Teresa Scassa - Blog

A recent news story from the Ottawa area raises interesting questions about big data, smart cities, and citizen engagement. The CBC reported that Ottawa and Gatineau have contracted with Strava, a private sector company, to purchase data on cycling activity in their municipal boundaries. Strava makes a fitness app that can be downloaded for free onto a smart phone or other GPS-enabled device. The app uses the device’s GPS capabilities to gather data about the users’ routes travelled. Users then upload their data to Strava to view the data about their activities. Interested municipalities can contract with Strava Metro for aggregate de-identified data regarding users’ cycling patterns over a period of time (Ottawa and Gatineau have apparently contracted for 2 years’ worth of data). According to the news story, their goal is to use this data in planning for more bike-friendly cities.

On the face of it, this sounds like an interesting idea with a good objective in mind. And arguably, while the cities might create their own cycling apps to gather similar data, it might be cheaper in the end for them to contract for the Strava data rather than to design and then promote the use of their own apps. But before cities jump on board with such projects, there are a number of issues that need to be taken into account.

One of the most important issues, of course, is the quality of the data that will be provided to the city, and its suitability for planning purposes. The data sold to the city will only be gathered from those cyclists who carry GPS-enabled devices, and who use the Strava app. This raises the question of whether some cyclists – those, for example, who use bikes to get around to work, school or to run errands and who aren’t interested in fitness apps – will not be included in planning exercises aimed at determining where to add bike paths or bike lanes. Is the data more likely to come from spandex-wearing, affluent, hard-core recreational cyclists than from other members of the cycling community? The cycling advocacy group Citizens for Safe Cycling in Ottawa is encouraging the public to use the app to help the data-gathering exercise. Interestingly, this group acknowledges that the typical Strava user is not necessarily representative of the average Ottawa cyclist. This is in part why they are encouraging a broader public use of the app. They express the view that some data is better than no data. Nevertheless, it is fair to ask whether this is an appropriate data set to use in urban planning. What other data will be needed to correct for its incompleteness, and are there plans in place to gather this data? What will the city really know about who is using the app and who is not? The purchased data will be deidentified and aggregated. Will the city have any idea of the demographic it represents? Still on the issue of data quality, it should be noted that some Strava users make use of the app’s features to ride routes that create amusing map pictures (just Google “strava funny routes” to see some examples). How much of the city’s data will reflect this playful spirit rather than actual data about real riding routes is a question also worth asking.

Some ethical issues arise when planning data is gathered in this way. Obviously, the more people in Ottawa and Gatineau who use this app, the more data there will be. Does this mean that the cities have implicitly endorsed the use of one fitness app over another? Users of these apps necessarily enable tracking of their daily activities – should the city be encouraging this? While it is true that smart phones and apps of all variety are already harvesting tracking data for all sorts of known and unknown purposes, there may still be privacy implications for the user. Strava seems to have given good consideration to user privacy in its privacy policy, which is encouraging. Further, the only data sold to customers by Strava is deidentified and aggregated – this protects the privacy of app users in relation to Strava’s clients. Nevertheless, it would be interesting to know if the degree of user privacy protection provided was a factor for either city in choosing to use Strava’s services.

Another important issue – and this is a big one in the emerging smart cities context – relates to data ownership. Because the data is collected by Strava and then sold to the cities for use in their planning activities, it is not the cities’ own data. The CBC report makes it clear that the contract between Strava and its urban clients leaves ownership of the data in Strava’s hands. As a result, this data on cycling patterns in Ottawa cannot be made available as open data, nor can it be otherwise published or shared. It will also not be possible to obtain the data through an access to information request. This will surely reduce the transparency of planning decisions made in relation to cycling.

Smart cities and big data analytics are very hot right now, and we can expect to see all manner of public-private collaborations in the gathering and analysis of data about urban life. Much of this data may come from citizen-sensors as is the case with the Strava data. As citizens opt or are co-opted into providing the data that fuels analytics, there are many important legal, ethical and public policy questions which need to be asked.

 

The Federal Court has released a decision in a case that raises important issues about transparency and accountability under Canada’s private sector privacy legislation.

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs privacy with respect to the collection, use and disclosure of personal information by private sector organizations. Under PIPEDA, individuals have the right to access their personal information in the hands of private sector organizations. The right of access allows individuals to see what information organizations have collected about them. It is accompanied by a right to have incorrect information rectified. In our datified society, organizations make more and more decisions about individuals based upon often complex profiles built with personal information from a broad range of sources. The right of access allows individuals to see whether organizations have exceeded the limits of the law in collecting and retaining personal information; it also allows them the opportunity to correct errors that might adversely impact decision-making about them. Unfortunately, our datified society also makes organizations much more likely to insist that the data and algorithms used to make decisions or generate profiles, along with the profiles themselves, are all confidential business information and thus exempt from the right of access. This is precisely what is at issue in Bertucci v. Royal Bank of Canada.

The dispute in this case arose after the Bertuccis – a father and son who had banked with RBC for 35 and 20 years respectively, and who also held business accounts with the bank – were told by RBC that the bank would be closing their accounts. The reason given for the account closure was that the bank was no longer comfortable doing business with them. Shortly after this, the Bertuccis made a request, consistent with their right of access under PIPEDA, to be provided with all of their personal information in the hands of RBC, including information as to why their bank accounts were closed. RBC promptly denied the request, stating that it had already provided its reason for closing the accounts and asserting that it had a right under its customer contracts to unilaterally close accounts without notice. It also indicated that it had received no personal information from third parties about the Bertuccis and that all of the information that they sought was confidential commercial information.

RBC relied upon paragraph 9(3)(b) of PIPEDA, which essentially allows an organization to refuse to provide access to personal information where “to do so would reveal confidential commercial information”. On receiving RBC’s refusal to provide access, the Bertuccis complained to the Office of the Privacy Commissioner. The OPC investigated the complaint and ultimately sided with RBC, finding that it was justified in withholding the information. In reaching this conclusion, the OPC relied in part on an earlier Finding of the Privacy Commissioner which I have previously critiqued, precisely because of its potential implications for transparency and accountability in the evolving big data context.

In reaching its conclusion on the application of paragraph 9(3)(b) of PIPEDA, the OPC apparently accepted that the information at issue was confidential business information, noting that it was “treated as confidential by RBC, including information about the bank’s internal methods for assessing business-related risks.” (At para 10)

After having their complaint declared unfounded by the OPC, the applicants took the issue to the Federal Court. Justice Martineau framed the key question before the court in these terms: “Can RBC refuse to provide access to undisclosed personal information it has collected about the applicants on the grounds that its disclosure in this case would reveal confidential commercial information” (at para 16)

RBC’s position was that it was not required to justify why it might close an account. It argued that if it is forced to disclose personal information about a decision to close an account, then it is effectively stripped of its prerogative to not provide reasons. It also argued that any information that it relied upon in its risk assessment process would constitute confidential business information. This would be so even if the information were publicly available (as in the case of a newspaper article about the account holder). The fact that the newspaper article was relied upon in decision-making would be what constituted confidential information – providing access to that article would de facto disclose that information.

The argument put forward by RBC is similar to the one accepted by the OPC in its earlier (2002) decision which was relied upon by the bank and which I have previously criticized here. It is an argument that, if accepted, would bode very ill for the right of access to personal information in our big data environment. Information may be compiled from all manner of sources and used to create profiles that are relied upon in decision-making. To simply accept that information used in this way is confidential business information because it might reveal how the company reaches decisions slams shut the door on the right of access and renders corporate decision-making about individuals, based upon the vast stores of collected personal information, essentially non-transparent.

The Bertuccis argued that PIPEDA – which the courts have previously found to have a quasi-constitutional status in protecting individual privacy – makes the right of access to one’s personal information the rule. An exception to this rule would have to be construed narrowly. The applicants wanted to know what information led to the closure of their accounts and sought as well to exercise their right to have this information corrected if it was inaccurate. They were concerned that the maintenance on file of inaccurate information by RBC might continue to haunt them in the future. They also argued that RBC’s approach created a two-tiered system for access to personal information. Information that could be accessed by customers whose accounts were not terminated would suddenly become confidential information once those accounts were closed, simply because it was used in making that decision. They argued that the bank should not be allowed to use exceptions to the access requirement to shelter itself from embarrassment at having been found to have relied upon faulty or inadequate information.

Given how readily the OPC – the guardian of Canadians’ personal information in the hands of private sector organizations – accepted RBC’s characterization of this information as confidential, Justice Martineau’s decision is encouraging. He largely agreed with the position of the applicants, finding that the exceptions to the right to access to one’s personal information must be construed narrowly. Significantly, Justice Martineau found that courts cannot simply defer to a bank’s assertion that certain information is confidential commercial information. He placed an onus on RBC to justify why each withheld document was considered confidential. He noted that in some circumstances it will be possible to redact portions of reports, documents or data that are confidential while still providing access to the remainder of the information. In this case, Justice Martineau was not satisfied that the withheld information met the standard for confidential commercial information, nor was he convinced that some of it could not have been provided in redacted form.

Reviewing the documents at issue, Justice Martineau began by finding that a list of the documents relied upon by the bank in reaching its decision was not confidential information, subject to certain redactions. He noted as well that much of what was being withheld by the bank was “raw data”. He distinguished the raw data from the credit scoring model that was found to be confidential information in the 2002 OPC Finding mentioned above. He noted as well that the raw data was not confidential information and had not, when it was created, been treated as confidential information by the bank. He also noted that the standard for withholding information on an access request was very high.

Justice Martineau gave RBC 45 days to provide the applicants with all but a few of the documents which the court agreed could be withheld as confidential commercial information. Although the applicants had sought compensatory and punitive damages, he found that it was not an appropriate case in which to award damages.

Given the importance of this decision in the much broader big data and business information context, RBC is likely to appeal it to the Federal Court of Appeal. If so, it will certainly be an important case to watch. The issues it raises are crucial to the future of transparency and accountability of corporations with respect to their use of personal information. In light of the unwillingness of the OPC to stand up to the bank both in this case and in earlier cases regarding assertions of confidential commercial information, Justice Martineau’s approach is encouraging. There is a great deal at stake here, and this case will be well worth watching if it is appealed.


The department formerly known as Industry Canada (now Innovation, Science and Economic Development or ISED) has just released a discussion paper that seeks public input on the regulations that will accompany the new data breach notification requirements in the Personal Information Protection and Electronic Documents Act (PIPEDA).

The need to require private sector organizations in Canada to report data breaches was first formally identified in the initial review of PIPEDA carried out in 2007. The amendments to the statute were finally passed into law in June of 2015, but they will not take effect until regulations are enacted that provide additional structure to the notification requirements. The discussion paper seeks public input prior to drafting and publishing regulations for comment and feedback, so please stop holding your breath. It will still take a while before mandatory data breach notification requirements are in place in Canada.

The new amendments to the legislation make it mandatory for organizations to report data breaches to the Privacy Commissioner if those breaches pose “a real risk of significant harm to an individual” (s. 10.1). An organization must also notify any individuals for whom the breach poses “a real risk of significant harm” (s. 10.1(3)). The form and contents of these notifications remain to be established by the regulations. A new s. 10.2 of PIPEDA will also require an organization that has suffered a reportable breach to notify any other organization or government institution of the breach if doing so may reduce the risk of harm. For example, such notifications might include ones to credit reporting agencies or law enforcement officials. The circumstances which trigger this secondary notification obligation remain to be fleshed out in the regulations. Finally, a new s. 10.3 of PIPEDA will require organizations to keep records of all data breaches, not just those that reach the threshold for reporting to the Privacy Commissioner. In theory these records might enable organizations to detect flaws in their security practices. They may also be requested by the Commissioner, providing potential for oversight of data security at organizations. The content of these records remains to be determined by the new regulations.

From the above, it is clear that the regulations that will support these statutory data breach reporting requirements are fundamentally important in setting their parameters. The ISED discussion paper articulates a series of questions relating to the content of the regulations on which it seeks public input. The questions relate to how to determine when there is a “real risk of significant harm to an individual”; the form and content of the notification that is provided to the Commissioner by an organization that has experienced a breach; the form, manner and content of notification provided to individuals; the circumstances in which an organization that has experienced a breach must notify other organizations; and the form and content of records kept by organizations, as well as the period of time that these records must be retained.

It is certain that ISED will receive many submissions from organizations that are understandably concerned about the impact that these regulations may have on their operations and legal obligations. Consumer and public interest advocacy groups will undoubtedly make submissions from a consumer perspective. Individuals are also welcome to contribute to the discussion. Some questions are particularly relevant to how individuals will experience data breach notification. For example, if an organization experiences a breach that affects your personal information and that poses a real risk of harm, how would you like to receive your notification? By telephone? By mail? By email? And what information would you like to receive in the notification? What level of detail about the breach would you like to have? Do you want to be notified of measures you can take to protect yourself? Do you want to know what steps the organization has taken and will take to protect you?

Anyone with an interest in this issue, whether personally or on behalf of a group or an organization, has until May 31, 2016 to provide a written submission. The discussion paper and questions can be found here.

Technology has enabled the collection and sharing of personal information on a massive scale, and governments have been almost as quick as the private sector to hoover up as much of it as they can. They have also been as fallible as the private sector – Canada’s federal government, for example, has had a substantial number of data breaches in the last few years.

What has not kept pace with technology has been the legislation in place to protect privacy. Canada’s federal Privacy Act, arguably a ground-breaking piece of legislation when it was first enacted in 1983, has remained relatively untouched throughout decades of dramatic technological change. Despite repeated calls for its reform, the federal government has been largely unwilling to update this statute that places limits on its collection, use and disclosure of personal information. This may be changing with the new government’s apparent openness to tackling the reform of both this statute and the equally antiquated Access to Information Act. This is good news for Canadians, as each of these statutes has an important role to play in holding a transparent government accountable for its activities.

On March 10, 2016 Federal Privacy Commissioner Daniel Therrien appeared before the Standing Committee on Access to Information, Privacy and Ethics, which is considering Privacy Act reform. The Commissioner’s statement identified some key gaps in the statute and set out his wish list of reforms.

As the Commissioner pointed out, technological changes have made it easier for government agencies and departments to share personal information – and they do so on what he describes as a “massive” scale. The Privacy Act currently has little to offer to address these practices. Commissioner Therrien is seeking amendments that would require information sharing within the government to take place according to written agreements in a prescribed form. Not only would this ensure that information sharing is compliant with legal obligations to protect privacy, it would offer a measure of transparency to a public that has a right to know whether and in what circumstances information they provide to one agency or department will be shared with another.

The Commissioner is also recommending that government institutions be explicitly required under the law to safeguard the personal information in their custody, and to report data breaches to the Office of the Privacy Commissioner. It may come as a surprise to many Canadians that such a requirement is not already in the statute – its absence is a marker of how outdated the law has become. Since 2014, the Treasury Board of Canada, in its Directive on Privacy Practices, has imposed mandatory breach reporting for all federal government institutions, but this is not a legislated requirement, nor is there recourse to the courts for non-compliance.

The Commissioner is also seeking more tools in his enforcement toolbox. Under the Privacy Act as it currently stands, the Commissioner may make recommendations to government institutions regarding their handling of personal information. These recommendations may then be ignored. While he notes that “in the vast majority of cases, government departments do eventually agree to implement our recommendations”, it is clear that this can be a long, drawn out process with mixed results. Currently, the only matters that can be taken to court for enforcement are denials by institutions to provide individuals with access to their personal information. The Commissioner is not seeking the power to directly compel institutions to comply with its recommendations; rather, he recommends that an institution that receives recommendations from the Office of the Privacy Commissioner have two choices. They may implement the recommendations or they may go to court for a declaration that they do not need to comply. On this model, relatively prompt compliance would presumably become the default.

The Commissioner is also seeking an amendment that would require government institutions to conduct privacy impact assessments before the launch of a new program or where existing programs are substantially modified. Again, you would think this would be standard practice by now. It does happen, but the Commissioner diplomatically describes current PIAs as being “sometimes uneven” in both their quality and timeliness. The Commissioner would also like to see a legislated requirement that government bills that will have an impact on privacy be sent to the OPC for review before being tabled in Parliament.

The Commissioner seeks additional amendments to improve transparency in relation to the government’s handling of personal information. Currently, the Commissioner files an annual report to Parliament. He may also issue special reports. The Commissioner recommends that he be empowered under the legislation “to report proactively on the practices of government”. He also recommends extending the Privacy Act to all government institutions. Some are currently excluded, including the Prime Minister’s Office and the offices of Ministers. He also recommends allowing all individuals whose personal information is in the hands of a federal government institution to have a right of access to that information (subject, of course, to the usual exceptions). Currently only Canadian citizens and those present in Canada have access rights.

This suite of recommendations is so reasonable that most Canadians would be forgiven for assuming these measures were already in place. Given the new government’s pre- and post-election commitments to greater transparency and accountability, there may be reason to hope we will finally see the long-overdue reform of the Privacy Act.

 

The Fédération Étudiante Collégiale du Québec has succeeded in its opposition to a Quebec entrepreneur’s attempt to register its symbol of protest, the carré rouge (which means “red square”), as a trademark for use in association with T-shirts, posters, cups, wristbands, and other paraphernalia. While this decision offers some protection from the appropriation and commercialization of a protest symbol, it also reveals the limits of such protection.

The carré rouge – essentially a small square of red fabric attached to clothing by a gold safety pin – was adopted by the Fédération in January of 2011 as a symbol of a massive strike that was about to be launched to protest proposed tuition fee hikes in Quebec. Members of the Fédération – which included over 65,000 students – were encouraged to wear the symbol on their clothing and to participate in the series of organized rallies and protests across the province. The student demonstrations received a great deal of media attention and the carré rouge quickly became a public symbol associated with the student unrest.

Very shortly after the last of the major demonstrations in 2012, Raymond Drapeau sought to register as a trademark a design consisting of a red square with a gold pin. The Fédération opposed this registration. While they had clearly been the first to adopt and use the carré rouge as a symbol, they had not used it as a trademark – in other words, they had not used it to distinguish their goods or services from those of others. Absent a prior commercial use, they could not rely on grounds of opposition based upon their greater entitlement to the registration of the mark. This was confirmed by the Trade-marks Opposition Board (TMOB) in its December decision.

The Fédération was, however, successful with its argument that the carré rouge could not be distinctive of Drapeau’s goods because the public would associate the symbol with the Fédération and its protests, and not with Drapeau. The quintessential characteristic of a trademark is its capacity to distinguish its owner as the source of the goods or services in association with which it is used. This quality is referred to as distinctiveness. The TMOB found that the size of the student protests and the degree of media coverage was such that the symbol would be associated with the Fédération’s protest movement. It was therefore not capable of distinguishing Drapeau as a trade source. The application for trademark registration was therefore refused.

The Fédération’s victory is an important one, but it is not one that should allow activist or protest groups to feel complacent. It is important because the TMOB was prepared to recognize the link between a protest group and its symbol as being of a kind that can make the symbol difficult for others to appropriate for commercial purposes. However, the decision of the TMOB merely denies registration of the mark. It does not prevent Drapeau (or others) from using the symbol as an unregistered trademark. Use in this way might actually lead to acquired distinctiveness, which could, in turn, be a basis for eventual trademark registration. Indeed, the TMOB observed that “substantial evidence of use of the Mark by the Applicant might possibly have supported an argument that the Mark had become distinctive as of the relevant date.” (at para 40). It also noted that “a symbol can be a trade-mark if it can serve to identify the source of the goods and services associated with it.” (at para 43)

A protest movement that wishes to acquire the kind of goodwill in its mark or symbol that will give rise to its own trademark rights will need to use the mark in association with goods or services. This type of commercial use might well go against the movement’s ideology – and might, in any event, be too complicated within the context of a spontaneous movement; particularly one that gathers more momentum than initially anticipated at the outset. Copyright law offers a possible source of protection: an original design can be protected by copyright law – and it is possible to oppose the registration of a trademark that would infringe the copyright of another. But the carré rouge as used by the students is not a “work” in which copyright subsisted. In this case, the simplicity of the symbol, while contributing to its uptake and use, undermined its capacity to be “owned” by the Fédération and in turn controlled by it. Of course, the whole concept of private ownership of public symbols runs against the spirit of the protests, and the Fédération maintained throughout that the carré rouge was in the public domain and thus not capable of private ownership. They were successful on the facts as they stood, but the TMOB decision reminds us that even symbols in the so-called public domain may be appropriated in certain circumstances.

 

I was at the United Nations last week for an Expert Group Meeting on Moving from commitments to results in building effective, accountable and inclusive institutions at all levels. On February 18, 2016, I gave a presentation on balancing privacy with transparency in open government. This is a challenging issue, and one that is made even more so by digitization, information communication technologies and the big data environment.

Openness and access to government information and data serve the goals of greater transparency and greater public trust in government. They are essential in fighting corruption, but they are also important in holding governments to account for their decision-making and for their spending of public funds. However, transparency must also be balanced against other considerations, including privacy. Privacy is a human right, and it protects the dignity, autonomy and integrity of individuals. Beyond this, however, the protection of privacy of personal information in the hands of governments also enhances public trust in governments and can contribute to citizen engagement.

How, then, does one balance privacy with transparency when it comes to information in the hands of government? There are no easy answers. My slides from my presentation can be found here, and these slides contain some links to some other publicly available work on this topic.

Tuesday, 09 February 2016 10:19

Evaluating Canada's Open Government Progress

Carleton University’s Mary Francoli has just released her second report on Canada’s progress towards its Open Government commitments as part of its membership in the Open Government Partnership. The report is currently open for public comment.

The report offers a detailed and thorough assessment of the commitments made by the Canadian government in its second Action Plan on Open Government and the extent to which these commitments have been met. For those interested in open government, it makes interesting reading, and it also sets out a number of recommendations for moving the open government agenda forward in Canada.

Because the report is a review of Canada’s progress on meeting its commitments, it is shaped by those commitments rather than by, for example, a list of open government priorities as identified by multiple stakeholders. Indeed, problems with stakeholder consultation and engagement are themes that run through this report. Although Francoli notes that there have been improvements over time, there is clearly still work to be done in this regard.

Francoli’s detailed review shows that progress has certainly been made in moving forward the open government agenda. She notes that “significant progress” has been made with respect to many of the government’s commitments in the second Action Plan, and that in some cases the government’s progress has exceeded its commitments. Not surprisingly, however, much remains to be done. Francoli identifies a number of shortcomings flagged by stakeholders that form the basis for her recommendations.

Foremost among the shortcomings is the woeful state of Canada’s Access to Information Act. Although this legislation has been the subject of criticism and calls for reform for decades – and by a broad range of stakeholders – the previous government remained impervious to these demands. That an open government agenda could be advanced with much fanfare without tackling access to information in any substantive way should undermine confidence in Canada’s commitment to open government. Top among Francoli’s recommendations, therefore, is reform of the legislation, and she has written a separate opinion piece on this topic in the Hill Times. In this article she notes with frustration that although the new Liberal government expressed a commitment to reform the access to information regime in its election platform, that commitment is now being expressed in terms of a “review” of the legislation. Francoli justifiably questions whether we really need further review given the many studies already conducted and the ink already spilled about the deficiencies in the legislation. A commitment to meaningful reform might just require swifter action.

Other issues flagged by Francoli include what she refers to as a “data deficit” – the apparent stalling of progress in the release of open data and the lack of diversity in the available data at the federal level. The concerns over a data deficit extend to the cancellation of government-led data collection; the axing of the long-form census being perhaps the most notorious (though not the only) example of this. Although the census has been revived, Francoli notes that other cancelled studies have not. Further, Francoli cautions that the government’s web renewal strategy is having the effect of pushing departments and agencies to reduce digital content available over the web, with the resultant loss of content available to the public. This latter concern ties in as well to Francoli’s recommendation that the government develop and publicize a clear policy on the preservation of digital material.

In addition to recommendations related to these issues, Francoli also recommends that the government overhaul the Advisory Panel on Open Government. This Panel (on which I served) met only very rarely, and opportunities to provide feedback became very limited by tight time constraints imposed on the few meetings that did take place. Francoli is concerned about a disjunction between stakeholders’ perspectives on open government and those of the government, and she sees an Advisory Panel with a new mandate and a new mode of operation as being one way to ensure more open lines of communication.

There may be a common misperception that open data and proactive disclosure are inexpensive and resource-light endeavors (after all, the government is just publishing online information already gathered, right?). Yet, this is far from the case. Open data in particular is resource-intensive, and Francoli notes that the two Action Plans had identified no additional resources for open government (apart from the $3 million set aside for the mysterious Open Data Exchange (ODX)). She therefore also recommends that the government commit the necessary resources to open government in future action plans.

Francoli’s report can be found here, and comments on the report can be made here. The comments are public, and it is also possible to read comments by other stakeholders and to engage in dialogue about the report. With a new government in the process of setting its open government agenda, this is an opportunity to help shape its direction.

A recent decision of the Ontario Superior Court of Justice has expanded the scope of the tort of invasion of privacy in Ontario. This is an important development, given that the tort was only recognized for the first time by the Ontario Court of Appeal in 2012. The rapid expansion of private recourses for invasion of privacy is not surprising. Technology has amplified privacy risks, and highly publicized incidents of data breaches, snooping, shaming, and identity theft have dramatically increased public awareness of the risks and harms of privacy invasive activity.

Doe 464533 v. D. involved a defendant who posted an intimate video of the plaintiff on a pornography website without her knowledge or consent. The two had been in a relationship which began when they were in high school and ended shortly afterwards. The plaintiff moved away to attend university and remained in regular contact with the defendant. He began pressuring her to send him an intimate video of herself. She refused to do so for a time, but eventually gave in to repeated requests. The defendant had assured her that no one else would see the video. As it turns out, he posted the video to a porn site on the same day he received it. He also showed it to other young men from the high school he had attended with the plaintiff.

The posting of the video and its aftermath were devastating to the plaintiff, who suffered from depression and anguish. Justice Stinson observed that at the time of the hearing, 4 years after the incident, she was still “emotionally fragile and worried that the video may someday resurface and have an adverse impact on her employment, her career or her future relationships.” (at para 14)

There are two significant aspects to the court’s decision in this case. The first is that it expands the privacy tort recognized by the Ontario Court of Appeal in Jones v. Tsige. In that case, a bank employee had improperly accessed customer information for her own purposes. The Court of Appeal was prepared to recognize at least one aspect of the broad tort of invasion of privacy – that of “intrusion upon seclusion”. In other words, one who snoops or hacks their way into the personal information of another can be held liable for this invasion. The facts of Doe 464533 did not fit within the boundaries of ‘intrusion upon seclusion’. The defendant did not improperly access the plaintiff’s personal information. She sent it to him directly. However, she did so on the understanding that the material would remain strictly private. In breach of this understanding, the defendant posted the information online and shared it with common acquaintances. Justice Stinson characterized this as another branch of the broad tort of invasion of privacy – the “public disclosure of embarrassing private facts about the plaintiff”. Justice Stinson observed that “[i]n the electronic and Internet age in which we all now function, private information, private facts and private activities may be more and more rare, but they are no less worthy of protection.” (at para 44) He adopted a slightly modified version of the American Restatement (second) of Torts’ formulation of this branch of the tort:

One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of the other’s privacy, if the matter publicized or the act of the publication (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public. (at para 46)

The recognition of this branch of the tort is an important development given that it now clearly provides recourse for those who are harmed by the publication of private facts about themselves. There are limits – the tort will only be available where the material published “would be highly offensive to a reasonable person”. Further, if the facts are ones that there is a public interest in knowing (for example, the publication of information about a person’s involvement in corrupt or illegal activity), there will be no liability. However, in an era in which “revenge porn” is a known phenomenon, the tort may provide a deterrent effect in some instances, and a basis for recourse in others.

The other interesting aspect of this decision is the damage award. The plaintiff had decided to commence her action under the Court’s Simplified Procedure. This meant that the maximum she could ask for in damages was $100,000. Justice Stinson ordered the maximum amount with little hesitation – which suggests that he might have awarded even more extensive damages had there been no cap. This is surely interesting, as damage awards for breach of privacy (either the tort or recourses under private sector data protection laws in Canada) have been generally quite small. In Jones v. Tsige, the Court had awarded only $10,000 in damages and had indicated that the normal range for such damages would be up to a maximum of $20,000 where no direct financial losses could be shown. In Doe 464533, Justice Stinson found the harm suffered by the plaintiff by the publication of the video to be analogous to the harm suffered in cases of sexual assault and battery. He fixed an amount of $50,000 in general damages for the past and ongoing effects of the defendant’s actions. He also awarded $25,000 in aggravated damages relating to the particularly offensive behavior of the defendant. According to Justice Stinson, the defendant’s breach of trust was “an affront to their relationship that made the impact of his actions even more hurtful and painful for the plaintiff.” (at para 59). He also awarded $25,000 in punitive damages for the defendant’s reckless disregard for the plaintiff. He noted that the defendant had not apologized, nor had he shown any remorse. He noted as well the highly blameworthy nature of the defendant’s conduct, the vulnerability of the plaintiff, and the significant harm the plaintiff had suffered. Justice Stinson also expressed the view that the punitive damage award was meant to have a deterrent effect. He stated: “it should serve as a precedent to dissuade others from engaging in similar harmful conduct.” (at para 62) In addition to the total award of $100,000 in damages, the judge ordered a further $5,500 in prejudgment interest and $36,208.73 in legal costs.

The recognition of the new tort, combined with the court’s approach to quantifying the harm suffered from this form of privacy invasive activity, should sound a warning to those who seek to use the internet as a means to expose or humiliate others.

Recent debates about enhanced police and national security surveillance powers in Canada have drawn attention to the vulnerability of Canadians’ privacy rights in the absence of proper safeguards and oversight. This problem is particularly acute in our big data economy, where participation in the economy – simply by being consumers of products and services – leaves a detailed trail of data in the hands of private sector actors. The Criminal Code provides for extensive access by police to personal information in the hands of third parties through its warrant system. Laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA) also allow private sector companies to provide law enforcement and other government entities with personal information, without the knowledge and consent of the individual. This is often done in response to a court order or search warrant; however, PIPEDA also permits voluntary sharing even without a warrant in some circumstances.

The courts have had to play an important role in placing limits on the extent of access by state authorities to Canadians’ personal information. Just this week, in another significant decision, Justice Sproat of the Ontario Superior Court issued a long-awaited ruling in R. v. Rogers Communication (2016 ONSC 70) on the constitutional limitations on “tower dump” warrants.

The original tower dump warrants in this case were issued to police who were investigating a jewellery store robbery in Toronto. The police believed that the unidentified suspects had used cell phones during or just after the robbery. They asked the court for an order requiring the relevant cell phone service providers (in this case Rogers and Telus) to provide a dump of all of the data from cell phone towers that might have picked up and transmitted these calls within a window of time surrounding the robbery. On Telus’ estimate, compliance with the original order would have required it to provide data relating to at least 9,000 customers. Rogers estimated that it would need to provide the records of 34,000 subscribers. In addition to the data regarding all of the customers who had placed calls through those towers, the police also sought their name and address information, the names and contact information of all of the individuals who these people called, and credit card and bank information on file for the callers. The police subsequently revised their request, seeking a much more limited amount of data. However, Rogers and Telus pursued their Charter case, arguing that a court ruling on the constitutional legitimacy of this type of data request was necessary to protect not just their own interests but those of their customers.

The Court agreed that the customers of telecommunications companies had a reasonable expectation of privacy in their cell phone data and that if Rogers and Telus could not proceed with the Charter claims, it would be difficult for these issues to be effectively litigated. It agreed to hear and rule on the Charter arguments notwithstanding that the police had withdrawn their initial request for the data and notwithstanding the fact that the Charter rights in question belonged to thousands of private citizens and not to the Telcos directly.

Justice Sproat did not hesitate in ruling that the original production orders sought in this case were overly broad and that they infringed the Charter rights of the individuals whose data would have been captured by them. He found that the orders “went far beyond what was reasonably necessary to gather evidence concerning the commission of the crimes under investigation” (at para 42). He then went on to formulate a set of guidelines for police seeking tower dump warrants. He premised his guidelines on the “fundamental principles of incrementalism and minimal intrusion” (at para 63). He emphasized as well the requirement for police who seek such a warrant to explain “clearly in the information to obtain how requested data relates or does not relate to the investigation.” (at para 64)

The guidelines and their more detailed articulation can be found at paragraph 63 of the decision. In summary though, they are that the police must provide:

1. A statement or explanation that demonstrates that the officer seeking the production order is aware of the principles of incrementalism and minimal intrusion and has tailored the requested order with that in mind;

2. An explanation as to why all of the named locations or cell towers, and all of the requested dates and time parameters are relevant to the investigation;

3. An explanation as to why all of the types of records sought are relevant;

4. Any other details or parameters which might permit the target of the production order to conduct a narrower search and produce fewer records;

5. A request for a report based on specified data instead of a request for the underlying data itself;

6. If there is a request for the underlying data there should be a justification for that request;

7. Confirmation that the types and amounts of data that are requested can be meaningfully reviewed.

These are important guidelines that seek to limit the reach of state authorities into the private lives of Canadians to only that information which is genuinely necessary to investigate criminal activity.

It is worth noting that Justice Sproat declined to consider post-seizure safeguards in relation to tower dump data. Where a production order legitimately allows police to seek tower dump data, nothing in the Criminal Code provides any guidance as to what safeguards should govern the security and retention of this data. These are important issues – we are all painfully aware of the rising number of public and private sector data security breaches, and of cases of excessive retention and careless destruction of no-longer useful personal information. According to Justice Sproat, issues regarding retention of this data are best left to the legislator. Given the vast amount of personal information now capable of collection from the private sector through the host of different production orders available under the Criminal Code, Parliament should be strongly encouraged to address this issue. In the meantime, it would be good to see police forces develop policies regarding the retention and destruction of personal information obtained under warrants that is no longer necessary for its original purpose.


Citizen science is the name given to a kind of crowd-sourced public participatory scientific research in which professional researchers benefit from the distributed input of members of the public. Citizen science projects may include community-based research (such as testing air or water quality over a period of time), or may involve the public in identifying objects from satellite images or videos, observing and recording data, or even transcribing hand written notes or records from previous centuries. Some well-known citizen science projects include eBird, Eyewire, FoldIt, Notes from Nature, and Galaxy Zoo. Zooniverse offers a portal to a vast array of different citizen science projects. The range and quantity of citizen science experiences that are now available to interested members of the public are a testament both to the curiosity and engagement of volunteers as well as to the technologies that now enable this massive and distributed engagement.

Scientific research of all kinds – whether conventional or involving public participation – leads inevitably to the generation of intellectual property (IP). This may be in the form of patentable inventions, confidential information or copyright protected works. Intellectual property rights are relevant to the commercialization, exploitation, publication and sharing of research. They are important to the researchers, their employers, their funders, and to the research community. To a growing extent, they are of interest to the broader public – particularly where that public has been engaged in the research through citizen science.

What IP rights may arise in citizen science, how they do so, and in what circumstances, are all issues dealt with by co-author Haewon Chung and me in a paper released in December 2015 by the Commons Lab of the Wilson Center for International Scholars in Washington, D.C. Titled Best Practices for Managing Intellectual Property Rights in Citizen Science, this paper is a guide for both citizen science researchers and participants. It covers topics such as the reasons why IP rights should be taken into account in citizen science, the types of rights that are relevant, how they might arise, and how they can be managed. We provide an explanation of licensing, giving specific examples and even parsing license terms. The paper concludes with a discussion of best practices for researchers and a checklist for citizen science participants.

Our goal in preparing this report was to raise awareness of IP issues, and to help researchers think through IP issues in the design of their projects so that they can achieve their objectives without unpleasant surprises down the road. These unpleasant surprises might include realizing too late that the necessary rights to publish photographs or other materials contributed by participants have not been obtained; that commitments to project funders preclude the anticipated sharing of research results with participants; or that the name chosen for a highly successful project infringes the trademark rights of others. We also raise issues from participant perspectives: What is the difference between a transfer of IP rights in contributed photos or video and a non-exclusive license with respect to the same material? Should participants expect that research data and related publications will be made available under open licenses in exchange for their participation? When and how are participant contributions to be acknowledged in any research outputs of the project?

In addition to these issues, we consider the diverse IP interests that may be at play in citizen science projects, including those of researchers, their institutions, funders, participants, third party platform hosts, and the broader public. As citizen science grows in popularity, and as the scope, type and variety of projects also expand, so too will the IP issues. We hope that our research will contribute to a greater understanding of these issues and to the complex array of relationships in which they arise.

Note: This research paper was funded by the Commons Lab of the Wilson Center and builds upon our earlier shorter paper: Typology of Citizen Science Projects from an Intellectual Property Perspective: Invention and Authorship Between Researchers and Participants. Both papers are published under a Creative Commons Licence.

 
