Canada is recognized worldwide for its research and technological know-how, yet we face considerable challenges if we are to deliver on all the promise the innovation sector holds. We are competing against the world in the race to drive innovation, and the stakes are high: industry innovation leads to a stronger economy, better jobs and a higher standard of living.
BLG is pleased to help clients in all sectors and industries identify opportunities and mitigate risks as they chart paths in growth areas, helping drive the Canadian economy and shape a brighter future.
PRIVACY IN THE IOT AGE
The expanding Internet of Things (IoT) represents an outstanding businesses opportunity for Canadian companies.
As we increasingly interact with all these smart devices, they are collecting ever-larger amounts of data about us. How that data is secured and used is one of the most pressing policy issues of our time.
Consumers have a growing awareness around the value of data and how it can be manipulated. That realization, coupled with a slew of recent high-profile data breaches, is raising public concern about whether enough is being done by smart-device manufacturers to protect a customer’s privacy.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal law that governs how private sector organizations in Canada collect, use and disclose personal information. Introduced in April 2000—seven years before the advent of the iPhone—this legislation is not as robust as more recent regulations coming out of Europe.
The General Data Protection Regulation (GDPR), introduced by the European Union in May 2018, aims to return control of personal data to consumers.Canadian media considerably covered the GDPR and its more restrictive approach, so consumers are now expecting higher privacy protection from Canadian companies and organizations. Recent privacy breach scandals have also made consumers more aware of their rights regarding their personal information.
If a company runs afoul of the GDPR, it could be fined up to 20,000,000 EUR or up to 4% of the preceding year’s total global annual turnover.
What’s more, the GDPR prohibits European organizations from sharing personal data with non-member states that have weaker privacy protection laws. With that in mind, Canadian legislators are taking steps to fortify PIPEDA. Case in point: PIPEDA as it was originally written was a complaint-driven process. That changed November 1, 2018, when new mandatory breach-notification and record-keeping obligations went into effect, with fines of up to $100,000 for failure to comply. It’s expected that by 2020, the Canadian government will do more to bring PIPEDA’s consumer protections up to the GDPR standard.
Canadian privacy law, as it stands now, requires that companies obtain the transparent and informed consent of individuals for use of their data. But recent guidance issued by the Office of the Privacy Commissioner of Canada suggests that, even with properly obtained consent, a company could still run into trouble if their data usage does not meet the reasonable expectations and social norms of Canadians. This is a significant potential hurdle for the emerging IoT industry.
On the surface, obtaining consent seems simple enough, but when viewed through an IoT lens, things get more complicated: Your smart fridge is continuously collecting data about your shopping habits—data that could be shared with retailers or other service providers. If they then use that data to send you targeted ads, does that meet the reasonable expectations and norms of Canadians?
Smart cars come with even bigger privacy concerns. Insurance companies could use the driver-related data these cars collect to risk-adjust insurance premiums. But collecting such data without informed consent would likely infringe on a driver’s privacy rights. Take this scenario a step further and consider the insurer who might want to increase a customer’s rates if they do not consent to sharing their personal driving data. That’s the kind of uncharted territory that legal experts can help insurers and other data collectors steer through.
Compared to the US, Canada has never been fertile ground for class-action law suits, but when it comes to breaches of data protection laws, that’s changing. There are more than 80 class-action suits involving alleged privacy breaches pending or certified in Canada.
In one recent case, the federal government agreed to pay $17.5 million to 583,000 Canada student loan recipients after Human Resources and Skills Development Canada (now Employment and Social Development Canada) lost an external hard drive that contained their personal information. Developments in this area should be followed closely by any company in the IoT field.
As the IoT expands and Canadians become more engaged on the topic of privacy, responsible companies should be redoubling their privacy efforts. Complying with the Office of the Privacy Commissioner of Canada’s new Guidelines for obtaining meaningful consent which will be enforced as of January 1, 2019, is an excellent first step.
THE CANADIAN FINTECH SECTOR HAS THE POTENTIAL TO BE A WORLD LEADER
The FinTech sector in Canada has seen significant growth in recent years and has the potential to grow further as collaborations between FinTechs and regulated financial institutions continue, new and improved regulations are adopted, and a growing number of young tech superstars focus their energies on developing technology applications for financial services in Canada and the world.
Canada is home to a number of financial hubs, including Toronto, which is considered a leading international hub. It also has some of the world’s top technological talent and the Government of Canada has taken steps to facilitate the relocation of international talent to Canada. Canadian financial institutions have so far welcomed innovative technologies and have collaborated with FinTech firms to improve efficiencies and product offerings.
In some respects, FinTech has been around longer than most people realize. For decades, Canada’s big banks have used technology to accelerate workflows, reduce costs and improve the customer experience.
What’s new is the speed at which ground-breaking technologies are coming online. Machine learning, artificial intelligence, big data—they’re reshaping an entire industry. If we’re to achieve our full potential, we need to take a number of steps.
To begin with, we need to ensure that access to private capital and our public markets are sufficiently robust enough to support the development of Canadian companies throughout the development cycle. It is not enough to fund successfully the early stage development of FinTechs. We need to be sure that they have sufficient access to capital to grow into global enterprises where their mind and management remains in Canada. Governments in Canada have an important role in creating a policy environment that facilitates capital formation for FinTechs, including from individual investors, and institutional investors, including pension funds.
There is no doubt that many of the federal, provincial and territorial regulatory regimes that touch FinTech ecosystems can be improved. We need to be sure that regulations that were designed for an earlier time are appropriate for an increasingly digital economy. It is important to note that governments are actively working on regulatory reform projects, including reform of federal financial institution and payments legislation that will facilitate activity by both FinTechs and financial institutions. In addition, Canadian securities regulators are beginning to take steps to clarify the circumstances in which digital currencies can be launched and developed in Canada, without the requirement to comply with securities laws of general application.
Along with an update domestic regulatory environment, the FinTech sector in Canada will benefit from comprehensive global regulatory standards. Work in that area is getting underway, but until global standards are established, we will need to work hard to encourage FinTech developers to continue to use Canada as their base for global expansion and success.
DECODING THE LEGAL GREY ZONES AROUND CRYPTOCURRENCIES
“Disruptive” can be an overused word these days: It seems like every new innovation is heralded as a game-changer—even when it isn’t. But the invention of Bitcoin and its foundational blockchain technology has been called revolutionary for very good reason.
Cryptocurrencies, blockchain and the automated financial transactions they enable, are transforming supply-chain management practices, contracting, payment and banking services and real estate transactions. New uses for the technology are being developed every day.
Early on, cryptocurrencies were the niche domain of tech insiders. They preferred this peer-to-peer, electronic money system over fiat currencies for two main reasons:
- It removed central banking authorities from the creation and control of cash, and
- It drastically reduced service costs by eliminating middlemen.
But if cryptocurrencies got their start on the fringes of the financial ecosystem, they are now moving solidly to the mainstream.
A number of Canada’s big financial institutions are looking at the rise of cryptocurrencies and how it has impacted their operations. In response, they are testing blockchain technologies and seeking ways to help their clients transact in cryptocurrencies. Experts believe it is just a matter of time before one of them makes a major move into the cryptocurrency arena.
Even the Bank of Canada is investigating the possibility of creating its own digital currency.
Cryptocurrency developers themselves are beginning to recognize the benefits of having a presence in a more mainstream market, which could boost the credibility of their products. In fact, there is a growing number of developers that see and understand the need for more robust regulations in this space. A regulated environment, they argue, would help remove some of the stigma that has been associated with cryptoassets since their inception.
However, authorities in Canada and around the world are struggling to regulate cryptocurrencies as new and more innovative blockchain applications emerge. Why the hold up? For one thing, blockchain is a form of technology, and as a rule, laws don’t regulate technology, just certain uses.
Then there’s the fundamental question of whether cryptocurrencies should be defined as securities. Canadian regulators have yet to take a firm position on that issue, and this is making it difficult for industry players looking to establish cryptocurrency exchanges. The uncertainty has some local developers considering foreign bases of operation.
Regulators will catch up—they have no choice. And as they do, we’ll see more and more sophisticated investors moving into this field, including:
- Funds that are vying to offer cryptoasset-backed investment opportunities at both the institutional and retail levels
- Businesses that want to set up exchange platforms for cryptocurrency trading
- Entrepreneurs who are interested in launching initial coin offerings or creating storage and custodial enterprises for digital assets
UNSCRAMBLING DIGITAL LAWS AND CYBERSECURITY
The rapid rise in data collection means robust cybersecurity solutions are no longer an option, they’re an imperative. What should Canadian businesses be thinking about when it comes to fortifying their defenses?
The growing importance of data—as well as recent high-profile security breaches—are pushing many nations, including Canada, to review and bolster data protection laws. This is welcome, but even with improved protections, there are no simple answers when it comes to cybersecurity.
As technology evolves, the laws, regulations and standards that shape its use are also changing. There is a broad array of standards that can inform what an organization must do to be compliant. New legislation, regulations, guidance documents and industry-specific recommendations are coming out all the time in Canada. But cross-border data flows and cloud storage mean that foreign laws may also apply.
This evolving regulatory and risk environment can impact different organizations quite differently. The standards that a charity or university will be held to are likely different from those for a bank. This is why it’s critical to take a tailored approach to every security scenario.
Data hacks have become one of the biggest risks to an organization hoping to realize the benefits of big data. They can ruin a company’s reputation, decimate its stock price and trigger costly legal and regulatory consequences, including class action lawsuits, which are on the rise in Canada.
The good news is that most cyberattacks are relatively unsophisticated. While there have been recent fears about hackers using artificial intelligence to breach cybersecurity defenses, the reality is it doesn’t take AI to crack a weak system. A dangerous hack can start with a simple phishing scam, in which an employee is fooled into clicking on a link in an email.
Increasingly, stolen data are being encrypted and held for ransom. If the ransom isn’t paid, hackers release the information or destroy it.
The effects of a data breach can be wide-ranging and long-lasting. Yahoo Inc. experienced a number of massive breaches in 2014, including one by a Russian spy agency. Personal data—names, addresses, telephone numbers and encrypted passwords—for 500 million accounts were stolen.
Altaba, the company then operating Yahoo’s email and search-engine service, was fined US$35 million by the US Securities and Exchange Commission. In a settlement reached in a class action lawsuit, Altaba and Verizon, which was in the process of buying Yahoo, agreed to pay US$50 million to up to 200 million users, with affected individuals getting a maximum of US$375 US each.
A holistic approach to cybersecurity is essential. This means implementing both preventative and remedial tactics:
Before an Incident
- Know what “crown jewels” your organization has and what are the key informational assets
- Adopt best-in-class technology and implement all security updates and patches to render your systems reasonably secure and put your organization in a defensible position
- Understand the potential liabilities and evolving standards of care around big data to mitigate the legal risks of data breaches or misuse of information
- Have cybersecurity and incident response plans in place, as well as the requisite expertise (both internal and external) on a fully constituted response team
After an Incident
- Immediately implement the incident response plan and convene the response team
- Retain an experienced cybersecurity lawyer to serve as “breach coach,” manage the response team, and ensure that legal privilege is protected to the maximum extent
- Ensure that evidence of the wrongdoing is preserved in the remediation process
- Be consistent in public communications and reports made to regulators and law enforcement
A breach should be viewed as creating enterprise-wide risk. For that reason, stakeholders from across the organization are often involved in managing it. Their responses need to be coordinated from start to finish. Here’s just one example of why:
If a company’s servers are infected with a virus, the IT department may want to take them offline, wipe them and rebuild them. But in doing so, it may inadvertently destroy evidence that is critical in establishing how the breach occurred and who’s responsible. That evidence could also prove essential in defending against legal and regulatory proceedings.
SMART CITIES: ARE THERE PRIVACY POTHOLES AHEAD?
Technology is making urban areas smarter, safer and more sustainable. But as cities collect more and more data about their citizens, legal questions are beginning to emerge.
As urbanization gains momentum around the globe, cities are increasingly looking to technology to improve the lives of their citizens. And the tool they’re turning to most often is the Internet of Things.
For cities, the benefits are undeniable: Fewer redundancies, lower costs and streamlined deployment of staff are just a few. But for the technology companies that collect the data, and the governments and service providers that use it, there are risks that need to be considered.
While smart city technology has the potential to solve many urban issues, its implementation has actually created one: The right to privacy in an era when almost everything we do can be turned into a data point.
In England, face-recognition technology and vast networks of CCTV cameras help law enforcement quickly identify suspects in crimes. But there is also growing public concern over how the government will use the billions of images it has collected. Can legislators reconcile privacy protection with the public good?
The monitoring of real-time data also presents new evidentiary and legal challenges—and may even open the door to new forms of criminal activity. The IoT technologies that optimize water and sewage systems could be vulnerable to cyberattacks designed to cause flooding or even contamination.
Commercial interests have an obvious profit motive in collecting smart city data. If municipalities partner with IoT companies to adopt smart city tools, the government must ensure it has developed both the technical and legal capacity to face any legal challenges stemming from alleged improper data use.
Increasingly, there are questions from both IoT companies and governments about the legal ramifications of smart city technologies. In the absence of a strong regulatory framework, it may well be litigation in Canadian courts that, to a degree, shapes the guidance and rules needed to protect individuals and businesses as cities become more connected.
This evolving legislative framework means two things for those behind smart city projects and services. First, this is a challenging and exciting time with ample opportunity to influence the city of the future. And second, careful legal guidance is an imperative.
AUTOMATED VEHICLES: THE INNOVATION HUB FOR CROSS INDUSTRY DISRUPTION
The past five years have been marked by tremendous growth in the autonomous vehicle industry. While many jurisdictions continue to jostle for leadership in the space, an even greater number of original equipment manufacturers, technology companies and start-ups are fast-tracking new Connected and Autonomous Vehicle (CAV) technology with an eye to the huge profits to be made.
Moving forward, legislators will be tasked with balancing several competing needs: protecting the public, safeguarding data and privacy, ensuring safety standards and creating regulatory certainty, while leaving room for innovation in this highly competitive industry.
Following the 2018 introduction of testing guidelines from Transport Canada and the Canadian Council of Motor Transport Administrators, a new and robust regulatory framework will assist in the safe development and deployment of CAVs on Canadian roads.
In Ontario, as of January 1, 2019, the ban on operating CAVs in Ontario has been lifted in respect of vehicles equipped with SAE Level 3 automation. A Level 3 vehicle is in full control of all driving functions in some situations, monitors the road and traffic, and will inform the driver when he or she must take control
In just the last year, autonomous shuttle buses have been tested in the provinces of Alberta and Québec and there are plans for similar tests in Ontario. As of January 1st, the framework for AV testing in Ontario changed significantly, allowing for the possibility of testing fully driverless Level 4 and Level 5 vehicles on Ontario’s roads without a driver (or even a passenger) and introducing guidelines for tests in truck platooning, a potential game-changer in the freight industry.
The introduction of CAVs is forcing insurers and governments everywhere to reconsider their approach to automobile liability. Notably, the Insurance Bureau of Canada endorsed the UK approach when it recently proposed a single policy to cover both human error and automated-technology malfunction, including cybersecurity breaches. If Canada is to adopt an approach similar to the UK model in 2019, collaboration between government, insurers and manufacturers will be key.
The more autonomous the vehicle, the more data that it uses and gathers to learn how to drive better. CAVs are equipped with multiple cameras, radar, LIDAR (a radar-like system using lasers), sonar and GPS. As the level of automation increases, so too do the data demands of CAVs. This leads to big questions, like what type of data is being collected? Where and how is it being stored? Who has access to the data and what are they using it for?
The artificial intelligence at the core of CAV learns from the data so this data is crucial as the technology evolves. In the event of accidents, insurers and relevant parties involved in such disputes, will most likely require information on what the various systems of the CAV and the driver were doing at the time of the accident to understand and apportion responsibility.
For the legal community and those clients touched by this transportation revolution, self-driving technologies pose many fascinating legal questions. The hardest part at this early stage of the AV game is discerning which ones are critical.
WILL CHANGING POLITICAL WINDS RESHAPE RENEWABLES?
Policy updates and technological advancements both have a role to play in the success of Canada’s renewable energy sector.
As growing public demand for greener energy intersects with technological advances that are making renewables increasingly cost effective, the outlook for the clean energy sector should be bright. And it is true, major opportunities exist for renewable energy companies, both here at home and internationally.
But all is not smooth sailing. There have been dramatic shifts in green energy policy in a number of provinces. The sector, if it is to be successful for the long-term, must take great care to understand regulatory regimes that are not only complex, but subject to wholesale change, as well.
Starting in the late 1990s, Canada’s renewable energy companies enjoyed large-scale government support through tax incentives, subsidies and favourable pricing via feed-in tariffs.
A number of those industry-building policies have since been rolled back. Most notably, Ontario’s recently elected Progressive Conservative government has moved quickly to:
- Cancel that province’s Green Energy Act, introduced in 2009 to grow solar- and wind-generated electricity supply
- Wind down the province’s feed-in tariff program that guaranteed wind- and solar-energy providers better prices for their clean electricity
- Terminate 758 renewable energy contracts
One of those cancelled contracts was for the 18.5-megawatt White Pines Wind Project, which had been in development for 10 years. The legislation that terminated it—the White Pines Wind Project Termination Act—went two steps further, limiting compensation the province must pay to the developer, German-owned wpd Canada Corporation, and preventing wpd Canada from suing the government. At the point of cancellation, the developer had spent $100 million on the project.
These unusual moves have reverberated throughout the renewable energy sector, and they raise an important question: What is the position of the law with respect to the enforceability of contracts after changes of government?
Growing uncertainty here means it is now more important than ever for renewable energy developers to have skilled, experienced advocates guiding them during complex contract negotiations with governments.
The Alberta government’s decision to shut down coal-fired electricity plants by 2030 is putting the focus on renewables in that province, as well. Alberta has completed two procurements for 600 megawatts of wind power as part of its Renewable Energy Program and intends to add 5,000 megawatts more in an effort to get 30 per cent of its electricity from renewable sources. According to one government-funded study, that could attract as much as $8.3 billion in investments for new wind energy projects over the next 12 years.
New technology should play a major role in growing our offshore wind industry, as well. There are efforts already being made off the east and west coasts to develop wind projects, though they are not yet commercially viable.
Robust offshore wind development in Germany, the UK, Netherlands and Ireland— where some projects are so successful, they are now subsidy-free—could open doors here as well. And then there’s Asia. China, the world leader in wind power generation, is looking to increase renewable energy capacity and Taiwan brought in a feed-in tariff program for wind energy a few years ago. All of these advancements bode well for a growing green-energy industry here.
Despite all the advancements though, renewable energy has obstacles to overcome. Electricity storage is a significant one. In Ontario, wind power is often generated at night when demand is lower. At the moment, there is no reliable, cost-effective way to store that excess power until it’s needed. But when that breakthrough comes, it will be a game-changer—for the industry and the planet.
In the long term, Canada will likely continue to increase focus on renewable energy because that’s what the public wants: An environmentally sound approach to the production of electricity.
For the legal community and those touched by these rapidly evolving industries, technologies pose many fascinating legal questions.
With the regulators catching up and greater technological developments occurring each day, our job at BLG is to get out in front of any associated legal issues or liabilities. We are thinking about these challenges far in advance and helping to inform policy development in Canada so we can eliminate or mitigate those emerging risks for our clients.