Regulatory Affairs

Overview

Strict and rigorous rules apply to the development process, manufacturing, marketing, labelling and advertising of products. You can rely on our highly skilled legal and scientific team for enlightened advice on regulatory compliance of these products.

Our experts have the knowledge to deal with an extensive range of regulatory matters, including:

  • the approval and marketing of:
    • foods and nutraceuticals,
    • drugs and biologicals,
    • cosmetics,
    • natural products,
    • medical instruments, and
    • industrial equipment;
  • lotteries and contests; and
  • the protection of drugs, including:
    • the development of protection strategies combining patents and regulatory protection, 
      obtaining data protection for innovative drugs, and listing on Health Canada’s Patent Register.


Discover our PI services

  1. Cybersecurity and the dangers of the Internet of Things

    While the Canadian government has said it intends to pass legislation dealing with cybersecurity (see Bill C-26 to enact the Critical Cyber Systems Protection Act), many companies have already taken significant steps to protect their IT infrastructure. However, the Internet of Things is too often overlooked in this process. This is in spite of the fact that many devices are directly connected to the most important IT infrastructure for businesses. Industrial robots, devices that control production equipment in factories, and devices that help drivers make deliveries are just a few examples of vulnerable equipment. Operating systems and a range of applications are installed on these devices, and the basic operations of many businesses and the security of personal information depend on the security of the devices and their software. For example: An attack could target the manufacturing equipment control systems on the factory floor and result in an interruption of the company’s production and significant recovery costs and production delays. By targeting production equipment and industrial robots, an attacker could steal the blueprints and manufacturing parameters for various processes, which could jeopardize a company’s trade secrets. Barcode scanners used for package delivery could be infected and transmit information to hackers, including personal information. The non-profit Open Web Application Security Project (OWASP) has released a list of the top ten security risks for the Internet of Things.1 Leaders of companies that use this kind of equipment must be aware of these issues and take measures to manage these risks. We would like to comment on some of the risks which require appropriate policies and good company governance to mitigate them. Weak or unchangeable passwords: Some devices are sold with common or weak initial passwords. It is important to ensure that passwords are changed as soon as devices are set up and to keep tight control over them. Only designated IT personnel should know the passwords for configuring these devices. You should also avoid acquiring equipment that does not allow for password management (for example, a device with an unchangeable password). Lack of updates: The Internet of Things often relies on computers with operating systems that are not updated during their lifetime. As a result, some devices are vulnerable because they use operating systems and software with known vulnerabilities. Good governance includes ensuring that such devices are updated and acquiring only devices that make it easy to perform regular updates. Poor management of the fleet of connected devices: Some companies do not have a clear picture of the Internet of Things deployed in their company. It is crucial to have an inventory of these devices with their role in the company, the type of information they contain and the parameters that are essential to their security. Lack of physical security: Wherever possible, access to these devices should be protected. Too often, devices are left unattended in places where they are accessible to the public. Clear guidelines should be provided to employees to ensure safe practices, especially for equipment that is used on the road. A company’s board of directors plays a key role in cybersecurity. In fact, the failure of directors to monitor risks and to ensure that an adequate system of controls is in place can expose them to liability. Here are some elements of good governance that companies should consider practising: Review the composition of the board of directors and the skills matrix to ensure that the team has the required skills. Provide training to all board members to develop their cyber vigilance and equip them to fulfill their duties as directors. Assess cybersecurity risks, including those associated with connected devices, and establish ways to mitigate those risks. The Act to modernize legislative provisions respecting the protection of personal information sets out a number of obligations for the board of directors, including appointing a person in charge of the protection of personal information, having a management plan and maintaining a register of confidentiality incidents. For more information, you can read the following bulletin: Amendments to Privacy Laws: What Businesses Need to Know (lavery.ca) Lastly, a company must at all times ensure that the supplier credentials, passwords and authorizations that make it possible for IT staff to respond are not in the hands of a single person or supplier. This would put the company in a vulnerable position if the relationship with that person or supplier were to deteriorate. See OWASP top 10

    Read more
  2. Complaint processing: New framework to come for financial institutions and financial intermediaries

    Last September, the AMF published its draft Regulation respecting complaint processing and dispute resolution in the financial sector (the “Draft Regulation”). The consultation period for it ended on December 8, 2021. The AMF is currently reviewing the many comments it received. The Draft Regulation1 aims to harmonize and improve complaint processing in the financial sector by providing for new mechanisms to ensure prompt and efficient complaint processing, among other things. In the insurance industry, only firms and insurers are currently required to adopt and apply a complaint processing and dispute resolution policy. The Draft Regulation will make these obligations apply to independent partnerships and representatives. It also introduces new requirements and restrictions as well as monetary penalties for not including mandatory content in communications to a complainant, for example. Here are some of the Draft Regulation’s new provisions: Broadening of the definition of “complaint” to: Any dissatisfaction or reproach; That cannot be remedied immediately and for which a final response is expected; In respect of a service or product offered by a financial institution or financial intermediary; That is communicated by a person who is a member of the clientele of the institution or intermediary. The Draft Regulation does not contain a requirement that a complaint must be made in writing.2 It does make it mandatory for financial institutions and financial intermediaries to implement a complaint drafting assistance service.3 It also requires that a note be left in each record to indicate whether a complainant requested this service. Prohibition on the use of the term “ombudsman” in any representation or communication intended for the public to refer to the complaint process or to the persons assigned to its implementation.4 Specific requirements as concerns the mandatory content of a complaint processing policy, an acknowledgment of receipt and final response to a complainant, a complaint record and a complaints register.   For each complaint received, the complaint record must include the following information: The complaint Whether the complainant requested the complaint drafting assistance service The complainant’s initial communication A copy of the acknowledgment of receipt sent to the complainant Any document or information used in analyzing the complaint, including any communication with the complainant A copy of the final response provided to the complainant New time limits: Within 10 days of receiving a complaint, the insurer must notify the complainant in writing that they must also file the complaint with any other financial institution, financial intermediary or credit assessment agent involved, and the insurer must provide the complainant with their contact information.5 The complainant must be given 20 days to assess and respond to an offer to resolve the complaint, with sufficient time for the complainant to seek advice for the purpose of making an informed decision.6 If the complainant accepts the offer, the insurer has 30 days to respond.7 Financial institutions and financial intermediaries have a strict 60-day time limit to provide the complainant with a final response.8 There is a new 15-day time limit to send the complaint record to the AMF.9 There is a streamlined process for complaints that are resolved within 10 days of being recorded in the complaints register: The final response serves as an acknowledgment of receipt and must contain the following information: The complaint record identification code The date on which the complaint was received by the insurer or insurance representative The name and contact information of the employee responsible for processing the complaint referred to in section 7 of the Draft Regulation or in the Sound Commercial Practices Guideline A summary of the complaint received The conclusion of the analysis, including reasons, and the outcome of the complaint A reference to the complainant’s right to have the complaint record examined by the AMF The signature of the complaints officer A statement to the effect that the complainant has accepted the offer to resolve the complaint New monetary administrative penalties The Draft Regulation also provides for monetary administrative penalties ranging from $1,000 to $5,000 for failure to comply with certain requirements and prohibitions of the Draft Regulation. For example, the following will be subject to a monetary administrative penalty of $5,000: Attaching a condition to an offer to prevent the complainant from fully exercising their rights. Using the term “ombudsman” or any other similar title in any representation or communication intended for the public to refer to the complaint process or the persons assigned to its implementation to suggest that such persons are not acting on behalf of the financial institution or financial intermediary. In the latter case, a monetary administrative penalty may be imposed even where no complaint is involved, because the prohibition covers “any representation or communication intended for the public.” Insurers and financial intermediaries should review their communications as soon as possible, and especially the summary of their complaint processing policy appearing on their website. It concerns all entities regulated by the AMF, but the bulletin more specifically addresses financial institutions and financial intermediaries in the insurance industry. As currently indicated on the AMF’s website. Draft Regulation, s. 11. Id., s. 26, para. 2. Id., s. 15. Id., s. 13. Id. Id., s. 12, para. 4. Id., s. 25.

    Read more
  3. Bill C-18 (Online News Act): Canada looking to create a level playing field for news media

    Earlier this month, Canadian Heritage Minister Pablo Rodriguez introduced Bill C-18 (Online News Act) in Parliament. This bill, which was largely inspired by similar legislation in Australia, aims to reduce bargaining imbalances between online platforms and Canadian news outlets in terms of how these “digital news intermediaries” allow news content to be accessed and shared on their platforms. If passed, the Online News Act would, among other things, require these digital platforms such as Google and Facebook to enter into fair commercial agreements with news organizations for the use and dissemination of news related content on their platforms. Bill C-18, which was introduced on April 5, 2022, has a very broad scope, and covers all Canadian journalistic organizations, regardless of the type of media (online, print, etc.), if they meet certain eligibility criteria. With respect to the “digital news intermediaries” on which the journalistic content is shared, Bill C-18 specifically targets online communication platforms such as search engines or social media networks through which news content is made available to Canadian users and which, due to their size, have a significant bargaining imbalance with news media organizations. The bill proposes certain criteria by which this situation of bargaining imbalance can be determined, including the size of the digital platform, whether the platform operates in a market that provides a strategic advantage over news organizations and whether the platform occupies a prominent position within its market. These are clearly very subjective criteria which make it difficult to precisely identify these “digital news intermediaries.” Bill C-18 also currently provides that the intermediaries themselves will be required to notify the Canadian Radio-television and Telecommunications Commission (“CRTC”) of the fact that the Act applies to them. The mandatory negotiation process is really the heart of Bill C-18. If passed in its current form, digital platform operators will be required to negotiate in good faith with Canadian media organizations to reach fair revenue sharing agreements. If the parties fail to reach an agreement at the end of the negotiation and mediation process provided for in the legislation, a panel of three arbitrators may be called upon to select the final offer made by one of the parties. For the purposes of enforceability, the arbitration panel’s decision is then deemed, to constitute an agreement entered into by the parties. Finally, Bill C-18 provides digital platforms the possibility of applying to the CRTC for an exemption from mandatory arbitration provided that their revenue sharing agreements meet the following criteria: Provide fair compensation to the news businesses for news content that is made available on their platforms; Ensure that an appropriate portion of the compensation would be used by the news businesses to support the production of local, regional and national news content; Do not allow corporate influence to undermine the freedom of expression and journalistic independence enjoyed by news outlets; Contribute to the sustainability of Canada’s digital news marketplace; Ensure support for independent local news businesses, and ensure that a significant portion of independent local news businesses benefit from the deals; and Reflect the diversity of the Canadian news marketplace, including diversity with respect to language, racialized groups, Indigenous communities, local news and business models. A bill of this scope will certainly be studied very closely by the members of Parliament, and it would not be surprising if significant amendments were made during this process. We believe that some clarifications would be welcome, particularly as to the precise identity of businesses that will be considered “digital information intermediaries” for the purposes of the Online News Act.

    Read more
  4. A False Sense of Cybersecurity?

    Ransomware has wreaked so much havoc in recent years that many people forget about other cybersecurity risks. For some, not storing personal information makes them feeling immune to hackers and cyber incidents. For others, as long as their computers are working, they do not feel exposed to no malware. Unfortunately, the reality is quite different. A new trend is emerging: malware is being released to collect confidential information, including trade secrets, and then such information is being sold to third parties or released to the public.1 The Pegasus software used to spy on journalists and political opponents around the world has been widely discussed in the media, to the point that U.S. authorities decided to include it on their trade blacklist.2 However, the use of spyware is not limited to the political sphere. Recently, a California court ordered a U.S. corporation, 24[7].ai, to pay $30 million to one of its competitors, Liveperson.3 This is because 24[7].ai installed competing technology on mutual client websites where LivePerson’s technology already is installed. Liveperson alleged in its lawsuit that 24[7].ai installed spyware that gathered confidential and proprietary information and data regarding Liveperson’s technology and client relationships. In addition, the software which 24[7].ai allegedly installed removed some features of Liveperson’s technology, including the “chat” button. In doing so, 24[7].ai interfered in the relationship between Liveperson and its clients. This legal saga is ongoing, as another trial is scheduled to take place regarding trade secrets related to a Liveperson client.4 This legal dispute illustrates that cybersecurity is not only about personal information, but also about trade secrets and even the proper functioning of business software. A number of precautions can be taken to reduce the risk of cybersecurity incidents. Robust internal policies at all levels of the business help maintain a safe framework for business operations. Combined with employee awareness of the legal and business issues surrounding cybersecurity, these policies can be important additions to IT best practices. In addition, employee awareness facilitates the adoption of best practices, including systematic investigations of performance anomalies and the use of programming methods that protect trade secrets. Moreover, it may be advisable to ensure that contracts with clients provide IT suppliers with sufficient access to conduct  the necessary monitoring for the security of both parties. Ultimately, it is important to remember that the board of directors must exercise its duty with care, diligence and skill while looking out for the best interests of the business. Directors could be held personally liable if they fail to meet their obligation to ensure that adequate measures are implemented to prevent cyber incidents or if they ignore the risks and are wilfully blind. Thus, board members must be vigilant, be trained in and aware of cybersecurity in order to integrate it into their risk management approach. In an era in which intellectual property has become a corporation’s most important asset, it goes without saying that it is essential to put in place not only the technological tools, but also the procedures and policies required to adequately protect it! Contact Lavery for advice on the legal aspects of cybersecurity. See Page, Carly, “This new Android spyware masquerades as legitimate apps,” Techcrunch, November 10, 2021. https://techcrunch.com/2021/11/10/android-spyware-legitimate-apps; Page, Carly, “FBI says ransomware groups are using private financial information to further extort victims,” Techcrunch, November 2, 2021. https://techcrunch.com/2021/11/02/fbi-ransomware-private-financial-extort. Gardner, Frank, “NSO Group: Israeli spyware company added to US trade blacklist,” BBC News, November 3, 2021. https://www.bbc.com/news/technology-59149651. Claburn, Thomas, “Spyware, trade-secret theft, and $30m in damages: How two online support partners spectacularly fell out,” The Register,June 18, 2021. https://www.theregister.com/2021/06/18/liveperson_wins_30m_trade_secret. Brittain, Blake, “LivePerson wins $30 million from [24]7.ai in trade-secret verdict,”Reuters, June 17, 2021. https://www.reuters.com/legal/transactional/liveperson-wins-30-million-247ai-trade-secret-verdict-2021-06-17.

    Read more