–

The club of Canadian provinces with private-sector privacy legislation welcomes a new member this year: Manitoba has passed the The Personal Information Protection and Identity Theft Prevention Act (PIPITPA), joining B.C., Alberta and Quebec. In other provinces, the federal Personal Information Protection and Electronic Documents Act governs private sector privacy. Of course, most provinces have enacted some form of public sector privacy law, and many also have health-information laws. The Manitoba private-sector law follows the consent-based privacy regime of other Canadian provinces.

This law has yet to be proclaimed into law. Stay tuned.

Calgary – 07:00 MDT

–

Concerned about departing employees who might have confidential information about your business and clients? Or maybe you are the ex-employee and you are unsure of where the line is drawn when departing one job to start another.

In Plaza Consulting Inc. v. Grieve et al , 2013 ONSC 5338 (CanLII), the court addressed an injunction application by QA Consultants, a Canadian company offering software testing and quality assurance services, against former employees and consultants who started a competing business. The court provides some guidance on how these matters are held, when ex-employees are accused of misappropriating confidential information and poaching customers. In this case, the court says:

• Whether dealing with employees who allegedly misappropriate their former employer’s business methods in breach of a restrictive covenant or in breach of fiduciary duties, the employer must at the very least establish that it “has a proprietary interest that is entitled to protection.” Aon Consulting Inc. v Watson Wyatt & Co., 2005 CarswellOnt 3706, at para 16 (SCJ). Here, the court concludes that the confidential information in question is “highly generic”. Remember that “[a] trade secret cannot be within the realm of general skills or knowledge.”

• A party who receives allegedly confidential information and who is accused of misusing it must have done so to the detriment of the party that provided the information in the first place. International Corona Resources Ltd. v Lac Minerals Ltd. 1989 CanLII 34 (SCC), (1989), 26 CPR (3d) 97, at 103(SCC). In this case, the court found that the information in question was not used to the detriment of the plaintiff.

• In the case of the allegations of solicitation of former clients or employees of QA Consultants, the court indicated that, in these agreements, the restrictive covenants were sufficiently vague that the allegations made against the ex-employees were not “clear” breaches of those covenants. The vague definition in the agreements did not help the case. Ultimately, the injunction application was dismissed.

Remember to get advice on the restrictive covenants in employment agreements. Both employees, consultants and employers should understand the scope of confidentiality obligations and non-solicitation restrictions.

Calgary – 07:00 MDT
No comments

–

The criminal defence lawyers have their TV shows and movies. What about those humble lawyers who draft online agreements and terms of use all day long? It’s not every day that this kind of legal fine print gets time on the silver screen. Check out this documentary Terms and Conditions May Apply.

Playing next weekend at the Vancouver International Film Festival and Hot Docs Canadian International Documentary Festival.

Calgary – 07:00 MDT

–

Consider this: A service organization we’ll call CloudCo collects and compiles personal information from its corporate customer. The individual whose personal information is being collected has a relationship directly with the corporate customer, but not with CloudCo. The personal information has been shared with CloudCo without the individual’s knowledge or consent. Sound familiar?

Many cloud service providers host personal information without any direct relationship with the individual. Maybe they rely on assurances from their own customer. Or they may simply collect personal information without thinking through the privacy implications. 

This recent decision of the Information & Privacy Commissioner of Alberta (Professional Drivers Bureau of Canada Inc. Case File Number P1884) deals with the collection of personal information of truck drivers by a private service company, called the “Professional Drivers Bureau”. This company collected personal information about drivers from trucking companies, created a database of information, and then offered a search service, by which trucking companies paid a fee for a report on the driver. In that report, the personal information about the driver was disclosed to the trucking company. The personal information was gleaned and compiled into a database over a long period of time, and it became clear during the Commissioner’s investigation that the individuals never consented to this collection, use and disclosure. The Commissioner ultimately decided that the “Professional Drivers Bureau” was in breach of Alberta privacy laws because it never obtained consent directly from the individual truck drivers.

What can other service companies – including cloud service providers – take away from this case?

• Cloud service providers should consider if they are “collecting” any personal information themselves, or merely providing a service which allows their customer to store information in the cloud. When a service provider collects personal information, it must obtain consent. In this case, the service provider did not provide any notice to the individual of its collection of her personal information, did not indicate its purposes, did not provide the name of someone who could answer her questions. It apparently did not inform the trucking companies about its purposes in collecting the personal information. All of this was in contravention of privacy laws.
• If a service provider is merely providing space on a server, the terms of service should address privacy issues, and make it clear that no personal information is collected, used or disclosed by the cloud provider. 
• Termination issues should also be addressed in the agreement. What happens to that data when the service relationship ends?
• Consider the position of the trucking company: in this case, the trucking company shared personal information about individuals with the “Bureau”. When personal information is disclosed in such a way, the trucking company should be asking: Was this disclosure authorized by the individual? What is the purpose of the disclosure? What contractual restrictions are placed on the recipient, to ensure that the personal information is used in accordance with the consent from the individual. In the cloud context, this means contractual terms that directly address the privacy issues.
• Get privacy advice when entering into cloud-based service agreements.

Calgary – 11:00 MDT

- 

License agreements often contain indemnities. An indemnity is a contractual obligation to step in and reimburse some financial obligation such as a liability, loss, or damage. In essence, the party giving the indemnity will make the injured party “whole” by recompensing losses and expenses.

The court in Coastal Contacts Inc. v. Elastic Path Software Inc., 2013 BCSC 133 reviewed the meaning and scope of an indemnity for intellectual property infringement, which is a common clause in many intellectual property (IP) license agreements. This is what’s known as an IP indemnity clause. What obligations does a software vendor take on, when they give an IP indemnity? For the full article, click here: Software Licenses and Indemnities: What Obligations Are You Taking On?

Calgary – 11:00

–

When a user dies, who owns the contents of that user’s account?

In Ajemian v. Yahoo Inc.  (May 7, 2013), a Massachusetts court considered this question. Two brothers, who administered their brother John’s estate, brought a lawsuit against Yahoo for access to email messages of their deceased brother, and a declaration that the email account was property of John’s estate. The court considered the Yahoo Terms of Service, which included this clause: “You agree that your Yahoo! account is non-transferable and any rights to your Yahoo! ID or contents within your account terminate upon your death. Upon receipt of a copy of a death certificate, your account may be terminated and all contents therein permanently deleted.”

The court looked at the central question of whether these terms – in particular, this “No Right of Survivorship and Non-Transferability” clause described above – was reasonably communicated to the user. The terms were amended before the time of death but the evidence was unclear on whether the deceased user had assented to this particular amendment. Because of the weak evidence on this point, the court decided that Yahoo could not rely on the forum selection clause which would have deflected the case to California.

The court took the view that the deceased user was a Massachusetts resident and courts in that state had a strong interest in the outcome of the case as it related to the assets of a deceased resident, as opposed to the nature of Yahoo’s services. The ultimate decision was remanded to the lower court, but we can take away a few important lessons:

1. The method of implementing Terms of Use and (just as important) amendments to those terms should be carefully reviewed by any Canadian company conducting business online. This includes everything from an email service like Yahoo, to cloud-computing service providers, online retailers, ebook sellers and software vendors.
2. Corporate accounts may not impacted by the death of a user, but anyone making consumer sales should review their online terms to address survivorship issues. And there are many cases where even a “corporate” user is signing up as an individual, without any clarity on what happens to that account as an “asset” of the business after death.

Get advice from our licensing and internet law experts in this complex area.

Related Reading: Is There Life After Death for Your Digital Assets?

Calgary – 07:00 MDT

–

“The world has changed dramatically in the last two decades… An entity may now have a profound impact upon a foreign jurisdiction solely through its virtual projection via the Internet.”

This statement from the New York Court of Appeals in the recent decision in Overstock v. New York Taxation and Finance (PDF) paved the way for an interesting conclusion on the taxing power of New York State – and by extension, the sales tax that may be applied to many online sales, including sales by Canadian online business into the US market.

Traditionally, a state’s taxing authority was based on “economic activities” by the seller, for example, through its employees or sales agents in that state. The question faced by the court in this case was whether click-through links on a “local website” (that is, a website owned by a local state owner) would qualify to establish “economic activities” in that state. For example, a link to Amazon from a local New York State website has the effect of driving sales to Amazon. The court decided that by compensating the local New York State website owner who has signed-on to an affiliate agreement, Amazon is deemed to have established an “in-state sales force”.  The site which hosts the link is paid a commission, flat fee or price-per-click, and this was considered enough to create a “substantial nexus” to the state. Passive advertisements, by contrast, would not by themselves create a substantial nexus.

It is not clear whether Overstock.com and Amazon will appeal the decision.

In other news, the U.S. Senate voted 74-20 to put The Marketplace Fairness Act of 2013 to a final vote, an Act which would allow states to collect online sales taxes. The OECD is also preparing guidelines on how to handle international value-added taxes, to deal with the current “uncertainty and risks of double taxation and unintended non-taxation”. The 2013 draft of the OECD Guidelines derives from the “neutrality” principle (the notion that value-added tax is a tax on final consumption that should be neutral for business), and the so-called “destination” principle (that tax should be paid in the jurisdiction of consumption).

In the meantime, Canadian online retailers selling into the US marketplace should consider reviewing their affiliate click-through agreements and assess sales-tax collection policies with tax advisors.

Related Reading: New York’s Highest Court Affirms Constitutionality of Click-Through Nexus

Calgary- 07:00 MDT

–

When a cloud privacy breach occurs in Canada, what happens? In some cases, businesses are subject to mandatory breach notification requirements. This means that a privacy breach – whether as a result of a hacker, a lost USB or some other human error – must by law be reported to the commissioner and to affected individuals. Ontario has implemented mandatory breach notification under its Personal Health Information Protection Act. In Alberta, organizations subject to the Personal Information Protection Act (PIPA) are required to report a breach to the commissioner “without unreasonable delay” where a “reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure”.

The “real risk of significant harm” requires some analysis in the event of a breach and the Alberta commissioner’s Mandatory Breach Reporting Tool (PDF) has been released recently, to assist organizations determine if they are required to report a breach under section 34.1 of PIPA. This area of law may be changing further: a private members bill  was recently introduced in Parliament to implement mandatory data breach reporting in the federal personal information protection law.

Here’s a recent case that illustrates the pitfalls of a cloud privacy breach in Canada:

• In the recently released decision relating to WhatsApp (Report of Findings: Investigation into the personal information handling practices of WhatsApp Inc.), the Canadian and Dutch privacy authorities investigated WhatsApp Inc. a US company operating “WhatsApp Messenger”, a cloud-based cross-platform mobile messaging app allowing the exchange of messages for iOS, BlackBerry, and Android platforms.
• The Commissioner launched an exhaustive review of the privacy aspects of the service after complaints regarding WhatsApp’s information-handling procedures, including the collection of more information than was necessary, the potential for privacy breach, the lack of encryption.
• While the story generated damaging headlines, WhatsApp did work with the Commissioner to resolve many of the privacy concerns.
• This investigation also shows the extent to which international privacy watchdogs will work together to launch an investigation that concerns personal information that crosses international borders.

The privacy lessons are clear: get advice on privacy implications of the cloud-based service, and don’t underestimate the importance of well-drafted privacy policies and user terms. Cloud service providers should also take time to understand the breach notification protocols that would apply in the event of a privacy breach.

Calgary – 07:00 MDT

–

The Canadian Intellectual Property Office has released guidance on “Computer-Implemented Inventions” as planned, in the wake of the Federal Court of Appeal decision in Amazon.  While “software” is technically not patentable, a “computer-implemented invention” is.  Such an invention could fall into one of several categories: a method (art, process or method of manufacture), machine (generally, a device that relies on a computer for its operation), or product (an article of manufacture). As before, computer programs, data structures and computer-generated signals alone are not patent-eligible.

Calgary – 07:00 MDT

 

–

In 2012, LinkedIn made headlines as a result of a significant data breach. The passwords and email addresses of over 6 million LinkedIn users were hacked and posted online. Encryption and security was improved by LinkedIn in the wake of this breach. A class action lawsuit was commenced in the United States based on claims by LinkedIn “premium” users (who paid a monthly or yearly fee for upgraded services). The claim relied on an alleged breach of the terms of LinkedIn’s privacy policy which included fairly standard language about protection of personal information “with industry standard protocols and technology.” In the decision In re LinkedIn User Privacy Litigation , 2013 WL 844291 (N.D. Cal. Mar. 5, 2013), a US court has shut down the claim, deciding the plaintiffs lack standing. The claims were based on a “benefit of the bargain” concept – an argument that the claimants were allegedly entitled to security as paying customers and LinkedIn breached this promise.

The court rejected the claims since there was no indication that the extra service paid for by premium users included enhanced security or encryption, since “paid” users and “free” users received the same level of security. It is clear that claims based on breach of privacy will face a uphill battle in the US, and this decision together with the decision in last year’s iPhone class action claim demonstrate the complexities and difficulties of this class of claims.

Calgary – 7:00 MDT

–

Are APIs protected by copyright?

In the long-running litigation (and hey, is there any litigation that isn’t “long-running”?) between Oracle and Google, a US court decided in 2012 that APIs in this case were not eligible for copyright protection. See our earlier post. This meant a complete loss for Oracle in its lawsuit against Google for infringement of the Java APIs used in Google’s Android software.

Copyright protects only original expression. Applied to software code (including API protocols), the law of copyright tells us that certain elements are not protectable by copyright since they lack originality. The US trial level decision in Oracle vs. Google has been appealed and the parties are now filing briefs in the US Federal Court of Appeals (a copy of Oracle’s brief is here). The briefs make fascinating reading for those interested in the finer points of copyright law and the history of the Java programming.

Oracle’s brief opens by sketching a scene: “Ann Droid wants to publish a bestseller. So she sits down with an advance copy of Harry Potter and the Order of the Phoenix  —the fifth book—and proceeds to transcribe. She verbatim copies all the chapter titles—from Chapter 1 (“Dudley Demented”) to Chapter 38 (“The Second War Begins”). She copies verbatim the topic sentences of each paragraph, starting from the first (highly descriptive) one and continuing, in order, to the last, simple one (“Harry nodded.”). She then paraphrases the rest of each paragraph. She rushes the competing version to press before the original under the title: Ann Droid’s Harry Potter 5.0. The knockoff flies off the shelves.”

Does this constitute copyright infringement?

One of the big issues on appeal will be whether the appeals court accepts the notion that copyright infringement can occur without any actual direct copying of code. This is the so-called SSO argument – that the “structure, sequence and organization” of the software can attract copyright protection, regardless of whether specific code is cut-and-paste. As illustrated in the Harry Potter example above.

Stay tuned. This is one to watch in 2013.

Calgary – 07:00 MST

Photo credit: Google, Inc.

–

Social media law was not a topic on offer when I went to law school. Now, it’s a subject that’s hard to avoid for any business that has a consumer-facing social media presence. Here are two recent cases that illustrate the potential pitfalls as this area of law becomes more complex and more interesting:

Last week, HMV’s Twitter feed was hijacked by an employee who live-tweeted employee terminations from the company’s official Twitter account. Perhaps “hijacked” isn’t the right word, since the employee apparently had access to the account as part of her employment duties, though that position likely did not involve posting descriptions of firings as “Mass execution of loyal employees”. The next day the ex-employee (“Poppy Rose”) helpfully tweeted a reminder to the company that “you need to go to ‘settings’ and revoke my account access as an admin“. The lessons for business?

• Many companies are slow to grasp the power of social media. Don’t underestimate the viral nature – both good and bad – of this tool. Though the offending tweets were deleted by the company, this became a national story within a few minutes. From the company’s perspective, it required careful handling to avoid any brand damage.
• This highlights the need for a Social Media Policy for employees, to deal with the legal pitfalls of social media and particularly those employees who are engaged directly in social media sphere on behalf of the company. The ownership and control of corproate social media accounts is a simple but important element of such a policy.

Related Reading: Who Owns Social Media Contacts: Employers or Employees?

Calgary – 07:00 MST

–

The Alberta, British Columbia and Canadian privacy commissioners have released guidance on Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations. These documents are designed for practical application to small business, including the issues around transborder data flow.

Related Reading:

• The OPC’s Guidelines for Processing Personal Data Across Borders (PDF);

• Outsourcing by Canadian Companies: Another Look at the USA PATRIOT Act
• Cloud Computing Law: Balancing Privacy and Investigation

Related Event:

Next month, on March 11 and 12, the Canadian Cloud Council’s Cloud Matters conference takes place in beautiful Banff, Alberta. Check out the conference program. I will be attending as a member of the Canadian Cloud Council.

Calgary – 07:00 MST

“There may be no greater area of confusion and misunderstanding than fear of the PATRIOT Act” – Ontario Information and Privacy Commissioner

Cloud computing and data outsourcing has been embraced by many Canadian companies. In a recent poll, the adoption rate of cloud-based services by Canadian businesses experienced one of the highest year-over-year increases. Data security and concerns over personal information and privacy remain one of the biggest barriers to adoption.

One of the most common concerns raised by businesses who are considering cloud computing is the law known as Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (“PATRIOT Act”). There has been much discussion and some misinformation regarding the PATRIOT Act. For those unfamiliar with the topic, the central concern is that U.S. government authorities may use the provisions of the PATRIOT Act to access the personal information of Canadians where that information is stored in the United States, particularly in the context of outsourcing or cloud-computing.

Overall, a review of recent decisions in Canada shows that these concerns are overstated in light of the risks, and that for private sector businesses there are no prohibitions on outsourcing to the United States in light of the PATRIOT Act, provided (1) reasonable safeguards are built into the outsource contract (including confidentiality, use-restrictions, security, and provisions to meet monitoring and audit requirements), and (2) customers are notified in a clear way when their personal information will be stored or handled outside Canada. It is important to remember that the confidentiality and use-restrictions imposed on the service provider must be tied to the purposes to which the customers originally consented.

“Transparency and security” are watchwords for Canadian businesses considering the cloud.

Industry-specific regulations or guidelines, such as those found in the Insurance Companies Act and the OSFI guidelines applicable to banks and other financial institutions, place certain controls on outsourcing but do not specifically prohibit outsourcing or data-storage outside of Canada.  Canadian laws, as well as the PATRIOT Act and OSFI Guidelines are reviewed below.

1.         Federal Private Sector Legislation

The Personal Information Protection and Electronic Documents Act, (PIPEDA) governs federally-regulated entities, such as insurance companies. PIPEDA is also the default private-sector privacy legislation for provinces which have not passed “substantially similar” privacy legislation. To date, only Alberta, B.C. and Quebec have passed general private-sector privacy legislation that has been deemed “substantially similar” to PIPEDA.

PIPEDA governs the handling of personal information by private businesses such as insurance companies in the course of commercial activities. PIPEDA does not prohibit outsourcing of personal information to the U.S.  In fact, there is a clear decision of the Canadian Privacy Commissioner that PIPEDA does not prevent federally-regulated entities from outsourcing personal information data handling or data processing to the U.S.

2.         Provincial Privacy Legislation

There are multiple layers of regulation at the provincial level, for the public sector, private sector and for personal health information. Let’s have a look at the Alberta law. With respect to outsourcing, under the Alberta Personal Information Protection Act (PIPA) (sections 13 and 13.1), a service provider must notify consumers when personal information is stored by a service provider outside Canada. This includes a notification of the position or title of a person who is able to answer the consumer’s questions about the collection, use, disclosure or storage of personal information by the service providers outside Canada.  This is considered prudent practice for any private-sector organization engaging in outsourcing personal information to U.S. service providers.

Other than these notice requirements relating to storage of personal information outside Canada, there is no prohibition on outsourcing or data processing in the U.S. in private-sector privacy laws.

3.         USA PATRIOT Act

Regarding the PATRIOT Act, the Privacy Commissioner of Canada has stated that: “.. there is a comparable legal risk that the personal information of Canadians held by any organization and its service provider — be it Canadian or American — can be obtained by government agencies, whether through the provisions of U.S. law or Canadian law.” The Ontario Information and Privacy Commissioner has gone further and stated: “There may be no greater area of confusion and misunderstanding than fear of the PATRIOT Act. The PATRIOT Act has invoked unprecedented levels of apprehension and consternation – far more than I believe is warranted.”

The PATRIOT Act has been in effect for over 10 years, and during this time the Government of Canada states that there have been no instances where the personal information of a Canadian has been accessed under the PATRIOT Act.

Some public sector laws in B.C., Nova Scotia and Quebec require public bodies to ensure that personal information is stored only in Canada. For example, in B.C. public bodies and their service providers are obliged to notify the government if the public body receives “a foreign demand” for personal information. This is designed specifically to address PATRIOT Act concerns.

In Alberta, the public sector Freedom of Information and Protection of Privacy Act, permits a public body to disclose in response to a “subpoena, warrant or order” issued by a court, as long as the court has “jurisdiction in Alberta.” While no prohibition on outsourcing to the U.S. is explicitly built into the Alberta law, this provision is intended to ensure that the public body is constrained in its ability to disclose to a court of a foreign (U.S.) jurisdiction. Once again, it should be noted that this is public sector legislation.

Several privacy commissioner decisions have directly considered the issues raised by the PATRIOT Act in the context of Canadian public and private sector privacy laws.

• In a 2005 decision, the Privacy Commissioner of Canada decided that PIPEDA does not prohibit the use of foreign-based third-party service providers, but it does oblige Canadian-based organizations to have provisions in place, when using third-party service providers, to ensure a comparable level of protection (including guarantees of confidentiality and security of personal information). The Commissioner’s decision was also clear that, at the very least, a company in Canada that outsources information processing to the U.S. should notify its customers that the information may be available to the U.S. government or its agencies under a lawful order made in that country.
• Again in 2006 and 2008, the Privacy Commissioner of Canada decided that data handling in the U.S., which exposed the personal information to potential PATRIOT Act concerns, did not offend PIPEDA since the Canadian company had implemented comprehensive strategy and techniques to safeguard the personal information.   
• Most recently, a June 2012 decision of the Information and Privacy Commissioner of Ontario reviewed a complaint about PATRIOT Act concerns with the outsourcing of personal information to the U.S. by an Ontario public body (the Ministry of Natural Resources). The Commissioner decided that the Ministry’s collection, use and disclosure of personal information for the purpose of administering the Ministry’s hunting and fishing licensing program was in compliance with the Act.

All of these decisions point to the need for transparency and openness when dealing with customers, to ensure that they are made aware in cases where personal information handling, processing or storage may or will be outsourced to the U.S. Secondly, the service or outsourcing agreement must contain contractual protections ensuring confidentiality, security and compliance with privacy laws, so that service provider provides a comparable level of protection for the personal information.

4.         OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes

OSFI’s Guideline B-10  describes requirements for federally-regulated entities (FREs), such as banks, financial institutions and insurance companies, when engaging in outsourcing. These are the guidelines relevant to the issue of outsourcing to foreign jurisdictions. Generally, these guidelines mandate appropriate security and data confidentiality protections.   

Guideline 7.1.1(j) (“Confidentiality, Security and Separation of Property”) says: “At a minimum, the contract or outsourcing agreement is expected to set out the FRE’s requirements for confidentiality and security. Ideally, the security and confidentiality policies adopted by the service provider would be commensurate with those of the FRE and should meet a reasonable standard in the circumstances. The contract or outsourcing agreement should address which party has responsibility for protection mechanisms, the scope of the information to be protected, the powers of each party to change security procedures and requirements, which party may be liable for any losses that might result from a security breach, and notification requirements if there is a breach of security.”

OSFI also expects “appropriate security and data confidentiality protections to be in place. The service provider is expected to be able to logically isolate the FRE’s data, records, and items in process from those of other clients at all times, including under adverse conditions.”

In Guideline 7.2.2 (“Location of Records”) OSFI indicates that: “In accordance with the federal financial institutions legislation, certain records of entities carrying on business in Canada should be maintained in Canada. In addition, the FRE is expected to ensure that OSFI can access in Canada any records necessary to enable OSFI to fulfill its mandate.” This is intended to cover information such as accounting records, incorporation documents, corporate by-laws, rather than personal information.

Guideline 7.2.4 (“Outsourcing in Foreign Jurisdictions”) indicates the following: “When the material outsourcing arrangement results in services being provided in a foreign jurisdiction, the FRE’s risk management program should be enhanced to address any additional concerns linked to the economic and political environment, technological sophistication, and the legal and regulatory risk profile of the foreign jurisdiction(s).”

Once again, this speaks to the need for enhanced attention to security rather than any outright prohibition on outsourcing to the U.S.

5.         Breaches in Alberta

The Alberta Privacy Commissioner’s 2012 Breach Report shows that a majority (64%) of the 63 reported cases meeting the real risk of significant harm threshold involved human error or lost or stolen unencrypted electronic devices:

• 22 breaches (35%) were caused by human error. These incidents included inappropriate disposal of personal information, misdirected emails or faxes, loss of files and portable media, and unauthorized disclosure of passwords. The most common form of human error was mail and courier errors caused by delivery to the wrong recipient. 
• 18 breaches (29%) were caused by theft, such as office and car break-ins. 
• 14 breaches (22%) were caused by electronic system compromises, typically through targeted attacks by external hackers.
• 9 breaches (14%) were caused by a failure to adequately control access to electronic or paper files.

None of the cases involved a disclosure or breach through the PATRIOT Act. And it should be noted that hackers can access records on both Canadian and U.S. servers, so in that sense no additional risk is associated with outsourcing to the U.S.

Conclusion

Many concerns have been raised about the reach of the PATRIOT Act. It should be remembered that Canadian government authorities have similar powers to access personal information in the course of investigations, and to respond to requests by their allies, such as the U.S. in investigations.

This review of recent decisions in Canada demonstrates that private sector businesses are not prohibited from outsourcing to the United States in light of the PATRIOT Act. However, Canadian companies are well advised to implement reasonable safeguards and build these safeguards into the outsource contract. Secondly, customers should be notified in a clear way when their personal information will be stored or handled outside Canada.

Calgary – 07:00

–

Megaupload Ltd. is alleged to have disseminated copyright protected movies and music and US prosecutors now have the task of gaining access to the company’s servers in a bid to prove their case. In the fascinating Megaupload saga, a Canadian court has been asked to decide what to do with 32 servers belonging to Megaupload which are located in Canada. The servers are packed with information – “100 laptops” worth of data according to the judgement – and the court was asked by the US government to deliver that data to American prosecutors who are pursuing charges against Megaupload for criminal infringement of copyright, conspiracy to infringe copyright, money laundering and racketeering.

In last week’s decision, Canada (United States of America) v. Equinix Inc.  , 2013 ONSC 193, the court denied this request, indicating that the massive volume of data meant that the scope of the investigation should be narrowed to just that information that is the target of the search, rather than the entire contents of the data trove. However, the judge did not deny that the evidence should be delivered. Evidence to implicate Megaupload likely is contained within those servers, and it is only a matter of time and negotiation to determine the scope of the search, rather than an absolute denial of the request. “Given the undisputed conclusion” the judge wrote, “…that there were reasonable grounds to believe that evidence of the offences would be located on the servers in my view the appropriate balance of the state interest in gathering evidence and privacy interests in information can be struck by an order that the servers be brought before the court …so that the court can make an order refining what is to be sent.”

From a cloud computing law perspective, this case raises several important points:

• Canadian courts will order seizure and search of cloud-computing servers – just like they will with any piece of evidence in Canada – pursuant to a request from US authorities in the course of a criminal investigation;
• Privacy interests will be balanced by the court, since the law is developing a sense of when individuals have an expectation of privacy in the contents of computers or servers;
• However, that privacy right is not absolute, but it will be balanced with the interests of governments to conduct investigations.

We can expect another decision to be released before long, where the contents of the servers are indeed delivered to US prosecutors, with some conditions or limitations as to the scope of the search.

Calgary – 07:00 MST

 

My article Click and Copy: Breach of Online License Agreements and Copyright Infringement was published in Canadian Intellectual Property Review in December.  The enforceability of click-through licenses for online software-based services is critical within the information technology industry. Software vendors and cloud-computing service providers require certainty that the licence terms governing these products will be enforceable.

In other words, vendors require certainty that, if there is a breach by a user, the law will provide a remedy, under the law of either contract or copyright, or both. When does a breach of a licence or breach of online terms of use constitute not only a contractual breach but also an infringement of copyright in the software?

The outcome of this question affects whether a vendor or provider would be able to access the infringement remedies under part IV of the Copyright Act, including injunction, damages, accounts, delivery up, and statutory damages. By reviewing some of the recent case law in this area, this article examines the intersection of copyright and contract law in the context of click-through software licences and online terms of use, specifically when a breach of such terms constitutes copyright infringement, giving rise to remedies under the Copyright Act, and when a breach is merely a breach, giving rise to remedies and potential damage awards under contract law.

Calgary – 07:00 MST

 

–

Several recent stories have highlighted the concerns over personal information, privacy and the reach of mobile apps.  Once again, the law is labouring to keep up with technology.

• So-called Cyber-Stalking Apps provide the means to track the location of a phone through an app that is not visible or easily detectable by the phone’s owner. The cloaked app resides on the phone and essentially reports back to the person who installed the app on the user’s whereabouts. In the US, a proposed law has been drafted to make such apps illegal (The Location Protection Privacy Act). This draft legislation moved out of committee and may become law in 2013.
• A number of mobile apps have been criticized for collecting personal information about kids, and selling that info without parents’ consent. To tackle these problems associated with mobile apps directed at children, privacy advocates have been pushing for changes to the rules under COPPA (Children’s Online Privacy Protection Act). The US Federal Trade Commission (FTC) amended the Children’s Online Privacy Protection Rule in December 2012. The Rule now applies to mobile apps and web-based text messaging programs, and requires app developers to get permission from parents before collecting a child’s photographs, videos and geolocational information. The amended Rules will become effective on July 1, 2013.
• It is worth noting that these are both developments under US law.  In Canada, app developers who target children’s personal information would be caught by Canada’s broad private-sector privacy laws, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, or one of the provincial-level privacy laws, such as the Personal Information Protection Act in Alberta.  Cloaked “cyber-stalking” apps could constitute an invasion of privacy  contrary to Canadian law. However, that would apply to the person who surreptitiously loaded the stalking app, rather than the app developer.

App developers: Make sure you get advice on a properly-drafted privacy policy, terms of use or end-user license, and that you understand the implications of privacy laws when launching mobile apps.

Calgary – 07:00 MST

Update: January 29, 2013: see comment below regarding WhatsApp privacy issues.

–

Infringement! Litigation! Legislation! There is never a dull moment in the wonderful world of intellectual property law, and 2013 will be no exception. Here’s our list of what to watch in the coming year:

Copyright. If you keep making the same predictions year after year, eventually one of them will come true, right? For the last several years, we predicted that copyright reform would finally come to Canada. 2012 did not disappoint as the year of copyright, with the release of five SCC decisions and the passing of the copyright modernization legislation that had been long awaited.  We expect that 2013 will provide some opportunities to test the new law in court.

Anti-Spam. As with copyright, many have predicted that Canada’s “new” anti-spam law would come into effect for several years. Yes, Parliament passed the Fighting Internet and Wireless Spam Act and it did receive royal assent way back in December, 2010. However, Canada’s anti-spam legislation is still not in force. Industry Canada released draft revised anti-spam regulations last week, and it would be surprising if we didn’t see final regulations in the first half of 2013.

App Law. We predicted in 2011 that app law would develop as regulations and laws fight to keep pace with the explosion of the app economy which is expanding in both business and personal life, along with cloud computing. 2012 provided a number of important developments in app law, mostly in the US. 2013 should continue to provide clarity in this growing area of law.

Apple and Samsung. The litigation that brought patent infringement back into the public consciousness like no case since RIM vs NTP may be resolved in 2013. Even Judge Koh has made a plea for “global peace.”

Calgary – 13:00 MST

–

US companies seeking to enforce intellectual property rights against Canadians face certain challenges. First, a US company would commence a lawsuit in a US court, and must serve the Canadian person or entity in Canada. A US plaintiff would serve a Canadian under the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters (known as the “Hague Convention”). Under this Convention, there is a Central Authority designated federally and for each province and territory. In Alberta, this is done through Alberta Justice, Office of the Sheriff (Civil Enforcement) in Edmonton or Calgary. The normal procedure for service in Canada is personal service, and in Alberta this is through a “process server”. Once served, the Canadian then has to decide whether to respond to the US lawsuit.

In some case, the Canadian decides to ignore the US lawsuit. This happened in Blizzard v. Simpson, 2012 ONSC 4312 (CanLII), where Blizzard Entertainment sued Michael Simpson, a developer who was alleged to have authored and sold a “maphack” for Blizzard’s popular multiplayer game known as StarCraft II – Wings of Liberty. Mr. Simpson was served in Canada but failed to file any defence to the California lawsuit. As a result, Blizzard took default judgement in which Mr. Simpson was ordered to pay statutory damages of $150,000 legal fees and costs of $45,000. A permanent injunction was also ordered to prevent further infringement of Blizzard’s StarCraft II copyright or violation of the StarCraft II End User License Agreement (“EULA”) and Battle.net terms of use (“TOU”), among other things.

Blizzard then came to Canada to enforce their US judgement against Mr. Simpson. This required a second lawsuit (in Ontario, where Mr. Simpson resided). A Canadian court assesses the jurisdiction of the original court (by applying Canadian conflict of laws rules), and verifies that there are no defences of fraud, breach of natural justice, or public policy, which would cause the Canadian court to refuse to enforce the US judgement.

In this case, Mr. Simpson elected to defend the lawsuit in Canada. But by that time it was too late, since the court was not considering the merits of the copyright infringement case, but rather was reviewing the enforcement of a foreign judgement that had already been granted. Mr. Simpson attempted a novel defence by alleging that it was Blizzard who breached the terms of Mr. Simpson’s own website (terms that prohibited access by employees or lawyers of Blizzard). The court found this argument “untenable”, and concluded by entering the California judgement as a judgement of the Ontario court.

It is worth noting that defences to the copyright infringement claim may have been available in the California lawsuit - it is clear in both Canadian and US law that a breach of the terms of use does not (by itself) infringe copyright. It is not clear whether any copyright infringement actually occurred, but Blizzard won that argument by default.

Related Reading: Apps, Bots and Workarounds

Lessons for Canadian business: don’t ignore US lawsuits!

Calgary – 07:00 MST

–

“Great Fun” is a service offered by a company called Trilegiant. Trilegiant offers certain discounts to Great Fun members based on a monthly membership fee. Problem is, some members didn’t realize they were members until they saw the membership fee on their credit card statement. In Schnabel v. Trilegiant Corporation & Affinion, Inc. , Court of Appeals, 2nd Circuit (September 2012), the court considered whether terms could be considered enforceable if the terms were sent by email after the formation of the online contract.

In this case, there were online terms in the sign-up page, but for a variety of reasons, Trilegiant couldn’t rely on these terms, and was obliged to argue that the emailed terms were binding. Trilegiant asserted that the members assented to an arbitration clause by signing up, and receiving the emailed terms at a later date, and then failing to cancel their membership during the “free trial period”. The Second Ciruit Court of Appeals took a dim view of this approach. In the U.S., a consumer may receive “actual notice” of the online terms, or “inquiry notice”. “Inquiry notice” occurs when the consumer has actual notice of circumstances where a prudent person would be on guard to the existence of terms. It’s a stretch, but can still result in enforceable terms. The court concluded that neither “actual notice” nor “inquiry notice” were provided by means of the emailed terms. The court concluded:

“We do not think that an unsolicited email from an online consumer business puts recipients on inquiry notice of the terms enclosed in that email and those terms’ relationship to a service in which the recipients had already enrolled, and that a failure to act affirmatively to cancel the membership will, alone, constitute assent.”

Lessons for business? Get advice on your online terms and sign-up process for any online contracting: including cloud-computing contracts, software-as-a-service, online products sales, license agreements and terms-of-use.

Related Reading:

• Facebook App: Dispute Resolution Terms Upheld

• Changing Online Terms Midstream

Calgary – 07:00