Ask in-house counsel and other business leaders what keeps them up at night and they will more than likely say that the growing regulatory and compliance burden has become the number one thing that consumes their thoughts, especially as it relates to cross-border business and the ability to protect their organizations from harm.
As one in-house counsel remarked recently, “Change is often good, but politics continues to get in the way of a stable business climate.”
As businesses try to grow and innovate, it seems government finds more ways to complicate life and raise issues around risk mitigation. With the increased use of technology and in light of data breaches such as that experienced by Equifax, organizations have become acutely aware of the corresponding threats that come from cyberattacks that can seriously threaten reputation, not only for the company directly involved but their business partner clients as well.
Increasingly, too, business is under pressure from greater government say on employee rights with at least three provinces in Ontario taking increased measures to boost minimum wage and worker benefits. Then there is the July 1, 2018 deadline to legalize marijuana use in Canada.
Some lingering regulatory matters such as Canada’s Anti-Spam Law remain a constant concern for businesses.
In the following pages, we take a look at four areas of regulatory compliance that remain a top concern for in-house counsel and the business units they serve.
1. Private right of action suspended but CASL still vexing companies
On June 7, those in charge of ensuring compliance with Canada’s Anti-Spam Law drew a collective deep breath and exhaled hard as the federal government issued an order-in-council delaying the coming into force date of CASL’s proposed private right of action until completion of a parliamentary review.
The suspension was issued “in order to promote legal certainty for numerous stakeholders claiming to experience difficulties in interpreting several provisions of the Act while being exposed to litigation risk.”
The looming PRA had created a sense of urgency with businesses to make sure they were compliant with CASL. It was anticipated that the PRA could provide fertile ground for class action lawsuits, especially given the statutory damages allowed for under the law — it allowed for the combination of individual actions into class actions with high penalties up to $1 million a day.
“It is entirely possible now that they have delayed the coming into force of the private right of action they will conveniently ignore it for a couple more years; I think that’s possible,” says Molly Reynolds, senior associate at Torys LLP who focuses on privacy litigation and anti-spam. “But I don’t think we’re going to see extensive legislative reform — I don’t see the political wins the government would get from entirely eliminating the provision for the private right of action.”
While many companies get external advice on CASL, much of the day-to-day compliance is handled in-house and interpreting it has been perplexing for many. But just because the PRA has been put on hold doesn’t mean it’s gone away or that the government is backing off on CASL enforcement, say lawyers who advise on the issue.
CASL first came on the scene in July 2014, with a three-year transitional period planned for commercial electronic messages. In January 2015, consent and notice rules for installation of computer programs came into force with its own three-year transitional period specific to computer programs. The third and final step was scheduled for July 1, with the PRA coming into force, the first three-year period for CEMs coming to an end and a mandatory review of CASL triggered.
“Even though the private right of action has gone away for the moment, companies are aware of the regular enforcement by the CRTC and they are working on making sure their marketing departments comply,” says Steve Szentesi of Szentesi Law Corporation. “However, I’m not seeing a lot of awareness among U.S. companies.”
Reynolds says there are a few lessons learned from the first three years of CASL where in-house counsel could be re-focusing their efforts in the regulatory enforcement area. For example, record keeping has been a huge focus and can be the easiest problem to solve, but it is the least appealing because it takes internal resources and time to create a proper record-keeping system.
“Instead of just saying, ‘Well, we only used implied consent and only contact by email or electronic message our existing customers, so we don’t have to worry,’ organizations really should be keeping a database on when they received the consent and what the basis for the consent is for every person on their email list,” says Reynolds.
Based on the regulatory investigations to date, Reynolds says, it’s one of the factors pushing companies to settle for administrative penalties that they may not actually deserve. “The conduct may not be nearly as offside as some of the published decisions suggest, but because they didn’t have the ability to re-create the records for the production requests, they chose a settlement that was a quicker and easier way of resolving the situation. But it does come with some reputational risk and a fine,” Reynolds says.
With every enforcement action that comes out, and there have been nine so far, Tricia Kuhl of Blake Cassels & Graydon LLP in Montreal says there is “a bit more clarity” as to how the CRTC is enforcing the law. “We’re able to provide more specific guidance on what is considered compliance. We also advise our clients on what might be considered a best practice and what might be considered acceptable practice. There are ways of communicating with people by properly understanding the exemptions and exceptions and also being creative in directing people to your website to sign up for promotions and newsletters.”
Another area that is easy to fix but doesn’t get as much attention is responding to customer complaints. Under the CASL regime, it’s easy for a recipient to send a complaint to the spam reporting centre, but for many organizations, that won’t be the first step — the individual will hit the unsubscribe button first, so it had better work.
“All the regulatory investigations we’ve seen so far have focused on whether the unsubscribe mechanism actually works and whether it’s being fulfilled in the 10-day time period,” says Reynolds. To date, experts say the regulatory investigations have been largely fuelled by the volume of complaints the CRTC receives about an entity. “If organizations spent a bit more time arming their customer-facing employees with how to respond and internally how to fix issues for those who don’t want to receive messages, they could actually be lowering the complaints significantly and lower risk of getting an investigation,” says Reynolds.
Another area where CASL is rearing its ugly head is mergers and acquisitions, given the amount of focus on CASL compliance in diligence questionnaires and management calls during the M&A process.
“We didn’t see it in 2014 — it’s taken a little while for this regulatory piece to trickle over to the M&A side. In 2016-2017, [we’ve] seen a lot more focus on it,” Reynolds says.
To mitigate that risk, the solution comes back to the same steps organizations should be taking for compliance and to protect themselves against regulatory investigations.
Buyers are asking for all the documentation that companies have internally: Is there an internal CASL policy? What is the basis for consent and how many complaints have been received? Has the company been subject to a regulatory investigation? Concerns do arise when companies aren’t able to provide that documentation. “In many cases, the concern isn’t that the organization has been subject to a CRTC investigation but that they cannot prove their compliance through sufficient documentation,” says Reynolds.
What she’s seeing as a consequence is buyers asking for specific CASL compliance reps (representations), which are more specific, and on the seller side more concerning, than the typical compliance with applicable law representation or material compliance. “It’s more concerning because the company has to pay more attention that the rep is accurate and pay attention to what the indemnity or breach of representation consequence is.”
Especially for startups engaged in digital marketing, it’s a really important part of the valuation of the business, but they may not have the internal compliance documentation.
2. Labour and employment: more rights for workers
This past spring, the Ontario government revamped its provincial employment legislation and created the Fair Workplaces, Better Jobs Act, 2017, which includes a wide range of amendments to the Employment Standards Act and Labour Relations Act.
The goal is to create greater certainty for workers across Ontario, but some suggest the proposed changes in Bill 148 could create significant competitive issues.
With the stated goals of creating more opportunity and security for workers, key amendments, if enacted, will:
• Raise the minimum wage to $15 per hour by Jan. 1, 2019;
• Require employers to pay part-time, temporary and seasonal workers the same rate as regular full-time employees;
• Allow employees to request schedule changes or even refuse shifts if asked to work with insufficient notice, effective Jan. 1, 2019;
• Increase minimum vacation entitlements to three weeks per year for employees with five or more years of service;
• Give all employees in Ontario paid personal emergency leave days, not just those whose employers have 50 or more employees. A minimum number of the 10 days have to be paid. Previously, all 10 were unpaid. Employers can no longer ask for doctor’s notes;
• Make it easier for unions to obtain bargaining rights;
• Increase fines and penalties for non-compliance.
“There seems to be a lack of economic data to justify that increase,” says Richard Charney of Norton Rose Fulbright LLP. “For those advocates who say it shouldn’t have an impact on employment, that’s naïve. The concern is it might discourage further or continued employment.”
More complicated, says Charney, are the “equal pay for equal work” provisions in Bill 148 that would come into effect April 1, which aren’t about gender-based pay equity. “We’re talking about a fairly radical step of prohibiting employers from paying part-time casual and seasonal employees a rate lower than full-time employees.
“I understand the policy behind it — to try and benefit traditionally disadvantaged workers — but what this legislation fails to take into account is the lack of experience these folks may have compared to full-time employees. It will also require employers to engage in costly and time-consuming reviews of all the roles and wages to determine whether the jobs fall under that,” says Charney.
The changes should prompt employers to review their employment policies to ensure they are in line with the new minimum requirements, says Daryl Cukierman, partner at Blake Cassels & Graydon LLP in Toronto.
Of course, also impacting employers next year will be the introduction of cannabis legalization in Canada. “We’re starting to get more calls on it and absolutely I think it’s going to be a function of being clear in setting expectations and reminding employees of expectations around drug and alcohol use in the workplace and that may require employers to take a look at current policies and make sure they still read how they want in light of the new legislation coming down and provide refresher training on expectations,” says Cukierman. “The expectation should be employees come to work fit to perform their duties.”
He recommends employers take a proactive approach given that cannabis will no longer be an “illegal” drug.
“It is possible that employee attitudes about what constitutes acceptable workplace behaviour may shift, so I’m advising employers to get ahead of the curve and proactively deal with potential misunderstandings and look at code of conduct and occupational health and safety policies related to smoking at work and workplace impairment and vehicle use policies,” he says.
An extension of that are client or social and entertainment policies.
“Most employers will allow an employee to take a client out for dinner and drinks, but what about when marijuana becomes legal? Despite its legality, are employers going to take a different line on that?”
And Ontario is not the only province looking to revamp its employment laws.
In British Columbia, the still relatively new NDP government is looking at changes to the labour relations code that would allow for moving from a secret ballot to a card system for union certification. Employers are concerned because a secret ballot system prevents employees from being intimidated by co-workers into certification.
“What the NDP would like to do is move to a card-only system so, if a union is capable of getting more than 50 per cent of the employees from the bargaining unit to sign cards, there would be an automatic certification without a vote,” says Michael Howcroft, partner with Blake Cassels & Graydon LLP in Vancouver.
As well, B.C.’s minimum wage will increase effective Sept. 15 to $11.35 per hour from $10.85. It’s the first step in a plan to raise the minimum wage to $15 per hour by 2021.
The wage increases apply to employees in four categories: live-in support worker; live-in camp leader; resident caretaker; farm workers; and liquor servers.
Premier John Horgan has also announced the intention to re-establish a human rights commission that was dismantled 15 years ago. Right now, B.C. has a model allowing complaints to be taken right to the B.C. Human Rights Tribunal. In other provinces such as Ontario, and for federal employees, complaints must go through an investigation process with a human rights commission.
In Alberta, the NDP government introduced Bill 17: Fair and Family-friendly Workplaces Act, which proposes the biggest changes to Alberta’s Employment Standards Code and Labour Relations Code in decades. It will affect all provincially regulated employers and most of the amendments are expected to be passed into law on Jan. 1, 2018.
“It makes it easier for unions to organize and is a distinct disadvantage to employers being able to argue against the benefits of a union certification. Definitely, the employer community is concerned,” says Howcroft.
The amendments to the Employment Standards Code include increases to leave entitlements and changes to qualifying periods of unpaid leaves of absence. Employees will be eligible for leaves after 90 days of employment (it used to be 52 weeks).
Bill 17 would also create a new administrative penalty system to fine employers who contravene the Employment Standards Act. In addition, it would extend the period in which the government could bring a prosecution against an employer to two years from one year.
3. Privacy: data breach notifications
On Sept. 1, the federal government released proposed text for regulations to govern mandatory breach reporting and notification under Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act, or PIPEDA.
Mandatory data breach reporting and notification at the federal level was introduced with amendments to the federal private sector privacy law — PIPEDA — enacted by the Digital Privacy Act. Bill S-4 came into force on June 18, 2015, but the new breach reporting and notification provisions will not come into effect until regulations are passed to govern the new requirements.
Under PIPEDA’s mandatory reporting and notification regime, organizations that experience a data breach must report the incident to the Office of the Privacy Commissioner of Canada and notify affected individuals.
Naïm Antaki of Gowling WLG (Canada) LLP says clients have asked what it all means. From a business standpoint, compliance is top of mind, but how do you translate it into operational efficiency?
“It’s very rare businesses will be organized on a geographical basis. Often, it is by business lines that cover various jurisdictions, so the question is what more do I need to be doing than I’m already doing?”
It will require collaboration from not only the legal department but also the IT department, risk management — it will be a team effort, says Antaki.
Notification is required in all circumstances where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual,” which is defined to include humiliation, damage to reputation or relationships and identity theft.
PIPEDA indicates that the notice must be given in the “prescribed format,” which is now outlined within the proposed regulations. The report to the commissioner and notification to the affected individual will contain:
• A description of the circumstances of the breach (and in the case of the report to the commissioner, if known, the cause);
• The day on which or period during which the breach occurred;
• A description of the personal information that is the subject of the breach;
• A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
• A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm (and in the case of the report to the commissioner, a description of the steps the organization has taken to reduce the risk of harm).
For the notification to individuals, the organization must provide a toll-free number or email address for the affected individual to obtain further information, and it must provide information about the organization’s internal complaint process and the affected individual’s right to file a complaint with the commissioner.
For the report to the commissioner, the organization must provide an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm, a description of the steps that the organization has taken or intends to take to notify each affected individual and the name and contact information of a person at the organization who can respond to questions about the breach.
Big organizations have largely been working toward this for some time, while smaller organizations tend to do it only when they have to. But now is a good time to start getting procedures in place, as there is now potential civil liability just for failing to notify.
“That’s a new thing for plaintiff side counsel to play with that we haven’t had before,” says Brent Arnold, partner with Gowling WLG.
“There’s a greater compliance cost than there would be without the reporting regimen. Some organizations get hit with hundreds of thousands of breaches a year so, for some organizations, this will be something that ends up being a full-time job for some people. Get ready is what my overall advice would be.”
Antaki says small organizations can look at things broadly such as IT policies and contracts and make sure third-party providers notify you if something happens with them.
“One of the key things is the concept of control — it’s not necessarily who has custody of the information but who has the control of the information based on the principles already in PIPEDA. If you outsource some of those obligations, you have to make sure you have the contractual obligations in place in order to respond to what you need to do,” he says.
Insurance is another important element. From a cybersecurity standpoint, do you need to consider getting cyber-insurance?
4. Environment: climate change initiatives
The interest in addressing climate change has historically been cyclical, most recently going back to former U.S. vice president Al Gore’s An Inconvenient Truth in 2006, but environmental lawyers believe interest is gearing back up, in some part due to increasingly extreme weather events as we saw this past summer, causing more momentum at the regulatory level.
“I think there is a growing understanding that what we’re seeing in short-term weather patterns is unusual. People haven’t experienced these types of weather events so severely or so close together in the past, and I think that is at least driving a conversation,” says Tyson Dyck, partner in the environmental practice at Torys LLP. “There’s been more of an appetite for government regulation only to see it fall away.”
Ontario plans to join the Québec-California carbon market as of Jan. 1, 2018, under a harmonization and integration agreement announced on Sept. 22. The Ontario Ministry of the Environment and Climate Change has also proposed changes to its cap-and-trade regulations. This will allow all three governments to hold joint auctions of greenhouse gas emissions allowances and to harmonize regulations and reporting.
“It’s been a steep learning curve, but there have been a lot of successes in the Ontario program so far. They had a short timeline to get that program up and running so the way it’s rolled out has been quite smooth,” says Dyck.
“I think a lot of clients are looking to the horizon and seeing some changes to the program and asking what it will mean for their business,” he says.
Ontario’s program is approaching some key milestones, but across Canada, various climate change initiatives are taking off. Alberta, for example, launched its Climate Leadership last year and a series of initiatives are being rolled out over a couple of years. Federally, the government has proposed a national price on carbon to work with various provinces to ensure they are living up to the federal benchmark.
It will be interesting to see if Saskatchewan starts its own climate change initiatives with Premier Brad Wall stepping down.
“To date, they have been fairly resistant to the federal government in terms of climate change regulations. With new leadership in that party, there may be changes afoot there, too,” he says.
Dyck says most of the U.S. clients he advises are looking at some operations in Canada, whether actually operating facilities or looking in companies already regulated and trying to figure out what it means.
“Some of the clients in the U.S. we work with have their own experience there, over the last year where you see states like California moving forward with relatively aggressive models to regulate greenhouse gases and at the same time a big pullback at the federal level with the Trump administration — it’s that tension between the state and federal level our clients are seeing,” he says.
One example is the tailpipe emissions standards for vehicles that the Obama administration implemented and the Trump administration has threatened to roll back, which California wants to keep in place, and a lot of auto companies are wondering which way this is going to go.
“That whole discussion ultimately flows up to Canada because it’s one big North American market,” he says.
Dyck says what he hears from clients is that once regulations are in place they’re actually able to live with them and integrate them into their business models because the regulations provide at least some degree of certainty around the costs they will face and how they will have to manage their operations. That may mean new pollution control equipment, for example.
“What I think concerns some clients is the uncertainty around where those costs might go in the future. What we see with the cap-and-trade programs in Ontario and Quebec and California that are supposed to link together starting in 2018, a plan to escalate the cost of carbon in those markets so the costs of complying with those regulations in those jurisdictions over time. That’s the same approach the federal government has started with their pan-Canadian framework; the idea being that as it becomes more expensive people have to make different decisions,” he says.
Where those prices will go is a bit of a question mark. Ontario, for example, has been grappling with the issue and has put some containment on where the price can go over time. It has been looking to California to see how it has been done in that jurisdiction, taking some of those lessons and bringing them to Canada.
“The federal government plan is a little less clear on how they are going to contain the price moving forward. They have initial plans to move it up in increments over the next four to five years, but beyond that, it’s a question mark,” says Dyck, adding that the more regulation there is, the more people will understand it’s a way of doing business.