On November 8, 2019, the Canada Border Services Agency initiated an antidumping and subsidy case against certain corrosion resistant (galvanized) steel from Turkey, the united Arab Emirates and Vietnam.  This is the second corrosion resistant steel case in 18 months.  The last corrosion resistant steel case was against China, Taiwan, South Korean and India.  In the 2018 case, the Canadian International Trade Tribunal did not find past injury but found that there was a threat of injury over the next 12-18 months.

It is also important to note that the CBSA previously determined that the United Arab Emirates’ level of subsidization of the carbon steel welded pipe industry was de minimis and terminated the subsidy case.  The CBSA also recently determined that the Government of Vietnam did not influence the prices of carbon steel welded pipe.

Covered Goods/ Excluded Goods

The subject goods in the current case are defined by the CBSA as:

“corrosion-resistant flat‑rolled steel sheet products of carbon steel including products alloyed with the following elements:

  • Boron (B) not more than 0.01%,
  • Niobium (Nb) not more than 0.100%,
  • Titanium (Ti) not more than 0.08%, or
  • Vanadium (V) not more than 0.300%

in coils or cut lengths, in thicknesses up to 0.168 in. (4.267 mm) and widths up to 72 inch (1,828.8 mm) with all dimensions being plus or minus allowable tolerances contained in the applicable standards, with or without passivation and/or anti-fingerprint treatments, originating in or exported from the Republic of Turkey, the Socialist Republic of Vietnam, and the United Arab Emirates, and excluding:

  • corrosion-resistant steel sheet products for use in the manufacture of passenger automobiles, buses, trucks, ambulances or hearses or chassis therefor, or parts thereof, or accessories or parts thereof;
  • steel products for use in the manufacture of aeronautic products;
  • steel sheet that is coated or plated with tin, lead, nickel, copper, chromium, chromium oxides, both tin and lead (“terne plate”), or both chromium and chromium oxides (“tin free steel”);
  • stainless flat-rolled steel products;
  • corrosion-resistant steel sheet products that have been pre-painted, including with lacquers or varnishes, or permanently coated in plastic;
  • galvanized armouring tape, which is narrow flat steel tape of 3 in. or less, that has been coated by a final operation with zinc by either the hot-dip galvanizing or the electrogalvanizing process so that all surfaces, including the edges, are coated;
  • perforated steel,
  • and tool steel.”

H.S. Classifications

The subject goods are usually imported under the following tariff classification numbers:

  • 7210.30.00.00
  • 7210.49.00.10
  • 7210.49.00.20
  • 7210.49.00.30
  • 7210.61.00.00
  • 7210.69.00.10
  • 7210.69.00.20
  • 7212.20.00.00
  • 7212.30.00.00
  • 7212.50.00.00
  • 7225.91.00.00
  • 7225.92.00.00


There are four separate proceedings in a typical Canadian antidumping or countervailing duty proceeding:

1) The CBSA conducts an antidumping investigation.  Within the first 90 days, the CBSA sends Exporter Requests for Information that must be filed on or before the specified deadline.  The CBSA may send supplemental requests for information.  The Requests for Information permit the CBSA to calculate preliminary dumping margins.  It is preferable to obtain a company-specific dumping margin – especially if an exporter has not dumped goods into Canada;

2) The CITT conducts a Preliminary Injury Inquiry within the first 60 days.  See our post on What is a Preliminary Interest Inquiry? In the Preliminary Injury Inquiry, the CITT looks at whether the complaint discloses a reasonable indication of injury.  Normally, the CITT will consider issues on (1) scope, (2) classes of goods and (3) evidentiary issues.  Since this is a regional case, arguments about test for regional cases and whether this is an appropriate regional case will likely be very relevant.  Companies should participate early and raise relevant issues with the CITT. The CBSA conducts a Preliminary Dumping Investigation within the first 90 days (the period overlaps with the CITT Preliminary Injury Inquiry);

3) The CBSA conducts Final Dumping and Subsidy Investigations: After 90 or 135 days have elapsed, the CBSA starts final investigations. During this period, on-site verifications take place. This process takes 90 days; and

4) After the CBSA issued Preliminary Determinations, the CITT conducts a Final Injury Inquiry.  The process takes 90 days.  On or about the 90th day, the CITT starts a hearing.

At this time, we will focus on the CBSA preliminary determinations phase. It is very important to start completing the questionnaires as quickly as possible.   Importers complete the Importers RFI. Exporters must complete (1) the Exporter Dumping RFI and (2) the Exporter Subsidy RFI. The CBSA is also distributing Industry Profit Surveys to obtain information of what amount is a reasonable profit.


The CBSA’s timeline of important dates is as follows:

  • December 2, 2019: CBSA: Importer RFIs are due;
  • December 16, 2019: CBSA: Exporter RFIs are due and Government responses are due;
  • February 6, 2019: CBSA: CBS make its preliminary determination of dumping/subsidization;
  • March 17, 2020 at noon: CBSA Closing of the record date;
  • March 24, 2020 at noon: CBSA: Case Briefs are due;
  • March 31, 2020 at noon: CBSA: Reply submissions are due; and
  • May 6, 2020: CBSA will issue final determination.

It is important for exporters to participate in the CBSA investigations. We recently posted an article entitled “Exporters Who Receive De Minimis Dumping Margins in Canadian AD Cases Now Being Excluded From Final Orders” in which we highlight the benefits of participating in a Canadian antidumping case.  If an exporter can achieve a de minimis dumping margin (less than 2%), the dumping investigation will be terminated against that exporter.  This would allow that exporter to continue to sell to importers in Canada.

We achieved a 0% dumping margin for Conares in the Carbon Steel Welded Pipe 2 case and they have been excluded from the Tribunal’s injury Order.  We also achieved a 0% dumping margin for Cintasa in the Fabricated Industrial Steel Components case and they too have been excluded from the Tribunal’s injury Order.

The CITT’s timeline for the preliminary injury inquiry is as follows:

  • November 21, 2019: CITT Notices of Participation are due;
  • December 6, 2019: CITT: Submissions by parties against the complaint (e.g., importers, foreign producers) are due;
  • December 13, 2019: CITT: Reply submissions of domestic industry are due; and
  • January 7, 2020: CITT will issue the preliminary injury decision.

The CITT has indicated that the submissions of parties opposing the complaint “should include evidence, e.g. documents and sources that support the factual statements in the submissions and argument concerning the questions of:

  • whether there are goods produced in Canada, other than those identified in the CBSA’s statement of reasons for initiating the investigations, that are like goods to the subject goods;
  • whether the subject goods comprise more than one class of goods;
  • which domestic producers of like goods comprise the domestic industry; and
  • whether the information before the Tribunal discloses a reasonable indication that the alleged dumping and subsidizing of the subject goods have caused injury or retardation, or are threatening to cause injury.”

It is important to note that the CITT has indicated that it will not consider product exclusion requests during the preliminary injury proceedings.

If you require any assistance, please contact Cyndee Todgham Cherniak at 416-307-4168 or cyndee@lexsage.com.  For more articles about Canada’s AD/CVD regime or proceedings, go to the LexSage website.


On October 25, 2019, the Canada Border Services Agency (“CBSA”) announced that they were modernizing NEXUS kiosks across Canada, starting with Vancouver airport, to use facial recognition technology.  Hidden in the announcement is the following significant NEXUS Program rule change:

“It is also important to note that declarations will not be completed at the new kiosks. If you have something to declare you must do so verbally, to an officer, at a clearly marked area in the customs hall after using the kiosk.”

Since this announcement had been sent to all NEXUS members with an email address, the CBSA is likely to enforce the rule change immediately – that is now.

What this means that if you purchased, acquired or received anything, anything at all, NEXUS members MUST go to a CBSA officer and declare the item.  If you took the coffee or soaps from your hotel room, you must now see a CBSA Officer.  If you purchased goods valued at less than the personal exemption limit, you must go and speak to a CBSA Officer. If you have tobacco or alcohol within your personal exemption limit, you must go and speak to a CBSA Officer.  If you received a complimentary item at a conference you attended (even a single pen or pad of paper on which you wrote your notes), you must go and speak to a CBSA Officer.  If you have food, you must go any speak to a CBSA Officer. According to the CBSA, if you have any prescription medications, you must go and speak to a CBSA Officer.  If you have unaccompanied goods, you have to go and speak to a CBSA Officer. Essentially, only travelers who acquired nothing outside Canada (and who do not normally carry food or prescription medications) will not have to speak with a CBSA Officer.

Simply put, this NEXUS Program rule change guts the benefits of the NEXUS Program.  The NEXUS line-ups will likely become very long.  Every diabetic will have to report their insulin.  Every senior will have to report their prescription medications (regardless of whether the medications were acquired in Canada). Every traveler who acquired anything will have to speak with a CBSA Officer.

If you do not stop to speak with a CBSA Officer, then if you are sent to the Secondary Inspection Area and anything is located that should have been declared, you will be fined and you will lose your NEXUS Card.

This is a crazy change to the NEXUS Program and NEXUS members should seriously consider using their NEXUS Card only for airport security screening purposes.  It might be best to use the non-NEXUS lane when returning to Canada and the lanes may move more quickly than the NEXUS lane.

We have seen many cases where the CBSA has taken enforcement action against NEXUS travelers who were within their personal exemption limit, but had acquired something.  Often, the NEXUS traveler did not have an exact calculation because they thought it was not necessary when answering the “YES/NO” question at the NEXUS kiosk.  As a result of the NEXUS Program rule change that has been announced, the CBSA will be looking out for NEXUS travelers and NEXUS travelers should organize all of their receipts and allocate values to the complimentary items and gifts.

For more information, please contact Cyndee Todgham Cherniak at 416-307-4168 or at Cyndee@LexSage.com.  We have posted a number of articles about NEXUS on the LexSage website.


The original Canada-Israel Free Trade Agreement (known as the “CIFTA”) entered into effect on January 1, 1997.  It was a limited free trade agreement. The CIFTA was previously amended on July 5, 2002 and November 1, 2003.  On May 28, 2018, Canada and Israel again amended the CIFTA by signing the Canada-Israel Free Trade Amending Protocol 2018. On May 27, 2019, Bill C-85: An Act to amend the Canada-Israel Free Trade Agreement Implementation Act and to make related amendments to other Acts entered into effect.  Bill C-85 (and the changes to the CIFTA) entered into effect on September 1, 2019.

The September 1, 2019 CIFTA reduces tariffs to 0% or 4% on a number of goods in Chapter 1, 2, 3, 4, 5, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 22, and 23, (and a few items in Chapters 24, 28, 3, 35, 69 and 71) of the Customs Tariff Schedule.

More significantly the transshipment rule in the CIFTA has been expanded beyond the United States.  Now, goods that are transshipped through Jordan, Iceland, Liechtenstein, Norway, and Switzerland, the European Union and Mexico may be entitled to the preferential CIFTA tariff rates when imported into Canada so long as only minor processing occurs in the intermediate country.  Canada has updated the Proof of Origin of Imported Goods Regulations, Free Trade Agreement Advance Rulings Regulations, Part 5 of the Refund of Duties Regulations and the Declaration of Minor Processing (Form E669) to reflect this expanded list of countries.  To benefit from the preferential tariff treatment, effective September 1, 2019, the amended Declaration of Minor Processing (Form E669) must be completed for CIFTA-eligible goods that have undergone minor processing in the territory of a non-Party prior to entering Canada.  This form must be completed if qualifying goods entered the commerce of the territory of a non-Party (e.g., the United States) or are otherwise not subject to a through bill of lading from Israel to Canada or from Canada to Israel. If the goods are passing through the territory of a non-Party (e.g., the United States) to Canada/Israel on a through bill of lading, the form does not have to be completed.  If goods are shipped to Canada directly from Israel, the Free Trade Agreement – Certificate of Origin (Form B239) must be completed.

If is also important to note that new chapters were added to CIFTA, including:

  • Electronic commerce;
  • Intellectual property;
  • Sanitary and phytosanitary measures;
  • Technical barriers to trade;
  • Trade and environment;
  • Trade and labour;
  • Trade facilitation;
  • Trade and gender;
  • Trade and small and medium enterprises (SMEs);and
  • Corporate social responsibility.

These chapters will be discussed in other blog articles.

For more information, please contact Cyndee Todgham Cherniak at 410-307-4168 or at Cyndee@LexSage.com.  There is more information about Canada’s free trade agreements on the LexSage website.



The answer is “possibly”.  It is possible that the Canada Border Services Agency (“CBSA”) will confiscate your NEXUS membership if the Primary CBSA Officer or a Secondary CBSA Officer smells cannabis in your vehicle.  Even though cannabis can be sold legally in Canada and in many U.S. states, it is not legal to import cannabis into Canada unless you are a licensed producer (and they do not import cannabis in their cars). Even if you have a legal prescription for cannabis, you cannot import it into Canada.

If you roll down your window and a CBSA officer smells cannabis, you will likely be sent to the Secondary Inspection Area.  Sometimes the CBSA roves the lines of cars with drug-sniffing dogs and if they signal at your car, you will be sent to the Secondary Inspection Area.

Just because there is a smell does not mean that cannabis is actually in the vehicle. Sometimes the smell of cannabis is in the vehicle because a joint was smoked in the vehicle (by a driver, a passenger or the passenger’s kids when they borrowed the car last night).  Sometimes the smell of cannabis is on a person’s clothing because they wore the clothing to a party recently and cannabis was available at the party.  The smell on the clothing becomes aromatic in the vehicle.

It is important to remember that smells can linger, and care should be taken when crossing the border into Canada.  Be careful what you wear. Businesspeople should ask their children to not smoke cannabis in the vehicle.

If the CBSA searches your vehicle and finds cannabis or seeds, CBD oil, CBD lotions or topicals, other drugs/narcotics, drug paraphernalia or even a container that contains trace amounts of narcotics (e.g., a film cannister), you may have your NEXUS Card confiscated (and you could be detained, handcuffed, but in a holding cell or arrested).

If you are going to cross the border into Canada, clean your vehicle. The CBSA takes the position that you should know everything that is in your vehicle.  This includes seeds and anything that might be under the seat.  The CBSA also takes the position that you should know everything that is contained within imported goods.  This means you should look at ingredient lists and not import goods with CBD in any form.

If you get stopped and your vehicle tests positive for cannabis or any other prohibited narcotics, the CBSA will likely confiscate your NEXUS membership card.  We even have had one client whose NEXUS card was seized based upon a CBSA Officer saying that he smelled cannabis (the traveler said that he did not smell anything).

If you have had your NEXUS card confiscated on the basis that the CBSA smelled cannabis or located trace amounts in your vehicle, please contact Cyndee Todgham Cherniak at 416-307-4168 or at Cyndee@LexSage.com if you would like to file an appeal.

Persons who are registered with the Controlled Goods Directorate must notify the Minister of Public Services and Procurement of any actual or potential data breach within 3 days of discovery of the breach.  Since the requirement includes potential data breaches, Controlled Goods Registrants should report any hacking incidents, potential data breaches, employees taking company data, loss of USB keys with controlled information, etc.  Most companies know about reporting requirements under the Privacy Act, but do not know there is a reporting requirement under the Controlled Goods Regulations.

Paragraph 10(h) of the Controlled Goods Regulations states that:

“Every registration of a person [under the Defence Production Act] is subject to the following conditions: … (h) that the person advise the Minister of any actual or potential security breach in relation to controlled goods within three days after the day on which they discover the breach…”

Failure to report a data breach could result in the suspension of a Controlled Goods registration and shows that the registrant does not know their reporting obligations.

Paragraph 2.8 of the Guideline on Controlled Goods Program registration provides guidance as to what is expected of registrants:

“Registrants must contact the Controlled Goods Program within three days upon discovering a potential security breach. Security breaches must be properly investigated by the registrant’s security organization and corrective action must be taken to prevent any re-occurrence. The registrant is best placed to determine the nature of a security incident and whether it constitutes a breach. Security breaches can be categorized as loss, destruction, modification, removal or disclosure, of a controlled good. For example, a security breach can be a known theft or disappearance, appearance of willful damage to or tampering with a controlled good and/or the witnessing of unauthorized persons examining controlled goods.

Any breach of a criminal nature that can be subject to conviction under the Criminal Code must be reported immediately to the authorities having jurisdiction, and in turn, within three days upon discovery to the program.

The security breach report must include at minimum the information listed below:

  • date, time and place of the security breach;
  • name and contact information (phone, address, fax) of the person making the report;
  • nature of event (for example, theft);
  • detailed description of incident;
  • list of controlled goods involved, including name, description, the controlled goods list entry to the most accurate sub-entry, any identifiers and the quantity involved;
  • name and contact information of the person or organization investigating the incident; and
  • remedial action taken.

The program will use the information provided to track the incident and take corrective action as required.”

Reporting is required because of the nature of the goods – they are Controlled Goods and this means that the information is sensitive.  Controlled Goods are goods on the Controlled Goods List, which is a schedule to the Defence Production Act. Controlled Goods are primarily goods, including components and technical data (including blueprints and technical specifications in paper or electronic format) that have military or national security significance.  The Controlled Goods List includes (a) a good of U.S-origin that is a defense article as defined in section 120.6 of the International Traffic in Arms Regulations of the United States Code of Federal Regulations,  and (b) a good, other than a good of United States origin, that is manufactured using technical data of United States origin, as defined in section 120.10 of the International Traffic in Arms Regulations of the United States Code of Federal Regulations, (if the technical data is a defense article).

For more information, please contact Cyndee Todgham Cherniak at 416-307-4168 or at Cyndee@lexsage.com. We have posted many articles about export controls, economic sanctions, trade restrictions and controlled goods on the LexSage website.

Yes, it is possible that the Canada Border Services Agency (“CBSA”) or the United States Customs and Border Protection (“USCBP”) will cancel your NEXUS membership for up to 6 years if you are the importer of counterfeit goods. As a result, you should be careful when ordering goods online.

We are raising this issue now because many people have started their holiday shopping and buy goods online.  You must be careful and if a deal is too good to be true, it may be counterfeit.  Look to see if the goods are being sold from a foreign vendor and will be imported into Canada under your name.  Be careful that you buy from reputable sources – but even, then there is no guarantee.

Ask yourself before confirming any online order – Are you willing to lose your NEXUS membership (and ability to get into shorter airport security line ups) to save a few dollars on a gift for yourself or someone else?  If not, buy from an authorized dealer.

This is a growing issue.  Recently, we were contacted by a client who purchased goods on Amazon and the goods were shipped to him at a Canadian address.  The package was opened by the CBSA and they seized he goods as counterfeit.  He did not know that the goods were counterfeit when he ordered the goods (but should have asked a few questions given the price of the goods).  He became aware that his NEXUS membership was cancelled due to the seizure of the shipment when the CBSA posted a letter on his Trusted Traveler Program account and sent him a letter.  We successfully appealed the NEXUS cancellation.

In another recent case, a client returning from China was sent to the secondary inspection area because the CBSA saw that she had an expensive handbag.  The CBSA wanted to ensure that the traveler declared the handbag.  The CBSA believed the handbag to be genuine until the traveler produced a receipt (she had the receipt with her).  Given the price of the handbag, the CBSA determined that the handbag was counterfeit and seized the handbag.  The CBSA also seized her NEXUS membership card even though it is common for travelers to purchase goods at the Pearl Market in Beijing.  This appeal is underway.

In another recent case. a client returned from Asia with gifts from business colleagues.  The gifts were Burberry scarves.  The traveler declared the scarves based upon what she believed the gift to be worth. The CBSA assumed the scarves were counterfeit based on the values provided.  The CBSA went online and found the retail selling price for the scarves.  While the goods were not seized as counterfeit, they were seized because the CBSA valued the goods at full price and took the position that the goods were undervalued. The traveler successfully appealed.  The traveler contacted her work colleagues to obtain a copy of the receipt.  The scarves had been purchased at a warehouse sale for 25% of the suggested retail selling price.  The goods had not been undervalued.

If you have imported goods and they have been seized as counterfeit or if your NEXUS membership has been revoked, please contact Cyndee Todgham Cherniak at 416-307-4168 or at cyndee@lexsage.com.  We have posted many articles about NEXUS issues on the LexSage website.  Some helpful articles include:

Can I get my NEXUS Card back in less than six years?

What were the Top 10 Reasons for NEXUS Card Cancellations in 2017?

Do Not Pass GO: Forgetting Your Receipts Gets You A Ticket To CBSA Secondary Inspection

How Can I Get My NEXUS Card Back When It is Cancelled/ Confiscated By The CBSA?

On October 29, 2019, the Canada Border Services Agency announced the start of the expiry review (Canada’s sunset review process) of the antidumping and countervailing duty order against carbon steel fasteners from China (AD/CVD) and Taiwan (only AD). The AD/CVD duties have been in effect since January 2005.  We were involved in the original investigation and the expiry reviews.  This is the third expiry review proceeding.

The case is generally known to be against carbon steel screws. However, some fasteners that are called “bolts” (e.g., lag bolts, grain bin bolts) were listed as screws in the original proceedings and the AD/CVD duties apply to those items.  That being said, the original case included nuts and bolts and the Canadian International Trade Tribunal (“CITT”) terminated the proceeding against nuts and bolts in 2005.

There are two parts to any expiry review process in Canada:

  1. The CBSA determines whether resumption or continuation of dumping or subsidization is likely;
  2. If the CBSA makes a positive determination (they always do), then the CITT determines whether the rescission of the order will cause material injury to the domestic industry.

The expiry review schedule is as follows:

  • November 28, 2019: CBSA: Submission of notices of representation and disclosure undertakings due and CBSA exhibits available;
  • December 5, 2019: CBSA: Questionnaire responses and other information due – domestic producer, importers, exporters and Government of China;
  • December 18, 2019, at noon: CBSA: Closing of the record date;
  • December 19, 2019: CBSA: Finalized CBSA import statistics and market tables available;
  • January 7, 2020, by noon: CBSA: January 7, 2020, by noon: Case briefs due from all parties arguing that continued or resumed dumping and/or subsidizing is likely or not likely;
  • January 21, 2020, by noon: CBSA: Reply submissions due from all parties in respect of the case briefs;
  • March 26, 2020: CBSA: CBSA Determination to be released;
  • March 27, 2020: CITT: Initiate expiry review injury proceedings;
  • April 14, 2020: CITT: Notices of Participation are due;
  • April 17, 2020: CITT: Replies to Tribunal expiry review questionnaires are due;
  • May 19, 2020: CITT: Distribution of Tribunal exhibits, including information transferred from the CBSA, and investigation report;
  • May 19-26, 2019: CITT: Requests for information (RFIs);
  • May 22, 2020: CITT: Investigation report teleconference (if required);
  • May 25, 2020, by noon: CITT: Product Exclusion Requests are due;
  • May 26, 2020, by noon: CITT: Cases of parties in support of a continuation of the order are due;
  • May 29, 2020, by noon: CITT: Objections to RFIs are due;
  • June 1, 2020, by noon: CITT:  Domestic producers’ responses to requests for product exclusions are due AND Tribunal decisions on RFIs will be issued;
  • June 2, 2020, by noon: CITT: Cases of parties in opposition to a continuation of the order  are due;
  • June 9, 2020, by noon: CITT: Requesters’ replies to domestic producers’ responses to requests for product exclusions are due AND Replies to RFIs are due;
  • June 10, 2020, by noon: CITT: Reply submissions of parties in support of a continuation of the order are due:
  • June 22, 2020: CITT: Public hearing commences (may be a number of days depending on the number of participants); and
  • September 2, 2020: CITT: CITT decision.

The CITT will consider well-documented requests or product exclusions during an expiry review injury inquiry and has issued a number of product exclusions for fasteners over the years.  The effect of the product exclusion process is to remove goods from coverage and permit the items to enter Canada without payment of antidumping and countervailing duties.  The CITT expiry review proceedings is a good time to make product exclusion requests if goods are not produced by Leland Industries in Canada. While there are other small fastener producers in Canada, Leland Industries was the main complainant and respondent in the last expiry review proceeding.

The CITT will not grant product exclusions if the domestic industry does not consent AND there are identical or substitutable domestic products. If it can be demonstrated that the domestic industry will not suffer material injury should the product exclusion be granted, the CITT may grant the request. For this reason, product exclusion requests should be strategized early and not at the last minute.

If you require assistance, please contact Cyndee Todgham Cherniak at 416-307-4168 or at cyndee@lexsage.com. The following articles on the LexSage website might be helpful:

Process Steps in a Canadian Antidumping Expiry Review (Sunset) Proceeding

What is the Canadian International Trade Tribunal?

Who Is The Exporter For Special Import Measures Act (SIMA) Purposes?

Options for an Importer/Exporter/Foreign Producer to Restrict the Scope in an Antidumping Case

On October 15, 2019, Global Affairs Canada informed reporters that new export permits of military equipment and technology and brokering permits in respect of goods destined for Turkey would not be approved.  There was not a formal Notice of Exporters (possibly because Canada’s federal election campaign was underway – election was held on October 21st). Canada also did not impose any formal restrictions under the Export and Import Permits Act or Special Economic Measures Act or Justice for Victims of Corrupt Foreign Officials Act. Canad did not mention the period of time for this “temporary” export restriction.

The export restrictions were in response to Turkey’s unilateral incursion into Northern Syria.  The United States had announced export restrictions, which have subsequently been reversed.  Canada has not made any further announcements.

Canadian businesses currently engaged in or contemplating export activities involving Turkey should monitor developments and ensure that contracts limit liability if Global Affairs Canada refuses to issue future export permits.

For more information about Canada’s export controls, please contact Cyndee Todgham Cherniak at 416-307-4168 or at Cyndee@lexsage.com. We have many articles posted on the LexSage website.

Canadian companies whose business operations involve Controlled Goods must report changes to their Controlled Goods Directorate registration before an acquisition. This means that companies and their in-house and outside lawyers must ensure that the closing checklist includes the Controlled Goods Directorate reporting requirement. The due diligence checklist should also include questions about Controlled Goods registrations so that the reporting requirement is included on the closing checklist.

Subsection 9(2) of the Controlled Goods Regulations provides as follows:

“A registered person shall, by the later of 32 business days before the date of an acquisition or one business day after the day on which they become aware of an acquisition, advise the Minister of the name and address of any person that will, as a result of the acquisition, own 20% or more of the outstanding voting shares or interests of the business.”

The requirement to report is based upon the Controlled Goods Registration.  The target does not have to have a Controlled Goods registration to trigger the reporting requirement if the Buyer is a registrant.  If the target is a registrant, then the Seller has a reporting requirement.  If both companies are registrants, both have reporting requirements.

The primary requirement is for notification to occur not later than 32 days before the closing date of the acquisition. However, if the registrant misses this notification deadline, the registrant is still in compliance so long as the reporting occurs no later than one day after the day they became aware of an acquisition – this means within one day of the closing date.  It is going to be difficult for a registered Canadian company to persuade the Controlled Goods Directorate that the officers and directors on file did not know about an acquisition. As a result, any failure to notify the Controlled Goods Directorate that extend after the closing date will be scrutinized and will likely be considered to be a failure to comply with the reporting requirement.  Therefore, it is very important that the parties to M&A transactions to be aware of the reporting requirement and take all necessary steps to comply on time.

Controlled Goods are goods on the Controlled Goods List, which is a schedule to the Defence Production Act. Controlled Goods are primarily goods, including components and technical data (including blueprints and technical specifications in paper or electronic format) that have military or national security significance.  The Controlled Goods List includes (a) a good of U.S-origin that is a defense article as defined in section 120.6 of the International Traffic in Arms Regulations of the United States Code of Federal Regulations,  and (b) a good, other than a good of United States origin, that is manufactured using technical data of United States origin, as defined in section 120.10 of the International Traffic in Arms Regulations of the United States Code of Federal Regulations, (if the technical data is a defense article).

Failure to report as required can lead to the suspension or revocation of a registration.  If a person transferred Controlled Goods when their registration is suspended or revoked, this could lead to fine of at least $25,000.  Depending on the seriousness of the situation, the fine can be as high as $2,000,000.00.

An officer or a director, or an agent or a mandatary, of a corporation that commits an offence under the Defence Production Act may be prosecuted if he or she directed, authorized, assented to, acquiesced in or participated in the commission of the offence.  Information about the key officers and directors is provided to the Controlled Goods Directorate in the application and regular updates – so there is a list of persons who should provide notification of changes in ownership of the company of file at the Controlled Goods Directorate.  The personal liability can include fines up to $2,000,000 and/or a prison term of up to 10 years if the individual is convicted.

For more information, please contact Cyndee Todgham Cherniak at 416-307-4168 or at Cyndee@lexsage.com.  We often work with law firms to update their due diligence checklists to include customs, export controls, economic sanctions, Magnitsky sanctions, and other international trade questions.

In Part 1, see https://www.canada-usblog.com/2019/10/23/california-consumer-privacy-act-are-you-ready-part-1/, we summarized the recent legislative changes regarding the California Consumer Privacy Act (“CCPA”). Bearing in mind the CCPA takes effect on January 1, 2020 and the Attorney General is required to issue regulations by July 1, 2020, these regulations both meet that timeframe, but also seek to provide much-needed guidance to industry.

Most of the legislative changes focused on narrowing the definition of personal information, clarified the timeframe which applies when a consumer demands information the business possesses about him or her, and also confirmed the CCPA applies to businesses, not non-profits or government entities. In this Alert, we summarize the regulations which were recently issued. However, even in the regulatory context, the starting point remains the same. Companies should begin by asking the following questions:

  • Is our annual gross revenue at least $25 million (not limited to California income alone)?
  • Do we have the personal information of at least 50,000 California consumers, households or devices?
  • Do we sell* the personal data we have of those California consumers, households or devices? If so, do we derive 50% or more of our annual revenues from those sales?
  • Even if we do not sell that personal data, do we disclose* any portion of it to any third parties?

* Definitions for both “sell” and “disclose” appear below.

The term “consumer” has been defined from the outset as anyone who lives in California. Devices are defined at Civil Code § 1798.140(j) as “any physical object that is capable of connecting to the internet, directly or indirectly, or to another device.”

The regulations finally provide a definition for household at proposed Civil Code § 999.301(h) to mean “a person or group of people occupying a single dwelling.” The term “privacy policy” is also expanded at proposed Civil Code § 999.301(m) to mean a statement the business provides describing its practices on and off line regarding the “collection, use, disclosure and sale of personal information and of the rights of consumers regarding their own personal information.”

For regulatory purposes, the following questions should be added to the list:

  • Does our website serve all our users or do we have a California only facing section of our website?
  • Do we have a privacy policy on our website? If so, it is conspicuously displayed?
  • Do we currently track when users accept our terms and conditions**?
  • Do we keep a record of the changes we make to our terms and conditions** each time we update?
  • Is the means we use to receive acceptance of our privacy policy by users adequate to meet our current and future needs?

** While we are focused on the privacy policy for CCPA compliance purposes, the same general concept of tracking acceptances for terms of use applies. Do you retain versions that are updated and replaced? Do you apply version numbers or dates to track changes? Do you track acceptance by users when new versions are posted? If so, how long do you retain those records? Do you rely on click-through acceptance or other means? Do you notify users by email when terms and conditions are updated?

The reason for these questions will become apparent as we discuss the new regulations. See  here for the full regulatory details. The starting point is these regulations were issued as a proposal. The deadline to comment is 5:00 p.m. on December 6, 2019 (to PrivacyRegulations@doj.ca.gov or Privacy Regulations Coordinator, California Office of the Attorney General, 300 S. Spring St., First Floor, Los Angeles, CA 90013). Public hearings will also be held on December 2 (Sacramento), December 3 (Los Angeles), December 4 (San Francisco), and December 5 (Fresno).

The regulations focus on permitting consumers to obtain the basic information called for in the CCPA:

  • What specific pieces of personal information the business collected;
  • The categories of personal information collected and sold about that consumer;
  • The purpose for which the personal information was collected or sold; and
  • The categories of third parties to whom the business sold or disclosed that data.

The business must provide two or more means by which the consumer may submit a request for information, one must be a toll-free phone number and, if the business has it, a website (if no website, the business must find other acceptable means of giving notice). The information must be provided within 45 days (an additional 45 days is possible for good cause, but does not extend the time within which the first response must be given). The data must be provided free of charge, the business may impose reasonable means to verify the identity of the recipient, and, when providing the data, it must be in an easily transferrable format. If the company declines to act on the request, such as because it cannot verify the requestor, it must still respond within the first 45 days, and explain the applicable appeal rights. The response process is discussed again below where more specifics are provided.

When it comes to verification, as noted, the method must be reasonable. The regulations define reasonable to include a consideration as to the sensitivity of the information and the risk of harm to the consumer from unauthorized access or deletion. If the consumer has a password protected account, that account may be used to provide the notice and also to detect any fraud. When it comes to non-account holders, at least two data points must be matched, and the result must yield a high degree of certainty. In some cases, a third data element can be required along with a signed declaration under penalty of perjury. When it comes to deletions, companies would be well advised to consider whether to rely on the password protected account, or more data points, depending again on the sensitivity of the data and the risk of harm to the consumer by unauthorized deletion.

The consumer data disclosed is for the 12 months preceding the date of receipt. Consumers may not make more than two (2) such requests in any 12 month period. The business may charge the consumer only if the requests are unfounded or excessive. If the consumer requests deletion of his or her records, that request is also subject to the 45 day rule. However, there are some exceptions. Companies may retain the data in order to:

1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, perform actions reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.

3) Debug to identify and repair errors that impair existing intended functionality.

4) Exercise free speech, ensure another consumer’s right to exercise free speech, or exercise another right provided for by law.

5) Comply with the California Electronic Communications Privacy Act.

6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.

7) Enable solely internal uses reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.

8) Comply with a legal obligation.

9) Use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

It is reasonable to anticipate that those businesses whose function is not platform related are most likely going to primarily rely on (1) completing the intended transaction, (7) use the data as expected, and (9) use the information in a lawful manner (see points above). This means companies must be careful how they describe why they are collecting the data and what they intend to do with it. This means, for example, that if one of the routine actions your company takes with consumer data is to distribute marketing materials, your privacy policy will now need to specifically mention that use. The Privacy Policy itself must also be posted online through a conspicuous link using the word “Privacy” which must be positioned on the home page of the website or the landing page of the mobile app.

The CCPA also includes the right to opt-out, which is why determining in advance what exactly is done with the data collected is critical. If you share that data with any third parties, you are obligated to provide an opt-out option. That is the case because the definition of “selling” includes “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration”. See Civil Code § 1798.140(t).

The rules about minors are unchanged. For minors under the agent of 13, the consent of a guardian or parent is required for all purposes, including consent to sell. If the minor is between 13 and 16, the minor must give consent for all purposes.

Businesses may not discriminate against consumers who exercise their CCPA rights. Discrimination is broadly described to include denying goods or services, charging different prices or rates, or providing a different level of service or quality of goods. However, such differences are permitted, including financial incentives, if that difference is reasonably related to the value provided to the business by the consumer’s data. More on this topic can also be found later.

There are specific disclosures also required:

  • At or before the point of collection, the business must inform the consumer as to the categories of personal information collected and the purposes for which that data is collected. If the business later decides it wants more data or it wants to put the existing data to different uses, it must first obtain the consumer’s consent.
  • The method and means by which the consumer may opt-out. This includes the need to have a “clear and conspicuous” link on the website titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” The Attorney General intends to provide a recommended logo format, but wants input before finalizing the design. This notice is to appear on the home page of the website or the landing page of the mobile app.
  • Any financial incentives which are offered must be stated.
  • The privacy policy must also include a description of the consumer’s rights under the CCPA, how he or she may submit requests for disclosure, deletion and opting-out, and, of course, additional information about data collection and sharing practices. This would seem to mean the same data would appear in two places – once at sign-up and once in the Privacy Policy itself. However, elsewhere, there is an indication notice may be provided through a link to the relevant section of the online privacy policy.
  • Training is also required of the individuals responsible for handling consumer requests, to include directing consumers to how they may exercise their CCPA rights. The Attorney General has interpreted this provision to apply only once the business handles 4 million or more consumer records. Such entities will also be required to post online the number of requests to know, delete and opt-out received in the previous calendar year, and the median number of days in which they took to respond.

Other recommendations from the Attorney General include being sure to use “plain, straightforward language, a format that draws the consumers’ attention to the notice, and providing the notice in the languages in which the business providers consumer contracts, and other things” which mirrors the requirements of proposed Civil Code § 999.305(a)(2). Those requirements include access for those with disabilities. The regulations underscore that notice must be given prior to the collection of any information, but the notice itself may be given by providing a link to the relevant section of the online privacy policy.

If the business receives the data strictly from other sources, it need not give notice of collection to the consumer but must either contact the consumer directly and provide that notice or contact the source of the information and confirm the source has provided the required notice and obtain a signed attestation from that source describing how the source gave notice, to include a copy of the notice. These attestations are to be retained for at least 2 years and made available to consumers upon request.

In the documents supporting the proposed regulations, the Attorney General acknowledges the regulatory cost to the State will be $4.7 million for FY 2019-2020 and $4.6 million for FY 2020-2021. The estimated cost to business between 2020 and 2030 is said to be $467 million to $16,454 million. The documentation goes on to acknowledge there is a potential competitive disadvantage for California companies (the estimate is 15,000 to 400,000 businesses will be impacted) to companies which operate outside California and are not otherwise subject to the CCPA. For that reason, submissions proposing alternate means of implementation are requested which address the following topics:

i) The establishment of differing compliance or reporting requirements or timetables that take into account the resources available to businesses.

ii) Consolidation or simplification of compliance and reporting requirements for businesses.

iii) The use of performance standards rather than prescriptive standards.

iv) Exemption or partial exemption from the regulatory requirements for businesses.

A business is exempt if it does not and will not sell (bearing in mind the broad definition of “sell”) consumer personal data and so states in its privacy policy. If exempt, the opt-out logo is not required.

If a company has a loyalty or other financial incentive program, those are still permitted, but there are specific notice requirements which generally mirror the criteria mentioned above regarding what must be included in the notice and how those incentives are to be explained. Similarly, if any cost or service differences do apply, they must meet the standard and also provide a “good-faith estimate” of the value of the consumer data which forms the basis for the differential, and also a description of the method used to calculate the value stated.

Given these regulatory mandates, here are some additional factors for business to consider:

  1. How will you give the required notice to consumers?
  2. What form will the update to your privacy policy take?
  3. Are you required to provide an opt-out option and the corresponding logo?
  4. Do you reflect the last date updated on your privacy policy?
  5. Do you provide a contact for more information?
  6. The requirement is two or more designated methods for the consumer to request data, to include a toll free telephone number, a link or form on the website, a designated email address, a form submitted in person or a form submitted through the mail. Which of these do you currently provide? How does the business usually interact with consumers? Where on the list of methods of notice do your usual means of consumer interaction fall?
  7. Deletion requests are subject to two steps; first, the consumer submits the deletion request and then separately confirms deletion is desired. How will you implement this process?
  8. If the consumer submits a request in other than a proscribed method, the company must decide whether it will treat the request as properly submitted or provide instructions to the consumer as to how to submit his/her request or remedy any deficiency. Which will you opt for?
  9. Businesses must respond to requests within 45 days, but must confirm receipt within 10 days and confirm how the business will process the request and when it expects to provide a substantive respond. While verification of the identity of the requestor is permitted, the response time clock starts at time of receipt, not when the verification is completed. Businesses are barred from disclosing a Social Security, driver’s license, or other government issued identification number, along with the financial account, health insurance or medical identification number, an account password or security questions and answers. Generally individualized responses are required. How will you implement this mandate?
  10. If the request is to delete, the business may respond by erasing the data from its systems or by de-identifying or aggregating the data unless the business determines to not comply with the request. If so, it is then necessary to provide that response to the consumer along with the grounds for refusal. The business may also offer the consumer the ability to delete selected portions only if the global option is also offered and more prominently displayed. How will you implement this requirement?

The CCPA regulations also go on to address the use of service providers (third parties) which owe duties of indemnity and compliance to the businesses which hire them (and conversely the business owes a duty of indemnity to that service provider), dealing with the collection and use of the data collected. There are also general rules for verification of consumers, password protected accounts, non-account holders and authorized agents.

Clearly these regulations are complex and demanding. Companies would, therefore, be well-served to first make sure as to the specifics of their business model, the nature and extent of the personal data collected, and how that data is used and shared. A refresher to be sure the information in hand is current is recommended before proceeding further. Once all of that is clear, a carefully study of the requirements of the CCPA regulations is in order, so as to compare those requirements with current practices, and then, of course, update accordingly.

Bearing in mind individual and class action lawsuits are now permitted, someone is going to be the poster child for having messed up compliance. Whether you handle implementation yourself or we or another advisor assist you, getting it right the first time is critical to having a peaceful holiday season! Will you be ready?