Canadian Technology & IP Law

Canadian Bankers Association charges ahead on mobile wallets

Stikeman Elliott LLP — Wed, 16 May 2012 13:37:51 -0500

On May 14, 2012, the Canadian Bankers Association (CBA) published a set of voluntary guidelines to govern Canada’s emerging mobile payments marketplace. The guidelines, titled the Canadian NFC Mobile Payments Reference Model, establish a series of recommendations on mobile phone payment functionality, security features and the logistics of processing near field communication (NFC) payments, also known as “tap-and-go” technology.

Mobile phone payment systems, also known as mobile wallets, are capable of storing a user’s credit and banking information on chips known as SIM cards, and may also store other personal information, such as driver’s licenses, library cards and transit passes. Mobile wallets can enable users to make purchases through phone software, or by physically tapping their phones against NFC receivers to make automatic purchases without requiring signatures or PIN numbers. Such systems have become increasingly popular outside of Canada. By illustration, statistics published by Forbes indicate that U.S. mobile payments on “Black Friday” in 2011 soared by 538% in comparison to the previous year.

Mobile wallets and other alternative payment systems are allowing new entrants to compete in a field traditionally dominated by banks and credit cards. Rogers Telecommunications and CIBC have recently announced a partnership whereby CIBC will pay Rogers to store Visa and MasterCard information on Rogers’ phones. The arrangement will allow Rogers to essentially “rent” space on a user’s SIM card. Separately, Rogers has also applied for a banking licence to become a credit card issuer, signalling its potential to further develop its role in the payment processing industry.

While mobile wallets present a number of convenient features, they have also given rise to security, risk and privacy concerns. The CBA’s guidelines address some of these issues, including who may access data stored on mobile wallets, such as loyalty points information, coupons, transaction amounts, transaction times and transaction locations. However, while the CBA guidelines remain voluntary and address NFC phones only, the federal government has indicated that greater regulation of mobile and digital payments may not be far away.

BC Court requires active personal injury plaintiff to divulge Facebook photos

Stikeman Elliott LLP — Wed, 02 May 2012 13:16:35 -0500

David Elder & Robert Mysicka -

A recent decision by the British Columbia Supreme Court has led to yet another case of “Facebook Remorse” for a Plaintiff with an active social media presence.

The case also further confirms the trend in Canadian civil courts to require disclosure of “private” social media postings where relevant to the case at hand.

In Fric v. Gersham the Plaintiff, who is a recent law school graduate, is claiming damages resulting from injuries suffered in a motor vehicle collision that occurred in 2008. The action, which is scheduled to proceed to trial in May, 2013, involves claims by the Plaintiff of loss and damages, including pain and suffering, loss of amenities of life, past and future loss of earning capacity, and other damages alleged to have been caused by the Defendants, who were involved in the motor vehicle accident with the Plaintiff.

The Defendants in the case brought an application for an order requiring the Plaintiff to produce a copy of the Plaintiff’s Facebook page, including a number of photographs which allegedly show the Plaintiff on vacation, hiking, scuba diving, wakeboarding and participating in the Law Games, a social and sports event held annually for students enrolled in law schools across Canada.

The Defendants submitted that the photographs are relevant to the Plaintiff’s claim for ongoing physical impairment and loss of amenities of life, and might contradict the Plaintiff’s claim that she has suffered from ongoing physical injury and loss of amenities of life as a result of the accident.

In opposing the application, the Plaintiff claimed that the Defendant’s request was overly broad and not substantiated by the evidence. The Plaintiff noted that she was not totally disabled by the accident, and has continued to function at school, work and socially, albeit with pain and fatigue. She argued that the photographs would not help refute her claim, as they reveal only snapshots in time and without a proper context. Finally, she argued that her right to privacy outweighed the probative value of the information sought to be disclosed.

Master Bouck, who presided over the Defendants’ pre-trial application for disclosure of the photographs and metadata, considered two issues in her ruling: (i) whether the Facebook photographs and metadata might be material and relevant to the Plaintiff’s claim; and (ii) whether the Plaintiff’s right to privacy might override disclosure obligations to the Defendants.

Citing a number of prior cases in BC and Ontario, Master Bouck paid particular attention to the issue of “physical impairment” and found that when such impairment is being alleged, in distinction to cognitive impairment, “the relevancy of photographs showing the plaintiff engaged in activities that require some physical effort seems rather clear.”

Master Bouck concluded that since the Plaintiff claims that her diminished capacity was the result of physical injuries, her Facebook photograph, which show her engaging in a variety of sporting or physical recreational activities, and related metadata (including time, date and caption information) are relevant in discovering the extent of her damages since the accident, including claims of physical impairment and social withdrawal. Accordingly, he required this material to be included in an amended list of documents accessible to the Defendants.

Although some of the material was found to be relevant to the case at hand, Master Bouck attempted to balance the privacy concerns of the Plaintiff and her Facebook friends with the interests of the Defendants by limiting disclosure to the most relevant material and allowing for the protection of other private postings and the postings of third parties.

In this regard, Master Bouck narrowed the required disclosure of the Plaintiff’s huge photo collection, including those posted on Facebook, to only those relating to the Law Games held and vacations taken after the accident giving rise to the claim. She also declined to order the Plaintiff disclose any comments posted on her Facebook site, finding that the probative value of such commentary was outweighed by the competing interest of protecting the private thoughts of the Plaintiff and third parties. Finally, she allowed the photographs to be edited in order to protect other individuals who may appear in them.

It is worth noting that the photographs and metadata were ordered to be disclosed only as part of the pre-trial discovery process. The Plaintiff will still be entitled to argue that the disclosed material should be inadmissible at trial on the basis that the prejudicial effect outweighs the probative value.

CRTC clarifies anti-spam regulations: consent can include electronic forms

Stikeman Elliott LLP — Thu, 29 Mar 2012 14:50:43 -0500

David Elder -

Following the registration, three weeks ago, of its new anti-spam regulations, the CRTC has issued a regulatory policy explaining the changes made to the draft regulations that it had originally proposed, as well as providing some guidance as to how some of the requirements will be interpreted.

In Telecom Regulatory Policy CRTC 2012-183, issued to coincide with the publication of the Electronic Commerce Protection Regulations (CRTC) in the Canada Gazette, the Commission notes that many of the changes to the originally proposed version of the Regulations were made in response to public comments, and in most cases were amendments intended to be less prescriptive and more technology neutral.

In an earlier post, we had summarized the main changes in the final regulations. Helpfully, the new Regulatory Policy appears to clarify several uncertainties that had been raised by these changes.

Perhaps most significantly, the Commission explicitly indicates in the Regulatory Policy that consent obtained “in writing” includes electronic forms of consent, putting to rest one of the more significant concerns of companies operating over the internet. In other contexts, the Commission has accepted electronic forms of consent where a user signifies agreement through some positive action, such as clicking on an “I agree” box.

Although in their final form, the Regulations are not yet in force. They will come into force on the day on which the core sections of Canada’s Anti-Spam Law come into force, which is expected to occur later this year.

CRTC tweaks anti-spam regulations

Stikeman Elliott LLP — Mon, 12 Mar 2012 14:33:22 -0500

David Elder -

Final regulations made by the CRTC under Canada’s Anti-Spam Law (CASL) include a number of revisions that respond to concerns raised by Canadian businesses; but while some additional flexibility has been provided, the Commission appears to have left a number of other concerns unanswered.

On 7 March 2012, the CRTC registered its Electronic Commerce Protection Regulations (CRTC), a final version of draft regulations that were originally proposed in June 2011. Those regulations, and the related Electronic Commerce Protection Regulations that were proposed by Industry Canada, attracted significant criticism from the business community, which expressed concern that the regulations omitted some important clarifications of the requirements of the law, failed to provide exemptions for certain business and behaviours that should not be caught by the legislation and imposed unworkable and unnecessary requirements that may have had a disproportionate impact on technologies such as text messaging.

Those hoping for significant additions to the CRTC Regulations will be disappointed, as the revised Regulations remain in the same form, and appear intended to accomplish the same end, as the earlier version: namely clarifying the sender identity and contact information that must be included in commercial electronic messages and requests for consent to send such messages. However, to be fair to the CRTC, this narrow focus is consistent with the scope of the regulation-making power provided to the Commission under CASL.

The final Regulations include the following changes from those originally proposed:

Clarification that persons sending a message, or persons on whose behalf a message is sent, must identify themselves by the name by which they carry on business.
Greater choice with respect to the contact information to be provided. Senders, and those seeking consent to send messages, may now provide either a telephone number providing access to an agent or a voice messaging system, an email address or a web address. The original proposal seemed to require the provision of all of these, as well as a physical address.
Revised requirements that web-based information be “readily accessible” and that the required unsubscribe mechanism must “be able to be readily performed.” The original proposed Regulations specified these requirements with reference to a maximum number of “clicks.”
The revised Regulations now indicate that consent for the receipt of a commercial electronic message may be obtained orally, as well as in writing, as the original proposed regulations provided; however, the Regulations do not provide certainty as to whether electronic forms of consent will be considered to be “in writing,” which was the chief concern of many stakeholders with this requirement. See our earlier post for a discussion of this issue.
The Regulations still require that when seeking consent, requestors must include a statement indicating that consent can be withdrawn, but no longer requires the requestor to specify through which avenues such a withdrawal of consent could be made.

The publishing of the CRTC Regulations puts the country one step closer to CASL being proclaimed in force. The other shoes to drop include finalization of the Industry Canada Regulations (a revised version of which is expected to be published in the near future) and the selection of a vendor to run the Spam Reporting Centre contemplated by the Act.

Personal data protection: implications for the corporate arena

Stikeman Elliott LLP — Fri, 09 Mar 2012 16:07:51 -0500

In an increasingly digital age, data protection has become a key component of business risk management. Companies in every industry are understandably keen to protect their trade secrets, clients list and other company data. To that end, companies routinely include confidentiality and related provisions in employment contracts, and maintain policies and procedures regarding the protection of business-related information within and outside the workplace. Further, employers now more commonly monitor employees’ use of electronic technology, such as email.

Recent decisions from the U.S. and Canada, however, demonstrate that there remains a potentially uncertain balance between the ability for law enforcement to investigate potential crimes and the rights of individuals and employees.

For example, the recent case of United States v. Doe dealt with the seizure of the defendant’s laptops and drives as part of an investigation into child pornography. Law enforcement was unable to view the encrypted portions of the drives and a Florida court held the defendant in contempt of court for refusing to produce the unencrypted data. Ultimately, the 11th Circuit found that the lower court had violated the defendant’s Fifth Amendment right against self-incriminating when the lower court ordered the production of the unencrypted data.

As some commentators have noted, while the computers in question did not belong to the defendant’s employer in the Doe case, a similar situation could occur in a corporate context. What if an employee were to encrypt data on a company-provided laptop? Would the employer be prohibited from forcing an employee to produce the unencrypted data should a suspected violation of laws occur? Would employment policies claiming corporate ownership over all data residing on company-owned machines skew the legal analysis in a different direction?

The Doe decision is particularly interesting in light of a Canadian decision handed down last year. As we discussed in a previous post, in R. v. Cole, the Ontario Court of Appeal held that a teacher had a reasonable expectation of privacy with respect to personal files stored on his work laptop in relation to the search and seizure of those files by the police. In that case, a school technician that was monitoring traffic on the school network discovered nude images of a student on the teacher’s laptop and subsequently copied the images onto a disk for the school’s principal and copied temporary internet files found in the laptop’s browsing history onto another disk to transfer to the police. The Court found that neither the technician’s search, the subsequent search and seizure by the principal and school board, nor the transfer to the police of the disk constituted a Charter violation. The appellant's privacy rights under section 8 of the Charter were found to have been violated, however, by the warrantless police search and seizure of the laptop itself.

While it is not clear how the Doe decision (a criminal case) would apply in the employer context, the Cole decision does offer some guidance on reasonable expectations of privacy. Provided employers have clear privacy policies in place, which afford employers the right to monitor employee personal activities in the workplace, a reasonable expectation of privacy will likely not be found to exist. Employers should monitor subsequent rulings on this issue in the United States to assess whether a similar approach would be taken there.

This post has been edited after initial publication to provide further information on the decision in R. v. Cole.

Law Society of B.C.'s Report to stay afloat of cloud computing

Stikeman Elliott LLP — Thu, 16 Feb 2012 11:25:49 -0500

The Law Society of British Columbia’s Cloud Computing Working Group issued its Final Report on Cloud Computing on January 27, 2012, amending an earlier consultation report approved by the “Benchers” on July 15, 2011. The report is prepared in response to the increasing use by lawyers of cloud computing technology to store and process records and conduct due diligence. In its report, the Working Group outlined due diligence guidelines, best practices and also made a series of recommendations to modernize the Law Society’s Rules.

Some of the key issues explored by the report are:

jurisdictional issues of ascertaining where a user’s data is located;
lawyers’ abilities to promptly produce, and the Law Society’s ability to quickly access and copy, records during an audit or investigation; and
security issues of data and the protection of personal client information when records are entrusted to a third party.

At the heart of the discussion were the tensions of how the new cloud computing technology affects lawyers’ abilities to discharge their professional obligations and how the same technology may challenge the Law Society’s ability to carry out its regulatory function. Overall, the Working Group’s Report sends a message to lawyers that while advances in technology, such as cloud computing, may appear as an attractive, seamless and more integrative way of conducting their practice, lawyers must be conscientious of the challenges they place on their adherence to the Law Society’s codes of conduct.

Canada's own controversy over copyright legislation

Stikeman Elliott LLP — Tue, 14 Feb 2012 11:59:07 -0500

Last month, the Stop Online Piracy Act (SOPA) and PROTECT IP Act (PIPA) became household names in the United States, as internet and technology giants like Wikipedia and Google engaged in a widely publicised day of protest and persuaded many Americans to petition their congressional representatives. Now, Canada’s own proposed Copyright Act amendments in Bill C-11 are garnering some comparisons to SOPA. “Can Canada’s version of SOPA be stopped?” asked journalist Peter Nowak in a recent Globe and Mail opinion piece.

We described Bill C-11 in an earlier post. The main opposition to Bill C-11 targets provisions that would make it illegal to break “digital locks,” i.e. measures that restrict how digital content can be used, even if the user has purchased the content legally. Critics say that these provisions essentially gut all of the other changes in the bill to liberalise users’ rights (e.g. expanded fair dealing exceptions, and inclusion of format-shifting, time-shifting and user generated content provisions, which would allow users to copy copyrighted materials in a variety of ways for non-commercial purposes), because users could not enjoy their right to copy or transform copyrighted material if bypassing the digital lock on the material is itself illegal. As outlined in Nowak’s article, critics have suggested a compromise that makes it illegal to break digital locks only in cases of willful copyright infringement.

Despite some opposition, Bill C-11 has not garnered nearly the same attention in Canada as SOPA has in the U.S. The one-day voluntary blackout by Wikipedia and other online protests against SOPA led 8 million users to look up their U.S. congressional representatives from Wikipedia, 4.5 million to sign Google’s online petition against SOPA, 2.4 million to post comments on Twitter, and enough to exert pressure on politicians that many proponents of the bill withdrew their support. By contrast, the Stop Bill C-11 Facebook page currently has only 3,000 members, and only 40 people turned up to a recent protest in Montreal.

New Google privacy policy and user data merge

Stikeman Elliott LLP — Mon, 30 Jan 2012 15:15:41 -0500

Effective March 1, 2012, Google will put in place a unified privacy policy that will replace over 60 different privacy policies across Google and cover multiple products and features. The move, while presented as an upgrade in order to “create one beautifully simple and intuitive experience across Google”, is necessitated by Google’s new plan to link user data collected across 60 Google products such as Gmail, YouTube and web searches. The data merge is scheduled to take effect on March 1, 2012 and users will not be allowed to opt out of the change. The merger of data collected across Google’s email, video and social-networking services will allow Google to target search results and advertising.

Many critics have raised privacy concerns over Google’s new data merge practices and privacy policy, including some U.S. lawmakers. As internet companies try to gleam more information from their users, they are likely to be met with increased scrutiny from regulators who are concerned about consumer privacy. Some Google senior executives believe the regulators have gone too far in proposing certain measures which could “break the internet”. At the World Economic Forum in Davos, Google’s chief legal officer raised concerns about the EU’s proposed privacy directive requiring explicit user consent to be obtained by website operators for the use of cookies.

A number says a thousand words: Data Privacy Day 2012

Stikeman Elliott LLP — Fri, 27 Jan 2012 08:45:58 -0500

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, recently issued a press release warning consumers that new technology has the potential to build individually-detailed profiles based on IP addresses, social insurance numbers and even license plates. Her comments highlight a growing trend that the anonymity of personal information is becoming increasingly scarce, especially for online consumers.

The Commissioner’s comments are timely considering that Data Privacy Day is January 28, 2012, a day when awareness of online privacy and data protection is brought to the forefront. Recognized in Canada, the United States and most of Europe, Data Privacy Day is organized by the National Cyber Security Alliance, who seeks to educate the general public about data privacy and to encourage dialogue about data protection among consumers, businesses and governments.

Banking your secrets just got safer - invasion of privacy tort recognized

Stikeman Elliott LLP — Fri, 20 Jan 2012 09:51:23 -0500

On January 18, for the first time, the Ontario Court of Appeal in Jones v. Tsige explicitly recognized the tort of invasion of personal privacy. In July 2009, Sandra Jones discovered that her co-worker, Winnie Tsige, had been surreptitiously viewing her bank records for four years. Although Jones did not know or directly work with Tsige, Tsige and Jones’ ex-husband were in a common-law relationship. As an employee of the Bank of Montreal (where Jones maintained her primary bank account), Tsige had full access to Jones’ banking information. Contrary to the bank’s policy, Tsige accessed Jones’ banking records at least 174 times. Sharpe J.A. allowed the appeal, ruled that Tsige committed the tort of “intrusion upon seclusion” and granted Jones $10,000 in damages.

The Court of Appeal defined the tort “intrusion upon seclusion”:

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.

The Court noted that proof of actual loss is not required and gave examples of private matters that can objectively be described as highly offensive: one’s financial or health records, sexual practices and orientation, employment or private correspondence. Tsige was able to access Jones’ banking transaction details, as well as personal information such as date of birth, marital status and address.

Despite the absence of any statutory private right of action between individuals in Ontario (unlike in a number of other Canadian, American and Commonwealth jurisdictions), privacy has long been recognized as an important underlying and animating value of various traditional common law causes of action to protect personal and territorial privacy. The Court pointed to the explicit recognition of a right to privacy underlying certain Charter rights and freedoms, and to the principle that the common law should be developed in a manner consistent with Charter values in choosing to expand the common law.

According to the Court,

[i]t is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form. Technological change poses a novel threat to a right of privacy that has been protected for hundreds of years by the common law under various guises and that, since 1982 and the Charter, has been recognized as a right that is integral to our social and political order.

Sharpe J.A. ruled that damages for intrusion upon seclusion in cases where the plaintiff has suffered no monetary loss should be modest but sufficient to mark the wrong that has been done. He fixed the range at up to $20,000 on a sliding scale loosely based on factors including the nature of the wrongful act, the effect on the plaintiff’s health, social, business or financial position, any relationship between the parties, any distress, annoyance or embarrassment suffered, and the conduct of the parties including any apology made by the defendant. In the present case, since Tsige’s actions were deliberate and arose from a complex web of domestic arrangements likely to provoke animosity and did, but Jones suffered no public embarrassment or harm to her health, social, business or financial position and Tsige apologized for her conduct, the mid-point of the range was chosen.

Wikipedia, Google and many others protest proposed U.S. Stop Online Piracy Act

Stikeman Elliott LLP — Wed, 18 Jan 2012 15:24:33 -0500

The proposed Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA) discussed in a prior blog post is garnering some very negative reactions from internet and technology companies, culminating in a day of protest by many websites to draw attention to the bills, which are making their way through the U.S. House of Representatives and Senate. Today, Wikipedia has blocked all of its English-language pages and Google has blacked out its U.S. home page logo (see sopastrike.com for a full list of the SOPA protest participants). Late last year, a group of nine technology companies (AOL, Ebay, Facebook, Google, Linkedin, Mozilla, Twitter, Yahoo and Zynga) took out a full-page ad in the New York Times voicing their concern that “the bills as drafted would expose law-abiding U.S. Internet and technology companies to new and uncertain liabilities, private rights of action, and technology mandates that would require monitoring of websites.” Both bills have been the subject of controversy because of the severe measures that can be invoked relatively quickly and easily to block access to, or financially cripple, allegedly infringing websites.

2011 in Review - Top 10 Technology & IP Law Developments

Stikeman Elliott LLP — Mon, 16 Jan 2012 16:47:05 -0500

The arrival of 2012 marked the end of a year filled with numerous developments in technology and IP law. Taking a cue from the Canadian Communications Law blog, we’ve decided that this would be an excellent time to reflect on the past year and review some of its more notable developments. To that end, we’ve put together a list of the top 10 technology and IP law developments from the past year.

Without further ado, here are our picks for the top 10:

Court of Appeal recognizes reasonable expectation of privacy in contents of work computer - In R. v. Cole, a teacher discovered with nude images of a student on his work laptop was found by the Ontario Court of Appeal to have a reasonable expectation of privacy with respect to his personal files on that laptop.
No liability for defamation for basic hyperlinks, says Supreme Court - In a decision that came as a relief to bloggers, tweeters, webpage owners and other providers and hosts of internet content, the Supreme Court of Canada clarified in Crookes v. Newton that merely providing hyperlinks to defamatory content will not lead to liability for defamation.

Ontario Court of Appeal holds that domain names constitute personal property - In a landmark decision, the Ontario Court of Appeal ruled in Tucows.Com Co. v. Lojas Renner S.A. that a registered domain name constituted intangible personal property. The court found that the bundle of rights associated with a domain name were sufficient to characterize domain names as “a new type of personal property.”
That’s a wrap: BC Supreme Court enforces website terms of use and validates “browse wrap” agreements in Century 21 v Zoocasa - In Century 21 Canada Limited Partnership v Rogers Communications Inc., the BC Supreme Court found that “browse wrap” agreements, in the form of a website’s posted terms of service, can form valid contracts even if not brought to the attention of users, and without any requirement of review or acknowledgement by users.
Rolling the dice: Alberta court invalidates certain PIPA provisions - The Alberta Court of Queen’s Bench struck down certain provisions in Alberta’s Personal Information Protection Act as being contrary to the Charter in United Food and Commercial Workers, Local 401 v. Alberta (Information and Privacy Commissioner). The impugned provisions, which are mirrored in the federal PIPEDA legislation, were found to unduly restrict the use of images recorded at a public demonstration.
Leon’s to ho ho hold onto customer information: SCC dismisses Privacy Commissioner’s appeal - In Information and Privacy Commissioner of Alberta v. Leon’s Furniture Limited, the Supreme Court of Canada dismissed an application for leave to appeal a ruling which found that “reasonable” collection of personal information does not necessarily mean that an organization must employ the “best” or “least intrusive” methods.
Fourth time lucky? Government introduces copyright reform bill—again - Industry Minister Christian Paradis tabled Bill C-11, An Act to Amend the Copyright Act, in the fourth attempt since 2005 to revise the Copyright Act. At its introduction the bill was identical to Bill C-32, which was introduced in June 2010 but died on the order paper at the end of the parliamentary session.
Federal Court of Appeal says broadcasting policy trumps copyright law: CRTC has power to allow local broadcasters to demand fee for carriage - The Federal Court of Appeal issued a split decision in Reference re the Canadian Radio-television and Telecommunications Commission’s Broadcasting Regulatory Policy CRTC 2010-167 and Broadcasting Order CRTC 2010-168 affirming the scope of the powers of the CRTC. The majority of the court found that the Copyright Act permits the CRTC to limit the statutory retransmission rights of broadcasters such as cable companies by imposing any regulatory or licensing condition that is consistent with the CRTC’s authority under the Broadcasting Act.
Nothing up in the air about privacy: foreign airline must comply with Canadian law - In a Report of Findings, the Office of the Privacy Commissioner of Canada confirmed that foreign businesses which operate or provide services in Canada will be subject to all requirements of Canadian privacy law, regardless of the scope of the privacy regimes in their home countries.
Who was that masked man? Court protects anonymity of Internet users - In Morris v. Johnson, the Ontario Superior Court of Justice refused to order the disclosure of the identities of three individuals who posted under pseudonyms to an online forum. The court affirmed that in cases of alleged defamation by anonymous parties, plaintiffs are required to prima facie establish the elements of defamation before courts will consider ordering the production of identity information.

Panning for gold in the mud: the availability of privacy damages under PIPEDA

Stikeman Elliott LLP — Thu, 22 Dec 2011 10:50:09 -0500

More than 10 years after the introduction of federal private sector privacy legislation in Canada, damage awards for breaches of the law have been few and far between -- and where such awards have been made, the dollar amounts awarded have been modest.

In light of the sometimes confusing, and even contradictory judgments to date, there is also considerable uncertainty as to when such damages might be awarded, and what evidentiary test a complainant might have to meet.

In Panning for gold in the mud: the availability of privacy damages under PIPEDA, in the December 2011 edition of the Canadian Privacy Law Review, David Elder of our Privacy and Data Protection Group, attempts to knit together the existing case law into a coherent analytic framework for the availability of privacy damages in Canada.

Article reproduced with permission of the publisher from Canadian Privacy Law Review, Vol. 9, No. 1, December 2011.

Leon's to ho ho hold onto customer information: SCC dismisses Privacy Commissioner's appeal

Stikeman Elliott LLP — Thu, 01 Dec 2011 08:44:26 -0500

Late last week, the Supreme Court of Canada (SCC) passed on a chance to shed some light on what it considers to be “reasonable” collection of personal information. It dismissed the Alberta Information and Privacy Commission’s appeal of an Alberta Court of Appeal decision that found “reasonable” collection of personal information to not necessary mean an organization must employ the “best” or the “least intrusive” methods.

As we noted in an earlier post, the Alberta Court of Appeal overturned the Commissioner’s ruling and stated that Leon’s Furniture Limited was justified in collecting driver’s licence and licence plate information from customers picking up furniture. Leon’s argued that the observance of such policy was for fraud prevention and deterrence purposes only and that it assisted police in any ensuing fraud investigations. The Commissioner claimed that Leon’s policy was a violation of Alberta’s Personal Information Protection Act (PIPA or Act), as collection of the disputed information was not “reasonable” under section 11 of the Act and it constituted a “condition of supplying a product or service” under section 7(2) of the Act. Both claims were rejected.

In deciding in favour of Leon’s, the Alberta Court of Appeal made a few notable findings:

The court recognized that the privacy statute identifies two competing values, the right to protect information and the need to use it – one does not trump the other and a balancing is called for.
The “reasonableness” standard imposed under Section 11 of PIPA only requires organizations to collect personal information to the extent it is reasonable for meeting the purposes for which the information is collected, and “[i]t is not open to the [Commissioner] to change ‘reasonableness’ to either ‘necessity’, ‘minimal intrusive’, or ‘best practices’. These are not interpretations that are available given the plain wording of the statue.”
The “reasonableness” standard does not require business to defer, in all instances, its interest to that of an individual’s privacy interest. “[The Commissioner] is not empowered to direct an organization to change the way it does business, just because the [Commissioner] thinks he has identified a better way. So long as the business is being conducted reasonably, it does not matter that there might also be other reasonable ways of conducting the business”.

The Court of Appeal’s decision is an important win for private sector businesses, and needless to say, the Alberta Privacy Commissioner Frank Work was dismayed with the SSC’s dismissal of its appeal. In his news release, the Commissioner expressed his concern that the decision “could be used to challenge what were thought to be reasonable, nationally accepted limits on the collection of personal information by private sector organizations. We are moving backwards.”

Overall, the Court of Appeal’s interpretation of the privacy act is an important one for business in Alberta and B.C., which has privacy legislation similar to PIPA. Although the privacy legislations governing personal information differ across the provinces, territories and federally, the message from Alberta may translate into other jurisdictions to limit the Commissioner’s discretion. Whether this judgment alters the decisions of privacy commissioners in future dealings with businesses remains to be seen.

Privacy lessons learned: do your homework about home work

Stikeman Elliott LLP — Wed, 09 Nov 2011 09:54:56 -0500

David Elder -

A recently publicized privacy breach by a Canada Revenue Agency (CRA) employee underlines the need for all organizations to impose strict controls and safeguards respecting the ability of employees to remove sensitive data from the workplace.

In a widely reported story, it was recently discovered, through a request under the Access to Information Act, that confidential material respecting Canadian taxpayers, contained in hundreds of documents and tens of thousands of email messages sent and received by a CRA employee, were downloaded in unencrypted form to CDs taken home and retained by a CRA auditor, at least some of which were subsequently copied to a third party’s laptop. While the CDs have been recovered, the laptop – thought to contain the tax files of at least 2,700 Canadians – is still missing.

Although the incident in question raises concerns with respect to the Privacy Protection Policy issued to government institutions under the Privacy Act, it also provides important lessons for private sector organizations, which are subject to similar legal requirements. All Canadian private sector privacy laws, both federal and provincial, include data protection requirements that require private organizations to protect personal information with appropriate security safeguards, including physical, organizational and technical measures.

The first - and most obvious – lesson from the CRA case is to minimize the ability of employees and consultants to remove personal information from company premises. The less data that leaves the building or the company servers/network, the less the risk that it may be lost, stolen or otherwise disclosed to unauthorized parties.

Recognizing that, in today’s mobile and networked world, it is unavoidable that work will be done by some employees outside the office, the second lesson is to employ robust safeguards to protect the personal data that must be accessed and used outside company premises.

One approach is to have clear policies respecting removal from the office of personal information and required practices for the protection of devices on which it is stored. Such policies should be readily available and regularly communicated to employees; however, such “soft” controls are not, by themselves, a complete solution. Policies will always be breached by some employees (which, in fact, is what occurred in the CRA case) and organizations will likely still be accountable for such breaches.

Another, more reliable, layer of protection is to use “hardwired” security: robust physical, and particularly, technological measures that keep personal information secure and confidential.

One of the best technological protections for data on portable storage media and devices is encryption, since strongly encrypted data remains inaccessible to most third parties, even if the device itself falls into the wrong hands, which tends to happen frequently with portable devices such as laptops and flash drives. Encryption has been strongly endorsed by privacy commissioners across Canada, and is generally considered to the required standard of protection for personal information stored on portable devices. In the health information context, he Ontario Information and Privacy Commissioner has gone so far as to suggest that the loss or theft of a device containing encrypted personal information would not generally be considered to be a loss or theft of personal information.

Other important technological solutions would include configuring most computerized corporate equipment to block the ability to download content to portable storage devices, logging and retaining each incident of such activity for the few devices for which such downloading may be permitted (such as those accessible by senior IT and security professional). However, even this kind of encryption scheme is not foolproof, as there is still room for inappropriate action by IT and security employees. In fact, in the CRA case, the data in question was actually copied to the unencrypted CDs by a Government IT technician, contrary to Government policy.

Recognizing such vulnerabilities, another technological solution adopted by many companies with a mobile workforce is to host all records on company controlled servers, using a “virtual desktop” solution to allow employees to access workplace files remotely via a secure internet connection. Such a solution eliminates entirely the need for storage on portable devices, as all documents and data are stored in the corporate system.

A final lesson here is to consider notifying the appropriate federal or provincial privacy commissioner(s) of any material data breaches, even if there is no legal requirement to do so (while federal legislation including such a requirement is currently before Parliament, at present only the Province of Alberta requires breach notification by private sector organizations). Such notification was apparently not done in the CRA case, depriving the CRA of potentially useful advice as to appropriate taxpayer notifications or other remedial action – as well as leaving the Office of the Privacy Commissioner flat-footed when contacted by media about the breach.

This post is part of an occasional series highlighting the lessons that businesses can learn from recent news items and events.

US considers tough legislation to cripple foreign sites that infringe US IP

Stikeman Elliott LLP — Tue, 08 Nov 2011 13:27:23 -0500

Stuart McCormack and Lindsay Gwyer -

Recently, a controversial new bill was introduced in the United States House of Representatives. The new bill, entitled the Stop Online Piracy Act, aims to undercut the business model of websites who sell or distribute pirated American products or works by imposing obligations on third parties who deal with the sites. Its purpose is to indirectly target foreign websites that may be outside the direct reach of American law.

One of the main components of the Stop Online Piracy Act is section 103, which provides IP owners with a tool to enforce their rights against sites “dedicated to theft of U.S. property.” Under this section, an IP rights-holder can notify a payment network provider (defined as an entity that directly or indirectly provides the proprietary services, infrastructure, and software to effect or facilitate a debit, credit, or other payment transaction) or company that provides internet advertising services of IP infringement by a particular site. Providing that the notification meets the requirements set out in the section, the recipient must respond with “technically feasible and reasonable measures” within 5 days to essentially cutting off the infringing site from its services. For payment network providers this would generally entail preventing the completion of transactions involving American customers and the infringing website, and for advertisers it would mean ceasing to advertise the website or provide advertisements to the website.

The owner of the allegedly infringing site can respond with a “counter-notification,” which requires that the site accept the jurisdiction of US courts. This allows the IP owner to bring a claim directly against the infringing site. Once a counter notification is provided, the payment networks and advertisers can return to dealing with the site. Companies that cease to deal with allegedly infringing sites cannot be held liable for doing so.

The bill also gives the US Attorney General the ability to get a court-ordered injunction, which would impose similar obligations on payment network providers and advertisers dealing with a foreign infringing site. In addition, the injunction would require Internet Service Providers and search engines to take reasonable measures essentially preventing access to the site, in the case of ISPs, and preventing search results from linking to the site, in the case of search engines. The injunction would be modified if the site removed the illegal activity.

In addition, the bill provides increased penalties for certain piracy-related criminal offences, including streaming of copyrighted works. It also contains several sections which call for ongoing study and consultation between various US government bodies and stake-holders on the issue of protecting US IP from foreign infringers.

The House’s bill is similar to the Protect IP Act of 2011 introduced last month by the Senate. Both bills have been the subject of controversy because of the severe measures that can be invoked relatively quickly and easily to block access to, or financially cripple, allegedly infringing websites. Both bills are still in the early stages of the legislative process, making it far from certain that either will be passed in its current form. However, if and when any such legislation becomes law it will have significant implications not only for websites that may contain potentially infringing content, but also for many legitimate companies that have dealings with these websites.

Lady Gaga and fansite caught in a bad romance

Stikeman Elliott LLP — Tue, 08 Nov 2011 13:23:10 -0500

Stuart McCormack and Lindsay Gwyer -

A string of number one hits and worldwide notoriety weren’t enough to bring Lady Gaga success in a domain name dispute over the use of her stage name. Earlier this fall Lady Gaga, whose real name is Stefani Germanotta, failed to convince an arbitration panel that the domain name ladygaga.org was being used illegitimately by one of the singer’s fan sites.

Domain names are allocated through accredited registries that use a central registry system overseen by the Internet Corporation for Assigned Names and Numbers (ICANN). Disputes over domain names are resolved in accordance with ICANN’s Uniform Domain Name Dispute Resolution Policy (the Policy). In order for a domain name to be cancelled or ordered to be transferred under the Policy a complainant must show that: the domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; the respondent has no rights or legitimate interests in respect of the domain name; and the domain name has been registered and is being used in bad faith.

Lady Gaga managed to successfully convince the arbitration panel that the ladygaga.org domain name was identical to the trade-mark “Lady Gaga,” in which she has rights. She relied on three registrations filed with the United States Patent and Trade-mark Office, the earliest of which were registered in October 2009, as evidence or her rights in the mark. The Panel refused to accept that she had acquired common law rights in the mark as early as September 2006, when she claimed to have first used the mark. Nonetheless, the Panel conceded that at some point she had acquired common law rights in the mark Lady Gaga, even if it could not pinpoint the exact time. It also found that that the domain name in question was identical to the trade-mark, despite the lack of space between the two words and the addition of the “.org.”

It was the second element that proved fatal to Lady Gaga’s claim. The Panel held decisively that the non-commercial fan site was a bona fide offering of goods or services, or a legitimate non-commercial or fair use of the domain name. The Panel was particularly swayed by the fact that there were multiple notices on the website indicating that it was an unofficial site. Nonetheless, the driving consideration was clearly that the Respondent had no intent to profit from the website. The Panel warned that any future, profit-driven changes to the website might cause the dispute to be decided differently in future. Having found that the domain name was being used for a legitimate purpose, it was unnecessary to consider whether the Respondent had acted in bad faith.

SEC releases guidance for the disclosure of cybersecurity incidents

Stikeman Elliott LLP — Fri, 28 Oct 2011 08:42:32 -0500

In the wake of a number of high-profile cybersecurity incidents, the SEC’s Division of Corporation Finance recently released disclosure guidance on the topic of cybersecurity. While the guidance creates no new legal obligations, it is intended to provide clarity regarding the forms of disclosure that registrants may have to make. In the release, the Division of Corporation Finance recognized that while no current disclosure requirements explicitly refer to cybersecurity, there are a number of existing disclosure obligations that may require registrants to disclose cybersecurity risks or incidents.

Such cyber incidents may be deliberate or unintentional, and include gaining unauthorized access to digital systems for the purpose of misappropriating assets or sensitive information, causing operational disruption or corrupting data. Meanwhile, the concept of a cyber attack also includes actions that don’t require unauthorized access to a computer system, such as denial-of-service attacks on websites. Cyber attacks may be carried out by insiders or third parties, and may use sophisticated technology to circumvent network security, or more traditional techniques like guessing or stealing a password to gain access to a computer network.

Ultimately, the guidance considers six areas in which disclosure of cybersecurity risks or incidents may be required under current regulations:

Risk Factors: The guidance provides that registrants “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” In making this determination, registrants should look at the severity and frequency of past cyber incidents, and should consider the probability and potential costs and other consequences of future incidents. Registrants should also consider the adequacy of any protective measures which are in place.
The guidance also states that in order to place the discussion of cybersecurity risks in context, registrants may need to disclose known cyber attacks or threats, instead of simply stating that these events may occur. The guidance notes, however, that there is no requirement to disclose information that would compromise a registrant’s cybersecurity.
Management’s Discussion and Analysis (MD&A): Where the consequences of a known cyber incident (or the risk of a potential incident) represent a material event, trend or uncertainty that is likely to have a material effect on the registrant’s financial condition or other elements of the registrant’s reported financial results, this should be discussed in the registrant’s MD&A.
Description of Business: The guidance provides that registrants should disclose any cyber incidents which materially affect the registrant’s “products, services, relationships with customers or suppliers, or competitive conditions” in the registrant’s Description of Business.
Legal Proceedings: If a registrant is party to a material pending legal proceeding that involves a cyber incident, this may need to be disclosed in the registrant’s Legal Proceedings disclosure.
Financial Statement Disclosures: The guidance outlines several ways in which cyber incidents may impact financial statement disclosures. Registrants will need to ensure that prevention costs, contingent losses, and customer incentives provided in the wake of an incident are properly recognized. A cyber incident may also result in diminished future cash flows and an accompanying impairment of assets such as goodwill, trademarks, or patents. Further, the reassessment of assumptions underlying the estimates made in preparing financial statements may be required, and registrants must explain the risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to financial statements.
Disclosure Controls and Procedures: Finally, where cyber incidents pose a risk to a registrant’s ability to record, process or report information required in SEC filings, a registrant may consider whether this risk renders the registrant’s disclosure controls and procedures ineffective. As an example, the guidance highlights the situation where “if it is reasonably possible that information would not be recorded properly due to a cyber incident affecting a registrant’s information systems, a registrant may conclude that its disclosure controls are ineffective.”

Ultimately, the guidance underscores the important role that cybersecurity plays in business and the potential impact should cybersecurity be compromised. Given the number of ways in which cybersecurity threats or incidents may materially impact a business, registrants must carefully consider whether they are obligated to disclose such incidents through one or more of the six categories above.

No liability for defamation for basic hyperlinks, says Supreme Court

Stikeman Elliott LLP — Fri, 21 Oct 2011 07:53:50 -0500

David Elder and Lindsay Gwyer -

Bloggers, tweeters, webpage owners and other providers and hosts of internet content can breathe a little easier today following a decision of the Supreme Court of Canada that ruled that merely providing hyperlinks to defamatory content cannot make them liable for defamation.

That said, while the decision provides clear support from the highest court in the land for both free expression and the preservation of the nature and benefits of the internet as whole, it stops short of giving hyperlinkers a “Get Out of Jail Free” card for all uses and presentations of links to defamatory material.

The much-anticipated decision in Crookes v. Newton, 2011 SCC 47concerned a defamation action grounded on the posting by a website operator of two simple hyperlinks to defamatory content located on other sites. The website operator refused to remove the links upon request by the plaintiff, and the plaintiff brought an action in defamation in British Columbia, where he was unsuccessful both at trialand at a subsequent appeal to the B.C. Court of Appeal. At issue before the Supreme Court was the question of whether a simple hyperlink reference to defamatory information could constitute a “publication,” a key element of the tort of libel.

The case had been very closely watched by the internet community, as a negative ruling had the potential to impose an unprecedented chilling effect on the way content is shared online, effectively subverting one of the fundamental underpinnings of the design of the World Wide Web.

While the majority acknowledged in their judgement that the internet is a potentially powerful vehicle for defamatory expression, they also explicitly recognized the indispensability of hyperlinks in facilitating access to online information, and ruled so as to preserve the ability of users to provide basic links to third party content without fearing that they will become legally responsible for that content. The majority likened simple hyperlinks (which merely reference the existence and location of content) to footnotes or references, noting that both are necessarily content-neutral, with the poster having no control over the content to which they refer, and that both require some act on the part of the reader before the content can be accessed. This type of basic link, the Court ruled, does not amount to an expression of meaning and cannot possibly be a publication of defamatory material.

While the decision provides clear immunity for providing simple hyperlinks to defamatory content, the three separate judgements that underlie the decision (either concurring or concurring in the result) leave the door open to potential liability for hyperlinking in other ways and contexts. Moreover, the decision may have significant implications with respect to liability for hyperlinking other types of prohibited or unauthorized content

Beyond the scenario of simple hyperlinking, which the Court found will not attract liability, things get murkier. The majority appears to conclude that for those hyperlinking to third party content, only repetition of the defamatory statement in the link or associated text will attract liability; however, in joint concurring reasons, Chief Justice McLachlan and Justice Fish purported to “clarify” that, notwithstanding the apparent bright line test set out in the majority judgement, defamation would also be possible where the text indicates adoption or endorsement of the hyperlinked content, even if it doesn’t repeat the defamatory statement. In a separate judgement that concurred in the result, Justice Deschamps favoured a more nuanced approach, where content posters would attract liability for defamation if they deliberately make the defamatory information readily available to a third party in a comprehensible form (although the defence of innocent dissemination may still be available). In light of these varying approaches, it will be interesting to see how Canadian courts may deal with hyperlinking liability issues on different facts and in different contexts.

The majority also noted that, in an era of rapidly evolving technologies, it may become necessary to consider in the future the liability that could be attracted by other types of links, which are or may become available, such as embedded or automatic links. (The facts before the Court involved one “shallow” link to a site’s homepage and one “deep” link to a specific page further down in the site’s hierarchy of content).

Finally, while the Crookes decision dealt exclusively with publication in the context of defamation, it may have broader implications for liability for hyperlinking to other types of prohibited or unauthorized content. For example, some commentators have argued that the Court’s interpretation of publication may have implications for the meaning of “publication” or “reproduction” under the Copyright Act.

The approach could also conceivably raise implications for criminal liability. For example, the offence of public incitement of hatred focuses on the act of “communicating statements” in a public place.Bill C-51, introduced in the last session or Parliament, but yet to be reintroduced, following the spring election, included a provision that would have amended the offence to indicate that “communicating” would include “making available,” which, as pointed out by the accompanying Legislative Summary, would include providing a hyperlink to the offending material.

Although the Crookes ruling is an important victory for content posters and internet supporters generally, there are still many aspects of the legal implications of linking to unauthorized or illegal content that remain to be definitively settled in Canadian law.

Fourth time lucky? Government introduces copyright reform bill -- again.

Stikeman Elliott LLP — Mon, 03 Oct 2011 13:01:14 -0500

Alexandra Stockwell and Robert Mysicka -

The Canadian Government is giving copyright reform another try, reintroducing what is essentially the same copyright bill that died last spring with the dissolution of Parliament.

But while the text may be the same, one thing has clearly changed: this time, the ruling Conservatives have a legislative majority, significantly increasing the likelihood that the new bill will actually become law, either in its current form or with amendments introduced at Committee.

Industry Minister Christian Paradis formally tabled Bill C-11, entitled An Act to Amend the Copyright Act, in the House of Commons on September 29, 2011, also holding a press conference to discuss the main features of the bill and the Government’s plans for its passage. During that event, Heritage Minister James Moore stated that Bill C-11 is identical to Bill C-32, the version introduced in June 2010, which died on the order paper when the parliamentary session ended last spring.

That said, the bill apparently won’t stay “identical” for long. The Minster has already indicated that “technical amendments” to the just-introduced Bill are already being contemplated. These will likely be introduced by Government members of the House Committee tasked with studying the new bill.

The new bill represents the fourth time since 2005 that the Government has introduced a bill to implement revisions to the Copyright Act. Potential changes to the Copyright Act have been the focus of intensive discussion and debate between stakeholders for a number of years—although there seems to be little dispute that change is necessary to update the Act, which was last amended before many of the digital technologies that are commonplace today were introduced.

The Government seems intent on swift passage of the bill. Earlier in September, Heritage Minister James Moore indicated that the government wished to resume work on the copyright bill, and noted that groups who had already appeared before the legislative committee studying Bill C-32 would not be invited to re-appear. The Minister noted the huge investment of time that had already gone into Bill C-32 and the urgency to reform the law to keep up with current technology. During the C-11 press conference, the Heritage Minister went so far as to say that he hoped the bill could clear the House of Commons by Christmas, aided by a special committee assembled to focus only on the copyright bill.

Accordingly, while observers might have reasonably speculated that further work on Bill C-11 could also be influenced by the potential outcome of a cluster of copyright cases that were recently granted leave to appeal to the Supreme Court of Canada (one of which will consider the scope of the “fair dealing” exception, a provision that would itself be amended by the new bill), the majority Government’s apparent timeline, even in the face of these pending appeals, would appear to make this unlikely, since the cases would not be heard until December 2011, with the judgements unlikely to be rendered for many months thereafter.

Highlights of Bill C-11 include the following:

Protection of Digital Rights Management (DRM). Also known as “technical protection measures” or, more commonly, as “digital locks”, DRM is built into digital music, DVDs, and other media and technology products to ensure that they are not subject to unauthorized copying. The proposed amendments include anti-circumvention provisions that prohibit the removal or tampering with DRM. Bill C-11 also proposes protection for Rights Management Information (RMI), which is used to identify the rights holders of an original work or to outline restrictions on use of the copyrighted work. The bill would prevent the removal of, or tampering with, RMI.
"Reproduction for private purposes” provisions would allow individual Canadians to make copies of music and other copyrighted material if the original copy is not an infringing copy, the individual legally obtained the original copy other than by borrowing it or renting it, and the individual owns or is authorized to use the medium or device onto which the copy is reproduced (such as a computer, iPod or MP3 player) as long as a digital lock is not picked in making the copy. The reproduction may only be used for private purposes and cannot be given away, sold or rented without first destroying all reproductions of the original copy. In addition, these provisions would not apply if the reproduction is made onto a medium that is governed by the private copying provisions currently found at Part VIII of the Copyright Act, such as CD-Rs.
Education exemptions would make it legal for students at schools and higher learning institutions to download copyrighted information for the purpose of study and research. Schools will also be allowed to transmit materials used in classrooms to students located off-campus to facilitate learning, as long as the material is restricted to students. In addition, teachers and students will be allowed to use copyrighted material in lessons conducted over the Internet. This applies both to teachers and students in a physical classroom and those who may be viewing recordings of the lessons over the Internet at a later time. Teachers will also be allowed to digitally deliver course content to students, subject to fair compensation to copyright owners. The provisions currently found in the Copyright Act allowing parts of a work to be copied for display to students will be amended so that they are technologically neutral.
Time-shifting provisions allow for the making of one recording of communication signals or programs for private purposes. The time-shifting recording must be obtained from a legal source and used only for private purposes. As well, technical protection measures could not be circumvented to make the recording, and the recording cannot be kept “longer than is reasonably necessary in order to listen to or view the program at a more convenient time”.
A “Notice and Notice” regime for Internet Service Providers (ISPs), whereby ISPs, after being notified of infringement allegations by a rights holder, would be obligated to notify the relevant subscriber of the allegations received. ISPs would also be obliged to retain records that would enable the identification of the subscriber allegedly engaged in the infringing activity for a period of six months (or one year, if infringement proceedings are commenced in respect of the claimed infringement within six months of the initial notice from the rights holder). The government has emphasized that this is a more balanced approach and appropriate approach than the “Notice and Take Down” approach taken in some countries such as the United States, or the “Three Strikes” approaches advocated in other jurisdictions, where alleged infringers could be deprived of internet access.
A change to the provisions on statutory damages for non-commercial infringement from a current maximum of $20,000.00 for infringement of each protected work, to a maximum of $5,000.00 in respect of all infringements involved in the proceedings for all works or other subject-matter. Moreover, if a plaintiff elects statutory damages for non-commercial infringements, it will be barred from collecting statutory damages from that defendant for any other non-commercial infringements occurring before the proceeding began, and no other copyright owner may elect statutory damages against that defendant for non-commercial infringements that were done before the initiation of the proceedings in which statutory damages were elected.
Fair dealing exceptions, which permit use of a copyrighted work without permission of the copyright owner, have been expanded to include uses for the purposes of education, parody or satire in addition to the current reference to research or private study. While procedurally, a defendant is required to prove that his or her dealing with a work has been fair, the Supreme Court of Canada has noted that the current fair dealing exception is a user's right, and should not be interpreted restrictively. In Alberta (Minister of Education) v. Canadian Copyright Licensing Agency, one of the cases to be heard by the Supreme Court of Canada in December 2011 (which we wrote about here), the Court will be considering the application of the current fair dealing exceptions to photocopies made in educational institutions. It is unclear how the addition of the word “education” into the fair dealing exception would impact the application of the tariffs considered in that case.
A “Mash-up” exemption, exempting from copyright infringement the use of pre-existing works to create new non-commercial works, defined as “user-generated content”. This exemption is only available, however, if the use of the copyrighted work is done solely for non-commercial purposes, does not have a substantial adverse effect (financial or otherwise) on the exploitation of the existing work (including that the new work isn’t a substitute for the existing one), and a requirement (if it is reasonable in the circumstances) to mention the sources of the works incorporated in the new work.
The amendments make it clear that temporary reproductions for technological processes are not copyright infringements if the reproduction is essential to the technological process, exists only for the duration of that process, and the only purpose of the reproduction is to facilitate a use that isn’t an infringement of copyright. Similarly, the amendments make clear that an Internet service provider who caches a work to make the telecommunication of the work more efficient, does not, by virtue of that act alone, infringe copyright.

The government has characterized Bill C-11 as a “balanced” approach to copyright, and that assessment will likely be critically evaluated and commented on by various stakeholders in the coming months. We will continue to review and monitor the progress of this proposed legislation, and will provide you with further updates as the bill progresses through the legislative process.