For the London Free Press – November 7, 2011 – Read this on Canoe

The Canadian government recently introduced Bill C-12 (the Safeguarding Canadians’ Personal Information Act) that contains amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The PIPEDA privacy legislation charted new territory when it was enacted a few years ago. Most of these amendments are a result of things learned since then, and have been contemplated for some time.

For example, the new bill amends the “business card exemption” to make it clear that one’s business e-mail address is not personal information.

It was a glaring error when a person’s business telephone number and physical address was deemed not to be personal information, but their business e-mail address was considered personal information.

Provisions are included to govern privacy issues when personal information is transferred during corporate mergers and acquisitions. That includes things such as customer information. This was another glaring error that needed to be corrected.

One of the controversial sections of PIPEDA was the ability (but not the obligation) to provide personal information to government authorities if they provide the custodian of the information with proof of its “lawful authority.”

The meaning of “lawful authority” has been debated over the years. Out of an abundance of caution, many organizations simply required a subpoena or court order before they would turn personal information over to police.

The proposed amendments contain a provision saying that lawful authority means something other than a subpoena or court order. But this addition is not helpful in describing what lawful authority is.

The amendments contain lengthy provisions that will, for the first time, require disclosure of privacy breaches. When enacted, these provisions will require certain breaches to be reported to either the privacy commissioner, to individuals who may be affected, or both.

Not all privacy breaches must be disclosed. The amendments list various factors to determine whether a breach is material and thus must be disclosed to the commissioner.

Factors include the sensitivity of the personal information, the number of individuals affected, and whether the breach indicates there is a systemic problem.

The test to determine whether a breach must be disclosed to individuals is slightly different, being whether “the breach creates a real risk of significant harm to the individual.”

The tests to determine when the thresholds have been reached to require disclosure to the commissioner or the public are somewhat subjective. No doubt the privacy commissioner will interpret the thresholds to be lower than some entities facing a breach would interpret it.

It will be interesting to see how the breach disclosure sections work in practice. Some entities have been very forthright about disclosing privacy breaches. They may consider it the right thing to do, or fear the headline risk if the fact there was a breach is disclosed by another source.

Of course, we may not know how many privacy breaches have not been disclosed that these sections will now require to be disclosed.

For the London Free Press – October 24, 2011 – Read this on Canoe

Are Browse-wrap agreements binding?

Most web sites contain a link at the bottom of the page to “terms of use”. But are they binding on those who use the website? A recent Canadian case says they are.

Despite the prevalence of terms of use linked to the bottom of web pages, Canadian courts have not spent much time discussing whether they are binding the same way that “click-wrap” agreements are.

The Ontario Superior Court decision in Century 21 Canada Limited Partnership versus Rogers Communications Inc. shed some light on this issue. The case discussed the evolution of agreements as software sales have shifted from boxed software purchases to online.

“Shrink wrap” agreements are contracts that are entered into by the purchaser when they tear open the shrink wrap of a software purchase. Implicit in the opening of the packaging is the idea that the user is agreeing to be bound by the terms of use.

“Click wrap” agreements are when users are required to indicate their agreement by clicking on an “I Agree” box. Implicit in the “click” is the idea that the user is agreeing to be bound by the terms of use.

A “browse wrap” agreement does not require the user to click an “I Agree” box, instead the mere use of the website on which it appears may lead to a finding that the user is bound by the terms of use.

Click wrap agreements are binding in Canada pursuant to case law and legislation. The difficulty in “browse wrap” agreements is that the user may not realize a website contains terms of use, and even if the user is aware of the terms of use, the user may not agree to be bound.

But being bound by agreements one has not read is not a new concept. There are a series of ticket cases where fine print on the back of a ticket or document were held to be binding, provided that it is brought to the person’s attention. It doesn’t matter if the person actually read it, provided they could have easily read it if they wanted to.

Zoocasa, a subsidiary of Rogers Communications Inc., was “scraping” online real estate listings from Century 21′s website and reposting them on its own site with additional information. Zoocasa admits it had knowledge of Century 21′s terms of use, which included a term prohibiting scraping. The court found Zoocasa’s access and use of the website following actual notice of the terms of use constituted acceptance of the terms of use. Part of the court’s decision turned on the fact that Zoocasa is a sophisticated business entity and is therefore familiar with the concept of terms of use within a website.

The court did not have to determine if Zoocasa had clear notice of the terms of use because this fact was admitted.

Given that it is common practice for websites to have links to terms of use at the bottom of its pages, it would be logical to assume that would be sufficient to constitute notice.

For the London Free Press – October 3, 2011

Read this on Canoe

ONLINE: ONTARIO SUPERIOR COURT DECISION DOES NOT MEAN YOU CAN SAY WHATEVER YOU WANT WITH IMPUNITY

The Ontario Superior Court recently decided that a blog comment must pass a higher threshold before it’s considered defamatory than statements made in other places.

Defamation is the communication to third parties of a false statement that tends to injure the reputation of an individual. Slander is oral defamation. Libel is written defamation.

The reasoning in the case of Baglow v. Smith includes the thought that an ongoing blogging thread is akin to a debate. The person who felt wronged by a comment has an opportunity to reply to set the record straight and lessen the impact on his reputation of the original statement.

That makes sense if the two parties were already both involved in the online banter. But might be less applicable if the aggrieved party had not been involved in the debate prior to the comment.

Another thought was that given the nature of the online forum, readers would be less likely to interpret comments such as in this case — which suggested the person was a Taliban supporter — as being intended to be factual.

It probably didn’t help the complainant’s case that he had made some derogatory comments of his own in the comment thread. To determine if a statement is defamatory, it must be looked at in the context of the conversation or publication as a whole, and not as an isolated statement.

But this decision doesn’t mean the Internet is a defamation- free zone and that one can say whatever one wants with impunity. It just means the analysis as to whether particular comments on the Internet amount to defamation considers the nature of the medium. That makes sense, as defamation is about what the public thinks as a result of the comment.

Earlier defamation decisions about material posted on the Internet have awarded higher damage awards than if it had been published on paper. The rationale is there is a broader distribution of the comment.

So we could be in the position where a defamatory comment in an article on the Internet or in a blog post or on some form of social media might have a risk of a higher damage award — but the threshold for being considered defamatory in the first place is higher. In other words, more potential damages, but less risk of being found defamatory in the first place.

And the risk of a comment being considered defamatory might be less if discussion ensues, especially if the aggrieved party is involved in the discussions.

The bottom line — if someone makes a comment online about you that you think might affect your reputation, you should think carefully about what to do about it.

On the one hand, it might not attract enough attention to do any real harm, and the wrong reaction might just bring more attention to it. On the other hand, its online nature gives the opportunity for a measured, rational reply to set the record straight.

For the London Free Press – September 19, 2011 – Read this on Canoe

Whether a domain name (such as www.harrisonpensa.com) is property that one owns — or just “a bundle of rights” — has been the subject of legal debate. The Ontario Court of Appeal recently said it is property.

The domain-name-as-property position makes sense in a world where, for example, in the early 2000s, wallstreet.com sold for more than $1 million and wine.com for more than $3 million.

Domain names are registered on a first-come, first-serve basis. The individual or company that registers the name receives the exclusive right to use the name, for which it pays a fee of a few dollars per year.

Registrars accredited by the Internet Corporation for Assigned Names and Numbers act as overlord, allowing domain registrants to use the domain name subject to any restrictions they may impose.

If a domain name is a licence, clauses may be included in a service agreement that might, for example, impose restrictions on assignment. If a domain name is property, such restrictions may be hard to uphold. If a domain name is property, a registrant will have rights relating to the domain name which include the right to use, convey, develop, exclude, bequeath, profit from, assign and dispose of, with or without consideration.

A licence is a special permission to do something on, or with somebody else’s property which, were it not for the licence, could be legally prevented or give rise to legal action.

Conversely, property is the right to control how and by whom a particular thing may be used. If a domain name is a licence, registrants are at the mercy of the registrar to determine how the domain name will be used. If a domain name is property, the registrants are free to use the domain name in any manner they like and cannot be legally prevented from doing so by the registrar.

In the recent Ontario Court of Appeal decision, Tucows.Com Co v. Lojas Renner S.A. (2009), the court settled the licence/property debate, at least in Ontario.

Tucows.Com Co. (“Tucows”) is the registrant of more than 30,000 domain names. Lojas Renner (“Renner”) is a Brazilian subsidiary of JC Penny and has registered the trademark Renner in Brazil and other states. Renner made a complaint to the Internet Corporation for Assigned Names and Numbers regarding Tucows’ registration of the domain name “Renner.” In response, Tucows initiated its own action in Ontario for ownership of the domain name.

The Ontario Court of Appeal examined the traditional common-law attributes of property, specifically whether there exists “a collection of rights over things that can be enforced against others.” The court found the rights associated with a domain name include those rights.

As a result, the Ontario Court of Appeal found the domain name, as a business asset of Tucows, was intangible property.

This decision won’t have dramatic impact on the day-to-day use of domain names, but helps clarify their legal status for many issues ranging from ownership disputes to the right to bequeath them to heirs.

For the London Free Press – August 22, 2011 - Read this on Canoe

The increasing use of e-signatures raises several questions about their suitability for legal documents

Adobe recently announced the acquisition of EchoSign, a web-based provider of electronic signatures and signature automation. If ink was used to finalize the deal, it had not even dried yet when RPost, a self-proclaimed pioneer of e-signatures, launched a lawsuit against Adobe and EchoSign for patent infringement.

News coverage of the lawsuit described how millions of individuals and businesses worldwide have been using this technology to remotely automate the entire signature process with the click of a button. This is all fine in theory, but, when parties to a contract are relying on it, will an e-signature hold up in court?

According to the Ontario Electronic Commerce Act (ECA), a legal requirement that a document be signed (with a very few exceptions, such as wills, powers of attorney for individuals, documents for land transfer, and negotiable instruments) is satisfied by an electronic signature. The question then is: what is required to meet the definition of a legally binding e-signature?

The act defines “electronic signature” as “electronic information that a person creates or adopts in order to sign a document and that is in, attached to or associated with the document.”

Similarly, the Personal Information Protection and Electronic Documents Act (PIPEDA) defines “electronic signature” as “a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document.”

Although it’s possible to digitize handwriting so that it’s displayed as an image, an electronic signature doesn’t need to look like a handwritten signature or even contain the letters of the signatory’s name, as long as it’s “associated with” the document.

There are two basic legal requirements concerning the reliability of an e-signature that must be satisfied. It must be reliable to identify the person, and to associate the e-signature with the relevant electronic document.

So how do services such as EchoSign do that? Essentially, you load the document to be signed on to the EchoSign service, along with the email address of the person who is to sign it. The person identifies themself by logging in to an existing social media account, and clicks to sign the document. The service returns the document, along with details about the signature, including the date, the email account used by the signatory who created the document, where it was sent, who viewed it, how the signatory’s signature was verified, and to whom and when the signed document was returned.

If, for example, the signatory identified themselves with their Twitter account, it includes their Twitter identity and the image they use for their account.

While we may be used to actual handwritten signatures, one has to ask whether this type of process might be more reliable, and less prone to fraud than the traditional method, particularly where the parties are not together when it’s signed.

For the London Free Press – August 8, 2011 – Read this on Canoe

The Internet Corporation for Assigned Names and Numbers (ICANN) recently approved a new program for registering generic top-level domain names (gTLDs). The door has opened to allow for almost anything.

The current most commonly recognized TLD is .com, followed by .org.

By 2013, Internet users can expect to see an influx of new internet domain extensions, such as .bank, or ones using major brand names.

The new program will open up the Internet domain market for businesses, organizations and individuals who wish to distinguish themselves or their products in the virtual world by having a personalized domain extension. ICANN anticipates many of the new domain extensions will be registered by cities and other geographic locations, by corporations and by special interest groups.

Those who wish to register a gTLD must submit an application to ICANN and pay a $185,000 application fee. ICANN will begin accepting applications between Jan. 12, 2012 and April 12, 2012. After the application deadline, ICANN will review each application and assess whether the proposed domain extension will be appropriate.

ICANN has introduced a list of conditions and qualifications that must be met by gTLD applicants to ensure they have sufficient financial, technical and operational capabilities to administrate and maintain their gTLD. For example, applicants are first required to undergo background screening of their general business diligence and criminal history to validate the legitimacy of their application and prevent cyber-fraud.

If an applicant passes the background screening, it will be subject to several assessments and evaluations to determine whether their proposed gTLD is feasible. This includes a review to determine whether it will create user confusion or too closely resembles another gTLD. There is a process to determine which applicant will prevail if there are multiple applicants for the same gTLD.

Administrating a gTLD involves a huge commitment and the responsibility to ensure security, ease of access and uninterrupted use. Unlike registering a website domain, such as google.com,a gTLD can accommodate thousands of different websites with the same domain extension.

ICANN’s decision to expand the gTLD registry presents some potential challenges and concerns that must be addressed. For example, gTLDs are border-less but the entities that own the rights to administer a gTLD are confined to the country in which they reside.

A Canadian entity might, for example, acquire the right to administer the domain extension . bank and restrict its use to legitimate banks. However, other countries with different laws about what constitutes a bank may also wish to use the . bank domain extension. Such a situation may give rise to conflicts and liabilities if not adequately prepared for in advance.

The expansion of the gTLD will certainly make the Internet a more interesting place to explore as businesses and individuals seek to distinguish themselves and their products or services online. More information about the ICAN gTLD application process is in its Applicant Guidebook on its website at icann.org.

For the London Free Press – July 18, 2011 – Read this on Canoe

The Canadian privacy commissioner, in her 2010 annual report to Parliament, commented on what she believes to be the future of privacy law in Canada.

Jennifer Stoddart mentions three things that need to happen for Canadians to secure a future that is private. They are enforcing privacy laws and ensuring they remain modern and relevant, increasing co-operation between privacy authorities and ensuring that privacy literacy matches our online literacy.

With respect to modern legislation, the privacy commissioner posed the following question: “laws designed for a bricks-and-mortar world up to the task of protecting privacy in the online context?”

The privacy commissioner views it as crucial to the future of Canadians that privacy laws are constantly updated to meet current and future challenges. The drafters of the Personal Information Protection and Electronic Documents (PIPEDa) – which is the cornerstone of Canadian privacy law – created the legislation in a way that mandated a review of the act by Parliament every five years. The first review occurred in 2006. The next review is scheduled to begin in 2011.

Perhaps the most interesting recommendation arising from the report is not something from the commissioner herself, but rather from two legal scholars involved in the preparation of the latest PIPEDa review.

The scholars – Sossin, dean of Hall law school, and Prof. France Houle of the of Montreal – recommended the office of the privacy commissioner should acquire limited power to make orders, including the ability to impose penalties such as fines. They also proposed explicit guideline-making power to assist with the fair and transparent implementation of new order-making powers. This controversial suggestion would significantly increase the power and authority of the privacy commissioner and will no doubt be the subject of debate during the 2011 review.

The increased popularity of the commissioner over the years is remarkable.

The commissioner opened a second office in 2010 in Toronto. The office is targeted at the business, industrial and academic sector located in the GTa. The office of the privacy commissioner determined that almost 44.5% of respondent organizations were located in Toronto or in the GTA.

The privacy commissioner’s office received 200 requests to present speeches and attended and delivered 150 speeches and presentations in 2010. The commissioner also received more than 250 media requests; launched a blog, youth website and youth blog; sent out 700 tweets and attracted almost 2,000 followers on Twitter.

It is ironic to note the privacy commissioner uses various types of social media – such as Facebook and Twitter – to warn Canadians of the privacy dangers of using social media.

Even in the digital age, the paper publications of the privacy commissioner have remained quite popular. The office distributed almost 15,500 publications in 2010 – including pamphlets, guidance documents, fact sheets, guides for businesses and individuals and annual reports.

For the London Free Press -  July 4, 2011 – Read this on Canoe

You have designed the perfect logo for your business. Before investing more time and money in using and promoting your new logo, you want to make sure you have the right to use this trademark for a long time and you’re not infringing someone else’s existing trademark.

You start by doing a search of existing registered trademarks in the database of trademark registrations on the Canadian Intellectual Property Office (CIPO) website.

The search doesn’t turn up any similar marks relating to the wares and services you provide, so you file a trademark application. A few months later a CIPO examiner approves your application. CIPO then publishes your application in the Trademarks Journal to allow the public an opportunity to oppose it.

Two months pass without a challenge to your application and the trademark is successfully registered.

You are now the first person to register that trademark in Canada for your wares and services. You now have exclusive Canada-wide rights to use this logo for the next 15 years. Or do you?

In a recent decision from the Supreme Court of Canada, the registered trademarks of a retirement company in Ottawa were invalidated because of the likelihood of confusion with similar unregistered trademarks of a company in Calgary that had used them before the Ottawa company.

The Trademarks Act prohibits the registration of a trademark that is confusing with a trademark previously used in Canada, regardless of whether that trademark has been registered.

However, some people thought the test for confusion took into account the geographic region of the operations associated with the trademark. For example, if a Calgary-based retirement residence did not operate in Ontario, its trademarks would not be considered confusing with trademarks of a retirement residence in Ottawa.

The Supreme Court in Masterpiece v Alvida determined the Trademarks Act affords Canada-wide rights even if a trademark is only used locally.

The test is based on the assumption both trademarks under consideration are used in the same area. It was irrelevant the operations of the companies were in different provinces.

The companies had similar trademarks in the same industry, so the trademarks were deemed confusing. Since the unregistered trademark was used prior to registration and use of the registered mark, the registration was expunged.

This demonstrates importance of conducting searches for unregistered trademarks before filing a trademark application. It may be difficult to locate every potentially confusing unregistered trademark throughout Canada, but search services are available that perform reasonably comprehensive searches.

The case also demonstrates the usefulness of registering trademarks as early as possible. In this case, if the Calgary company had registered its marks when it first used them, it would have prevented the Ottawa company from registering its mark, thus avoiding a costly and time-consuming court battle.

For the London Free Press – June 20, 2011 – Read this on Canoe

The Ontario Privacy Commissioner’s recently released annual report talks about protecting personal information on mobile devices and the privacy by design concept for the creation of new technology.

An enormous amount of private information is processed, transferred and stored via handheld devices and portable media. Personal cellphones, PDAs, iPads, USB thumb-drives, MP3 players and laptop computers each have the potential to make personal and work-related tasks more efficient and convenient.

A USB flash drive or laptop allows the busy person to work from home. Instead of lugging around boxes of paper, portable media allows the busy person to transport and access the information on the go. Instead of trying to remember intricate details about events or appointments, hand-held devices create a virtual memory warehouse that can be accessed with the flick of a finger.

Despite the benefits of hand-held devices, they have the potential to create immense difficulties when they are misplaced, stolen or sold in a used condition. The transfer of a hand-held device from one person to another, by whatever method, includes the transfer of information unless the information is deleted beforehand. Serious problems and legal liabilities occur when unsecured private or confidential information can be accessed by outsiders. There have been many instances where hard drives and USB sticks containing personal information have gone missing.

Commissioner Ann Cavoukian states, “personal health information must never be stored on mobile devices such as laptops, PDAs and USB keys, unless it is absolutely necessary. And when it is, the data must be encrypted — Full Stop.”

The commissioner provided an update on her “privacy by design” initiative. The privacy by design initiative is focused on embedding privacy safeguards into new technologies at the earliest stages of development. The idea is it is far easier and more effective to design devices, software and services with privacy in mind from the ground up, than to add it on later.

For example, the Ontario Lottery and Gaming Commission recently adopted the privacy by design initiative in facial recognition technology that identifies problem gamblers at various gaming sites. The facial recognition software was embedded with privacy safeguards so that data about non-problem gamblers will never be permanently stored. And data about problem gamblers cannot be accessed unless the problem gambler appears and is visually identified in person at a gambling site.

Another example where the concept was used was Ontario’s smart grid that has the potential to erode privacy from the collection of detailed household electricity consumption information.

The privacy by design philosophy is a laudable one, and ought to result in more privacy-friendly products. But that does not detract from the responsibility we have to ensure that we understand and exercise our own privacy options. Nor does it detract from the obligations of those in possession of our personal information to take adequate steps to protect it.

The Commissioner’s report is available at www.ipc.on.ca.

For the London Free Press – May 30, 2011 - Read this on Canoe

The recent Ontario Court of Appeal decision in R v. Cole establishes that employees have a reasonable expectation of privacy in the personal use and contents of their work-provided laptop computers.

The case involved a Sudbury high school teacher whose work-provided laptop was investigated by a school board computer technician after a higher than normal amount of network use was noticed. The technician accessed the content on the teacher’s laptop through the school server and found sexually explicit images of a student on the hard drive. The school obtained the laptop and turned it and two discs over to the police who searched both without a warrant and charged the teacher with possession of child pornography and unauthorized use of a computer.

The Court of Appeal ruled that the teacher had a reasonable expectation of privacy in the personal use of his work laptop and in the contents of his personal files on the hard drive. Even though the laptop was owned by the school board and issued for work purposes, the court found that a reasonable expectation of privacy existed.

The Court of Appeal ordered a new trial and that certain of the evidence obtained without a warrant could not be used.

While this decision is regarded by some as a game changer for employee privacy rights, its real impact may be limited by two significant factors. First, the court’s finding of a reasonable expectation of privacy was based on specific facts which may not be typical of all workplace situations. In Cole, the teachers were provided with laptops for use in teaching but they were also explicitly allowed to use the laptops for personal use.

Second, the impact of the decision is tempered by a finding that the teacher did not have an expectation of privacy with respect to access to his hard drive by the school board’s computer technician for the limited purposes of maintaining the technical integrity of the school’s information network and the laptop.

While some commentators are heralding this decision as a significant change in the law, it really doesn’t stray far from conventional wisdom. It may, however, make employers more cautious in how they treat their employees’ personal use of work technology. For those employers who have not implemented a comprehensive technology use policy, this decision should be the impetus for them to do so.