Contributed By Fasken
There are no private sector laws of general application focused primarily on the provision of cloud services to the private sector in Canada, but other Canadian laws will apply to the provision of such cloud services. Applicable laws include those relating to the protection of personal information and some which impose industry-specific requirements – such as requirements governing the use of cloud services by federally regulated financial organisations, and requirements that certain records of federally regulated financial organisations be located in Canada.
In December 2018, the federal Minister for Public Safety and Emergency Preparedness hinted that Canada may introduce new legislation that would set cybersecurity standards for Canadian companies.
The Office of the Superintendent of Financial Institutions (OSFI) is the Canadian federal regulator that supervises and regulates federally registered banks and insurers, trust and loan companies and private pension plans subject to federal oversight. OSFI has issued Guideline B-10, 'Outsourcing of Business Activities, Functions and Processes', which specifies certain OSFI expectations for federally regulated entities (FREs) that outsource one or more of their business activities to a service provider. OSFI has advised that these expectations also apply in respect of cloud services. Under this Guideline, FREs are expected to:
The Guideline also contains a list of specific terms that OSFI expects the FRE to address in the cloud service contract. While Guideline B-10 is directed to federal entities, it has also been voluntarily adopted by many provincially regulated entities in the financial sector.
Under the Bank Act (Canada), the Trust and Loan Companies Act (Canada), the Insurance Companies Act (Canada) and the Cooperative Credit Associations Act (Canada), certain records of federally regulated financial organisations carrying on business in Canada must be maintained in Canada. In addition, an FRE is expected to ensure that OSFI can access in Canada any records necessary to enable OSFI to fulfil its mandate.
In Canada, privacy and personal information are regulated by both federal and provincial legislation.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private sector organisations. The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with PIPEDA. The OPC has issued a number of guidelines and case summaries that provide non-binding guidance on the OPC’s interpretation of the PIPEDA obligations.
PIPEDA applies in all provinces and territories in Canada, except where a province or territory has enacted substantially similar legislation. British Columbia, Alberta and Quebec have their own legislation that regulates the collection, use and disclosure of personal information. In addition, Ontario, New Brunswick, Nova Scotia and Newfoundland have provincial legislation that regulates the collection, use and disclosure of personal health information. Each of these provinces has a regulator that oversees compliance with the provincial legislation.
Every aspect of privacy legislation might have some impact on the provision or use of cloud services. A comprehensive review of all privacy obligations is beyond the scope of this summary. Some key principles and cloud service issues are discussed below. The comments are based on PIPEDA and OPC guidance. A review of provincial laws and related guidance is beyond the scope of this summary.
PIPEDA became law in 2000. It is intended to protect the privacy of Canadians, and was originally designed to enable Canada to obtain an adequacy ruling under the 1995 European Union Data Protection Directive. Practitioners who are familiar with the Directive will find similar concepts in PIPEDA.
Under PIPEDA, personal information means information about an identifiable individual, other than business contact information that an organisation uses solely for the purpose of communicating with the individual in relation to the individual’s employment, business or profession.
The essence of PIPEDA is that, with some limited exceptions, the knowledge and consent of the individual are required for the collection, use or disclosure of personal information. The purposes for which personal information is collected must be identified at or before the time of collection. The collection must be limited to only that personal information which is necessary for the identified purposes. Personal information can be retained only for as long as necessary for the fulfilment of those purposes. Personal information must be as accurate, complete and up to date as is necessary for those purposes. Personal information must be protected by appropriate security safeguards. An organisation must be open about its policies and practices with respect to the management of personal information. Individuals have rights to access and correct their personal information, and to challenge an organisation’s compliance with these obligations.
It is a principle of PIPEDA that an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. An organisation that transfers personal information to a cloud service provider remains primarily responsible for that personal information, and will want to ensure that the cloud services contract contains appropriate provisions to address all of the organisation’s responsibilities in relation to the personal information transferred to or processed by the cloud service provider.
In its guidance, the OPC states that: “Regardless of where the information is being processed - whether in Canada or in a foreign country - the organization must take all reasonable steps to protect it from unauthorized uses and disclosures while it is in the hands of the third party processor. The organization must be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times. It should also have the right to audit and inspect how the third party handles and stores personal information, and exercise the right to audit and inspect when warranted.”
It is a principle of PIPEDA that personal information must be protected by security safeguards appropriate to the sensitivity of the information. The security safeguards must protect personal information against loss or theft, as well as unauthorised access, disclosure, copying, use or modification. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The methods of protection should include:
An organisation will want to address the detail of a service provider’s security safeguards in the cloud services contract.
Under PIPEDA, if there is any breach of security safeguards involving personal information under an organisation’s control and if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual, then the organisation must report the breach:
An organisation is also required to keep a record of every breach of security safeguards involving personal information under its control (even if the breach does not create a real risk of significant harm to an individual). (The Alberta privacy legislation also has its own separate data breach notification obligations.)
An organisation will want to address the possibility of a breach of security safeguards within a service provider’s environment in the cloud services contract.
In Canada, there is some sensitivity to the possibility that foreign governments may be able to obtain access to personal information that is transmitted, processed or stored outside Canada. For example, under the USA Patriot Act the US government might be able to access personal information of Canadians that is transmitted, processed or stored in the United States.
PIPEDA does not prohibit private sector organisations in Canada from transferring personal information to an organisation in another jurisdiction for processing. However, the OPC expects that organisations must assess the risks that could jeopardise the integrity, security and confidentiality of customer personal information when it is transferred to third-party service providers operating outside Canada. The OPC also expects that organisations will advise their customers that their personal information may be sent to another jurisdiction for processing and that - while the information is in another jurisdiction - it may be accessed by the courts, law enforcement and national security authorities of that jurisdiction. (Alberta has additional specific notice requirements if personal information is transferred to a service provider outside Canada.)
For some cloud services, there may also be concerns about whether meaningful informed consent has been or can be obtained, and about the possible use of data by cloud service providers for purposes that are not anticipated by individuals when the data is provided.
The main legal challenges for our clients when launching or using blockchain technology in our jurisdiction are broadly similar to those legal challenges of other software research and development companies (ie, fundraising, intellectual property strategies and protection and the recruitment, retention and incentivisation of talent).
One key distinction is the set of legal challenges that surround a blockchain company seeking to sell cryptographic tokens to raise proceeds to fund the development of the project, to create a captive economy of native digital assets or to connect with and establish a community of would-be users of the to-be-developed blockchain protocol. In many cases the purpose of the sale of the tokens is all three outcomes, although that is becoming less common as the ecosystem of Canadian blockchain companies continues to adapt to the evolving regulatory and commercial environments surrounding Canadian blockchain projects.
When we are called upon to advise a Canadian blockchain company on its proposed sale of cryptographic tokens, our advice has principally focused on the determination as to whether or not the token will be considered a 'security' for the purposes of Canadian securities laws. In order to provide such advice, we have concentrated primarily on:
To properly determine whether or not a specific token is a security for the purposes of the Securities Act (British Columbia) (the 'Securities Act'), we would have to apply the test laid out by the Supreme Court of Canada in Pacific Coast Coin Exchange of Canada Ltd v Ontario Securities Commission (1978) 2 SCR 112, (1977) 2 BLR 212, 80 DLR (3d) 529 (SCC) (the 'Pacific Coast Coin Test'). The Pacific Coast Coin Test is also used by the Canadian securities regulators (such as the British Columbia Securities Commission) to determine whether or not an instrument issued to a purchaser by an issuer is an 'investment contract' within the definition of a 'security' under the Securities Act.
The specific matters to be determined under the Pacific Coast Coin Test as to whether or not an 'investment contract' exists for the purposes of the Securities Act are as follows: there is an investment of money; in a common enterprise; with the expectation of profit; and the expectation of profit comes significantly from the efforts of others. If only one of the limbs of the Pacific Coast Coin Test is definitely not satisfied, then the Canadian securities regulators should (emphasis on should) determine that the token in question is not a 'security', and they will have no jurisdiction.
In addition, in making such a determination with respect to the tokens in question we would have to consider the contents of CSA Staff Notice 46-307 – Cryptocurrency Offerings (SN 46-307) and CSA Staff Notice 46-308 – Securities Law Implications for Offerings of Tokens (SN 46-308).
With respect to the guidance set forth in SN 46-307 and SN 46-308, we have frequently been called upon to review specific tokens and blockchain projects to make a determination on the particular characteristics of such token in light of the guidance set forth in SN 46-307. The primary purpose of such review is typically to determine which characteristics of the token in question would set it apart from what is considered a 'security' (as such term is defined in the Securities Act and considered by members of the BCSC staff in conjunction with the Pacific Coast Coin Test). An example of a token that might be distinguishable from a 'security' in reliance on the guidance set forth in SN 46-307 is a token which is effectively an application programming interface key allowing token holders to access and consume the application services on a blockchain platform (similar to a coin or token that allows a token holder to access and pay for a video game on a platform).
Further, when we are called upon to consider the guidance set forth in SN 46-308 in respect of specific tokens, there is a list of 14 indicators of the existence (or not) of a 'security', which list of 14 indicators has become somewhat of a companion test to the Pacific Coast Coin Test. We are frequently called upon to assess each individual token, the proposed token sale mechanics and the blockchain protocol in line with the guidelines set forth in SN 46-308 and have found that as the Canadian blockchain industry has evolved, there are more and more examples of tokens that do not appear to be 'securities'.
By contrast, many more Canadian blockchain companies are voluntarily invoking the Securities Act and self-selecting as a 'security' in the hopes of treading a more certain regulatory path. Such companies are proposing to conduct what they are calling an STO (or a Securities Token Offering). The reality is that the industry and its participants are quickly realising that a token with a singular or even a binary purpose is less attractive to purchasers and less useful in the long run, and it does not realise the full capabilities of what a cryptographic asset on the blockchain could represent.
If a token proposed to be issued to a purchaser by our client is determined to be an 'investment contract' within the definition of a 'security' under the Securities Act, our client would have to issue the 'security' in connection with a filed prospectus or in connection with an exemption from the requirement to prepare and file a prospectus. If there is no prospectus filed or exemption from the requirement to prepare and file a prospectus in connection with such a distribution of tokens, it would be considered an unlawful distribution of securities by the relevant Canadian securities regulators.
An unlawful distribution of securities by a company is considered to be a breach under Section 155(1)(b) of the Securities Act, and the company and the employees, officers, directors or agents of that company who authorise, permit or acquiesce in such unlawful distribution will be deemed to have committed the same breach pursuant to Section 155(4) of the Securities Act. Section 155(2) of the Securities Act states that the maximum liability for such a breach is a fine of not more than CAD3 million or up to three years’ imprisonment or both.
Notwithstanding the maximum liability under the Securities Act and depending on the severity of the breach, the British Columbia Securities Commission will more typically seek an Enforcement Order which, among other things, will result in the sanctioning and banning of directors and officers involved in the breach from acting as directors, officers or being engaged in investment activities, the cease trading of the securities of the company and some form of disgorgement of the proceeds of the sale of the securities in question (typically involving the rescission and/or associated refund of the token sales).
In a decentralised network where intellectual property is contributed by the 'community' users and participants in a particular blockchain’s ecosystem, the ownership of such intellectual property could definitely be called into question. In particular, the ownership with respect to the data sets shared by the 'community' and for the development work conducted on the network is currently difficult to ascertain. Further, given the transparent nature of blockchain technology, the availability of the data stored on a particular blockchain or the access points to internally developed code with respect to a particular network will open up the opportunity for the infringement of intellectual property on the blockchain.
At the core of blockchain technology is the concept of decentralisation, which enables the 'trustless' sharing of data. One of the key advantages of blockchain technology is that once the data gathered is stored on a particular chain, it cannot be altered. On the other hand, a key disadvantage is that such data may contain personal information or sufficient data to identify an individual, and because of the nature of blockchain, such data is available to all the contributors to such blockchain. The key legal challenge in the data privacy space with respect to blockchain technology is that the inherent decentralisation and transparency of transactions on any one chain are not easily compatible with data privacy laws.
Blockchain is an immature technology. Consistent with the nascent nature of such technology, service levels and performance standards are improving. However, transaction speeds still remain relatively slow and the computing power required to process such transactions remains relatively high and, therefore, more costly. For blockchain to achieve the level of ubiquity it is destined for in the business world and financial services industry, blockchain will require a higher degree of confidence in the quality and stability of the services.
Blockchain will also need to evolve and develop to a stage where it can offer the appropriate level of data security and protection to customers and participants in its ecosystem (similar to that provided by cloud providers).
Blockchain is inherently cross-jurisdictional. The decentralised nature of the technology requires participating nodes spread around the world. In most transactions by blockchain companies, simply identifying the governing law of such transactions might be a challenge. However, the majority of advice we give on jurisdictional issues to Canadian blockchain companies relates to proposed sales of cryptographic tokens to Canadians or from Canada to non-Canadians.
Rather than be subject to the scrutiny of the Canadian securities regulators, many Canadian blockchain companies decide to adopt an offshore corporate structure to conduct the sale of their cryptographic tokens. The Canadian securities regulators will have a say in this. For example, the British Columbia Securities Commission bases its jurisdictional determination on the location of a token issuer’s 'mind and management' in applying the test contained in BC Instrument 72-702 - Distribution of Securities to Persons Outside of British Columbia (BCI 72-702). The following passage from BCI 72-702 is critical to any assertion of jurisdiction over sales of cryptographic tokens:
“A distribution of securities by an issuer with connections to British Columbia may, depending on the facts and circumstances surrounding the transaction, be subject to the Securities Act even if the initial purchaser is not located in British Columbia. There are two primary circumstances where an issuer must comply with the requirements of the Securities Act in making a distribution to a person outside the province. These are:
1. A Distribution from the Province – Where an issuer distributes securities from British Columbia, it must comply with the registration and prospectus requirements of the Securities Act or rely on exemptions from those requirements;”
The following passages from BCI 72-702 are also critical to a determination that a sale of cryptographic tokens would represent a 'distribution of securities from the Province':
“The onus is on an issuer and its counsel to determine whether a distribution of securities to a person outside British Columbia is made from the province, based on the facts and circumstances of each particular transaction. The existence of any of the following factors would generally indicate that the distribution is made from British Columbia:
(i) the issuer’s mind and management is primarily located within British Columbia. This may be indicated if, for example, the issuer's head office or the residences of the issuer’s key officers and directors are located in the province;
(ii) the business of the issuer is administered from, and the operations of the issuer are conducted in, British Columbia; or
(iii) acts, advertisements, solicitations, conduct or negotiations in furtherance of the distribution take place in British Columbia (including any underwriting or investor relations activities).
The above examples are indicative of the types of factors that an issuer should consider in determining whether it is making a distribution from British Columbia. However, they should not be viewed as an exhaustive list.”
If the client company does decide to incorporate offshore and if we determine that such company’s token sale is likely to be considered an offering from British Columbia for the purposes of BCI 72-702 (ie, “mind and management” of the offshore company is still considered to be primarily resident in Canada), there are applicable prospectus exemptions for such token sale. In particular, BCI 72-702 contains the following relevant passage:
“Where an issuer makes a distribution from the province, it may rely on the general registration and prospectus exemptions in the Securities Act and Securities Rules. In certain circumstances, an issuer may also rely on special exemptions provided under BCI 72-503 and BCI 72-504.”
We have had success in such a context when employing the prospectus exemption contained in British Columbia Instrument 72-503 - Distribution of Securities Outside British Columbia (BCI 72-503) to offer cryptographic tokens to purchasers resident outside of Canada. The prospectus exemption contained in BCI 72-503 applies to issuers located in British Columbia (or outside British Columbia, but whose 'mind and management' is inside British Columbia for the purposes of BCI 72-702) seeking to distribute securities outside of the province.
In order to rely on the prospectus exemption contained in section 3 of BCI 72-503 to effect a token sale, the client company would be required to fulfil the following conditions (which have been edited for relevancy):
In order to comply with the conditions set forth above and the filing requirements, the client company will need to determine with a commercially reasonable degree of comfort that the sale of a token into a particular jurisdiction complies with the securities laws of such jurisdiction.
In addition to the conditions set forth above, the client company would also have to ensure that no later than ten days after the token sale is closed, it files with the British Columbia Securities Commission a report of exempt distribution in Form 45-106F1 and delivers to the British Columbia Securities Commission any offering material that the client company is required to file with the securities regulatory authority in any of the jurisdictions where the purchasers of tokens are located.
The Telecommunications Act regulates telecommunications common carriers and telecommunications service providers. It does not regulate technologies. The Radiocommunication Act regulates spectrum and the Minister of Innovation, Science and Economic Development (ISED) is empowered to issue radio or spectrum licences, or to exempt frequencies from the requirement for a licence.
The Telecommunications Act defines a telecommunications common carrier as a person who owns or operates a transmission facility used by that person or another person to provide telecommunications services to the public for compensation.
A transmission facility means “any wire, cable, radio, optical or other electromagnetic system, or any similar technical system for the transmission of intelligence between network termination points, but does not include an exempt transmission apparatus” (defined to include switches, routers, etc).
A telecommunications service means a service provided by means of telecommunications facilities, which in turn is broadly defined to include any facility or thing that is used or capable of being used for telecommunications or for any operation directly connected with telecommunications, including a transmission facility.
The Telecommunications Act is therefore technology-agnostic. There are no restrictions on the use of new technologies by carriers or service providers. Certain services are however subject to compliance with regulatory requirements, and registration requirements. For example, non-dominant carriers and resellers must register with the CRTC, international service providers must obtain a Basic International Telecommunications Services licence which is available as of right from the CRTC, providers of VoIP services must obtain approval of their 911 emergency calling arrangements and Competitive Local Exchange Carriers (CLECs) must obtain approval of their interconnection arrangements with other carriers, as well as their provision of certain services to persons with disabilities, and privacy and consumer protection provisions, all of which have been standardised.
If the provider of the RFID tag service requires licensed spectrum to provide the service, a spectrum licence will have to be obtained from ISED. If the spectrum is used to provide the service, registration with the CRTC as a non-dominant carrier will be required. An application is required to obtain licensed spectrum and a licence fee applies. No licence or licence fee is required if licence-exempt spectrum is used, such as certain Wi-Fi frequencies. Radio apparatus must be certified to meet ISED standards. Certifications from specified countries can be used as the basis for the Canadian certification. The CRTC does not charge for registering a non-dominant carrier but it operates a “contribution fund” to which carriers and TSPs are required to contribute based on a percentage of their Canadian telecommunications revenues once they are generating CAD10 million or more in revenues. Money from this fund is used to finance video relay services and the extension of broadband facilities to rural and remote parts of Canada. A subsidy of telephone service in high-cost service areas is being phased out.
VoIP service providers that provide access or egress to or from the public switched telephone network (PSTN), and that use the North American Numbering Plan (NANP) telephone numbers to route calls, require CRTC approval of their 911 emergency services. They also need to register with the CRTC as a non-dominant carrier or reseller depending on whether they own a transmission facility. A BITS licence is also required which entails an application to the CRTC. No fees are applicable for these registrations, approvals or licences other than contribution to the fund referenced above. If the VoIP service does not provide access to or egress from the PSTN, and does not use NANP telephone numbers for routing calls, it is not subject to regulation.
The provision of instant messaging will be regulated if it involves the use of telecommunications transmission facilities owned or leased by the carrier or TSP. Registration as a reseller or non-dominant carrier will be required. A BITS licence will also be required. No fees are applicable other than contribution to the fund referenced above. If the service simply uses the Internet for transmission purposes and if a third party provides the Internet access, the instant messaging service will not be subject to regulation. The provision of an App without transmission services is not regulated.
All traditional audiovisual services (television, radio, cable etc) operating in Canada are required to be licensed or exempt from licensing by the Canadian Radio-television and Telecommunications Commission (CRTC) under the Broadcasting Act. The CRTC issues licences for terms not exceeding seven years and makes those licences subject to conditions related to the circumstances of the licensee that it deems appropriate for the implementation of Canada’s broadcasting policy. Television and radio stations that use radio spectrum are also required to obtain authorisation from the Department of Innovation, Science and Economic Development Canada (ISED) in accordance with the Radiocommunication Act. Applications to obtain a broadcasting licence must be filed with the CRTC and the CRTC is required to hold a public hearing to consider the application. The process typically takes between eight and 18 months to conclude. In order to be eligible to hold a broadcasting licence, a company must be owned and effectively controlled by Canadians. Broadcasting licensees are generally required to pay two types of licence fees (Part 1 and Part 2 fees) under the Broadcasting Licence Fee Regulations. The Part 1 fee is a licensee’s pro rata share of the annual cost of the CRTC’s operations. The Part 2 fee is established by the Canadian government using a complex formula and paid on a pro rata basis by each licensee.
The CRTC also has the authority to exempt classes of broadcasting undertakings from holding a licence and has exercised this authority in a number of circumstances, including with respect to small satellite-to-cable (discretionary) services and small cable distributors. The exemption order issued by the CRTC contains terms and conditions that apply to an entire class of broadcasting undertaking and does not require a company to pay any licence fee or to obtain any further authorisation from the CRTC.
Individuals and companies that operate online video channels (including user-generated content) in Canada do so in accordance with a CRTC exemption order called the exemption order for digital media broadcasting undertakings. To operate under this exemption order, an online video channel must comply with minimal obligations, which include a prohibition on granting undue preferences or disadvantages and a requirement to submit to the CRTC’s dispute resolution process. There are no licence fees or Canadian ownership and control requirements applicable to online video channels.