Canadian Technology & IP Law

New Google privacy policy and user data merge

Stikeman Elliott LLP — Mon, 30 Jan 2012 15:15:41 -0500

Effective March 1, 2012, Google will put in place a unified privacy policy that will replace over 60 different privacy policies across Google and cover multiple products and features. The move, while presented as an upgrade in order to “create one beautifully simple and intuitive experience across Google”, is necessitated by Google’s new plan to link user data collected across 60 Google products such as Gmail, YouTube and web searches. The data merge is scheduled to take effect on March 1, 2012 and users will not be allowed to opt out of the change. The merger of data collected across Google’s email, video and social-networking services will allow Google to target search results and advertising.

Many critics have raised privacy concerns over Google’s new data merge practices and privacy policy, including some U.S. lawmakers. As internet companies try to gleam more information from their users, they are likely to be met with increased scrutiny from regulators who are concerned about consumer privacy. Some Google senior executives believe the regulators have gone too far in proposing certain measures which could “break the internet”. At the World Economic Forum in Davos, Google’s chief legal officer raised concerns about the EU’s proposed privacy directive requiring explicit user consent to be obtained by website operators for the use of cookies.

A number says a thousand words: Data Privacy Day 2012

Stikeman Elliott LLP — Fri, 27 Jan 2012 08:45:58 -0500

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, recently issued a press release warning consumers that new technology has the potential to build individually-detailed profiles based on IP addresses, social insurance numbers and even license plates. Her comments highlight a growing trend that the anonymity of personal information is becoming increasingly scarce, especially for online consumers.

The Commissioner’s comments are timely considering that Data Privacy Day is January 28, 2012, a day when awareness of online privacy and data protection is brought to the forefront. Recognized in Canada, the United States and most of Europe, Data Privacy Day is organized by the National Cyber Security Alliance, who seeks to educate the general public about data privacy and to encourage dialogue about data protection among consumers, businesses and governments.

Banking your secrets just got safer - invasion of privacy tort recognized

Stikeman Elliott LLP — Fri, 20 Jan 2012 09:51:23 -0500

On January 18, for the first time, the Ontario Court of Appeal in Jones v. Tsige explicitly recognized the tort of invasion of personal privacy. In July 2009, Sandra Jones discovered that her co-worker, Winnie Tsige, had been surreptitiously viewing her bank records for four years. Although Jones did not know or directly work with Tsige, Tsige and Jones’ ex-husband were in a common-law relationship. As an employee of the Bank of Montreal (where Jones maintained her primary bank account), Tsige had full access to Jones’ banking information. Contrary to the bank’s policy, Tsige accessed Jones’ banking records at least 174 times. Sharpe J.A. allowed the appeal, ruled that Tsige committed the tort of “intrusion upon seclusion” and granted Jones $10,000 in damages.

The Court of Appeal defined the tort “intrusion upon seclusion”:

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.

The Court noted that proof of actual loss is not required and gave examples of private matters that can objectively be described as highly offensive: one’s financial or health records, sexual practices and orientation, employment or private correspondence. Tsige was able to access Jones’ banking transaction details, as well as personal information such as date of birth, marital status and address.

Despite the absence of any statutory private right of action between individuals in Ontario (unlike in a number of other Canadian, American and Commonwealth jurisdictions), privacy has long been recognized as an important underlying and animating value of various traditional common law causes of action to protect personal and territorial privacy. The Court pointed to the explicit recognition of a right to privacy underlying certain Charter rights and freedoms, and to the principle that the common law should be developed in a manner consistent with Charter values in choosing to expand the common law.

According to the Court,

[i]t is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form. Technological change poses a novel threat to a right of privacy that has been protected for hundreds of years by the common law under various guises and that, since 1982 and the Charter, has been recognized as a right that is integral to our social and political order.

Sharpe J.A. ruled that damages for intrusion upon seclusion in cases where the plaintiff has suffered no monetary loss should be modest but sufficient to mark the wrong that has been done. He fixed the range at up to $20,000 on a sliding scale loosely based on factors including the nature of the wrongful act, the effect on the plaintiff’s health, social, business or financial position, any relationship between the parties, any distress, annoyance or embarrassment suffered, and the conduct of the parties including any apology made by the defendant. In the present case, since Tsige’s actions were deliberate and arose from a complex web of domestic arrangements likely to provoke animosity and did, but Jones suffered no public embarrassment or harm to her health, social, business or financial position and Tsige apologized for her conduct, the mid-point of the range was chosen.

Wikipedia, Google and many others protest proposed U.S. Stop Online Piracy Act

Stikeman Elliott LLP — Wed, 18 Jan 2012 15:24:33 -0500

The proposed Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA) discussed in a prior blog post is garnering some very negative reactions from internet and technology companies, culminating in a day of protest by many websites to draw attention to the bills, which are making their way through the U.S. House of Representatives and Senate. Today, Wikipedia has blocked all of its English-language pages and Google has blacked out its U.S. home page logo (see sopastrike.com for a full list of the SOPA protest participants). Late last year, a group of nine technology companies (AOL, Ebay, Facebook, Google, Linkedin, Mozilla, Twitter, Yahoo and Zynga) took out a full-page ad in the New York Times voicing their concern that “the bills as drafted would expose law-abiding U.S. Internet and technology companies to new and uncertain liabilities, private rights of action, and technology mandates that would require monitoring of websites.” Both bills have been the subject of controversy because of the severe measures that can be invoked relatively quickly and easily to block access to, or financially cripple, allegedly infringing websites.

2011 in Review - Top 10 Technology & IP Law Developments

Stikeman Elliott LLP — Mon, 16 Jan 2012 16:47:05 -0500

The arrival of 2012 marked the end of a year filled with numerous developments in technology and IP law. Taking a cue from the Canadian Communications Law blog, we’ve decided that this would be an excellent time to reflect on the past year and review some of its more notable developments. To that end, we’ve put together a list of the top 10 technology and IP law developments from the past year.

Without further ado, here are our picks for the top 10:

Court of Appeal recognizes reasonable expectation of privacy in contents of work computer - In R. v. Cole, a teacher discovered with nude images of a student on his work laptop was found by the Ontario Court of Appeal to have a reasonable expectation of privacy with respect to his personal files on that laptop.
No liability for defamation for basic hyperlinks, says Supreme Court - In a decision that came as a relief to bloggers, tweeters, webpage owners and other providers and hosts of internet content, the Supreme Court of Canada clarified in Crookes v. Newton that merely providing hyperlinks to defamatory content will not lead to liability for defamation.

Ontario Court of Appeal holds that domain names constitute personal property - In a landmark decision, the Ontario Court of Appeal ruled in Tucows.Com Co. v. Lojas Renner S.A. that a registered domain name constituted intangible personal property. The court found that the bundle of rights associated with a domain name were sufficient to characterize domain names as “a new type of personal property.”
That’s a wrap: BC Supreme Court enforces website terms of use and validates “browse wrap” agreements in Century 21 v Zoocasa - In Century 21 Canada Limited Partnership v Rogers Communications Inc., the BC Supreme Court found that “browse wrap” agreements, in the form of a website’s posted terms of service, can form valid contracts even if not brought to the attention of users, and without any requirement of review or acknowledgement by users.
Rolling the dice: Alberta court invalidates certain PIPA provisions - The Alberta Court of Queen’s Bench struck down certain provisions in Alberta’s Personal Information Protection Act as being contrary to the Charter in United Food and Commercial Workers, Local 401 v. Alberta (Information and Privacy Commissioner). The impugned provisions, which are mirrored in the federal PIPEDA legislation, were found to unduly restrict the use of images recorded at a public demonstration.
Leon’s to ho ho hold onto customer information: SCC dismisses Privacy Commissioner’s appeal - In Information and Privacy Commissioner of Alberta v. Leon’s Furniture Limited, the Supreme Court of Canada dismissed an application for leave to appeal a ruling which found that “reasonable” collection of personal information does not necessarily mean that an organization must employ the “best” or “least intrusive” methods.
Fourth time lucky? Government introduces copyright reform bill—again - Industry Minister Christian Paradis tabled Bill C-11, An Act to Amend the Copyright Act, in the fourth attempt since 2005 to revise the Copyright Act. At its introduction the bill was identical to Bill C-32, which was introduced in June 2010 but died on the order paper at the end of the parliamentary session.
Federal Court of Appeal says broadcasting policy trumps copyright law: CRTC has power to allow local broadcasters to demand fee for carriage - The Federal Court of Appeal issued a split decision in Reference re the Canadian Radio-television and Telecommunications Commission’s Broadcasting Regulatory Policy CRTC 2010-167 and Broadcasting Order CRTC 2010-168 affirming the scope of the powers of the CRTC. The majority of the court found that the Copyright Act permits the CRTC to limit the statutory retransmission rights of broadcasters such as cable companies by imposing any regulatory or licensing condition that is consistent with the CRTC’s authority under the Broadcasting Act.
Nothing up in the air about privacy: foreign airline must comply with Canadian law - In a Report of Findings, the Office of the Privacy Commissioner of Canada confirmed that foreign businesses which operate or provide services in Canada will be subject to all requirements of Canadian privacy law, regardless of the scope of the privacy regimes in their home countries.
Who was that masked man? Court protects anonymity of Internet users - In Morris v. Johnson, the Ontario Superior Court of Justice refused to order the disclosure of the identities of three individuals who posted under pseudonyms to an online forum. The court affirmed that in cases of alleged defamation by anonymous parties, plaintiffs are required to prima facie establish the elements of defamation before courts will consider ordering the production of identity information.

Panning for gold in the mud: the availability of privacy damages under PIPEDA

Stikeman Elliott LLP — Thu, 22 Dec 2011 10:50:09 -0500

More than 10 years after the introduction of federal private sector privacy legislation in Canada, damage awards for breaches of the law have been few and far between -- and where such awards have been made, the dollar amounts awarded have been modest.

In light of the sometimes confusing, and even contradictory judgments to date, there is also considerable uncertainty as to when such damages might be awarded, and what evidentiary test a complainant might have to meet.

In Panning for gold in the mud: the availability of privacy damages under PIPEDA, in the December 2011 edition of the Canadian Privacy Law Review, David Elder of our Privacy and Data Protection Group, attempts to knit together the existing case law into a coherent analytic framework for the availability of privacy damages in Canada.

Article reproduced with permission of the publisher from Canadian Privacy Law Review, Vol. 9, No. 1, December 2011.

Leon's to ho ho hold onto customer information: SCC dismisses Privacy Commissioner's appeal

Stikeman Elliott LLP — Thu, 01 Dec 2011 08:44:26 -0500

Late last week, the Supreme Court of Canada (SCC) passed on a chance to shed some light on what it considers to be “reasonable” collection of personal information. It dismissed the Alberta Information and Privacy Commission’s appeal of an Alberta Court of Appeal decision that found “reasonable” collection of personal information to not necessary mean an organization must employ the “best” or the “least intrusive” methods.

As we noted in an earlier post, the Alberta Court of Appeal overturned the Commissioner’s ruling and stated that Leon’s Furniture Limited was justified in collecting driver’s licence and licence plate information from customers picking up furniture. Leon’s argued that the observance of such policy was for fraud prevention and deterrence purposes only and that it assisted police in any ensuing fraud investigations. The Commissioner claimed that Leon’s policy was a violation of Alberta’s Personal Information Protection Act (PIPA or Act), as collection of the disputed information was not “reasonable” under section 11 of the Act and it constituted a “condition of supplying a product or service” under section 7(2) of the Act. Both claims were rejected.

In deciding in favour of Leon’s, the Alberta Court of Appeal made a few notable findings:

The court recognized that the privacy statute identifies two competing values, the right to protect information and the need to use it – one does not trump the other and a balancing is called for.
The “reasonableness” standard imposed under Section 11 of PIPA only requires organizations to collect personal information to the extent it is reasonable for meeting the purposes for which the information is collected, and “[i]t is not open to the [Commissioner] to change ‘reasonableness’ to either ‘necessity’, ‘minimal intrusive’, or ‘best practices’. These are not interpretations that are available given the plain wording of the statue.”
The “reasonableness” standard does not require business to defer, in all instances, its interest to that of an individual’s privacy interest. “[The Commissioner] is not empowered to direct an organization to change the way it does business, just because the [Commissioner] thinks he has identified a better way. So long as the business is being conducted reasonably, it does not matter that there might also be other reasonable ways of conducting the business”.

The Court of Appeal’s decision is an important win for private sector businesses, and needless to say, the Alberta Privacy Commissioner Frank Work was dismayed with the SSC’s dismissal of its appeal. In his news release, the Commissioner expressed his concern that the decision “could be used to challenge what were thought to be reasonable, nationally accepted limits on the collection of personal information by private sector organizations. We are moving backwards.”

Overall, the Court of Appeal’s interpretation of the privacy act is an important one for business in Alberta and B.C., which has privacy legislation similar to PIPA. Although the privacy legislations governing personal information differ across the provinces, territories and federally, the message from Alberta may translate into other jurisdictions to limit the Commissioner’s discretion. Whether this judgment alters the decisions of privacy commissioners in future dealings with businesses remains to be seen.

Privacy lessons learned: do your homework about home work

Stikeman Elliott LLP — Wed, 09 Nov 2011 09:54:56 -0500

David Elder -

A recently publicized privacy breach by a Canada Revenue Agency (CRA) employee underlines the need for all organizations to impose strict controls and safeguards respecting the ability of employees to remove sensitive data from the workplace.

In a widely reported story, it was recently discovered, through a request under the Access to Information Act, that confidential material respecting Canadian taxpayers, contained in hundreds of documents and tens of thousands of email messages sent and received by a CRA employee, were downloaded in unencrypted form to CDs taken home and retained by a CRA auditor, at least some of which were subsequently copied to a third party’s laptop. While the CDs have been recovered, the laptop – thought to contain the tax files of at least 2,700 Canadians – is still missing.

Although the incident in question raises concerns with respect to the Privacy Protection Policy issued to government institutions under the Privacy Act, it also provides important lessons for private sector organizations, which are subject to similar legal requirements. All Canadian private sector privacy laws, both federal and provincial, include data protection requirements that require private organizations to protect personal information with appropriate security safeguards, including physical, organizational and technical measures.

The first - and most obvious – lesson from the CRA case is to minimize the ability of employees and consultants to remove personal information from company premises. The less data that leaves the building or the company servers/network, the less the risk that it may be lost, stolen or otherwise disclosed to unauthorized parties.

Recognizing that, in today’s mobile and networked world, it is unavoidable that work will be done by some employees outside the office, the second lesson is to employ robust safeguards to protect the personal data that must be accessed and used outside company premises.

One approach is to have clear policies respecting removal from the office of personal information and required practices for the protection of devices on which it is stored. Such policies should be readily available and regularly communicated to employees; however, such “soft” controls are not, by themselves, a complete solution. Policies will always be breached by some employees (which, in fact, is what occurred in the CRA case) and organizations will likely still be accountable for such breaches.

Another, more reliable, layer of protection is to use “hardwired” security: robust physical, and particularly, technological measures that keep personal information secure and confidential.

One of the best technological protections for data on portable storage media and devices is encryption, since strongly encrypted data remains inaccessible to most third parties, even if the device itself falls into the wrong hands, which tends to happen frequently with portable devices such as laptops and flash drives. Encryption has been strongly endorsed by privacy commissioners across Canada, and is generally considered to the required standard of protection for personal information stored on portable devices. In the health information context, he Ontario Information and Privacy Commissioner has gone so far as to suggest that the loss or theft of a device containing encrypted personal information would not generally be considered to be a loss or theft of personal information.

Other important technological solutions would include configuring most computerized corporate equipment to block the ability to download content to portable storage devices, logging and retaining each incident of such activity for the few devices for which such downloading may be permitted (such as those accessible by senior IT and security professional). However, even this kind of encryption scheme is not foolproof, as there is still room for inappropriate action by IT and security employees. In fact, in the CRA case, the data in question was actually copied to the unencrypted CDs by a Government IT technician, contrary to Government policy.

Recognizing such vulnerabilities, another technological solution adopted by many companies with a mobile workforce is to host all records on company controlled servers, using a “virtual desktop” solution to allow employees to access workplace files remotely via a secure internet connection. Such a solution eliminates entirely the need for storage on portable devices, as all documents and data are stored in the corporate system.

A final lesson here is to consider notifying the appropriate federal or provincial privacy commissioner(s) of any material data breaches, even if there is no legal requirement to do so (while federal legislation including such a requirement is currently before Parliament, at present only the Province of Alberta requires breach notification by private sector organizations). Such notification was apparently not done in the CRA case, depriving the CRA of potentially useful advice as to appropriate taxpayer notifications or other remedial action – as well as leaving the Office of the Privacy Commissioner flat-footed when contacted by media about the breach.

This post is part of an occasional series highlighting the lessons that businesses can learn from recent news items and events.

US considers tough legislation to cripple foreign sites that infringe US IP

Stikeman Elliott LLP — Tue, 08 Nov 2011 13:27:23 -0500

Stuart McCormack and Lindsay Gwyer -

Recently, a controversial new bill was introduced in the United States House of Representatives. The new bill, entitled the Stop Online Piracy Act, aims to undercut the business model of websites who sell or distribute pirated American products or works by imposing obligations on third parties who deal with the sites. Its purpose is to indirectly target foreign websites that may be outside the direct reach of American law.

One of the main components of the Stop Online Piracy Act is section 103, which provides IP owners with a tool to enforce their rights against sites “dedicated to theft of U.S. property.” Under this section, an IP rights-holder can notify a payment network provider (defined as an entity that directly or indirectly provides the proprietary services, infrastructure, and software to effect or facilitate a debit, credit, or other payment transaction) or company that provides internet advertising services of IP infringement by a particular site. Providing that the notification meets the requirements set out in the section, the recipient must respond with “technically feasible and reasonable measures” within 5 days to essentially cutting off the infringing site from its services. For payment network providers this would generally entail preventing the completion of transactions involving American customers and the infringing website, and for advertisers it would mean ceasing to advertise the website or provide advertisements to the website.

The owner of the allegedly infringing site can respond with a “counter-notification,” which requires that the site accept the jurisdiction of US courts. This allows the IP owner to bring a claim directly against the infringing site. Once a counter notification is provided, the payment networks and advertisers can return to dealing with the site. Companies that cease to deal with allegedly infringing sites cannot be held liable for doing so.

The bill also gives the US Attorney General the ability to get a court-ordered injunction, which would impose similar obligations on payment network providers and advertisers dealing with a foreign infringing site. In addition, the injunction would require Internet Service Providers and search engines to take reasonable measures essentially preventing access to the site, in the case of ISPs, and preventing search results from linking to the site, in the case of search engines. The injunction would be modified if the site removed the illegal activity.

In addition, the bill provides increased penalties for certain piracy-related criminal offences, including streaming of copyrighted works. It also contains several sections which call for ongoing study and consultation between various US government bodies and stake-holders on the issue of protecting US IP from foreign infringers.

The House’s bill is similar to the Protect IP Act of 2011 introduced last month by the Senate. Both bills have been the subject of controversy because of the severe measures that can be invoked relatively quickly and easily to block access to, or financially cripple, allegedly infringing websites. Both bills are still in the early stages of the legislative process, making it far from certain that either will be passed in its current form. However, if and when any such legislation becomes law it will have significant implications not only for websites that may contain potentially infringing content, but also for many legitimate companies that have dealings with these websites.

Lady Gaga and fansite caught in a bad romance

Stikeman Elliott LLP — Tue, 08 Nov 2011 13:23:10 -0500

Stuart McCormack and Lindsay Gwyer -

A string of number one hits and worldwide notoriety weren’t enough to bring Lady Gaga success in a domain name dispute over the use of her stage name. Earlier this fall Lady Gaga, whose real name is Stefani Germanotta, failed to convince an arbitration panel that the domain name ladygaga.org was being used illegitimately by one of the singer’s fan sites.

Domain names are allocated through accredited registries that use a central registry system overseen by the Internet Corporation for Assigned Names and Numbers (ICANN). Disputes over domain names are resolved in accordance with ICANN’s Uniform Domain Name Dispute Resolution Policy (the Policy). In order for a domain name to be cancelled or ordered to be transferred under the Policy a complainant must show that: the domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; the respondent has no rights or legitimate interests in respect of the domain name; and the domain name has been registered and is being used in bad faith.

Lady Gaga managed to successfully convince the arbitration panel that the ladygaga.org domain name was identical to the trade-mark “Lady Gaga,” in which she has rights. She relied on three registrations filed with the United States Patent and Trade-mark Office, the earliest of which were registered in October 2009, as evidence or her rights in the mark. The Panel refused to accept that she had acquired common law rights in the mark as early as September 2006, when she claimed to have first used the mark. Nonetheless, the Panel conceded that at some point she had acquired common law rights in the mark Lady Gaga, even if it could not pinpoint the exact time. It also found that that the domain name in question was identical to the trade-mark, despite the lack of space between the two words and the addition of the “.org.”

It was the second element that proved fatal to Lady Gaga’s claim. The Panel held decisively that the non-commercial fan site was a bona fide offering of goods or services, or a legitimate non-commercial or fair use of the domain name. The Panel was particularly swayed by the fact that there were multiple notices on the website indicating that it was an unofficial site. Nonetheless, the driving consideration was clearly that the Respondent had no intent to profit from the website. The Panel warned that any future, profit-driven changes to the website might cause the dispute to be decided differently in future. Having found that the domain name was being used for a legitimate purpose, it was unnecessary to consider whether the Respondent had acted in bad faith.

SEC releases guidance for the disclosure of cybersecurity incidents

Stikeman Elliott LLP — Fri, 28 Oct 2011 08:42:32 -0500

In the wake of a number of high-profile cybersecurity incidents, the SEC’s Division of Corporation Finance recently released disclosure guidance on the topic of cybersecurity. While the guidance creates no new legal obligations, it is intended to provide clarity regarding the forms of disclosure that registrants may have to make. In the release, the Division of Corporation Finance recognized that while no current disclosure requirements explicitly refer to cybersecurity, there are a number of existing disclosure obligations that may require registrants to disclose cybersecurity risks or incidents.

Such cyber incidents may be deliberate or unintentional, and include gaining unauthorized access to digital systems for the purpose of misappropriating assets or sensitive information, causing operational disruption or corrupting data. Meanwhile, the concept of a cyber attack also includes actions that don’t require unauthorized access to a computer system, such as denial-of-service attacks on websites. Cyber attacks may be carried out by insiders or third parties, and may use sophisticated technology to circumvent network security, or more traditional techniques like guessing or stealing a password to gain access to a computer network.

Ultimately, the guidance considers six areas in which disclosure of cybersecurity risks or incidents may be required under current regulations:

Risk Factors: The guidance provides that registrants “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” In making this determination, registrants should look at the severity and frequency of past cyber incidents, and should consider the probability and potential costs and other consequences of future incidents. Registrants should also consider the adequacy of any protective measures which are in place.
The guidance also states that in order to place the discussion of cybersecurity risks in context, registrants may need to disclose known cyber attacks or threats, instead of simply stating that these events may occur. The guidance notes, however, that there is no requirement to disclose information that would compromise a registrant’s cybersecurity.
Management’s Discussion and Analysis (MD&A): Where the consequences of a known cyber incident (or the risk of a potential incident) represent a material event, trend or uncertainty that is likely to have a material effect on the registrant’s financial condition or other elements of the registrant’s reported financial results, this should be discussed in the registrant’s MD&A.
Description of Business: The guidance provides that registrants should disclose any cyber incidents which materially affect the registrant’s “products, services, relationships with customers or suppliers, or competitive conditions” in the registrant’s Description of Business.
Legal Proceedings: If a registrant is party to a material pending legal proceeding that involves a cyber incident, this may need to be disclosed in the registrant’s Legal Proceedings disclosure.
Financial Statement Disclosures: The guidance outlines several ways in which cyber incidents may impact financial statement disclosures. Registrants will need to ensure that prevention costs, contingent losses, and customer incentives provided in the wake of an incident are properly recognized. A cyber incident may also result in diminished future cash flows and an accompanying impairment of assets such as goodwill, trademarks, or patents. Further, the reassessment of assumptions underlying the estimates made in preparing financial statements may be required, and registrants must explain the risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to financial statements.
Disclosure Controls and Procedures: Finally, where cyber incidents pose a risk to a registrant’s ability to record, process or report information required in SEC filings, a registrant may consider whether this risk renders the registrant’s disclosure controls and procedures ineffective. As an example, the guidance highlights the situation where “if it is reasonably possible that information would not be recorded properly due to a cyber incident affecting a registrant’s information systems, a registrant may conclude that its disclosure controls are ineffective.”

Ultimately, the guidance underscores the important role that cybersecurity plays in business and the potential impact should cybersecurity be compromised. Given the number of ways in which cybersecurity threats or incidents may materially impact a business, registrants must carefully consider whether they are obligated to disclose such incidents through one or more of the six categories above.

No liability for defamation for basic hyperlinks, says Supreme Court

Stikeman Elliott LLP — Fri, 21 Oct 2011 07:53:50 -0500

David Elder and Lindsay Gwyer -

Bloggers, tweeters, webpage owners and other providers and hosts of internet content can breathe a little easier today following a decision of the Supreme Court of Canada that ruled that merely providing hyperlinks to defamatory content cannot make them liable for defamation.

That said, while the decision provides clear support from the highest court in the land for both free expression and the preservation of the nature and benefits of the internet as whole, it stops short of giving hyperlinkers a “Get Out of Jail Free” card for all uses and presentations of links to defamatory material.

The much-anticipated decision in Crookes v. Newton, 2011 SCC 47concerned a defamation action grounded on the posting by a website operator of two simple hyperlinks to defamatory content located on other sites. The website operator refused to remove the links upon request by the plaintiff, and the plaintiff brought an action in defamation in British Columbia, where he was unsuccessful both at trialand at a subsequent appeal to the B.C. Court of Appeal. At issue before the Supreme Court was the question of whether a simple hyperlink reference to defamatory information could constitute a “publication,” a key element of the tort of libel.

The case had been very closely watched by the internet community, as a negative ruling had the potential to impose an unprecedented chilling effect on the way content is shared online, effectively subverting one of the fundamental underpinnings of the design of the World Wide Web.

While the majority acknowledged in their judgement that the internet is a potentially powerful vehicle for defamatory expression, they also explicitly recognized the indispensability of hyperlinks in facilitating access to online information, and ruled so as to preserve the ability of users to provide basic links to third party content without fearing that they will become legally responsible for that content. The majority likened simple hyperlinks (which merely reference the existence and location of content) to footnotes or references, noting that both are necessarily content-neutral, with the poster having no control over the content to which they refer, and that both require some act on the part of the reader before the content can be accessed. This type of basic link, the Court ruled, does not amount to an expression of meaning and cannot possibly be a publication of defamatory material.

While the decision provides clear immunity for providing simple hyperlinks to defamatory content, the three separate judgements that underlie the decision (either concurring or concurring in the result) leave the door open to potential liability for hyperlinking in other ways and contexts. Moreover, the decision may have significant implications with respect to liability for hyperlinking other types of prohibited or unauthorized content

Beyond the scenario of simple hyperlinking, which the Court found will not attract liability, things get murkier. The majority appears to conclude that for those hyperlinking to third party content, only repetition of the defamatory statement in the link or associated text will attract liability; however, in joint concurring reasons, Chief Justice McLachlan and Justice Fish purported to “clarify” that, notwithstanding the apparent bright line test set out in the majority judgement, defamation would also be possible where the text indicates adoption or endorsement of the hyperlinked content, even if it doesn’t repeat the defamatory statement. In a separate judgement that concurred in the result, Justice Deschamps favoured a more nuanced approach, where content posters would attract liability for defamation if they deliberately make the defamatory information readily available to a third party in a comprehensible form (although the defence of innocent dissemination may still be available). In light of these varying approaches, it will be interesting to see how Canadian courts may deal with hyperlinking liability issues on different facts and in different contexts.

The majority also noted that, in an era of rapidly evolving technologies, it may become necessary to consider in the future the liability that could be attracted by other types of links, which are or may become available, such as embedded or automatic links. (The facts before the Court involved one “shallow” link to a site’s homepage and one “deep” link to a specific page further down in the site’s hierarchy of content).

Finally, while the Crookes decision dealt exclusively with publication in the context of defamation, it may have broader implications for liability for hyperlinking to other types of prohibited or unauthorized content. For example, some commentators have argued that the Court’s interpretation of publication may have implications for the meaning of “publication” or “reproduction” under the Copyright Act.

The approach could also conceivably raise implications for criminal liability. For example, the offence of public incitement of hatred focuses on the act of “communicating statements” in a public place.Bill C-51, introduced in the last session or Parliament, but yet to be reintroduced, following the spring election, included a provision that would have amended the offence to indicate that “communicating” would include “making available,” which, as pointed out by the accompanying Legislative Summary, would include providing a hyperlink to the offending material.

Although the Crookes ruling is an important victory for content posters and internet supporters generally, there are still many aspects of the legal implications of linking to unauthorized or illegal content that remain to be definitively settled in Canadian law.

Fourth time lucky? Government introduces copyright reform bill -- again.

Stikeman Elliott LLP — Mon, 03 Oct 2011 13:01:14 -0500

Alexandra Stockwell and Robert Mysicka -

The Canadian Government is giving copyright reform another try, reintroducing what is essentially the same copyright bill that died last spring with the dissolution of Parliament.

But while the text may be the same, one thing has clearly changed: this time, the ruling Conservatives have a legislative majority, significantly increasing the likelihood that the new bill will actually become law, either in its current form or with amendments introduced at Committee.

Industry Minister Christian Paradis formally tabled Bill C-11, entitled An Act to Amend the Copyright Act, in the House of Commons on September 29, 2011, also holding a press conference to discuss the main features of the bill and the Government’s plans for its passage. During that event, Heritage Minister James Moore stated that Bill C-11 is identical to Bill C-32, the version introduced in June 2010, which died on the order paper when the parliamentary session ended last spring.

That said, the bill apparently won’t stay “identical” for long. The Minster has already indicated that “technical amendments” to the just-introduced Bill are already being contemplated. These will likely be introduced by Government members of the House Committee tasked with studying the new bill.

The new bill represents the fourth time since 2005 that the Government has introduced a bill to implement revisions to the Copyright Act. Potential changes to the Copyright Act have been the focus of intensive discussion and debate between stakeholders for a number of years—although there seems to be little dispute that change is necessary to update the Act, which was last amended before many of the digital technologies that are commonplace today were introduced.

The Government seems intent on swift passage of the bill. Earlier in September, Heritage Minister James Moore indicated that the government wished to resume work on the copyright bill, and noted that groups who had already appeared before the legislative committee studying Bill C-32 would not be invited to re-appear. The Minister noted the huge investment of time that had already gone into Bill C-32 and the urgency to reform the law to keep up with current technology. During the C-11 press conference, the Heritage Minister went so far as to say that he hoped the bill could clear the House of Commons by Christmas, aided by a special committee assembled to focus only on the copyright bill.

Accordingly, while observers might have reasonably speculated that further work on Bill C-11 could also be influenced by the potential outcome of a cluster of copyright cases that were recently granted leave to appeal to the Supreme Court of Canada (one of which will consider the scope of the “fair dealing” exception, a provision that would itself be amended by the new bill), the majority Government’s apparent timeline, even in the face of these pending appeals, would appear to make this unlikely, since the cases would not be heard until December 2011, with the judgements unlikely to be rendered for many months thereafter.

Highlights of Bill C-11 include the following:

Protection of Digital Rights Management (DRM). Also known as “technical protection measures” or, more commonly, as “digital locks”, DRM is built into digital music, DVDs, and other media and technology products to ensure that they are not subject to unauthorized copying. The proposed amendments include anti-circumvention provisions that prohibit the removal or tampering with DRM. Bill C-11 also proposes protection for Rights Management Information (RMI), which is used to identify the rights holders of an original work or to outline restrictions on use of the copyrighted work. The bill would prevent the removal of, or tampering with, RMI.
"Reproduction for private purposes” provisions would allow individual Canadians to make copies of music and other copyrighted material if the original copy is not an infringing copy, the individual legally obtained the original copy other than by borrowing it or renting it, and the individual owns or is authorized to use the medium or device onto which the copy is reproduced (such as a computer, iPod or MP3 player) as long as a digital lock is not picked in making the copy. The reproduction may only be used for private purposes and cannot be given away, sold or rented without first destroying all reproductions of the original copy. In addition, these provisions would not apply if the reproduction is made onto a medium that is governed by the private copying provisions currently found at Part VIII of the Copyright Act, such as CD-Rs.
Education exemptions would make it legal for students at schools and higher learning institutions to download copyrighted information for the purpose of study and research. Schools will also be allowed to transmit materials used in classrooms to students located off-campus to facilitate learning, as long as the material is restricted to students. In addition, teachers and students will be allowed to use copyrighted material in lessons conducted over the Internet. This applies both to teachers and students in a physical classroom and those who may be viewing recordings of the lessons over the Internet at a later time. Teachers will also be allowed to digitally deliver course content to students, subject to fair compensation to copyright owners. The provisions currently found in the Copyright Act allowing parts of a work to be copied for display to students will be amended so that they are technologically neutral.
Time-shifting provisions allow for the making of one recording of communication signals or programs for private purposes. The time-shifting recording must be obtained from a legal source and used only for private purposes. As well, technical protection measures could not be circumvented to make the recording, and the recording cannot be kept “longer than is reasonably necessary in order to listen to or view the program at a more convenient time”.
A “Notice and Notice” regime for Internet Service Providers (ISPs), whereby ISPs, after being notified of infringement allegations by a rights holder, would be obligated to notify the relevant subscriber of the allegations received. ISPs would also be obliged to retain records that would enable the identification of the subscriber allegedly engaged in the infringing activity for a period of six months (or one year, if infringement proceedings are commenced in respect of the claimed infringement within six months of the initial notice from the rights holder). The government has emphasized that this is a more balanced approach and appropriate approach than the “Notice and Take Down” approach taken in some countries such as the United States, or the “Three Strikes” approaches advocated in other jurisdictions, where alleged infringers could be deprived of internet access.
A change to the provisions on statutory damages for non-commercial infringement from a current maximum of $20,000.00 for infringement of each protected work, to a maximum of $5,000.00 in respect of all infringements involved in the proceedings for all works or other subject-matter. Moreover, if a plaintiff elects statutory damages for non-commercial infringements, it will be barred from collecting statutory damages from that defendant for any other non-commercial infringements occurring before the proceeding began, and no other copyright owner may elect statutory damages against that defendant for non-commercial infringements that were done before the initiation of the proceedings in which statutory damages were elected.
Fair dealing exceptions, which permit use of a copyrighted work without permission of the copyright owner, have been expanded to include uses for the purposes of education, parody or satire in addition to the current reference to research or private study. While procedurally, a defendant is required to prove that his or her dealing with a work has been fair, the Supreme Court of Canada has noted that the current fair dealing exception is a user's right, and should not be interpreted restrictively. In Alberta (Minister of Education) v. Canadian Copyright Licensing Agency, one of the cases to be heard by the Supreme Court of Canada in December 2011 (which we wrote about here), the Court will be considering the application of the current fair dealing exceptions to photocopies made in educational institutions. It is unclear how the addition of the word “education” into the fair dealing exception would impact the application of the tariffs considered in that case.
A “Mash-up” exemption, exempting from copyright infringement the use of pre-existing works to create new non-commercial works, defined as “user-generated content”. This exemption is only available, however, if the use of the copyrighted work is done solely for non-commercial purposes, does not have a substantial adverse effect (financial or otherwise) on the exploitation of the existing work (including that the new work isn’t a substitute for the existing one), and a requirement (if it is reasonable in the circumstances) to mention the sources of the works incorporated in the new work.
The amendments make it clear that temporary reproductions for technological processes are not copyright infringements if the reproduction is essential to the technological process, exists only for the duration of that process, and the only purpose of the reproduction is to facilitate a use that isn’t an infringement of copyright. Similarly, the amendments make clear that an Internet service provider who caches a work to make the telecommunication of the work more efficient, does not, by virtue of that act alone, infringe copyright.

The government has characterized Bill C-11 as a “balanced” approach to copyright, and that assessment will likely be critically evaluated and commented on by various stakeholders in the coming months. We will continue to review and monitor the progress of this proposed legislation, and will provide you with further updates as the bill progresses through the legislative process.

Where does copyright law end and broadcasting regulation begin? Supreme Court to hear appeal on "Value for Signal"

Stikeman Elliott LLP — Thu, 29 Sep 2011 15:37:49 -0500

David Elder and Lindsay Gwyer -

The long road for local broadcasters wanting to charge fees to cable and satellite companies for rebroadcasting their signals just got a little longer, as the Supreme Court of Canada has granted leave to hear an appeal a Federal Court of Appeal decision that upheld the ability of the Canadian Radio-television and Telecommunications Commission (CRTC) to establish such a regime.

The “Value for Signal” (VFS) regime was authorized by the CRTC in its 2010 group licensing framework decision, and was intended “to remove unnecessary barriers to the continued viability of private broadcasters and to ensure that broadcasters are able to obtain, through market-based negotiations, fair value of the programming they broadcast.”

However cable and satellite broadcasting distribution undertakings (BDUs) raised questions as to whether the CRTC had the jurisdiction to implement a VFS regime pursuant to the powers and authority granted under the Broadcasting Act. Recognizing the significance of the issue, the CRTC referred the question to the Federal Court of Appeal. As we noted in an earlier post, that Court ruled earlier this year in Reference re the Canadian Radio-television and Telecommunications Commission’s Broadcasting Regulatory Policy CRTC 2010-167 and Broadcasting Order CRTC 2010-168, 2011 FCA 64, that the Act did provide the CRTC with the authority to impose fee for carriage charges on broadcast distribution undertakings (BDUs).

As discussed in detail in our earlier post, one of the key issues that faced the Federal Court of Appeal was whether the right granted under s. 31(2) of the Copyright Act, which gives BDUs the ability to retransmit signals without payment of licence fees, was subject to limitations imposed by the CRTC pursuant to its mandate under the Broadcasting Act. The majority found that it was subject to such limitations, but a dissent from Nadon, J. reasoned that the VFS regime was ultra vires the CRTC because it conflicts with Parliament’s clear intention in the Copyright Act that royalties must be paid only for the retransmission of off-air television signals outside the geographic area in which the signal can be received off-air, not for retransmission within the local broadcasting area. This question will also be at the heart of the arguments to be made before the Supreme Court.

Leave to appeal the Federal Court of Appeal’s decision was sought by some of Canada’s largest cable and satellite BDUs, which have long opposed VFS on the basis such a fee is unnecessary, would have a negative impact on consumers, BDUs and specialty broadcasters, and would be inappropriate in view of the regulatory advantages that local broadcasters receive, such as mandated carriage by BDUs.

For their part, private broadcasters lobbied for many years for the right to negotiate fair local retransmission fees with the BDUs, in order to allow broadcasters to continue to meet Canadian content and service obligations in an era of increasing challenges to the business model for conventional broadcasting.

Citing a lack of evidence that fee for local signal carriage was necessary or beneficial to the broadcasting system, the CRTC rejected the concept in 2007, and again in 2008, before finding, in 2009, that conventional, advertisement-based revenue models were no longer sufficient for local broadcasters operating in increasingly fragmented markets. Following a public hearing in the Fall of 2009 to determine the best method of implementing a new revenue system for private broadcasters, the Commission created the VFS regime that is now under appeal.

It is worth noting, however, that the broadcasting landscape has changed in important ways since the Commission’s decision to allow for VFS.

In this regard, the most recent financial results reported by the CRTC show that for the 2010 broadcast year, revenues for private conventional television grew substantially, putting local TV as a whole back in the black (although just barely). The Commission’s most recent “Convergence Report” suggests that that the declines of 2008 and 2009 should be seen as short-term trends only and that TV advertising will see continued growth in the years ahead. In addition, increased industry consolidation of BDUs and local broadcasters into ownership groups has resulted in some BDUs dropping their opposition to the VFS and aligning with their broadcaster affiliates.

In addition, the terms of 5 of the current CRTC Commissioners are scheduled to end in 2012, including Chairman von Finckenstein, whose term will apparently not be extended. Accordingly, by the time that the Supreme Court rules on the VFS appeal, the CRTC may be a very differently constituted body.

In light of these and other potential developments, beyond the important legal question of the CRTC’s legal authority to mandate a VFS regime, for some there may continue to linger the equally important policy question of the continued appropriateness of VFS against the backdrop of an ever-evolving Canadian broadcasting market.

That's a wrap: BC Supreme Court enforces website terms of use and validates "browse wrap" agreements in Century 21 v Zoocasa

Stikeman Elliott LLP — Tue, 27 Sep 2011 08:48:15 -0500

Amy Hu and Michael D. Smith -

In Century 21 Canada Limited Partnership v Rogers Communications Inc., the BC Supreme Court upheld the validity of the so-called “browse wrap” agreements and awarded damages against Zoocasa and its parent Rogers for Zoocasa’s breach of the Century 21 website terms of use when it pulled listings from the Century 21 website for use on its own real estate listing search engine. The BC court confirmed that industry standard browse wrap agreements (i.e. a website’s posted terms of service) can form valid contracts without being brought to the attention of users or requiring any review/acknowledgement by the user before accessing the website.

The conflict between the parties arose in 2008 when Zoocasa, a search engine and aggregator of real estate listings, began “scraping” images, descriptions, and property details from the Century 21 website and reproducing them on its own site. Century 21 claimed that Zoocasa’s scraping was in breach of the terms of use of its website (the Terms of Use), and made additional claims that Zoocasa had both trespassed and violated Century 21’s copyright over the images and descriptions.

The court found Zoocasa liable for copyright infringement and for breach of contract, and dismissed Zoocasa’s claim that the Terms of Use lacks proper acceptance or consideration, ingredients which make a contract valid. Unlike its shrink wrap and click wrap predecessors, browse wrap agreements such as the Terms of Use lack the “click-through” license (e.g. in click wrap agreements, user acceptance is indicated by clicking on the “yes” or “accept” bottom) or active step taken by the user (e.g. in shrink wrap agreements, users signal their acceptance of software licensing terms by removing the plastic wrap from a software package) which signal the user’s acceptance of the terms of use. Zoocasa argued that there is no proper acceptance for browse wrap agreements and claimed that the terms of use on a website were like a billboard, where the user has no opportunity to accept or reject the terms. The court rejected this analogy, finding that “[t]here is nothing the observer of a billboard does that is capable of indicating consent. The observer merely views the billboard. A user of a website can respond by accessing deeper layers (pages) of the website.”

The court in Century 21 v Zoocasa found there to be proper acceptance in browse wrap agreements where there is continued access of a website by a user with notice of the terms of use, thereby indicating its acceptance of those terms. Century 21 also gave consideration by providing access to the information on its web site. The court specifically noted that Zoocasa is a sophisticated commercial entity who has not only been given notice of the Terms of Use, but who had also relied on similar terms of use on its own website with the knowledge that such terms were the industry standard. Zoocasa’s scraping of the Century 21 website after notice of these terms of use was found to be a breach of its contract with Century 21.

Century 21 was awarded a permanent injunction against Zoocasa preventing further breaches of the Terms of Use, damages of $1,000 for breach of contract, and $32,000 for copyright infringement ($250 per infringement for 128 infringements). While the decision marks an important step in the evolution of browse wrap agreements, the facts of this case were somewhat unique: Zoocasa was a sophisticated internet business which was aware of the terms of use, and the court recognized that those terms were reasonable. Whether the courts will be as willing to find the existence of a contract between a less sophisticated individual, or perhaps in a situation of more egregious terms of use, remains to be seen.

Nothing up in the air about privacy: foreign airline must comply with Canadian law

Stikeman Elliott LLP — Mon, 26 Sep 2011 07:45:47 -0500

David Elder -

When in Rome, do as the Romans do. Similarly, when doing business in Canada, do as Canadian privacy law requires.

That is the lesson learned by a foreign-based airline following a finding by the Office of the Privacy Commissioner (OPC) of Canada that the carrier had violated Canadian privacy law, even though the company operates in compliance with European privacy requirements. The decision further confirms the fact that foreign businesses that operate or provide services in Canada will be subject to all requirements of Canadian privacy law, regardless of the scope of the privacy regimes in their home countries.

In a Report of Findings recently posted by the OPC, Netherlands-based KLM Royal Dutch Airlines (KLM) was found to have breached several provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), including failing to respond in a timely way to a request by a customer for access to records containing personal information; failing to implement practices to ensure that the requirements of the Act; and failure to make available to the public its policies respecting the management of personal information.

In a preliminary report of findings, the OPC had recommended that KLM develop a clear and simple access to information request procedure and ensure that the privacy policy posted on the Canadian version of its website comply with PIPEDA.

KLM took the position that the Dutch Data Protection Authority supervises KLM in the security of personal data under the Dutch Personal Data Protection Act, including requirements respecting transparency and the manner in which access to information requests must be processed. The airline further noted that Dutch law does not require further transparency of policies and practices, and only allows individuals to view their personal information, not to access it. KLM questioned the OPC’s jurisdiction over KLM.

Relying on the Federal Court’s decision in Lawson v. Accusearch Inc., which had earlier found that the OPC had jurisdiction to investigate complaints respecting the collection by foreign organizations of personal information about Canadian residents, the OPC confirmed that it had jurisdiction in the complaint against KLM because there was a real and substantial connection to Canada. In this regard, the OPC noted that:

The complainant seeking access to his personal information was a Canadian resident
KLM offers services in Canada, and has employees at several Canadian airports
KLM operates a Canadian version of its website, which actively targets Canadians, and through which Canadians may reserve flights
KLM operates scheduled non-stop flights to and from Canadian cities (and in fact, the complainant originally booked a KLM flight departing from Toronto);
KLM needs to collect personal information from Canadian passengers to offer air travel to those passengers.

In the circumstances, and in view of judgement in the Accusearch case, the finding of Canadian jurisdiction over the handling of the personal information in question may not be particularly surprising: it was collected from Canadians, in Canada, with respect to a service provided - at least in part - in Canada.

However, many businesses may be surprised that compliance with a European data protection law will not guarantee compliance with Canadian law – despite the fact that the European Data Protection Directive (on which member state privacy laws are based) and PIPEDA were derived from the same set of essential privacy principles, and even though European data protection laws tend to be viewed in some jurisdictions as being particularly stringent.

Although Canadian privacy laws are in broad accord with many international data protection regimes, there are often subtle differences between these foreign laws and Canadian privacy requirements. Accordingly, foreign organization doing business in Canada should not assume that practices and policies that comply with the law of their home country will necessarily suffice when collecting, using and disclosing information in Canada.

Rolling the dice: Alberta court invalidates certain PIPA provisions

Stikeman Elliott LLP — Mon, 19 Sep 2011 11:04:18 -0500

Paul Karvanis and Joel Freudman -

A recent decision by the Court of Queen’s Bench of Alberta to strike down provisions in Alberta’s Personal Information Protection Act (PIPA) could have ramifications nationwide as the offending provisions are mirrored in the federal Personal Information Protection and Electronic Documents Act (PIPEDA). In United Food and Commercial Workers, Local 401 v. Alberta (Information and Privacy Commissioner) the Court declared several narrow exemptions in the Alberta legislation to be unconstitutional.

In 2006, the United Food and Commercial Workers, Local 401 (the Union) set up picket lines around the West Edmonton Mall casino, where some of their members worked. The Union video-taped and photographed the picketing in order to publicize images of certain individuals who had crossed the picket lines. Several of these people complained to the Information and Privacy Commissioner (the Commissioner).

One of the Commissioner’s adjudicators found that the Union, having collected personal information, was therefore subject to PIPA, which applies to all organizations and generally prohibits the collection, use and disclosure of personal information without an individual’s consent. The adjudicator held that the Union had violated PIPA by not obtaining consent to use the images of the individuals passing the picket lines.

The Union appealed to the Court of Queen’s Bench. While conceding that it had collected personal information and used it intentionally, the Union argued that it was exercising its right to freedom of expression and that certain exemptions in PIPA were unconstitutional to the extent the provisions were too narrowly-defined and infringed on its Charter right to freedom of expression.

The Union focused on two exemptions to the application of PIPA, specifically where the information collected, used or disclosed is:

1) “publicly available”; or

2) “for journalistic purposes and for no other purpose”.

The Union argued that recordings of its picket lines should have been exempted from PIPA because any passing individuals could not have had a reasonable expectation of privacy given that they were recorded in public. The Union also argued that the fact that it had an interest in the outcome of the strike (and thus an interest in the collection, use and disclosure of the information beyond simple journalism) should not prevent it from being able to rely on the exemption for journalistic purposes.

The judge held that a narrow definition of “publicly available” information would infringe the Union’s Charter rights by precluding the Union not only from collecting images in a public setting, but by preventing the Union “from describing in words what happens in public” if the information contained personal information.

According to the Court, the complainants in this case had no reasonable expectation of privacy. “They were at not just a public place, but a public demonstration with important political and social implications.” As such, the judge found that there was no rational connection between the goal of the protection of individual privacy and the method of restricting the recording of images at a public demonstration. By way of contrast, she noted that privacy legislation in British Columbia contained exemptions for personal images recorded at voluntarily attended public gatherings (e.g. sporting events).

The judge also found the phrase “and for no other purpose” in the journalistic exemption too restrictive and therefore unconstitutional. Any non-media organization, such as the Union, that engaged in journalism would have some other additional purpose and would never fall within the exception. The judge noted that “the requirement that an organization’s only purpose be journalistic is an extreme, almost draconian, limitation on freedom of the press.”

Unable to read the impugned provisions in a manner consistent with Charter values, or to find any Charter justification for these breaches, the judge quashed the adjudicator’s decision to the extent that it relied on the impugned provisions. She further issued a suspended declaration of invalidity with respect to the “publicly available” exemption, with an immediate carve-out for information gathered at trade union picket lines, and declared the phrase “and for no other purpose” in the journalistic exemption to be invalid.

This decision is especially interesting as PIPEDA contains very similar exemptions for the collection, use and disclosure of personal information: (i) when the information is publicly available, or (ii) when the information is used for journalistic purposes and not for any other purpose.

Supreme Court to hear five appeals concerning copyright tariffs

Stikeman Elliott LLP — Fri, 16 Sep 2011 13:07:31 -0500

David Elder & Robert Mysicka

In an unprecedented cluster of cases focusing on copyright, the Supreme Court of Canada has recently granted leave to appeal in five separate cases involving tariffs approved by the Copyright Board.

The cases, at least four of which will be heard on December 6 and 7, 2011, will consider tariffs dealing with online music, photocopying by teachers for instructional purposes and music in movie soundtracks.

Copies of educational material by schools

The first case concerns a revised tariff, with significantly increased fees for the reproduction of literary, dramatic and artistic works – including books, newspapers and magazines - by primary and secondary educational institutions outside Québec.

At issue in Alberta (Minister of Education) v. Canadian Copyright Licensing Agency (Access Copyright) is the application of the “fair dealing” exception to copyright infringement, found in section 29 of the Copyright Act, which allows copies to be made for research, private study, criticism and review. The Copyright Board found that copies made by instructors for student use were made for the purposes of instruction or non-private study, and therefore did not qualify as fair dealing. The Federal Court of Appeal upheld the Board’s decision.

Leave to appeal was sought by the Ministries of Education for each of the affected provinces, together will all of the Ontario school boards, which contend that a majority of the reproductions purported to be covered by the tariff qualify for the fair dealing exception.

The Court will likely build upon the fair dealing test it developed in a 2004 case dealing with the photocopy service provided to lawyers by the Great Library at Osgoode Hall: CCH Canadian Ltd. v. Law Society of Upper Canada. In that decision, the Court pronounced that the fair dealing exception was a user’s right, and should therefore be given a large and liberal interpretation.

The Court is also likely to consider the application of the educational exemptions found in sections 29.4 to 30 of the Act, which were raised by the Applicants at the Board and at the Federal Court of Appeal -- particularly the exception allowing works to be reproduced for the purpose of a test or examination.

A similar Access Copyright tariff, which proposes significant increases to fees charged to post-secondary educational institutions for photocopied material, has resulted in apparent turmoil in the education community. A number of colleges and universities have reportedly pulled out of the tariff arrangement, resulting in confusion among professors as to copyright liability, and the elimination of some course material.

Communication to the public

Three of these cases to be heard by the Court relate to the Board’s approval of Tariff 22A, a tariff for the communication of musical works over the Internet. The tariff, originally filed in 1996, has already been the subject of several preliminary proceedings relating to jurisdiction, including judicial review by the Federal Court of Appeal and an earlier appeal to the Supreme Court of Canada.

In two of the Tariff 22A appeals, the Court will examine whether the streaming or downloading of copyrighted content, through distinct point to point transmissions of individual files to consumers, constitute communication “to the public” and thus fall within the scope of copyright protection afforded by section 3(1)(f) of the Act, such that a tariffed royalty is payable.

The first case, Rogers Communications Inc. et al. v. Society of Composers, Authors and Music Publishers of Canada, dealt with the approval of a tariff that imposed copyright liability for transmission of musical works by a range of “telecommunications services”, including websites providing music downloads and streaming and the Internet Service Providers who provide access to the Internet. The second case, Entertainment Software Assn. v. Society of Composers, Authors and Music Publishers of Canada concerned liability for similar transmission of video games which contain background music.

The Federal Court of Appeal dismissed these applications, finding that a communication is “to the public” when the communicator intends the communication to be received by the public. The number of persons who actually receive the communication was not considered to be relevant.

In the Entertainment Software case, the court below also rejected the Applicant’s argument that a de minimis rule exists preventing the imposition of a tariff in a situation where a musical work constitutes only a marginal component of a particular video game, finding that the download of a video game which includes music is a communication to the public within the meaning of section 3(1)(f) of the Act and is thus subject to a tariff.

Previews

Another of the cases stemming from the Tariff 22A decision concerns whether the tariff that would require the payment of royalties with respect to online music previews, which consist of short extracts of musical works provided to assist consumers in deciding to purchase the works in question.

In Society of Composers, Authors and Music Publishers of Canada v. Bell Canada, copyright collective SOCAN sought judicial review of the Board’s refusal to certify a tariff for previews. The Board had concluded that users listening to previews were entitled to avail themselves of the fair dealing exception, as are those that make such previews available to users, as listening to the previews constituted research of a purchasing decision. In doing so, the Board applied another aspect of the earlier ruling in CCH, where the Supreme Court noted that research was not limited to non-commercial or private contexts. The Federal Court of Appeal upheld the Board’s decision, and SOCAN sought leave to appeal to the Supreme Court.

Sound recordings in soundtracks

Finally, and most recently, the Supreme Court granted leave to hear the appeal of Re: Sound v. Motion Picture Theatre Associations of Canada, which concerns whether a tariff can be imposed for the communication to the public through telecommunication of a sound recording, where the recording is part of a soundtrack that accompanies a motion picture or a television program being communicated to the public by telecommunication.

The Copyright Board refused to approve such a tariff, noting that the Act defines “sound recording” so as to exclude “any soundtrack of a cinematographic work where it accompanies the cinematographic work.” Section 17 provides that where a performer authorizes the inclusion of a musical performance in a cinematographic work, they may no longer exercise their rights with respect to communication to the public by telecommunication, although they may contract separately to obtain royalties for such telecommunication from the studio with the rights to the cinematographic work.

On appeal to the Federal Court of Appeal, the applicant performance right copyright collective, Re: Sound, sought to draw a distinction between a “soundtrack” and its component parts, however the Court rejected the argument, finding that there was no legal basis for the tariffs proposed by Re: Sound since its interpretation of soundtrack would require adding words to the definition of “sound recording” found in the Act.

Conclusion

The Supreme Court’s review of these key provisions in the existing Copyright Act will be timely given the federal government’s recent announcement that it would be reintroducing Bill C-32, An Act to Amend the Copyright Act. The Bill, which died upon Parliament’s dissolution in March of this year, contains important new prohibitions on the circumvention of “digital locks” as well as reforms of the fair dealing provisions found in the Copyright Act. The proposed fair dealing reforms, which would include new explicit exceptions for “education, parody or satire,” were explicitly referenced by the Federal Court of Appeal in the Access Copyright case.

Copyright owners, users and commentators will be watching both Parliament and the Supreme Court in the coming months, as the potential for significant reform of Canada’s copyright framework looms on the immediate horizon.

PIPEDA for the Practice of Law

Stikeman Elliott LLP — Thu, 08 Sep 2011 09:01:43 -0500

The Canadian Privacy Commissioner released guidelines for lawyers seeking to understand the Personal Information Protection and Electronic Documents Act (PIPEDA) at the Canadian Bar Association convention on August 16, 2011. Entitled “PIPEDA and Your Practice: A Privacy Handbook for Lawyers”, it provides an overview of PIPEDA requirements as they apply to lawyers and law firms in private practice as well as corporate counsel.

Whereas lawyers already must keep client information confidential, PIPEDA introduced additional requirements that are highlighted in the handbook. For example, conducting a credit check on a potential client requires prior informed consent, and the Commissioner recommends similarly obtaining informed consent for all information collected for litigation purposes (despite this latter point still not clear in the case law). Also, at a client’s request, information about the client must be provided within 30 days at no charge, and irrespective of whether or not a solicitor’s lien exists.

The Commissioner can make non-binding recommendations either following a complaint or on its own initiative, and the complainant or Commissioner may subsequently proceed to Federal Court for enforcement. The Commissioner’s website offers lawyers a Self-Assessment Tool to promote compliance with PIPEDA.

Federal Court muddies the waters on privacy damages

Stikeman Elliott LLP — Fri, 26 Aug 2011 08:14:54 -0500

David Elder -

In a problematic judgement, the Federal Court of Canada has awarded damages against a bank for the wrongful disclosure by one of its employees of account information in response to a subpoena.

This is only the second case in which the Court has awarded damages for non-compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA); and like the first damage award under the statute, the amount awarded was minimal. The case is also perplexing, because it seems to contradict the reasoning in an earlier decision by the same court, which established that to be eligible for an award of damages, the alleged injury must result directly from a breach of the Act.

In the case of Landry v. Royal Bank of Canada, the husband in a divorce proceeding sent a subpoena duces tecum1 to the bank, ordering one of the bank’s employees to appear before the court and bring certain records concerning the account records of his wife. In violation of the bank’s own policy, which requires the consent of the account holder before account information can be released to a third party, an employee of the bank disclosed the records in question directly to counsel for the husband.

Not surprisingly, the Court readily found that the disclosure was in breach of the bank’s obligations under PIPEDA. What was surprising was that any damages at all were awarded on the facts of the case.

In this regard, the record revealed that the applicant wife had, in the last years of her marriage, opened a bank account without her husband’s knowledge and built a nest egg. In the divorce proceeding, she concealed the existence of the account in question from both her husband and the court, despite a clear legal obligation to make a full and honest disclosure of assets and despite being asked repeatedly under oath about the existence of such an account. As a result of the subpoena, the account records were properly provided by the bank to the divorce court, which later placed the information on the public record and took it into account in rendering judgement. The divorce judgement itself made pointed reference to the applicant’s secretive behaviour and denials under oath.

In her pleadings, the applicant had claimed that the bank’s disclosure had done great harm to her personal life, and that she now had problems with her family and friends “as a result of the conduct of her ex-husband, who was using certain passages of the divorce judgement to harm her reputation.”

In earlier cases, the Court seemed to have established the principles that damage awards under PIPEDA should only be made “in the most egregious situations” and that to be eligible for an award from the court, the applicant would have to establish damages flowing directly from the privacy breach itself, rather than from some concealed behaviour that only came to light through the privacy breach.

For example, in the case of Stevens v. SNF Maritime Metal Inc., the Court found that the applicant’s claim for damages flowed from the loss of his employment, and implicitly, that the employment had been lost due to a fraud he committed against his employer. Although the Court found that, although the fraud may not have come to light except through the privacy breach of a third party, it was the fraud itself, and not the disclosure thereof, that gave rise to the damages.

By contrast, in Landry, the Court seems to have taken the opposite approach. Despite the Court’s explicit acknowledgement that the bank had acted properly in filing the applicant’s account information with the divorce court pursuant to the subpoena, and its implicit finding that the alleged damages stemmed from public dissemination of the resulting divorce judgement by the husband, the Court nevertheless awarded damages – albeit minimal damages -- to the Applicant, noting that the bank’s error remained serious, even when these factors were taken into account.

Although the applicant sought damages totalling $100,000, including $25,000 in exemplary damages, she was awarded only a token $ 4,500. Although she was also awarded her costs, plus interest, the resulting damage award likely pales in comparison to the amount that the applicant would have incurred in legal fees, which would not be covered by the cost award.

While the Landry decision shows that the court may not been entirely consistent in its approach to damage awards under PIPEDA, one thing seems certain: litigants are unlikely to receive any substantial damage awards under the statute unless they can demonstrate significant, tangible losses.

[1] A subpoena duces tecum is a court summons ordering a named party to appear before the court and bring with them specified documents or other tangible evidence for use by the court; however, it does not require that the evidentiary material in question be provided at that time to the party requesting the subpoena; rather, it contemplates that during the proceedings, the court will determine whether the material in question should be disclosed, weighing such factors as the right to privacy and the existence of privilege.