That’s the title of my Slaw post for today.  It reads as follows.

The Canadian government introduced two important new bills yesterday. Bill C-29 amends PIPEDA – I’ll leave commentary on that to David Fraser.

Bill C-28 is the “Fighting Internet and Wireless Spam Act” or FISA.  It is essentially the same as the “Electronic Commerce Protection Act” that was proposed previously. Here is Industry Canada’s news release, and the bill itself.

It targets the sending of what we would typically call spam, or unwanted commercial email, as well as spyware and phishing.

From the news release:

The proposed FISA is intended to deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help drive spammers out of Canada.

The proposed FISA legislation provides a comprehensive regulatory regime that uses economic disincentives to protect electronic commerce and is modelled on international best practices. To enforce the legislation, the bill would use the expertise, and expand the mandates, of the three enforcement agencies: the Canadian Radio-television and Telecommunications Commission, Competition Bureau Canada and the Office of the Privacy Commissioner of Canada.

Industry Canada will act as a national coordinating body to increase consumer and business awareness and education, to further coordinate work with the private sector and to conduct research and intelligence gathering.

The bill is quite long and detailed. Monetary penalties are significant ($1 million for individuals, $10 million for businesses). A private right of action will allow anyone to take civil action against violators.

The bill essentially defines spam as a commercial message sent via email, IM, phone, or similar method. Sending spam is prohibited unless the recipient has consented, and the message contains certain prescribed information identifying the sender and how to unsubscribe.

That definition is extremely broad, and would capture things no one would consider spam  – so it goes on to describe several exceptions, such as providing requested information, or warranty or product recall information, or where there is a specifically defined “existing business relationship”.

One thing I find interesting is that the volume of the messages does not seem to be important. In other words, 1 email or text message to 1 recipient can be considered spam.

One of the exceptions is a message “that is sent by or on behalf of an individual to another individual with whom they have a personal or family relationship, as defined in the regulations. “

The bill clearly applies to what we all call spam. Hopefully it will be an effective tool to help reduce spam that comes from Canada.

We can’t, though, simply think that the bill only applies to spamers, and that we don’t have to pay attention to it. 

We will have to consider carefully how it applies to what we as lawyers and our clients do that will be caught by this. To some extent, the regulations will be important. For example, will a “personal relationship” include a situation where I meet someone at a social or networking event or meeting who might be a potential client, and then follow up later with an email to that person?

When the bill gets passed (from what I’ve seen there is a good chance it will be), and the regulations get drafted, we will have to take some time to figure out in more detail how this affects things that well intentioned businesses (and lawyers) do that they don’t consider to be spam.

That’s the title of my Slaw post for today.   It reads as follows:

Tom Jenkins of Open Text spoke at the London TechAlliance “Gearing Up For Growth” conference yesterday about digital media in Canada.    He likened the current position of traditional media (TV, newspapers) to town criers at the advent of the printing press.  Here’s one of his slides.

Many are predicting the end of the newspaper.  Newspapers are struggling trying to find a business model they can use in the digital world.   It’s not uncommon for newspapers to try to erect paywalls, which require a paid subscription or a pay per view to read their content.

But that’s not going to work.  Its just too easy to get similar content elsewhere.

For example, a few days ago I saw a link to a Wall Street Journal article about the U.K. police request that Internet cafes monitor customer use and alert police to unusual activity.  The WSJ required payment to read any more than the first paragraph.

My response?  I googled the headline, and within seconds was reading essentially the same article elsewhere.

Makes one wonder how this will affect legal services.  What will people do themselves for free that lawyers traditionally charge for?

For the London Free Press – March 29, 2010

Read this on Canoe

Three Google executives were convicted of data privacy violations over a video they neither created nor posted.

The international legal community was shocked when four Google executives had criminal charges filed against them in Italy a few years ago. The alleged crime was allowing a video to be posted on Google Video (the precursor to Google acquiring YouTube), which featured kids bullying a boy with Down syndrome.

That shock recently turned to outrage as three of the Google executives were convicted on data privacy violations. Peter Fleischer, David Drummond and George De Los Reyes were acquitted of defamation charges but were given six months suspended jail sentences for the privacy violations. Google product manager Arvind Desikan was acquitted on all charges.

This decision has been highly criticized as it calls into question who ultimately ought to be held accountable for Internet content.

The former information commissioner of the United Kingdom, Richard Thomas, said this case gives privacy laws a “bad name” and that the outcome of the case was “ridiculous.”

David Drummond, one of the convicted executives and chief legal officer at Google, has said he will appeal the decision.

Shortly after Google became aware of the video, the video was taken off the site. The teens from Turin, Italy, who were responsible for creating and posting the video were prosecuted and the video was used as evidence in their criminal proceedings.

Prosecutors in the Google executives’ case claimed Google had “notice” of the video before the police brought it to their attention. The notice was purportedly in the form of comments that had been posted on the website in relation to the video.

Italian prosecutors are pursuing other similar cases against such other huge Internet magnates as eBay, Yahoo, and Facebook.

While the law in Italy has been strictly applied in the Google case, it is still somewhat unclear whether EU law allows for directors of companies to be held personally responsible for what is posted on their websites. Italian laws must comply with EU law.

It does not make sense to have liability for Google on facts such as these, and certainly not findings of personal liability for executives. The company merely provided the forum for the data to be shared – it did not create or share it themselves. And it removed the video once aware of it.

The focus should be on whomever created or posted the video.

The ramifications of this decision are far-reaching. If directors of international companies can be held personally responsible for every last item posted on their websites, this could create a climate of censorship preventing any possibly controversial posts. It is simply impossible to abide by that standard, and impossible for any business to actively monitor or review every post before it goes live.

In addition to taking a critical look at public policy behind Italian privacy laws, EU privacy laws ought to be clarified to explain what constitutes official “notice.” Surely video comments, which would number in the hundreds of thousands a day worldwide, cannot qualify.

For the London Free Press – March 15, 2010

Read this on Canoe

Canada’s privacy commissioner calls for modernized laws to address evolution of cyberspace

Last month, Canada’s privacy commissioner, Jennifer Stoddart, gave an address titled “The Future of Privacy Regulation” at the 11th annual Privacy and Security Conference in Victoria.

Describing herself as the “village elder” in the privacy community, her speech detailed many of the changes that have occurred in cyberspace over the last decade.

The advent of Facebook, Twitter, Flickr, YouTube, Google Street View, and iPods all occurred during the last seven years of her tenure.

She also identified “real-time globalization” and “instantaneous worldwide flow of data” as changing the terrain of privacy regulation.

These developments have resulted in significant challenges for administering th e regulations that protect the privacy of Canadians’ personal information.

“In light of these colossal changes over the past decade alone, it would be foolish to try to predict what the next decade will hold,” she said.

“But what we can say for certain is that the regulatory framework we have in place now for the protection of privacy and personal information is being sorely tested.

“We have bent and stretched it in many different ways,” she added. “And if we don’t want it to snap, we need to figure out how to fortify it for the decade ahead.”

Stoddart recognized that the Privacy Act, which governs the federal public sector, and the Personal Information and Electronic Documents Act, which governs the private sector, need to be modernized so we are properly equipped to meet future changes.

Stoddart noted the technology we now use has created a previously unheard-of market for businesses following consumer behaviour. This creates difficulties for regulators in terms of what information the average consumer knowingly consents to share.

The challenge of new technology is compounded by the increasingly global scope of data flows across borderless virtual communities. When our personal information ends up in countries lacking strong privacy regulation, Canadians may not have the privacy rights they enjoy in Canada.

Despite the challenges, Stoddart said Canada’s business community works closely with privacy regulators to ensure they comply with the rules.

Canada is also seeking to work more closely with other countries to create common rules and standards and to ensure uniform enforcement.

Efforts underway include the Spanish Initiative, a draft international privacy standard put forward by an international working group and endorsed in Madrid, which Stoddart calls a “valuable first step towards a harmonized approach to data protection.”

The Asia-Pacific Economic Co-operation (APEC) group as been working to protect information flowing into Asian countries. APEC is developing cross-border privacy rules to govern international information flow and facilitate co-operation between national authorities.

While acknowledging that “a single, enforceable global standard for privacy won’t materialize overnight — if ever,” Stoddart stressed that Canada must continue to actively pursue standardized regulations to protect Canadians’ privacy rights.

For the London Free Press – March 1, 2010

Read this on Canoe

Companies have been sent a clear message — deal with complaints because dispute resolution is too impractical to pursue.

A recent Ontario Court of Appeal ruling confirms an evolving trend to protecting consumers from enforcement of mandatory arbitration clauses in consumer agreements.

The plaintiff in Griffin v. Dell Canada alleged Dell had sold computers with latent defects that made them prone to overheating, power failure, inability to “boot up” and unexpected shutdowns.

Griffin sought certification of the case as a class action. In reply, Dell moved to stay the proceeding in favour of private individual arbitration under the mandatory arbitration clause in each consumer contract. The arbitration clause directed that complaints must be taken to the (now defunct) National Arbitration Forum in Minnesota.

Dell relied on sec. 7(1) of the Ontario Arbitration Act, which requires the court to stay a proceeding where there is a valid mandatory arbitration clause.

A lower court had dismissed Dell’s motion and conditionally certified the case as a class action. The appeal court dismissed Dell’s appeals and refused to stay the class proceeding.

The appeal court relied on provisions of the Consumer Protection Act that invalidate mandatory arbitration clauses in consumer contracts. These provisions took effect in 2005, after the consumer contracts with Dell were entered into. But the court chose to rely on them because damages did not arise until after the provisions took effect.

Interestingly, the court also ensured the rights of non-consumers within the class were protected. The Consumer Protection Act restricts the definition of a “consumer” to an individual who “acts for personal, family or household purposes and does not include a person who is acting for business purposes”. But the court found it unreasonable to separate the claims of consumers and non-consumers.

In applying the consumer protection law, the appeal court made a point of noting that Dell’s mandatory arbitration clauses were simply unfair to Canadian consumers.

Writing for the court, Justice Robert Sharpe said: “In my view, it is clear beyond any serious doubt on this record that staying any claims advanced in the action will not result in any of the stayed claims being arbitrated. I agree with the motion judge that there is a lack of reality to Dell’s argument that the claim should proceed by way of arbitration. There will be no arbitration. The choice is not between arbitration and class proceeding; the real choice is between clothing Dell with immunity from liability for defective goods sold to non-consumers and giving those purchasers the same day in court afforded to consumers by way of the class proceeding.”

The appeal court has sent a clear message that consumer rights must be taken seriously. Large corporations will now have more difficulty avoiding responsibility for addressing consumer complaints by making dispute resolution too impractical to pursue.

That’s the title of my Slaw post for today.  It reads as follows:

The annual Ted conference always has thought provoking presentations.   One of the presentations this year was entitled “Four ways to fix a broken legal system“.   Its worth taking the 19 minutes to watch.

The basic proposition of the presenter, Philip K. Howard, is that the legal system has become so complex that it instills fear to act.  People become so self-conscious of  their judgments that it skews behaviour towards failure. 

We should not just dismiss this as being unique to the American legal system.  The Canadian system may not be as extreme in this regard – but many of his issues are still relevant.

Technology advances have often challenged existing laws – which can get in the way of progress, or be inadequate to address new issues.

A book has just been published (which I have not read) entitled The Laws of Disruption that   ”explores, ten years into the Internet revolution, what has happened to social, political, and legal systems that now lag dangerously far behind.”

Laws have always lagged behind technology advances – that’s just a natural result.  But technology advances are happened much faster than ever before.   See, for example, the stats in this popular Socialnomics video.

Consider issues that arise from such things as pervasive public surveillance, Google street, access to huge amounts of information on anything and anyone, communication tools like twitter, skype, and Google voice, cloud computing, cheap terabyte drives, mobile computing, crowdsourcing, music and video sharing.   These advances, and others, challenge not only laws (such as privacy, ownership, copyright) – but business models (such as how to make money selling music when it is no longer a scarce commodity), how we govern ourselves, how we interact with each other (consider what being a “friend” now means), how we learn, and who we trust.

The challenge is to keep the current rules (legal and other) in mind when dealing with anything new – but at the same time not being blindly tied to those rules so tightly that we fail to understand the implications and issues in the context of what is different.   As I’ve commented before, precedent is context, not an operating manual.

This is a short article that Tim Hogan, a colleague of mine, wrote to explain the new Ontario ban on the use of cell phones while driving.  It explains the details, the exceptions, and points out that there is the potential for employer liability if its employees don’t comply.

That’s my Slaw post for today.   It reads as follows:

I was reading my usual RSS feeds this morning, partly to see if I could find some inspiration for my Slaw post for today, and found the following post on Techdirt. I couldn’t agree more – and since this is one of those “like he said” posts that I can’t really improve on – I’ve simply reproduced it below. I know the author, Mike Masnick, won’t mind so long as I don’t take credit for writing it.

The Rule Of Law Over The Rule Of Reason

from the stop-the-insanity dept

While not directly a tech/business related story, Jonny sent in this rather disturbing story of a grandmother arrested in Indiana for buying two whole boxes of cold medicine in less than a week. As you’re probably aware, most states have greatly limited the ability to buy cold medicine that contains pseudoephedrine, the ingredient that makes most cold medicines effective — but also a key ingredient used in making meth. So, rather than deal with the growing meth problem head on, many politicians sought to annoy pretty much anyone with a serious cold by making it quite difficult to get any drug that actually contains useful medicine.

Apparently, the Indiana law forbids buying more than 3.0 grams of the stuff in a single week, and the two boxes of cold medicine exceeded that amount. The end result? Police show up at the woman’s house and arrest her — and then keep defending the arrest, citing meth abuse, even as everyone admits that this woman was not making meth:

         “I feel for her, but if she could go to one of the area hospitals and see a baby born to a meth-addicted mother …”

It’s difficult to see what that has to do with anything considering that everyone knows this woman had no intention of making meth. The whole thing is ridiculous, but is symptomatic of a problem that we’re seeing all too often, where the focus is on enforcing poorly thought out laws, to ridiculous consequences, with no attempt to ever look at the negative consequences and seeing if the original law made any sense in the first place.

We’ve discussed this in the past with regards to other laws as well. In business, if you plan a new initiative, you have metrics and you check to see if you accomplish them, and you monitor negative effects of what you do as well. So why don’t politicians ever do this? When they pass a law to ban spam, increase copyright duration or take away privacy for some reason or another, why are politicians never asked to put in place benchmarks to see if the laws actually do what they promise? Why aren’t there any plans for a change or a removal of the law if it turns out to do more harm than good? Certainly, by this point in time, there’s a better process to creating regulations than simply saying what they’re intended to do without ever bothering to check to see if those goals are achieved?

I’ve written before about how the notion that “there ought to be a law against that” can lead to ineffective laws with unintended consequences.  The same can happen in the courts when it is perceived that someone has done something wrong – but it doesn’t fit neatly into the charges.

That appears to be what happened in the Lori Drew conviction.  That’s the tragic case where a teenage girl committed suicide after an online ”friend” turned on her.  But the “friend” was really an adult perpetrating a hoax.

Drew was convicted of criminal charges for her actions, but it has been pointed out that she was essentially convicted because her actions were inconsistent with the terms of use of her mySpace account, ie she did not use here real name.

While I understand the desire to do something here – the conviction makes a bad precedent.  Its not unusual for people to use aliases online.  And making it a criminal offense to violate terms of service is scary.

Techdirt has some good postings on the topic - follow through the Techdirt links for more detail.  The latest post points to a post pointing out that the law as interpreted by the conviction would allow any site owner to make anyone they wanted be a criminal merely by the way the terms of use are drafted – such as saying you can’t use the site if your middle name is Ralph.