If someone engages in online defamation, online copyright infringement or any number of other illegal acts on the internet, the first question is who is actually committing the act in question? One of the main issues facing litigants in Canada is the identity of anonymous actors who are shielded by mysterious usernames, aliases or cryptic email addresses. 

In a recent decision in Nova Scotia, a judge ordered Google and a local paper to disclose the identity of individuals who are alleged to have posted defamatory statements on a local website.  The judge declared: “The court doesn’t condone the conduct of anonymous Internet users who make defamatory comments. They, like other people, have to be accountable for their actions.” The decision flies in the face of other Canadian court decisions where judges have erred on the side of caution by protecting the identity of online users.

In an online defamation case on the other side of the country, the BC Court of Appeal decision in Crookes v. Newton (see our previous post) is heading to the Supreme Court of Canada (SCC).  Leave to appeal was granted earlier this month and the decsion of the SCC should clarify this area of law, particularly the extent of liability for hyperlinks to defamatory content. 

Calgary – 08:00 MST

Former basketball star Ed O’Bannon and former quarterback Sam Keller have now joined forces in a multimillion-dollar federal class action lawsuit that is proceeding in the US against the National Collegiate Athletic Association (NCAA). The lawsuit has been joined by 15 former NCAA basketball and football athletes.  Collegiate sports is big business in the US and the NCAA generates significant revenues from merchandising and licensing. The NCAA’s defence is that athletes like O’Bannon waived all their commercials rights when they signed a form authorizing the NCAA to use their images for promotional activities.  The lawsuit alleges that the NCAA is improperly profiting by using athletes’ images in video games such as the Electronic Arts title NCAA Basketball ’09. 

If you are considering using any personality or likeness in a video game or smartphone app, ensure you get proper legal advice on well-drafted written authorizations.

Link to: Consolidated Class Action Complaint (PDF) 

Related Reading: Video Games & Free Speech  

Calgary – 07:00 MST

Two recent cases illustrate the limits of employee rights in connection with their use of technology related to the workplace. Although these are extreme examples, they reinforce some basic rules about employee “Acceptable Use” policies, and employee use of technology:

• Employee Blog: In the case of Alberta Union of Provincial Employees v. Alberta QB 2009 ABQB 208 (Nielsen, J.) the court dealt with a union employee who was dismissed on the basis of blog-postings which were critical and contemptous of fellow employees and management.  While the case was sent back to the labour arbitrator because of procedural irregularities (the employer failed to follow the collective agreement in the course of disciplining the employee), it is important to note that the decision to dismiss the employee was not overturned by the court. In short, there are circumstances where an employee can be dismissed for cause due to blog-postings that expose fellow workers to contempt and riducule.
• Reasonable Expectation of Privacy: In the case of R. v. Cole, 2009 CanLII 20699 (ON S.C.), an Ontario high-school teacher was charged with possession of child-pornography, on the basis of images found in a hidden file on a laptop assigned to him, but owned by his employer.  He complained that he had a right to privacy over the contents of the laptop, and therefore the search of his hard-drive was an unreasonable invasion of privacy. The court rejected this argument, saying that by agreeing to the School Board’s “Acceptable Use Agreement“, the accused clearly knew that the data and information on the laptop were not private.  The terms of the Acceptable Use policy were important in establishing the limits of the employee’s right to privacy.

Lessons for business?

1. Employee privacy issues have to be handled carefully and with sound legal advice in accordance with workplace policies;
2. Dismissing an employee based on the contents of a public blog, Facebook page or other online posting is not a trivial matter and must be undertaken after careful consideration of the employer’s procedures and the nature of the online comments;
3. If you don’t have an acceptable use policy, then you should consider having one prepared for your employees. 

Related reading: Employer Access to Employee Gripe Site

Calgary 11:45 MST

Online defamation has always been about two issues: there’s the legal question of whether the online comments are “defamatory” according to the standard legal tests, but before you get to that stage, you need to know who is writing the defamatory comments.

That’s often where the inquiry starts and stops. Since online anonymity is so hard to pierce, the identity of the poster of defamatory comments is never known, and the person who is defamed has no-one to sue for defamation.  A court order on Monday has shed some light on the process of getting over that anonymity hurdle.  In the case of Cohen v. Google Inc., Index No. 100012/09 (N.Y. Co. August 17, 2009) (Madden, J., J.S.C.) (related story), a Canadian model has obtained an order compelling Google to disclose the identity of the author of the alleged defamatory comments.  “Pre-complaint disclosure” is not new, but this case has attracted attention because of the elements: a New York model, Google, and blogging.

In Canada, similar orders have been made in online defamation cases. In a 2009 decision in the case of Warman v. Fournier, the Ontario Superior Court of Justice ordered the disclosure of all personal information, including name, email and IP address, of eight anonymous posters in a defamation case.

Calgary – 14:00 MST

In the good old days, the boss overheard you complain at the pub after work.  Now, employees have more sophisticated methods of dishing the dirt. And employers must walk a careful line when navigating the issue of employee privacy.  

• In Pietrylo v. Hillstone Restaurant Group, Docket No. 2:06-cv-05754 (D.N.J. 2008), a US court decided that employees enjoyed a certain amount of privacy over a gripe-page they created on MySpace.  The pages were designed to be accessed by invitation-only, and provided a place for employees of the Houston’s restaurant chain to rant about their employment. Management heard about it, and asked one of the employees for the password to the site. The employer then promptly fired the 2 employees who had established the site.  When the employees sued their former employer, the court found in favour of the employees, on the basis of invasion of privacy and ordered payment of back-pay.
• While there has been no similar case yet in Canada, the issues were discussed in University of British Columbia (Re), 2007 CanLII 42407 (BC I.P.C.) where the employer secretly installed spyware on an employee’s workplace desktop to monitor his internet use. The Information and Privacy Commissioner investigated and found that the employer was in breach of public-sector privacy rules by surreptitiously monitoring its employee when it had “less intrusive means to manage the complainant’s employment.”

Related reading: Our post on workplace surveillance cases 

Calgary – 15:30 MST

Call it the “Facebook Factor”.  The way people use the internet and social media is colliding with litigation in ways that couldn’t have been foreseen even a few years ago:

• In a recent Nova Scotia case, a judge considered evidence of a plaintiff’s Facebook page in a personal injury lawsuit, and the evidence contradicted the plaintiff’s claim;
• In Murphy v Perger [2007] OJ No. 5511 (QL), a defence lawyer successfully forced production of post-accident Facebook pictures showing the plaintiff engaging in various social activities – pictures that were located on a private portion of the Facebook site;
• In Leduc v. Roman, 2009 CanLII 6838 (ON S.C.), the court permitted cross-examination of the plaintiff on the content he posted on his Facebook profile;
• In Australia and New Zealand, the courts have approved service of documents via a Facebook account (story: here and here);
• In the US, there have been a rash of similar cases (see links here, here, and here) leading to a mistrial in a drug-trafficking case (when jurors admitted that they researched the case via their iPhones and BlackBerrys), chaos in the federal corruption trial of a former state senator (jurors had posted updates on the case on Twitter and Facebook), and problems in a criminal case (a juror tried to “Friend” one of the witnesses).

Related content: free online webcast summit on “Copyright War,” June 9, 2009, including “Online Legal Issues: Facebook, MySpace, Twitter, YouTube, Blogs” 

Calgary – 10:30 MST

On Friday, the federal government introduced long-overdue draft anti-spam legislation, the Electronic Commerce Protection Act. The law would allow civil lawsuits against spammers, and is designed to target email spam, as well as spam directed to cellphones and mobile devices. The proposed law would be enforced by the Privacy Commissioner, the Competition Bureau, and the CRTC, which raises questions about effective coordination of enforcement across multiple branches of government and quasi-government bodies. The law contemplates fines of up to $1 million for individuals and $10 million for corporate offenders.

Calgary – 20:45 MST

A few weeks ago, Facebook attempted to revise its Terms of Service – the online contract that governs the relationship with Facebook users.  Revising a contract can be tricky at the best of times, let alone an online contract with 175 million users from around the world. 

When word leaked that someone had actually read the fine print, and the fine print extended Facebook’s rights to user content, there was a groundswell of protest, and a quick retreat by Facebook.  Yesterday the company reverted to its old Terms of Service, and users claimed victory.  However, the fine print, even in the old Terms of Service, still permits Facebook to use your photos, profiles (including name, image, and likeness), messages, notes, text, information etc. “for any purpose, commercial, advertising, or otherwise, on or in connection with the Site or the promotion thereof...”  This expires when you remove your content, but millions of users have still granted Facebook extremely broad rights to their personal information and images, so it is interesting that these terms are being considered a triumph. (What was that one about the frog in boiling water?)

Under Canadian and US law, a company must be very careful to ensure that amendments to online contracts are enforceable (see: Online Contract Amendment Not Binding).

Calgary – 10:35 MST

In January, the federal Privacy Commissioner released Guidelines for Processing Personal Data Across Borders (PDF Copy of Guidelines). These guidelines set out the Commissioner’s view of how the Federal Personal Information Protection and Electronic Documents Act (PIPEDA) will be applied to transfers of personal information across borders. It’s worth noting that the document does not review obligations for public sector entities.  Transborder transfers of personal data would include transfers across provincial as well as national boundaries since PIPEDA does not distinguish between domestic and international transfers of data.  So if your organization is outsourcing data handling to a service provider in another province or another country, these guidelines will be applicable.

Calgary – 10:30 MST

What do nursing homes and nightclubs have in common? In these 2 decisions, they both collect biometric data on their employees.

Biometric data can be anything that records “measurable characteristics” of an individual – from thumbprints to voice-prints to DNA. Organizations will collect and use this data with greater frequency as tracking technology becomes less costly and more reliable. So what do privacy laws say about this kind of information?

Two recent decisions from the Information & Privacy Commissioner of Alberta tackle biometric data collection issues head-on.

In Report of an investigation on the use of a hand recognition system, (August 7, 2008) the Commissioner investigated a nursing home in Calgary. The nursing home phased out employee swipe-cards, and introduced a hand-scanner as a way of tracking employee arrival and departure. The Commissioner decided that hand-scan data (measurements of a person’s hand to generate a unique identifier) does qualify as “personal information” under the Freedom of Information and Protection of Privacy Act (FOIPPA), and that the employer’s collection practices did not meet the requirements of that Act.

In Report of an Investigation into the Collection and Use of Personal Information, (August 27, 2008) the Commissioner looked into a complaint by an employee of an Edmonton nightclub, who was obliged to use a thumbprint sign-in system at the beginning of every shift. This time, the Commissioner made its analysis under the Personal Information Protection Act (PIPA) since the employer was a private sector organization. The employer did not collect thumb-prints but rather “unique numeric identifiers which represent distinct attributes of thumbprints” – a difference that should have been made clear to employees. This data qualified as “personal information” within the meaning of that Act, and in this case, by failing to explain its privacy policy, and thereby failing to obtain informed consent, the employer did not meet the requirements of PIPA.

The lessons for business? In both cases, the employers stumbled, but not on the type of data collected – the Commissioner accepted the employers’ argument that biometric data collection was reasonable and justified – but rather the employers both failed to adequately explain the collection process, answer questions and alleviate employee concerns. As the Commissioner stated: “Employers …have a heightened responsibility to be open and transparent about their practices as they relate to employees…”

Calgary – 10:00 MST

The Canadian Do-Not-Call List (DNCL) goes into effect tomorrow. 

The CRTC (Canadian Radio-television & Telecommunications Commission) is coordinating the DNCL and starting September 30, Canadian consumers can register their telephone numbers on the DNCL for free.  The DNCL is designed to reduce the number of telemarketing calls and faxes directed to consumers, and is to be financed from telemarketers’ subscription fees. 

If consumers still receive telemarketing calls 31 days after registering on the DNCL, they may file a complaint, and violations may give rise to fines of up to $1,500 for individuals and $15,000 for corporations.  In practice, it is often difficult for consumers to determine which organization is calling, so complaints will likely be limited to situations where the telemarketer is easily identifiable.

Of course, there are limitations. Consumers must renew their registration every three years if they want their number(s) to stay on the National DNCL.  Exempt telemarketers include:

• registered charities seeking donations;
• newspapers looking for subscriptions;
• political parties and their candidates;
• companies that have an existing business relationship with a consumer (within the previous 18 months); and
• organizations directing calls and faxes to businesses.

Also, this is unlikely to prevent annoying calls from American telemarketers who will be beyond the reach of the CRTC. 

However, it is a good step forward.  Now the government needs to tackle national anti-spam legislation.

Calgary – 10:30 MST

In the current copyright battle between Viacom and Google, the users (including you, if you’ve ever watched a YouTube video) are caught in the cross-fire. 

Viacom and other broadcasters launched a lawsuit against Google last year, alleging $1-billion in damages. The lawsuit claims that thousands of clips of Viacom television programming are available on Google’s YouTube. In the latest salvo, Viacom won a federal court ruling in the US, in which Google was ordered to deliver up its database of records associated with every YouTube clip that users have viewed.  Whenever a YouTube clip is viewed, YouTube’s database apparently collects information about those who viewed it: including log-in names (for users with YouTube accounts), and IP addresses (for viewers without accounts).

Predictably, there was an outcry; even Ontario’s Privacy Commissioner weighed in with an open letter to Google citing the privacy risks for Canadian users. Ultimately, the parties were able to come to an agreement to anonymize certain data elements to make it more difficult to identify individual users.

Two points are worth raising:

• In today’s borderless culture, the jurisdiction of US courts over Canadian personal information is not an academic question. It’s an unavoidable reality – Canadians leave their personal digital fingerprints all over the US whenever they use the internet;
• Secondly, someone should be asking… why is YouTube collecting all this data in the first place? 

Calgary – 13:45 MST

What happens when a resident of B.C. posts defamatory comments on a usenet group about a resident of Australia?

In this case, two men were engaged in a protracted and ugly name-calling session in the usenet group “alt.suicide.holiday”, described as a discussion forum for persons who were feeling depressed and suicidal. In Griffin v. Sullivan, 2008 BCSC 827, a BC court has reviewed the issues around online defamation and breach of privacy.  The decision resulted in an award of damages for defamation of $150,000 and an award of $25,000 in damages for breach of privacy as well as a permanent injunction against the B.C. man.

The claim for breach of privacy arose when the B.C. man published the name and address of the plaintiff Australian man.  Names and addresses are often considered public information; however, the court found that the disclosure constituted breach of privacy (under the very seldom-used B.C. Privacy Act) since the Australian man had previously maintained his anonymity in the usenet group, and group members often shared sensitive information about themselves.

The other interesting element of the decision is that the court did not review the fundamental question of whether anyone in B.C. (or anywhere else in Canada) actually read the defamatory postings.   In Crookes v. Yahoo, 2008 BCCA 165, the Court of Appeal made it clear that merely alleging that something has been posted on the internet is not, on its own, sufficient to show that publication can be presumed, as we reported earlier.

Names can never hurt you… but they can result in significant damage awards.

Calgary – 14:30 MST

In a story we posted last year, eBay lost when the Canada Revenue Agency compelled disclosure of its records – specifically, records showing how much money was earned in Canada by so-called “PowerSellers”. 

The Federal Court of Appeal (eBay Canada Limited vs. The Minister of National Revenue, 2008 FCA 141) has now upheld that lower court decision, and ordered eBay Canada Ltd. to produce the names, addresses, phone numbers, e-mail addresses as well as gross sales figures for all Canadian PowerSellers.  eBay’s argument that the records were stored in the US and did not reside in Canada, was not accepted by the Court and this decision has implications on a number of levels – the right to privacy for anonymous eBay sellers, as well as the production of documents by US and other foreign companies doing business in Canada.

 Calgary – 10:15 MST

Some of the common issues facing Canadian businesses today are: ensuring compliance with e-commerce laws, handling employee surveillance issues and protecting brands online. The following links relate to online contracting and e-commerce in Alberta, as well as employee surveillance issues and online brand strategies for Canadian business:

• E-Commerce: Alberta Internet Sales Contract Regulation
• E-Commerce & Privacy: Alberta Investigation Report P2007-IR-007 – A case in which Ticketmaster contravened PIPA by requiring on-line customers to consent to the use of personal information for event provider’s marketing purposes as a condition of ticket sales transactions.
• Video Surveillance (Federal Case): Eastmond v Canadian Pacific Railway, 2004 FC 852 – in this case, the Federal Court reviewed video surveillance under federal privacy laws and articulated a four-part test.
• Video Surveillance (Provincial Case): Talisman Centre For Sport and Wellness Order P2006-008 (Alberta) – in this case, the Alberta Privacy Commissioner reviewed video surveillance under provincial privacy laws and confirms a three-part test for reviewing the appropriateness of video surveillance.
• Video Surveillance (Provincial Case): R.J. Hoffman Holdings Ltd. Investigation Report P2005-IR-004 (Alberta) – in this case, the Alberta Privacy Commissioner reviewed video surveillance in an employment context, under provincial privacy laws.
• Domain Name Decision: Neteller PLC vs Prostoprom – in this recent decision, Neteller successfully challenged the registration of a domain name under the UDRP rules, and the panel reviewed a number of common issues that were all present in this case: confusing similarity, likelihood of confusion, commercial use when using affiliate advertising programs or pay-per-click advertising, and the use of disclaimers.
• Community Trade Mark (EU): Regulations

Calgary – 20:00 MST

Alberta Premier Ed Stelmach is in good company: he joins Julia Roberts, Kevin Spacey and Mick Jagger, not to mention lesser celebrities such as one-time federal MPs Don Boudria and David McGuinty. This club can boast of the price that comes with celebrity in an internet age, since they’ve all had their personal names registered by someone else as domain names. In 2000, Julia Roberts fought and won a domain name dispute case over juliaroberts.com, paving the way for other celebrities and politicians to win back their domain names, including Mick Jagger and Kevin Spacey. In those cases, the panelists did not have trouble finding that celebrities have rights to their own names, even though the dispute resolution policy does not specifically say as much.
The dispute resolution procedure for dot-ca domain names (CDRP) is not identical to the UDRP which applies to dot-com domain name disputes. And further, a personal name has not yet been the subject of a dot-ca dispute under the CDRP. This means any attempt to run this dispute through the CDRP will break new ground.
Calgary – 23:30 MST

Four intellectual property topics to watch in the new year:

Canadian Copyright Changes

The government’s announcement of new copyright legislation has generated considerable debate in Canada in the last few weeks – when copyright reform hits the front page of the Globe and Mail, then you know something is up.  So far all of the media interest, including a Facebook group of several tens of thousands of concerned citizens, seems to have triggered a review of the proposed legislation.  We will be watching to see what the bill looks like.

Filesharing

We are hoping to see some clarity in this area in 2008.  The recording industry seems to be pushing for an opportunity to litigate, and the proposed copyright legislation may address this issue, providing guidance to content-providers, musicians, users and industry alike.

US Patent Reform

The proposed patent reform bill in the US is currently making its way through Capitol Hill and the changes effected by the new law will undoubtedly transform the patent landscape.  We’ll keep an eye on these developments south of the border because of their impact on so many Canadian patent holders and inventors.

Privacy Online

Privacy issues will continue to play a central role in the conduct of online business.  Massive privacy breaches have become almost common-place – announcements of lost data or hacked credit card info now seem to be weekly occurences - and Canadian law in this area is changing as new decisions and investigations try and produce guidelines for business.  Watch for this area to continue to evolve over the next year.

 

Calgary – 10:35 MST

If you earn your living on eBay, then the tax collector is interested in you.  In another case which raises privacy questions in the world of e-commerce, the Canada Revenue Agency sought and won a Federal Court order forcing eBay to disclose the names, addresses, phone numbers and e-mail addresses of all its high-volume sellers, even though that data resides in servers located in the US.  eBay initially resisted the request on the basis that eBay Canada did not “own” or “possess” any such information in Canada.  The court decided that eBay Canada has access to the information and this was enough to permit the order for disclosure. 

Calgary – 11:50 MST

 

There is something fascinating and unsettling about Street View, a relatively new offering from Google with help from Calgary-based Immersive Media. If you enjoyed finding your own house on Google Earth, then wait until you see yourself strolling down a side-walk on Street View. At the moment, the service is offered for New York, San Francisco and a handful of other US cities. But it doesn’t take long to see the potential for this to be rolled-out in cities around the world.  Reportedly, Vancouver, Calgary, Toronto, Ottawa, Montreal and Quebec City have already been “imaged”.

In anticipation of this coming soon to a street corner in Canada, the Canadian Privacy Commissioner has raised a few questions about the privacy implications of recognizing individuals on the street – in other words, collecting personal information without consent and then selling it.

The law regarding surveillance video will be helpful in the analysis, but this is a new twist on an old problem.  Once again, technology, intellectual property and privacy rights have intersected to stir-up some interesting issues and the law will have to catch-up and sort out the implications. 

Calgary – 10:30 MST

A Canadian company with a database of customer information including names, email addresses and account information, wants to find a service provider to handle the information. A US company seems to provide the best solution and so the Canadian company hires the US provider to host, manage and handle all of the customer data. What should the Canadian company be aware of? Do privacy laws apply?

The trans-border outsourcing of personal-information is becoming more common and requires an awareness of privacy law implications. The easy answer is yes, privacy laws apply. The more complex question is which privacy laws apply?

Canadian privacy laws and recent decisions by Privacy Commissioners at both the federal and provincial level make it clear that companies are responsible for ensuring that they maintain contractual control over personal information handling practices by external service providers. The trans-border nature of the data flow does not mean that Canadian laws won’t apply or that Canadian companies can simply opt out of Canadian jurisdiction. In fact, the Federal Court has recently decided that the Privacy Commissioner can and should investigate complaints relating to the trans-border flow of personal information.

The outsourcing of services to the US raises concerns about the US Government’s ability to access that information under the USA PATRIOT Act. In a 2005 investigation into the outsourcing of financial services to the US, the Privacy Commissioner of Canada noted that:

“[T]he Act cannot prevent U.S. authorities from lawfully accessing the personal information of Canadians held by organizations in Canada or in the United States, nor can it force Canadian companies to stop outsourcing to foreign-based service providers. What the Act does demand is that organizations be transparent about their personal information handling practices and protect customer personal information in the hands of foreign-based third-party service providers to the extent possible by contractual means.”

In a 2006 decision involving a Canadian security company’s handling of personal information by its U.S.-based parent company, the Commissioner was satisfied that the outsourcing of personal information was handled appropriately. The company informed its customers of the practice and permitted customers to opt-out of the outsourcing. The fact that the disclosure was between parent-subsidiary relationship meant that the personal information was not technically disclosed to a third-party, and these factors resulted in the Commissioner approving the handling of personal information in this case.

Careful management of the privacy issues allows Canadian businesses to handle outsourcing and reduce the risks of a customer complaint or investigation by the Commissioner.

 

Calgary – 10:25 MST