Foreign interference regulation and the employment sector

This article, part of a series on foreign interference regulation in Canada, focuses on the intersection between an organization’s employment obligations and compliance with evolving regulatory expectations to combat foreign interference. We examine how emerging foreign interference responsibilities in the private sector can be balanced with employers’ obligations under human rights and privacy laws.

How does foreign interference intersect with employment law?

In May 2024, the federal government introduced comprehensive legislation focused on foreign interference in Canada¹, which we examined in the first article in our foreign interference series. While much of the guidance on combatting foreign interference is targeted to the public sector, private sector responsibilities are also emerging.

Organizations have an interest in protecting their assets and operations against foreign interference and, with the introduction of new legislation and guidelines, they have increasing obligations to do so. In light of this, businesses may be considering taking measures to proactively monitor for foreign interference (for example, by enhancing employee monitoring tactics). However, it is important to navigate these issues in a manner that is consistent with their legal obligations to their employees—most notably, the obligation not to discriminate against employees on the basis of citizenship, ethnicity and other protected grounds.

Human rights considerations

Each jurisdiction in Canada has human rights legislation that prohibits discrimination (i.e., differential treatment) in employment based on certain protected characteristics. For example, Ontario’s Human Rights Code prohibits discrimination in employment on the basis of citizenship, place of origin, ethnic origin and ancestry, among others. Similar protected characteristics are recognized in other provinces. Treating employees differently based on where they are from (e.g., by specifically monitoring those employees using enhanced tactics) therefore raises risks under human rights laws, subject to certain exceptions and defences.

An otherwise discriminatory action or rule is not held to be discriminatory if the employer can show that it is a bona fide occupational requirement: that is, it is (i) adopted for a purpose rationally connected to the performance of the job; (ii) adopted in the honest belief that it is necessary to fulfil a legitimate work-related purpose; and (iii) is in fact reasonably necessary to accomplish the legitimate work-related purpose, bearing in mind the requirement to accommodate employees to the point of undue hardship. We note that in Ontario, this defence may only be available in cases of “indirect” discrimination (i.e., where the rule does not directly discriminate on the basis of a protected characteristic but results in differential treatment of a group of people identified by a protected characteristic). This defence may offer some protection to employers, depending on the factual circumstances (including any applicable legal obligations imposed on the employer).

Employee privacy considerations

In addition to human rights protections, federal and provincial laws govern how personal information may be used by employers and how workplace activity may be monitored. Employers must be transparent about how they monitor employees’ use of company infrastructure for legal compliance purposes, and the use of this information must be proportional to the impact on employees’ privacy.

OSFI Integrity and Security Guideline

One regulatory framework addressing foreign interference risk in the financial sector is the Office of the Superintendent of Financial Institution’s (OSFI’s) Integrity and Security Guideline (the Guideline). The Guideline, which we examined in our article on foreign interference and financial institutions, requires employers subject to OSFI regulation to detect and manage foreign interference-related risks. The Guideline includes requirements for ensuring the “good character” of board members and senior leadership, conducting employee background checks, and controlling access to buildings and other key infrastructure. It also sets expectations for reporting incidents related to undue influence, foreign interference or malicious activity to law enforcement.

The expectations and limitations of the Guideline provide a helpful example of how companies can balance their duty to protect assets and operations from foreign interference with their responsibilities under employment law. The obligations imposed by the Guideline are reasonably general in nature and do not require companies to violate employment or privacy law. However, companies need to be careful in how they implement those obligations.

Among other things, the Guideline requires companies to develop policies and procedures to detect foreign interference. However, it does not prescribe specific policies and procedures, meaning that companies have some flexibility to determine the policies and procedures most appropriate to their circumstances.

Companies need to consider their human rights obligations when developing policies and procedures to comply with the Guideline. For example, enhanced monitoring of employees from particular backgrounds (which is not specifically required by the Guideline) may raise risks under Canadian human rights legislation. As an alternative means of detecting foreign interference (and complying with the Guideline), financial institutions may wish to consider adjusting existing complaint investigation processes to include processes to investigate allegations of foreign interference in an evidence-based manner. Similarly, data loss prevention and access control tools could be reviewed for their ability to detect suspicious activities indicative of foreign interference for all employees, without targeting particular groups. Financial institutions may also consider reviewing remote work policies and updating lists of countries where temporary work is permitted.

Implementing a foreign interference program

In taking steps to better protect their business from foreign interference, organizations should consider the following:

• Review applicable regulatory obligations. Organizations should ensure they are aware of any applicable legal obligations or regulatory expectations pertaining to foreign interference (e.g., the OSFI Guideline is applicable to financial institutions).
• Map regulatory obligations to existing security measures. Once any applicable legal obligations or regulatory expectations have been identified, organizations should map those obligations and expectations onto existing employee screening, security and data loss prevention practices, and consider where enhancements might be necessary.
• Identify additional procedures. Determine whether additional tools or steps may be available (or required) to meet regulatory expectations. If so, consider whether they can be applied to all employees and how those procedures will be monitored for effectiveness, bias, and privacy compliance. Businesses may wish to conduct risk assessments (e.g., a privacy impact assessment) prior to implementing these new measures.
• Update policies and procedures. If additional measures are adopted (or existing measures are modified), update internal and employee-facing policies and procedures and, depending on the scope of the changes, consider whether further employee-facing communications are needed to explain the changes and their purpose.
• Determine appropriate expertise. Determine whether there is sufficient internal expertise to investigate suspicions of foreign interference arising from alerts or complaints. If not, consider retaining external advisors for such matters.