Fulbright members’) of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the
activities of the Norton Rose Fulbright members but does not itself provide legal services to clients.
References to ‘Norton Rose Fulbright’, ‘the law firm’, and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose
Fulbright entity/entities’). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is
described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or
consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity.
The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright
entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual
contact at Norton Rose Fulbright.