On April 4, 2023, Fasken held its hybrid IT Symposium, a half-day seminar that covered a variety of topics that are vital to your business and practice, all presented by our leading subject matter experts. The following is a brief summary of the content of each of the topics. A link to the symposium agenda and videos of the presentations can be found at the bottom of this bulletin.

Outsourcing: An Ever Evolving and Adaptable Business Strategy (Andrew Alleyne, Paul Burbank)

Enterprise-wide outsourcing arrangements require considerable commitment in time and resources. Achieving the full benefits of adaptability and flexibility of outsourcing requires bridging commercial and legal challenges and narrowing focus on the associated solutions. This presentation emphasized the following considerations for successful outsourcing arrangements:

  • Cloud services/sourcing: Cloud outsourcing presents "opportune tensions" for service providers and customers alike. Navigating these tensions requires special attention to the levers of control available to each party (e.g. service-level agreements, flexible subscription models) and ensuring those mechanisms translate effectively to the cloud environment.
  • Geography: Whether it is to meet statutory and regulatory requirements (e.g. data residency) or respond to geopolitical developments (e.g. COVID-19), customer requirements for location of services are increasing; look to core concepts like termination and transition rights to provide that needed flexibility when it is required.
  • Governance: Modern outsourcing arrangements require attention to detail and moving past boilerplate committee structures and meeting schedules to governance structures that are tailored to the unique expectations and contain binding and meaningful obligations for cooperation and information sharing.
  • New Technology: Recent emphasis on cybersecurity, for example, has given rise to a wide range of new service offerings, such as cyber-as-a-service and artificial intelligence and machine learning (AI/ML). Leveraging new technologies requires both aspirational commitments (e.g. productivity gain sharing) and attention to ownership of intellectual property.

Principles of Risk Management – OSFI Guideline B-10: Third-Party Risk Management

Although formally applicable only to regulated financial services organizations, OSFI's recently released Guideline B-10: Third-Party Risk Management serves as a useful framework for evaluating and managing risk associated with outsourcing arrangements (regardless of your industry). Find Fasken's complete review on this important development in third-party risk management here.

Staying Ahead of the Curve: Legal Issues and Developments Relating to Emerging Technologies (Andrew Nunes, Julie He)

This presentation discussed the legal issues and developments relating to emerging technologies, particularly artificial intelligence (AI) and Web3. On the AI front, we discussed the recent surge in awareness of generative AI applications (such as ChatGPT) and the risks and considerations associated with generative AI, with a focus on the intellectual property (IP) rights in the data that is used to train AI algorithms and the data generated by those algorithms. These IP issues are reflected in recent lawsuits in the US and Canada, which were also discussed.

In addition to IP rights concerns, users and vendors of AI systems are recommended to also consider the nature of AI technologies when making representations and warranties, establishing limitations of liability, setting service levels and providing for indemnities in the legal agreements.

The presentation also provided an overview and updates concerning the newly proposed Canadian Artificial Intelligence and Data Act, its application, requirements and enforcement mechanisms.

With respect to Web3, we discussed the decentralized nature of the three building blocks of Web3: blockchain, digital assets (specifically non-fungible tokens, or "NFTs") and smart contracts, with a deep dive into the key legal considerations in interacting with NFTs. We highlighted several licensing models commonly used by NFT projects and offered analysis on the ownership of digital tokens versus the underlying intellectual property. The presentation further touched on the uncertainty regarding the validity and enforceability of smart contracts and concluded with best practice tips for stakeholders when engaging with these emerging technologies.

A Crash Course in Canadian Consumer Protection Law (Gabriel Stern, Shan Arora)

Consumer protection law in Canada is predominantly a subject of provincial and territorial jurisdiction, with each province and territory having its own specific consumer protection laws in force (in Ontario, consumer protection law is governed by the Ontario Consumer Protection Act). Generally, consumer protection laws apply to companies transacting with consumers if the company is located in Canada or supplies products or services to consumers in Canada. Consequently, e-commerce sellers are usually caught by consumer protection laws regardless of their location if they sell to consumers in Canada.

Effectively managing consumer protection issues is complicated by requirements depending on the type of agreement (e.g., internet agreement, future performance agreement), type of offering (e.g., gift cards, unsolicited goods/services), or contractual provision (e.g., warranties, mandatory arbitration, governing law and jurisdiction, class action waiver). Therefore, it is essential to review the contracting process and consider if any potential exclusions apply. Other ancillary considerations may trigger a broader consumer protection review, including Canada's Anti-Spam Legislation (CASL) (e.g. electronic message and software installation issues), privacy compliance, competition and marketing law, and electronic contracting/signature considerations.

Non-compliance with consumer protection laws may expose an organization to significant risk, including class action lawsuits, fines (including for directors), reputational damage, and may allow a consumer to cancel a contract and obtain a refund. Accordingly, managing consumer protection issues must be a prospective exercise that occurs during service design.

On February 6, 2023, the Ontario Ministry of Public and Business Service Delivery released a consultation paper entitled "Modernizing Consumer Protection in Ontario" and sought feedback on proposed amendments to the OCPA. The consultation period ended on March 17, 2023, and the proposals are currently under consideration.

It's Not Me, It's You: The Prime and Sub Contractors Finger-point as to who is Responsible for an ERP Implementation Failure in Agilisys Ltd v CGI IT UK Ltd (John Beardwood)

Agilisys Ltd v CGI IT UK Ltd provides a useful case study of the breakdown in the relationship, and the resulting litigation, between CGI IT UK Ltd, as prime contractor ("CGI"), and Agilisys Ltd, as the subcontractor to CGI, in connection with a failed ERP implementation for a third party client. Among the lessons learned from this case study were:

  1. Be clear on the Project Management role. Simply allocating the "project management" role to one party in a RACI chart (or equivalent), without further definition of that role, (a) may not provide sufficient clarity of the scope of that role, and (b) where the role of the project management office ("PMO") is assigned to the other party, can lead to questions as to where the scope of the PMO ends and the scope of the project management role begins.
  2. Document, document, document. It is critically important to document performance failures as they occur; the court in this case drew adverse conclusions from the failure of CGI to issue any documentation raising their concerns to Agilisys regarding their failures, until significantly after the fact. As the court put it, if Agilisys' failures had caused a major roadblock for CGI, then why was there not contemporaneous documentation wherein CGI expressed these concerns? In response to CGI's explanation as to this absence of documentation (i.e. that CGI was being "conciliatory" and did not want to apportion blame), the court was bluntly dismissive: "the relationship between CGI and Agilisys was a purely commercial one. Because you want to be conciliatory, take a partnership attitude, make things work and move things along does in no way stop the raising of, what are now said to be major issues, with the other party."

The first lesson will help avoid project failures while, in the case of a project failure occurring, the second lesson will help the non-failing party to prevail in any resulting dispute.

Keeping Pace with Federal Privacy Law Modernization (Daniel Fabiano, Christopher Ferguson, Summer Lewis)

This presentation explored the modernization of the federal privacy regime in Bill C-27, the Digital Charter Implementation Act, 2022. Bill C-27 subsequently passed second reading on April 24, 2023 and was referred to the Standing Committee on Industry and Technology.

Given the new Commissioner powers and new financial penalties under the proposed legislation, companies should review their current privacy practices and policies and consult with legal counsel to ensure they are compliant with the proposed requirements. The key considerations we highlighted for private-sector companies are:

  • Reviewing existing collections, uses and disclosures of personal information. In addition to a general review as an inventory to support compliance, companies should specifically conduct an "appropriate purposes analysis". Companies must only collect, use and disclose personal information for appropriate purposes and conduct such analysis regardless of whether an individual has provided consent to those purposes.
  • Developing and deploying privacy management programs. A review of existing policies and practices to identify gaps will be required. Consider overlooked topics like record retention and video surveillance.
  • Updating public-facing privacy statements. Include information regarding automated decision systems (if applicable), retention periods related to sensitive personal information, how personal information is used (including how consent exceptions are applied), and the types of organizations to which personal information is disclosed.
  • Reviewing practices related to de-identified and anonymized personal information. The proposed requirements have new distinctions (e.g., anonymization should be done in accordance with generally accepted best practices; de-identified information is subject to restrictions on use or disclosure without consent).
  • Reviewing contracts with service providers. Using standard questionnaires in the vetting process and exercising audit rights may help companies to ensure that service providers are compliant with the proposed requirements (e.g., ensuring an equivalent level of protection is used for the personal information).

Please see a link to the IT Symposium agenda and videos of the presentations here.
