Deceptive Privacy Policy: $4.5 Million in Damages
A recent US Federal Court case, CollegeNET, Inc. v. XAP Corp., 2007 WL 927946 (D. Or.), involved two rivals in the competitive college application business. CollegeNET sued XAP for patent infringement in 2003, and then added an unfair competition claim in 2004. A jury returned a verdict in favour of CollegeNET. What’s interesting is that the unfair competition claim resulted in a damage award of $4.5 million for a deceptive privacy policy (compared with the $4 million patent infringement award).
XAP’s privacy policy stated that personal data wouldn’t be released to third parties “without the user’s express consent and direction.” In the XAP online application process students were asked the following opt-in question: “Are you interested in receiving information about student loans and financial aid?” If the students answered “yes,” XAP forwarded the students’ personal information to its third-party “partners” for a fee.
This was considered to constitute unfair competition, since students were lured away from CollegeNET to use the free XAP system, not realizing that their personal information was being sold to financial institutions and others.
There are two lessons:
- First, for Canadian companies doing business online with US customers, a well-drafted privacy policy is critical; the pitfalls are not only within the realm of Canadian privacy laws but also in US privacy and trade laws;
- Second, IP lawyers should think creatively about the possible claims as they did here: a successful intellectual property infringement claim was bolstered and (in terms of the damage award) surpassed by an unfair competition award based on the privacy policy.
The decision can be accessed here.
Calgary – 15:30 MST

Canadian ISP Surveillance Law
On Friday a proposed Federal surveillance law (Bill C-416) was introduced in Parliament. The bill is designed to require ISPs and other telecommunications service providers to establish and maintain surveillance capabilities to permit interception of online communications. The proposed law also requires ISPs to “provide basic information about their subscribers to the Royal Canadian Mounted Police, the Canadian Security Intelligence Service” and provincial police services.
Calgary – 20:44 MST

ISP Tracking Legislation
It is hard to gauge how proposed ISP tracking legislation will impact Canadian ISPs if the new bill is passed in the US. Certainly, Canadians who use US-based ISPs would be impacted.
The bill was introduced in the US Congress last week, and if passed, it would compel internet service providers (ISPs) to track their customers’ online activities to aid police in possible future investigations. ISPs who fail to retain the data could face fines and their employees could even face prison terms. There doesn’t seem to be any time limit on the data retention obligations, nor do there seem to be constraints on the scope of the data covered: CNET speculates that data which records details of web browsing, instant messages, or e-mail exchanges might all be fair game under the proposed law.
Calgary – 15:43 MST

Canadian Court Orders Cross-Border Privacy Investigation
As I’ve noted in past posts, privacy and internet law often overlap. In a very interesting Federal Court decision on Monday, the Privacy Commissioner of Canada has been ordered to re-open its investigation into the privacy practices of an American company. A Canadian complainant asked the Privacy Commissioner to investigate Accusearch Inc. for possible violations of the Personal Information Protection and Electronic Documents Act (PIPEDA). In 2005, the Privacy Commissioner’s office closed its file after concluding that it lacked the jurisdiction to investigate a foreign company. In coming to this decision, the Commissioner stated that “Canadian legislation will only apply to the persons, property, juridical acts and events that occur within the territorial boundaries of the enacting body’s jurisdiction.” That decision was appealed to the Federal Court, resulting in Monday’s judgement.
The Federal Court disagreed with the Commissioner and clearly stated that “PIPEDA gives the Privacy Commissioner jurisdiction to investigate complaints relating to the transborder flow of personal information.” The court also noted that absent an investigation and a corresponding report, the complainant’s avenue to an award of damages would be closed. Citing Pro Swing v. Elta, the court noted that “A money judgment may be enforced in another jurisdiction.” This is a curious observation, since Pro Swing is a Canadian decision about enforcement of a foreign judgement in Canada, and any possible order against Accusearch would involve the enforcement of a Canadian judgment in the US, a matter for a U.S. court to decide. This decision will open the door to investigations of foreign companies and will result in some interesting enforcement challenges.
Calgary – 21:28 MST

Convicted Phisher Faces Jail Time
In what is the first jury conviction of a “phisher” under the US CAN-SPAM Act of 2003, Jeffrey Goodin faces significant jail time when the case goes to sentencing in June, 2007. Goodin used an elaborate phishing scheme to defraud AOL users out of sensitive credit card and personal information. Aside from the obvious financial harm done to victims whose credit card information is harvested and misused, this kind of scheme invariably includes trade-mark infringement and other intellectual property rights violations. In this case, Goodin sent authentic-looking email (displaying the AOL trade-mark) to AOL customers posing as AOL’s billing department.  Victims were directed to a fraudulent web page (also displaying AOL trade-marks), where their credit card information was collected.
While there is no anti-spam legislation in Canada, the problem is just as pervasive here as it is south of the border. A few weeks ago, the Federal Department of Finance issued a news release warning of an email fraud scheme in which a phisher tried to lure victims to disclose personal financial information through a “tax refund request” form. This is just one example among many of the overlap of privacy rights, internet law and intellectual property law in the world of phishing.
Calgary – 22:28 MST

Battling “Function Creep”
Seemingly benign technologies can be pressed into service as privacy offenders.
Internet-based companies are slowly becoming aware of the importance of maintaining customer confidence in the handling of personal information. Even traditional companies are waking up to privacy issues. A stolen laptop is the easiest way to understand the risks: a commonly-used piece of technology loaded with customer data makes mobile employees more productive; it can also present a public relations nightmare if the laptop is pinched while your employee is grabbing a coffee.
Whether the technology is simple (such as data loaded onto a laptop) or complex (cloaked software which conducts surreptitious surveillance on users), the issue is the same: personal information must be safeguarded in the face of “function creep”. Function creep is the tendency of a particular technology’s function to “creep” beyond its original scope to include other, nefarious purposes. The temptation to use the technology to harvest valuable personal information is seemingly irresistible. The Sony Rootkit case is a classic example where efforts at copyright protection crossed the line into privacy violation.
In Canada, the Federal Privacy Commissioner recently considered this issue in a complaint by employees that their employer was conducting surveillance on them via a GPS system installed in company vehicles.  Interestingly, the Privacy Commissioner found that the data collected by the GPS system did qualify as “personal information” under the relevant Act, even though the system only collected metrics about the use of the vehicle – speed, location, start and stop-times, etc. The system did not collect any information about the identity of the person driving it, although company records could be used to determine who used which vehicle. In the end the complaint was resolved in the employer’s favour since the purpose of the technology (safety, productivity and asset management) could be balanced effectively against the potential invasion of employee privacy.
Calgary – 10:48 MST