David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.




January 31, 2011

New Biz Monday format for London Free Press

David Canton @ 8:37 am

The Free Press has revamped Biz Monday.  Welcome to new columnists Gerry Macartney, who will write about business and politics, and Andrea Halwa, who will write about business and the arts.

Columns will now run bi-weekly instead of weekly, including my column, and Allison Graham’s column.

Another new addition will be a full page spread on a local business leader.  Today’s article is about David Taylor, president and CEO of Pacific & Western Bank.

January 28, 2011

Happy Data Privacy Day

David Canton @ 8:07 am

From the Data Privacy Day web site:

Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information.  In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it  – with whom are they sharing it?  Most of all, individuals are asking ‘How can I protect my information from being misused?’  These are reasonable questions to ask – we should all want to know the answers.

Some events happening today can be found here.

The Canadian Privacy Commissioner, Jennifer Stoddart, has a page worth reading, including some tips, and a contest.  As she says in her news release, “Protect your personal information, because the Internet never forgets.”

January 26, 2011

More on the Anti-Spam Act

David Canton @ 1:25 pm

That’s the title of my Slaw post for today.  It reads as follows.

I just finished listening to another IT-Can teleconference on the anti-spam act, this one presented by Barry Sookman and Lorne Salzman of McCarthy Tetrault.  For those wanting more detail, slides will be posted soon on the IT-Can website, the McCarthy Tetrault website, and Barry’s blog.

It reinforced my earlier concerns that this legislation is going to affect almost every business or organization.  Many of its provisions strike me as a sledgehammer-to-kill-a-fly approach.  Some of the highlights from the teleseminar are as follows:

Why be concerned?

There are large penalties for violations.  They include extensive awards for private actions, including class actions.

There is broad vicarious liability – which extends to mere acquiescence, including officer and director liability.

It will be important to have policies and processes to mitigate, and to look at D&O insurance to see if it is covered.

The act applies where there is any connection to Canada – even just routing through Canada or accessing from Canada brings conduct under the act.

The act is a significant departure from other spam legislation in other countries, so foreign entities can’t rely on processes they have developed to comply with other spam legislation.

Various definitions, e.g. “electronic message”, are open-ended, non-exclusive lists.

It is thus crucial to think about various forms of electronic messaging, such as social networking, text messaging, etc.  Different solutions may be required for different platforms.

Where consent is required or obtained – need to express both the purpose and yet-to-be-prescribed information.  But sending a message to get consent is itself considered spam.

Consents obtained for PIPEDA may not be good enough for this.  “Implied” means something different here than in PIPEDA.

The spyware sections deal with any software – good or bad – installed on someone’s computer.  They apply to computer programs and computer systems as defined in the Criminal Code – which is very broad.  That would include smartphones, e-book readers, cars, etc.

There is a minimum disclosure required for normal programs.  If it crosses the spyware threshold – more prominent and explicit disclosure is required.  There is an exception for non-harmful things that would automatically load – like Javascript.

The e-mail collection (harvesting) sections alter PIPEDA.  These sections are not tied to spam-related activity.  Need to look at to what extent email addresses are collected for any reason.  Damages are attached to this – which is not otherwise the case in PIPEDA.

It amends the Competition Act to add specific provisions for electronic communications to the deceptive marketing practices regime that already exists.

Adds 4 new deceptive marketing practices:

  1. if make false or misleading misrepresentation in electronic message in a material respect
  2. if make false or misleading misrepresentation in sender portion
  3. if include false or misleading information in subject area
  4. if there is false or misleading misrepresentation in locator (e.g. URL).

It is noteworthy that only #1 says “in a material respect”.  Also that there is no notion of these needing to go to the public – so numbers sent and the type of recipient don’t matter.  There is no notion of consent or pre-existing relationship here.

Consider e.g. an email that says “fly from X to Y for $200”, with a body that goes on to set limits on time, taxes, extras, etc.  Is that a contravention?  Or “lose 20 pounds in 4 weeks” – or “our best sale of the year”.

The CRTC will deal with spam and spyware aspects of the Act.  It will designate enforcement officers (aka “spam police”).  They have broad powers to investigate and enforce.

Undertakings (a negotiated settlement) may be common.

Due diligence defenses are available – but unclear what would be required to meet that.

The penalties are “per violation”.  It is not clear what a violation is – e.g. if the same email is sent more than once, are they separate violations?

The Act includes language that could replace the do not call phone regime with this.  The feeling is that this is there in case this is desired in the future, but that there are no current plans to do that.

A private right of action can apply to any misconduct under the Act, including the amended provisions in PIPEDA or the Competition Act.  Remedies include compensation for loss and expenses, and “private fines” (statutory damages), which are really a bonus for pursuing the action.  Up to $1,000,000 per day, or $1,000,000 per event for some things.

January 24, 2011

E-mail access denial challenged by IPC

David Canton @ 8:13 am

For the London Free Press – January 24, 2011

Read this on Canoe

When a government employee uses his or her workplace e-mail address to send and receive personal e-mails unrelated to their work, are those e-mails subject to disclosure to members of the public who request them under freedom of information legislation?

Despite the fact that these e-mails are generated on government computers, stored on government servers and often composed on government time, an Ontario court decision (the City of Ottawa versus the Information and Privacy Commissioner and John Dunn) held that such e-mails are not subject to freedom of information legislation.

Like many employers, the City of Ottawa permits incidental personal use of its e-mail system by its employees.

In 2007, Rick O’Connor worked for the City of Ottawa as in-house counsel. He also volunteered on the board of directors of the Children’s Aid Society (CAS).

O’Connor took advantage of the City of Ottawa’s policy and often used his work e-mail to send and receive CAS-related correspondence. These were saved in a separate personal folder stored on the City’s e-mail server.

John Dunn made a request under the Municipal Freedom of Information & Protection of Privacy Act (the “Act”) for disclosure by the city of all correspondence sent or received by Mr. O’Connor to and from anyone at CAS. The city refused, arguing the emails were not within its custody or control.

Mr. Dunn appealed the City’s decision to the Information and Privacy Commissioner (IPC).

Although the e-mails in question all pertained to CAS matters and did not relate to City of Ottawa business, the IPC arbitrator held that the communications were within the custody or control of the City and subject to the Act.

This decision did not require the City of Ottawa to disclose Mr. O’Connor’s personal e-mails per se, but did require the City to process the freedom of information request.

Under the Act, disclosure requests may be refused based on a number of exemptions, such as personal privacy. The IPC ruling essentially would have required the City to go through each e-mail and exempt them one by one.

With the thousands of civil servants who work in government offices, this decision had the potential to divert a great deal of public resources into the processing of access requests that had little to do with government transparency.

The City of Ottawa successfully appealed the IPC’s decision to the Ontario Superior Court. The Court held that providing access to communications between the CAS, an agency not subject to the Act, and Mr. O’Connor, an individual acting in his own personal capacity, would not advance public participation in the democratic process.

The Court also said the fact Mr. O’Connor’s e-mails were segregated in a separate folder was not determinative. Private e-mails commingled with work e-mails will most likely not be subject to the Act either. The IPC has appealed the decision.

January 21, 2011

Bill c-52 Investigating and Preventing Criminal Electronic Communications

David Canton @ 10:29 am

David Fraser has a post worth reading entitled Investigating and Preventing Criminal Electronic Communications Act bill one step closer to (warrantless) surveillance state.

The bill has been called “lawful access”, or “awful access”, depending on your perspective.  It will give more power to government authorities to get information from telecommunications service providers without a warrant.

David uses the example of secret police in Belarus who used this kind of power to identify people at an anti-government demonstration.

As he puts it “If we’re shocked at what repressive regimes are doing to their citizens, we shouldn’t be giving our own governments tools to be repressive.”

January 19, 2011

CRTC role in the new anti-spam act

David Canton @ 1:10 pm

That’s the title of my Slaw post for today.  It reads as follows.

I just listened to a teleseminar by the Canadian IT-Law Association on the Anti-spam act, primarily discussing the CRTC’s role.  Here are a few points that were raised.

The act is expected to come into force in September.  Regulations may be published for comment as early as late February or March.

The regulations will be crucial.  It will be important to look at them during draft stage and comment where necessary.

There will be an overlap in jurisdiction between the CRTC, Privacy Commissioner, and Competition Bureau, though CRTC is primary.

The CRTC role as enforcer is fairly new.  The do not call list was its first real enforcement mandate, as opposed to a supervisory and licensing role.

CRTC has power to issue preservation demands to telecommunication service providers, to issue production orders, and warrants for entry and inspection.

Penalties are AMPs, or Administrative Monetary Penalties.  They can be imposed by the CRTC without going to court.  The Act says they are not intended to punish, but to deter.  AMPs have in the past been described as unconstitutional.

The CRTC can apply to court for an injunction, can issue a restraining order, and can enter into undertakings (i.e. a form of settlement).  There are also some offences under the Act, e.g. failing to comply with an order.

A private right of action is included in the Act.  For actual damages – or for statutory damages.  Class actions are possible.

Once an undertaking is entered into, it restricts all other actions, including the private right of action.  (It will be interesting to see if a defendant in a class action would immediately go to the CRTC and try to enter into an undertaking.)

The CRTC will have a significant budget for enforcement.

January 17, 2011

Privacy Zuckering

David Canton @ 1:36 pm

Privacy Zuckering v. Creating intentionally confusing privacy policies —à la Mark Zuckerberg—to sucker users of social networking sites like Facebook into exposing valuable personal information.

From Wired magazine Jargon Watch

Our digital universe keeps expanding

David Canton @ 7:58 am

For the London Free Press – Jan 17, 2011

Read this on Canoe

The sheer volume of digital information that we create is fast outstripping our ability to manage it all, report warns

The sheer volume of digital information continues to rapidly increase. According to a report by IDC entitled The Digital Universe Decade – Are You Ready?, commissioned by storage vendor EMC, the projected growth of the digital universe could outpace our ability to manage it, creating new challenges and opportunities.

Every time we send an e-mail, take a digital photo, blog, upload a video or download a song, we are contributing digital content. The report uses the term “digital universe” to mean the amount of digital information created and replicated each year.

This content is growing and is expected to increase exponentially. In 2009, the digital universe grew by a staggering 62% to about 800,000 petabytes (a petabyte is a million gigabytes).

In 2010, the digital universe was expected to grow to 1.2 million petabytes and reach 35 trillion gigabytes by 2020. That would fill a stack of DVDs that would reach halfway to Mars.

The report says that over the course of the next 20 years, the digital universe will grow by 44 times, while the personnel and investment in resources to manage it will only grow by 1.4 times. This discrepancy will have real implications for both the organizations tasked with dealing with digital content and regular users and contributors to the digital universe.

Issues that arise include the amount of physical storage needed to contain all this data. This is in part attributable to the fact that only 25% of digital content being created is unique – the other 75% consists of things such as forwarded e-mails and other copies.

Backing up all that data so it won’t be lost if something goes wrong is also a challenge, both because of the sheer volume and because of the need to find the most effective and cost-effective ways of doing it.

Individuals will use higher-capacity hard drives in their computers, external hard drives, and the cloud to store and back up their personal material.

The report suggests an increasing amount of data will be housed in the cloud. This goes beyond keeping our files or backups stored at Internet-based locations. Examples include watching on-demand Internet-based TV, such as Netflix online, instead of using DVDs, and using cloud-based software rather than installing and running it on our PCs.

Finding what we need in all this data will require continued advances in ways to manage it. That includes ways to know when to delete data, and search tools to find what we need.

The report also says that the amount of data that needs protecting will increase at an even faster rate. This includes confidential and personal information, such as financial and health data. It claims that less than 10% of the information about an individual is created by the individual – such as taking photos, using social media, sending e-mails, and getting cash from an ABM. The rest is created by others, such as credit records, surveillance photos and web-use histories.

Managing the security and privacy of all this will continue to be a challenge.

January 14, 2011

Privacy dangers of smartphones

David Canton @ 8:36 am

David Fraser has a post entitled Your smartphone could be your most dangerous possession, so secure it.

David states, in part:

After a decision out of California which found that police are able to rummage through all your portable electronics incident to arrest, much attention has been focused on how much data people carry around in their portable electronics. CNN Money is running a story with the descriptive title: Your smartphone could be your most dangerous possession.

David and I have commented before about the ability of customs agents to go through all your electronics.  The California decision was based on the notion that the police looking at the contents of someone’s phone incidental to an arrest is no different than looking in their trunk or pockets.  But with the amount of information that can be on our phones, it’s much more intrusive than that.  It’s more like looking through all one’s personal files, banking records, phone records, etc.

And it’s not just about what police and customs agents can look at; it’s the risk of losing a phone with all that personal information on it.

Take a look at David’s post for a link to an article about securing your phone.

January 12, 2011

Anti-spam Act – bill C-28 – how it might affect you

David Canton @ 9:47 am

That’s the title of my Slaw post for today.  It reads as follows:

The anti-spam bill – Bill C-28 – was recently passed, and is expected to be in force sometime later this year.

If you think it won’t affect you because you don’t send mass emails trying to sell random products, and don’t infest other people’s computers with spyware, you would be wrong.

It applies to the sending of commercial electronic messages that many of us would not consider to be spam.  An email to just one person that you consider a potential customer or client who you met at an event may fall into the prohibitions.  And it applies to other forms of electronic communications, such as instant messages, and various kinds of social media.

It can also apply to software updates in certain circumstances.

So while the intention is to control what we all understand as spam and spyware, it has the potential to affect many things that we may not intuitively consider spam or spyware.  Similar to privacy legislation, this Act will no doubt lead to situations where our first reaction is to label it spam or spyware if we receive it, but not consider the same thing spam or spyware if we send it.

There are details that will be covered in yet to be drafted regulations.  Personally, I would like to see some kind of volume threshold where it is deemed not to be spam if it’s a targeted message sent to a small number of individuals.

Until we see the regulations, it is going to be hard to give specific advice to a typical business or organization as to what they must do to comply.  Many things that could potentially affect a typical business fit threshold situations that might result in a different answer depending on the regulations.  The penalties are significant, so it’s not legislation to be taken lightly.  Remedies include fines of up to $1,000,000 for individuals, $10,000,000 for others, and private rights of action.

Some things are “reviewable conduct”, meaning that they are subject to the investigatory and order-making powers of the Privacy or Competition Commissioners.

The act is long and complex, and includes amendments to four existing acts – the CRTC Act, Competition Act, PIPEDA, and Telecommunications Act.

Directors and officers can be personally liable if they authorized or acquiesced in the offence.  Employers are vicariously liable for the actions of their employees acting within the scope of their authority.

While we await the regulations, here are some things to ponder for those who don’t consider themselves spammers.

The act starts with a broad definition of “commercial electronic message”, and says that you can’t send them unless it fits within a specific exemption.  One of the keys will be to figure out what the boundaries are of “commercial activity”.

“Electronic message” is broadly defined to include a message to email, instant message, phone, or “any similar account”.  That could include things like a Twitter direct message – but I would think not a general tweet to people who choose to follow you.

In some circumstances you can send the message, but must include accurate information about the sender, and a way to opt out of future messages.

It is not spam if the recipient consented to receive the message.  The Act has extensive provisions defining what amounts to explicit or implicit consent.  It includes things we might expect, such as an ongoing business, personal or family relationship – some of which have two-year windows.  Also exempted are messages to those who publish their address or have provided you with their address – so long as the message is relevant.  I suspect that means that since my email address is published on our firm web site and other places, you will be able to email me with anything relevant to the practice of law – but you won’t be able to email me trying to sell me a trip.

Or if I hand you my business card, the same applies.

It is up to the sender to show that they have consent if there is a complaint.  So will we need to track that to be safe, i.e. somehow track that you got my address from our web site, or the card I handed you?

Directors’ and officers’ personal liability will be tempered if they can show diligence.  Since almost everyone in an organization routinely sends email, tweets, etc., organizations may want to set up policies and training programs to educate employees and reduce potential corporate, director and officer liability.

Exemptions for an “existing non-business relationship” include donations, volunteer work, or memberships – with a two-year window.  Charities will need to review these provisions carefully, as they will affect how they approach prospective donors and volunteers.

One example to think about is a press release.  Those sending a press release will need to think about the purpose of the release, and who is on the email list.  Is it being sent beyond traditional news services?  Does the fact that a recipient has published their email address on their firm’s website mean that they can or cannot get the release depending on the content of the release?  Does the fact, for example, that my email address is listed on my newspaper column mean I can be sent emails that could not be sent if my address was only on our firm web site?  Does it make a difference that I may be listed somewhere on a list of journalists because I write a newspaper column?  Are bloggers considered the same as journalists?  Does it make a difference if my address is disclosed on various social media platforms, such as Facebook, LinkedIn, Twitter, or .tel?  

Am I restricted from sending personalized individual emails to a handful of influential people active on social media who I hope will spread whatever message I want to get out?  Am I going to have to analyse each recipient to see how close or distant a connection they have under the exemptions, or how their email address has been published?

Will the answer be different if I send it to them as a direct message on Twitter, rather than by email?

How will senders possibly track all this, or find the time to do so?

Those creating and selling software will need to consider how this affects them.  The Act adopts the broad definitions of “computer program” and “computer system” from the Criminal Code.  It thus applies to any electronic instructions that execute to perform a function, on any device capable of executing them.  That would include phones and tablets.  And since almost everything includes some kind of computing power these days – might some of these provisions affect things such as PVRs or cars?

The Act has provisions that affect software that collects personal information.  Certain functions will require specific permission, such as anything that changes or interferes with settings, interferes with a user’s control, or causes it to communicate with another computer.  Consider, for example, how that might apply to software that is licensed for a specific term that automatically stops working at the end, or allows the vendor to cripple it for non-payment.

Software vendors may have to amend their EULAs to comply.  And some circumstances will require specific permission with full disclosure before the change can be made, regardless of the contents of a EULA.  So software vendors will have to think through how their software works, how the Act might come into play, and what permissions are required.

Another thought for software vendors is whether changing from a traditional installed software model to a hosted SaaS or cloud model will avoid some of these issues.

Stay tuned for more as the regulations are drafted and we come to grips with the ramifications.  There will no doubt be a lot written about this over the next few months, as well as educational opportunities.
