A “Right to be Forgotten” in Canada?
By Richard Stobbe
A recent EU decision by the Court of Justice of the European Union (CJEU) has generated a lot of press since it involves a high profile company – Google – and a tantalizing concept of a “right to be forgotten”. The story stems from the efforts by a Spanish man to compel Google to remove search results that referred to the man’s prior financial history – in fact the references were to bankruptcy-related notices published by a Spanish newspaper years earlier. The online newspaper publication remains in place, but the CJEU’s decision touches on the indexing and display of the results in a Google search, which refer back to that online newspaper publication.
So what does this mean for Canada?
There has been, as far as I am aware, no equivalent privacy-related decision in Canada dealing with the removal of search results by search engines. However, there are analogous rights in Canada for individuals to compel an organization to correct or delete personal information, and those rights apply to the organization that has “collected, used or disclosed” the personal information.
In Canada, PIPEDA does contemplate the correction of personal information, the withdrawal of consent, and the deletion of personal information that has been collected. Those provisions still require the individual to make a request or a complaint in order to get a remedy.
In that sense, an organization in Google’s position (in the EU context) then has to decide on the merits of that request or complaint, so the “right” may be subject to the interpretation of these subjective questions by a Google employee, applying all the different criteria that the EU decision has listed.
In Canada (in the PIPEDA context), the organization does not have to make the same kinds of assessments or value judgements – the question is simply whether the individual is withdrawing consent, or correcting information.
In the EU, the organization has to decide if “in all the circumstances” the info appears to be “inadequate, irrelevant or no longer relevant, or excessive” which requires the exercise of a lot more judgement. And more scope for disagreement.
How this is handled by Google, and how it may influence Canadian decisions on requests for removal of personal information, remains to be seen.
Calgary – 07:00 MST
Incoming Anti-Spam Software Regulations
Most Canadian businesses will have heard of the incoming Canadian Anti-Spam Law (referred to as CASL, which joins the Canadian pantheon of legislative acronyms like PIPEDA and PIPA). The consent requirements for sending commercial electronic messages (CEMs) are covered elsewhere (see here, and see this upcoming event on March 18 and 20, 2014). Those requirements come into effect July 1, 2014.
The software-related regulations are getting less press. Why? Possibly because CASL is being implemented in phases, and the software-related rules are not expected to be in full force until January 15, 2015. And possibly because the software-related regs are complicated and at times confusing.
This element of CASL is designed to control surreptitious installation of software, particularly “invasive software”. Generally, express, clear consent is required. Installation of invasive software imposes additional requirements. Implied consent (or “deemed express consent”) may be relied upon in other cases:
- cookies, HTML code, Java scripts;
- upgrades for telecom network security;
- “reasonable” installs – where it is reasonable to expect that the user would consent.
Software vendors should take note of these incoming obligations, to assess and plan for any updates that will be required for CASL compliance. Get advice on how these regulations apply to your software products.
Calgary – 07:00 MST
Google’s Breach of Canadian Privacy Rules
In a recent decision released by the Canadian Privacy Commissioner (PIPEDA Report of Findings #2014-001), the commissioner investigated a complaint that Google pitched ads to an individual based on medical information that he disclosed while surfing various health-related websites. The commissioner’s office took the position that “meaningful consent” is required for the delivery of this kind of targeted advertising. Implied consent might be acceptable in certain circumstances, where the information is limited to “non-sensitive” information (which would avoid medical, financial or health information).
In this case, the individual who initiated the complaint was using Google to search for information related to a medical device used to treat a specific medical condition. Google used this sensitive personal health information (as the commissioner described it, the “online activities and viewing history of health related websites”) to target ads to that individual. When Google relied on implied consent for the use of this sensitive personal health information, it contravened Principles 4.3 and 4.3.6 of the Act. Express consent is required for use of this kind of sensitive personal information.
Calgary – 07:00 MST
Alberta Privacy Law Update: PIPA Declared Invalid
In the case of Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62, released last Friday, the Supreme Court of Canada has declared the Alberta Personal Information Protection Act (PIPA) invalid in its entirety.
This case pits constitutional rights against privacy rights. The court reviewed a claim of privacy rights infringement arising from a long strike during which both the Union and the employer recorded and photographed individuals crossing the picket line. Some of those who were photographed crossing the picket line filed privacy complaints when the Union posted those pictures online.
As a consent-based privacy law, PIPA establishes a general requirement to obtain consent for any collection, use or disclosure of personal information. According to the court: “The central issue is whether PIPA achieves a constitutionally acceptable balance between the interests of individuals in controlling the collection, use and disclosure of their personal information and a union’s freedom of expression. PIPA does not include any mechanisms by which a union’s constitutional right to freedom of expression may be balanced with the interests protected by the legislation.” Thus, in the end, the entire Act has been declared constitutionally invalid, and in a unique way of avoiding a gap in the law, the court’s declaration has been suspended for 1 year, to allow the Alberta legislature to fix the law.
Stay tuned.
Calgary – 07:00 MST
Canadian Privacy Law Update
The club of Canadian provinces with private-sector privacy legislation welcomes a new member this year: Manitoba has passed The Personal Information Protection and Identity Theft Prevention Act (PIPITPA), joining B.C., Alberta and Quebec. In other provinces, the federal Personal Information Protection and Electronic Documents Act governs private-sector privacy. Of course, most provinces have enacted some form of public-sector privacy law, and many also have health-information laws. The Manitoba private-sector law follows the consent-based privacy regime of other Canadian provinces.
This law has yet to be proclaimed into law. Stay tuned.
Calgary – 07:00 MDT
Terms and Conditions May Apply
The criminal defence lawyers have their TV shows and movies. What about those humble lawyers who draft online agreements and terms of use all day long? It’s not every day that this kind of legal fine print gets time on the silver screen. Check out this documentary Terms and Conditions May Apply.
Playing next weekend at the Vancouver International Film Festival and Hot Docs Canadian International Documentary Festival.
Calgary – 07:00 MDT
New Alberta Privacy Decision: Cloud Providers Take Note
Consider this: A service organization we’ll call CloudCo collects and compiles personal information from its corporate customer. The individual whose personal information is being collected has a relationship directly with the corporate customer, but not with CloudCo. The personal information has been shared with CloudCo without the individual’s knowledge or consent. Sound familiar?
Many cloud service providers host personal information without any direct relationship with the individual. Maybe they rely on assurances from their own customer. Or they may simply collect personal information without thinking through the privacy implications.
This recent decision of the Information & Privacy Commissioner of Alberta (Professional Drivers Bureau of Canada Inc. Case File Number P1884) deals with the collection of personal information of truck drivers by a private service company, called the “Professional Drivers Bureau”. This company collected personal information about drivers from trucking companies, created a database of information, and then offered a search service, by which trucking companies paid a fee for a report on the driver. In that report, the personal information about the driver was disclosed to the trucking company. The personal information was gleaned and compiled into a database over a long period of time, and it became clear during the Commissioner’s investigation that the individuals never consented to this collection, use and disclosure. The Commissioner ultimately decided that the “Professional Drivers Bureau” was in breach of Alberta privacy laws because it never obtained consent directly from the individual truck drivers.
What can other service companies – including cloud service providers – take away from this case?
- Cloud service providers should consider if they are “collecting” any personal information themselves, or merely providing a service which allows their customer to store information in the cloud. When a service provider collects personal information, it must obtain consent. In this case, the service provider did not provide any notice to the individual of its collection of her personal information, did not indicate its purposes, did not provide the name of someone who could answer her questions. It apparently did not inform the trucking companies about its purposes in collecting the personal information. All of this was in contravention of privacy laws.
- If a service provider is merely providing space on a server, the terms of service should address privacy issues, and make it clear that no personal information is collected, used or disclosed by the cloud provider.
- Termination issues should also be addressed in the agreement. What happens to that data when the service relationship ends?
- Consider the position of the trucking company: in this case, the trucking company shared personal information about individuals with the “Bureau”. When personal information is disclosed in such a way, the trucking company should be asking: Was this disclosure authorized by the individual? What is the purpose of the disclosure? What contractual restrictions are placed on the recipient, to ensure that the personal information is used in accordance with the consent from the individual? In the cloud context, this means contractual terms that directly address the privacy issues.
- Get privacy advice when entering into cloud-based service agreements.
Calgary – 11:00 MDT
Terms of Service and Deceased User’s Account
When a user dies, who owns the contents of that user’s account?
In Ajemian v. Yahoo Inc. (May 7, 2013), a Massachusetts court considered this question. Two brothers, who administered their brother John’s estate, brought a lawsuit against Yahoo for access to email messages of their deceased brother, and a declaration that the email account was property of John’s estate. The court considered the Yahoo Terms of Service, which included this clause: “You agree that your Yahoo! account is non-transferable and any rights to your Yahoo! ID or contents within your account terminate upon your death. Upon receipt of a copy of a death certificate, your account may be terminated and all contents therein permanently deleted.”
The court looked at the central question of whether these terms – in particular, the “No Right of Survivorship and Non-Transferability” clause quoted above – were reasonably communicated to the user. The terms were amended before the time of death, but the evidence was unclear on whether the deceased user had assented to this particular amendment. Because of the weak evidence on this point, the court decided that Yahoo could not rely on the forum selection clause, which would have deflected the case to California.
The court took the view that the deceased user was a Massachusetts resident and courts in that state had a strong interest in the outcome of the case as it related to the assets of a deceased resident, as opposed to the nature of Yahoo’s services. The ultimate decision was remanded to the lower court, but we can take away a few important lessons:
- The method of implementing Terms of Use and (just as important) amendments to those terms should be carefully reviewed by any Canadian company conducting business online. This includes everything from an email service like Yahoo, to cloud-computing service providers, online retailers, ebook sellers and software vendors.
- Corporate accounts may not be impacted by the death of a user, but anyone making consumer sales should review their online terms to address survivorship issues. And there are many cases where even a “corporate” user is signing up as an individual, without any clarity on what happens to that account as an “asset” of the business after death.
Get advice from our licensing and internet law experts in this complex area.
Related Reading: Is There Life After Death for Your Digital Assets?
Calgary – 07:00 MDT
Breach of Privacy in the Cloud (Canada)
When a cloud privacy breach occurs in Canada, what happens? In some cases, businesses are subject to mandatory breach notification requirements. This means that a privacy breach – whether as a result of a hacker, a lost USB or some other human error – must by law be reported to the commissioner and to affected individuals. Ontario has implemented mandatory breach notification under its Personal Health Information Protection Act. In Alberta, organizations subject to the Personal Information Protection Act (PIPA) are required to report a breach to the commissioner “without unreasonable delay” where a “reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure”.
The “real risk of significant harm” threshold requires some analysis in the event of a breach, and the Alberta commissioner’s Mandatory Breach Reporting Tool (PDF) was released recently to assist organizations in determining whether they are required to report a breach under section 34.1 of PIPA. This area of law may be changing further: a private member’s bill was recently introduced in Parliament to implement mandatory data breach reporting in the federal personal information protection law.
Here’s a recent case that illustrates the pitfalls of a cloud privacy breach in Canada:
- In the recently released decision relating to WhatsApp (Report of Findings: Investigation into the personal information handling practices of WhatsApp Inc.), the Canadian and Dutch privacy authorities investigated WhatsApp Inc., a US company operating “WhatsApp Messenger”, a cloud-based cross-platform mobile messaging app allowing the exchange of messages on iOS, BlackBerry, and Android platforms.
- The Commissioner launched an exhaustive review of the privacy aspects of the service after complaints regarding WhatsApp’s information-handling procedures, including the collection of more information than was necessary, the potential for privacy breach, and the lack of encryption.
- While the story generated damaging headlines, WhatsApp did work with the Commissioner to resolve many of the privacy concerns.
- This investigation also shows the extent to which international privacy watchdogs will work together to launch an investigation that concerns personal information that crosses international borders.
The privacy lessons are clear: get advice on privacy implications of the cloud-based service, and don’t underestimate the importance of well-drafted privacy policies and user terms. Cloud service providers should also take time to understand the breach notification protocols that would apply in the event of a privacy breach.
Calgary – 07:00 MDT
Breach of Privacy in the Cloud (U.S.)
In 2012, LinkedIn made headlines as a result of a significant data breach. The passwords and email addresses of over 6 million LinkedIn users were hacked and posted online. Encryption and security was improved by LinkedIn in the wake of this breach. A class action lawsuit was commenced in the United States based on claims by LinkedIn “premium” users (who paid a monthly or yearly fee for upgraded services). The claim relied on an alleged breach of the terms of LinkedIn’s privacy policy, which included fairly standard language about protection of personal information “with industry standard protocols and technology.” In the decision In re LinkedIn User Privacy Litigation, 2013 WL 844291 (N.D. Cal. Mar. 5, 2013), a US court has shut down the claim, deciding the plaintiffs lack standing. The claims were based on a “benefit of the bargain” concept – an argument that the claimants were allegedly entitled to security as paying customers and LinkedIn breached this promise.
The court rejected the claims since there was no indication that the extra service paid for by premium users included enhanced security or encryption: “paid” users and “free” users received the same level of security. It is clear that claims based on breach of privacy will face an uphill battle in the US, and this decision, together with the decision in last year’s iPhone class action claim, demonstrates the complexities and difficulties of this class of claims.
Calgary – 7:00 MDT
Social Media Law (Part 3: Defamation)
The use of social means to engage in defamation is nothing new. Indeed, defamation requires the very social element of publication. Social media – Facebook pages or posts, tweets, blogs and online comments – merely make defamation easier and more pervasive.
Canadian courts have struggled to balance the interests of free speech with the interests of individuals who wish to challenge and find redress for defamatory statements. A recent Ontario case has framed the issue as follows:
    “There are few things more cowardly and insidious than an anonymous blogger who posts spiteful and defamatory comments about reputable member of the public and then hides behind the electronic curtain provided by the Internet. The Defendant confuses freedom of speech with freedom of defamation. There are, undoubtedly, legitimate anonymous Internet posts: persons critical of autocratic or repressive regimes, for example, or legitimate whistleblowers. The Defendant is not one of those people. The law will afford his posts all the protection that they deserve, which is to say none.” Manson v. John Doe, 2013 ONSC 628 (CanLII).
The test laid out by the Supreme Court of Canada (Grant v. Torstar Corp., 2009 SCC 61 (CanLII)) is as follows: In order to establish a claim for defamation a plaintiff must establish that:
a) the impugned words are defamatory, in the sense that they would tend to lower the plaintiff’s reputation in the eyes of a reasonable person;
b) the words in fact refer to the plaintiff; and
c) the words were published, i.e., that they were communicated to at least one person other than the plaintiff.
In Manson, the court ordered the defendant to pay damages of $100,000 plus aggravated damages of $50,000 and costs. However, the defendant remains anonymous.
Another recent decision in Baglow v. Smith, 2012 ONCA 407 (CanLII), hints at the court’s willingness to permit parties to engage in a heated online political debate, without crossing the line of defamation. In that case, the court observed: “Commentators engaging in the cut and thrust of political discourse in the internet blogosphere can be fervent, if not florid, in the expression of their views.” In the lower court, the statements made in this “cut and thrust” were determined not to constitute defamation. However, on appeal, the court decided the matter was suitable for a full trial and overturned the lower court findings. This is one case to watch.
Related Reading: ipblog’s Defamation Archive
Calgary – 07:00 MST
Cloud Computing Law – Privacy Guidelines
The Alberta, British Columbia and Canadian privacy commissioners have released guidance on Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations. These documents are designed for practical application to small business, including the issues around transborder data flow.
Related Reading:
- Outsourcing by Canadian Companies: Another Look at the USA PATRIOT Act
- Cloud Computing Law: Balancing Privacy and Investigation
Related Event:
Next month, on March 11 and 12, the Canadian Cloud Council’s Cloud Matters conference takes place in beautiful Banff, Alberta. Check out the conference program. I will be attending as a member of the Canadian Cloud Council.
Calgary – 07:00 MST
Outsourcing by Canadian Companies: Another Look at the USA PATRIOT Act
“There may be no greater area of confusion and misunderstanding than fear of the PATRIOT Act” – Ontario Information and Privacy Commissioner
Cloud computing and data outsourcing has been embraced by many Canadian companies. In a recent poll, the adoption rate of cloud-based services by Canadian businesses experienced one of the highest year-over-year increases. Data security and concerns over personal information and privacy remain one of the biggest barriers to adoption.
One of the most common concerns raised by businesses who are considering cloud computing is the law known as the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (“PATRIOT Act”). There has been much discussion and some misinformation regarding the PATRIOT Act. For those unfamiliar with the topic, the central concern is that U.S. government authorities may use the provisions of the PATRIOT Act to access the personal information of Canadians where that information is stored in the United States, particularly in the context of outsourcing or cloud computing.
Overall, a review of recent decisions in Canada shows that these concerns are overstated in light of the risks, and that for private sector businesses there are no prohibitions on outsourcing to the United States in light of the PATRIOT Act, provided (1) reasonable safeguards are built into the outsource contract (including confidentiality, use-restrictions, security, and provisions to meet monitoring and audit requirements), and (2) customers are notified in a clear way when their personal information will be stored or handled outside Canada. It is important to remember that the confidentiality and use-restrictions imposed on the service provider must be tied to the purposes to which the customers originally consented.
“Transparency and security” are watchwords for Canadian businesses considering the cloud.
Industry-specific regulations or guidelines, such as those found in the Insurance Companies Act and the OSFI guidelines applicable to banks and other financial institutions, place certain controls on outsourcing but do not specifically prohibit outsourcing or data-storage outside of Canada. Canadian laws, as well as the PATRIOT Act and OSFI Guidelines are reviewed below.
1. Federal Private Sector Legislation
The Personal Information Protection and Electronic Documents Act (PIPEDA) governs federally-regulated entities, such as insurance companies. PIPEDA is also the default private-sector privacy legislation for provinces which have not passed “substantially similar” privacy legislation. To date, only Alberta, B.C. and Quebec have passed general private-sector privacy legislation that has been deemed “substantially similar” to PIPEDA.
PIPEDA governs the handling of personal information by private businesses such as insurance companies in the course of commercial activities. PIPEDA does not prohibit outsourcing of personal information to the U.S. In fact, there is a clear decision of the Canadian Privacy Commissioner that PIPEDA does not prevent federally-regulated entities from outsourcing personal information data handling or data processing to the U.S.
2. Provincial Privacy Legislation
There are multiple layers of regulation at the provincial level, for the public sector, private sector and for personal health information. Let’s have a look at the Alberta law. With respect to outsourcing, under the Alberta Personal Information Protection Act (PIPA) (sections 13 and 13.1), a service provider must notify consumers when personal information is stored by a service provider outside Canada. This includes a notification of the position or title of a person who is able to answer the consumer’s questions about the collection, use, disclosure or storage of personal information by the service providers outside Canada. This is considered prudent practice for any private-sector organization engaging in outsourcing personal information to U.S. service providers.
Other than these notice requirements relating to storage of personal information outside Canada, there is no prohibition on outsourcing or data processing in the U.S. in private-sector privacy laws.
3. USA PATRIOT Act
Regarding the PATRIOT Act, the Privacy Commissioner of Canada has stated that: “…there is a comparable legal risk that the personal information of Canadians held by any organization and its service provider — be it Canadian or American — can be obtained by government agencies, whether through the provisions of U.S. law or Canadian law.” The Ontario Information and Privacy Commissioner has gone further and stated: “There may be no greater area of confusion and misunderstanding than fear of the PATRIOT Act. The PATRIOT Act has invoked unprecedented levels of apprehension and consternation – far more than I believe is warranted.”
The PATRIOT Act has been in effect for over 10 years, and during this time the Government of Canada states that there have been no instances where the personal information of a Canadian has been accessed under the PATRIOT Act.
Some public sector laws in B.C., Nova Scotia and Quebec require public bodies to ensure that personal information is stored only in Canada. For example, in B.C. public bodies and their service providers are obliged to notify the government if the public body receives “a foreign demand” for personal information. This is designed specifically to address PATRIOT Act concerns.
In Alberta, the public sector Freedom of Information and Protection of Privacy Act permits a public body to disclose in response to a “subpoena, warrant or order” issued by a court, as long as the court has “jurisdiction in Alberta.” While no prohibition on outsourcing to the U.S. is explicitly built into the Alberta law, this provision is intended to ensure that the public body is constrained in its ability to disclose to a court of a foreign (U.S.) jurisdiction. Once again, it should be noted that this is public sector legislation.
Several privacy commissioner decisions have directly considered the issues raised by the PATRIOT Act in the context of Canadian public and private sector privacy laws.
- In a 2005 decision, the Privacy Commissioner of Canada decided that PIPEDA does not prohibit the use of foreign-based third-party service providers, but it does oblige Canadian-based organizations to have provisions in place, when using third-party service providers, to ensure a comparable level of protection (including guarantees of confidentiality and security of personal information). The Commissioner’s decision was also clear that, at the very least, a company in Canada that outsources information processing to the U.S. should notify its customers that the information may be available to the U.S. government or its agencies under a lawful order made in that country.
- Again in 2006 and 2008, the Privacy Commissioner of Canada decided that data handling in the U.S., which exposed the personal information to potential PATRIOT Act concerns, did not offend PIPEDA since the Canadian company had implemented a comprehensive strategy and techniques to safeguard the personal information.
- Most recently, a June 2012 decision of the Information and Privacy Commissioner of Ontario reviewed a complaint about PATRIOT Act concerns with the outsourcing of personal information to the U.S. by an Ontario public body (the Ministry of Natural Resources). The Commissioner decided that the Ministry’s collection, use and disclosure of personal information for the purpose of administering the Ministry’s hunting and fishing licensing program was in compliance with the Act.
All of these decisions point to the need for transparency and openness when dealing with customers, to ensure that they are made aware in cases where personal information handling, processing or storage may or will be outsourced to the U.S. Secondly, the service or outsourcing agreement must contain contractual protections ensuring confidentiality, security and compliance with privacy laws, so that the service provider provides a comparable level of protection for the personal information.
4. OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes
OSFI’s Guideline B-10 describes requirements for federally-regulated entities (FREs), such as banks, financial institutions and insurance companies, when engaging in outsourcing. These are the guidelines relevant to the issue of outsourcing to foreign jurisdictions. Generally, these guidelines mandate appropriate security and data confidentiality protections.
Guideline 7.1.1(j) (“Confidentiality, Security and Separation of Property”) says: “At a minimum, the contract or outsourcing agreement is expected to set out the FRE’s requirements for confidentiality and security. Ideally, the security and confidentiality policies adopted by the service provider would be commensurate with those of the FRE and should meet a reasonable standard in the circumstances. The contract or outsourcing agreement should address which party has responsibility for protection mechanisms, the scope of the information to be protected, the powers of each party to change security procedures and requirements, which party may be liable for any losses that might result from a security breach, and notification requirements if there is a breach of security.”
OSFI also expects “appropriate security and data confidentiality protections to be in place. The service provider is expected to be able to logically isolate the FRE’s data, records, and items in process from those of other clients at all times, including under adverse conditions.”
In Guideline 7.2.2 (“Location of Records”) OSFI indicates that: “In accordance with the federal financial institutions legislation, certain records of entities carrying on business in Canada should be maintained in Canada. In addition, the FRE is expected to ensure that OSFI can access in Canada any records necessary to enable OSFI to fulfill its mandate.” This is intended to cover information such as accounting records, incorporation documents and corporate by-laws, rather than personal information.
Guideline 7.2.4 (“Outsourcing in Foreign Jurisdictions”) indicates the following: “When the material outsourcing arrangement results in services being provided in a foreign jurisdiction, the FRE’s risk management program should be enhanced to address any additional concerns linked to the economic and political environment, technological sophistication, and the legal and regulatory risk profile of the foreign jurisdiction(s).”
Once again, this speaks to the need for enhanced attention to security rather than any outright prohibition on outsourcing to the U.S.
5. Breaches in Alberta
The Alberta Privacy Commissioner’s 2012 Breach Report shows that a majority (64%) of the 63 reported cases meeting the real risk of significant harm threshold involved human error or lost or stolen unencrypted electronic devices:
- 22 breaches (35%) were caused by human error. These incidents included inappropriate disposal of personal information, misdirected emails or faxes, loss of files and portable media, and unauthorized disclosure of passwords. The most common form of human error was mail and courier errors caused by delivery to the wrong recipient.
- 18 breaches (29%) were caused by theft, such as office and car break-ins.
- 14 breaches (22%) were caused by electronic system compromises, typically through targeted attacks by external hackers.
- 9 breaches (14%) were caused by a failure to adequately control access to electronic or paper files.
None of the cases involved a disclosure or breach through the PATRIOT Act. And it should be noted that hackers can access records on both Canadian and U.S. servers, so in that sense no additional risk is associated with outsourcing to the U.S.
Conclusion
Many concerns have been raised about the reach of the PATRIOT Act. It should be remembered that Canadian government authorities have similar powers to access personal information in the course of investigations, and to respond to requests by their allies, such as the U.S. in investigations.
This review of recent decisions in Canada demonstrates that private sector businesses are not prohibited from outsourcing to the United States in light of the PATRIOT Act. However, Canadian companies are well advised, first, to implement reasonable safeguards and to build those safeguards into the outsourcing contract and, second, to notify customers in a clear way when their personal information will be stored or handled outside Canada.
Calgary – 07:00
Cloud Computing Law: Balancing Privacy and Investigation
Megaupload Ltd. is alleged to have disseminated copyright protected movies and music and US prosecutors now have the task of gaining access to the company’s servers in a bid to prove their case. In the fascinating Megaupload saga, a Canadian court has been asked to decide what to do with 32 servers belonging to Megaupload which are located in Canada. The servers are packed with information – “100 laptops” worth of data according to the judgement – and the court was asked by the US government to deliver that data to American prosecutors who are pursuing charges against Megaupload for criminal infringement of copyright, conspiracy to infringe copyright, money laundering and racketeering.
In last week’s decision, Canada (United States of America) v. Equinix Inc., 2013 ONSC 193, the court denied this request, indicating that the massive volume of data meant that the scope of the investigation should be narrowed to just that information that is the target of the search, rather than the entire contents of the data trove. However, the judge did not deny that the evidence should be delivered. Evidence to implicate Megaupload likely is contained within those servers, and it is only a matter of time and negotiation to determine the scope of the search, rather than an absolute denial of the request. “Given the undisputed conclusion” the judge wrote, “…that there were reasonable grounds to believe that evidence of the offences would be located on the servers in my view the appropriate balance of the state interest in gathering evidence and privacy interests in information can be struck by an order that the servers be brought before the court …so that the court can make an order refining what is to be sent.”
From a cloud computing law perspective, this case raises several important points:
- Canadian courts will order seizure and search of cloud-computing servers – just like they will with any piece of evidence in Canada – pursuant to a request from US authorities in the course of a criminal investigation;
- Privacy interests will be balanced by the court, since the law is developing a sense of when individuals have an expectation of privacy in the contents of computers or servers;
- However, that privacy right is not absolute; it will be balanced against the interests of governments in conducting investigations.
We can expect another decision to be released before long, where the contents of the servers are indeed delivered to US prosecutors, with some conditions or limitations as to the scope of the search.
Calgary – 07:00 MST
App Law & Privacy
Several recent stories have highlighted the concerns over personal information, privacy and the reach of mobile apps. Once again, the law is labouring to keep up with technology.
- So-called Cyber-Stalking Apps provide the means to track the location of a phone through an app that is not visible or easily detectable by the phone’s owner. The cloaked app resides on the phone and essentially reports back to the person who installed the app on the user’s whereabouts. In the US, a proposed law has been drafted to make such apps illegal (The Location Protection Privacy Act). This draft legislation moved out of committee and may become law in 2013.
- A number of mobile apps have been criticized for collecting personal information about kids, and selling that info without parents’ consent. To tackle these problems associated with mobile apps directed at children, privacy advocates have been pushing for changes to the rules under COPPA (Children’s Online Privacy Protection Act). The US Federal Trade Commission (FTC) amended the Children’s Online Privacy Protection Rule in December 2012. The Rule now applies to mobile apps and web-based text messaging programs, and requires app developers to get permission from parents before collecting a child’s photographs, videos and geolocational information. The amended Rules will become effective on July 1, 2013.
- It is worth noting that these are both developments under US law. In Canada, app developers who target children’s personal information would be caught by Canada’s broad private-sector privacy laws, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, or one of the provincial-level privacy laws, such as the Personal Information Protection Act in Alberta. Cloaked “cyber-stalking” apps could constitute an invasion of privacy contrary to Canadian law. However, that would apply to the person who surreptitiously loaded the stalking app, rather than the app developer.
App developers: Make sure you get advice on a properly-drafted privacy policy, terms of use or end-user license, and that you understand the implications of privacy laws when launching mobile apps.
Calgary – 07:00 MST
Update: January 29, 2013: see comment below regarding WhatsApp privacy issues.
Privacy: “Get Over It”?
Not so fast. In 1999, the CEO of Sun Microsystems famously said: “You have zero privacy anyway. Get over it.” The Supreme Court of Canada apparently disagrees.
The Supreme Court of Canada (SCC) released their decision in R. v. Cole last week. While this does stray from our usual review of intellectual property law, it is an important decision impacting the overlapping areas of privacy and technology. The SCC has decided that it’s reasonable for Canadians to expect privacy in the information contained on computers used for personal purposes “at least where personal use is permitted or reasonably expected.” In this analysis, ownership of the computer or laptop (or tablet, smartphone, etc.) factors into the decision of what’s reasonable, but is not conclusive. Similarly, an employer’s policies may be taken into consideration, but won’t be determinative. In other words, regardless of who owns the hardware or what the policy says, courts will consider “the totality of the circumstances in order to determine whether privacy is a reasonable expectation in the particular situation.”
Even where the laptop is owned by the employer and the workplace policy informs employees that their use will be monitored, these factors may result in a lower expectation of privacy, but that expectation of privacy, according to the SCC, does not disappear as easily as you might think.
Lessons for business? Employers must tread carefully and get advice when monitoring or accessing the personal information of employees on workplace computers, laptops, tablets, smartphones and virtual systems.
Related Reading: Our earlier post: Privacy in a workplace laptop, reviewing the Ontario Court of Appeal decision in R. v. Cole, 2011 ONCA 218.
Calgary – 07:00 MDT
ipblog.ca & applaw.ca
Bookmark ipblog.ca on your iPhone, iPad, Android tablet or mobile device for updates and developments in Canadian intellectual property law, including practical information and commentary on intellectual property business issues, technology commercialization and developments in the law, copyright and patent questions, trade-mark law, software and IT outsourcing, and related areas including privacy and cleantech licensing.
ipblog has been published since 2006. In 2009, we added applaw.ca to our site, covering legal developments in the growing mobile application industry.
We have surpassed 1 million page-views from readers around the world. It’s hard to compete against YouTube cats… but we try.
Thanks to all of our readers. We’ll be taking a break during the month of August, and will resume in September, 2012.
Calgary – 07:00 MDT
Class Action Lawsuits? There’s an app for that.
A California court has approved a nationwide class action lawsuit against Apple, based on claims that its devices have tracked user location and movements without users’ consent. This is the same claim that was dismissed once, with leave to amend (see App Law: Update on Privacy). The plaintiffs amended and came back for round two. In a partial win for Apple, the privacy claims were dismissed. However, the remainder of the claims have been permitted to proceed. Apple’s defence is that its terms of service and user agreements will provide cover. The court has indicated that there is some ambiguity about whether the terms cover the scope of information that was collected.
For Apple’s lawyers, this is not a new phenomenon. These lawsuits are also in the works:
- A class action lawsuit related to iPods;
- Customers are trying to get a class-action for iTunes refunds;
- A class action based on false-advertising claims related to Siri.
However, the user-tracking lawsuit looks like the most interesting of the bunch, and may put Apple’s app store terms and conditions to the test.
Calgary – 07:00 MDT
Liability for Online Comments
This post by my colleague Dan Carroll provides a great review of the many issues in online defamation, including civil and criminal liability.
Related Reading:
- Online Defamation: Injunctions Against Google in Canada
- SCC Defamation Decision
- Update: Canadian Online Defamation & Hyperlink Case
Calgary – 07:00 MDT
Online Agreements: Click-Through Upheld
If your kids use Facebook, are they bound by the online terms?
This question was recently reviewed in a US decision in which certain minor children, resident in Illinois, were users of facebook.com. They alleged that Facebook’s practice of misappropriating their names and likenesses for “commercial endorsements” without their consent was a violation of their privacy rights. Facebook resisted by invoking the “forum-selection” clause in its Terms of Service (TOS). That clause effectively punts all disputes into California, Facebook’s home turf. The Illinois court had to decide whether the case could proceed in Illinois, or whether the forum-selection clause dictated that the case must proceed in California.
In E.K.D. v. Facebook, Inc., 3:12-cv-01216-JCS (S.D. Ill. March 8, 2012), the Court concluded that the minors could not avoid the forum-selection clause in Facebook’s TOS. A mandatory forum-selection clause is, under US law, valid on its face, and should be enforced “unless enforcement is shown by the resisting party to be ‘unreasonable’ under the circumstances.” Canadian law is similar. However, the courts look at a number of factors in determining what they consider “reasonable”, and online vendors or licensors must take care if they want to ensure the clause will be upheld.
Calgary – 07:00 MDT