“There may be no greater area of confusion and misunderstanding than fear of the PATRIOT Act” – Ontario Information and Privacy Commissioner

Cloud computing and data outsourcing has been embraced by many Canadian companies. In a recent poll, the adoption rate of cloud-based services by Canadian businesses experienced one of the highest year-over-year increases. Data security and concerns over personal information and privacy remain one of the biggest barriers to adoption.

One of the most common concerns raised by businesses who are considering cloud computing is the law known as Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (“PATRIOT Act”). There has been much discussion and some misinformation regarding the PATRIOT Act. For those unfamiliar with the topic, the central concern is that U.S. government authorities may use the provisions of the PATRIOT Act to access the personal information of Canadians where that information is stored in the United States, particularly in the context of outsourcing or cloud-computing.

Overall, a review of recent decisions in Canada shows that these concerns are overstated in light of the risks, and that for private sector businesses there are no prohibitions on outsourcing to the United States in light of the PATRIOT Act, provided (1) reasonable safeguards are built into the outsource contract (including confidentiality, use-restrictions, security, and provisions to meet monitoring and audit requirements), and (2) customers are notified in a clear way when their personal information will be stored or handled outside Canada. It is important to remember that the confidentiality and use-restrictions imposed on the service provider must be tied to the purposes to which the customers originally consented.

“Transparency and security” are watchwords for Canadian businesses considering the cloud.

Industry-specific regulations or guidelines, such as those found in the Insurance Companies Act and the OSFI guidelines applicable to banks and other financial institutions, place certain controls on outsourcing but do not specifically prohibit outsourcing or data-storage outside of Canada.  Canadian laws, as well as the PATRIOT Act and OSFI Guidelines are reviewed below.

1.         Federal Private Sector Legislation

The Personal Information Protection and Electronic Documents Act, (PIPEDA) governs federally-regulated entities, such as insurance companies. PIPEDA is also the default private-sector privacy legislation for provinces which have not passed “substantially similar” privacy legislation. To date, only Alberta, B.C. and Quebec have passed general private-sector privacy legislation that has been deemed “substantially similar” to PIPEDA.

PIPEDA governs the handling of personal information by private businesses such as insurance companies in the course of commercial activities. PIPEDA does not prohibit outsourcing of personal information to the U.S.  In fact, there is a clear decision of the Canadian Privacy Commissioner that PIPEDA does not prevent federally-regulated entities from outsourcing personal information data handling or data processing to the U.S.

2.         Provincial Privacy Legislation

There are multiple layers of regulation at the provincial level, for the public sector, private sector and for personal health information. Let’s have a look at the Alberta law. With respect to outsourcing, under the Alberta Personal Information Protection Act (PIPA) (sections 13 and 13.1), a service provider must notify consumers when personal information is stored by a service provider outside Canada. This includes a notification of the position or title of a person who is able to answer the consumer’s questions about the collection, use, disclosure or storage of personal information by the service providers outside Canada.  This is considered prudent practice for any private-sector organization engaging in outsourcing personal information to U.S. service providers.

Other than these notice requirements relating to storage of personal information outside Canada, there is no prohibition on outsourcing or data processing in the U.S. in private-sector privacy laws.

3.         USA PATRIOT Act

Regarding the PATRIOT Act, the Privacy Commissioner of Canada has stated that: “.. there is a comparable legal risk that the personal information of Canadians held by any organization and its service provider — be it Canadian or American — can be obtained by government agencies, whether through the provisions of U.S. law or Canadian law.” The Ontario Information and Privacy Commissioner has gone further and stated: “There may be no greater area of confusion and misunderstanding than fear of the PATRIOT Act. The PATRIOT Act has invoked unprecedented levels of apprehension and consternation – far more than I believe is warranted.”

The PATRIOT Act has been in effect for over 10 years, and during this time the Government of Canada states that there have been no instances where the personal information of a Canadian has been accessed under the PATRIOT Act.

Some public sector laws in B.C., Nova Scotia and Quebec require public bodies to ensure that personal information is stored only in Canada. For example, in B.C. public bodies and their service providers are obliged to notify the government if the public body receives “a foreign demand” for personal information. This is designed specifically to address PATRIOT Act concerns.

In Alberta, the public sector Freedom of Information and Protection of Privacy Act, permits a public body to disclose in response to a “subpoena, warrant or order” issued by a court, as long as the court has “jurisdiction in Alberta.” While no prohibition on outsourcing to the U.S. is explicitly built into the Alberta law, this provision is intended to ensure that the public body is constrained in its ability to disclose to a court of a foreign (U.S.) jurisdiction. Once again, it should be noted that this is public sector legislation.

Several privacy commissioner decisions have directly considered the issues raised by the PATRIOT Act in the context of Canadian public and private sector privacy laws.

• In a 2005 decision, the Privacy Commissioner of Canada decided that PIPEDA does not prohibit the use of foreign-based third-party service providers, but it does oblige Canadian-based organizations to have provisions in place, when using third-party service providers, to ensure a comparable level of protection (including guarantees of confidentiality and security of personal information). The Commissioner’s decision was also clear that, at the very least, a company in Canada that outsources information processing to the U.S. should notify its customers that the information may be available to the U.S. government or its agencies under a lawful order made in that country.
• Again in 2006 and 2008, the Privacy Commissioner of Canada decided that data handling in the U.S., which exposed the personal information to potential PATRIOT Act concerns, did not offend PIPEDA since the Canadian company had implemented comprehensive strategy and techniques to safeguard the personal information.   
• Most recently, a June 2012 decision of the Information and Privacy Commissioner of Ontario reviewed a complaint about PATRIOT Act concerns with the outsourcing of personal information to the U.S. by an Ontario public body (the Ministry of Natural Resources). The Commissioner decided that the Ministry’s collection, use and disclosure of personal information for the purpose of administering the Ministry’s hunting and fishing licensing program was in compliance with the Act.

All of these decisions point to the need for transparency and openness when dealing with customers, to ensure that they are made aware in cases where personal information handling, processing or storage may or will be outsourced to the U.S. Secondly, the service or outsourcing agreement must contain contractual protections ensuring confidentiality, security and compliance with privacy laws, so that service provider provides a comparable level of protection for the personal information.

4.         OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes

OSFI’s Guideline B-10  describes requirements for federally-regulated entities (FREs), such as banks, financial institutions and insurance companies, when engaging in outsourcing. These are the guidelines relevant to the issue of outsourcing to foreign jurisdictions. Generally, these guidelines mandate appropriate security and data confidentiality protections.   

Guideline 7.1.1(j) (“Confidentiality, Security and Separation of Property”) says: “At a minimum, the contract or outsourcing agreement is expected to set out the FRE’s requirements for confidentiality and security. Ideally, the security and confidentiality policies adopted by the service provider would be commensurate with those of the FRE and should meet a reasonable standard in the circumstances. The contract or outsourcing agreement should address which party has responsibility for protection mechanisms, the scope of the information to be protected, the powers of each party to change security procedures and requirements, which party may be liable for any losses that might result from a security breach, and notification requirements if there is a breach of security.”

OSFI also expects “appropriate security and data confidentiality protections to be in place. The service provider is expected to be able to logically isolate the FRE’s data, records, and items in process from those of other clients at all times, including under adverse conditions.”

In Guideline 7.2.2 (“Location of Records”) OSFI indicates that: “In accordance with the federal financial institutions legislation, certain records of entities carrying on business in Canada should be maintained in Canada. In addition, the FRE is expected to ensure that OSFI can access in Canada any records necessary to enable OSFI to fulfill its mandate.” This is intended to cover information such as accounting records, incorporation documents, corporate by-laws, rather than personal information.

Guideline 7.2.4 (“Outsourcing in Foreign Jurisdictions”) indicates the following: “When the material outsourcing arrangement results in services being provided in a foreign jurisdiction, the FRE’s risk management program should be enhanced to address any additional concerns linked to the economic and political environment, technological sophistication, and the legal and regulatory risk profile of the foreign jurisdiction(s).”

Once again, this speaks to the need for enhanced attention to security rather than any outright prohibition on outsourcing to the U.S.

5.         Breaches in Alberta

The Alberta Privacy Commissioner’s 2012 Breach Report shows that a majority (64%) of the 63 reported cases meeting the real risk of significant harm threshold involved human error or lost or stolen unencrypted electronic devices:

• 22 breaches (35%) were caused by human error. These incidents included inappropriate disposal of personal information, misdirected emails or faxes, loss of files and portable media, and unauthorized disclosure of passwords. The most common form of human error was mail and courier errors caused by delivery to the wrong recipient. 
• 18 breaches (29%) were caused by theft, such as office and car break-ins. 
• 14 breaches (22%) were caused by electronic system compromises, typically through targeted attacks by external hackers.
• 9 breaches (14%) were caused by a failure to adequately control access to electronic or paper files.

None of the cases involved a disclosure or breach through the PATRIOT Act. And it should be noted that hackers can access records on both Canadian and U.S. servers, so in that sense no additional risk is associated with outsourcing to the U.S.

Conclusion

Many concerns have been raised about the reach of the PATRIOT Act. It should be remembered that Canadian government authorities have similar powers to access personal information in the course of investigations, and to respond to requests by their allies, such as the U.S. in investigations.

This review of recent decisions in Canada demonstrates that private sector businesses are not prohibited from outsourcing to the United States in light of the PATRIOT Act. However, Canadian companies are well advised to implement reasonable safeguards and build these safeguards into the outsource contract. Secondly, customers should be notified in a clear way when their personal information will be stored or handled outside Canada.

Calgary – 07:00

 

My article Click and Copy: Breach of Online License Agreements and Copyright Infringement was published in Canadian Intellectual Property Review in December.  The enforceability of click-through licenses for online software-based services is critical within the information technology industry. Software vendors and cloud-computing service providers require certainty that the licence terms governing these products will be enforceable.

In other words, vendors require certainty that, if there is a breach by a user, the law will provide a remedy, under the law of either contract or copyright, or both. When does a breach of a licence or breach of online terms of use constitute not only a contractual breach but also an infringement of copyright in the software?

The outcome of this question affects whether a vendor or provider would be able to access the infringement remedies under part IV of the Copyright Act, including injunction, damages, accounts, delivery up, and statutory damages. By reviewing some of the recent case law in this area, this article examines the intersection of copyright and contract law in the context of click-through software licences and online terms of use, specifically when a breach of such terms constitutes copyright infringement, giving rise to remedies under the Copyright Act, and when a breach is merely a breach, giving rise to remedies and potential damage awards under contract law.

Calgary – 07:00 MST

 

–

Several recent stories have highlighted the concerns over personal information, privacy and the reach of mobile apps.  Once again, the law is labouring to keep up with technology.

• So-called Cyber-Stalking Apps provide the means to track the location of a phone through an app that is not visible or easily detectable by the phone’s owner. The cloaked app resides on the phone and essentially reports back to the person who installed the app on the user’s whereabouts. In the US, a proposed law has been drafted to make such apps illegal (The Location Protection Privacy Act). This draft legislation moved out of committee and may become law in 2013.
• A number of mobile apps have been criticized for collecting personal information about kids, and selling that info without parents’ consent. To tackle these problems associated with mobile apps directed at children, privacy advocates have been pushing for changes to the rules under COPPA (Children’s Online Privacy Protection Act). The US Federal Trade Commission (FTC) amended the Children’s Online Privacy Protection Rule in December 2012. The Rule now applies to mobile apps and web-based text messaging programs, and requires app developers to get permission from parents before collecting a child’s photographs, videos and geolocational information. The amended Rules will become effective on July 1, 2013.
• It is worth noting that these are both developments under US law.  In Canada, app developers who target children’s personal information would be caught by Canada’s broad private-sector privacy laws, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, or one of the provincial-level privacy laws, such as the Personal Information Protection Act in Alberta.  Cloaked “cyber-stalking” apps could constitute an invasion of privacy  contrary to Canadian law. However, that would apply to the person who surreptitiously loaded the stalking app, rather than the app developer.

App developers: Make sure you get advice on a properly-drafted privacy policy, terms of use or end-user license, and that you understand the implications of privacy laws when launching mobile apps.

Calgary – 07:00 MST

Update: January 29, 2013: see comment below regarding WhatsApp privacy issues.

–

Infringement! Litigation! Legislation! There is never a dull moment in the wonderful world of intellectual property law, and 2013 will be no exception. Here’s our list of what to watch in the coming year:

Copyright. If you keep making the same predictions year after year, eventually one of them will come true, right? For the last several years, we predicted that copyright reform would finally come to Canada. 2012 did not disappoint as the year of copyright, with the release of five SCC decisions and the passing of the copyright modernization legislation that had been long awaited.  We expect that 2013 will provide some opportunities to test the new law in court.

Anti-Spam. As with copyright, many have predicted that Canada’s “new” anti-spam law would come into effect for several years. Yes, Parliament passed the Fighting Internet and Wireless Spam Act and it did receive royal assent way back in December, 2010. However, Canada’s anti-spam legislation is still not in force. Industry Canada released draft revised anti-spam regulations last week, and it would be surprising if we didn’t see final regulations in the first half of 2013.

App Law. We predicted in 2011 that app law would develop as regulations and laws fight to keep pace with the explosion of the app economy which is expanding in both business and personal life, along with cloud computing. 2012 provided a number of important developments in app law, mostly in the US. 2013 should continue to provide clarity in this growing area of law.

Apple and Samsung. The litigation that brought patent infringement back into the public consciousness like no case since RIM vs NTP may be resolved in 2013. Even Judge Koh has made a plea for “global peace.”

Calgary – 13:00 MST

–

US companies seeking to enforce intellectual property rights against Canadians face certain challenges. First, a US company would commence a lawsuit in a US court, and must serve the Canadian person or entity in Canada. A US plaintiff would serve a Canadian under the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters (known as the “Hague Convention”). Under this Convention, there is a Central Authority designated federally and for each province and territory. In Alberta, this is done through Alberta Justice, Office of the Sheriff (Civil Enforcement) in Edmonton or Calgary. The normal procedure for service in Canada is personal service, and in Alberta this is through a “process server”. Once served, the Canadian then has to decide whether to respond to the US lawsuit.

In some case, the Canadian decides to ignore the US lawsuit. This happened in Blizzard v. Simpson, 2012 ONSC 4312 (CanLII), where Blizzard Entertainment sued Michael Simpson, a developer who was alleged to have authored and sold a “maphack” for Blizzard’s popular multiplayer game known as StarCraft II – Wings of Liberty. Mr. Simpson was served in Canada but failed to file any defence to the California lawsuit. As a result, Blizzard took default judgement in which Mr. Simpson was ordered to pay statutory damages of $150,000 legal fees and costs of $45,000. A permanent injunction was also ordered to prevent further infringement of Blizzard’s StarCraft II copyright or violation of the StarCraft II End User License Agreement (“EULA”) and Battle.net terms of use (“TOU”), among other things.

Blizzard then came to Canada to enforce their US judgement against Mr. Simpson. This required a second lawsuit (in Ontario, where Mr. Simpson resided). A Canadian court assesses the jurisdiction of the original court (by applying Canadian conflict of laws rules), and verifies that there are no defences of fraud, breach of natural justice, or public policy, which would cause the Canadian court to refuse to enforce the US judgement.

In this case, Mr. Simpson elected to defend the lawsuit in Canada. But by that time it was too late, since the court was not considering the merits of the copyright infringement case, but rather was reviewing the enforcement of a foreign judgement that had already been granted. Mr. Simpson attempted a novel defence by alleging that it was Blizzard who breached the terms of Mr. Simpson’s own website (terms that prohibited access by employees or lawyers of Blizzard). The court found this argument “untenable”, and concluded by entering the California judgement as a judgement of the Ontario court.

It is worth noting that defences to the copyright infringement claim may have been available in the California lawsuit - it is clear in both Canadian and US law that a breach of the terms of use does not (by itself) infringe copyright. It is not clear whether any copyright infringement actually occurred, but Blizzard won that argument by default.

Related Reading: Apps, Bots and Workarounds

Lessons for Canadian business: don’t ignore US lawsuits!

Calgary – 07:00 MST

We recently flagged the regulatory risks faced by app developers in Canada and the US. China also presents certain unique challenges for app developers (and Apple itself), as shown by these examples:

• The Encyclopedia of China Publishing House successfully sued Apple Inc for copyright infringement arising out of a Chinese encyclopedia app for iPhone and iPad. A court in Beijing reportedly ordered Apple to pay $80,250 in compensation to the publisher, whose work was allegedly copied by the app developer;
• Apple has also reportedly faced patent infringement allegations in China over its FaceTime app. A Taiwanese inventor claims that the app violates his patent rights in an earlier invention.
• Siri is not exactly an app, but recent complaints about Siri in China illustrate the public relations risks associated with apps in China. Concerns have been raised about Siri providing links to “prostitution places”…. as though a person couldn’t search and find offensive materials on a iPhone or iPad without the aid of Siri. Technology permits people to access all sorts of unsavoury sites online, but these complaints suggest that Siri should engage in some self-censorship to avoid offending users who ask it to search for offensive material.
• This recent article highlights the trade-mark issues for Windows 8 app developers whose popular Windows 7 app names are being reserved by others in China, forcing them to negotiate with the squatters or go through the lengthy process of obtaining registered trade-mark rights in China. Microsoft is reportedly working on a policy to address app name disputes.

The usual array of issues faces app developers in China – including potential trade-mark, copyright and patent disputes. App developers are advised to get advice if their apps are to be directed to the Chinese market.

Calgary – 07:00

Canadian app developers must take care to avoid sanction from regulators both in Canada and in other countries – particularly in the U.S. – when launching apps.

California’s Attorney General recently began notifying  dozens of app developers that they run afoul of the California Online Privacy Protection Act by failing to post their privacy policies. Developers were given 30 days to comply or face fines of up to $2,500 for each download of a non-compliant app. In Canada, federal and provincial privacy laws also mandate the disclosure of privacy policies and the use of a privacy officer, though the legislation is broadly applicable to the private sector and is not targetted specifically at mobile app developers.

Today the Washington Post ran a story about the FTC’s crack down on apps that make “flimsy” claims  about the health effects of certain apps which claim to cure various ills through cellphone sound, light from the screen, or phone vibrations. Some app developers have been hit with fines (see related article below). The FDA is reportedly preparing draft regulations to regulate health claims made in mobile apps.

In Canada, another app developer faced the ire of the CRTC  (the Canadian Radio-television and Telecommunications Commission, Canada’s telecommunications regulator). The CRTC’s objection to the TrapCall mobile app was apparently based on privacy concerns and the protection of subscriber data, though it is likely prompted by pressure from telecos. TrapCall circumvents the paid call-blocking products offered by telcos, and disrupts a revenue stream – after all, who will pay for call-blocking if ubiquitous mobile apps can unblock calls? But it reflects a wider issue regarding technological innovation in the mobile app space that is colliding with established industry practices and (at times) an outdated regulatory environment.

Lessons for app developers?

• We’ve said it before: Get advice on privacy before you launch your app.
• Ensure that your claims do not offend regulatory requirements in the countries where your customers reside – whether the requirements are health related, safety regulations, or other advertising /marketing regulations.
• Well-drafted end-user license agreements (EULAs), privacy policies or terms of use can assist in mitigating risk in this area.

Related Reading: When an iPhone App Makes False Claims

Update: Dec. 3: This is another example of regulatory problems, this time for Uber, a popular, well-financed taxi-summoning app.

Calgary – 07:00 MST

–

Copying and selling counterfeit software can be a risky proposition if Microsoft, Adobe and Rosetta Stone team up against you.

A Toronto man sold pirated software on Kijiji and Craigslist and three software vendors combined forces to sue him for copyright infringement by way of summary judgment, a truncated procedure that avoids the need for a full trial. Last month, the Canadian Federal Court found that the man’s conduct was “on the negative side” of “outrageous” and “highly unreasonable”. This conduct added $105,000 to the overall damage award of $445,000 for copyright infringement, made up of statutory damages, punitive damages, costs, plus pre- and post-judgment interest. A few interesting points about this decision:

1. Statutory damages under the Copyright Act range from $500 to $20,000. Here, the judge awarded maximum statutory damages of $20,000 per infringed work.
2. The court reviewed when punitive damages are appropriate: “when a party’s conduct has been malicious, oppressive and high-handed, offends the court’s sense of decency, and represents a marked departure from ordinary standards of decent behaviour”. In this case, the court was convinced that a significant punitive damage award was warranted.

The case is: Adobe Systems Inc. et al v. Dale Thompson dba Appletree Solutions 2012 FC 1219.

Calgary – 07:00 MDT

–

“Great Fun” is a service offered by a company called Trilegiant. Trilegiant offers certain discounts to Great Fun members based on a monthly membership fee. Problem is, some members didn’t realize they were members until they saw the membership fee on their credit card statement. In Schnabel v. Trilegiant Corporation & Affinion, Inc. , Court of Appeals, 2nd Circuit (September 2012), the court considered whether terms could be considered enforceable if the terms were sent by email after the formation of the online contract.

In this case, there were online terms in the sign-up page, but for a variety of reasons, Trilegiant couldn’t rely on these terms, and was obliged to argue that the emailed terms were binding. Trilegiant asserted that the members assented to an arbitration clause by signing up, and receiving the emailed terms at a later date, and then failing to cancel their membership during the “free trial period”. The Second Ciruit Court of Appeals took a dim view of this approach. In the U.S., a consumer may receive “actual notice” of the online terms, or “inquiry notice”. “Inquiry notice” occurs when the consumer has actual notice of circumstances where a prudent person would be on guard to the existence of terms. It’s a stretch, but can still result in enforceable terms. The court concluded that neither “actual notice” nor “inquiry notice” were provided by means of the emailed terms. The court concluded:

“We do not think that an unsolicited email from an online consumer business puts recipients on inquiry notice of the terms enclosed in that email and those terms’ relationship to a service in which the recipients had already enrolled, and that a failure to act affirmatively to cancel the membership will, alone, constitute assent.”

Lessons for business? Get advice on your online terms and sign-up process for any online contracting: including cloud-computing contracts, software-as-a-service, online products sales, license agreements and terms-of-use.

Related Reading:

• Facebook App: Dispute Resolution Terms Upheld

• Changing Online Terms Midstream

Calgary – 07:00

–

You may recall the announcement that new domains are coming - everything from .AAA to .ZULU. These proposed domains  are inching their way through the ICANN process. We have been monitoring the implementation of new gTLDs and note that the period for filing formal objections against a newly applied-for gTLD began on June 13, 2012 and is scheduled to run until January 2013. If you are interested in filing an objection against a proposed new top-level domain, you should contact trade-mark counsel right away.

Comments are also being solicited on the draft version of the Trademark Clearinghouse Requirements.

See: Reveal Day for New Top-Level-Domains

Calgary – 07:00 MDT

–

In a Facebook app called “SuperPoke! Pets”, players adopted virtual pets and acquired or purchased virtual currency to buy things for their virtual pets. As one of the first Facebook apps, the game took off in popularity after its launch in 2008. The game was acquired by Google in 2010, but was eventually discontinued at the end of 2011, leaving users without access to their accumulated virtual pets, currency and pet accessories. Users attempted a class-action suit against Google for “elimination of users’ money, goods and property.”

Google defended the class action by citing the dispute resolution clause, which compelled arbitration. In Abreu v. Slide, Inc., 12 0042 WHA (N.D. Cal.; July 12, 2012), the court confirmed that for an arbitration clause to be unenforceable, it must be both “procedurally” and “substantively” unconscionable. Essentially this means that an unenforceable clause would be oppressive due to unequal bargaining power between the parties, or would lead to “overly harsh or one-sided results.” As the court phrased it, the clause must be so one-sided as to “shock the conscience.”

In this case, the clause was upheld, and the dispute was sent to arbitration to be resolved.

Lessons for business?

• When drafting online terms, ensure you get advice on the dispute resolution options.
• An app developer or game publisher may be tempted to stack the “Terms of Use” in their favour, but these terms must be balanced. The inclusion of harsh or shocking terms in the fine-print may put the entire agreement at risk of being declared invalid and unenforceable by the courts.

Calgary – 07:00 MDT

–

Last week, the ruling in Apple’s patent infringement lawsuit was released. Once upon a time the public was captivated by things like sensational celebrity trials. Now we have live-blogging of patent infringement verdicts. Oh, for simpler times!

In case you missed it, in a landmark decision that is certain to be appealed, Samsung was ordered to pay damages of over $1 billion for multiple infringements of Apple’s design and utility patents for smartphones and tablets. The infringement ruling covers trade-dress, design patents and utility patents including user-interface functions such as the now familiar pinch-and-zoom gesture, and the “rubberbanding” effect at screen margins.

What does this ruling mean? Here are a few thoughts:

• Experts have estimated that the average smartphone relies on 250,000 patented technologies that are in-licensed from various device and technology manufacturers around the world. While many patents are at issue in this lawsuit, Apple’s ‘915 patent (Patent No. US 7,844,915, Filing date: 7 Jan 2007)  for pinch-and-zoom and related scrolling gestures was central to Apple’s infringement claims. Pinch-and-zoom has become such an intuitive gesture that I’ve seen kids try and perform it on the screens of portable DVD players and seat-back TVs. This particular ruling will impact smartphone and tablet makers who rely on Android. But it’s important to remember that this is not an appeal-level decision, nor does it extend beyond the US, so time will tell how other smartphone makers respond in Canada or globally.
• The Android operating system would not offend Apple’s design and trade-dress rights (which cover the shape or appearance of the hardware), and Android has designed around the rubberbanding effect, so Android would not offend those claims of Apple’s patents. However, there is no doubt that Android smartphones and tablets all use pinch-and-zoom. The options are for Android (read: Google) to take a license from Apple, or design around with some alternate gesture. Invalidating the ‘915 patent would be another logical avenue. However, if that tactic had a good chance of success, Samsung would have succeeded by now.
• The jury form was so complex (have a look for yourself: Jury Form , courtesy of Groklaw) that observers were surprised at how quickly the jury returned a verdict. The jury’s findings and instructions will very likely be the subject of the appeal process.
• For a patent-by-patent, device-by-device breakdown of the verdict in this case, see this excellent review (courtesy of NDTV).
• Interestingly, the jury found that Samsung’s devices did NOT infringe Apple’s ‘889 design patent (see our earlier post: Apple and Samsung: The Design Patent Wars Continue).

Calgary – 07:00 MDT
No comments

`

.

Bookmark ipblog.ca on your iPhone, iPad, Android tablet or mobile device for updates and developments in Canadian intellectual property law, including practical information and commentary on intellectual property business issues, technology commercialization and developments in the law, copyright and patent questions, trade-mark law, software and IT outsourcing, and related areas including privacy and cleantech licensing.

ipblog has been published since 2006.  In 2009, we added applaw.ca to our site, covering legal developments in the growing mobile application industry.

We have surpassed 1 million page-views from readers around the world. It’s hard to compete against YouTube cats… but we try.

Thanks to all of our readers. We’ll be taking a break during the month of August, and will resume in September, 2012.

Calgary – 07:00 MDT

In late June, Apple won one of the many battles that it is waging against one of its fiercest rivals – South Korea’s Samsung, manufacturer of the Galaxy line of smartphones and tablets. Riding the wave of Google’s Android platform, Samsung has emerged as the world’s biggest handset maker, and arguably Apple’s biggest rival. Apple and Samsung are entagled in more ways than one, since Samsung also manufactures the A5 chipset that powers the latest models of iPad and iPhone. As the saying goes “Keep your friends close and keep your enemies closer.”

Apple’s latest win resulted in an injunction barring sales of Samsung’s Galaxy Tab in the US. That decision is being appealed. Meanwhile in the UK, Apple was ordered to publish a notice that Samsung did not copy the iPad. That decision is being appealed too. All of this is part of a global war (including Australia, Germany and the Netherlands) that stems from Apple’s claims that Samsung copied the design of the iPad. This is one of the most interesting aspects of the case – that worldwide IP infringement claims can be based on the design of a consumer product, not its function. And it’s a design that is successful precisely because of its clean, minimalist simplicity that eschews ornamental features of any kind. Check out this design patent (PDF) (Apple’s D504,889 design patent), filed in 2004, upon which the US injunction is based, in part. The two companies are currently headed to a jury trial in the US.

Lessons for business?

• Don’t forget to review relatively simple forms of intellectual property in your IP strategy. In this case, a simple industrial design (or in the US, a “design patent”) has provided ammunition in a battle between two of the most sophisticated technology companies on the planet.

Calgary – 07:00 MDT
No comments

`

In October, I will be presenting at the 5th Cloud Computing Law Conference in Calgary, Alberta (October 9 and 10, 2012). Check out the brochure for a full description, including the topic “ALLOCATING IP RISKS IN THE CLOUD”: Service providers often seek to impose standard form contracts for the provision of cloud computing services containing standards of services that are often on an “as-is” basis. This session will explore the process of negotiating warranties, indemnification and limitation of liability clauses to satisfactorily allocate risks, including: scope of warranties; service vs. product warranties; remedies available for breach of warranties; and scope of customary indemnification obligations.

Readers of ipblog.ca are eligible for a 15% discount (Email me for the registration discount code).

Relating Reading: ipblog’s Cloud Computing library of articles, including “The Cloud: What goes up must come down” and “Online Agreements: Click-Through Upheld“.

Calgary – 07:00 MDT

`

Apps are not just for Angry Birds anymore. The licensing of mobile apps is becoming more common for business-to-business software vendors who are extending the reach of their enterprise applications to take advantage of opportunities in mobile and cloud computing. If you are a vendor of enterprise software and you want to add mobile functionality, here are a few of the most important legal issues to consider:

1. Check the EULA:

Compared to the full suite of desktop functionality, the mobile app may represent a small piece of your overall software product. But even a mobile app needs an end-user license agreement (EULA). Cloud computing service providers may have service terms that are designed for web access to their software, and they may not perceive the need for a “traditional” EULA, but in the case of a mobile app, remember that this is a “traditional” license where a copy of the application resides on the user’s device and system. So point number 1 is to check the EULA.

Software vendors should understand that apps launched on the iOS platform will come with a “ready-made” EULA courtesy of Apple. Other platforms will come with other license terms. Software vendors should consider developing a custom EULA if there are good reasons for doing so after a risk assessment. A few other points to note: If you prepare your own EULA on the iOS platform, take note of Apple’s “mandatory terms” that must be included in every license. Under the Android Market Developer Distribution Agreement, the default terms grant a “non-exclusive, worldwide, and perpetual license”. If you don’t want to grant such a broad license, then consider a custom-made EULA.

2. Review Privacy:

App developers should get legal advice on privacy issues. The privacy problem with apps has been percolating for some time and several high-profile reports have brought attention to this issue. In several cases, app developers have (intentionally or otherwise) harvested private details about app users by dipping into address books and location-data. In Canada, the privacy landscape is complex, but is underpinned by private-sector privacy laws that apply to “personal information” across all industries, at both the federal and provincial level.

In the US, the California Attorney General recently entered into an agreement with mobile app platform vendors – Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion – to improve privacy protections for app users. This arrangement implements certain “privacy principles” and requires app developers to have a privacy policy, something that would bring app developers in line with Canadian law. If you don’t have a privacy policy, then consider developing one along with the launch of your mobile app. It can be a useful exercise to determine what information is being collected, from whom, for what purpose.

3. Check the Data:

Ownership and control of data is a critical issue for end-users. In the case of mobile apps that are an add-on for broader enterprise or cloud-based software offerings, the data issue is even more complicated. Who owns it? Who is responsible for it? Where does the data reside? On the device, on customer’s server, on the vendor’s server, or with a third-party host in the cloud? These issues can be addressed within the app EULA, or it may be possible to cover them within the EULA for the enterprise software application. Data escrow may also be appropriate in some cases.

4. Distribution:

Consider where and how the mobile app will be distributed? For example, in some cases, mobile apps can be contained within a “closed” system, which permits distribution within a company. However, if you are a vendor wishing to distribute your mobile app to all of your customers, the easiest method of distribution may be, for example, through Apple’s App Store. This means the app will be available to users in over 60 jurisdictions around the world. Consider the jurisdictional issues – for example, one app developer realized that its marketing materials offended advertising rules of the Federal Trade Commission in the United States, which triggered an FTC complaint and ultimately a fine.

5. Integration:

It goes without saying that your mobile app should be integrated with the other services or software products (whether these are desktop, virtualised or web-based services). But consider this both from a technical perspective as well as a legal perspective. Does the app EULA dovetail with the EULA for your enterprise software applications? What promises, warranties or limitations are available under each document? Does one agreement pick “Alberta law” while the other one falls under “California law”? Consider the situation where the enterprise EULA makes promises or guarantees that user-generated data will be archived by the licensor and provided in a particular format to the customer on request. If that data is collected through the mobile app, and resides on devices of users, then this promise may be difficult or impossible to perform.

6. Brands and Trade-marks:

Lastly, the marketing of mobile apps deserves particular attention. You may have secured trade-mark rights for your enterprise software, but you should also consider trade-mark rights for the app itself. Apple’s App Store is still something of a wild-west when it comes to trade-mark rights. Consider treating the mobile app just like you would any other product – branding and brand protection should be considered in the most important jurisdictions where your customers will be downloading and using the app.

This article was initially published on Corporate LiveWire.

Calgary – 07:00 MDT

For copyright fans, today kicks off a frenzy of reading Supreme Court decisions. Judgments in the 5 copyright cases which were heard last December were released today:

1. ESAC v. SOCAN
2. Rogers v. SOCAN
3. SOCAN v. Bell
4. Alberta v. Access Copyright
5. Re:Sound

IPOsgoode’s exellent summary appears here. Michael Geist’s review appears here. Further coverage to follow.

Calgary – 07:00 MDT

.

Bill C-11, the long-awaited and long-debated Copyright Modernization Act has received Royal Assent… but is not yet in force. For an overview of the Act, see the government’s legislative summary.

Calgary – 11:00 MDT

It is a fundamental feature of copyright law that it protects only original expression, not ideas. Applied to software, the law of copyright tells us that certain elements of a computer program are not protectable by copyright. For example, purely functional elements such as the structure of a library, or database, or elements dictated by the operating system, can fall outside the scope of copyright protection, since those elements lack the originality necessary for copyright.

In Tetris Holding LLC v. Xio Interactive, Inc., an app developer was found to have infringed copyright in the famous Tetris game.  The puzzle game Mino was, by the defendant’s own admission, inspired by Tetris. However, the defendant maintained that it only copied unprotected elements, a conclusion that the developer reached after researching copyright law. The court did not agree. After an exhaustive review of the idea-expression dichotomy (40-pages worth of anaylsis, if you want to read more), the court decided that Mino did infringe the protectable “look and feel” of Tetris. According to this case, you shouldn’t assume that expression is unprotectible merely because it is related to a game rule or game function.

UPDATE: In the Oracle v Google case (see our earlier coverage here), the judge decided that APIs in this case were not eligible for copyright protection. This amounts to a complete loss for Oracle in its suit against Google for infringement of the Java APIs used in Google’s Android software. This case is expected to go up to appeal.

Calgary – 07:00 MDT

.

The House of Commons has now passed Bill C-11, An Act to Amend the Copyright Act, with only minor amendments at the committee stage. The Bill has been sent up to the Senate where it has passed First Reading. Second Reading could commence as soon as today.

After years of ponderous debate, this quick pace suggests the Bill will progress through the Senate efficiently. However, the Senate rises for the summer at the end of June, leaving little more than a week to push the legislation through. If the Bill does not become law by the end of June, then it will be pushed into the fall calendar. The Senate returns from the summer recess on September 17th … (wish we were all so lucky).

Stay tuned.

Calgary – 2:00 MDT