Maintaining robust data protection and privacy protocols is critical to the development and reputation of international franchise systems. Data breaches disrupt business operations, devastate the goodwill and reputation of a franchise brand, and often result in an inordinate degree of legal liability. In a landscape of ever-increasing privacy law regulation and scrutiny, it is imperative that franchisors develop and implement adequate policies and programs to ensure that their franchise systems safeguard personal information in compliance with applicable legal and regulatory requirements.
In Canada, data protection and privacy are governed by a complex legal and regulatory framework. This post focuses on the foundational elements of the statutory framework governing the protection of personal information within the Canadian private sector and, while there are a number of statutes, of particular importance is the Personal Information Protection and Electronic Documents Act (“PIPEDA“). PIPEDA is the federal legislation that applies to protection of, among other things, personal information that is collected, used and disclosed in the course of commercial activities in all Canadian provinces and territories that have not enacted substantially similar legislation, as well as to all international and interprovincial processing of personal information in the course of commercial activities.
Currently, Alberta, British Columbia and Quebec have enacted substantially similar legislation (as have some other provinces for the health sector only) and, as such, the provincial legislation generally applies in place of PIPEDA within those provinces.
At a high level, PIPEDA and the substantially similar statutes require the following implicit and explicit accountability and security obligations.
- Businesses are responsible for personal information in their possession or under their control, and must designate an individual or individuals who are accountable for compliance with the principles set out in Schedule 1 of PIPEDA.
- Security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which it is held.
- The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, format of the information, and the method of storage. More sensitive information must be safeguarded by a higher level of protection.
- The methods of protection include (a) physical measures – eg, locked filing cabinets and restricted access to offices; (b) organizational measures – eg, security clearances and limiting access on a “need-to know” basis; and (c) technological measures – eg, the use of passwords and encryption.
Beyond the above basic principles and obligations in PIPEDA, there are additional specific sets of requirements for businesses operating in particular industries such as financial institutions and “healthcare custodians” together with other legislation for specific businesses activities such as marketing and advertising.
Trend Insight: Recent amendments to PIPEDA require organizations to report data breaches to the privacy commissioner and notify affected individuals in certain circumstances. Knowingly contravening the reporting, notification and record-keeping provisions can attract a fine of up to $100,000.
New Reporting and Notification Requirements
In order to trigger the reporting and notification requirement, an organization must determine that:
A breach has occurred. A “breach of security safeguards” includes the loss, unauthorized access to or unauthorized disclosure of personal information resulting from (i) a breach of an organization’s security safeguards and/or (ii) the organization’s failure to establish those safeguards.
It is reasonable to believe that the breach creates a real risk of significant harm. The number of individuals impacted does not matter. As long as there is a real risk of significant harm to even one individual, the organization is obliged to report the breach. PIPEDA defines “significant harm” to broadly include, without limitation, bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property.
Organizations should also be aware that the requirements to safeguard personal information vary depending on the sensitivity of the information at issue. For example, cloud storage of personal information is not always problematic for Canada. However, in the context of cannabis transactions, the identity of cannabis users may be considered particularly sensitive since cannabis is illegal in most jurisdictions outside of Canada. Cannabis retailers should therefore be mindful of the risks associated with storing data in the cloud, since this may include the transfer or storage of personal information outside of Canada, and such information could then potentially be accessed by foreign law enforcement. Therefore, it may be necessary for cannabis retailers to consider storing personal information on a server located in Canada in order to ensure compliance with Canadian privacy laws, unless the information will be encrypted and the cloud provider will not have access to the encryption key.
The above points are just a summary of the elementary aspects of PIPEDA that apply to data protection. Importantly, failure to understand the more comprehensive Canadian legal and regulatory framework, including failure to take active steps to reduce risks as required (or the impact of such risks when they materialize), can have serious legal and financial consequences. In particular, following a data breach it is common for class action lawsuits to be filed against the company that failed to protect the personal information, with plaintiffs claiming exorbitant damages in some cases (eg, over $750 million for the highly publicized Ashley Madison breach).
Best Practice Recommendations
We recommend that franchisors operating in Canada, or contemplating Canadian expansion, undertake the following:
- Carefully consider the nature and extent of the obligations imposed on the franchisor and its franchisees, and keep abreast of the rapidly evolving Canadian regulatory framework.
- Develop and implement policies, protocols, and programs based on the respective obligations determined from the above analysis, and be intentional about ensuring that all parties strictly comply with same. There are a number of resources and tools available to assist including: (a) PIPEDA self-assessment tool for organizations to evaluate their overall compliance with PIPEDA, (b) Security obligations self-assessment tool, (c) Breach Reporting Guidelines.
- Ensure that franchise agreements contain specific data protection provisions addressing matters such as the following.
- How personal information will be collected, stored, used and disclosed by franchisees and the franchisor.
- The franchisor’s access rights to such information (both while the franchisee remains within the franchise system and thereafter).
- Addressing potential restrictions on the transfer of such information across Canadian borders.
- Appropriate levels of safeguards to be maintained with respect to such information.
- The allocation of responsibilities between the franchisor and the franchisee for compliance with data protection and privacy laws, and the consequences for failure to comply with those obligations.
To receive further information or resources on franchise expansion into Canada, please email me. Stay tuned for our next post in the Franchise Expansion into Canada Series.
This post is published to inform clients and contacts of important developments in the field of franchise and distribution law. The content is informational only and does not constitute legal or professional advice. We encourage you to consult a McMillan lawyer if you have specific questions or concerns relating to any of the topics covered here.