68 | LEXPERT • June 2018 | www.lexpert.ca/usguide
extreme weather events, causing more mo-
mentum at the regulatory level.
"People haven't experienced these types
of weather events so severely or so close
together in the past, and I think that is at
least driving a conversation," says Tyson
Dyck, partner in the environmental prac-
tice at Torys LLP in Toronto. "There's
been more of an appetite for government
regulation only to see it fall away."
Ontario joined the Québec-California
carbon market this year under a harmo-
nization and integration agreement. The
Ontario Ministry of the Environment
and Climate Change has also proposed
changes to its cap-and-trade regulations.
This will allow all three governments
to hold joint auctions of greenhouse gas
emissions allowances and to harmonize
regulations and reporting.
Ontario's program is approaching some
key milestones, but across Canada, vari-
ous climate change initiatives are taking
off. Alberta, for example, launched its
Climate Leadership in 2016 and a series
of initiatives are being rolled out over a
couple of years.
Dyck says most of the US clients he
advises are looking at some operations in
Canada, whether actually operating fa-
cilities or looking in companies already
regulated and trying to figure out what
it means.
Dyck hears from clients that once regu-
lations are in place, they're actually able
to live with them and integrate them into
their business models because the regula-
tions provide at least some degree of cer-
tainty around costs they will face and have
to manage their operations. That may
mean new pollution control equipment,
for example.
"What I think concerns some clients is
the uncertainty around where those costs
might go in the future."
Where those prices will go is a bit of
a question mark. Ontario, for example,
has put some containment over where
the price can go over time and has been
looking to California as to how it's been
done there.
"The federal government plan is a little
less clear on how they are going to contain
the price moving forward," says Dyck.
"What I think concerns
some clients is the
uncertainty around where
those costs might go
in the future." Where
those prices will go is
a bit of a question mark.
Tyson Dyck, Torys LLP
Regulatory
tions to govern mandatory breach re-
porting and notification under Canada's
federal privacy legislation, the Personal In-
formation Protection and Electronic Docu-
ments Act (PIPEDA).
Under PIPEDA's mandatory reporting
and notification regime, organizations
that experience a data breach must report
the incident to the Office of the Privacy
Commissioner of Canada and notify af-
fected individuals.
From a business standpoint, compli-
ance is top of mind, but how do you trans-
late it into operational efficiency?
Naïm Antaki of Gowling WLG (Can-
ada) LLP in Montréal says "It's very rare
businesses will be organized on a geo-
graphical basis. Often, it is by business
lines that cover various jurisdictions, so
the question is what more do I need to be
doing than I'm already doing?"
It will require collaboration from not
only the legal department but also the IT
department, risk management — a team
effort, says Antaki.
Notification is required in all circum-
stances where it is reasonable to believe
that the breach creates a "real risk of sig-
nificant harm to the individual," defined
to include humiliation, damage to reputa-
tion or relationships and identity theft.
PIPEDA indicates that the notice
must be given in the "prescribed format,"
which is now outlined within the pro-
posed regulations.
While big organizations have largely
been working toward this for some time,
it's the smaller organizations that will do
it when they have to, but now is a good
time to start getting procedures in place, as
there is potential civil liability just for fail-
ing to notify now.
This is new for plaintiff-side counsel,
says Brent Arnold, a Toronto partner with
Gowling WLG. "Some organizations
get hit with hundreds of thousands of
breaches a year so, for some organizations,
this will be something that ends up being a
full-time job for some people."
Antaki says small organizations can
look at things broadly such as IT policies
and contracts and make sure third-party
providers notify you if something happens
with them. "It's not necessarily who has
custody of the information but who has
the control of the information based on
the principles already in PIPEDA. If you
outsource some of those obligations, you
have to make sure you have the contractual
obligations in place in order to respond to
what you need to do," he says.
Another important element is, from a
cybersecurity standpoint, do you need to
consider getting cyber-insurance?
3. Environment:
climate change initiatives
Environmental lawyers believe interest
in addressing climate change is gearing
back up, in some part due to increasingly
