“There may be no greater area of confusion and misunderstanding than fear of the PATRIOT Act” – Ontario Information and Privacy Commissioner

Cloud computing and data outsourcing has been embraced by many Canadian companies. In a recent poll, the adoption rate of cloud-based services by Canadian businesses experienced one of the highest year-over-year increases. Data security and concerns over personal information and privacy remain one of the biggest barriers to adoption.

One of the most common concerns raised by businesses who are considering cloud computing is the law known as Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (“PATRIOT Act”). There has been much discussion and some misinformation regarding the PATRIOT Act. For those unfamiliar with the topic, the central concern is that U.S. government authorities may use the provisions of the PATRIOT Act to access the personal information of Canadians where that information is stored in the United States, particularly in the context of outsourcing or cloud-computing.

Overall, a review of recent decisions in Canada shows that these concerns are overstated in light of the risks, and that for private sector businesses there are no prohibitions on outsourcing to the United States in light of the PATRIOT Act, provided (1) reasonable safeguards are built into the outsource contract (including confidentiality, use-restrictions, security, and provisions to meet monitoring and audit requirements), and (2) customers are notified in a clear way when their personal information will be stored or handled outside Canada. It is important to remember that the confidentiality and use-restrictions imposed on the service provider must be tied to the purposes to which the customers originally consented.

“Transparency and security” are watchwords for Canadian businesses considering the cloud.

Industry-specific regulations or guidelines, such as those found in the Insurance Companies Act and the OSFI guidelines applicable to banks and other financial institutions, place certain controls on outsourcing but do not specifically prohibit outsourcing or data-storage outside of Canada.  Canadian laws, as well as the PATRIOT Act and OSFI Guidelines are reviewed below.

1.         Federal Private Sector Legislation

The Personal Information Protection and Electronic Documents Act, (PIPEDA) governs federally-regulated entities, such as insurance companies. PIPEDA is also the default private-sector privacy legislation for provinces which have not passed “substantially similar” privacy legislation. To date, only Alberta, B.C. and Quebec have passed general private-sector privacy legislation that has been deemed “substantially similar” to PIPEDA.

PIPEDA governs the handling of personal information by private businesses such as insurance companies in the course of commercial activities. PIPEDA does not prohibit outsourcing of personal information to the U.S.  In fact, there is a clear decision of the Canadian Privacy Commissioner that PIPEDA does not prevent federally-regulated entities from outsourcing personal information data handling or data processing to the U.S.

2.         Provincial Privacy Legislation

There are multiple layers of regulation at the provincial level, for the public sector, private sector and for personal health information. Let’s have a look at the Alberta law. With respect to outsourcing, under the Alberta Personal Information Protection Act (PIPA) (sections 13 and 13.1), a service provider must notify consumers when personal information is stored by a service provider outside Canada. This includes a notification of the position or title of a person who is able to answer the consumer’s questions about the collection, use, disclosure or storage of personal information by the service providers outside Canada.  This is considered prudent practice for any private-sector organization engaging in outsourcing personal information to U.S. service providers.

Other than these notice requirements relating to storage of personal information outside Canada, there is no prohibition on outsourcing or data processing in the U.S. in private-sector privacy laws.

3.         USA PATRIOT Act

Regarding the PATRIOT Act, the Privacy Commissioner of Canada has stated that: “.. there is a comparable legal risk that the personal information of Canadians held by any organization and its service provider — be it Canadian or American — can be obtained by government agencies, whether through the provisions of U.S. law or Canadian law.” The Ontario Information and Privacy Commissioner has gone further and stated: “There may be no greater area of confusion and misunderstanding than fear of the PATRIOT Act. The PATRIOT Act has invoked unprecedented levels of apprehension and consternation – far more than I believe is warranted.”

The PATRIOT Act has been in effect for over 10 years, and during this time the Government of Canada states that there have been no instances where the personal information of a Canadian has been accessed under the PATRIOT Act.

Some public sector laws in B.C., Nova Scotia and Quebec require public bodies to ensure that personal information is stored only in Canada. For example, in B.C. public bodies and their service providers are obliged to notify the government if the public body receives “a foreign demand” for personal information. This is designed specifically to address PATRIOT Act concerns.

In Alberta, the public sector Freedom of Information and Protection of Privacy Act, permits a public body to disclose in response to a “subpoena, warrant or order” issued by a court, as long as the court has “jurisdiction in Alberta.” While no prohibition on outsourcing to the U.S. is explicitly built into the Alberta law, this provision is intended to ensure that the public body is constrained in its ability to disclose to a court of a foreign (U.S.) jurisdiction. Once again, it should be noted that this is public sector legislation.

Several privacy commissioner decisions have directly considered the issues raised by the PATRIOT Act in the context of Canadian public and private sector privacy laws.

• In a 2005 decision, the Privacy Commissioner of Canada decided that PIPEDA does not prohibit the use of foreign-based third-party service providers, but it does oblige Canadian-based organizations to have provisions in place, when using third-party service providers, to ensure a comparable level of protection (including guarantees of confidentiality and security of personal information). The Commissioner’s decision was also clear that, at the very least, a company in Canada that outsources information processing to the U.S. should notify its customers that the information may be available to the U.S. government or its agencies under a lawful order made in that country.
• Again in 2006 and 2008, the Privacy Commissioner of Canada decided that data handling in the U.S., which exposed the personal information to potential PATRIOT Act concerns, did not offend PIPEDA since the Canadian company had implemented comprehensive strategy and techniques to safeguard the personal information.   
• Most recently, a June 2012 decision of the Information and Privacy Commissioner of Ontario reviewed a complaint about PATRIOT Act concerns with the outsourcing of personal information to the U.S. by an Ontario public body (the Ministry of Natural Resources). The Commissioner decided that the Ministry’s collection, use and disclosure of personal information for the purpose of administering the Ministry’s hunting and fishing licensing program was in compliance with the Act.

All of these decisions point to the need for transparency and openness when dealing with customers, to ensure that they are made aware in cases where personal information handling, processing or storage may or will be outsourced to the U.S. Secondly, the service or outsourcing agreement must contain contractual protections ensuring confidentiality, security and compliance with privacy laws, so that service provider provides a comparable level of protection for the personal information.

4.         OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes

OSFI’s Guideline B-10  describes requirements for federally-regulated entities (FREs), such as banks, financial institutions and insurance companies, when engaging in outsourcing. These are the guidelines relevant to the issue of outsourcing to foreign jurisdictions. Generally, these guidelines mandate appropriate security and data confidentiality protections.   

Guideline 7.1.1(j) (“Confidentiality, Security and Separation of Property”) says: “At a minimum, the contract or outsourcing agreement is expected to set out the FRE’s requirements for confidentiality and security. Ideally, the security and confidentiality policies adopted by the service provider would be commensurate with those of the FRE and should meet a reasonable standard in the circumstances. The contract or outsourcing agreement should address which party has responsibility for protection mechanisms, the scope of the information to be protected, the powers of each party to change security procedures and requirements, which party may be liable for any losses that might result from a security breach, and notification requirements if there is a breach of security.”

OSFI also expects “appropriate security and data confidentiality protections to be in place. The service provider is expected to be able to logically isolate the FRE’s data, records, and items in process from those of other clients at all times, including under adverse conditions.”

In Guideline 7.2.2 (“Location of Records”) OSFI indicates that: “In accordance with the federal financial institutions legislation, certain records of entities carrying on business in Canada should be maintained in Canada. In addition, the FRE is expected to ensure that OSFI can access in Canada any records necessary to enable OSFI to fulfill its mandate.” This is intended to cover information such as accounting records, incorporation documents, corporate by-laws, rather than personal information.

Guideline 7.2.4 (“Outsourcing in Foreign Jurisdictions”) indicates the following: “When the material outsourcing arrangement results in services being provided in a foreign jurisdiction, the FRE’s risk management program should be enhanced to address any additional concerns linked to the economic and political environment, technological sophistication, and the legal and regulatory risk profile of the foreign jurisdiction(s).”

Once again, this speaks to the need for enhanced attention to security rather than any outright prohibition on outsourcing to the U.S.

5.         Breaches in Alberta

The Alberta Privacy Commissioner’s 2012 Breach Report shows that a majority (64%) of the 63 reported cases meeting the real risk of significant harm threshold involved human error or lost or stolen unencrypted electronic devices:

• 22 breaches (35%) were caused by human error. These incidents included inappropriate disposal of personal information, misdirected emails or faxes, loss of files and portable media, and unauthorized disclosure of passwords. The most common form of human error was mail and courier errors caused by delivery to the wrong recipient. 
• 18 breaches (29%) were caused by theft, such as office and car break-ins. 
• 14 breaches (22%) were caused by electronic system compromises, typically through targeted attacks by external hackers.
• 9 breaches (14%) were caused by a failure to adequately control access to electronic or paper files.

None of the cases involved a disclosure or breach through the PATRIOT Act. And it should be noted that hackers can access records on both Canadian and U.S. servers, so in that sense no additional risk is associated with outsourcing to the U.S.

Conclusion

Many concerns have been raised about the reach of the PATRIOT Act. It should be remembered that Canadian government authorities have similar powers to access personal information in the course of investigations, and to respond to requests by their allies, such as the U.S. in investigations.

This review of recent decisions in Canada demonstrates that private sector businesses are not prohibited from outsourcing to the United States in light of the PATRIOT Act. However, Canadian companies are well advised to implement reasonable safeguards and build these safeguards into the outsource contract. Secondly, customers should be notified in a clear way when their personal information will be stored or handled outside Canada.

Calgary – 07:00

If you missed the details about the introduction of new generic Top-Level Domains (gTLDs) or need a refresher, see our earlier post here, from October, 2012: An Update on gTLDs. The period for filing formal objections against these new domains has now been extended to 13 March 2013. Once the objection filing period closes, the objections will be processed through a dispute resolution mechanism which will likely run into August 2013.

Note this upcoming webinar hosted by ICANN:

• New gTLD Objection & Dispute Resolution Webinar
  Date: 29 January 2013
  Time: 16:00 – 17:30 UTC (9:00am – 10:30am PST)
  Adobe Connect: https://icann.adobeconnect.com/newgtldwebinar
  Dial In: Dial in numbers are available here [PDF, 22 KB]

  (An overview of the new gTLD objection process, plus a Q&A with Dispute Resolution Service Providers.)

Calgary – 07:00 MST

–

Megaupload Ltd. is alleged to have disseminated copyright protected movies and music and US prosecutors now have the task of gaining access to the company’s servers in a bid to prove their case. In the fascinating Megaupload saga, a Canadian court has been asked to decide what to do with 32 servers belonging to Megaupload which are located in Canada. The servers are packed with information – “100 laptops” worth of data according to the judgement – and the court was asked by the US government to deliver that data to American prosecutors who are pursuing charges against Megaupload for criminal infringement of copyright, conspiracy to infringe copyright, money laundering and racketeering.

In last week’s decision, Canada (United States of America) v. Equinix Inc.  , 2013 ONSC 193, the court denied this request, indicating that the massive volume of data meant that the scope of the investigation should be narrowed to just that information that is the target of the search, rather than the entire contents of the data trove. However, the judge did not deny that the evidence should be delivered. Evidence to implicate Megaupload likely is contained within those servers, and it is only a matter of time and negotiation to determine the scope of the search, rather than an absolute denial of the request. “Given the undisputed conclusion” the judge wrote, “…that there were reasonable grounds to believe that evidence of the offences would be located on the servers in my view the appropriate balance of the state interest in gathering evidence and privacy interests in information can be struck by an order that the servers be brought before the court …so that the court can make an order refining what is to be sent.”

From a cloud computing law perspective, this case raises several important points:

• Canadian courts will order seizure and search of cloud-computing servers – just like they will with any piece of evidence in Canada – pursuant to a request from US authorities in the course of a criminal investigation;
• Privacy interests will be balanced by the court, since the law is developing a sense of when individuals have an expectation of privacy in the contents of computers or servers;
• However, that privacy right is not absolute, but it will be balanced with the interests of governments to conduct investigations.

We can expect another decision to be released before long, where the contents of the servers are indeed delivered to US prosecutors, with some conditions or limitations as to the scope of the search.

Calgary – 07:00 MST

 

My article Click and Copy: Breach of Online License Agreements and Copyright Infringement was published in Canadian Intellectual Property Review in December.  The enforceability of click-through licenses for online software-based services is critical within the information technology industry. Software vendors and cloud-computing service providers require certainty that the licence terms governing these products will be enforceable.

In other words, vendors require certainty that, if there is a breach by a user, the law will provide a remedy, under the law of either contract or copyright, or both. When does a breach of a licence or breach of online terms of use constitute not only a contractual breach but also an infringement of copyright in the software?

The outcome of this question affects whether a vendor or provider would be able to access the infringement remedies under part IV of the Copyright Act, including injunction, damages, accounts, delivery up, and statutory damages. By reviewing some of the recent case law in this area, this article examines the intersection of copyright and contract law in the context of click-through software licences and online terms of use, specifically when a breach of such terms constitutes copyright infringement, giving rise to remedies under the Copyright Act, and when a breach is merely a breach, giving rise to remedies and potential damage awards under contract law.

Calgary – 07:00 MST

 

–

Several recent stories have highlighted the concerns over personal information, privacy and the reach of mobile apps.  Once again, the law is labouring to keep up with technology.

• So-called Cyber-Stalking Apps provide the means to track the location of a phone through an app that is not visible or easily detectable by the phone’s owner. The cloaked app resides on the phone and essentially reports back to the person who installed the app on the user’s whereabouts. In the US, a proposed law has been drafted to make such apps illegal (The Location Protection Privacy Act). This draft legislation moved out of committee and may become law in 2013.
• A number of mobile apps have been criticized for collecting personal information about kids, and selling that info without parents’ consent. To tackle these problems associated with mobile apps directed at children, privacy advocates have been pushing for changes to the rules under COPPA (Children’s Online Privacy Protection Act). The US Federal Trade Commission (FTC) amended the Children’s Online Privacy Protection Rule in December 2012. The Rule now applies to mobile apps and web-based text messaging programs, and requires app developers to get permission from parents before collecting a child’s photographs, videos and geolocational information. The amended Rules will become effective on July 1, 2013.
• It is worth noting that these are both developments under US law.  In Canada, app developers who target children’s personal information would be caught by Canada’s broad private-sector privacy laws, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, or one of the provincial-level privacy laws, such as the Personal Information Protection Act in Alberta.  Cloaked “cyber-stalking” apps could constitute an invasion of privacy  contrary to Canadian law. However, that would apply to the person who surreptitiously loaded the stalking app, rather than the app developer.

App developers: Make sure you get advice on a properly-drafted privacy policy, terms of use or end-user license, and that you understand the implications of privacy laws when launching mobile apps.

Calgary – 07:00 MST

Update: January 29, 2013: see comment below regarding WhatsApp privacy issues.

–

As mentioned in our previous post, industrial designs protect the visual features of a product (shape, configuration, pattern or ornament). Functional, utilitarian or useful elements are not eligible for protection. This was illustrated in Bodum USA, Inc. v. Trudeau Corporation, 2012 FC 1128 (CanLII), where the court found that Bodum’s double-walled drinking glass design was not infringed, since the competing product was not substantially similar in light of the many variations of double-walled glasses in the marketplace. The designs would have had to be virtually identical to support a finding of infringement.

A second interesting element to this case is the counterclaim by Trudeau Corp., who sued for a declaration that the Bodum design was invalid due to the prior art on the register. The court in Bodum confirmed that to be registrable, an industrial design must be substantially different from prior art. A simple variation is not enough. For a design to be considered original, there must be some “substantial difference” between the new design and what came before. “A slight change of outline or configuration, or an unsubstantial variation is not sufficient to enable the author to obtain registration.” In this case, the Court reviewed a number of other existing designs for double-walled glasses – one of which was designed in 1897 – and decided that Bodum’s design was not original. To come to this conclusion, the Court set aside the utilitarian functions, the materials used, and colours applied, and looked merely at the visual or ornamental features.

In the end, Bodum’s design did not satisfy the requirement of “substantial originality”, and the registration was expunged.

Calgary – 07:00 MST

Industrial designs are like the shy cousins of much sexier patents and copyright. Sure, patents and copyright get all the attention, but industrial design can be a very reliable, useful tool in the intellectual property toolbox.  This category of protection (in the US, known as “design patents”) will protect the visual features of a product (shape, configuration, pattern or ornament). Functional, utilitarian or useful elements cannot be protected. Industrial design protection expires after 10 years, so it does not extend as long as patents or copyrights, but can provide protection for articles that are not eligible for either copyright or patent protection.

In Bodum USA, Inc. v. Trudeau Corporation, 2012 FC 1128 (CanLII), the court considered two competing double-walled drinking glasses, one of which (the design owned by Bodum) was registered as an industrial design. The double-wall configuration itself serves a utilitarian function: it keeps hot drinks hot and cold drinks cold. Thus, the double-walled feature could not be assessed in the infringement analysis. As described in the judgement: “The court has to decide only whether the alleged infringement has the same shape or pattern, and must eliminate the question of the identity of function, as another design may have parts fulfilling the same functions without being an infringement. Similarly, in judging the question of infringement the court will ignore similarities or even identities between the registered design and the alleged infringement which arise from functional matters included within the design.”

According to the Court, the competing product must be characterized as “substantially the same” for there to be infringement. This question must be analyzed by the Court from the point of view of how the informed consumer would see things. In the end, the Court decided that there was no infringement between Bodum’s design and the competing product.

Related Reading:

Industrial Design in Canada & US

Calgary – 07:00 MST

–

Infringement! Litigation! Legislation! There is never a dull moment in the wonderful world of intellectual property law, and 2013 will be no exception. Here’s our list of what to watch in the coming year:

Copyright. If you keep making the same predictions year after year, eventually one of them will come true, right? For the last several years, we predicted that copyright reform would finally come to Canada. 2012 did not disappoint as the year of copyright, with the release of five SCC decisions and the passing of the copyright modernization legislation that had been long awaited.  We expect that 2013 will provide some opportunities to test the new law in court.

Anti-Spam. As with copyright, many have predicted that Canada’s “new” anti-spam law would come into effect for several years. Yes, Parliament passed the Fighting Internet and Wireless Spam Act and it did receive royal assent way back in December, 2010. However, Canada’s anti-spam legislation is still not in force. Industry Canada released draft revised anti-spam regulations last week, and it would be surprising if we didn’t see final regulations in the first half of 2013.

App Law. We predicted in 2011 that app law would develop as regulations and laws fight to keep pace with the explosion of the app economy which is expanding in both business and personal life, along with cloud computing. 2012 provided a number of important developments in app law, mostly in the US. 2013 should continue to provide clarity in this growing area of law.

Apple and Samsung. The litigation that brought patent infringement back into the public consciousness like no case since RIM vs NTP may be resolved in 2013. Even Judge Koh has made a plea for “global peace.”

Calgary – 13:00 MST