An Evolving Regulatory Landscape

Regulatory requirements in Canada have wide-reaching effects for business and will continue to ramp up, potentially impacting cross-border competitiveness

Ask in-house counsel and other business leaders what keeps them up at night and they will more than likely say that the growing regulatory and compliance burden has become the number-one thing that consumes their thoughts, especially as they relate to cross-border business and the ability to protect their organizations from harm.

As one in-house counsel remarked recently, “Change is often good, but politics continues to get in the way of a stable business climate.”

As businesses try to grow and innovate, it seems government finds more ways to complicate life and raise issues around risk mitigation. We look at three areas of regulatory compliance that remain a top concern for in-house counsel and the business units they serve.

1. CASL still vexing companies

Those in charge of ensuring compliance around Canada’s Anti-Spam Legislation (CASL) drew a collective deep breath and exhaled hard on June 7, 2017, as the federal government issued an order-in-council delaying the coming into force date of CASL’s proposed private right of action (PRA) until completion of a parliamentary review.

The suspension was issued “in order to promote legal certainty for numerous stakeholders claiming to experience difficulties in interpreting several provisions of the Act while being exposed to litigation risk.”

The looming PRA had created a sense of urgency with businesses to make sure they were compliant with CASL. It was anticipated that the PRA could provide fertile ground for class-action lawsuits, especially given the statutory damages allowed for under the law.

“I don’t think we’re going to see extensive legislative reform,” says Molly Reynolds, senior associate at Torys LLP in Toronto, who focuses on privacy litigation and anti-spam.

While many companies get external advice on CASL, much of the day-to-day compliance is handled in-house and interpreting it has been perplexing for many. But just because the PRA has been put on hold doesn’t mean it’s gone away or that the government is backing off on CASL enforcement, say lawyers who advise on the issue.

“Even though the private right of action has gone away for the moment, companies are aware of the regular enforcement by the CRTC [Canadian Radio-television and Telecommunications Commission] and they are working on making sure their marketing departments comply,” says Steve Szentesi of Szentesi Law Corporation in Toronto. “However, I’m not seeing a lot of awareness among US companies.”

Reynolds says there are a few lessons learned from the first three years of CASL where in-house counsel could be re-focusing their efforts in the regulatory enforcement area. For example, record keeping can be the easiest problem to solve, but it takes internal resources and time to create a proper record-keeping system.

“Organizations really should be keeping a database on when they received the consent and what the basis for the consent is for every person on their email list,” says Reynolds.

With every enforcement action that comes out, and there have been nine so far, Tricia Kuhl of Blake, Cassels & Graydon LLP in Montréal says there is “a bit more clarity” as to how the CRTC is enforcing the law. “We’re able to provide more specific guidance on what is considered compliance. We also advise our clients on what might be considered a best practice and what might be considered acceptable practice.”

Under the CASL regime, it’s easy for a recipient to send a complaint to the spam reporting center, but for many organizations, that won’t be the first step — the individual will hit the unsubscribe button first, so it had better work.

Experts say the regulatory investigations have been largely fueled by the volume of complaints the CRTC receives about an entity. “If organizations spent a bit more time arming their customer-facing employees with how to respond and internally how to fix issues for those who don’t want to receive messages, they could actually be lowering the complaints significantly and lower risk of getting an investigation,” says Reynolds.

Another area where CASL is rearing its ugly head is in mergers and acquisitions and the amount of focus on CASL compliance during diligence questionnaires and management calls in the M&A process.

To mitigate that risk, the solution comes back to the same steps organizations should be taking for compliance and to protect themselves against regulatory investigations.

“In many cases, the concern isn’t that the organization has been subject to a CRTC investigation but that they cannot prove their compliance through sufficient documentation,” says Reynolds.

What she’s seeing as a consequence is buyers asking for specific CASL compliance reps (representations), which is more specific, and on the seller side more concerning, than the typical compliance with applicable law representation or material compliance.

2. Privacy: data breach notifications

In September 2017, the federal government released proposed text for regulations to govern mandatory breach reporting and notification under Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).

Under PIPEDA’s mandatory reporting and notification regime, organizations that experience a data breach must report the incident to the Office of the Privacy Commissioner of Canada and notify affected individuals.

From a business standpoint, compliance is top of mind, but how do you translate it into operational efficiency?

Naïm-Alexandre Antaki of Gowling WLG (Canada) LLP in Montréal says “It’s very rare businesses will be organized on a geographical basis. Often, it is by business lines that cover various jurisdictions, so the question is what more do I need to be doing than I’m already doing?”

It will require collaboration from not only the legal department but also the IT department, risk management — a team effort, says Antaki.

Notification is required in all circumstances where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual,” defined to include humiliation, damage to reputation or relationships and identity theft.

PIPEDA indicates that the notice must be given in the “prescribed format,” which is now outlined within the proposed regulations.

While big organizations have largely been working toward this for some time, it’s the smaller organizations that will do it when they have to, but now is a good time to start getting procedures in place, as there is potential civil liability just for failing to notify now.

This is new for plaintiff-side counsel, says Brent Arnold, a Toronto partner with Gowling WLG. “Some organizations get hit with hundreds of thousands of breaches a year so, for some organizations, this will be something that ends up being a full-time job for some people.”

Antaki says small organizations can look at things broadly such as IT policies and contracts and make sure third-party providers notify you if something happens with them. “It’s not necessarily who has custody of the information but who has the control of the information based on the principles already in PIPEDA. If you outsource some of those obligations, you have to make sure you have the contractual obligations in place in order to respond to what you need to do,” he says.

Another important element is, from a cybersecurity standpoint, do you need to consider getting cyber-insurance?

3. Environment: climate change initiatives

Environmental lawyers believe interest in addressing climate change is gearing back up, in some part due to increasingly extreme weather events, causing more momentum at the regulatory level.

“People haven’t experienced these types of weather events so severely or so close together in the past, and I think that is at least driving a conversation,” says Tyson Dyck, partner in the environmental practice at Torys LLP in Toronto. “There’s been more of an appetite for government regulation only to see it fall away.”

Ontario joined the Québec-California carbon market this year under a harmonization and integration agreement. The Ontario Ministry of the Environment and Climate Change has also proposed changes to its cap-and-trade regulations. This will allow all three governments to hold joint auctions of greenhouse gas emissions allowances and to harmonize regulations and reporting.

Ontario’s program is approaching some key milestones, but across Canada, various climate change initiatives are taking off. Alberta, for example, launched its Climate Leadership in 2016 and a series of initiatives are being rolled out over a couple of years.

Dyck says most of the US clients he advises are looking at some operations in Canada, whether actually operating facilities or looking in companies already regulated and trying to figure out what it means.

Dyck hears from clients that once regulations are in place, they’re actually able to live with them and integrate them into their business models because the regulations provide at least some degree of certainty around costs they will face and have to manage their operations. That may mean new pollution control equipment, for example.

“What I think concerns some clients is the uncertainty around where those costs might go in the future.”

Where those prices will go is a bit of a question mark. Ontario, for example, has put some containment over where the price can go over time and has been looking to California as to how it’s been done there.

“The federal government plan is a little less clear on how they are going to contain the price moving forward,” says Dyck.