Picture
Picture
Name and Title
Peter Murphy
Partner
Partner
Year of Call

1995 (Ontario)

Memberships

Law Society of Ontario

Canadian I.T. Law Association

Toronto Computer Lawyer's Group

Ontario Bar Association Privacy Law Section

Privacy and Access To Information Law Executive, Ontario Bar Association

Board of Trustees, Textile Museum of Canada

Governance Committee, Textile Museum of Canada

Director, Multilingual Community Interpreter Services (On) (MCIS)

Nominations and Governance Committee, MCIS

(Former director) The Coalition for Persons With Disabilities

Publications
Description

Peter Murphy, HBA, JD

November 12, 2020

It appears the wait for Ontario's Not-for-Profit Corporations Act (“ONCA”) will continue into 2021. 

Currently, Ontario not-for-profit corporations are governed by the Corporations Act, R.S.O. 1990.  The Government of Ontario has made a number of amendments to this statute over the years, including recent changes to loosen the rules about how and when AGMs may be held during the COVID-19 emergency period.  While these amendments have been helpful, a major overhaul of the Corporations Act is still widely considered to be necessary. 

The Government of Ontario took steps to replace the Corporations Act back in 2010 when it passed the more modern ONCA.  Although ONCA was passed, it did not come into force – a situation that remains the case today.  The new statute must be proclaimed by the Lieutenant Governor to come into effect.  Until this happens, the Corporations Act continues as the governing legislation for not-for-profits incorporated in Ontario.

Ontario's Ministry of Government and Consumer Services previously indicated that ONCA would take effect in 2020.  However, the Ontario Legislative Assembly recently passed a resolution extending the proclamation period for ONCA until December 31, 2021.

When ONCA comes into force Ontario not-for-profit corporations will have a three-year transition period to conform their governing documents, including their by-laws, to the new law. 

This article is provided as general information and does not constitute legal advice. If you have any particular legal questions, please contact us.

Date_Published
2020-11-12
Description

peter murphy headshotA new law provides Ontario not-for-profit corporations temporary flexibility to schedule and conduct AGMs in the pandemic and post-pandemic period. The new law will expire 120 days after the end of Ontario's current state of emergency. As of the date of this article, Ontario's state of emergency is set to expire on June 30, 2020.

Each not-for-profit incorporated under Ontario law (a "Corporation") must look to its constating documents and the Corporations Act to determine the rules it must follow when scheduling and conducting its annual general meetings (AGM) and directors meetings.

Absent the new law, Corporations are required to hold their AGMs no more than 15 months after their previous AGM, and the financial statements presented at the AGM must be for the last fiscal period which must have ended no more than 6 months ago.

As long as the new law remains in force, however, Corporations must hold their AGMs no more than 15 months after their previous AGM and provide financial statements for the last year ending before the AGM. If this results in the Corporation being required to hold their AGM during Ontario's emergency period, then it may hold its AGM no later than 90 days after the end of Ontario's declared emergency period: Where the 15 month period ends within 30 days after the emergency period is terminated, the AGM must be held no later than the 120th day after the day the emergency period is terminated.

Absent the temporary law, Corporations that want to hold directors' meetings and members' meetings, including AGMs, by telephone or through online platforms like Zoom must ensure their constating documents permit this. Until recently, most Corporations' constating documents did not provide for electronic meetings. Many Corporations' constating documents permit directors' meetings to be held by conference call, but do not extend to new audio-visual online platforms and do not apply to AGMs and special member's meetings.

Under the new law, Corporations may hold members' meetings and directors' meetings electronically, despite any conflicting provisions in the Corporation's constating documents. As a result, no by-law amendments are required for Corporations to hold electronic directors and members meetings, including AGMs, but only as long as the temporary law remains in effect.

Once the new law expires, Corporations will have to ensure their constating documents permit electronic directors and members meetings if they want to continue to hold these meetings electronically. Given that no COVID-19 vaccine is expected to be available for quite some time, Corporations should review their constating documents now and amend them, if necessary, to ensure these meetings may continue to be held electronically after the new law expires.

This article is provided as general information and does not constitute legal advice. If you have any particular legal questions, please contact us.

Date_Published
2020-06-17
Description

peter murphy headshot

In the final instalment of a two-part series on privacy compliance for private-sector cannabis retail, Toronto business lawyer Peter Murphy looks at the privacy commissioner’s guidelines on the subject.

Recreational cannabis retailers will need legal help to balance regulatory compliance and customers’ privacy expectations, says Toronto business lawyer Peter Murphy.

Following the federal government’s recent legalization of the drug for recreational use, the Ontario government unveiled its own framework for its sale at bricks-and-mortar outlets in the Cannabis Statute Law Amendment Act (CSLAA).

Meanwhile, the Office of the Privacy Commissioner of Canada (OPC) released its own guidelines to help private-sector cannabis retailers comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).

In the first part of this series, Murphy, partner with Shibley Righton LLP, explained how the heightened sensitivity of cannabis purchase information raises the standards private operators must satisfy to comply with PIPEDA and to succeed in a market that promises to grow ever more competitive in the coming years.

“Some conflicts arise from the interplay between the heavily regulated environment of cannabis sales, and the demands of privacy law compliance,” he says. “Satisfying both will be a challenge, and retailers should seek expert privacy law and cannabis regulatory advice to assist them.”

Murphy says the OPC guidelines for privacy in cannabis sales are typical of most Canadian government missives on privacy law — written as they are in “broad strokes” and without many specifics requirements.

“While the principles-based guidelines afford retailers some flexibility, they also make it more difficult for retailers to know if they are in compliance,” he says. "Knowledge of how the privacy law has been interpreted and applied in the past is necessary to achieve compliance in the present, particularly in this new industry."

For example, Murphy points out that the OPC's guidelines advise retailers to only collect and use personal information in a way that “a reasonable person would consider to be appropriate in the circumstances.”

“That language reflects PIPEDA, and it’s important for retailers to be aware that this 'reasonable person' standard applies regardless of whether or not the individual consented to the collection or use of the information,” Murphy says.

He says the OPC's guidelines "urge retailers to obtain meaningful consent to the collection and use of customer personal information, by informing customers about what is being collected and why, as well as who it may be disclosed to, and any residual risks of harm," he says.

"Retailers will have to develop procedures with care to ensure consent is obtained in a compliant way."

Murphy says the OPC's guidelines also call for cannabis retailers to use video surveillance only if “less privacy-intrusive measures cannot achieve the same ends,” and requires retailers to notify individuals with clearly visible signage before they enter the store.

He says these guidelines could bump up against Ontario’s cannabis regulations, which require 24-hour video surveillance both inside and outside stores.

“While the cannabis regulations make video surveillance a must for retailers, the privacy law still applies,” Murphy says. “Retailers must have policies and procedures in place to limit employee access to the recordings to those who need it for legitimate purposes, to ensure the information is properly safeguarded and to ensure the videos are retained only as long as they’re needed — keeping in mind the retention requirements in the cannabis regulations.”

Another potential conflict arises in the area of customer identification, he says, because provincial regulations require retailers to check customers’ identification to prove they are over 19 years of age.

"The regulations also require retailers to provide the regulator, on request, with records demonstrating the retailer's compliance with this requirement."

Murphy says retailers may be tempted to keep copies of customer IDs in order to ensure they have the necessary records to satisfy the regulator.

Doing so, he says, "would likely be in breach of privacy laws. For example, the OPC guidelines direct retailer to only collect the least amount of personal information necessary to achieve the retailer's legitimate purpose.

“Customers are not going to be comfortable with retailers keeping copies of their IDs, given the sensitivity of the personal information,” he says. "Retailers should establish some other form of documentation to satisfy the regulator, such as policies and procedures and employee sign-off sheets."

The sensitive nature of buying cannabis also raises concerns about the use of payment cards and where that information will be processed, says Murphy. While PIPEDA does not bar custodians of personal information from processing data on servers outside Canada, the guidelines are clear that it is generally safer to use servers based in this country.

"There is a good chance that payment card information will be processed outside Canada, making that information potentially accessible by foreign law enforcement," he says.

“Retailers should notify customers up front if payments will be processed outside Canada,” Murphy says. “Consumers who are mindful of that fact may choose to patronize retailers who provide an assurance that their information will not be processed at any point outside Canada, or they may wish to limit their purchases to cash transactions.”

The OPC guidelines conclude by noting that organizations must create privacy policies and practices to comply with PIPEDA, including procedures for accepting and responding to complaints from customers. To ensure they are effective, the OPC also recommends training for all staff.

“Retailers should keep in mind that policies are not static documents,” Murphy says. “They must reflect the existing practice of the organization and the current state of both privacy laws and cannabis regulations, which means they need to be regularly updated and consistently followed in practice.”

Click here to read part one, where Murphy discussed the role that privacy will play in the market. 

Date_Published
2019-05-09
Description

peter murphy headshot

In the first instalment of a two-part series on privacy compliance for cannabis retail stores, Toronto business lawyer Peter Murphy looks at the role privacy will play in the market.

Customer privacy policies will become a selling point for recreational cannabis retailers as Ontario’s private market develops, Toronto business lawyer Peter Murphy tells AdvocateDaily.com.

Following the federal government’s recent legalization of the drug for recreational use, the provincial government unveiled its own framework for sales in the Cannabis Statute Law Amendment Act.

While the Ontario Cannabis Store retains a monopoly over online sales, Murphy, partner with Shibley Righton LLP, says the model selected for private-sector bricks-and-mortar retailers has created opportunities for smaller players to enter the market after the new administration abandoned the previous Liberal government’s plans for complete provincial control over sales.

Though only a few stores are officially up and running since winning the licensing lottery, Murphy expects privacy compliance to take centre stage as they attempt to differentiate themselves in an increasingly competitive industry.

“Recreational cannabis consumers prefer retailers who offer the greatest protection of their personal information, and who best limit its use,” he says. “Privacy compliance will not only be a legal necessity in this industry, but also a key competitive factor.

“Cannabis consumers are sensitive about their personal information for a number of reasons, and that sensitivity leads them to focus even more on the retailers' privacy policies and practices.”

For example, Murphy says some employers have banned employees from ever using cannabis. He says cannabis use remains illegal in many jurisdictions outside Canada, most notably in the U.S., where border authorities have threatened to bar Canadians who use the drug or are involved in the cannabis industry from entering the U.S. or from being granted citizenship.

In addition, the Associated Press reports that nations including Japan and South Korea have warned their citizens they could face criminal arrest back home for possession of cannabis while in Canada, despite its legal status here.

Murphy warns that, as a result, the disclosure of payment card or other cannabis purchase information will be a huge concern for many consumers.

"My view is that any cannabis retailer who wants to be successful in the long run will need to demonstrate robust privacy compliance," he says.

“The sensitivity of this information raises the bar on privacy compliance in a number of areas, including the safeguarding necessary to protect that information, the form of consent required for its collection, use and disclosure, and the handling of payment card information," says Murphy.

Stay tuned for part two where Murphy will look at the privacy commissioner’s guidelines on the subject.

 

Date_Published
2019-04-26
Description

peter murphy headshot

Canadian businesses may need to account for the European Union’s wide-reaching General Data Protection Regulation (GDPR) in their processing contracts, Toronto business lawyer Peter Murphy tells AdvocateDaily.com.

The GDPR came into effect in May last year, replacing the looser Data Privacy Directive (DPD) which had governed the handling of personal data within the EU for more than two decades.

Murphy, partner with Shibley Righton LLP, says Canadians may wonder why they must comply with a regulation from a foreign jurisdiction, but he explains that GDPR’s reach is extensive.

"The GDPR applies to any business that engages in data processing related to goods and services offered to EU residents, regardless of where their business is located," he says.

“It also applies to businesses that monitor the behaviour of individuals where the behaviour takes place in the EU,” Murphy adds. “Where the GDPR applies, Canadians may be surprised by some of the resulting requirements.”

Whatever difficulties that compliance with the new regulation imposes on data processing businesses in this country, Murphy says they can’t afford to ignore the GDPR, thanks to the eye-watering nature of its potential penalties. Under the GDPR, fines for non-compliance may be imposed in amounts up to the larger of four per cent of an organization’s global turnover, or 20 million euros — about $30 million Canadian.

“That’s way beyond any fines that may be awarded under Canadian privacy laws,” Murphy says.

Although companies that are currently in compliance with Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) face a smaller jump than their counterparts south of the border, Murphy says there is still a significant gap they will need to bridge to achieve GDPR compliance.

“Canadian privacy laws are more onerous than the American ones, but they still tend to be principle-based and open to interpretation, whereas the GDPR is more prescriptive and specific in terms of the obligations it imposes,” he says.

For example, Murphy says the GDPR divides its data processing requirements into two categories: those for “data controllers” who determine the purpose and means of processing certain personal data, and a separate set for “data processors,” who process data on behalf of controllers.

“It’s important to understand the distinction,” says Murphy, adding that the GDPR lays out specific requirements for inclusion in contracts concerning the processing of personal data. These requirements include the following:

  • Data processors must be obligated to process personal data based only on a documented instructions from the data controller: “Every instruction must be documented, so those given orally may not be sufficient,” Murphy says.

  • Persons authorized to process data must be subject to confidentiality requirements.

  • Data controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which may include the use of encryption, the ability to restore the availability and access to personal data in the event of a physical technical incident and a method for security testing and assessment.

  • The contract must stipulate that the data processor will assist the data controller by the appropriate technical and organizational means to respond to requests concerning the data subject’s rights, which includes their rights of access, rectification of errors, data portability, and to be forgotten. “These requirements are not only more explicit than in PIPEDA but go beyond the requirements in that legislation,” Murphy says.

  • Processors must be obligated to assist controllers in complying with their data protection impact assessments and breach notification obligations under the GDPR, both to government authorities and individual data subjects.

  • Data processors must be obliged to delete or return all personal data to the controller after the end of their provision of service, at the data controller’s request.

  • Data processors must be required to make available all the information necessary for a data controller to demonstrate compliance with these GDPR requirements and allow for compliance audits.

Murphy says that covering the GDPR properly in data processing contracts is more than just an exercise in legal compliance.

"Complying with these requirements may impose unanticipated costs on one or more parties to these agreements,” Murphy says. “Taking the GDPR's requirements into account is of great importance now that the GDPR is in force, not only to avoid fines but also to properly allocate obligations arising from compliance and related costs among the parties to data processing contracts.”

Date_Published
2019-03-06
Description

peter murphy headshot

The responsibilities of an estate trustee, who administers the personal and financial affairs of a deceased person, can be greater than expected, says Toronto estates lawyer Peter Murphy.

Murphy, partner with Shibley Righton LLP, says it can be enormously helpful for an estate trustee, or executor, to become acquainted with all that’s involved before agreeing to take on the job.

“Being an estate trustee takes a fair bit of time and effort, and it often involves more than people realize unless they have experience in this area,” he tells AdvocateDaily.com.

The obligations include administering the estate according to provincial law, as well as federal requirements such as the Income Tax Act, Murphy says.

The process begins with examining the will to confirm who the estate trustee is. Murphy says it could be more than one person, which could allow them to split up the work.

"However, having multiple trustees can make decision-making more difficult," he says.

"The first responsibility," he says, "is usually working with a funeral director to take care of burial or cremation and ceremonial arrangements."

Murphy says the estate trustee must also:

  • Determine who the beneficiaries are, then find and notify them
  • Identify the assets of the estate
  • Set up a bank account for estate finances
  • Determine, settle and pay the estate's debts
  • File tax return, pay taxes and obtain a clearance certificate for the estate
  • Deal with any claims against the estate, including dependent's relief and Family Law Act claims
  • Distribute the estate's assets to beneficiaries according to the will

“When you’re looking at these obligations to pay debts and taxes, it’s often useful for the estate trustee to retain professional services like an accountant,” Murphy says. "Legal advice is also recommended, particularly for interpreting the will, understanding the estate trustee's duties, and applying to the court for probate, where necessary."

Some, but not all estates, will require probate, he says.

Depending on the nature of the assets, an estate left to the deceased's surviving spouse may not need to go through probate, says Murphy.

"Even where the sole beneficiary is the deceased's spouse, probate will be required where real estate was not held jointly with the beneficiary," he says.

“It depends on the assets in the estate, the will, the requirements of third parties, and who the beneficiaries are,” Murphy says.

“If it’s necessary, the will and other required documentation will have to be submitted to the court with an application for probate. The application is for the court to approve the will and certify the appointment of the estate trustee, who will be able to use the certificate when transferring the assets from the estate to the beneficiaries.”

Estate trustees are required to maintain detailed accounts of the estate's assets, including all amounts received, invested and disbursed," he says.

"In some cases, the trustee will be required to submit these records to the court for approval."

Murphy says people are often surprised by the extent of the record-keeping obligations.

"Not every estate trustee will have the time, knowledge and skills necessary to properly keep the required accounts," he says.

“Many trustees, particularly for larger estates, will retain professional services to assist with the detailed record-keeping that they’re obliged to do,” Murphy says.

“A substantial amount of time and effort is involved. Many people do not fully appreciate this until they find themselves in that situation,” he says.

“The appropriate time to ensure a future estate trustee is aware of everything that’s involved is during the estate-planning process,” says Murphy. “That way, the person can have an appreciation of their responsibilities and be confident acting as estate trustee when the time comes.”

Date_Published
2019-01-30
Description

peter murphy headshot

In the final instalment of a two-part series, Toronto business lawyer Peter Murphy discusses the unique issues facing landlords of cannabis stores.

Landlords should seek legal advice when negotiating leases with prospective cannabis retailers, Toronto business lawyer Peter Murphy tells AdvocateDaily.com.

Murphy, partner with Shibley Righton LLP, explains that prospective cannabis retailers in Ontario are rushing to secure leases long before they are licensed due to the timing of the provincial government’s framework for selling the drug in shops across the province.

“We’re in a new gold rush,” Murphy says, adding the Cannabis Licence Act (CLA) opened up opportunities for a multitude of players in the bricks-and-mortar retail market after Premier Doug Ford's new administration abandoned the former Liberal government’s plans for a provincial monopoly over recreational cannabis sales.

“Prospective cannabis retailers want to secure leases to lock up the best locations in Ontario now so that they’re in a good position when retail licensing begins,” he says.

However, Murphy says landlords are at risk of leasing their space to a prospective cannabis retailer who might not have a viable business by the time the market finally starts in 2019.

For example, municipalities still have until Jan. 22 to opt out of cannabis retail sales.

Meanwhile, the Alcohol and Gaming Commission of Ontario (AGCO), which will oversee the licensing regime for private retailers, has not started accepting licence applications.

"Landlords should be aware that the viability of a cannabis retailer's business remains uncertain — at least until all the necessary licences are granted and zoning is confirmed," says Murphy.

He says landlords will be opening themselves up to the AGCO's scrutiny by agreeing to lease their premises to a prospective retailer of recreational cannabis. He explains that the CLA allows AGCO officers to investigate the “character, financial history and competence” of persons, including landlords, as part of their licensing decisions. The law also makes it an offence to “hinder, obstruct or interfere” with an investigation under certain circumstances.

Murphy says some landlords may find their tenants selling cannabis without a licence, pointing to the recent spate of illegal dispensary closures, which were swiftly followed by re-openings.

“The regulations under the CLA provide that anyone who sells cannabis illegally after Oct. 17, 2018 will be denied a licence. However, the potential profits of selling before the licensed market starts are so lucrative, that many dispensaries are open for business anyway,” he says.

Murphy says landlords could be on the hook if their tenants are caught operating illegally because Ontario's recreational cannabis laws create specific offences for landlords who “knowingly permit” their premises to be used for unlicensed sales of marijuana. The resulting penalties for landlords include large fines and up to two years in jail.

“To defend this charge, landlords would have to show they took reasonable actions to prevent such activity, and that starts with carefully addressing the issue in leases,” he says.

"Landlords will not be able to rely on a technique known as 'distraint' that allows them to seize other types of inventory and sell it to cover rent arrears," says Murphy.

“The remedy of distraint will not be possible here, because the sale of this particular inventory would be illegal without the proper licences. As a result, landlords should expect to have more limited remedies for defaults on the lease," he explains.

"When entering into leases or offers to lease with prospective cannabis retailers, landlords should carefully consider the new cannabis laws and regulations and ensure appropriate protections are obtained," says Murphy.

For part one, where Murphy discussed the issues facing cannabis store retailers, click here.

Date_Published
2018-11-26
Description

peter murphy headshot

In the first instalment of a two-part series, Toronto business lawyer Peter Murphy looks at the issues facing cannabis store retailers.

Prospective cannabis retailers need to proceed carefully as a new gold rush gets underway in the market for bricks-and-mortar sales of the newly legal drug, Toronto business lawyer Peter Murphy tells AdvocateDaily.com.

Following the federal government’s recent legalization of cannabis for recreational use, the provincial government unveiled its own framework for licensing retailers in the Cannabis Licence Act (CLA).

And Murphy, partner with Shibley Righton LLP, says the province’s private sector model for retail stores has sparked a scramble for the best locations.

“Cannabis retail in Ontario is the new gold rush,” he says. “There’s a huge potential opportunity here, and many new businesses are going to be getting into this.”

While the former Liberal government had planned a provincial monopoly over the retail sales of cannabis, similar to the LCBO, Premier Doug Ford's Tory administration has established a licensing regime for private retailers overseen by the Alcohol and Gaming Commission of Ontario (AGCO).

However, the AGCO is not yet accepting licence applications and doesn’t expect to be ready to receive any before December. When it is up and running, the CLA's two-stemmed approach will require businesses to obtain a retail operating licence, plus a retail store authorization for every location they plan to operate. A third type of licence, for cannabis retail managers, will also be required for every individual responsible for a store's management and compliance.

Regulations under the CLA provide additional requirements that must be met before licences may be obtained, Murphy says.

“For example, the regulations under the CLA say that retail stores will not be allowed within 150 metres of a school,” he says. “You can bet prospective retailers are looking at Google maps and starting to lock up the best locations.

“Cannabis retail is going to be heavily regulated, and anyone getting into the retail business should be prepared to bear related costs. Advertising and promotion are already heavily restricted at the federal level, and the CLA requires every individual hired to work in a cannabis retail store to complete AGCO-approved training programs,” Murphy says.

He also says the Ontario Cannabis Retail Corporation has the exclusive right to sell cannabis to authorized retailers, which will limit their ability to competitively source inventory.

Another potential problem for retailers is that municipalities still have until Jan. 22 to opt out of cannabis retail sales. Richmond Hill and Markham have already taken advantage of the opportunity, but Murphy says individual retailers could be left exposed if they agree to lease a particular location in a municipality that subsequently joins the list of non-cannabis jurisdictions.

To mitigate their risks, Murphy says cannabis retail hopefuls looking to enter into a lease should consider negotiating for a refundable deposit and the ability to walk away if zoning or licensing permits do not come through.

“You don’t want to be locked into a long-term lease without a viable business, either because of zoning or other surprises,” he says.

Stay tuned for part two, where Murphy will discuss the unique issues facing landlords of cannabis stores.

Date_Published
2018-11-19
Description

peter murphy

Canada’s corporate law regime provides a welcoming environment for the growing number of businesses recasting themselves as public benefit corporations, says Toronto corporate lawyer Peter Murphy.

B Lab, the organization that administers the B Corp certification bestowed on for-profit companies that demonstrate a commitment to sustainability and environmental responsibility, reports that there are now more than 200 Canadian companies operating in accordance with its values.

To gain B Corp certification, B Lab requires companies to alter their articles of incorporation to reflect a commitment to certain societal values, as well as a number of further assessments that score businesses for their accountability and transparency. They are then subject to recertification every two years and a failure to satisfy B Lab they are keeping up their end of the bargain could result in decertification.

But Murphy, a partner with Shibley Righton LLP, says companies don’t necessarily need the B Lab endorsement in order to reap the rewards of presenting themselves as a “public benefit corporation.”

“When a company hardwires social and environmental concerns into its DNA, it can help attract and retain customers and employees, and, in some cases, it may also have the effect of attracting additional investment,” he tells AdvocateDaily.com. “There are external benefits, but it may also have legitimate internal benefits by bringing these issues into the boardroom.

“People expect businesses to be looking at broader concerns than pure profit-making,” Murphy adds.

He says the development of “public interest corporation” has its roots in the United States, where it was controversial due to the requirement in U.S. law that corporations act in the best interests of shareholders.

By contrast, he says the Supreme Court of Canada has affirmed that the general duty of company directors to act in the best interests of the corporation may extend beyond the best interests of shareholders to encompass broader stakeholders.

“Essentially, the Supreme Court held that directors can consider factors other than maximizing corporate profits when making decisions in the best interests of the corporation, which is closer to the public benefit corporation model than the general duty of directors under U.S. law,” Murphy explains.

As a result, he says Canadian for-profit corporations can embrace the public interest corporation model by amending their articles of incorporation to include language “expressly permitting directors to consider the interests of other stakeholders in addition to those of the shareholders when acting in the corporation's best interests.”

Murphy says this permissive approach mitigates the risk of legal action accusing directors of straying beyond their mandates when considering issues other than profit in the course of corporate decision-making.

“I don’t think directors are looking for greater levels of risk, because they already face pretty significant accountability with derivative actions and oppressive remedies that provide strong means for various stakeholders to assert themselves,” he says.

"By taking a permissive approach, a public benefit corporation can establish that the directors shall consider the interests of the broader community, including the environment, when making decisions that are in the best interests of the corporation."

Date_Published
2018-09-27
Description

The federal government's proposed changes to rules for the taxation of private corporations have changed since they came out last summer, Toronto corporate lawyer Peter Murphy tells AdvocateDaily.com.

In July 2017, the Ministry of Finance released proposals to change the rules in four areas:

1. to extend the tax on split income rules to spouses, adult children and other family members;

2. to limit family business owners' access to the lifetime capital gains exemption (LCGE);

3. to prevent private corporations from converting amounts that would otherwise be payable to shareholders as dividends into lower-taxed capital gains; and

4. to develop ways to neutralize the tax benefits of retaining passive benefits inside a private corporation.

But after consultations and written submissions, the government has since backed down on some of the measures, including putting aside the proposals relating to the conversion of income into capital gains and those limiting access to the LCGE, says Murphy, a partner with Shibley Righton LLP.

"The income conversion to capital gains and LCGE changes would have had a big impact on the taxation of intergenerational transfers of family-held businesses and on intergenerational estate planning.

“The government came to realize that these proposals would have imposed tax burdens that are not currently present on the intergenerational transfers of family-held businesses, so they backed off on that.”

At the same time, he says, the government has indicated that it plans to continue a dialogue with business owners this year in order to develop changes that would better accommodate the intergenerational transfers of businesses while achieving the goal of “more fairness for the tax system.”

“We do expect that they will come back with new rules regarding conversion of private corporations earnings into capital gains some time in 2018,” he says.

Owners of private corporations also voiced concerns about the proposal that passive investments in a private corporation would receive different tax treatment, says Murphy.

“In many cases, holders of private corporations will retain their earnings within the corporation in the form of investments — almost like an RRSP. While in the corporation, the investments generate revenue, passive income, in a tax beneficial way. The government is proposing to increase the taxation to minimize the tax benefit to holders of private corporations generating passive investment income in the corporation.”

After some pushback, the government announced that it would be moving forward with measures to limit tax deferral opportunities related to passive investments, with details of the plan to be included in the 2018 budget.

“We don’t know exactly what those are going to be, but we know they plan to make some changes to increase the taxation on passive investments held in private corporations,” says Murphy.

"We expect the details to be released with the 2018 federal budget," he says.

In the fall, the government also clarified its proposal to further limit the tax benefits of income sprinkling — namely, the process for paying a private corporation's earnings to family members to benefit from their lower overall tax rates.

"The government issued bright lines tests to determined whether adult family members are sufficiently involved in the business and, therefore, entitled to be excluded from the tax on split income (TOSI), that would otherwise apply to tax dividends and interest they receive from the business at the highest marginal tax rate," says Murphy.

"According to the government, the adult family member must have made a 'regular, continuous and substantial' contribution to the business to be excluded from TOSI."

The government's guidance on the application of the split income rules for adults can be found here.

Murphy says owners of private corporations should consider taking steps now in order to get ahead of the changes.

“In the case of the changes to the tax on split-income, owners of private corporations should ensure their companies are set up so that if owned by family members, they own different classes of shares so that dividends can be paid to various shareholders and not to all shareholders at the same time, which might trigger TOSI,” he says.

“That’s something they should definitely consider if all of their shares are held within the same class,” he adds.

"In addition, it might be appropriate to get those family members on the payroll now so they receive a salary instead of dividends from the company."

Date_Published
2018-03-01
Description

Peter Murphy Head Shot

Toronto lawyer Peter Murphy knows first hand how easy it can be to avoid making a will.

Despite having a lawyer in the family, Murphy’s own parents were well into their 70s before his mother asked him about preparing her will — and only after she was prompted by a friend.

“This friend was a little surprised that my mother hadn't completed her estate planning, and I was a little chagrined to think it was something that we had never focused on,” Murphy, a partner with Shibley Righton LLP, tells AdvocateDaily.com.

“We immediately started the process of estate planning and drawing up wills and powers of attorney for my mother and father.”

Murphy says his parents’ experience is far from unique.

“I think many people don’t understand the importance of having a will and powers of attorney. They tend to put off thinking about these types of issues,” he says.

Even if they appreciate the importance of estate planning, it’s easy to avoid taking action.

“People see it as an expense they would prefer not to incur," says Murphy. "They don't realize that estate planning will often save money and a great deal of aggravation in the long run. Every adult should have their will and powers of attorney in place.”

Murphy says the savings on taxes alone more than justify the cost.

"Steps can be taken to ensure certain assets will not be subject to estate administration tax, which, in Ontario, is the highest in the country," he says.

"The estate planning process can also identify and take advantage of other opportunities for tax planning, minimizing the amount of taxes that will have to be paid out on death.”

Dying without a will can lead to court proceedings to sort out the appointment of executors and guardians, which could have been simply directed in a will.

"Without a will, additional time-consuming procedures may be necessary, which can really be a problem for beneficiaries who depend on the deceased financially," Murphy says. "People can avoid unnecessary aggravation and expense by taking the time now to ensure their affairs are in order."

Murphy says that by drawing up a will, testators can also ensure their wishes are carried out after death.

“If you die without a will, the government decides how your estate will be divided,” he says. “Those results may not be what you intended, particularly if you were separated after marriage, or have a common-law spouse.

"If you have minor children, a process will have to be carried out to decide who becomes their guardian. Most people will achieve peace of mind knowing they have made arrangements for their wishes to be carried out, particularly when dependents are involved," Murphy adds.

He says a lawyer can also offer guidance to individuals on choosing the best person to act as executor of an estate.

“People tend to underestimate the responsibilities and time involved in the role. A lawyer can help you make an informed decision,” Murphy says.

In addition to tax planning and will preparation, an estate plan usually includes drawing up powers of attorney for health care and property, he says.

“These are documents that authorize someone to make decisions on your behalf if you ever become incapable of governing your own affairs, so it’s important to get these in place while you’re still of sound mind,” he says. “You can’t grant powers of attorney or make a valid will once you’re no longer mentally capable, and unfortunately, loss of mental capacity can happen at any time, without warning.”

In the case of Murphy’s parents, the timing of their estate planning was fortunate. His mother fell ill unexpectedly a few years later and, after a period in hospital, died. Her hospitalization revealed health issues suffered by Murphy’s father, who was soon diagnosed with dementia.

Although it was a difficult time for the family, Murphy says things would have been much worse had his parents not completed their wills and powers of attorney in advance.

“My parents' health deteriorated much more rapidly than we would ever have expected, so it was fortunate that our legal planning was in place,” he says. “The whole experience drove the message home to me that everyone needs to prepare for these kinds of issues," he says.

"I take pride in knowing that by assisting clients with their estate planning, I am helping them achieve some peace of mind that will be a real help to their loved ones in the future when they need it most," says Murphy.

Date_Published
2018-01-29
Description

The European Union's new privacy regulations could have a big impact on Canadian businesses, Toronto corporate lawyer Peter Murphy tells AdvocateDaily.com.

The EU's General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, replacing the Data Privacy Directive (DPD) with more comprehensive data privacy rules.

“Many Canadian companies assume this new European regulation will not apply to them,” says Murphy, a partner with Shibley Righton LLP, “but actually, it has a broad reach that will extend to many Canadian organizations. It imposes significant new requirements that are more stringent than what Canadian organizations are used to, and the penalties for violations are potentially very severe.”

“Canadian organizations should be preparing for this now to ensure they will comply by May 25, 2018,” he adds.

The reach of the GDPR will not be limited to organizations with an establishment in the EU. It will also apply to organizations outside the EU that collect or process personal information about EU residents.

“Whether your organization collects personal information on EU residents, or processes it on behalf of someone else, it will have to comply,” Murphy says.

The new regulation also takes an expansive approach when it comes to fines for non-compliance, which can reach as high as the larger of four per cent of an organization’s global turnover and 20 million euros.

“Class actions will also be available for enforcement of the GDPR,” Murphy says. “This creates another element of risk that Canadian companies need to be aware of.”

He says companies that currently comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) can't assume that means they will be in compliance with the GDPR once May 2018 rolls around.

“Adhering to PIPEDA will make them somewhat compliant, but the GDPR is more stringent in a number of ways,” Murphy explains.

For example, data controllers and processors will be required to carry out privacy security assessments to test their technical and organizational security measures under the GDPR. In addition, affected companies will be required to conduct privacy impact assessments before carrying out data processing that may pose a high level of risks to the individuals concerned.

“Data processors will be required to use encryption and to keep a register of their activities,” Murphy adds.

The GDPR also incorporates new rights for individuals whose personal information has been collected, such as the right to be forgotten, which allows people to object to, and request the deletion of, information about themselves under certain circumstances.

The GDPR’s data portability rules will also pose new requirements for subject Canadian organizations. PIPEDA already requires Canadian organizations to provide individuals with access to the information the organization holds about them. In certain circumstances, the GDPR will also require subject organizations to provide the information to the individual, on request, in a format that allows them to use it in another database.

“It’s not a carte blanche right for everyone, but it’s still something that will require businesses to update their infrastructure in order to be able to comply if needed,” Murphy says.

Like its predecessor DPD, the GDPR allows data to flow out of the EU to other jurisdictions whose privacy control regimes are deemed adequate. For the moment, Canada is among the approved countries, but Murphy says there’s no guarantee that it will retain its status indefinitely.

“There is a risk that the EU will consider Canadian privacy protection inadequate at some point, so organizations will have to be prepared for that eventuality,” he says.

Murphy says the implementation of what the GDPR calls “binding corporate rules” or contracts with “standard contractual clauses” is one way Canadian companies will be able to insulate themselves in the event the EU changes its mind on Canadian privacy practices.

Date_Published
2017-12-27
Description

Peter Murphy Head Shot

The Ontario government has proposed immediate changes to the rules for not-for-profit corporations, says Toronto corporate lawyer Peter Murphy.

If enacted, the changes will bring some much-needed modernization to the statute governing the sector in the short term, says Murphy, a partner with Shibley Righton LLP.

Bill 154, the Cutting Unnecessary Red Tape Act, 2017, which passed second reading, is an omnibus bill that allows for amendments to various pieces of legislation. It proposes changes to the Ontario Corporations Act that would apply while the sector waits for the new legislation, Ontario Non-for-Profit Corporations Act (ONCA), to come into force, Murphy tells AdvocateDaily.com.

Bill 154 is now before the Standing Committee on Justice.

The ONCA was passed by Ontario's legislature in 2010, but has not yet been proclaimed. Until it is, the Ontario Corporations Act will continue to apply to not-for-profit organizations incorporated in Ontario.

The Act will not be proclaimed until the government completes related upgrades to its administrative technology, says Murphy.

"They advised the sector that at least 12 months' notice will be given before the Act comes into force and that notice has not been given yet," he says.

Once the ONCA is in force, Ontario's existing not-for-profits will have three years to adopt the new legislation. Murphy says the current law will continue to apply during that period as well, making the proposed changes even more welcome.

"These are useful upgrades to the existing statute that continues to apply until we get to the ONCA regime," Murphy says.

A fundamental change proposed in the bill would extend ONCA's objective standard of care for directors to the existing legislation, he explains.

"The new standard would require directors to act honestly and in good faith with a view to the best interests of the corporation and to exercise the care, diligence and skill that a reasonable, prudent person would exercise in comparable circumstances. Until the changes come into effect, a common-law subjective standard of care applies. That standard requires a director to exhibit a degree of skill in his or her duties that may reasonably be expected from a person of his or her knowledge and experience."

The bill would modernize the standard of care for directors in line with modern corporate statutes, says Murphy.

Another change Murphy welcomes is that a director would no longer be required to be a member of the not-for-profit corporation. This would allow for more flexible member structures, he says.

Other proposed changes would allow meetings to be held electronically or by telephone and permit meeting notices to be distributed electronically. While these changes should be welcomed by most Ontario not-for-profits, Murphy says proposed changes for removing a director are even more important.

Under the existing legislation, a director can only be removed if the organization's bylaws allow for it. Even with the necessary bylaw provision, the existing law requires a membership vote of two-thirds to remove a director, Murphy says.

The bill proposes that a majority of the members that elected the director can remove him or her. This lowers the voting threshold and would apply even where an organization's bylaw is silent on the matter, he says.

Murphy says the bill also contains positive changes to audit requirements.

"Currently, every not-for-profit is required to obtain audited financial statements, except where the corporation's annual income is under $100,000 and all the members consent to not having them," Murphy says.

"The change would lower the consent requirement to 80 per cent of the votes cast by members and the annual revenue of the organization would have to be no more than $100,000," he says.

"That's significant. To get 100 per cent of your members to consent is pretty tough — even for small organizations that can't afford an audit. The proposed change would give them 20 per cent wiggle room which would be welcomed, I'm sure, by many of the smaller not-for-profits."

Date_Published
2017-10-26
Description

On June 7, the federal government announced that it is suspending the implementation of the private right of action under Canada’s anti-spam legislation (CASL). The move was in response to concerns raised by Canadian businesses, charities and the not-for-profit sector.

The suspended provisions of CASL were scheduled to come into force on July 1, 2017 and would have allowed any interested person to file lawsuits for alleged violations of the legislation.

The government has not stated how long this indefinite suspension will last. The legislation will be submitted to a parliamentary committee for review.

According to the press release issued by Innovation, Science and Economic Development Canada, “Canadians deserve an effective law that protects them from spam and other electronic threats that lead to harassment, identity theft and fraud. At the same time, Canadian businesses, charities and non-profit groups should not have to bear the burden of unnecessary red tape and costs to comply with the legislation.”

The government claimed it is committed to striking the right balance between protection from spam and Canadians’ reasonable use of electronic communication. It also said it “supports a balanced approach that protects the interests of consumers while eliminating any unintended consequences for organizations that have legitimate reasons for communicating electronically with Canadians.”

CASL came into effect on July 1, 2014. The law prohibits individuals and organizations from sending commercial electronic messages to Canadians without their consent. Penalties for the most serious violations of the legislation can be issued up to a maximum of $1 million for individuals and $10 million for businesses.

The private right of action promised to extend enforcement of CASL beyond government agencies to all interested persons. The suspended right would have permitted interested persons to file lawsuits, starting July 1, 2017, seeking actual and statutory damages for alleged breaches of CASL. Statutory damages would have amounted to $200 per occurrence, up to $1 million per day. It is widely expected that the CASL private right of action, if implemented, will lead to class-action lawsuits joining the recipients of infringing electronic messages into large group lawsuits.

Canadians should keep in mind that, despite the indefinite suspension of the private right of action, CASL remains in force and significant fines can still be issued for breaches. Since CASL came into effect, the CRTC (Canadian Radio-television and Telecommunications Commission) has issued numerous fines, including one case where the penalty exceeded $1 million.

Date_Published
2017-06-26
Description

It's rare for an entirely new market to open for business in Canada. So it's no surprise the government's plan for legalizing recreational cannabis has created a rush of businesses positioning themselves to claim a piece of this new, lucrative market.

Understanding the rules around the recreational cannabis industry will be imperative when making investment and marketing decisions. A detailed appreciation of the rules will also be necessary to ensure industry participants comply with the law.

Canada's proposed Cannabis Act — if enacted without change — will distinguish legal activity from actions that warrant a lengthy prison stay by a hair's width. For example, an individual will be permitted to grow up to four cannabis plants at home, provided they are no more than 100 cm in height. If they grow just one millimetre taller, the grower could face 14 years in prison.

The act may change before coming into force, given much of it is subject to regulations that have not yet been drafted. Based on the current wording, however, we can expect several significant restrictions on the promotion of cannabis, accessories and related services.

Blanket Prohibition

Unless otherwise stated, the act will prohibit:

(a) communicating information about its price or distribution;

(b) promotion that could reasonably be believed to be appealing to young persons;

(c) promotion that uses testimonial or endorsement, however displayed or communicated;

(d) promotion that depicts a person, character or animal, whether real or fictional; or

(e) presenting the product in a manner that associates it with a way of life that includes glamour, recreation, excitement, vitality, risk or daring.

Point of Sale

Authorized cannabis vendors and those selling marijuana accessories or related services will be allowed to promote the products at the point of sale if the information is limited to availability and price.

The act will prohibit authorized vendors from selling it in a package or with a label:

(a) if there are reasonable grounds to believe the package or label could be appealing to young persons;

(b) that sets out a testimonial or endorsement, however displayed or communicated;

(c) that includes a depiction of a person, character or animal, whether real or fictional;

(d) that associates the cannabis or one of its brand elements with a way of life that includes glamour, recreation, excitement, vitality, risk or daring; or

(e) that contains any information that is false, misleading or deceptive or that is likely to create an erroneous impression about the characteristics, value, quantity, composition, strength, concentration, potency, purity, quality, merit, safety, health effects or health risks of the cannabis. Similar restrictions apply to the sale of cannabis accessories.

Branding

Authorized marijuana producers, vendors and distributors may promote cannabis, accessories and related services by means of brand-preference promotion or informational promotion, but only if the promotion meets one of the following criteria:

(a) it must be made in a communication addressed and sent to an individual 18 years or older who is identified by name;

(b) it must be in a place where young persons are not permitted by law; or

(c) it must be communicated by means of a telecommunication, where the person responsible for the content of the promotion has taken reasonable steps to ensure that the message cannot be accessed by a young person.

Brand-preference promotion is defined as promotion of cannabis, a marijuana accessory or a related service by means of its brand characteristics.

A person will be permitted to promote marijuana — or related accessories or services — by displaying a brand element of something that is not cannabis or a cannabis accessory, other than:

(a) something associated with young people (under 18 years old);

(b) something that could be appealing to young people; or

(c) something associated with a way of life that includes glamour, recreation, excitement, vitality, risk or daring.

The act specifically contemplates regulations that will prohibit the use of specified terms, expressions, logos, symbols or illustrations in the promotion of cannabis, or related accessories or services.

Celebrity and Event Promotions

The act will prohibit the display — in the sponsorship of a person, entity, event, activity or facility — of the following:

(a) a brand element of cannabis, of a cannabis accessory or of a service related to cannabis; or

(b) the name of a person that (i) produces, sells or distributes cannabis, (ii) sells or distributes a cannabis accessory, or (iii) provides a service related to cannabis.

The act will ban the following from being displayed at a facility used for a sports or a cultural event or activity:

(a) a brand element of cannabis, or a related accessories or services;

(b) the name of a person that (i) produces, sells or distributes cannabis, (ii) sells or distributes a cannabis accessory, or (iii) provides a service related to cannabis.

Giveaways and Inducements

The act will prohibit a person who sells cannabis or related accessories from doing so:

(a) without monetary consideration or in consideration of the purchase of any good or service;

(b) with any inducement for the purchase of cannabis or a cannabis accessory, including a right to participate in a game, draw, lottery or contest; or

(c) as an inducement for the purchase of cannabis or a cannabis accessory.

Misleading Advertising

The act will also prohibit the promotion of cannabis or related accessories in a false, misleading or deceptive manner that is likely to create an erroneous impression about its characteristics, value, quantity, composition, strength, concentration, potency, purity, quality, merit, safety, health effects or health risks.

Date_Published
2017-05-15
Description

Business leaders may fail to uphold their legal responsibilities if they don't take reasonable steps to prepare their companies for cyberattacks and information security breaches, says Toronto technology and business lawyer Peter Murphy, who has acted as counsel on some of Canada’s most notorious privacy breaches.

The impact can be as debilitating to an organization as a major product liability lawsuit, he tells AdvocateDaily.com.

Given the importance of data in business today, "we have reached the point where the failure to take reasonable steps to protect information in the possession or control of the organization may be a breach of the fiduciary duties owed by senior officers and board of directors of the organization," Murphy points out.

He advises firms to craft and implement policies and procedures around information protection and security incident response, as the risk of a data breach is “huge.”

"Businesses must take prudent steps to protect against loss or unauthorized use of data — and even then, they won’t be able to completely eliminate the risk of an incident. Hackers and the tools available to them are too sophisticated. So the question is not so much if a cyber breach will occur, but when.

"If a data security incident does occur, will the board and management be seen to have acted responsibly? When they respond to the incident, will they follow best management practices and comply with all legal obligations?” says Murphy, a partner with Shibley Righton LLP.

Privacy law in Canada requires companies to use physical, technical and administrative safeguards to protect the personal information they hold. That includes having locked doors and cabinets and controlled physical entry, while technical protections involve passwords and encryption, Murphy explains.

Administrative safeguards are the broadest category, and may involve tracking of data access, user background checks and other controls, as well as the implementation of security policies, plans and protocols, he adds.

"Many smaller or medium-sized organizations might be reluctant to prepare data protection and incident response policies and plans because of the time and effort required, but this exercise should not pose a material drain on resources if it is incorporated into the organization’s strategic and overall governance planning," Murphy says.

He says the responsibility to develop policies begins with the board of directors and top management, but that staff at all levels throughout the organization should be involved in cybersecurity planning.

"It's a common mistake for organizations to think that data protection is just an IT problem," Murphy stresses. "All staff need to have input and bear responsibility to comply with the resulting policies.

"The assistance of experienced legal counsel is highly recommended to ensure the policies reflect the organization’s obligations and, if implemented, will place it in an advantageous legal position.”

Murphy suggests firms start by identifying the information they possess and ranking it in value and importance.

“Then they should assess their vulnerabilities. From there, a data security policy can be created to ensure the necessary safeguards are applied,” he says.

Recording the cyber trails of staff who use the system is a useful precaution, Murphy points out.

“Even more important is exercising control over information access by former employees and contractors. Many incidents I see involve a former employee or independent contractor whose password was never turned off,” he says.

Once a data security policy has been created, the organization should prepare a data breach response policy, so it has a clear and effective response plan available to implement in the event an incident occurs, Murphy adds.

“This plan will cover breach identification and immediate IT response, creation of a management response team, breach investigation, notification, public relations, involvement of law enforcement authorities where appropriate, the offering of data theft services, and steps to ensure the breach never happens again.

"Legal counsel should be involved to ensure the plan reflects the organization’s privacy breach-reporting obligations and places the organization in the best possible position when responding to a data breach,” he says.

Murphy points out there has been phenomenal growth in class-action lawsuits against companies that experienced cyber breaches in recent years.

“The involvement of legal counsel early in the process can help the organization prepare for resulting litigation. A lawyer is best positioned to manage its relationship with privacy authorities and to ensure its disclosure obligations are followed.

“In addition, having a lawyer conduct breach-investigation interviews with staff may invoke legal privilege for those discussions. If the organization is sued for a privacy breach, that protection may be crucial,” he says.

Institutions that take action to mitigate harm to clients — such as providing identity theft services for those affected — could reduce the damages awarded against them, Murphy says.

“In a number of cases, courts have viewed the offering of identity theft services as a very important step," he says.

Organizations should also consider adding cyber-insurance to their risk-mitigation strategies, Murphy says.

Finally, he warns that organizations should not think this exercise ends when the policies and plans are completed.

“A policy is worthless if not properly implemented. That involves staff training, compliance assessment and regular policy review. Cyber security is a new aspect of management that must be attended to regularly. These issues are not going away anytime soon,” Murphy says.

Date_Published
2017-02-17
Description

Businesses should ensure their online marketing activities comply with Canada's Anti-Spam Law (CASL), says Toronto technology and business lawyer Peter Murphy.

CASL, which applies to promotional emails, instant or text messages, and other electronic information platforms, will extend to social media communications in certain circumstances, he tells AdvocateDaily.com.

"There are exceptions, but the anti-spam provisions are for commercial messages that are sent to electronic addresses. A promotional post on a business or professional's Facebook wall would not amount to a commercial electronic message under CASL because it's not being sent to any particular recipient's electronic address," Murphy says. "Similarly, posting a photo on social media, liking a post or tweeting would not fall under CASL, even if done as part of a business promotion because the communications are not sent to the recipients' electronic address.

He says CASL will apply if the social media app is used to send a promotional message to specific users' electronic addresses, provided one of the exceptions doesn't apply.

"Personal messages sent to a particular electronic address through a social media app's messaging function are subject to CASL if they're sent to encourage participation in a commercial activity, provided an exception does not apply," he explains, adding that Canadian businesses must ensure they comply with CASL if their use of social media expands into this area.

One of the goals of this legislation is to prevent spam or commercial electronic messaging that the recipient hasn’t consented to, notes Murphy, a partner at Shibley Righton LLP.

"This law made significant penalties available to the CRTC to combat spam and, as of July 1, 2017, complainants will have the right to sue infringers in court. I think most Canadians agree that outlawing spam was overdue when CASL was enacted," he says.

Murphy says law-abiding Canadian businesses have raised concerns about the time and effort required for them to navigate the complicated layers of regulation imposed by CASL.

"The root of the problem lies in the approach the Government of Canada took when drafting CASL and its regulations. Instead of defining what will be prohibited as spam with clarity, the government decided to do the opposite. CASL says you cannot send any commercial electronic message unless the numerous yet often vague provisions of CASL and its regulations permit it," he says.

For example, commercial marketers must collect express consent from their list of email recipients in a way that complies with CASL's rules, Murphy points out.

"If express consent is not obtained, senders of commercial electronic messages must be able to prove consent is implied or that an exemption is available under CASL given the circumstances of each message and its recipients. Companies must maintain tracking and records of compliance, and include an unsubscribe function and detailed identifying information in their commercial electronic messages," he adds.

Compliance requires a concerted effort to understand the regulations and to apply them to the particular electronic marketing messages, Murphy says.

"CASL enforcements have been issued against a number of companies, including Rogers Media and Porter Airlines. These are major Canadian companies with huge teams of staff lawyers, yet they were found to be in violation of CASL. If they can't or won't comply with CASL, what is a small- or mid-sized Canadian business to do?"

Marketers' email subscription lists are an invaluable asset that must be managed accordingly and, where possible, they should make it easy for potential customers to give their consent in a CASL-compliant way, Murphy says.

"Records of all consents should be retained for CASL purposes. If you wish to rely on an exemption or implied consent under CASL, ensure the specific category you rely on applies and document this for each recipient. Build systems of tracking customer activity to establish CASL-implied consents. Compliance requires the implementation of a comprehensive plan that addresses the particular marketing activities of the business and applies CASL to them," he adds.

Murphy says there is a silver lining for organizations that invest the time and effort to comply with CASL.

"In addition to avoiding significant penalties for non-compliance, they are left with more valid email lists. This provides a tool for the business to build and manage relationships with customers and prospective customers. That’s at the heart of online marketing, and is a crucial part of good management in pretty much every business today," Murphy says.

Date_Published
2017-02-02
Description

Businesses have less than seven months to get their houses in order before Canada’s Anti-Spam Legislation's (CASL) private right of action provisions come into effect next summer, according to Toronto technology and business lawyer Peter Murphy.

Although most of CASL's anti-spam provisions have been on the books since 2014, CASL's private right of action was given a three-year phase-in period, he tells AdvocateDaily.com.

"CASL’s private right of action provisions will kick in on July 1, 2017, enabling any person to launch lawsuits against violating organizations,” says Murphy, a partner at Shibley Righton LLP. "In addition to actual damages suffered for a breach of CASL's anti-spam and anti-malware provisions, courts will be able to award applicants statutory damages of $200 for each contravention of CASL up to $1 million for each day on which a contravention occurred. This is separate from the CRTC's power to issue administrative monetary penalties of up to $10,000,000 against offending corporations, which has been in place since July 1, 2014."

CASL generally prohibits the sending of commercial electronic messages without the recipient's consent, including email messages, text messages and personal electronic messages sent to social networking accounts. According to Murphy, any electronic message that is sent in or to Canada may be subject to CASL if one of its purposes is the encouragement of participation in a commercial activity. Even routine non-promotional emails can be caught, he says, if they include an advertisement or some promotional wording in the message.

"Understanding the range of electronic messages the organization sends is the first step," Murphy explains. ”The sender must determine if CASL will apply to the electronic messages it wishes to send, and if so, whether an exemption or an implied consent will be present under CASL. If the electronic message is neither exempt from CASL nor the beneficiary of an implied consent, the sender will need the express, opt-in consent of the recipient."

The onus is on the sender to prove they have the necessary consents, so organizations will need a tracking mechanism if they don’t already have one, he points out.

“They must keep records of their consents — including how the consent was granted or, where CASL permits, why a consent is implied,” Murphy notes.

The collection of express consent must follow particular requirements under CASL, he adds.

“Web sites and forms that allow users to sign up for electronic promotional updates must identify what the sender plans to do with the user’s email address,” Murphy tells AdvocateDaily.com. “They must also identify who will use the email addresses and inform the email address holders they can withdraw their consent at any time.”

Companies need to ensure they have effective unsubscribe functions for email messaging, and that they act on those requests in a timely manner, Murphy says. Organizations that send commercial electronic messages without an unsubscribe function that meets CASL requirements may also be subject to the private right of action.

"Much of the enforcement activity of the CRTC to date has focused on insufficient unsubscribe functions, so we can expect this will be reflected in private rights of action,” Murphy notes. “Insufficient unsubscribe functionality is something that really bugs people, perhaps even more than receiving an unsolicited email. And the repeated receipt of an unsolicited message really bothers people because they feel helpless to stop receiving them.”

Organizations that still haven’t implemented a CASL compliance program, including tracking of consents and maintaining records to back them up, should be very concerned about the upcoming private right of action, Murphy warns.

“For example, organizations that send promotional emails to customers who previously purchased a good or service from them have an implied consent under CASL, but that only lasts for a two-year period from their last purchase,” he explains. “Organizations that don’t have express consent from these recipients must track the time period from when they last purchased the sender's product or service and cease sending them commercial electronic messages when the implied consent expires,” he says. "For many organizations, establishing this kind of record keeping is a real challenge."

Ignoring CASL is not an option, says Murphy.

“Directors, officers and agents of an organization that breaches CASL can be held personally liable for the breach where they directed, authorized, assented to, acquiesced in or participated in the contravention,” he says. “Every director in Canada should be concerned if their corporation is not following a comprehensive CASL compliance plan."

Looking to the future, Murphy says the private right of action will be exercised in situations where a breach of CASL makes it economical for someone to do so, and that will open the door to the possibility of class actions.

“Being on the losing end of a CASL enforcement will also have negative repercussions as far as publicity,” he adds. “Consumers have come to expect good electronic messaging practices from the organizations they interact with. That's just good business.”

Date_Published
2016-11-17
Description

Toronto technology and business lawyer Peter Murphy admits many law firms could benefit from new information technologies, but he doesn’t advise them to rush into projects without aligning them to the firm's objectives through a solid business case.

Murphy, a partner with Shibley Righton LLP, says when he started out, email was the new kid on the legal technology block. Much has changed over the last two decades, but because of the nature of their profession, lawyers often view new developments in technology with suspicion.

“The legal industry may be slower than others when it comes to adopting new technologies, and that may have to do with the fact our profession is built on looking backward at the common law that’s developed over time,” he tells AdvocateDaily.com.

“A senior lawyer once told me about when the first photocopier arrived in his office," Murphy says. "He had his associates check each copy against the original because he didn’t trust the photocopier's accuracy."

Fears tend to fade once the technology has proven to be reliable, but it’s fair to say that lawyers and the legal industry in general are not early adopters, he admits. Still, there are many examples of how digital advances have changed the legal landscape in the 20 years Murphy has been practising.

“Gone are the days of going through paper-based consolidations,” he says. “Now plenty of online databases are available, making legal research much more efficient. Computer database technology is now crucial for the efficient management of evidence in litigation files, and on-line data rooms make the due diligence process of commercial transactions much easier. Project management software is being customized for lawyers to use to manage their progress on larger files."

One area where in-house counsel can benefit from new software is in time tracking and billing, which lends itself to improvement through information technology, adds Murphy.

“Billing management software packages are available to make the billing process more efficient," he says. "These applications help in-house counsel keep up-to-date on the progress of files and helps them gather and process the information necessary to manage their legal budgets more closely."

Technology can help firms run more efficiently, but investing in it without a solid business case is never a sound strategy, Murphy suggests. IT projects face particular challenges: many don’t finish on time or on budget, and absent a clear business case they face the risk of not solving the problems the organization truly requires the technology to solve. It’s important to understand the perceived business benefits and risks before moving ahead.

“A key concern is client confidentiality and data safeguarding," says Murphy. "We have all seen the news stories involving unauthorized access to organizational data, including the files of Panamanian law firm Mossack Fonseca. It is imperative that law firms employ comprehensive data security policies and precautions throughout the firm, and in particular to new technologies they implement."

Murphy expects in the future, advancements in artificial intelligence might make light work of what is today labour-intensive research and analysis for lawyers.

"Leveraging cutting-edge software may assist in legal analysis such as application of the Income Tax Act and regulations," he says. "When implemented properly, technology will continue to offer us new ways to add value for clients."

Date_Published
2016-10-19
Description

OTTAWA – Companies that lose personal customer data should be required to directly notify affected people — with limited exceptions — about the nature and date of the lapse along with steps taken to reduce the harm, says the federal privacy watchdog.

The Trudeau government plans to introduce breach-notification regulations in coming months to improve transparency and help consumers.

Several large businesses have been stung by hackers in recent years, causing embarrassment for proprietors and potential headaches for customers whose personal and financial details are suddenly circulating in cyberspace.

Legislation passed last year laid the groundwork for mandatory reporting of private-sector breaches that pose a “real risk of significant harm'' to individuals.

The government recently asked the public and interested parties for comment on shaping the regulations and determining what companies and other private organizations will have to do in the event of a lapse.

The office of federal privacy commissioner Daniel Therrien says companies should directly notify those affected by a breach through means such as telephone calls, emails or mailed letters.

The notice should tell people about the circumstances, the date of the breach (or at least an estimate), a description of the personal information, steps taken to control the harm, measures those affected can take and the contact information of someone at the company who can answer questions.

Setting out the requirements in regulation would “provide important clarity and certainty about the type of information that organizations should communicate to individuals,'' the commissioner's office says in its submission to the government.

It also urges the government to give thought to cases in which affected people live outside Canada.

In its submission, the Canadian Bar Association also recognizes the importance of providing meaningful notice to individuals of data breaches. “The regulations should avoid being overly prescriptive, however, in the form and manner of notifications. Organizations should have flexibility to determine whether direct or indirect notification is most suitable.''

The privacy commissioner says organizations should be allowed to notify individuals indirectly only when:

- Direct notification is likely to cause undue further harm, for instance by informing family members of the person's purchase of a confidential product or service;

- Giving direct notification to every affected person on an individual basis would involve prohibitive costs;

- Contact information for affected individuals is out of date, incomplete or inaccurate.

Under the new system, organizations covered by Canada's private-sector privacy law would also have to report significant lapses to the privacy commissioner, which would allow his office to determine whether appropriate actions were indeed being taken.

In addition, organizations that experienced a breach would have to keep a record of the data breach and make these records available to the privacy commissioner upon request.

One of the thornier issues to be decided in the regulatory scheme is whether data breaches in which the information is encrypted — encoded so as to make it indecipherable without a digital key — should be considered “low risk'' events.

The privacy commissioner says encryption may indeed play a role in reducing or even eliminating risk of harm.

However, it cautions that as algorithms evolve, encryption standards once deemed strong “may be eventually be rendered decipherable.'' Alternatively, an organization's key management system might be compromised.

“In either case, personal information could then be easily decrypted.''

In an interview with AdvocateDaily.com, Toronto privacy lawyer Peter Murphy says the privacy commissioner’s comments are not surprising.

“We have been waiting for the Digital Privacy Act's notification provisions to come into effect since this legislation was enacted in June 2015. As the Privacy Commissioner of Canada indicates, the regulations with respect to breach notification are an opportunity for the legislator to provide much needed clarity,” says Murphy, a partner with Shibley Righton LLP.

For example, he says, the new rules require that notice of a privacy breach be given where there is a real risk of significant harm to an individual whose personal information was affected.

“As the privacy commissioner has pointed out, it would be useful if the regulations provide some guidance as to what will be considered a real risk of significant harm,” he says.

The Personal Information Protection and Electronic Documents Act, which applies to the private sector in Ontario and many other Canadian provinces and territories, does not expressly require organizations to notify affected individuals or privacy regulators where there has been a breach of privacy, Murphy says.

“This will change once regulations have been issued and the Digital Privacy Act notice requirements are brought into force,” he tells the online legal publication.

Murphy says when it comes to notice requirements for privacy breaches, the United States is out in front of Canada.

“Almost every state in the U.S. has some form of mandatory privacy breach notice requirement,” he notes. “In California, organizations that experience a privacy breach are required, in certain circumstances, to supplement notification to affected individuals by providing them with identity theft prevention and mitigation services – at the organization's cost, for at least 12 months.”

Date_Published
2016-07-22
Experience
More About

Speaking Engagements & Media Attention

Hosted The Commons Institute's LawFM series Corporate Law Broadcast, January 2017

Interviewed in Blockchain Breaks New Ground by Geoff Kirbyson, published in Forensic Accounting & Fraud, vol.6 no. 2, 2016

Interviewed in Cybersecurity Starts at Top, CEOs Must Have Action Plan by Jeff Buckstein, published in Forensic Accounting & Fraud, vol. 5 no. 1,  2016

Quoted in Law Times article "Telecoms told review of third-party needed" – 2016-06-06

Quoted in Law Times article "Jury out on impact of anti-spam legislation" – 2016-05-16

Presenter/Speaker – Privacy and Anti-Spam Law in Canada – LexWork Conference – 2016-05-13

Presenter/Speaker - Data Breaches, Privacy Risks and Obligations – Advanced Intellectual Property Program – Institute of Law Clerks of Ontario -2016-04-13

Presenter/Speaker – How Does CASL Affect Charities and Non-for-Profits? – Commons Institute's Charities, Non-Profits and the Law webinar – 2015-11-13

Presenter/Speaker – Nuclear Technology Agreements – Nuclear Lawyer's Association Annual Meeting – 2015, 11

Quoted in OPC's Annual Report Focuses On Online Privacy Transparency –E-Commerce Law & Policy, The Monthly Journal for Online Business – 2014-09

Quoted in CBC.ca  – "Canada's new anti-spam law: Can it really clean up your inbox?" – 2014-07-01

Quoted as one of Canada's leading commercial lawyers in The Globe and Mail – 2010-04-10 and 2010 -01-08

Quoted as one of Canada's leading commercial lawyers in The Financial Post – 2010 -03-06

Comments have appeared in articles about CASL in Bloomberg News and CBC.ca

Presenter/Speaker – Employee Privacy – 17th Annual Fraud Conference – The Association of Certified Forensic Investigators of Canada (ACFI)

Presenter/Speaker/Co-Chairman – Service Level Agreements – 6th Annual Federated Press Service Level Agreements Conference

Presenter/Speaker – Canadian Legal Update, Notification Obligations and Risk Mitigation – client seminars in Toronto and Ottawa

Presenter/Speaker – Doing Business in Canada – Canadian Trade Commissioner's Symposium in Atlanta, Georgia

Presenter/Speaker – Managing Intellectual Property Under Service Level Agreements – 5th Annual Federated Press Service Level Agreements Conference, Toronto

Presenter/Speaker – Technology Partnerships – Government of Ontario's Asia Pacific Global Export Forum

Presenter/Speaker – Canadian Anti-Spam Law – International Quality and Productivity Centre's Contact Centre Summit

Presenter/Speaker – CASL Compliance – Direct Marketing Association of Canada's CASL Compliance Event

Co-Host/Speaker – Preparing Your Organization for CASL's Commercial Electronic Messages Requirements – live webinar

Co-Chair/Speaker – Convergence of Electricity Distributors and Telecommunications Companies – Smart Grid in Ontario Conference

BIO

Peter Murphy is a partner in Shibley Righton LLP's Toronto office, with over twenty years of business, technology and privacy law experience. His practice includes commercial contracts and transactions, intellectual property law, privacy and data protection, marketing law, and will and estate planning.


Acting as business law counsel to a wide variety of organizations, Peter's clients include nuclear operators, universities, chartered banks, electricity distributors, municipalities, software companies and healthcare organizations. He also advises not-for-profit organizations and private businesses on a broad range of legal issues, including corporate governance.


Peter has extensive experience with corporate transactions including debt and equity financing, mergers and acquisitions, supply and services agreements and RFP documentation. He drafts shareholders agreements and structures corporations, partnerships and joint ventures.

For example, Peter advised a Canadian chartered bank on the creation of an online banking joint venture. He also advised Infrastructure Ontario and the Province of Ontario on the RFP documentation and related contracts for the engineering, procurement and construction of a two-unit nuclear power plant.


His extensive technology and intellectual property law experience includes drafting and negotiating licensing, outsourcing, development, implementation and support, cloud computing and e-commerce agreements. He provides advice on all types of intellectual property law issues including copyright, reverse engineering, trade secrets, confidentiality, patent and trade-mark law. He is an expert on Canada's anti-spam law and frequently advises clients on marketing, advertising and consumer law. Peter's practice has a strong focus on privacy and data protection law. He advises Ontario municipalities, government institutions, businesses, film festivals and international sporting events on all aspects of privacy law. He has acted as lead privacy counsel on some of Canada's most notorious data breaches, and has represented clients before Canada’s Privacy Commissioner. He acted as privacy counsel on the merger of two hospitals and their charitable foundations and for a chartered bank on the launch of a consumer credit card product. He also carried out a privacy audit of one of Ontario's largest statutory Boards which included the delivery of a comprehensive report to the responsible Minister.


Peter advises individual clients on will and estate planning. He has advised some of Canada's premier artists on estate planning issues including planning for post mortem administration of their artistic legacies.


A frequent public speaker and writer on business law and regulatory matters, Peter's articles and interviews have been printed in Canadian and international news media.

Contact Information

T: 416.214.5216
F: 416.214.5416
E: peter.murphy@shibleyrighton.com

vCard
Education

University of Toronto Faculty of Law, J.D., 1993
Richard Ivey School of Business, H.B.A., 1990

Featured