Name and Title
Peter Murphy
Year of Call

1995 (Ontario)


Law Society of Ontario

Canadian I.T. Law Association

Toronto Computer Lawyer's Group

Ontario Bar Association Privacy Law Section

Privacy and Access To Information Law Executive, Ontario Bar Association

Board of Trustees, Textile Museum of Canada

Governance Committee, Textile Museum of Canada

Director, Multilingual Community Interpreter Services (On) (MCIS)

Nominations and Governance Committee, MCIS

(Former director) The Coalition for Persons With Disabilities


On June 15, 2022, the Government of Canada introduced Bill C-27 which proposes the first artificial intelligence (AI) systems legislation to apply in Canada, amongst other things. If enacted, this legislation will make very severe penalties available for non-compliance.

The successor to Bill C-11, Bill C-27 reintroduces the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA) in modified form.  Bill C-27 goes further by also proposing a new statute - the Artificial Intelligence and Data Act (AIDA) - to regulate the development and use of artificial intelligence (AI) systems.

AIDA will apply throughout Canada, excluding federal government institutions as defined in the Privacy Act R.S.C., 1985, c. P-21.  Additional federal and provincial government departments and agencies may be excluded by regulation.

Under AIDA, an artificial intelligence (AI) system is any technological system that, autonomously or partly autonomously, processes data related to human activities in order to generate content or make decisions, recommendations or predictions.  The meaning of “autonomously or partly autonomously”, which is not defined in AIDA, will be crucial when determining if a system is an “AI system”.

AIDA will require any person who designs or develops an AI system, makes an AI system available for use, or manages the operation of an AI system to determine if it is a “high-impact system”.  AIDA will define “high-impact systems” in forthcoming regulations. 

If the AI system is a high-impact system, the person will be required to establish measures:

  • to identify, assess and mitigate the risks of harm or biased output (as defined in AIDA) that could result from the use of the AI system, and
  • to monitor compliance with such measures and their effectiveness.

The person will also be required to notify the designated Minister, as soon as feasible, if the use of the high-impact system results in, or is likely to result in, material harm.

Under AIDA, each person who makes a high-impact system available for use or who manages the operation of a high-impact system will be required to publish on a publicly available website a plain-language description of the high-impact system, including:

  • an explanation of how the system is used or intended to be used,
  • the types of content that it generates or is intended to generate,
  • the decisions, recommendations or predictions that it makes or is intended to make,
  • the mitigation measures established to identify, assess and mitigate the risks of harm or biased output that could result from the use of the system, and
  • any other information that may be prescribed by regulation.

AIDA also applies to the following regulated activity if it is carried out in the course of international or interprovincial trade and commerce:

  • processing, or making available for use, any data relating to human activities for the purpose of designing, developing or using an AI system; or
  • designing, developing or making available for use an AI system or managing its operations.

Under AIDA, anyone who carries out regulated activity and who processes anonymized data or makes anonymized data available for use in the course of regulated activity will be required to establish measures with respect to how the data is anonymized and the use or management of the anonymized data.

Each person who carries out a regulated activity will be required to keep records describing, in general terms, the measures they have taken as required by AIDA, including measures they have taken with respect to a high-impact system and the reasons supporting their assessment as to whether their AI system is a high-impact system.

It is important to note that a person is not to be found guilty of an offence for violating the requirements outlined above if they establish they exercised due diligence to prevent the offence.

AIDA will give the applicable Minister powers to obtain copies of records required to be maintained under AIDA, to conduct audits with respect to possible contraventions of AIDA, and to make certain rectifying orders. 

In addition to a breach of the requirements outlined above, AIDA provides that it is an offence to possess or use personal information for the purpose of designing, developing, using or making available for use an AI system, while knowing or believing that the information is obtained or derived, directly or indirectly, as a result of:

  • the commission in Canada of an offence under federal or provincial law; or
  • an act or omission anywhere that, if it had occurred in Canada, would have constituted such an offence.

Further, every person will be considered to commit an offence under AIDA if the person:

  • without lawful excuse and knowing that or being reckless as to whether the use of an artificial intelligence system is likely to cause serious physical or psychological harm to an individual or substantial damage to an individual’s property, makes the artificial intelligence system available for use and the use of the system causes such harm or damage; or
  • with intent to defraud the public and to cause substantial economic loss to an individual, makes an artificial intelligence system available for use and its use causes that loss.

Organizations that violate AIDA’s statutory requirements may face a fine of up to the greater of $25,000,000 and 5% of the organization’s gross global revenues in its immediately preceding financial year, depending on the type of violation. Individuals who commit such an offence may face a fine in the discretion of the court or imprisonment of up to five years less a day, or both, depending on the violation.

Aside from Canadian federal government institutions, anyone who designs, develops, makes available, manages or operates a technological system in Canada that, autonomously or partly autonomously, processes data related to human activities in order to generate content or make decisions, recommendations or predictions should pay attention to this proposed law and start planning to comply with it.

Peter Murphy can be contacted at Peter.Murphy@shibleyrighton.com.

For more information, visit https://www.shibleyrighton.com/Lawyers/Lawyers_List/~393



On June 14, 2022, Bill C-26 was introduced into the House of Commons of Canada. Bill C-26 proposes to enact the Critical Cyber Systems Protection Act (CCSPA), among other things, which would make certain federally-regulated private-sector organizations subject to new legal requirements regarding their cyber infrastructure.

The CCSPA’s purpose is to “protect critical cyber systems in order to support the continuity and security of vital services and vital systems”. If enacted, it will apply to designated operators that own, control or operate critical cyber systems.

A cyber system is considered “critical” where a compromise of the cyber system’s confidentiality, integrity or availability could affect the continuity or security of a vital service or a vital system.

“Vital services and vital systems” are listed in Schedule 1 of the CCSPA, which currently includes:

• nuclear energy systems;
• interprovincial or international pipeline or power line systems;
• telecommunications systems;
• federally-regulated transportation systems;
• banking systems; and
• clearing and settlement systems.

“Designated operators” will be listed in Schedule 2 of the CCSPA, by order of the Governor in Council. Designated operators will be required to establish and maintain a cybersecurity plan that sets out the designated operator’s reasonable steps to do the following:

• identify and manage risks to its critical cyber system, including risks associated with the designated operator’s supply chain and its use of third-party products and services;
• protect its critical cyber systems from being compromised;
• detect any cybersecurity incidents affecting, or having the potential to affect, its critical cyber systems;
• minimize the impact of cybersecurity incidents affecting its critical cyber systems; and
• do anything else that is prescribed by the regulations.

In addition, designated operators will be required to:

• conduct cybersecurity program annual reviews;
• mitigate cybersecurity threats arising from the supply chain or from third party products or services;
• share their cybersecurity programs with the appropriate regulators;
• report cybersecurity incidents to the Canadian Security Establishment;
• comply with cybersecurity directions from the Governor-in-Council; and
• maintain related records.

The CCSPA will apply regardless of whether personal information is involved. As a result, the CCSPA will impose cyber security requirements on subject organizations separately from the requirements of Canadian private sector privacy law, in a manner that is similar to the Office of the Superintendent of Financial Institutions’ cybersecurity guidelines that currently apply to Canada’s federally regulated financial institutions.

The CCSPA contains significant enforcement provisions. Regulators of designated operators will be given investigatory, auditing and order-making powers, including the ability to enter into compliance agreements. They will also be empowered to issue administrative monetary penalties of up to $1,000,000 per day for individuals and up to $15,000,000 per day for organizations. In addition, the Federal Court will be given jurisdiction to issue fines against, or order the imprisonment of, designated operators and their directors and officers.




After an eleven-year wait, the Ontario government has announced the Not-for-profit Corporations Act, 2010 (ONCA) will come into force on October 19, 2021. 

Currently, the Corporations Act (the OCA) governs Ontario's non-share capital corporations, except for certain corporations created by statute.  The OCA dates back to 1907 and is badly in need of replacement.  When in force, ONCA will automatically take over as the governing statute for Ontario's non-share capital corporations, subject to certain exceptions (such as corporations under Ontario's Co-operative Corporations Act). 

Subject non-share capital corporations will have three years to amend their letters patent, any supplementary letters patent, by-laws and special resolutions to conform with ONCA.  After the three-year transition period, any provisions in these documents that are inconsistent with ONCA will be deemed to be amended to comply with ONCA (with a few limited exceptions).

Corporations should not rely on the deemed amendment of their corporate documents after the three year period passes.  This would result in a confusing gap between the corporation's governing documents, as written, and the actual rules that govern the corporation. 

Further, ONCA makes certain new opportunities available to subject corporations in some circumstances.  For example, ONCA provides a new opportunity for corporations to carry out "review engagements" instead of obtaining audited financial statements, where certain conditions apply. 

Existing Ontario non-share capital corporations are encouraged to begin reviewing their letters patent, supplemental letters patent (if any), by-laws and special resolutions to identify the changes that will be required to bring their corporation in line with ONCA prior to the end of the three-year transition period, and to identify any new opportunities under ONCA that may benefit the corporation.  Once complete, they should prepare a time line to obtain the necessary approvals and to put resulting changes into effect.



December 7th, 2020

The Canadian government has proposed the most significant changes to Canadian privacy law since the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law, came into force in April, 2000.

The changes are set out in the new Bill C-11, which proposes the enactment of two new statutes: the Consumer Privacy Protection Act (CPPA), and the Personal Information and Data Protection Tribunal Act (PIDPTA). If these new laws are passed, the privacy provisions of PIPEDA will be replaced and a new Personal Information and Data Protection Tribunal (Tribunal) will be established. These laws will apply to a wide range of entities that collect, use and disclose personal information in the course of commercial activities inside Canada or across the borders of Canada or its provinces.

Bill C-11 will have to successfully pass through a long legislative process before becoming law. Subject organizations should be aware of it now, however, to start preparing for the changes it may bring. The following summarizes the key changes that will be made to Canadian privacy law if the CPPA and PIDPTA are enacted.


The CPPA will grant the Office of the Privacy Commissioner of Canada (OPC) new powers to make orders regarding CPPA non-compliance. The OPC will also receive new powers to make recommendations to the Tribunal that it impose fines on an organization, up to the greater of $10,000,000 or 3% of the organization’s global gross revenues for the previous fiscal year, where the organization has violated the CPPA’s key provisions. The most egregious CPPA violations will constitute offences punishable, upon prosecution, with a fine up to $25,000,000 or 5% of the organization’s global gross revenues.

The CPPA will also introduce a new private right of action whereby an individual may bring a claim against an organization for damages for loss or injury suffered as a result of the organization's contravention of the CPPA, provided the Tribunal determined the organization contravened the CPPA, or the OPC found the organization contravened the CPPA and the finding may no longer be appealed.


Consent to collect, use or disclose personal information will remain at the core of Canada's privacy law. New exceptions to the consent requirement will be established such that organizations will be permitted to collect or use personal information without the individual's consent:

  • to provide the individual a requested product or service;
  • to exercise due diligence or reduce the organization's commercial risk;
  • to carry out an activity that is necessary for the organization's information system or network security;
  • to carry out an activity that is necessary for the safety of a product or service that the organization provides or delivers; or
  • to carry out an activity where obtaining the individual's consent would be impracticable because the organization does not have a direct relationship with the individual.

These exceptions will not apply where the personal information is collected or used to influence an individual's behaviour or decisions. Further, as is currently the law under PIPEDA, an organization will not be permitted to collect a person's electronic address through a computer program without their knowledge or consent.

New Individual Rights

In addition to the private right of action described above, the CPPA will grant individuals a number of rights they do not currently have under PIPEDA. These include rights to:

  • be informed of automated decision-making;
  • require organizations to delete personal information about the individual that was collected from them; and
  • direct an organization to transfer the individual's personal information to another organization under limited circumstances.

Automated Decision-Making

The CPPA will require organizations to make information readily available to individuals that explains the organization's use of automated decision systems to make predictions, recommendations or decisions about them that could have significant impacts on them.

Privacy Management Programs

The CPPA will require each organization to implement a “privacy management program” that includes the policies, practices, and procedures the organization implements to fulfil its CPPA obligations. These policies will have to address the organization's:

  • protection of personal information;
  • handling of inquiries and complaints;
  • training of staff on policies and procedures; and
  • development of materials to explain the policies and procedures.

When developing its privacy management program, each organization will be required to consider the volume and sensitivity of the personal information under its control. The CPPA will also require each organization to give the OPC access to its policies and procedures upon request.

Business Transactions

If passed as currently proposed, the CPPA may create problems for business mergers and acquisitions. Unlike the broad exception under section 7.2(1) of PIPEDA, the CPPA will permit organizations to use and disclose an individual’s personal information without the individual's knowledge or consent for purposes of a proposed business transaction only if the information has been de-identified. This may be problematic for purchasing businesses where value is placed on specific human resource assets. It is unclear how this requirement will work along with the new consent exception for due diligence purposes outlined above.

Codes of Practice and Certification Programs

The CPPA will enable organizations to create “codes of practice” and “certification programs” for approval by the OPC. The OPC may approve these codes and programs only if they provide the same, or greater, level of protection as the CPPA requires. Compliance with such a code or program will not relieve the organization from its obligations under the CPPA.

Peter Murphy is a partner at Shibley Righton LLP in Toronto.


Peter Murphy, HBA, JD

November 12, 2020

It appears the wait for Ontario's Not-for-Profit Corporations Act (“ONCA”) will continue into 2021. 

Currently, Ontario not-for-profit corporations are governed by the Corporations Act, R.S.O. 1990.  The Government of Ontario has made a number of amendments to this statute over the years, including recent changes to loosen the rules about how and when AGMs may be held during the COVID-19 emergency period.  While these amendments have been helpful, a major overhaul of the Corporations Act is still widely considered to be necessary. 

The Government of Ontario took steps to replace the Corporations Act back in 2010 when it passed the more modern ONCA.  Although ONCA was passed, it did not come into force – a situation that remains the case today.  The new statute must be proclaimed by the Lieutenant Governor to come into effect.  Until this happens, the Corporations Act continues as the governing legislation for not-for-profits incorporated in Ontario.

Ontario's Ministry of Government and Consumer Services previously indicated that ONCA would take effect in 2020.  However, the Ontario Legislative Assembly recently passed a resolution extending the proclamation period for ONCA until December 31, 2021.

When ONCA comes into force Ontario not-for-profit corporations will have a three-year transition period to conform their governing documents, including their by-laws, to the new law. 

This article is provided as general information and does not constitute legal advice. If you have any particular legal questions, please contact us.


A new law provides Ontario not-for-profit corporations temporary flexibility to schedule and conduct AGMs in the pandemic and post-pandemic period. The new law will expire 120 days after the end of Ontario's current state of emergency. As of the date of this article, Ontario's state of emergency is set to expire on June 30, 2020.

Each not-for-profit incorporated under Ontario law (a "Corporation") must look to its constating documents and the Corporations Act to determine the rules it must follow when scheduling and conducting its annual general meetings (AGM) and directors meetings.

Absent the new law, Corporations are required to hold their AGMs no more than 15 months after their previous AGM, and the financial statements presented at the AGM must be for the last fiscal period which must have ended no more than 6 months ago.

As long as the new law remains in force, however, Corporations must hold their AGMs no more than 15 months after their previous AGM and provide financial statements for the last year ending before the AGM. If this results in the Corporation being required to hold its AGM during Ontario's emergency period, then it may hold its AGM no later than 90 days after the end of Ontario's declared emergency period. Where the 15-month period ends within 30 days after the emergency period is terminated, the AGM must be held no later than the 120th day after the day the emergency period is terminated.

Absent the temporary law, Corporations that want to hold directors' meetings and members' meetings, including AGMs, by telephone or through online platforms like Zoom must ensure their constating documents permit this. Until recently, most Corporations' constating documents did not provide for electronic meetings. Many Corporations' constating documents permit directors' meetings to be held by conference call, but do not extend to new audio-visual online platforms and do not apply to AGMs and special members' meetings.

Under the new law, Corporations may hold members' meetings and directors' meetings electronically, despite any conflicting provisions in the Corporation's constating documents. As a result, no by-law amendments are required for Corporations to hold electronic directors' and members' meetings, including AGMs, but only as long as the temporary law remains in effect.

Once the new law expires, Corporations will have to ensure their constating documents permit electronic directors' and members' meetings if they want to continue to hold these meetings electronically. Given that no COVID-19 vaccine is expected to be available for quite some time, Corporations should review their constating documents now and amend them, if necessary, to ensure these meetings may continue to be held electronically after the new law expires.

This article is provided as general information and does not constitute legal advice. If you have any particular legal questions, please contact us.



In the final instalment of a two-part series on privacy compliance for private-sector cannabis retail, Toronto business lawyer Peter Murphy looks at the privacy commissioner’s guidelines on the subject.

Recreational cannabis retailers will need legal help to balance regulatory compliance and customers’ privacy expectations, says Toronto business lawyer Peter Murphy.

Following the federal government’s recent legalization of the drug for recreational use, the Ontario government unveiled its own framework for its sale at bricks-and-mortar outlets in the Cannabis Statute Law Amendment Act (CSLAA).

Meanwhile, the Office of the Privacy Commissioner of Canada (OPC) released its own guidelines to help private-sector cannabis retailers comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).

In the first part of this series, Murphy, partner with Shibley Righton LLP, explained how the heightened sensitivity of cannabis purchase information raises the standards private operators must satisfy to comply with PIPEDA and to succeed in a market that promises to grow ever more competitive in the coming years.

“Some conflicts arise from the interplay between the heavily regulated environment of cannabis sales, and the demands of privacy law compliance,” he says. “Satisfying both will be a challenge, and retailers should seek expert privacy law and cannabis regulatory advice to assist them.”

Murphy says the OPC guidelines for privacy in cannabis sales are typical of most Canadian government missives on privacy law — written as they are in “broad strokes” and without many specific requirements.

“While the principles-based guidelines afford retailers some flexibility, they also make it more difficult for retailers to know if they are in compliance,” he says. "Knowledge of how the privacy law has been interpreted and applied in the past is necessary to achieve compliance in the present, particularly in this new industry."

For example, Murphy points out that the OPC's guidelines advise retailers to only collect and use personal information in a way that “a reasonable person would consider to be appropriate in the circumstances.”

“That language reflects PIPEDA, and it’s important for retailers to be aware that this 'reasonable person' standard applies regardless of whether or not the individual consented to the collection or use of the information,” Murphy says.

He says the OPC's guidelines "urge retailers to obtain meaningful consent to the collection and use of customer personal information, by informing customers about what is being collected and why, as well as who it may be disclosed to, and any residual risks of harm."

"Retailers will have to develop procedures with care to ensure consent is obtained in a compliant way."

Murphy says the OPC's guidelines also call for cannabis retailers to use video surveillance only if “less privacy-intrusive measures cannot achieve the same ends,” and require retailers to notify individuals with clearly visible signage before they enter the store.

He says these guidelines could bump up against Ontario’s cannabis regulations, which require 24-hour video surveillance both inside and outside stores.

“While the cannabis regulations make video surveillance a must for retailers, the privacy law still applies,” Murphy says. “Retailers must have policies and procedures in place to limit employee access to the recordings to those who need it for legitimate purposes, to ensure the information is properly safeguarded and to ensure the videos are retained only as long as they’re needed — keeping in mind the retention requirements in the cannabis regulations.”

Another potential conflict arises in the area of customer identification, he says, because provincial regulations require retailers to check customers’ identification to prove they are over 19 years of age.

"The regulations also require retailers to provide the regulator, on request, with records demonstrating the retailer's compliance with this requirement."

Murphy says retailers may be tempted to keep copies of customer IDs in order to ensure they have the necessary records to satisfy the regulator.

Doing so, he says, "would likely be in breach of privacy laws. For example, the OPC guidelines direct retailers to only collect the least amount of personal information necessary to achieve the retailer's legitimate purpose."

“Customers are not going to be comfortable with retailers keeping copies of their IDs, given the sensitivity of the personal information,” he says. "Retailers should establish some other form of documentation to satisfy the regulator, such as policies and procedures and employee sign-off sheets."

The sensitive nature of buying cannabis also raises concerns about the use of payment cards and where that information will be processed, says Murphy. While PIPEDA does not bar custodians of personal information from processing data on servers outside Canada, the guidelines are clear that it is generally safer to use servers based in this country.

"There is a good chance that payment card information will be processed outside Canada, making that information potentially accessible by foreign law enforcement," he says.

“Retailers should notify customers up front if payments will be processed outside Canada,” Murphy says. “Consumers who are mindful of that fact may choose to patronize retailers who provide an assurance that their information will not be processed at any point outside Canada, or they may wish to limit their purchases to cash transactions.”

The OPC guidelines conclude by noting that organizations must create privacy policies and practices to comply with PIPEDA, including procedures for accepting and responding to complaints from customers. To ensure they are effective, the OPC also recommends training for all staff.

“Retailers should keep in mind that policies are not static documents,” Murphy says. “They must reflect the existing practice of the organization and the current state of both privacy laws and cannabis regulations, which means they need to be regularly updated and consistently followed in practice.”

Click here to read part one, where Murphy discussed the role that privacy will play in the market. 



In the first instalment of a two-part series on privacy compliance for cannabis retail stores, Toronto business lawyer Peter Murphy looks at the role privacy will play in the market.

Customer privacy policies will become a selling point for recreational cannabis retailers as Ontario’s private market develops, Toronto business lawyer Peter Murphy tells AdvocateDaily.com.

Following the federal government’s recent legalization of the drug for recreational use, the provincial government unveiled its own framework for sales in the Cannabis Statute Law Amendment Act.

While the Ontario Cannabis Store retains a monopoly over online sales, Murphy, partner with Shibley Righton LLP, says the model selected for private-sector bricks-and-mortar retailers has created opportunities for smaller players to enter the market after the new administration abandoned the previous Liberal government’s plans for complete provincial control over sales.

Though only a few stores are officially up and running since winning the licensing lottery, Murphy expects privacy compliance to take centre stage as they attempt to differentiate themselves in an increasingly competitive industry.

“Recreational cannabis consumers prefer retailers who offer the greatest protection of their personal information, and who best limit its use,” he says. “Privacy compliance will not only be a legal necessity in this industry, but also a key competitive factor.

“Cannabis consumers are sensitive about their personal information for a number of reasons, and that sensitivity leads them to focus even more on the retailers' privacy policies and practices.”

For example, Murphy says some employers have banned employees from ever using cannabis. He says cannabis use remains illegal in many jurisdictions outside Canada, most notably in the U.S., where border authorities have threatened to bar Canadians who use the drug or are involved in the cannabis industry from entering the U.S. or from being granted citizenship.

In addition, the Associated Press reports that nations including Japan and South Korea have warned their citizens they could face criminal arrest back home for possession of cannabis while in Canada, despite its legal status here.

Murphy warns that, as a result, the disclosure of payment card or other cannabis purchase information will be a huge concern for many consumers.

"My view is that any cannabis retailer who wants to be successful in the long run will need to demonstrate robust privacy compliance," he says.

“The sensitivity of this information raises the bar on privacy compliance in a number of areas, including the safeguarding necessary to protect that information, the form of consent required for its collection, use and disclosure, and the handling of payment card information," says Murphy.

Stay tuned for part two where Murphy will look at the privacy commissioner’s guidelines on the subject.




Canadian businesses may need to account for the European Union’s wide-reaching General Data Protection Regulation (GDPR) in their processing contracts, Toronto business lawyer Peter Murphy tells AdvocateDaily.com.

The GDPR came into effect in May last year, replacing the looser Data Privacy Directive (DPD) which had governed the handling of personal data within the EU for more than two decades.

Murphy, partner with Shibley Righton LLP, says Canadians may wonder why they must comply with a regulation from a foreign jurisdiction, but he explains that GDPR’s reach is extensive.

"The GDPR applies to any business that engages in data processing related to goods and services offered to EU residents, regardless of where their business is located," he says.

“It also applies to businesses that monitor the behaviour of individuals where the behaviour takes place in the EU,” Murphy adds. “Where the GDPR applies, Canadians may be surprised by some of the resulting requirements.”

Whatever difficulties compliance with the new regulation imposes on data processing businesses in this country, Murphy says they can’t afford to ignore the GDPR, thanks to the eye-watering nature of its potential penalties. Under the GDPR, fines for non-compliance may be imposed in amounts up to the larger of four per cent of an organization’s global turnover, or 20 million euros — about $30 million Canadian.

“That’s way beyond any fines that may be awarded under Canadian privacy laws,” Murphy says.

Although companies that are currently in compliance with Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) face a smaller jump than their counterparts south of the border, Murphy says there is still a significant gap they will need to bridge to achieve GDPR compliance.

“Canadian privacy laws are more onerous than the American ones, but they still tend to be principle-based and open to interpretation, whereas the GDPR is more prescriptive and specific in terms of the obligations it imposes,” he says.

For example, Murphy says the GDPR divides its data processing requirements into two categories: those for “data controllers” who determine the purpose and means of processing certain personal data, and a separate set for “data processors,” who process data on behalf of controllers.

“It’s important to understand the distinction,” says Murphy, adding that the GDPR lays out specific requirements for inclusion in contracts concerning the processing of personal data. These requirements include the following:

  • Data processors must be obligated to process personal data based only on documented instructions from the data controller: “Every instruction must be documented, so those given orally may not be sufficient,” Murphy says.

  • Persons authorized to process data must be subject to confidentiality requirements.

  • Data controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which may include the use of encryption, the ability to restore the availability and access to personal data in the event of a physical or technical incident and a method for security testing and assessment.

  • The contract must stipulate that the data processor will assist the data controller by the appropriate technical and organizational means to respond to requests concerning the data subject’s rights, which includes their rights of access, rectification of errors, data portability, and to be forgotten. “These requirements are not only more explicit than in PIPEDA but go beyond the requirements in that legislation,” Murphy says.

  • Processors must be obligated to assist controllers in complying with their data protection impact assessments and breach notification obligations under the GDPR, both to government authorities and individual data subjects.

  • Data processors must be obliged to delete or return all personal data to the controller after the end of their provision of service, at the data controller’s request.

  • Data processors must be required to make available all the information necessary for a data controller to demonstrate compliance with these GDPR requirements and allow for compliance audits.

Murphy says that covering the GDPR properly in data processing contracts is more than just an exercise in legal compliance.

"Complying with these requirements may impose unanticipated costs on one or more parties to these agreements,” Murphy says. “Taking the GDPR's requirements into account is of great importance now that the GDPR is in force, not only to avoid fines but also to properly allocate obligations arising from compliance and related costs among the parties to data processing contracts.”



The responsibilities of an estate trustee, who administers the personal and financial affairs of a deceased person, can be greater than expected, says Toronto estates lawyer Peter Murphy.

Murphy, partner with Shibley Righton LLP, says it can be enormously helpful for an estate trustee, or executor, to become acquainted with all that’s involved before agreeing to take on the job.

“Being an estate trustee takes a fair bit of time and effort, and it often involves more than people realize unless they have experience in this area,” he tells AdvocateDaily.com.

The obligations include administering the estate according to provincial law, as well as federal requirements such as the Income Tax Act, Murphy says.

The process begins with examining the will to confirm who the estate trustee is. Murphy says it could be more than one person, which could allow them to split up the work.

"However, having multiple trustees can make decision-making more difficult," he says.

"The first responsibility," he says, "is usually working with a funeral director to take care of burial or cremation and ceremonial arrangements."

Murphy says the estate trustee must also:

  • Determine who the beneficiaries are, then find and notify them
  • Identify the assets of the estate
  • Set up a bank account for estate finances
  • Determine, settle and pay the estate's debts
  • File tax returns, pay taxes and obtain a clearance certificate for the estate
  • Deal with any claims against the estate, including dependent's relief and Family Law Act claims
  • Distribute the estate's assets to beneficiaries according to the will

“When you’re looking at these obligations to pay debts and taxes, it’s often useful for the estate trustee to retain professional services like an accountant,” Murphy says. "Legal advice is also recommended, particularly for interpreting the will, understanding the estate trustee's duties, and applying to the court for probate, where necessary."

Some, but not all, estates will require probate, he says.

Depending on the nature of the assets, an estate left to the deceased's surviving spouse may not need to go through probate, says Murphy.

"Even where the sole beneficiary is the deceased's spouse, probate will be required where real estate was not held jointly with the beneficiary," he says.

“It depends on the assets in the estate, the will, the requirements of third parties, and who the beneficiaries are,” Murphy says.

“If it’s necessary, the will and other required documentation will have to be submitted to the court with an application for probate. The application is for the court to approve the will and certify the appointment of the estate trustee, who will be able to use the certificate when transferring the assets from the estate to the beneficiaries.”

"Estate trustees are required to maintain detailed accounts of the estate's assets, including all amounts received, invested and disbursed," he says.

"In some cases, the trustee will be required to submit these records to the court for approval."

Murphy says people are often surprised by the extent of the record-keeping obligations.

"Not every estate trustee will have the time, knowledge and skills necessary to properly keep the required accounts," he says.

“Many trustees, particularly for larger estates, will retain professional services to assist with the detailed record-keeping that they’re obliged to do,” Murphy says.

“A substantial amount of time and effort is involved. Many people do not fully appreciate this until they find themselves in that situation,” he says.

“The appropriate time to ensure a future estate trustee is aware of everything that’s involved is during the estate-planning process,” says Murphy. “That way, the person can have an appreciation of their responsibilities and be confident acting as estate trustee when the time comes.”



In the final instalment of a two-part series, Toronto business lawyer Peter Murphy discusses the unique issues facing landlords of cannabis stores.

Landlords should seek legal advice when negotiating leases with prospective cannabis retailers, Toronto business lawyer Peter Murphy tells AdvocateDaily.com.

Murphy, partner with Shibley Righton LLP, explains that prospective cannabis retailers in Ontario are rushing to secure leases long before they are licensed due to the timing of the provincial government’s framework for selling the drug in shops across the province.

“We’re in a new gold rush,” Murphy says, adding the Cannabis Licence Act (CLA) opened up opportunities for a multitude of players in the bricks-and-mortar retail market after Premier Doug Ford's new administration abandoned the former Liberal government’s plans for a provincial monopoly over recreational cannabis sales.

“Prospective cannabis retailers want to secure leases to lock up the best locations in Ontario now so that they’re in a good position when retail licensing begins,” he says.

However, Murphy says landlords are at risk of leasing their space to a prospective cannabis retailer who might not have a viable business by the time the market finally starts in 2019.

For example, municipalities still have until Jan. 22 to opt out of cannabis retail sales.

Meanwhile, the Alcohol and Gaming Commission of Ontario (AGCO), which will oversee the licensing regime for private retailers, has not started accepting licence applications.

"Landlords should be aware that the viability of a cannabis retailer's business remains uncertain — at least until all the necessary licences are granted and zoning is confirmed," says Murphy.

He says landlords will be opening themselves up to the AGCO's scrutiny by agreeing to lease their premises to a prospective retailer of recreational cannabis. He explains that the CLA allows AGCO officers to investigate the “character, financial history and competence” of persons, including landlords, as part of their licensing decisions. The law also makes it an offence to “hinder, obstruct or interfere” with an investigation under certain circumstances.

Murphy says some landlords may find their tenants selling cannabis without a licence, pointing to the recent spate of illegal dispensary closures, which were swiftly followed by re-openings.

“The regulations under the CLA provide that anyone who sells cannabis illegally after Oct. 17, 2018 will be denied a licence. However, the potential profits of selling before the licensed market starts are so lucrative, that many dispensaries are open for business anyway,” he says.

Murphy says landlords could be on the hook if their tenants are caught operating illegally because Ontario's recreational cannabis laws create specific offences for landlords who “knowingly permit” their premises to be used for unlicensed sales of marijuana. The resulting penalties for landlords include large fines and up to two years in jail.

“To defend this charge, landlords would have to show they took reasonable actions to prevent such activity, and that starts with carefully addressing the issue in leases,” he says.

"Landlords will not be able to rely on a technique known as 'distraint' that allows them to seize other types of inventory and sell it to cover rent arrears," says Murphy.

“The remedy of distraint will not be possible here, because the sale of this particular inventory would be illegal without the proper licences. As a result, landlords should expect to have more limited remedies for defaults on the lease," he explains.

"When entering into leases or offers to lease with prospective cannabis retailers, landlords should carefully consider the new cannabis laws and regulations and ensure appropriate protections are obtained," says Murphy.

For part one, where Murphy discussed the issues facing cannabis store retailers, click here.



In the first instalment of a two-part series, Toronto business lawyer Peter Murphy looks at the issues facing cannabis store retailers.

Prospective cannabis retailers need to proceed carefully as a new gold rush gets underway in the market for bricks-and-mortar sales of the newly legal drug, Toronto business lawyer Peter Murphy tells AdvocateDaily.com.

Following the federal government’s recent legalization of cannabis for recreational use, the provincial government unveiled its own framework for licensing retailers in the Cannabis Licence Act (CLA).

And Murphy, partner with Shibley Righton LLP, says the province’s private sector model for retail stores has sparked a scramble for the best locations.

“Cannabis retail in Ontario is the new gold rush,” he says. “There’s a huge potential opportunity here, and many new businesses are going to be getting into this.”

While the former Liberal government had planned a provincial monopoly over the retail sales of cannabis, similar to the LCBO, Premier Doug Ford's Tory administration has established a licensing regime for private retailers overseen by the Alcohol and Gaming Commission of Ontario (AGCO).

However, the AGCO is not yet accepting licence applications and doesn’t expect to be ready to receive any before December. When it is up and running, the CLA's two-stemmed approach will require businesses to obtain a retail operating licence, plus a retail store authorization for every location they plan to operate. A third type of licence, for cannabis retail managers, will also be required for every individual responsible for a store's management and compliance.

Regulations under the CLA provide additional requirements that must be met before licences may be obtained, Murphy says.

“For example, the regulations under the CLA say that retail stores will not be allowed within 150 metres of a school,” he says. “You can bet prospective retailers are looking at Google maps and starting to lock up the best locations.

“Cannabis retail is going to be heavily regulated, and anyone getting into the retail business should be prepared to bear related costs. Advertising and promotion are already heavily restricted at the federal level, and the CLA requires every individual hired to work in a cannabis retail store to complete AGCO-approved training programs,” Murphy says.

He also says the Ontario Cannabis Retail Corporation has the exclusive right to sell cannabis to authorized retailers, which will limit their ability to competitively source inventory.

Another potential problem for retailers is that municipalities still have until Jan. 22 to opt out of cannabis retail sales. Richmond Hill and Markham have already taken advantage of the opportunity, but Murphy says individual retailers could be left exposed if they agree to lease a particular location in a municipality that subsequently joins the list of non-cannabis jurisdictions.

To mitigate their risks, Murphy says cannabis retail hopefuls looking to enter into a lease should consider negotiating for a refundable deposit and the ability to walk away if zoning or licensing permits do not come through.

“You don’t want to be locked into a long-term lease without a viable business, either because of zoning or other surprises,” he says.

Stay tuned for part two, where Murphy will discuss the unique issues facing landlords of cannabis stores.



Canada’s corporate law regime provides a welcoming environment for the growing number of businesses recasting themselves as public benefit corporations, says Toronto corporate lawyer Peter Murphy.

B Lab, the organization that administers the B Corp certification bestowed on for-profit companies that demonstrate a commitment to sustainability and environmental responsibility, reports that there are now more than 200 Canadian companies operating in accordance with its values.

To gain B Corp certification, B Lab requires companies to alter their articles of incorporation to reflect a commitment to certain societal values, as well as a number of further assessments that score businesses for their accountability and transparency. They are then subject to recertification every two years and a failure to satisfy B Lab they are keeping up their end of the bargain could result in decertification.

But Murphy, a partner with Shibley Righton LLP, says companies don’t necessarily need the B Lab endorsement in order to reap the rewards of presenting themselves as a “public benefit corporation.”

“When a company hardwires social and environmental concerns into its DNA, it can help attract and retain customers and employees, and, in some cases, it may also have the effect of attracting additional investment,” he tells AdvocateDaily.com. “There are external benefits, but it may also have legitimate internal benefits by bringing these issues into the boardroom.

“People expect businesses to be looking at broader concerns than pure profit-making,” Murphy adds.

He says the development of the “public interest corporation” has its roots in the United States, where it was controversial due to the requirement in U.S. law that corporations act in the best interests of shareholders.

By contrast, he says the Supreme Court of Canada has affirmed that the general duty of company directors to act in the best interests of the corporation may extend beyond the best interests of shareholders to encompass broader stakeholders.

“Essentially, the Supreme Court held that directors can consider factors other than maximizing corporate profits when making decisions in the best interests of the corporation, which is closer to the public benefit corporation model than the general duty of directors under U.S. law,” Murphy explains.

As a result, he says Canadian for-profit corporations can embrace the public interest corporation model by amending their articles of incorporation to include language “expressly permitting directors to consider the interests of other stakeholders in addition to those of the shareholders when acting in the corporation's best interests.”

Murphy says this permissive approach mitigates the risk of legal action accusing directors of straying beyond their mandates when considering issues other than profit in the course of corporate decision-making.

“I don’t think directors are looking for greater levels of risk, because they already face pretty significant accountability with derivative actions and oppressive remedies that provide strong means for various stakeholders to assert themselves,” he says.

"By taking a permissive approach, a public benefit corporation can establish that the directors shall consider the interests of the broader community, including the environment, when making decisions that are in the best interests of the corporation."


The federal government's proposed changes to rules for the taxation of private corporations have changed since they came out last summer, Toronto corporate lawyer Peter Murphy tells AdvocateDaily.com.

In July 2017, the Ministry of Finance released proposals to change the rules in four areas:

1. to extend the tax on split income rules to spouses, adult children and other family members;

2. to limit family business owners' access to the lifetime capital gains exemption (LCGE);

3. to prevent private corporations from converting amounts that would otherwise be payable to shareholders as dividends into lower-taxed capital gains; and

4. to develop ways to neutralize the tax benefits of retaining passive benefits inside a private corporation.

But after consultations and written submissions, the government has since backed down on some of the measures, including putting aside the proposals relating to the conversion of income into capital gains and those limiting access to the LCGE, says Murphy, a partner with Shibley Righton LLP.

"The income conversion to capital gains and LCGE changes would have had a big impact on the taxation of intergenerational transfers of family-held businesses and on intergenerational estate planning.

“The government came to realize that these proposals would have imposed tax burdens that are not currently present on the intergenerational transfers of family-held businesses, so they backed off on that.”

At the same time, he says, the government has indicated that it plans to continue a dialogue with business owners this year in order to develop changes that would better accommodate the intergenerational transfers of businesses while achieving the goal of “more fairness for the tax system.”

“We do expect that they will come back with new rules regarding conversion of private corporations' earnings into capital gains some time in 2018,” he says.

Owners of private corporations also voiced concerns about the proposal that passive investments in a private corporation would receive different tax treatment, says Murphy.

“In many cases, holders of private corporations will retain their earnings within the corporation in the form of investments — almost like an RRSP. While in the corporation, the investments generate revenue, passive income, in a tax beneficial way. The government is proposing to increase the taxation to minimize the tax benefit to holders of private corporations generating passive investment income in the corporation.”

After some pushback, the government announced that it would be moving forward with measures to limit tax deferral opportunities related to passive investments, with details of the plan to be included in the 2018 budget.

“We don’t know exactly what those are going to be, but we know they plan to make some changes to increase the taxation on passive investments held in private corporations,” says Murphy.

"We expect the details to be released with the 2018 federal budget," he says.

In the fall, the government also clarified its proposal to further limit the tax benefits of income sprinkling — namely, the process for paying a private corporation's earnings to family members to benefit from their lower overall tax rates.

"The government issued bright-line tests to determine whether adult family members are sufficiently involved in the business and, therefore, entitled to be excluded from the tax on split income (TOSI), that would otherwise apply to tax dividends and interest they receive from the business at the highest marginal tax rate," says Murphy.

"According to the government, the adult family member must have made a 'regular, continuous and substantial' contribution to the business to be excluded from TOSI."

The government's guidance on the application of the split income rules for adults can be found here.

Murphy says owners of private corporations should consider taking steps now in order to get ahead of the changes.

“In the case of the changes to the tax on split-income, owners of private corporations should ensure their companies are set up so that if owned by family members, they own different classes of shares so that dividends can be paid to various shareholders and not to all shareholders at the same time, which might trigger TOSI,” he says.

“That’s something they should definitely consider if all of their shares are held within the same class,” he adds.

"In addition, it might be appropriate to get those family members on the payroll now so they receive a salary instead of dividends from the company."



Toronto lawyer Peter Murphy knows first hand how easy it can be to avoid making a will.

Despite having a lawyer in the family, Murphy’s own parents were well into their 70s before his mother asked him about preparing her will — and only after she was prompted by a friend.

“This friend was a little surprised that my mother hadn't completed her estate planning, and I was a little chagrined to think it was something that we had never focused on,” Murphy, a partner with Shibley Righton LLP, tells AdvocateDaily.com.

“We immediately started the process of estate planning and drawing up wills and powers of attorney for my mother and father.”

Murphy says his parents’ experience is far from unique.

“I think many people don’t understand the importance of having a will and powers of attorney. They tend to put off thinking about these types of issues,” he says.

Even if they appreciate the importance of estate planning, it’s easy to avoid taking action.

“People see it as an expense they would prefer not to incur," says Murphy. "They don't realize that estate planning will often save money and a great deal of aggravation in the long run. Every adult should have their will and powers of attorney in place.”

Murphy says the savings on taxes alone more than justify the cost.

"Steps can be taken to ensure certain assets will not be subject to estate administration tax, which, in Ontario, is the highest in the country," he says.

"The estate planning process can also identify and take advantage of other opportunities for tax planning, minimizing the amount of taxes that will have to be paid out on death.”

Dying without a will can lead to court proceedings to sort out the appointment of executors and guardians, which could have been simply directed in a will.

"Without a will, additional time-consuming procedures may be necessary, which can really be a problem for beneficiaries who depend on the deceased financially," Murphy says. "People can avoid unnecessary aggravation and expense by taking the time now to ensure their affairs are in order."

Murphy says that by drawing up a will, testators can also ensure their wishes are carried out after death.

“If you die without a will, the government decides how your estate will be divided,” he says. “Those results may not be what you intended, particularly if you were separated after marriage, or have a common-law spouse.

"If you have minor children, a process will have to be carried out to decide who becomes their guardian. Most people will achieve peace of mind knowing they have made arrangements for their wishes to be carried out, particularly when dependents are involved," Murphy adds.

He says a lawyer can also offer guidance to individuals on choosing the best person to act as executor of an estate.

“People tend to underestimate the responsibilities and time involved in the role. A lawyer can help you make an informed decision,” Murphy says.

In addition to tax planning and will preparation, an estate plan usually includes drawing up powers of attorney for health care and property, he says.

“These are documents that authorize someone to make decisions on your behalf if you ever become incapable of governing your own affairs, so it’s important to get these in place while you’re still of sound mind,” he says. “You can’t grant powers of attorney or make a valid will once you’re no longer mentally capable, and unfortunately, loss of mental capacity can happen at any time, without warning.”

In the case of Murphy’s parents, the timing of their estate planning was fortunate. His mother fell ill unexpectedly a few years later and, after a period in hospital, died. Her hospitalization revealed health issues suffered by Murphy’s father, who was soon diagnosed with dementia.

Although it was a difficult time for the family, Murphy says things would have been much worse had his parents not completed their wills and powers of attorney in advance.

“My parents' health deteriorated much more rapidly than we would ever have expected, so it was fortunate that our legal planning was in place,” he says. “The whole experience drove the message home to me that everyone needs to prepare for these kinds of issues.”

"I take pride in knowing that by assisting clients with their estate planning, I am helping them achieve some peace of mind that will be a real help to their loved ones in the future when they need it most," says Murphy.


The European Union's new privacy regulations could have a big impact on Canadian businesses, Toronto corporate lawyer Peter Murphy tells AdvocateDaily.com.

The EU's General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, replacing the Data Privacy Directive (DPD) with more comprehensive data privacy rules.

“Many Canadian companies assume this new European regulation will not apply to them,” says Murphy, a partner with Shibley Righton LLP, “but actually, it has a broad reach that will extend to many Canadian organizations. It imposes significant new requirements that are more stringent than what Canadian organizations are used to, and the penalties for violations are potentially very severe.”

“Canadian organizations should be preparing for this now to ensure they will comply by May 25, 2018,” he adds.

The reach of the GDPR will not be limited to organizations with an establishment in the EU. It will also apply to organizations outside the EU that collect or process personal information about EU residents.

“Whether your organization collects personal information on EU residents, or processes it on behalf of someone else, it will have to comply,” Murphy says.

The new regulation also takes an expansive approach when it comes to fines for non-compliance, which can reach as high as the larger of four per cent of an organization’s global turnover and 20 million euros.

“Class actions will also be available for enforcement of the GDPR,” Murphy says. “This creates another element of risk that Canadian companies need to be aware of.”

He says companies that currently comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) can't assume that means they will be in compliance with the GDPR once May 2018 rolls around.

“Adhering to PIPEDA will make them somewhat compliant, but the GDPR is more stringent in a number of ways,” Murphy explains.

For example, data controllers and processors will be required to carry out privacy security assessments to test their technical and organizational security measures under the GDPR. In addition, affected companies will be required to conduct privacy impact assessments before carrying out data processing that may pose a high level of risks to the individuals concerned.

“Data processors will be required to use encryption and to keep a register of their activities,” Murphy adds.

The GDPR also incorporates new rights for individuals whose personal information has been collected, such as the right to be forgotten, which allows people to object to, and request the deletion of, information about themselves under certain circumstances.

The GDPR’s data portability rules will also pose new requirements for subject Canadian organizations. PIPEDA already requires Canadian organizations to provide individuals with access to the information the organization holds about them. In certain circumstances, the GDPR will also require subject organizations to provide the information to the individual, on request, in a format that allows them to use it in another database.

“It’s not a carte blanche right for everyone, but it’s still something that will require businesses to update their infrastructure in order to be able to comply if needed,” Murphy says.

Like its predecessor DPD, the GDPR allows data to flow out of the EU to other jurisdictions whose privacy control regimes are deemed adequate. For the moment, Canada is among the approved countries, but Murphy says there’s no guarantee that it will retain its status indefinitely.

“There is a risk that the EU will consider Canadian privacy protection inadequate at some point, so organizations will have to be prepared for that eventuality,” he says.

Murphy says the implementation of what the GDPR calls “binding corporate rules” or contracts with “standard contractual clauses” is one way Canadian companies will be able to insulate themselves in the event the EU changes its mind on Canadian privacy practices.



The Ontario government has proposed immediate changes to the rules for not-for-profit corporations, says Toronto corporate lawyer Peter Murphy.

If enacted, the changes will bring some much-needed modernization to the statute governing the sector in the short term, says Murphy, a partner with Shibley Righton LLP.

Bill 154, the Cutting Unnecessary Red Tape Act, 2017, which passed second reading, is an omnibus bill that allows for amendments to various pieces of legislation. It proposes changes to the Ontario Corporations Act that would apply while the sector waits for the new legislation, the Ontario Not-for-Profit Corporations Act (ONCA), to come into force, Murphy tells AdvocateDaily.com.

Bill 154 is now before the Standing Committee on Justice.

The ONCA was passed by Ontario's legislature in 2010, but has not yet been proclaimed. Until it is, the Ontario Corporations Act will continue to apply to not-for-profit organizations incorporated in Ontario.

The Act will not be proclaimed until the government completes related upgrades to its administrative technology, says Murphy.

"They advised the sector that at least 12 months' notice will be given before the Act comes into force and that notice has not been given yet," he says.

Once the ONCA is in force, Ontario's existing not-for-profits will have three years to adopt the new legislation. Murphy says the current law will continue to apply during that period as well, making the proposed changes even more welcome.

"These are useful upgrades to the existing statute that continues to apply until we get to the ONCA regime," Murphy says.

A fundamental change proposed in the bill would extend ONCA's objective standard of care for directors to the existing legislation, he explains.

"The new standard would require directors to act honestly and in good faith with a view to the best interests of the corporation and to exercise the care, diligence and skill that a reasonable, prudent person would exercise in comparable circumstances. Until the changes come into effect, a common-law subjective standard of care applies. That standard requires a director to exhibit a degree of skill in his or her duties that may reasonably be expected from a person of his or her knowledge and experience."

The bill would modernize the standard of care for directors in line with modern corporate statutes, says Murphy.

Another change Murphy welcomes is that a director would no longer be required to be a member of the not-for-profit corporation. This would allow for more flexible member structures, he says.

Other proposed changes would allow meetings to be held electronically or by telephone and permit meeting notices to be distributed electronically. While these changes should be welcomed by most Ontario not-for-profits, Murphy says proposed changes for removing a director are even more important.

Under the existing legislation, a director can only be removed if the organization's bylaws allow for it. Even with the necessary bylaw provision, the existing law requires a membership vote of two-thirds to remove a director, Murphy says.

The bill proposes that a majority of the members that elected the director can remove him or her. This lowers the voting threshold and would apply even where an organization's bylaw is silent on the matter, he says.

Murphy says the bill also contains positive changes to audit requirements.

"Currently, every not-for-profit is required to obtain audited financial statements, except where the corporation's annual income is under $100,000 and all the members consent to not having them," Murphy says.

"The change would lower the consent requirement to 80 per cent of the votes cast by members and the annual revenue of the organization would have to be no more than $100,000," he says.

"That's significant. To get 100 per cent of your members to consent is pretty tough — even for small organizations that can't afford an audit. The proposed change would give them 20 per cent wiggle room which would be welcomed, I'm sure, by many of the smaller not-for-profits."


On June 7, the federal government announced that it is suspending the implementation of the private right of action under Canada’s anti-spam legislation (CASL). The move was in response to concerns raised by Canadian businesses, charities and the not-for-profit sector.

The suspended provisions of CASL were scheduled to come into force on July 1, 2017 and would have allowed any interested person to file lawsuits for alleged violations of the legislation.

The government has not stated how long this indefinite suspension will last. The legislation will be submitted to a parliamentary committee for review.

According to the press release issued by Innovation, Science and Economic Development Canada, “Canadians deserve an effective law that protects them from spam and other electronic threats that lead to harassment, identity theft and fraud. At the same time, Canadian businesses, charities and non-profit groups should not have to bear the burden of unnecessary red tape and costs to comply with the legislation.”

The government claimed it is committed to striking the right balance between protection from spam and Canadians’ reasonable use of electronic communication. It also said it “supports a balanced approach that protects the interests of consumers while eliminating any unintended consequences for organizations that have legitimate reasons for communicating electronically with Canadians.”

CASL came into effect on July 1, 2014. The law prohibits individuals and organizations from sending commercial electronic messages to Canadians without their consent. Penalties for the most serious violations of the legislation can be issued up to a maximum of $1 million for individuals and $10 million for businesses.

The private right of action promised to extend enforcement of CASL beyond government agencies to all interested persons. The suspended right would have permitted interested persons to file lawsuits, starting July 1, 2017, seeking actual and statutory damages for alleged breaches of CASL. Statutory damages would have amounted to $200 per occurrence, up to $1 million per day. It is widely expected that the CASL private right of action, if implemented, will lead to class-action lawsuits joining the recipients of infringing electronic messages into large group lawsuits.

Canadians should keep in mind that, despite the indefinite suspension of the private right of action, CASL remains in force and significant fines can still be issued for breaches. Since CASL came into effect, the CRTC (Canadian Radio-television and Telecommunications Commission) has issued numerous fines, including one case where the penalty exceeded $1 million.


It's rare for an entirely new market to open for business in Canada. So it's no surprise the government's plan for legalizing recreational cannabis has created a rush of businesses positioning themselves to claim a piece of this new, lucrative market.

Understanding the rules around the recreational cannabis industry will be imperative when making investment and marketing decisions. A detailed appreciation of the rules will also be necessary to ensure industry participants comply with the law.

Canada's proposed Cannabis Act — if enacted without change — will distinguish legal activity from actions that warrant a lengthy prison stay by a hair's width. For example, an individual will be permitted to grow up to four cannabis plants at home, provided they are no more than 100 cm in height. If they grow just one millimetre taller, the grower could face 14 years in prison.

The act may change before coming into force, given much of it is subject to regulations that have not yet been drafted. Based on the current wording, however, we can expect several significant restrictions on the promotion of cannabis, accessories and related services.

Blanket Prohibition

Unless otherwise stated, the act will prohibit:

(a) communicating information about its price or distribution;

(b) promotion that could reasonably be believed to be appealing to young persons;

(c) promotion that uses testimonial or endorsement, however displayed or communicated;

(d) promotion that depicts a person, character or animal, whether real or fictional; or

(e) presenting the product in a manner that associates it with a way of life that includes glamour, recreation, excitement, vitality, risk or daring.

Point of Sale

Authorized cannabis vendors and those selling marijuana accessories or related services will be allowed to promote the products at the point of sale if the information is limited to availability and price.

The act will prohibit authorized vendors from selling cannabis in a package or with a label:

(a) if there are reasonable grounds to believe the package or label could be appealing to young persons;

(b) that sets out a testimonial or endorsement, however displayed or communicated;

(c) that includes a depiction of a person, character or animal, whether real or fictional;

(d) that associates the cannabis or one of its brand elements with a way of life that includes glamour, recreation, excitement, vitality, risk or daring; or

(e) that contains any information that is false, misleading or deceptive or that is likely to create an erroneous impression about the characteristics, value, quantity, composition, strength, concentration, potency, purity, quality, merit, safety, health effects or health risks of the cannabis.

Similar restrictions apply to the sale of cannabis accessories.


Authorized marijuana producers, vendors and distributors may promote cannabis, accessories and related services by means of brand-preference promotion or informational promotion, but only if the promotion meets one of the following criteria:

(a) it must be made in a communication addressed and sent to an individual 18 years or older who is identified by name;

(b) it must be in a place where young persons are not permitted by law; or

(c) it must be communicated by means of a telecommunication, where the person responsible for the content of the promotion has taken reasonable steps to ensure that the message cannot be accessed by a young person.

Brand-preference promotion is defined as promotion of cannabis, a marijuana accessory or a related service by means of its brand characteristics.

A person will be permitted to promote marijuana — or related accessories or services — by displaying a brand element of something that is not cannabis or a cannabis accessory, other than:

(a) something associated with young people (under 18 years old);

(b) something that could be appealing to young people; or

(c) something associated with a way of life that includes glamour, recreation, excitement, vitality, risk or daring.

The act specifically contemplates regulations that will prohibit the use of specified terms, expressions, logos, symbols or illustrations in the promotion of cannabis, or related accessories or services.

Celebrity and Event Promotions

The act will prohibit the display — in the sponsorship of a person, entity, event, activity or facility — of the following:

(a) a brand element of cannabis, of a cannabis accessory or of a service related to cannabis; or

(b) the name of a person that (i) produces, sells or distributes cannabis, (ii) sells or distributes a cannabis accessory, or (iii) provides a service related to cannabis.

The act will ban the following from being displayed at a facility used for a sports or a cultural event or activity:

(a) a brand element of cannabis, or of related accessories or services;

(b) the name of a person that (i) produces, sells or distributes cannabis, (ii) sells or distributes a cannabis accessory, or (iii) provides a service related to cannabis.

Giveaways and Inducements

The act will prohibit a person who sells cannabis or related accessories from doing so:

(a) without monetary consideration or in consideration of the purchase of any good or service;

(b) with any inducement for the purchase of cannabis or a cannabis accessory, including a right to participate in a game, draw, lottery or contest; or

(c) as an inducement for the purchase of cannabis or a cannabis accessory.

Misleading Advertising

The act will also prohibit the promotion of cannabis or related accessories in a false, misleading or deceptive manner that is likely to create an erroneous impression about its characteristics, value, quantity, composition, strength, concentration, potency, purity, quality, merit, safety, health effects or health risks.


Business leaders may fail to uphold their legal responsibilities if they don't take reasonable steps to prepare their companies for cyberattacks and information security breaches, says Toronto technology and business lawyer Peter Murphy, who has acted as counsel on some of Canada’s most notorious privacy breaches.

The impact can be as debilitating to an organization as a major product liability lawsuit, he tells AdvocateDaily.com.

Given the importance of data in business today, "we have reached the point where the failure to take reasonable steps to protect information in the possession or control of the organization may be a breach of the fiduciary duties owed by senior officers and board of directors of the organization," Murphy points out.

He advises firms to craft and implement policies and procedures around information protection and security incident response, as the risk of a data breach is “huge.”

"Businesses must take prudent steps to protect against loss or unauthorized use of data — and even then, they won’t be able to completely eliminate the risk of an incident. Hackers and the tools available to them are too sophisticated. So the question is not so much if a cyber breach will occur, but when.

"If a data security incident does occur, will the board and management be seen to have acted responsibly? When they respond to the incident, will they follow best management practices and comply with all legal obligations?” says Murphy, a partner with Shibley Righton LLP.

Privacy law in Canada requires companies to use physical, technical and administrative safeguards to protect the personal information they hold. Physical safeguards include locked doors and cabinets and controlled physical entry, while technical protections involve passwords and encryption, Murphy explains.

Administrative safeguards are the broadest category, and may involve tracking of data access, user background checks and other controls, as well as the implementation of security policies, plans and protocols, he adds.

"Many smaller or medium-sized organizations might be reluctant to prepare data protection and incident response policies and plans because of the time and effort required, but this exercise should not pose a material drain on resources if it is incorporated into the organization’s strategic and overall governance planning," Murphy says.

He says the responsibility to develop policies begins with the board of directors and top management, but that staff at all levels throughout the organization should be involved in cybersecurity planning.

"It's a common mistake for organizations to think that data protection is just an IT problem," Murphy stresses. "All staff need to have input and bear responsibility to comply with the resulting policies.

"The assistance of experienced legal counsel is highly recommended to ensure the policies reflect the organization’s obligations and, if implemented, will place it in an advantageous legal position.”

Murphy suggests firms start by identifying the information they possess and ranking it in value and importance.

“Then they should assess their vulnerabilities. From there, a data security policy can be created to ensure the necessary safeguards are applied,” he says.

Recording the cyber trails of staff who use the system is a useful precaution, Murphy points out.

“Even more important is exercising control over information access by former employees and contractors. Many incidents I see involve a former employee or independent contractor whose password was never turned off,” he says.

Once a data security policy has been created, the organization should prepare a data breach response policy, so it has a clear and effective response plan available to implement in the event an incident occurs, Murphy adds.

“This plan will cover breach identification and immediate IT response, creation of a management response team, breach investigation, notification, public relations, involvement of law enforcement authorities where appropriate, the offering of data theft services, and steps to ensure the breach never happens again.

"Legal counsel should be involved to ensure the plan reflects the organization’s privacy breach-reporting obligations and places the organization in the best possible position when responding to a data breach,” he says.

Murphy points out there has been phenomenal growth in class-action lawsuits against companies that experienced cyber breaches in recent years.

“The involvement of legal counsel early in the process can help the organization prepare for resulting litigation. A lawyer is best positioned to manage its relationship with privacy authorities and to ensure its disclosure obligations are followed.

“In addition, having a lawyer conduct breach-investigation interviews with staff may invoke legal privilege for those discussions. If the organization is sued for a privacy breach, that protection may be crucial,” he says.

Institutions that take action to mitigate harm to clients — such as providing identity theft services for those affected — could reduce the damages awarded against them, Murphy says.

“In a number of cases, courts have viewed the offering of identity theft services as a very important step," he says.

Organizations should also consider adding cyber-insurance to their risk-mitigation strategies, Murphy says.

Finally, he warns that organizations should not think this exercise ends when the policies and plans are completed.

“A policy is worthless if not properly implemented. That involves staff training, compliance assessment and regular policy review. Cyber security is a new aspect of management that must be attended to regularly. These issues are not going away anytime soon,” Murphy says.


Speaking Engagements & Media Attention

Hosted The Commons Institute's LawFM series Corporate Law Broadcast, January 2017

Interviewed in Blockchain Breaks New Ground by Geoff Kirbyson, published in Forensic Accounting & Fraud, vol. 6 no. 2, 2016

Interviewed in Cybersecurity Starts at Top, CEOs Must Have Action Plan by Jeff Buckstein, published in Forensic Accounting & Fraud, vol. 5 no. 1, 2016

Quoted in Law Times article "Telecoms told review of third-party needed" – 2016-06-06

Quoted in Law Times article "Jury out on impact of anti-spam legislation" – 2016-05-16

Presenter/Speaker – Privacy and Anti-Spam Law in Canada – LexWork Conference – 2016-05-13

Presenter/Speaker – Data Breaches, Privacy Risks and Obligations – Advanced Intellectual Property Program – Institute of Law Clerks of Ontario – 2016-04-13

Presenter/Speaker – How Does CASL Affect Charities and Non-for-Profits? – Commons Institute's Charities, Non-Profits and the Law webinar – 2015-11-13

Presenter/Speaker – Nuclear Technology Agreements – Nuclear Lawyer's Association Annual Meeting – 2015-11

Quoted in OPC's Annual Report Focuses On Online Privacy Transparency – E-Commerce Law & Policy, The Monthly Journal for Online Business – 2014-09

Quoted in CBC.ca – "Canada's new anti-spam law: Can it really clean up your inbox?" – 2014-07-01

Quoted as one of Canada's leading commercial lawyers in The Globe and Mail – 2010-04-10 and 2010-01-08

Quoted as one of Canada's leading commercial lawyers in The Financial Post – 2010-03-06

Comments have appeared in articles about CASL in Bloomberg News and CBC.ca

Presenter/Speaker – Employee Privacy – 17th Annual Fraud Conference – The Association of Certified Forensic Investigators of Canada (ACFI)

Presenter/Speaker/Co-Chairman – Service Level Agreements – 6th Annual Federated Press Service Level Agreements Conference

Presenter/Speaker – Canadian Legal Update, Notification Obligations and Risk Mitigation – client seminars in Toronto and Ottawa

Presenter/Speaker – Doing Business in Canada – Canadian Trade Commissioner's Symposium in Atlanta, Georgia

Presenter/Speaker – Managing Intellectual Property Under Service Level Agreements – 5th Annual Federated Press Service Level Agreements Conference, Toronto

Presenter/Speaker – Technology Partnerships – Government of Ontario's Asia Pacific Global Export Forum

Presenter/Speaker – Canadian Anti-Spam Law – International Quality and Productivity Centre's Contact Centre Summit

Presenter/Speaker – CASL Compliance – Direct Marketing Association of Canada's CASL Compliance Event

Co-Host/Speaker – Preparing Your Organization for CASL's Commercial Electronic Messages Requirements – live webinar

Co-Chair/Speaker – Convergence of Electricity Distributors and Telecommunications Companies – Smart Grid in Ontario Conference


Peter Murphy is a partner in Shibley Righton LLP's Toronto office, with over twenty years of business, technology and privacy law experience. His practice includes commercial contracts and transactions, intellectual property law, privacy and data protection, marketing law, and will and estate planning.

Acting as business law counsel to a wide variety of organizations, Peter's clients include nuclear operators, universities, chartered banks, electricity distributors, municipalities, software companies and healthcare organizations. He also advises not-for-profit organizations and private businesses on a broad range of legal issues, including corporate governance.

Peter has extensive experience with corporate transactions including debt and equity financing, mergers and acquisitions, supply and services agreements and RFP documentation. He drafts shareholders agreements and structures corporations, partnerships and joint ventures.

For example, Peter advised a Canadian chartered bank on the creation of an online banking joint venture. He also advised Infrastructure Ontario and the Province of Ontario on the RFP documentation and related contracts for the engineering, procurement and construction of a two-unit nuclear power plant.

His extensive technology and intellectual property law experience includes drafting and negotiating licensing, outsourcing, development, implementation and support, cloud computing and e-commerce agreements. He provides advice on all types of intellectual property law issues including copyright, reverse engineering, trade secrets, confidentiality, patent and trade-mark law. He is an expert on Canada's anti-spam law and frequently advises clients on marketing, advertising and consumer law.

Peter's practice has a strong focus on privacy and data protection law. He advises Ontario municipalities, government institutions, businesses, film festivals and international sporting events on all aspects of privacy law. He has acted as lead privacy counsel on some of Canada's most notorious data breaches, and has represented clients before Canada’s Privacy Commissioner. He acted as privacy counsel on the merger of two hospitals and their charitable foundations and for a chartered bank on the launch of a consumer credit card product. He also carried out a privacy audit of one of Ontario's largest statutory Boards which included the delivery of a comprehensive report to the responsible Minister.

Peter advises individual clients on will and estate planning. He has advised some of Canada's premier artists on estate planning issues including planning for post mortem administration of their artistic legacies.

A frequent public speaker and writer on business law and regulatory matters, Peter's articles and interviews have been printed in Canadian and international news media.

Contact Information

T: 416.214.5216
F: 416.214.5416
E: peter.murphy@shibleyrighton.com


University of Toronto Faculty of Law, J.D., 1993
Richard Ivey School of Business, H.B.A., 1990