Moving Online: Virtual Considerations for Start-ups
For many small businesses, COVID-19 has likely brought about a shift toward virtual operations. This post outlines some considerations for start-ups in Alberta as they navigate the trend toward virtual and electronic operations.
The COVID-19 pandemic created a need for many Canadian corporations to host virtual meetings in order to avoid risks presented by in-person meetings and obey public health orders. Although some challenges remain, virtual meetings can present various benefits for companies, especially in current circumstances, and they may be here to stay.
Alberta corporations are required to hold annual shareholder meetings within specified time ranges. Recently-incorporated Alberta corporations must also hold an organizational meeting of directors. Due to COVID-19, the provincial government suspended these statutory requirements to hold in-person meetings for a limited time in 2020. However, this suspension is no longer in effect and companies may need to consider virtual platforms and other options for holding required meetings as well as other company business.
Companies that would like to host corporate meetings virtually may need to check their corporate documents to ensure they are able to do so. Shareholders of Alberta corporations can participate in shareholders’ meetings electronically, as long as all participants are able to communicate with each other, but only if allowed under the corporation’s bylaws or by the consent of all of the shareholders entitled to vote at the meeting (subject to the bylaws). Similarly, an entire shareholders’ meeting may be held electronically if provided for in the bylaws. Shareholders can also vote electronically if the corporation makes electronic means of voting available, and as long as the bylaws do not prohibit electronic voting. Corporations legislation also allows directors to participate in board meetings electronically, but only if this is allowed under the corporate bylaws or where all of the directors provide consent. Additionally, certain communications related to corporate meetings, such as notices to shareholders or directors, may be sent by electronic means.
As an alternative to holding meetings, matters can generally be passed by a resolution signed in writing by all directors or shareholders entitled to vote on the resolution, as applicable, and this will be as effective as passing the matter by a vote at a board meeting or shareholder meeting.
Alberta law provides for the use of electronic documents in business settings, which may help facilitate companies’ transitions to virtual operations.
“Functional equivalency” rules provide that legal requirements for information to be in writing can generally be fulfilled by using or providing information electronically, as long as it is in an accessible form and can be further referenced and/or retained by the people receiving it. Requirements for records to be signed can be satisfied with electronic signatures, although additional considerations may apply to ensure reliability of the signature.
Agreements and contracts can also be formed online by providing information in electronic form, or by taking actions “intended to result in electronic communication” (for example, clicking an icon can show a person’s intent to electronically communicate acceptance of a contract offer).
Companies that execute signed contracts virtually may consider whether contracts include a “counterparts” clause. These are standard clauses that may be used where parties to a contract do not sign the document while together. A counterparts clause generally provides that the agreement may be executed in separate parts that are electronically circulated, and those parts together will be considered to form the same agreement.
Companies shifting toward virtual operations may begin to share more documents electronically and use electronic document storage and sharing platforms to manage files. This can raise considerations for companies related to privacy law and data breach concerns.
Under Canadian privacy laws, organizations remain responsible for personal information (any information that can be used to identify an individual) that they transfer to third parties. This may apply for organizations using online platforms or “cloud computing services” to share, store, or back up files containing personal information. Privacy commissioners suggest that organizations review the terms of service for cloud computing providers to ensure personal information is handled by the provider in a way that is meets the organization’s privacy obligations. Federal privacy law, where applicable, specifically requires organizations to use “contractual or other means to provide a comparable level of protection” for information being processed by a third party. Companies considering transitioning files and sharing information using online service providers may consider conducting a review of these and other privacy law obligations to ensure they are prepared for virtual business operations.
Additionally, businesses transitioning files, meetings, and communications online may consider the risk of data breach when using virtual platforms. Movement of business operations online often involves use of virtual private networks and cloud computing and raises concerns of increased cybersecurity risk. As noted by the Canadian Centre for Cyber Security, “the more Internet-connected assets an organization has, the greater the cyber threat it faces”. Businesses may consider their information security policies and how to manage risk of data breach and meet any obligations in the event of a breach. Under privacy laws, organizations must protect personal information by using “security safeguards” or “reasonable security arrangements” to prevent unauthorized access and other risks. If there is a breach of an organization’s security safeguards and it is reasonable in the circumstances to think there is a “real risk of significant harm to an individual”, then the organization must report the breach to the relevant privacy commissioner, and it may be required to notify the affected individuals. A previous blog post from the Business Venture Clinic discusses data breach preparedness in more detail.
 See, e.g., federal government recognition of the risks of corporate meetings in Corporations Canada, “Annual meetings of federal businesses, not-for-profits and cooperatives during COVID-19 in 2021” (last modified 30 December 2020), online: Government of Canada <http://www.ic.gc.ca/eic/site/cd-dgc.nsf/eng/cs08888.html>.
 See Dan Healing, “More corporate meetings to go virtual after success during pandemic” (3 August 2020), online: <www.ctvnews.ca>.
 Business Corporations Act, RSA 2000, c B-9, s 132(1) [ABCA].
 Ibid, s 104(1).
 Service Alberta, Ministerial Order no. 009/2020 (9 April 2020), s 5(1), available online: <https://open.alberta.ca/dataset/ministerial-order-no-sa-009-2020-service-alberta>.
 ABCA, supra note 3, s 131(3).
 Ibid, s 131(3.1).
 Ibid, s 140(4), (5).
 Ibid, s 114(9).
 Ibid, s 255(5), see also s 258(2).
 Ibid, ss 117, 141.
 Electronic Transactions Act, SA 2001, c E-5.5, ss 10-13.
 Ibid, s 16.
 Ibid, s 27.
 Personal Information Protection and Electronic Documents Act, SC 2000, c 5, Part 1, Schedule 1, ss 4.1, 4.1.3 [PIPEDA]; Personal Information Protection Act, SA 2003, c P-6.5, s 5(1) and (2) [PIPA]. For the definition of personal information, see PIPEDA, s 2(1); PIPA, s 1(1); Office of the Privacy Commissioner of Canada, “Summary of privacy laws in Canada” (last revised January 2018), online: <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/>.
 Office of the Information and Privacy Commissioner of Alberta, Office of the Privacy Commissioner of Canada, and Office of the Information & Privacy Commissioner for British Columbia, “Cloud computing for small and medium-sized enterprises” (June 2012), online: <https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/online-privacy/cloud-computing/gd_cc_201206/>.
 PIPEDA, supra note 15, Schedule 1, s 4.1.3.
 See, e.g., Canadian Centre for Cyber Security, Cyber Threat Bulletin: Impact of COVID-19 on Cyber Threat Activity (last modified 10 June 2020), online: Government of Canada <https://cyber.gc.ca/en/guidance/cyber-threat-bulletin-impact-covid-19-cyber-threat-activity>; Canadian Centre for Cyber Security, CYBER THREAT BULLETIN: Impact of COVID-19 on Cyber Threat Activity (2020) at 4, online (pdf): Government of Canada <https://cyber.gc.ca/sites/default/files/publications/COVID_19_Continued_Impact_Threat_Bulletin_TLPWHITE-1.eng_.pdf>.
 Canadian Centre for Cyber Security, National Cyber Threat Assessment 2020 (2020) at 21, online (pdf): Government of Canada <https://cyber.gc.ca/en/guidance/cyber-threats-canadian-organizations>.
 PIPEDA, supra note 15, Schedule 1, s 4.7; see also PIPA, supra note 15, s 34.
 PIPEDA, ibid, s 10.1(1); PIPA, ibid, s 34.1; Federal privacy law also requires notification to the individual (PIPEDA, s 10.1(3)) and Alberta privacy law may require notification at the discretion of the privacy commissioner (PIPA, s 37.1).
 “Preparing for the (Inevitable) Data Breach” (23 February 2020), available online: BLG Business Venture Clinic <http://www.businessventureclinic.ca/blog>.
Blog posts are by students at the Business Venture Clinic. Student bios appear under each post.