In June, 2022, the Government introduced Bill C-27, an Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. A major component of this proposed legislation is a brand new law on artificial intelligence. This will be, if passed, the first Canadian law to regulate AI systems.

The stated aim of the Artificial Intelligence and Data Act (AIDA) is to regulate international and interprovincial trade and commerce in artificial intelligence systems. The Act requires the adoption of measures to mitigate “risks of harm” and “biased output” related to something called “high-impact systems“.

Ok, so how will this work? First, the Act (since it’s federal legislation) applies to “regulated activity” which refers to specific activities carried out in the course of international or interprovincial trade and commerce. That makes sense since that’s what falls into the federal jurisdiction. Think banks and airlines, for sure, but the scope will be wider than that since any use of a system by private sector organizations to gather and process data across provincial boundaries will be caught. The regulated activities are defined as:

• (a) processing or making available for use any data relating to human activities for the purpose of designing, developing or using an artificial intelligence system;
• (b) designing, developing or making available for use an artificial intelligence system or managing its operations.

That is a purposely broad definition which is designed to catch both the companies that use these systems, and providers of such systems, as well as data processors who deploy AI systems in the course of data processing, where such systems are used in the course of international or interprovincial trade and commerce.

The term “artificial intelligence system” is also broadly defined and captures any “technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.”

For anyone carrying out a “regulated activity” in general, there are record keeping obligations, and regulations regarding the handling of anonymized data that is used in the course of such activities.

For those who are responsible for so-called “high-impact systems“, there are special requirements. First, a provider or user of such a system is responsible to determine if their system qualifies as a “high-impact system” under AIDA (something to be defined in the regulations).

Those responsible for such “high-impact systems” must, in accordance with the regulations, establish measures to identify, assess and mitigate the risks of harm or biased output that could result from the use of the system, and they must also monitor compliance with these mitigation measures.

There’s more: anyone who makes a “high-impact system” available, or who manages the operation of such a system, must also publish a plain-language description of the system that includes an explanation of:

• (a) how the system is intended to be used;
• (b) the types of content that it is intended to generate and the decisions, recommendations or predictions that it is intended to make; and
• (c) the mitigation measures.
• (d) Oh, and any other information that may be prescribed by regulation in the future.

The AIDA sets up an analysis of “harm” which is defined as:

• physical or psychological harm to an individual;
• damage to an individual’s property; or
• economic loss to an individual. 

If there is a risk of material harm, then those using these “high-impact systems” must notify the Minister. From here, the Minister has order-making powers to:

• Order the production of records
• Conduct audits
• Compel any organization responsible for a high-impact system to cease using it, if there are reasonable grounds to believe the use of the system gives rise to a “serious risk of imminent harm”.

The Act has other enforcement tools available, including penalties of up to 3% of global revenue for the offender, or $10 million, and higher penalties for more serious offences, up to $25 million.

If you’re keeping track, the Act requires an assessment of:

• plain old “harm” (Section 5),
• “serious harm to individuals or harm to their interests” (Section 4),
• “material harm” (Section 12),
• “risks of harm” (Section 8),
• “serious risk of imminent harm” (Sections 17 and 28), and
• “serious physical or psychological harm” (Section 39).

All of which is to be contrasted with the well-trodden legal analysis around the term “real risk of significant harm” which comes from privacy law.

I can assure you that lawyers will be arguing for years over the nuances of these various terms: what is the difference between “harm” and “material harm”, “risk” versus “serious risk”? and what is “serious harm” versus “material harm” versus “imminent harm”? …and what if one of these species of “harm” overlaps with a privacy issue which also triggers a “real risk of significant harm” under federal privacy laws? All of this could be clarified in future drafts of Bill C-27, which would make it easier for lawyers to advise their clients when navigating the complex legal obligations in AIDA

Stay tuned. This law has some maturing to do, and much detail is left to the regulations (which are not yet drafted).

Calgary – 16:30 MT

.

By Richard Stobbe

Sierra Trading Post is an Internet retailer of brand-name outdoor gear, family apparel, footwear, sporting goods. Sierra lists comparison prices on its site to show consumers that its goods are competitively priced.

Chen, the plaintiff, sued Sierra, claiming the website’s comparison prices were false, deceptive, or misleading. The internet retailer defended by asserting that the lawsuit should be dismissed: Sierra pointed out that users of its site agreed to binding arbitration in the Terms of Use.  Chen countered, arguing that he had never seen the Terms of Use and so they were not binding.

In Chen v. Sierra Trading Post, Inc., 2019 WL 3564659 (W.D. Wash. Aug. 6, 2019), a US court decision, the court reviewed the issues. There was no disagreement that the choice-of-law and arbitration clauses appeared in the Terms of Use. The question, as with so many of these cases, is around the set-up of Sierra’s check-out screen. Were the Terms of Use brought to the attention of the user, so that the user consented to those terms at the point of purchase, thus evidencing a mutual agreement between the parties to be bound by those terms?

Both Canadian and US cases have been tolerant of a range of possibilities for a check-out procedure, and the placement of “click-through” terms. This applies equally to e-commerce sites, software licensing, subscription services, or online waivers. Ideally, the terms are made available for the user to read at the point of checkout, and the user or consumer has a clear opportunity to indicate assent to those terms. In some cases, the courts have accepted terms that are linked, where assent is indicated by a check-box.

While there is no specific bright-line test, the idea is to make it as easy as possible for a consumer to know (1) that there are terms and (2) that they are taking a positive step to agree to those terms.

In this case, STP claimed that Chen would have had notice of the Terms of Use via the website’s “Checkout” page where, a few lines below the “Place my order” button, a line says “By placing your order you agree to our Terms & Privacy Policy”. The court noted that “The Consent line contains hyperlinks to STP’s TOU and Privacy Policy.”

On balance, the court agreed to uphold the Terms of Use and compel arbitration.  While this was a win for Sierra, the click-through process could easily have been much more robust. For example, rather than “Place my order”, the checkout button could have said said “By Placing my order I agree to the Terms of Use” or a separate radio button could have been placed beside the Terms of Use and Privacy Policy to indicate assent.

Internet retailers, online service providers, software vendors and anyone imposing terms through click-through contracts should ensure that their check-out process is reviewed: make it as easy as possible for a court to agree that those terms are binding.

Calgary – 07:00 MST

By Richard Stobbe

A streaming service known as “GoldTV” was in the business of rebroadcasting television programing through online broadcasting or streaming services to Canadian consumers. This had the effect of eating into the core business model of traditional Canadian broadcasters such as Bell Media and Rogers. Can a broadcast company fight back against this type of streaming service by seeking a site-blocking order?

Based on copyright infringement allegations, the broadcasters took GoldTV to court and obtained interim court orders.  Despite the issuance of the interim and interlocutory injunctions directly against GoldTV, some of the offending services remained accessible, and the alleged infringement continued. Basically, GoldTV remained anonymous and (practically speaking) beyond the reach of the Canadian courts.  Bell Media and Rogers then sought an order to compel Canadian ISPs to block access to GoldTV’s sites.

We know that, under Canadian law, non-party actors can be ordered by a Canadian court to take certain steps. In Google Inc. v. Equustek Solutions Inc., 2017 SCC 34 (CanLII), the Supreme Court of Canada approved a court order that required Google to globally de-index the websites of a company in breach of several court orders.  The Court affirmed that injunctions can be issued against someone who is not a party to the underlying litigation.

In this recent decision, Bell Media Inc. v. GoldTV.Biz, 2019 FC 1432 (CanLII),  the court confirmed that it can order ISPs, such as Bell Canada, Fido, Telus and Shaw, to block the offending GoldTV sites. Although there are obvious analogies to the Equustek case, the court in GoldTV indicated an order of this nature has not previously issued in Canada but has in other jurisdictions, including the United Kingdom. Equustek involved de-indexing from a search engine, whereas the GoldTV case involves site-blocking. The court issued the site-blocking order, with a 2-year sunset clause.

Teksavvy Solutions (one of the ISPs bound by the order) has appealed this decision to the Federal Court of Appeal (PDF).

Stay tuned.

Calgary – 07:00 MST

By Richard Stobbe

It’s time to update our 2015 post about copyright in survey plans!  In the course of their work, land surveyors in Ontario prepare a survey document, and that document is routinely scanned into the province’s land registry database. Copies of survey documents can be ordered from the registry for a fee.

Land surveyors commenced a copyright class action lawsuit against Teranet Inc., the manager of the land registry system in Ontario.  The case travelled all the way up to Canada’s top court and in Keatley Surveying Ltd. v. Teranet Inc.  2019 SCC 43 the Supreme Court of Canada (SCC) rendered a decision on the appeal: Copyright in plans of survey registered or deposited in the land registry office belongs to the Province of Ontario under s. 12 of the Copyright Act.

Section 12 of the Copyright Act provides a statutory basis for Crown copyright.

Under this section, the Crown holds copyright in any work “prepared or published by or under the direction or control of Her Majesty”.

The court aimed to balance the rights of the Crown in works that are prepared or published under the control of the Crown, where it’s necessary to guarantee the authenticity, accuracy and integrity of the works. However, the scope of Crown copyright should not expropriate the copyright of creators and authors.

Basically, Crown copyright applies where:

1. The work is prepared by a Crown employee in the course of his or her employment or
2. The Crown determines whether and how a work will be made, even if the work is produced by an independent contractor.

In both situations, the Crown exercises “direction and control” for the purposes of Section 12 of the Act.

In the Teranet case, the main question was whether the registered and deposited survey plans were published by or under the “direction or control” of the Crown. The court concluded that “When either the Crown or Teranet publishes the registered or deposited plans of survey, copyright vests in the Crown because the Crown exercises direction or control over the publication process.”

Applying the principle of technological neutrality, the court indicated that the province’s use of new technologies (after digitization of the survey plans and publication process) did not change the court’s assessment of whether the Crown has copyright by virtue of s. 12. Finally, because the Crown owns copyright in the survey plans pursuant to s. 12 of the Act, there could be no infringement under the electronic registry system, and the class action was dismissed.

Background Reading:

Copyright in Survey Plans

Calgary – 07:00 MST

.

By Richard Stobbe

The idea of a ‘smart contract’ has been a lot of things: it’s upheld as the next big thing, a beacon of change for society, a nail in the coffin of an inefficient legal services profession, and it’s criticized as a misnomer for ‘dumb code’.  Our review of smart contracts continues with this question:  Are ‘smart contracts’ in need of specific laws and regulations in Canada?

In other words, is ‘smart contract’ law broken and in need of fixing?

(Need a quick primer on smart contracts? Can Smart Contracts Really be Smart?)

For those who may recall, the advent of other technologies has caused similar hand-wringing. For example the courts have, over the years, dealt with contract formation involving the telephone, radio, telex and fax … and email … yes, and the formation of contracts by tapping “I accept” on a screen.

There is a very good argument that the existing electronic transactions laws in Canada adequately cover the most common situations where so-called ‘smart contracts’ would be used in commercial relationships. For example, the Alberta Electronic Transactions Act (a piece of legislation that was introduced almost 20 years ago, when people talked about the “information superhighway”), was intentionally designed to be technology neutral.

The term “electronic signature” is defined in that law as “electronic information that a person creates or adopts in order to sign a record and that is in, attached to or associated with the record”. It’s so broad that the term can arguably apply to any number of possible applications, including situations where someone approves a transactional step within a smart contract work flow. Of course, this still has to be tested in court, where a judge would apply the law in an assessment of the specific facts of a particular dispute.

Does that create uncertainty? Yes, to a degree.

But the risks associated with that approach are preferable to the alternative. The alternative is to go the way of Arkansas, or other jurisdictions who have decided to wade in by prescriptively defining “smart contracts”.   For example, a 2019 law in Arkansas – “An Act Concerning Blockchain Technology” HB 1944 – amends that state’s electronic transactions law by defining “blockchain distributed ledger technology,” “blockchain technology” and “smart contract.”  By imposing specific definitions, these laws may have the unintended effect of excluding certain technologies that should be included, or catching use cases that were not intended to be caught.  This would be the equivalent of trying, in 2001, to define an electronic transaction by looking at  Amazon’s 1-click checkout. Sure, it was innovative at that time, but to peg a legal definition to that technology would have been short-sighted and unnecessarily constraining.

A second problem is a lack of standardization or uniformity in how different jurisdictions are choosing to define these technologies. This creates more uncertainty than a reliance on existing electronic transactions laws.

As blockchain and smart contract technology develops, the rush to have legal definitions cast in stone is premature and unwarranted.

Related Reading:

Blockchain Legislation – Too Soon?

Calgary – 07:00 MST

By Richard Stobbe

An obituary aggregation site – yes, there is such a thing – was in the business of reposting obituaries, both text and photos, taken from the sites of Canadian funeral homes and newspapers.  This database of obituaries was a way to attract visitors who could then buy flowers and ‘virtual candles’ on the same page as the obituary, to generate profits.

Not surprisingly, someone complained.

Thomson v. Afterlife Network Inc., 2019 FC 545 (CanLII) was a class action lawsuit against the obituary aggregation company, Afterlife, for copyright infringement, based on the unauthorized copying and publication of over a million obituaries. Shortly after the class action lawsuit was launched, the Afterlife site shut itself down.

Class action members expressed that “an obituary they had written for a family member, often accompanied by a photograph, had been posted on Afterlife’s website without their permission. The evidence of many Class Members is that they had written the obituaries in a personal way and that their discovery that the obituaries had been reproduced with the addition of sales of candles and other advertising was an emotional blow to them. In some cases, inconsistent information was added, for example, inaccurate details about the deceased or options to order flowers where the family had specifically discouraged flowers. The Class Members also describe Afterlife’s conduct, in seeking to profit from their bereavement and in conveying to the public that the families were benefiting from sales of virtual candles or other advertising, as reprehensible, outrageous and exploitative.”

The court had no trouble in establishing copyright protection for the obituaries as well as the photos.

The court also quickly concluded that Afterlife has republished this content without the permission of the original authors.

Damages need not be proven where statutory damages are invoked.  Since statutory damages (Section 38.1 of the Copyright Act) allow for not less than $500 and not more than $20,000 per infringement, the court saw that the minimum of $500 multiplied by the estimated two million separate infringements (at least one photo plus a block of text in each of the 1 million copied obituaries), would result in a minimum damage award of around $1 billion.  Seeing this as grossly disproportionate, the court awarded $10 million in statutory damages, and another $10 million in aggravated damages, which can be awarded for compensatory purposes.  Strangely, the court did not award punitive damages for this case of “obituary piracy”, that the court agreed was high-handed, reprehensible and “represents a marked departure from standards of decency”.

Although this case may be noted for its significant statutory damage award, it also deal with a moral rights claim by the original authors of the obituaries. Under Canadian copyright law, “moral rights” protect the integrity of a work and are engaged where the author’s honour or reputation is prejudiced by the distortion or modification of the original work, or by using the work in association with a product, service, cause or institution.

The court struggled to find a moral rights infringement, since it was given evidence of the subjective elements of the infringement (the authors expressed that they were understandably mortified that others would think that they were somehow profiting from bereavement). However, the court noted that there is both a subjective and objective aspect in order to establish infringement of moral rights. The objective element was missing here.

In the end, a $20 million damage award was granted against Afterlife.

Calgary – 07:00 MT

.

By Richard Stobbe

In February 2019, we reviewed the story of QuadrigaCX, and raised the question of how this would impact the adoption of cryptocurrencies or other tokens that are powered by the same blockchain or distributed ledger technologies (DLT) that underpin BitCoin. In particular we suggested that some regulatory oversight might be warranted. See: QuadrigaCX and the Missing Millions: A Crypto Cautionary Tale .

In March 2019 the Joint Canadian Securities Administrators (CSA) and IIROC (Investment Industry Regulatory Organization of Canada) issued a Proposed Framework for Crypto-Asset Trading Platforms (PDF). From a regulator’s perspective, many of these crypto-questions fall into the crack between CSA and IIROC.

Setting the stage to close that gap with regulatory engagement in Canada, the report notes that there are over 2,000 “crypto assets” in the wild, some trading for fiat currencies and others for various types of crypto-tokens, using over 200 different platforms. “Many of these Platforms,” say the report’s authors, “operate globally and without any regulatory oversight.”

There are a variety of crypto assets but currently they can generally be categorized from a regulatory perspective in one of two ways:

1. Either they are akin to a commodity or currency, often referred to as “utility tokens”, which are created to allow holders to access or purchase goods or services on a DLT network. Crypto assets that are a “form of payment or means of exchange on a decentralized network, such as bitcoin”, says the report, “are not currently in and of themselves, securities or derivatives. Instead, they have certain features that are analogous to existing commodities such as currencies and precious metals”;
2. Alternatively, crypto assets can be more akin to tokenized versions of traditional securities, derivatives or investment contracts, in the sense that they operate like shares in a company, or an interest in assets. If the crypto assets mimic the features of securities or derivatives, and are traded on an exchange platform, then that platform should be subject to existing securities regulatory requirements.

One of the regulatory problems is that the feature-sets of many crypto assets continually blur the lines between “currency” and “security”. Existing securities legislation may still apply to exchange platforms that offer trading of crypto assets even if those are tokens more like commodities, particularly where the investor’s contractual right to the cryptocurrency asset behaves like a security or derivative. Among the challenges that are unique to crypto exchange platforms is that these tokens and coins trade on a global basis, both on exchange platforms and off, both inside and outside regular trading hours, without any central source for pricing or reliable reference data. The values are “illiquid and highly volatile”. From a market surveillance point of view, this makes the regulatory enforcement uniquely challenging.

Essentially, the CSA/IIROC proposed platform framework would apply to “Crypto-Asset Trading Platforms” that are subject to securities legislation and that may not otherwise fit into other existing regulatory categories. Among the recommendations in the paper, crypto-trading platforms may have to become registered as investment dealers and meet compliance requirements for IIROC dealer and marketplace members.

Notably, this regulatory scheme would apply both to Platforms that operate in Canada and to those that have Canadian participants.

Enforcement is not really addressed here, but that’s another debate altogether.

The comment period is open until May 15, 2019.

Additional Reading: CSA Staff Notice 46-307 Cryptocurrency Offerings and CSA Staff Notice 46-308 Securities Law Implications for Offerings of Tokens, NI 21-101 Marketplace Operation, NI 23-101 Trading Rules and NI 23-103 Electronic Trading and Direct Access to Marketplaces.

Calgary – 07:00 MST

By Richard Stobbe

Here’s a familiar picture:  You are a Canadian business and you use a service provider outside of the country to process data. Let’s say this data includes personal information. This could be as simple as using Gmail for corporate email, or using Amazon Web Services (AWS) for data hosting, or hiring a UK company for CRM data processing services. 

Until now, the Federal Office of the Privacy Commissioner (OPC) has taken the position that data processing of this type is a “use” of personal information by the entity that collected the data for the purposes of the Personal Information Protection and Electronic Documents Act (PIPEDA).  Such use would require the consent of the individual for the initial collection, but would not require additional consent for the data processing by an out-of-country service provider, provided there was consent for that use at the time the information was first collected.  

The privacy laws of some provinces contain notification requirements in certain cases, though not express consent requirements, for the use of service providers outside of Canada.  For example, Alberta’s Personal Information Protection Act, Section 13.1, indicates that an organization that transfers personal information to a service provider outside Canada must notify the individual in question. 

The OPC’s guidance, dating from 2009, took a similar approach, allowing Canadian companies to address the cross-border data processing through notification to the individual.  In many cases, a company’s privacy policy might simply indicate in a general way that personal information may be processed in countries outside of Canada by foreign service providers. In the words of the commissioner in 2009:  “[a]ssuming the  information is being used for the purpose it was originally collected, additional consent for the transfer is not required.”  As long as consumers were informed of transborder transfers of personal information, and the risk that local authorities will have access to information, the organization was meeting its obligations under PIPEDA. 

A recent consultation paper published by the OPC has signalled a potential change to that approach.  If the changes are adopted by the OPC, this will represent a significant shift in data-handling practices for many Canadian companies. 

Draft guidance from the OPC, issued April 9, 2019, indicates that recent high profile cross-border data breaches, such as the incident involving Equifax, have inspired a stricter consent-based approach.  Today, the OPC issued a supplementary discussion document to explain the reasons for the proposed changes. (See: Consultation on Transborder Dataflows)

Reversing 10 years of guidance on this issue, the OPC now explains that a transfer of personal information between one organization and another should be understood as a “disclosure” according to the common understanding of that term in privacy laws. 

If the draft guidelines are adopted by the OPC, any cross-border transfers of personal data to an outsourced service provider would be considered a “disclosure”, mandating a new consent, as opposed to a “use” which could be covered by the initial consent at the time of collection.  Depending on the circumstances, the type of disclosure and the type of information, this could require express consent, and it’s not clear how this would apply to existing transborder data-processing agreements, or whether additional detail would  be required for consent purposes, or if the specific names of the service providers would be required as part of the consent. This could significantly impact data-processing, e-commerce operations, and the consent practices of many Canadian businesses. 

Consultations are open until June 4, 2019. Please stay tuned for further updates on this issue and if you want to seek advice on your company’s privacy obligations, please contact us.

Calgary – 16:00 MST

.

By Richard Stobbe

Go-karting in Saskatchewan as an internet law case?  Yes, and you’ll see why. In Quilichini v Wilson’s Greenhouse, 2017 SKQB 10 (CanLII), a go-kart participant is injured and sues the service provider. The service provider holds up the waiver as a complete defence, saying it contains a release of all claims.

In this case, the waiver is  provided to all participants through a kiosk system, where an electronic waiver is presented in a series of electronic pages on a computer screen. Participants have to click “next” to move from one page to the next; and finally click the “I agree” button on the electronic waiver before they can participate in the activity.

Variations of this happen everyday across Canada when users click “I agree”, “I accept” or some variation of a click, tap or swipe to indicate assent to a set of terms.

• Can legally binding contracts be formed in this way?
• And another question, even if it works for common-place transactions like a shopping-cart check-out, does it work for something as important as a release and waiver of the right to sue for personal injury?

The answer is a clear yes, according to the facts of this case. The judge in Quilichini had no trouble finding that the participant’s electronic agreement was just as effective as a signed hard-copy of the agreement. The participant had a full opportunity to read the waiver, and there was nothing obscure in the presentation of the waiver, or the choice whether or not to accept it. The court concluded: “there can be no question but that when the plaintiff clicked ‘I agree’, he was intending to accept and assume responsibility for any possible risk involved and knew he was agreeing to discharge or release the defendants from all claims or liabilities arising, in any way, from his participation.”

This conclusion is based in part on Canadian provincial laws such as Alberta’s Electronic Transactions Act, SA 2001, c E-5.5, (there’s an equivalent in Saskatchewan and other provinces), which generally indicate that if there is a legal requirement that a record be signed, that requirement is satisfied by an electronic signature. There are exceptions of course, such as wills or transfers of land.

In the Quilichini  decision, the court didn’t look outside the Saskatchewan Electronic Information and Documents Act, 2000. But there are other authorities to support the proposition that binding contracts can be formed online in a number of ways. Decisions such as Kanitz v. Rogers Cable Inc., 2002 CanLII 49415 (ON SC), even deal with passive assent, where a user is deemed to be bound by something even absent a formal “click-through” button. Kanitz dealt with the question of whether internet service subscribers were bound by a subscription agreement, where that agreement was amended, then merely posted to the service provider’s site, rather than requiring a new signature or a fresh “click-through”. The subscribers were bound by the terms merely by continuing to use the service after the amended terms were posted.

In considering this, the Court in Kanitz said: “…we are dealing in this case with a different mode of doing business than has heretofore been generally considered by the courts. [remember… this was 2002] We are here dealing with people who wish to avail themselves of an electronic environment and the electronic services that are available through it. It does not seem unreasonable for persons who are seeking electronic access to all manner of goods, services and products, along with information, communication, entertainment and other resources, to have the legal attributes of their relationship with the very entity that is providing such electronic access, defined and communicated to them through that electronic format. I conclude, therefore, that there was adequate notice given to customers of the changes to the user agreement which then bound the plaintiffs when they continued to use the defendant’s service.” [Emphasis added]

This is not to say that ALL electronic contracts are always enforceable, or that all amendments will be enforceable even without a proper mechanism to collect the consent of users. However, it does provide a measure of confidence for Canadian internet business, that the underlying legal foundation will support the enforceability of contractual relationships when business is conducted online.

Want to review your own internet agreements and electronic contracting workflows to ensure they are binding and enforceable? Contact Richard Stobbe.

Calgary – 07:00 MST

.

E-commerce Legal Review (Part 1): Uber’s Arbitration Clause Struck Down

By Richard Stobbe

Today we start a three-part series reviewing e-commerce agreements, click-through agreements, and online ‘terms of service’ or ‘terms of use’. Users agree to these terms every day.  What’s the current state of the law in Canada on internet contracts?  

Almost a year ago, we wrote about a case where Uber drivers challenged Uber’s user online terms.  (See: Uber vs. Drivers: Canadian Court Upholds App Terms). Uber drivers claimed that they should have the benefit of local laws which protect employees. This case was at the centre of the debate about whether Uber’s drivers are customers, independent contractors, or employees. Uber’s counter argument was that the drivers’ claim should not proceed because, under the terms of use, all of the drivers agreed to settle disputes by arbitration in the Netherlands.

So the court had to wrestle with this question:  Should the arbitration clause in the terms of use be upheld? Or should the drivers be entitled to have their day in court in Canada? 

The original class-action case was decided in favour of Uber. The court upheld the app terms of service, and deferred this dispute to an arbitrator in the Netherlands. The court applied the Supreme Court of Canada reasoning in Seidel v. TELUS Communications Inc. (applying the competence-competence analysis). The first Heller decision was appealed.

In the second Heller decision ( Heller v. Uber Technologies Inc., 2019 ONCA 1 (CanLII)), the Ontario Court of Appeal struck down Uber’s mandatory arbitration clause for several reasons:

1. The arbitration clause was found to be invalid on the basis of unconscionability. On this point, the court noted that the cost to initiate the mandatory arbitration process under Uber’s terms would cost a driver more than USD$14,000 (noting that the average Uber driver might earn $400 – $600 per week ).
2. The court agreed that if the arbitration clause was valid, then the claim would fall within that clause. However, the court said this case fell one step prior to that: the validity of the arbitration clause itself was in issue. In that light, the competence-competence principle had no application to this case. The arbitration clause was not valid, the court decided, therefore the jurisdiction issue did not even arise.
3. The court reasoned that employers (with Uber standing in the position of employer for these purposes) should not be entitled to contract out of the Employment Standards Act  (ESA) on behalf of their employees. The choice to proceed by way of arbitration should be in the hands of the employee. “It is [the employee’s] choice whether to take that route,” said the Court, “and he is only barred from making a complaint if he chooses to take it. The Arbitration Clause essentially transfers that choice to Uber who then forces the appellant (and all other drivers) out of the complaints process.”
4. The court raised a number of public policy considerations – including the problems regarding the result that would come out of the arbitration process in the Netherlands, the problems associated with an arbitration ruling that would not benefit others for a determination of the underlying issues. In other words, other drivers in the class would be deprived of a remedy if each driver was forced through arbitration, whereas a complaint under the Ontario Employment Standards Act would set a precedent that others could rely on. “The issue of whether persons, in the position of the appellant, are properly considered independent contractors or employees is an important issue for all persons in Ontario,” said the Court. “The issue of whether such persons are entitled to the protections of the ESA is equally important. Like the privacy issue raised in Douez, the characterization of these persons as independent contractors or employees for the purposes of Ontario law is an issue that ought to be determined by a court in Ontario.”

In the final result, the Court concluded that the mandatory arbitration clause amounted to an illegal contracting out of an employment standard, contrary to the Employment Standards Act (Ontario), assuming the drivers are indeed employees. Separately, the Court decided the arbitration clause was unconscionable at common law, and therefore invalid under the (Ontario) Arbitration Act.

Lessons for business?

• The court of appeal sent a clear message that expensive and unwieldy mandatory arbitration clauses such as the one used by Uber will risk being struck down for unconcsionability.
• Aside from the issue of unconscionability, such clauses are at risk on other public policy  grounds, where local courts wish to assert local laws. In this case, it was the ESA. Courts have shown themselves to be wary of permitting platform providers (such as Uber and Facebook) to use the terms of service to contract out of local laws. See Douez v. Facebook, Inc., [2017] 1 SCR 751, 2017 SCC 33 (CanLII), where the SCC found that Facebook’s forum selection clause was unenforceable, although for a set of confusing reasons (the majority in Douez did not address the issue of unconscionability). In Douez, it was a local privacy law that was at issue (British Columbia’s Privacy Act).

Get advice on your online contracts to ensure that they will not be at risk of being struck down based on this latest guidance from the Court.

Calgary – 07:00 MST

.

By Richard Stobbe

As we’ve reviewed before, the term “smart contract” is a misnomer. (For background, see Smart Contracts (Part 3): Opportunities & Limits of Smart Contracts.) The so-called smart contract isn’t really a “contract” at all : it’s the portion of the transaction that can be automated and executed through software code. Hence, we prefer the term “programmatically executed transactions” — not as catchy, but maybe more accurate.

The written legal prose, or what we might think of as a ‘traditional contract’, sets out a bunch of contract terms, usually in arcane legalese, that describe certain elements of the relationship. Parts of that ‘traditional contract’ can be automated and delegated to software. However, once concluded, the traditional legal contract usually sits in one silo, and the software code is developed and sits in another silo, completely divorced one from the other.

The evolution of research and software tools has permitted the so-called Ricardian contract to function as a bridge between these silos. Based on the work of Ian Grigg, a Ricardian contract is conceived as a single document that has a number of elements that permit it (1) to function as a “contract” in the way the law would recognize a contract, so the thing has legal integrity, (2) to be readable by humans, in legal prose, (3) to be readable by software, like software reads a database or a input fields, (4) to be signed digitally, and (5) to be integrated with cryptographic identifiers that imbue the transaction process with technical integrity and verifiability. This is where blockchain or distributed ledger technology comes in handy.

The document should be readable by both humans and machines. It integrates the ‘traditional contract’ with the ‘smart contract’, since the elements or parameters that can be automated and implemented by software are read into the code straight from the contract terms.

Can this form the basis for software developers and lawyers to play in the same sandbox?

There are a number of developments in this arena where “legal” and “software” overlap, and Ricardian contracts are merely one iteration of this concept: for more background, Meng Wong’s presentation on Computable Contracts is a must-see.  His Legalese contracts are intended to allow legal terms and conditions to be represented in machine-understandable way, with or without a blockchain deployment. OpenLaw is another version of this approach : blockchain-enabled contracts that delegate certain functions to software. There are a whole range of options and variations of this.

In theory, this sets up an “Internet of Agreements” system that is designed to execute deals and transactions automatically with distributed ledger ecommerce technology through interwoven contracts and software across disparate platforms.

How far away is this legal-techno-dream?

For some applications, particularly in financial services, it’s much closer. Versions of these technologies are being beta-tested and implemented by global banks.  Since many of these implementations will be between entities in back rooms of the financial services industry, they will be invisible to the average consumer.  For many sectors – let’s say for example, the development of a full-stack land transfer technology - where smart contracts have to interface with existing immovable legal or institutional structures, this is a long way off.

Calgary – 07:00

By Richard Stobbe

For those who want blockchain-enabled cryptocurrencies to be deployed in mature, mainstream industry sectors (energy, insurance, financial services), it doesn’t help to have headlines like “How crypto exchange QuadrigaCX lost access to $190 million of customers’ money” (from Global News), or “Crypto CEO Dies Holding Only Passwords That Can Unlock Millions in Customer Coins” (that one from Bloomberg).

But let’s face it: those headlines appear to capture the essence of the current cloud of uncertainty that shrouds QuadrigaCX, a well-known Vancouver-based cryptocurrency exchange.

The company recently filed for creditor protection in a Nova Scotia court, after the reported sudden death of founder and CEO Gerald Cotten.  From reports of the company’s court filings, Mr. Cotten died with the recovery codes to the offline “cold storage” vaults containing access to customers’ cryptocurrency assets.

On February 5, 2019, the Nova Scotia court granted bankruptcy protection under the CCAA (Companies’ Creditors Arrangement Act) and appointed Ernst & Young as monitors to investigate the accessibility of any funds to reimburse the approximately 115,000 customers. A 30-day stay of proceedings was ordered, effectively shielding the company from further lawsuits as this investigation continues.

If no-one knows the access codes aside from the deceased founder, then the offline accounts, which reportedly hold millions of dollars worth of crypto assets, may be irretrievably lost.

What does this mean for the adoption of cryptocurrencies or other tokens that are powered by the same blockchain technologies that underpin BitCoin?

Cryptocurrency had a spotty reputation to begin with, and the current speculation and various internet-fuelled conspiracy theories surrounding QuadrigaCX do not give a person confidence.  You mean, I can take a risk by buying cryptocurrency hoping it’s going to rise in value, and then face the added risk that even if the value does increase, the multimillion dollar asset might suddenly disappear because one person held all the passwords? Apparently, yes.

Can one also lose millions in highly regulated industries by buying stocks or investing with Ponzi schemes?  Undoubtedly, yes. Somehow, the loss of traditional dollars does not shake investor confidence the way the collapse of QuadrigaCX might shake consumer confidence in BitCoin.

Maybe that’s because the history of crypto is a blip when compared to fiat currency. And maybe it’s because banks and others who handle consumer investments are subject to complex regulation, insurance requirements, registration requirements, securities commissions, financial superintendents, regulatory reporting and compliance obligations, and a system of censure in the case of a breach of those regulations.  After all, the QuadrigaCX exchange was not so much an investment vehicle; it was more akin to a bank.  When banks fail, confidence is understandably shaken.

The real cautionary tale may be that a mature and measured approach to cryptocurrency regulation may help instill confidence in the sector, and this may help pave the way for the strategic use of distributed-ledger technologies that are associated with cryptocurrency coins and tokens.

Calgary – 07:00 MST

.

By Richard Stobbe

The National Data Protection Commission (CNIL), France’s data protection authority, came down on Google with a €50 million penalty for breach of the EU’s General Data Protection Regulation (“GDPR”).

CNIL was responding to complaints from two privacy advocacy groups who called out Google for lacking a valid legal basis to process the personal data of EU users of Google services, particularly for ads personalization purposes. Although Google’s European headquarters are situated in Ireland, that country did not take the role of “lead authority” for DPA purposes, since processing of EU users’ data occurred through Google’s U.S. operations, rather than through its Irish division. This left the field open for France to take over the file and render a decision on the complaint.

The GDPR establishes a “one-stop-shop” which is designed for greater certainty for those organizations doing business in the EU. A business should only have to deal with the Data Protection Authority (“DPA”) of the country where its “main establishment” is located.

A DPA is, under the GDPR regime, an independent public authority tasked with supervising enforcement of data protection laws, with investigative powers and corrective authority. There is one DPA in each EU member state.

Google, according to CNIL, failed on two main counts based on the GDPR principles of transparency, information and consent:

• First, Google’s explanation of data processing purposes is not clear nor comprehensive. “Users are not able to fully understand the extent of the processing operations carried out by GOOGLE,” says CNIL, and Google’s processing operations are “massive and intrusive” due to the sheer scope of the company’s services and the high volume of data which is collected and processed by Google.
• Second, consent was not validly obtained, because the specific uses are not made clear to the user. This is the case even though the user of Google’s services can modify some options and configure some features of personalized ads. Just because some user configuration is allowed, that does not mean Google is in compliance with GDPR requirements.
• CNIL was not impressed with the configuration options for ads personalization. To the extent configuration is made available to Google’s users, the choices are “pre-ticked”. The GDPR requires “unambiguous” consent, requiring a specific affirmative action from the user (for example, by clicking a non-pre-ticked box ). At the point of account creation, when a user clicks “I agree to the processing of my information as described above and further explained in the Privacy Policy“, the user gives consent in full, for all processing operations. However the CNIL notes that “the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose.”

This is the first penalty issued by France’s DPA.

Should Canadian companies be concerned? Any company that is engaged in processing of EU resident data will be subject to the GDPR, not just those who have a permanent establishment in the EU.

Calgary – 07:00 MST

.

By Richard Stobbe

In Part 1 (Can Smart Contracts Really be Smart?), we looked at “smart contracts”, what might be called “programmatically executed transactions” or PETs. This concept refers to computers programmed to automatically executes certain transaction steps, provided certain conditions are met, illustrated by the vending machine analogy.

In Part 2 (Smart Contracts (Part 2): Intermediaries? We Don’t Need No Stinkin’ Intermediaries!), we pointed out that users of private shared (DLT) ledger systems must be aware of the attendant costs of switching to new intermediaries, and the legacy costs of continued dependence on old intermediaries.  To borrow a phrase from The Who, “Meet the new boss… same as the old boss.”  In other words, don’t be fooled into thinking that intermediaries will disappear; they merely change. Managing the intermediaries remains a challenge.

In this final instalment of our series, we look at the opportunities and limits of smart contracts. I want to emphasize a few points:

1. Placing Smart Contracts in Context: First, it’s worth emphasizing that smart contracts or PETs are merely one element of the whole DLT permissioned ledger ecosystem. The smart contract enables and implements certain important transactional steps, but those steps fit within the broader context of a matrix of contractual relations between the participants. Many of those relationships will be governed by “traditional” contracts. This traditional contract architecture enables the smart contract workflow.  The take-home point here is that traditional contracts will remain a part of these business relationships, just as intermediaries will remain part of business relations. Let me provide an example: the Apple iTunes ecosystem contains a number of programmatically executed transactions. When a consumer chooses a movie rental, a song download or a music subscription, the order fulfilment and payment processing is entirely automated by software. However, users cannot participate in that ecosystem, nor can Apple obtain content from content producers, without an overarching set of traditional contracts: end user license agreements, royalty agreements, content licenses, agreements with payment providers. Those traditional contracts enable the PET, just as the PET enables the final transaction fulfillment.
2. Changing Smart Contracts:  Once a PET is set loose, we think of it as a self-actuating contract: it cannot be changed or altered or stopped by humans.  The inability of humans to intervene is seen as a positive attribute - it removes the capriciousness of individuals and guarantees a specific pre-determined machine-driven outcome. But what if the parties decide (humans being humans) that they want the contract to be suspended or altered? Where humans control the progression of steps, they can decide to change, stop or reverse at any point in the workflow. Of course we’re assuming that this is a change or reversal to which both parties agree. But what is the mechanism to hit “pause”, or change a smart contract once it’s in midflight?  That remains a challenge of smart contracts, particularly as PET workflows gain complexity using blockchain-based technologies.
   • One solution may be found within those traditional contracts, which can be drafted in such a way that they allow for a remedy in the event of a change in circumstances to which both sides agree, even after the PET has started executing the steps it was told to execute. In other words, the machine may complete the tasks it was told to do, but the humans may decide (contractually) to control the ultimate outcome, based on a consensus mechanism that can override the machine after the fact.  This does have risks – it injects uncertainty into the final outcome. It also carries benefits – it adds flexibility to the process.
   • Another solution may be found in the notion of “hybrid contracts” which are composed in both machine-readable form (code) and human-readable form (legal prose).  This allows the parties to implement the consensus using a smart contract mechanism, and at the same time allows the parties to open up and change the contract terms using more traditional contract methods.
3. Terminating Smart Contracts:  Finally, consider how one party might terminate the smart contract relationship. If the process is delegated to self-executing blockchain code, how can the relationship be terminated?  Again, where one party retains the ability to unilaterally terminate a PET, the final outcome is uncertain, and one of the chief benefits of smart contracts is lost. Too much flexibility will undermine the integrity of the process.  On the other hand, too much rigidity might slow adoption of certain smart-contract workflows, especially as transaction value increases. A multilateral permissioned mechanism to terminate the smart contract must be considered within the system. Participants in a smart contract permissioned ledger will also have to consider what happens with the data that sits on the (permanent, immutable) ledger after termination. When building the contract matrix, consider what is “ledgerized”, what remains in non-ledgerized participant databases, and what happens to the ledgerized data after contract termination.

If you need advice in this area, please get in touch with our Emerging Technology Group.

Calgary – 07:00 MST

.

By Richard Stobbe

A seemingly simple dispute lands on the desk of a judge in Vancouver, BC. By analogy, it could be described like this:

• A Canadian purchased 530 units of foreign currency #1 from a Singapore-based currency trader.
• By mistake, the currency trader transferred 530 units of currency #2 to the account of the Canadian.
• It turns out that 530 units of currency #1 are worth $780.
• You guessed it, 530 units of currency #2 are worth $495,000.
• Whoops.
• The Singaporean currency trader immediately contacts the Canadian and asks that the currency be returned, to correct the mistake.

Seems simple, right? The Canadian is only entitled to keep the currency worth $780, and he should be ordered to return the balance.

Now, let’s complicate matters somewhat. The recent decision in Copytrack Pte Ltd. v Wall, 2018 BCSC 1709 (CanLII), one of the early decisions dealing directly with blockchain rights, addresses this scenario but with a few twists:

Copytrack is a Singapore-based company which has established a service to allow copyright owners, such as photographers, to enforce their copyrights internationally. Copyright owners do this by registering their images with Copytrack, and then deploying software to detect instances of online infringement. When infringement is detected, the copyright owner extracts a payment from the infringer, and Copytrack earns a fee.  This copyright enforcement business is not new. However, riding the wave of interest in blockchain and smart contracts, Copytrack has launched a new blockchain-based copyright registry coupled with a set of cryptocurrency tokens, to permit the tracking of copyrights using a blockchain ledger, and payments using blockchain-based cryptocurrency.  Therefore, instead of traditional fiat currency, like US dollars and Euros, which is underpinned by a highly regulated international financial services industry, this case involves different cryptocurrency tokens.

When Copytrack started selling CPY tokens to support their new system, a Canadian, Mr. Wall, subscribed for 580 CPY tokens at a price of about $780.  Copytrack transferred 580 Ether tokens to his online wallet by mistake, enriching the account with almost half a million dollars worth of cryptocurrency.  Mr. Wall essentially argued that someone hacked into his account and transferred those 530 Ether tokens out of his virtual wallet.  Since he lacked control over those units of cryptocurrency, he was unable to return them to Copytrack.

The argument by Copytrack was based in an old legal principle of conversion – this is the idea that an owner has certain rights in a situation where goods (including funds) are wrongfully disposed of, which has the effect of denying the rightful owner of the benefit of those goods.  With a stretch, the court seemed prepared to apply this legal principle to intangible cryptocurrency tokens, even though the issue was not really argued, legal research was apparently not presented, the proper characterization of cryptocurrency tokens was unclear to the court, the evidentiary record was inadequate, and in the words of the judge the whole thing “is a complex and as of yet undecided question that is not suitable for determination by way of a summary judgment application.”

Nevertheless, the court made an order on this summary judgement application. Perhaps this illustrates how usefully flexible the law can be, when it wants to be. The court ordered “that Copytrack be entitled to trace and recover the 529.8273791 Ether Tokens received by Wall from Copytrack on 15 February 2018 in whatsoever hands those Ether Tokens may currently be held.”

How, exactly, this order will be enforced remains to be seen. It is likely that the resolution of this particular dispute will move out of the courts and into a private settlement, with the result that these issues will remain complex and undecided as far as the court is concerned. A few takeaways from this decision:

1. As with all new technologies, the court requires support and, in some cases, expert evidence, to understand the technical background and place things in context. This case is no different, but the comments from the court suggest something was lacking here: “Nowhere in its submission did Copytrack address the question of whether cryptocurrency, including the Ether Tokens, are in fact goods or the question of if or how cryptocurrency could be subject to claims for conversion and wrongful detention.”
2. It is interesting to note that blockchain-based currencies, such as the CPY and Ether tokens at issue in this case, are susceptible to claims of hacking. “The evidence of what has happened to the Ether Tokens since is somewhat murky”, the court notes dryly. This flies in the face of one of the central claims advanced by blockchain advocates: transactions are stored on an immutable open ledger that tracks every step in a traceable, transparent and irreversible record. If the records are open and immutable, how can there be any confusion about these transfers? How do we reconcile these two seemingly contradictory positions?  The answer is somewhere in the ‘last mile’ between the ledgerized tokens (which sit on a blockchain), and the cryptocurrency exchanges and virtual wallets (using ‘non-blockchain’ user-interface software for the trading and management of various cryptocurrency accounts). It may be infeasible to hack blockchain ledgers, but it’s relatively feasible to hack the exchange or wallet. This remains a vulnerability in existing systems.
3. Lastly, this decision is one of the first in Canada directly addressing the enforcement of rights to ownership of cryptocurrency. Clearly, the law in this area requires further development – even in answering the basic questions of whether cryptocurrency qualifies as an asset covered by the doctrines of conversion and detinue (answer: it probably does). This also illustrates the requirement for traditional dispute resolution mechanisms between international parties, even in disputes involving a smart-contract company such as Copytrack. The fine-print in agreements between industry players will remain important when resolving such disputes in the future.

Seek experienced counsel when confronting cryptocurrency issues, smart contracts and blockchain-based rights.

Calgary – 07:00 MST

.

By Richard Stobbe

Can a hashtag constitute defamation?

In an Ontario case involving a music collaboration gone wrong, the answer apparently is yes. The dispute involved Mr. Johnson, who was allegedly a songwriter and music producer. Ms. Rakhmanova was also a song writer and signer. The two musicians collaborated on several tracks which were later the subject of a bitter dispute.

According to the judgement, Mr. Johnson released the tracks online, over the objections of Ms. Rakhmanova. At one point, after the songs were mixed and mastered, Ms. Rakhmanova requested that Mr. Johnson sign a recording contract, to memorialize the joint-authorship and ownership of the tracks, including equal publishing credit. Mr. Johnson refused to sign the contract since, according to the judgement, he intended to claim sole ownership over the three songs. Ms. Rakhmanova withdrew her consent to the release of her melodies and vocal tracks.  By then, however, the track had already been released online.  Mr. Johnson failed to properly account for any revenue or royalties, and did not include proper attribution of Ms. Rakhmanova’s contributions: her picture and name were omitted from certain track names.

Ms. Rakhmanova then launched a series of online communications – through emails, Facebook, Twitter, Instagram accounts and SoundCloud posts – demanding removal of the content, and generally calling out Mr. Johnson for his conduct that, in her view, could be described as “…#stealing“, “infringing of my copyright“, “#piracy” “#plagiarism“, “#Infringement“, “#Illegal“, and characterizing Mr. Johnson as akin to “con artists who shamelessly peddle stolen acappellas“…

In Johnson v. Rakhmanova, 2018 ONSC 5258 (CanLII), the Court reviewed a defamation claim by Mr. Johnson, based on comments of this type. Interestingly, the Court flagged the defamatory elements in the various extracts, specifically highlighting certain hashtags such as “#piracy” “#plagiarism”, “#Infringement”, “#Illegal”. While none of the social media posts consisted of only hashtags (there was always more content included in the post), it is worth noting that, for certain posts, the judge highlighted the hashtag alone as constituting the only defamatory element. This suggests that, in the right context, a well-placed hashtag can constitute a defamatory statement.

A finding of defamation raises a presumption that the words complained of were false, that they were communicated with malice and that the plaintiff suffered damage.  That presumption of falsity is rebutted by the defendant proving truth or justification.  In the end, the Court took the view that most of these defamatory statements were accurate and truthful and therefore justified. And therefore not defamatory. The court dismissed Mr. Johnson’s defamation claim in any event, and awarded costs to Ms. Rakhmanova.

Calgary -7:00 MST

.

By Richard Stobbe

When a copyright owner seeks to enforce against online copyright infringement, it often faces a problem: who is engaging in the infringing activity?  If the old adage holds true – on the internet, nobody knows you’re a dog – then the corollary is that there must be a lot of canines engaged in online copyright infringement.

Of course a copyright owner can only enforce its rights against online infringement if it knows the identity of the infringer.  The Canadian solution, which is enshrined in the Copyright Act,  is the so-called “notice-and-notice” regime, which allows a copyright holder to send a notice to the ISP (internet service provider), and the ISP is obliged by the Copyright Act to send that notice to the alleged infringer, who still remains anonymous.  The notice of infringement is passed along… but the infringing content remains online.  Since the “notice-and-notice” regime is not much of an enforcement tool, the path eventually leads copyright holders to seek a court order (called a Norwich order) to disclose the identity of those alleged infringers.  (See our previous articles about Norwich Orders for background.)

In Rogers Communications Inc. v. Voltage Pictures, LLC, 2018 SCC 38, a film production company (Voltage) alleged copyright infringement by certain anonymous internet users. Allegedly, films were being shared using peer-to-peer file sharing networks. Yes, apparently peer-to-peer file sharing networks are still a thing. Voltage sued one anonymous alleged infringer and brought a motion for a Norwich order to compel the ISP (Rogers) to disclose the identity of the infringer.

Now we get to a practical problem: who pays for the disclosure of these records?

Pointing to sections 41.25  and 41.26  of the Copyright Act, Voltage argued that the disclosure order be made without anything payable to Rogers. In essence, Voltage argued that the “notice and notice” regime does two things: it creates a statutory obligation to forward the notice of claimed infringement to the anonymous infringer. The Act also prohibit ISPs from charging a fee for complying with these “notice-and-notice” obligations. In response, Rogers argued that there is a distinction between sending the notice to the anonymous infringer (for which it cannot charge a fee) and disclosing the identity of that (alleged) infringer pursuant to a Norwich order. The Act does not specify that ISPs are prohibited from charging a fee for this step.

The Supreme Court of Canada (SCC) agreed that there is a distinction to be made: on the one hand, an ISP has obligations under the Copyright Act  to ensure the accuracy of its records for the purposes of the notice and notice regime, and on the other hand, an ISP may be obliged, under a Norwich order to actually identify a person from its records. In a nutshell, the court reasoned that ISPs must retain records under the Act, in a form and manner that permits an ISP to identify the name and address of the person to whom notice is forwarded for the “notice-and-notice” purposes. But the Act does not require that these records be kept in a form and manner which would permit a copyright owner or a court to identify that person.  The copyright owner would only be entitled to receive that kind of information from an ISP under the terms of a Norwich order. The Norwich order is a process that falls outside the ISP’s obligations under the notice and notice regime. In the end, an ISP can recover its costs of compliance with a Norwich order, but ISPs cannot be compensated for every cost that it incurs in complying with such an order:

“Recoverable costs must be reasonable and must arise from compliance with the Norwich order. Where costs should have been borne by an ISP in performing its statutory obligations under the notice and notice regime, these costs cannot be characterized as either reasonable or as arising from compliance with a Norwich order, and cannot be recovered.”

According to Rogers, there are eight steps in its process to disclose the identity of one of its subscribers in response to a Norwich order.  The SCC made reference to this eight-step process, but wasn’t in a position to decide which of these steps overlap with Rogers’ obligations under the Act (for which Rogers was not entitled to reimbursement) and the steps which are “reasonable costs of compliance” (for which Rogers was entitled to reimbursement). The question was returned to the lower court for determination.

For copyright owners, its clear that ISPs will not shoulder the entire cost of disclosing the identity of subscribers at the Norwich stage. How much of that cost will have to borne by copyright holders is, unfortunately, still not very clear.  For ISPs, this decision is a mixed bag – Rogers makes a solid argument that the costs of compliance with Norwich orders are relatively high, compared with the automated notice-and-notice procedures. While it will benefit ISPs to be able to charge some of these fees to the copyright owner, we don’t have clear guidance on the specifics.  The matter will have to be determined on a case-by-case basis, depending on the ISP and their own internal procedures.

Looking for advice on Norwich orders and enforcement against online copyright infringement? Look for experienced counsel to guide you through this process.

Calgary – 7:00 MST

By Richard Stobbe

Canada’s Anti-Spam Law (affectionately known as CASL) is best known as a means to combat unwanted email and other commercial electronic messages, but the law also contains anti-malware provisions. We first reviewed those software-related provisions in 2014, when the legislation was being rolled out. Essentially, you can’t install software onto someone’s computer or device without getting their consent.

The CRTC recently announced an enforcement action against two Ontario companies, Datablocks and Sunlight Media, and assessed a Notice of Violation carrying penalties of $250,000, for allegedly aiding in the installation of malware through the distribution of online advertising. The penalty can be disputed by the two companies.

This recent notice of a possible penalty comes hot on the heels of a search warrant which was executed in January, 2016.  So, that means the legislation came into force in January, 2015… the first search warrant was in 2016… the first penalties were assessed in July 2018. Not exactly an enforcement blitz.

Perhaps the take-home message from this case is that the companies in question are alleged to have accepted anonymous clients who then deployed malware to the computer systems of Canadians using the infrastructure and operations of Datablocks and Sunlight Media.  It may be good practice for vendors to implement some version of the “know your client” rules that currently apply to banks, financial advisors, lawyers and other professional advisors. At a minimum, compliance should involve written agreements with clients or customers, and according to the CRTC, neither Datablocks nor Sunlight had written contracts in place with their clients regarding compliance with CASL, or monitoring measures in place to guard against this risk.

Calgary – 07:00

By Richard Stobbe

In Part 1 (Can Smart Contracts Really be Smart?), we looked at smart contracts, and how “smart” they really are – if you need some background, start there.

Smart contracts (or “programmatically executed transactions”) have been touted as a possible solution to a range of business problems, as well as the death knell for intermediaries. By deploying DLT on a private shared ledger, the power of the blockchain is harnessed to leapfrog past traditional intermediaries. This enables more efficient transactions, free from the constraints and incremental expenses imposed by banks, auditors, governments, regulators, lawyers, accountants and others who take a pound of flesh from the transaction workflow.

By shuffling off the intermediaries, the smart contract is free to move efficiently in the economy, saving time and money for participants. To adapt a phrase from the Humphrey Bogart vehicle The Treasure of Sierra Madre: Intermediaries? We don’t need no stinkin’ intermediaries! At least… that’s the current hope for blockchain-powered smart contracts.

Are there any concerns with this vision?  One of the current constraints in the smart contract ecosystem is the gap between tokenized indicators of value on the ledger, and the almighty dollar. Or the euro. The pound sterling. The yen. The yuan. Or whatever fiat currency you may wish to use to transact business in the real world. As much as we’d like to envision a post-money world, the reality is like the QWERTY keyboard. Or the Microsoft operating system. It may not be the best. But it’s got massive market penetration. In the case of the QWERTY keyboard, we’ve been stuck with it since the 1800s. In the case of  money as a currency, since the 11th century.

Ten centuries of market inertia is not easy to shift.

That gap – between the digital representations of value, and real world money – must be efficiently closed for smart contracts to gain widespread traction. Maybe eventually we’ll move past “money” in the way voice-activation moves past the QWERTY keyboard. But that’s a long way off.

In the meantime, smart contracts powered by DLT will have to peg a tokenized “dollar” to a real dollar in the sense that the token is backed by the dollar: this is the concept of a fiat-collateralized digital representation of a real dollar, or a stablecoin.  “You deposit dollars into a bank account and issue stablecoins 1:1 against those dollars.” This has obvious advantages over a crypto-collateralized coin, which suffers from wildly unpredictable price fluctuations. A stablecoin is simple and resistant to price-volatility. However, “It requires centralization in that you have to trust the custodian, so the custodian must be trustworthy. You’ll also want auditors to periodically audit the custodian, which can be expensive.”

But wait, we already have a trusted centralized custodian of collateralized digital representations of value: It’s called a bank!

As noted in Blockchain and Shared Ledgers: “You could say that the technology service provider is replacing the traditional third party intermediary on a private shared ledger – in the way that they are maintaining and operating the shared ledger technology systems …” (My emphasis).

To put this another way, does this mean software companies are the new banks? The concern here is that users of private shared ledgers will not shuffle off intermediaries; rather they’ll swap one intermediary for another.

I’m just as happy as the next guy to grumble about banks, but they will likely be with us for a while, complete with the government regulatory environment, the industry watchdogs, the legacy payment rails, and centuries of inertia. I’m not saying the banks can’t be disrupted. But the disruptors will also take their pound of flesh.

Ok, maybe we do need intermediaries after all. Users of private shared ledger systems must be aware of the attendant costs of switching to new intermediaries, and the legacy costs of continued dependence on old intermediaries.  Where smart contracts on private shared ledger platforms can efficiently bridge the gap with traditional payment ecosystems , there will be some fruitful opportunities.

Looking for legal advice on smart contracts, DLT and private ledger consortium? Contact the Field Law Emerging Technology Group.

Calgary – 07:00 MT

By Richard Stobbe

How far can Canadian courts reach when making orders that seek to control the conduct of foreign companies outside of Canada? This controversial question is still being decided, bit by bit, in both Canadian and US courts.  In our past posts we have written about a 2014 pre-trial temporary court order that required Google to de-index certain sites from Google’s worldwide search results, based on an underlying lawsuit that the plaintiff, Equustek, brought against the defendants back in 2011.  Google challenged the order requiring it to delist worldwide search results, and fought this order all the way up to the Supreme Court of Canada… where Google lost.

On July 24, 2017, approximately one month after the SCC decision, Google filed a complaint in US Federal Court, seeking an order that the injunction issued by the BC court is unlawful and unenforceable in the United States. That order was granted, first on a preliminary application on November 2, 2017 and then in a final ruling on December 14, 2017. With that US court decision in hand, Google came back to the BC court which had issued the original order, to vary the scope of that order.

On April 16, 2018, in Equustek Solutions Inc. v Jack, 2018 BCSC 610 (CanLII), the BC court again rejected Google’s requests. The BC court said that the US decision (which was in Google’s favour) did not establish that the injunction requires Google to violate American law. And without any significant change in circumstances, the court reasoned, there was no reason to change the original order.  As a result, the temporary order against Google – which has been in place since 2014 – remains in place, pending outcome of the trial.

The outcome of that trial will be closely watched. As I mentioned in my earlier article, there has been very little analysis of Equustek’s IP rights by any of the different levels of court. Since this entire case involved pre-trial remedies, the merits of the underlying allegations and the strength of Equustek’s IP rights have never been tested at trial. In order for the injunction to make sense, one must assume that the IP rights were valid. Even if they are valid, it is questionable whether Equustek’s rights are worldwide in nature since there was no evidence of any worldwide patent rights or international trademark portfolio.  We can only hope that the trial decision, and Google’s decision to appeal the latest BC court decision, will clarify these issues.

Calgary – 07:00 MDT