The privacy problem with apps has been percolating for some time. Several high-profile reports have brought attention to this issue; Path’s embarassing privacy breach is just one of many cases where app developers have (intentionally or otherwise) harvested private details about app users by dipping into address books and location-data. App developers should take note: Get legal advice on privacy before you launch your app.

In the US, a patch-work of industry-specific privacy laws has made this a confusing area of law. In Canada, the landscape is still complex, but is underpinned by private-sector privacy laws that apply to “personal information” across all industries, at both the federal and provincial level.

This month, the California Attorney General has entered into an agreement with mobile app platform vendors – Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion – to improve privacy protections for app users. This arrangement implements certain “privacy principles” and requires app developers to have a privacy policy, something that would bring app developers in line with Canadian law.  This is not new legislation, merely a loose commitment by the mobile app industry, so it cannot be enforced as law. However, it has helped shine a spotlight on this issue. 

Related Reading:

• Copy of the Signed Agreement (PDF)
• App Law: Update on Privacy

Calgary – 07:00 MST

 

The Ontario Court of Appeal (Jones v. Tsige, 2012 ONCA 32) has recognized the tort of invasion of privacy or “intrusion upon seclusion,” acknowledging a right in Canada to sue when an individual’s privacy is intentionally invaded by another individual.  This case had to do with one bank employee accessing the bank records of another employee, without permission. Ultimately the claimant was awarded damages in the amount of $10,000 for breach of her privacy rights.

Read the full article here from the Field Privacy Group.

Calgary – 07:00 MST

Bill C-22 (Mandatory Reporting of Internet Child Pornography by Persons Who Provide an Internet Service) (the “Act”) was passed in March, 2011 and was proclaimed in force as of December 8, 2011. The Act makes it mandatory for providers of Internet services to report incidents of online child pornography. The Act is quite broad, and businesses providing WiFi access, email services or internet content hosting – including ISPs, as well as colleges, universities, public libraries, cafés, hotels, shopping malls – are caught by the Act and could receive a report about child pornography under the Act.

For more details about reporting obligations, see: This Article.

Calgary – 07:00 MST

 

My recent article can be found here: Canada’s New Anti-Spam Legislation: How can it impact your business?

Related Reading: Canada’s “New” Anti-Spam Law

 

Calgary – 07:00 MST

 

This post is the first in our 3-part employment law series.  Recent cases have again focused the spotlight on this vexing issue: when an employee leaves, do they take their social media contacts with them, or check them at the door?  Once upon a time, social media was something that employers asked you not to do while on the job. Now, Facebook, LinkedIn, Twitter, YouTube and Instagram feeds are not just idle time-burners, they might be part of your job description. In the UK case of Hays Specialist Recruitment (Holdings) Ltd. v. Ions, an employee was ordered to disclose his LinkedIn contacts when he left his employer, and a 2011 case in the US (PhoneDog v. Kravitz, 2011 WL 5415612 (N.D. Ca.; Nov. 8, 2011)) is grappling with this issue, where an employer claims $340,000 in damages from an ex-employee.  Lessons for business?

• Check your own employment policies to see whether this is covered, and if not, consider introducing effective policies to manage social media issues;
• Employees who are hired specifically for social media marketing are the obvious ones to look at, but salespeople, managers or executives should also be considered;
• Theft of trade-secrets is often claimed, but commonly fails on the grounds that the social media contacts are often available for all to see.

Calgary – 07:00 MST

As we reported last January ( Intellectual Property Law in 2011) Canada passed an Anti-Spam Law in December 2010 with the unwieldly title of “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act” (… guaranteed to trip up Twitter character limits).

The Anti-Spam Law, getting ready to celebrate its one-year birthday, is not yet in force.  It’s in a bureaucratic holding pattern as the regulations are drafted and redrafted. What this means in practice is that the government is navigating through the demands of various business and industry groups, all of whom want to avoid being saddled with high implementation costs. The law is not expected to take effect until 2012. Stay tuned.

Calgary – 07:00 MDT

 

iOS devices generate a trove of personal information. Do app-developers have access to the personal information of iOS device users? This is the basis of a complaint launched by a US group, as a nationwide class action lawsuit against Apple and a number of iOS app developers. The claim suffered a setback in September when a US judge dismissed the suit (see the PDF; the dismissal makes for interesting reading), with leave to amend.

There are more than 200 million iOS devices in play around the planet, several hundred thousand available apps, and reams of personal info generated by users: address book entries, cell phone numbers, file systems, geolocation data, subscriber identity numbers, keyboard cache, photographs, SIM card numbers, and unique device identifiers.  Who has access to this info, and for what purpose, are questions that have cast a cloud over Apple’s popular ecosystem. 

This story is one that will likely come back through an amended complaint.

Calgary – 07:00 MDT

In our previous post (Privacy & Freedom of Expression: Alberta Court Says Privacy Law is Unconstitutional), we discussed the recent Alberta decision that struck down portions of a provincial privacy law (the Personal Information Protection Act), because of the way it limited protections for organizations other than “pure journalists”. Let me put this another way: collection and use of personal information is regulated by PIPA; in that Act, if you collect personal information for “journalistic purposes” and no other purposes, then you would be exempt from the regulations set out in PIPA. It’s like a get-out-of-jail card for journalists. The hitch is that the collection of personal info has to be “journalistic purposes” and no other purposes. However the court in United Food and Commercial Workers, Local 401 v. Alberta (Information and Privacy Commissioner), 2011 ABQB 415 (CanLII) said that is an infringement of the right to free expression for all those organizations who aren’t “pure journalists” – that is, organizations who might collect personal info for some purpose other than journalism. The Supreme Court of Canada in its 2009 decision of Grant v. Torstar Corp. (2009 SCC 61), defined “journalist” broadly to include bloggers and anyone “publishing material of public interest in any medium”.  So is the effect of these two decisions to create a loophole for anyone to collect personal information so long as they are “publishing material of public interest”? Anyone with an internet connection can set up a blog, Facebook page or Twitter account (or all three) in about 5 minutes, so the barriers to entry to qualify as a “journalist” and start publishing personal information appear low. It appears we have a pretty big hole in Alberta’s privacy laws.   Calgary – 07:00 MDT

A striking union recorded video of a picket-line outside a casino in Edmonton. Photo and video was then posted online at a union protest site. Three people complained that their personal information had been collected in breach of the Personal Information Protection Act (PIPA). A decision by the Privacy Commissioner said that the union’s practice breached PIPA. The union appealed and an Alberta court has handed down a surprising decision that some of the privacy restrictions in PIPA are unconstitutional, because they tread on the right to freedom of expression.

In United Food and Commercial Workers, Local 401 v. Alberta (Information and Privacy Commissioner), 2011 ABQB 415 (CanLII) , the court surveyed the law in this area and focussed on two issues:

• First, what constitutes “publicly available” information? PIPA provides an exception for such information, which is defined in the Regulations and includes such things as information in phone books and directories and records held in public registries. The definition does not cover information that could be collected at public, social or political events. The court decided that this restriction violated the union’s Charter-protected freedom to express itself through video and photos taken at a public political event  
• The other exception examined by the court is the “journalistic purposes” exception in PIPA.  The union argued that PIPA limits the “journalistic purposes” exception to traditional media such as newspapers, magazines and television and excludes “non-traditional media” such as the union, who collect information for purposes other than journalism. Again, the court decided that this restriction violated the union’s freedom to express itself for purposes that may include journalism and other purposes.

Thus, the court quashed the decision of the Privacy Commissioner, and struck down portions of PIPA as being in violation of the Charter of Rights and Freedoms. This leaves some holes in PIPA that will have to be plugged by the government. Either they have to appeal the decision (which is likely) or they have to amend the legislation. This one will be interesting to watch since it touches on all kinds of fascinating topics such as a right to privacy in the Facebook era, what is in public sphere, “citizen journalism” and free expression through posting photos and videos online.

Calgary – 07:00 MDT

This post ( The Legality of Online Anonymity: Two Cases ), reviews two recent Ontario cases which decide when to order the disclosure of identities in the conext of anonymous online comments. Courts will assess these “Warman” factors in deciding when to order disclosure:

• whether the anonymous person could have a reasonable expectation of anonymity in the circumstances; 
• whether the plaintiff could establish a prima facie case against the anonymous person and is acting in good faith;
• whether the plaintiff has taken reasonable steps to identify the anonymous party and has been unable to do so; and
• whether the public interests favouring disclosure outweigh the legitimate interests of freedom of expression and right to privacy of the anonymous person.

Related Reading:

Exposing Online Identities: Another Update 

Is a Website Operator Liable for User Comments?

Calgary – 07:00 MDT

 

In recent privacy decision from the Ontario Court of Appeal (R. v. Cole, 2011 ONCA 218), the court recognized a core right to privacy of personal information which extends into the workplace – in this case, an employer’s laptop that was used by the employee in the course of employment.  The question was whether the employee had a “reasonable expectation of privacy” in the contents of the laptop. The court decided that the circumstances of this case, the employee did enjoy privacy in the contents of the laptop.

 Calgary – 07:00 MDT

When you apply for a bank loan, a credit check is one of the first steps taken by the bank. TransUnion is one of the two major national credit reporting agencies in Canada and when Calgarian Mirza Nammo applied to the Royal Bank (RBC) for a business loan, the RBC ran a credit check through TransUnion.  However, TransUnion had inaccurate information on file for Mr. Nammo; his credit profile was tainted with someone else’s information. RBC turned down his application because of this “bad credit” report. Mr. Nammo eventually determined the source of the problem – that his records were confused with someone else’s information – and launched a complaint based on a violation of Canada’s privacy laws.  The case finally landed in Federal Court and in December the court agreed that TransUnion had violated paragraph 4.6 of Schedule I to Canada’s Personal Information Protection and Electronic Documents Act – the obligation to maintain accurate information about the complainant.

The decision in Mirza Nammo v. TransUnion of Canada Inc. [PDF]    T-246-10 represents the first damage award under this legislation. Mr. Nammo was awarded $5,000 plus costs arising from TransUnion’s violation of the “accuracy principle”.  The court also made clear that a correction of the inaccurate information does not absolve an organization of the original violation of the accuracy principle.

Calgary – 07:00 MST

.

Thanks 2010, intellectual property and internet law had an interesting ride. Here are a few issues to watch in 2011:

Canadian Copyright Reform and Anti-Spam Law:  Around this time last year, we predicted that copyright reform wouldn’t come to Canada until 2011 at the earliest. So far that appears to be holding true. However, Canada did make headway in the anti-spam department, with the passing of the Fighting Internet and Wireless Spam Act (hardly a poetic name, but we’ll take what we can get from Ottawa).  Canada’s anti-spam legislation received royal assent on December 15, 2010.  Meanwhile, the Canadian copyright reform bill was introduced in 2010 and the debate will continue when Parliament resumes at the end of January.

And the courts continue to tackle copyright issues piece by piece. News came in late December that a copyright “fair dealing” case will be going to the Supreme Court of Canada in 2011 (SOCAN v Bell).

Clean Tech Law: 2011 may prove to be a break-out year for Canadian Clean Tech companies, as private investment and government incentives provide a boost to companies in this technology-intense sector.  The law surrounding the uses, protection and licensing of clean technologies in Canada will gain traction in 2011.

App Law: This fascinating area of law shows no signs of slowing, as app developers continue to push the boundaries in their use of copyright materials, trade-marks and personal information of consumers, as the technology gallops forward. In December another iPhone-related class action suit was announced, naming Apple and a number of app developers as defendants (Lalo v. Apple, Inc et al, case 5:10-cv-05878).

Business Method Patents: We predicted that some clarity would come out of the Bilski review (in the US) and the Amazon 1-click patent (in Canada). In the US, the Supreme Court handed down its decision in the Bilski review, generally upholding the lower court decision, but cautioning that the machine-or-transformation test is not the only patentability test to be applied.  In Canada, the decision in October in the Amazon case upheld the patentability of business method patents, but the waters were immediately muddied again, when it was announced in November that the decision was being appealed (See: Amazon Business Method Case to be Appealed).

Calgary – 07:00 MST

 

My article on the Legal Implications of App Development [Download Copy of Article (2MB PDF)] is published in the November 19th edition of The Lawyers Weekly. It discusses “app law“ issues such as end-user licensing, copyright disputes, app-related trade-mark issues, trade-secrets, privacy and app development agreements.  [Link here for a preview of the digital edition]

Calgary – 09:00 MST 

Last year, app-developer Storm8 made headlines when allegations surfaced that it gathered the phone numbers from its end-users’ phones without authorization, through software built into its iPhone apps.  The case of Turner v Storm8 LLC, (Case No. 09-cv-05234-CW) (N.D. Cal.) represented a nationwide class of persons who downloaded and accessed Storm8 games. That class action has now reached Settlement.

Calgary – 09:00 MT

 

ipblog.ca will be taking a break over the summer. We’ll be back in the Fall to pick up developments such as:

• Canadian Copyright Reform (with Parliament breaking for the summer, there will be no further Parliamentary debate on Bill C-32 until September);
• The US Supreme Court’s decision in the Bilski case (relating to patentability of business methods and software);
• Changes to the Canadian rules in assessing patentability for “computer-implemented inventions”;
• The Canadian Intellectual Property Office’s plans to expedite the examination of so-called “green technology” patent applications;
• Developments in licensing, trade-marks, internet law and trade-secret law.

Have a good summer. 

Calgary – 09:00 MT

The government has  introduced proposed amendments to the Personal Information Protection & Electronic Documents Act (PIPEDA). The changes to the federal law are wide-ranging and will have a significant impact on privacy law here in Canada. Here are a few highlights from a business perspective of the proposed changes in Bill C-29, and once it passes into law, we’ll provide an overview: 

• Business Transactions: If you want to disclose personal information during negotiations for a “prospective business transaction”, the proposed changes under Section 7.1 will be of interest since they permit “…organizations that are parties to a prospective business transaction” to “use and disclose personal information without the knowledge or consent of the individual” as long as the organizations have entered into an agreement restricting use, and imposing “security safeguards appropriate to the sensitivity of the information”.  If the transaction does not proceed, then the information must be returned or destroyed.   This moves the federal law into line with the approach taken in Alberta.
• “Business Contact Information” would be specifically excluded from the purview of PIPEDA. This category of personal information refers to an individual’s name, position name or title, work contact details and e-mail address.
• “Employee personal information” will be treated differently under the new law, since the changes make it clear that consent is not required for the collection, use and disclosure of such information as long as it is to “establish, manage, or terminate the employment relationship” as long as the employer has notified the employee. This is best done at the outset of the employment relationship.  Again, this brings PIPEDA in line with the Alberta law.

Calgary – 09:00 MT 

 

When can an internet user remain anonymous?  It depends….

As an update to our recent post about Mosher v. Coast Publishing Ltd., 2010 NSSC 153 (where the identity of anonymous comment-writers was ordered to be disclosed), the recent decision in Warman v. Wilkins-Fournier, [2010] ONSC 2126 (S.C.J.), took an opposite view. 

The recent Wilkins-Fournier decision was an appeal of an earlier decision (See: Online Defamation Update) in which the court ordered the disclosure of all personal information, including name, email and IP address, of eight anonymous posters in a defamation case.  In this new decision, the court reviewed privacy rights and freedom of expression issues, and overturned the disclosure order.  The court indicated that disclosure should not be automatic, and the plaintiff must first demonstrate a prima facie case of defamation before the disclosure of personal identities is ordered.  Interestingly, the court compared this situation to the one in BMG Canada Inc. v. John Doe, where the recording industry sought the disclosure of anonymous alleged copyright infringers. 

Calgary – 09:00 MT

Planning on outsourcing your company’s email to Gmail? Or maybe you’re outsourcing your data storage to a server in the US? Recent changes to Alberta’s Personal Information Protection Act (PIPA) stipulate that organizations must notify people when they will be transferring personal information to a service provider outside of Canada. Take the example of the University of Alberta’s recent plan to use Google as an email provider (though as public body the university falls under FOIP, not PIPA). Such a change involves the hosting of personal information outside of Canada.  In the case of online transactions, which necessarily route credit-card clearing services through the US for approval purposes, there appears to be an exception.

The other major changes include breach reporting and notification obligations, which are a first in Canada. This means that, if a privacy breach occurs and it creates “a real risk of significant harm” to an individual, the organization must make a report to the Privacy Commissioner. 

The changes became law on May 1, 2010.  Information about the amendments and how they work is available at: www.oipc.ab.ca.

Calgary – 08:00 MST

 

You may have seen our recent post on the subject of Apple’s robust trade-secret protection program. Apple grabbed headlines again when a prototype iPhone made its way into the hands of a blogger at Gizmodo, who promptly posted a review of it. It didn’t take long for Apple to flex its trade-secret enforcement tools.  The “Rapid Enforcement Allied Computer Team” (a uniquely Californian computer-crime task force) descended on the blogger and reportedly seized a number of items including a laptop, hard-drive and other personal effects.  The message is unmistakeable: technology companies will go to extraordinary lengths to protect trade-secrets.

Could this happen in Canada?  Search warrants are typically used where a criminal investigation is under way.  In civil cases, a technology company could use an “Anton Piller Order”, which is a form of civil search warrant enabling representatives of a plaintiff to search the defendant’s premises and seize relevant documents and other evidence pertinent to the lawsuit.  It comes from a trade-secret lawsuit from the 1970’s, where a technology company convinced the court to permit a search-and-seizure at the defendant’s premises.  Such an order can only be granted where:

• there is a strong case for the plaintiff and the potential for “very serious” damage to the plaintiff;
• there is convincing evidence that the defendant has “incriminating documents or things”; and
• there is a real possibility that the defendant might destroy the incriminating evidence.

These orders can be set aside, as in this recent Federal Court case involving a copyright infringement claim: Vinod Chopra Films Private Limited v. John Doe, 2010 FC 387 (CanLII).

Calgary – 08:00 MST