access to information Ambush Marketing big data citizen science confidential information copyright data breach notification data protection digital cartography ecommerce and internet law Electronic Commerce Extraterritoriality fair use freedom of expression Geospatial geospatial data intellectual property Internet internet law IP open data open government personal information pipeda Privacy takings trademark law trademarks traditional knowledge transparency
Friday, 02 December 2016 14:00
Many Canadians are justifiably concerned that the vast amounts of information they share with private sector companies – simply by going about their day-to-day activities – may end up in the hands of law enforcement or national security officials without their knowledge or consent. The channels through which vast amounts of personal data can flow from private sector hands to law enforcement with little transparency or oversight can turn the companies we do business with into informers and make us unwittingly complicit in our own surveillance.
A recent Finding of the Office of the Privacy Commissioner of Canada (OPC) illustrates how the law governing the treatment of our personal information in the hands of the private sector has been adapted to the needs of the surveillance state in ways that create headaches for businesses and their customers alike. The Finding, which posted on the OPC site in November 2016 attempts to unravel a tangle of statutory provisions that should not have to be read by anyone making less than $300 per hour.
Basically, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how personal information is collected, used and disclosed by private sector organizations at the federal level and in all provinces that do not have their own equivalent statutes (only Quebec, B.C. and Alberta do). One of the core principles of this statute is the right of access to one’s personal information. This means that individuals may ask to be informed about the existence, use and disclosure of their personal information in the hands of an organization. They must also be given access to that information on request. Without the right of access it would be difficult for us to find out whether an organization was in compliance with its privacy policies. The right of access also allows us to verify and request correction of any erroneous information.
Another core principle of PIPEDA is consent. This means that information about us should not be collected, used or disclosed without our consent. The consent principle is meant to give us some control over our personal information (although there are huge challenges in this age of overly-long, vague, and jargon-laden privacy policies).
The hunger for our personal information on the part of law enforcement and national security officials (check out these Telco transparency reports here, here and here) has led to a significant curtailment of both the principles of access and of consent. The law is riddled with exceptions that permit private sector companies to disclose our personal information to state authorities in a range of situations without our knowledge or consent, with or without a warrant or court order. Other exceptions allow these disclosures to be hidden from us if we make access requests. What this means is that, in some circumstances, organizations that have disclosed an individual’s information to state authorities, and that later receive an access request from the individual seeking to know if their information has been disclosed to a third party, must contact the state authority to see if they are permitted to reveal that information has been shared. If the state authority objects, then the individual is not told of the disclosure.
The PIPEDA Report of Findings No. 2016-008 follows a complaint by an individual who contacted her telecommunications company and requested access to her personal information in the hands of that company. Part of the request was for “any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies.” (at para 4). She received a reply from the Telco to the effect that it was “fully in compliance with subsections 9(2.1), (2.2), (2.3) and (2.4) of [PIPEDA].” (at para 5) In case that response was insufficiently obscure, the Telco also provided the wording of the subsections in question. The individual complained to the Office of the Privacy Commissioner (OPC).
The OPC decision makes it clear that the exceptions to the access principle place both the individual and the organization in a difficult spot. Basically, an organization that has disclosed information to state authorities without the individual’s knowledge or consent, and that receives an access request regarding this disclosure, must check with the relevant state authority to see if they have any objection to the disclosure of information about the disclosure. The state authorities can object if the disclosure of the disclosure would pose a threat to national security, national defence or the conduct of international affairs, or would adversely impact investigations into money laundering or terrorist financing. Beyond that, the state authorities can also object if disclosure would adversely impact “the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law, or the gathering of intelligence for the purpose of enforcing any such law.” If the state authorities object, then the organization may not disclose the requested information to the individual, nor can they disclose that they contacted the state authorities about the request, or that the authorities objected to any disclosure. In the interests of having a modicum of transparency, the organization must inform the Privacy Commissioner of the situation.
The situation is complex enough that in its finding, the OPC produced a helpful chart to guide organizations through the whole process. The chart can be found in the Finding.
In this case, the Telco justified its response to the complainant by explaining that if pushed further by a customer about disclosures, it would provide additional information, but even this additional information would be necessarily obscure. The Commissioner found that the Telco’s approach was not compliant with the law, but acknowledged that compliance with the law could mean that a determined applicant, by virtue of repeated requests over time, could come up with a pattern of responses that might lead them to infer whether information was actually disclosed, and whether the state authority objected to the disclosure. This is perhaps not what Parliament intended, but it does seem to follow from a reading of the statute.
As a result of the complaint, the Telco agreed to change its responses to access requests to conform to the requirements outlined in the table above.
It may well be that this kind of information-sharing offers some, perhaps significant, benefits to society, and that sharing information about information sharing could, in some circumstances, be harmful to investigations. The problem is that protections for privacy – including appropriate oversight and limitations – have not kept pace with the technologies that have turned private sector companies into massive warehouses of information about every detail of our lives and activities. The breakdown of consent means that we have little practical control over what is collected, and rampant information sharing means that our information may be in the hands of many more companies than those with which we actively do business. The imbalance is staggering, as is the risk of abuse. The ongoing review of PIPEDA must address these gaps issues – although there are also risks that it will result in the addition of more exceptions from the principles of access and consent.
Thursday, 17 November 2016 14:47
The Supreme Court of Canada has issued a relatively rare decision on the interpretation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Although it involves fairly technical facts that are quite specific to the banking and mortgage context, the broader significance of the case lies in the Court’s approach to implied consent under PIPEDA.
The case arose in the context of the Royal Bank of Canada’s (RBC) attempt to obtain a mortgage discharge statement for property owned by two individuals (the Trangs), who defaulted on a loan advanced by the bank. The mortgage was registered against a property in Toronto, on which Scotiabank held the first mortgage. In order to recover the money owed to it, RBC sought a judicial sale of the property, but the sheriff would not carry out the sale without the mortgage discharge statement. Scotiabank refused to provide this statement to RBC on the basis that it contained the Trangs’ personal information and it could therefore not be disclosed to RBC without the Trangs’ consent.
PIPEDA allows for the disclosure of personal information without consent in a number of different circumstances. Three of these, raised by lawyers for RBC, include where it is for the purpose of collecting a debt owed by the individual to the organization; where the disclosure is required by a court order; and where the disclosure is required by law. Ultimately, the Court only considered the second of these exceptions. Because Scotiabank refused to disclose the discharge statement, RBC had applied to a court for a court order that would enable disclosure without consent. However, it found itself caught in a procedural loop – it seemed to be asking the court to order disclosure on the basis of a court order which the court had yet to grant. Although the Court of Appeal had found the court order exception to be inapplicable because of this circularity, the Supreme Court of Canada swept aside these objections in favour of a more pragmatic approach. Justice Côté found that the court had the power to make an order and felt that an order was appropriate in the circumstances. She ruled that it would be “overly formalistic and detrimental to access to justice” to require RBC to reformulate its request for a court order in a new proceeding.
Although this would have been enough to decide the matter, Justice Côté, for the unanimous court, went on to find that the Trangs had given implied consent to the disclosure of the mortgage statement in any event. Under PIPEDA, consent can be implied in some circumstances. Express consent is generally required where information is sensitive in nature. Acknowledging that financial information is generally considered highly sensitive, Justice Côté nevertheless found that in this case the mortgage discharge statement was less sensitive in nature. She stated that “the degree of sensitivity of specific financial information is a contextual determination.” (at para 36) Here, the context included the fact that a great deal of mortgage-related financial information is already in the public domain by virtue of the Land Titles Registry, which includes details such as the amount of a mortgage recorded against the property, the interest rate, payment periods and due date. Although the balance left owing on a mortgage is not provided in the Registry, it can still be roughly calculated by anyone interested in doing so. Justice Côté characterized the current balance of a mortgage as “a snapshot at a point in time in the life of a publicly disclosed mortgage.” (at para 39)
Justice Côté’s implied consent analysis was also affected by other contextual considerations. These included the fact that the party seeking disclosure of the discharge statement had an interest in it; as a creditor, it was relevant to them. According to the Court, the reasonable expectations of the individual with respect to the sensitivity of any information must be assessed in “the whole context” so as not to “unduly prioritize privacy interests over the legitimate business concerns that PIPEDA was also designed to reflect”. (at para 44) The fact that other creditors have a legitimate business interest in the information in a mortgage disclosure statement is “a relevant part of the context which informs the reasonable expectation of privacy.” (at para 45) In this regard, Justice Côté observed that the identity of the party seeking disclosure of the information and the reason for which they are seeking disclosure are relevant considerations. She noted that “[d]isclosure to a person who requires the information to exercise an established legal right is clearly different from disclosure to a person who is merely curious or seeks the information for nefarious purposes.” (at para 46)
Justice Côté also found that the reasonable mortgagor in the position of the Trangs would be aware of the public nature of the details of their mortgage, and would be aware as well that if they defaulted on either their mortgage or their loan with RBC, their mortgaged property could be seized and sold. They would also be aware that a judgment creditor would have a “legal right to obtain disclosure of the mortgage discharge statement through examination or by bringing a motion.” (at para 47)
It seems that it is the fact that RBC could ultimately legally get access to the mortgage discharge statement, viewed within the broader context that drives the Court to find that there is an implied consent to the disclosure of this information – even absent a court order. The Court’s finding of implied consent is nevertheless limited to this context; it would not be reasonable for a bank to disclose a mortgage discharge statement to anyone other than a person with a legal interest in the property to which the mortgage relates. The Court’s reasoning seems to be that since RBC is ultimately entitled to get this information and has legal means at its disposal to get the information, then the Trangs can be considered to have consented to the information being shared.
Pragmatism is often a good thing, and it is easy to be sympathetic to the Court’s desire to not create expensive legal hurdles to achieve inevitable ends in transactions that are relatively commonplace. It should be noted, however, that the same result could have been achieved by the addition of a clause in the mortgage documents that would effectively obtain the consent of any mortgagor to disclosures of this kind and in those circumstances. No doubt after the earlier decisions in this case and in the related Citi Cards Canada Inc. v. Pleasance, banks had already taken steps to address this in their mortgage documents. One of the reasons for having privacy policies is to require institutions to explain to their customers what personal information is collected, how it will be used, and in what circumstances it will be disclosed. While it is true that few people read such privacy policies, they are at least there for those who choose to do so. Nobody reads implied terms because they are… well, implied. Implied consent works where certain uses or disclosures are relatively obvious. In more complicated transactions implied consent should be sparingly relied upon.
It will be interesting to see what impact the Court’s judicial eye roll to the facts of this case will have in other circumstances where consent to disclosure is an issue. The Court is cautious enough in its contextual approach that it may not lead to a dangerous undermining of consent. Nevertheless, there is a risk that the almost exasperated pragmatism of the decision may cause a more general relaxation around consent.
Thursday, 10 November 2016 13:55
The Federal Court has just released a decision in a case that raised issues of fair dealing and copyright abuse. Blacklock’s, an Ottawa-based online news agency, had argued that officials at the Department of Finance breached its copyright in news articles when these articles were circulated internally. The decision is an important confirmation of the ‘right to read’ in Canada and may go some way to dispelling the aftertaste of an earlier flawed decision by the Ontario Small Claims Court in a similar dispute.
Blacklock’s business model is to offer its news content on a subscription-only basis. Its articles are behind a paywall, and only subscribers, equipped with a password, can gain access to them. Individual subscriptions are available for $148 a year, whereas institutional subscription rates range between $11,470 and $15,670.
In this case, a reporter from Blacklock’s had interviewed the President of the Canadian Sugar Institute, Sandra Marsden, for a story relating to sugar tariff changes. The same reporter had sought comments from Department of Finance officials and ultimately had an exchange of email correspondence with the Department’s media relations officer. In what appears to be Blacklock’s practice, teasers about the story were sent out to Marsden by email and by Twitter. Based on the teasers Marsden became concerned about the accuracy of the article. She paid for an individual subscription in order to access it. After reading the article her concerns grew and she cut and pasted the article into an email, to a Department official. The same reporter wrote a follow up piece which Marsden also found problematic; she forward this piece to the Department of Finance as well. The two articles were circulated between a total of 6 Finance employees who discussed amongst themselves whether any follow-up with Blacklock’s was required. In the end it was decided that the matter should be dropped.
Justice Barnes found that there was no disputing that the Finance officials had used Blacklock’s copyright-protected material without paying for it or seeking Blacklock’s consent. The key issue was whether the use fell within the fair dealing exception for research or private study in s. 29 of the Copyright Act. After reviewing the Supreme Court of Canada’s landmark fair dealing decision in CCH Canadian v. Law Society of Upper Canada and its more recent decision in SOCAN v. Bell Canada, he concluded that the use constituted fair dealing. He noted that, according to the case law, “research” does not have to lead to the creation of a new work of authorship; it can be ““piecemeal, informal, exploratory, or confirmatory”, and can be undertaken for no purpose except personal interest.” (at para 31)
Justice Barnes found that the Finance officials “had legitimate concerns about the fairness and accuracy” of the reporting in the article. Her further found the internal circulation of the piece was justified on the basis that “[e]veryone involved had a legitimate need to be aware in the event that further action was deemed necessary”. (at para 35) He identified a number of considerations that influenced his conclusion that the officials’ dealing with the material was fair. He noted that the articles had not been obtained by illegal means such as hacking the website; rather, they had been provided by a subscriber to the site who had legally accessed them and had forwarded them for “a legitimate business reason”. (at para 36) The articles had been sent to the Finance officials and not solicited by them; they received limited circulation; and they were not republished or used for any commercial purpose. The court also found that the two articles were a tiny fraction of the content available from the Blacklock’s site. Further, Justice Barnes opined that “a finding of copyright infringement against a news source for the simple act of reading the resulting copy is likely to have a chilling effect on the ability of the press to gather information.” (at para 36). Justice Barnes also stated that “copyright should not be a device that serves to protect the press from accountability for its errors and omissions.” (at para 36).
Blacklock’s had argued that its terms and conditions for access to its paywalled content had been breached when the material was forwarded to Finance officials, and that this breach should serve to negate a finding of fair dealing. Justice Barnes appeared sympathetic to this argument on its face, stating that it was a “relevant consideration” (though he did not state that it would necessarily be determinative). However, he cautioned that for this factor to be taken into account, the copyright owner would have to demonstrate that the user was aware of the terms and conditions and that the terms and conditions actually barred the conduct at issue. In this case, he found that none of the parties involved had either read or even been aware of Blacklock’s terms and conditions which were not readily part of the process for signing up for an individual subscription. He also found that the terms and conditions were not clear, stating: “On the one hand they seemingly prohibit distribution by subscribers but, on the other, they permit it for personal, or non-commercial uses.” (at para 42).
Blacklock’s also objected that a finding of fair dealing would undermine its business model – selling online news through a subscriber-only paywall. Justice Barnes was not particularly sympathetic, noting that “All subscription-based news agencies suffer from work-product leakage.” (at para 45) Further, he stated that “whatever business model Blacklock’s employs it is always subject to the fair dealing rights of third parties.” (at para 45) At the same time, he noted that by so stating, he was not endorsing “blameworthy conduct in the form of unlawful technological breaches of a paywall, misuse of passwords or the widespread exploitation of copyright material to obtain a commercial or business advantage.” (at para 45)
As I noted in an earlier comment on this case, the defendants had argued that Blacklock’s was engaged in copyright misuse and was acting as a kind of “copyright troll”. In fact, there are 9 other suits brought by Blacklock’s against the federal government on similar sets of facts. Noting that “there are certainly some troubling aspects to Blacklock’s business practices”, Justice Barnes nevertheless found it unnecessary to rule on the copyright abuse and trolling arguments in light of his findings on fair dealing. The other cases, which were stayed pending the resolution of this first dispute, may now end up being settled out of court.
In the course of his decision, Justice Barnes referred to what occurred in this case as “no more than the simple act of reading by persons with an immediate interest in the material.” (at para 36) This right to read is fundamentally important in a society that values knowledge and the freedom of expression. The decision makes it clear that business models for content distribution cannot run roughshod over certain fundamental users rights.
Published in Copyright Law
Wednesday, 26 October 2016 14:42
In a press release issued on October 26, 2016, the Ontario Provincial Police announced that they would be adopting a new investigative technique – one that relies on cellphone tracking of ordinary members of the public. The use of this new technique is being launched in the context of the investigation of an unsolved murder that took place in Ottawa in 2015. Police are searching for leads in the case.
The OPP sought a Production Order from a justice of the peace. This order required major cellular phone service providers to furnish them with a list of cellphone numbers used in the vicinity of West Hunt Club and Merivale Road in Ottawa, between 12:30 and 3:30 p.m. on December 15, 2015. Production orders for cell phone information have become commonplace. Typically, however, they have been used to determine whether a person of interest to the police was in a certain area at a specific time. This is not the case here. In this case, the police intend to send text messages to the individual cell phone numbers provided by the phone companies. These messages will encourage recipients to visit a web site set up by the police and to respond to some questions. According to the press release, the production order did not include customer name and address information associated with the phone numbers. In theory, then, individual privacy is protected by the fact that an person who does not respond to the text message does provide any further identifying information to the police.
There is clearly a public interest in solving crimes. Where investigations have grown cold, new techniques may be important to finding justice for victims and their families. However, it is also important that any new investigative techniques are consistent with the principles and values that are an integral part of our justice system. Privacy advocates and the public have reason to be concerned about this new investigative technique. Here are some of the reasons why:
First, production orders of this kind provide completely inadequate opportunities to hear and consider the privacy interests of affected individuals. Persons accused of crimes can always challenge in court the way in which the police went about collecting the evidence against them. They can argue that their privacy interests were violated and that search warrants should never have been issued. However, ordinary members of the public have little practical recourse when their privacy rights are infringed by investigations of crimes that have nothing to do with them. In a decision of the Ontario Superior Court (which I wrote about here) Justice Sproat reviewed production orders for massive amounts of cell phone data sought by police. He was sharply critical of both the seeking and the granting of a production order for quantities of cell phone customer data that far exceeded what was genuinely required for the purpose of the investigation. The case impacted the privacy rights of the broad public (it involved the data of over 43,000 customers) yet as is so often the case, the public had no way to learn of or challenge the production order before it was granted. In that case, it was the Telcos – Rogers and Telus – who challenged the production orders and raised privacy issues before the courts. Without this intervention, there would have been no voice for the privacy interests of ordinary citizens and no means of reviewing the legitimacy of the order.
Second, production orders of this kind come with no safeguards for the protection of data after it has been used by police. Production orders typically do not contain directions on how long data can be retained, whether it should be destroyed after a certain time, what other uses it might (or should not) be put to, or what safeguards are required to protect it while it is in the hands of police. The lack of such safeguards was commented upon by Justice Sproat in the case mentioned above. He was of the view that this was an issue for Parliament to address. Parliament has yet to do so.
In its press release, the OPP analogized what it was doing to police going through a neighborhood where a crime has taken place and knocking on doors to see if anyone has seen or heard anything that might be relevant. The analogy is problematic. The existence and location of houses and apartment units are matters of public record – they are in plain view. However, data about the cell phone usage of individuals, along with their location information, as they carry out their day to day activities are not. When police seek access to information that allows them to identify the locations of thousands of individuals who are not suspected of engaging in criminal activity, they are doing more than knocking on doors.
There needs to be a public conversation about how and when police get to tap into the massive volumes of data collected about the minutiae of our daily activities by private sector companies. The use of cell phone data production orders by the OPP in this case merely adds to list of subjects for that conversation. Because the use of this data by police is now to identify and contact people who are themselves not the targets of criminal investigation, these individuals effectively have no way in which to raise privacy concerns. This is a conversation that must be led by Parliament and that most likely will require new law.
Monday, 17 October 2016 07:27
The Toronto Star is reporting that Canadian architect and indigenous activist Douglas Cardinal is seeking an injunction to prevent the Cleveland Indians from wearing uniforms bearing their logo and team name, and from displaying their logo when the visit Toronto this week for the Major League Baseball playoffs. The legal basis for the injunction is an argument that the team’s name and mascot are discriminatory. Mr. Cardinal has also filed human rights complaints with the Ontario Human Rights Tribunal and the Canadian Human Rights Commission.
While Mr. Cardinal is litigating, he might also want to consider that the name and the offensive cartoonish mascot are also registered trademarks in Canada. (Search for “Cleveland Indians” in the Canadian Trademarks Database). Challenges to the registration of the Washington Redskins’ notorious trademarks are currently before the courts in the U.S. The Redskins trademarks, which most recently have been cancelled in the U.S. for being disparaging of Native Americans (with that decision under appeal), are also registered trademarks in Canada. To date, no one has challenged these or other offensive trademarks in Canadian courts.
Canada’s Trade-marks Act bars the adoption, use or registration of trademarks that are “scandalous, obscene or immoral”. I have written before about circumstances in which this provision has been invoked – or not – to disallow the registration of trademarks. Any challenge to the validity of the marks could be based on the argument that the marks should never have been registered, as they were racist and discriminatory at the time of registration (which, in the case of the Cleveland logo was in 1988). While an applicant to have the trademark expunged might have to address issues of delay in bringing the application, it should be noted that s. 11 of the Trade-marks Act also prohibits the use of a trademark that was adopted contrary to the provisions of the Act. In principle then, the continued use of a trademark that was “scandalous, obscene or immoral” when it was adopted is not permitted under the legislation. Of course, this use restriction raises interesting freedom of expression issues. In the United States, marks that are denied registration for being “disparaging” can still be used, thus arguably shielding the trademarks legislation from First Amendment (free speech) challenges. There is a great deal of unexplored territory around the adoption, use and registration of offensive trademarks in Canada.
Former Justice Murray Sinclair of the Truth and Reconciliation Commission (now Senator Sinclair) called for action to address the use of offensive and racist sports mascots and team names. Douglas Cardinal has clearly responded to that call; there is still more that can be done.
Note: At the hearing on the injunction on October 17, 2016, the Court declined to grant the injunction, with reasons to follow. Toronto Star coverage is here.
Tuesday, 27 September 2016 06:32
Note: I was invited by Canada’s Information Commissioner and the Schools of Journalism and Communication, and Public Policy and Administration at Carleton University to participate in a workshop to launch Right to Know Week 2016. This was a full afternoon workshop featuring many interesting speakers and discussions. This blog post is based on my remarks at this event.
For the last 5 years or so, governments at all levels across Canada have been embracing the open government agenda. In doing so, they have expressed, in various ways, new commitments to open data, to the proactive disclosure of government information, and to new forms of citizen engagement. Given that the core goals of the open government movement are to increase government transparency and accountability in the broader public interest, these developments are positive ones.
There is a risk, however, that public commitments to open government have become a bit of a ‘feel good’ thing for governments. After all, what government doesn’t want to publicly commit to being open, transparent and accountable? As a result, it is important to look behind the rhetoric and to examine the nature of the commitments made to open government in Canada and to question how meaningful and enduring they really are.
For the most part, commitments to open government in Canada have been manifested in declarations, policy documents, and directives. These documents express government policy and provide direction to government actors and institutions. Yet they are “soft law” at best. They are not enacted through a process of legislative debate, they are not expressed in laws that would have to be formally repealed or amended in order to be altered, there are no enforcement or compliance mechanisms, and they remain subject to change at the whim of the government in power. Directives and policies, of course, can provide rapid and responsive mechanisms for operationalizing changes in government direction, and so I am not criticizing decisions to set open government in motion through these various means. But I am suggesting that a longer term commitment to open government might require some of these measures to be expressed in and supported by legislation in order to become properly entrenched.
For example, much effort has been invested by the federal government in creating an open licence to facilitate reuse of government data and information. After a slow and sometimes painful process, we now have a pretty good open government licence. It is based on the UK OGL and is very user friendly compared to earlier iterations. It is bilingual and it can be customized to be used by governments at all levels in Canada (for example, a version of this licence was just adopted by city of Ottawa). This reduces the burden on provincial and municipal governments contemplating open government and it creates the potential for greater legal interoperability (when users combine data or information from a number of different governments in Canada).
But let us not forget why we need an open government licence in Canada. An open licence permits the public to make use of works that are protected by copyright without the need to ask permission or pay royalties, and with the fewest restrictions on re-use as possible. Government works in Canada – and this includes court decisions, statutes, Hansard, government reports, studies, to name just a few – are protected by copyright under section 12 of the Copyright Act. One might well ask why, instead of toiling for years to come up with the current open licence, the government has not shown its commitment to openness by abolishing Crown copyright. It’s not as radical as it might sound. In the U.S., s. 105 of the Copyright Act expressly denies protection to works of the U.S. government without any obvious negative consequences. In the U.S., these works are automatically in the public domain. This legislated, hard law solution makes the commitment real and relatively permanent. Yet as things stand in Canada, government works are protected by copyright by default, and governments choose which works to make available under the open licence and which they wish to provide under more onerous licence terms. They can also decide at some point to tear up the open licence and go back to the way things used to be. Crown copyright in its current incarnation sets the default at ‘closed’.
It is true that some aspects of open government are already part of our legislative framework. We have had freedom of information/access to information laws for decades now in Canada, and these laws enshrine the principle of the public’s right to access information in the hands of government. However, the access to information laws that we have are ‘first generation’ when it comes to open government. The federal Act is currently being reviewed by Parliament, and we might see some legislative change, though how much and how significant remains to be seen. As Mary Francoli has pointed out, there wasn’t really a need for further review – the new government had plenty of material on which to take action in proposing amendments to the Act.
The many deficiencies in the Access to Information Acthave been well documented. For example, in 2015 the Information Commissioner set out 85 proposed reforms to the statute to modernize and improve it. The June 2016 Report by the Standing Committee on Access to Information, Privacy and Ethics on its Review of the Access to Information Act takes up many of these proposals in its own recommendations for extensive reforms to the Act. We are now awaiting the government’s response to this report. Rather than review the many recommendations already made, I will highlight those that relate to my broader point about enshrining open government principles in legislation
The Access to Information Act as it currently stands is premised on a model of individuals asking for information from government, waiting patiently while government puts together the requested information, and then complaining to the Commissioner when too much information is redacted or withheld. Open government promises both information and data proactively, in reusable formats, and without significant restrictions on reuse. While proactive disclosure of information and open data cannot replace the access to information model (which is, itself, capable of considerable improvement), they will provide quicker, cheaper and more effective access in many areas. Yet the Access to Information Act does not currently contain any statement about proactive disclosure. Proactive disclosure – also referred to as “open by default” is not really “open by default” unless the law says it is. Until then, it is just an aspirational statement and not a legal requirement. We see a proliferation of policies and directives at all levels of government that talk about proactive disclosure, but there are not firm legal commitments to this practice, or to open data. And, although I have been focussing predominantly on the federal regime, these issues are relevant across all levels of government in Canada.
A core principle of open data is that the data sets provided by governments should be made available in open, accessible and reusable formats. Proactive disclosure of information should also be in reusable formats. Access under the conventional regime is also enhanced when the information disclosed is in formats that facilitate analysis and reuse. Yet even under the existing access model, there is no default requirement to provide requested information in open, accessible and reusable formats. It is important to remember that it is not enough just to provide ‘access’ – the nature and quality of the access provided is relevant. The format in which information is provided in a digital age can create a barrier to the processing or analysis of information once accessed.
I would like, also, to venture onto territory that is not addressed in the calls for reform to access to information laws. Another challenge that I see for open data (and open information) in Canada relates to the sources of government data. I am concerned about the lack of controls over the use of taxpayer dollars to create closed data. As we move into the big data era, governments will be increasingly tempted to source their data for decision-making from private sector suppliers rather than to generate it in-house. We are seeing this already; an example is found in recent decisions of some municipal governments to source data about urban cycling patterns from cycling app companies. There will also be instances where governments contract with the private sector to install sensors to collect data, or to process it, and then pay licence fees for access to the resulting proprietary data in the hands of the private sector companies. In these cases, the terms of the license agreements may limit public access to the data or may place significant restrictions on its reuse. This is a big issue. All the talk about open government data will not do much good if the data on which the government relies is not characterized as “government data”. It is important that governments develop transparent policies around contracts for the collection, supply or processing of data that ensure that our rights as members of the public to access and reuse this data – paid for with our tax dollars – are preserved. Even better, it might be worth seeing some principle to this effect enshrined in the law.
Published in Geospatial Data/Digital Cartography
Tuesday, 20 September 2016 14:25
The Ontario Supreme Court of Justice has just approved the settlement of a class action law suit against Home Depot over a data privacy breach that took place in 2014. Both the settlement agreement and the decision by Justice Perell offer some interesting insights into privacy class actions in Canada.
Between April 11, 2014 and September 13, 2014 Home Depot’s payment system was hacked by criminals who used malware to skim data from credit card purchases at self-serve stations. When Home Depot discovered the breach it notified potentially affected customers through the French and English press in Canada. It also sent out over half a million emails to potentially affected customers in Canada. The emails apologized for the breach, and confirmed that the malware had been eradicated. Customers were assured that they would not be held responsible for fraudulent charges to their credit card accounts and they were offered free credit monitoring and identity theft insurance.
Although the breach led to complaints against Home Depot being filed with the privacy commissioners of Alberta, Quebec, B.C. and Canada, the commissioners all concluded that Home Depot had not breached their respective private sector data protection statutes. The fact that Home Depot had acted quickly and decisively to notify customers and to offer them protection also clearly influenced Justice Perell in his decision on the settlement agreement. He noted that Home Depot “apparently did nothing wrong”, and that it “responded in a responsible, prompt, generous and exemplary fashion to the criminal acts perpetrated on it by the computer hackers.” (at para 74.)
After the breach, which affected customers in the U.S. and Canada, a number of class action lawsuits were filed in both countries. The U.S.-based suits were consolidated into a single action which led to a settlement. The U.S. agreement was used as a template for the Canadian settlement. Under the terms of the settlement agreement put before Justice Perell, Home Depot admitted no wrongdoing. In exchange for releasing their claims against Home Depot, class members would be entitled to access a settlement fund of $250,000 available to compensate them for any actual expenses incurred as a result of the data breach up to a maximum of $5000 per claimant. The agreement also provides for class members to access free credit monitoring to a cap of $250,000. Justice Perell noted that given the cost of bulk purchases of credit card monitoring, this amount would allow for between 2,500 and 5,000 of the class members to access credit monitoring. In order to be entitled to any funds or credit monitoring, class members would have to file a claim form by October 29, 2016. Under the terms of the agreement, Home Depot would assume the costs of notifying class members and of administering the funds. Any money not distributed from the funds at the end of the claims period could be used to offset these costs. Justice Perell approved these terms of the settlement agreement.
The agreement also provided for a sum of $360,000 plus HST to be paid to the class action lawyers for legal fees, costs and disbursements. Small sums were also provided for in the agreement as honoraria for the representative plaintiffs in the class, although Justice Perell declined to approve these amounts, noting that honoraria were not appropriate in this case. He noted that “Compensation for a representative plaintiff may only be awarded if he or she has made an exceptional contribution that has resulted in success for the class.” (at para 80)
In assessing the settlement agreement, Justice Perell made it clear that the value of the settlement for class members was at most $400,000. He noted that in terms of compensation very little might actually be paid out. No class members would have had to cover the cost of fraudulent credit card charges and, in the time since the breach, there were no documented cases of identity theft related to this breach. He noted that the only information obtained through the hack was credit card information; other identity details used in identity theft such as driver’s licence data or social insurance numbers, were never stolen. He thus found it “highly unlikely” that the $250,000 fund would be used for damage awards. He also expressed doubt whether, given the short deadline in the agreement, the $250,000 fund for identity theft insurance would be used up.
Given the modest value of the settlement agreement, Justice Perell would not approve the $360,000 bill for legal fees and disbursements. Instead, he set the amount at $120,000. He noted that to do otherwise would pay class counsel more than would be received by the class members. He noted as well that in his view the case against Home Depot was very weak: the data breach was the result of a criminal hack; the privacy commissioners had found no wrongdoing on the part of Home Depot; and Home Depot had not attempted to cover it up and instead had acted promptly to notify customers and to help them mitigate any possible harm. Further, he noted that “by the time the actions against Home Depot came to be settled, there were no demonstrated or demonstrable losses by the Class Members” (at para 101). Justice Perell observed that while class counsel may have incurred higher fees than what were being awarded, there is a degree of risk with any class proceeding. He noted that “class counsel should not anticipate that every reasonably commenced class action will be remunerative and a profitable endeavor.” (at para 103)
The result is interesting on a number of fronts. Clearly Home Depot found it less costly to settle than to proceed with the litigation even though Justice Perell seems to be of the view that they would have won their case. The case illustrates just how costly data breaches can be, even for companies that have done nothing wrong and are themselves victims of criminal activities. In terms of the class action law suit, as with many data breaches, proof of actual harm to the class members was difficult to come by, making losses quite speculative. Further, as litigation of this kind tends to proceed slowly, the lack of harm to class members becomes increasingly apparent in cases where there is no evidence that the illegal obtained data has been used by the malefactors. The result in this case suggests that in class action law suits related to privacy breaches, class members who do not suffer actual pecuniary loss should not expect significant payouts; and companies who are not at fault in the breach and who act promptly to assist affected customers may substantially reduce (or eliminate) their liability. These factors may affect decisions by class counsel to launch class action lawsuits where the link between the breach and actual harm is weak, or where defendants are not obviously at fault.
Monday, 12 September 2016 07:01
The U.S. Court of Appeals for the Ninth Circuit has applied U.S. trademark law (the Lanham Act) to the activities of a Canadian citizen operating a business in Vancouver. The court acknowledged that it was applying the Lanham Act extraterritorially, but ruled that it was justified in doing so on the facts of the case.
The extraterritorial application of trademark law is unusual. Registered trademarks are valid only in the country of registration. A Canadian who uses trademarks in Canada could normally only infringe another party's trademark rights if those rights have been acquired through registration or use in Canada. Countries normally get to decide which marks receive protection within their own borders, and a judgment from a foreign court would not be enforceable in Canada without a Canadian court’s approval. The decision in Trader Joe’s Company v. Hallatt, which applies U.S. law to U.S. registered trademarks used in Canada, is therefore quite unusual. However, the facts of the case are also unique.
Many Canadians will recognize the name Trader Joe’s. This grocery store chain, which operates exclusively in the U.S., has carved out a niche for itself as a purveyor of high quality fresh foods. A majority of the products sold in Trader Joe’s stores are branded with Trader Joe’s’ U.S.-registered trademarks. The company has no stores in Canada. It may have contemplated a possible expansion north of the border; in 2010 it took steps to register two of its trademarks in Canada. However, these registrations have not been perfected – quite probably because the company has not started to use the marks in Canada.
The defendant Hallatt is a Canadian citizen living in British Columbia who also has permanent resident status in the United States. In 2011 employees of a Trader Joe’s store in Washington State noticed that Hallatt was making several large purchases per week. It transpired that he was driving the purchased goods across the Canada/U.S. border in order to sell them in Canada. He later opened a store in Vancouver for this purpose. Originally called Transilvania Trading, he changed its name to Pirate Joe’s. He sold Trader Joe’s labelled merchandise at this store at prices considerably higher than in the U.S. After Trader Joe’s took steps to limit Hallatt’s access to their stores, he began to wear disguises to make his purchases. There was also some evidence that he hired people to purchase goods from Trader Joe’s that he could then bring into Canada. The court also found that he used a store sign that resembled Trader Joe’s’, and that the trade dress of his store also resembled that of the plaintiff company.
Trader Joe’s objected to this use of their trademarks and trade dress in Canada. They alleged that it could cause confusion among Canadian consumers who were familiar with the U.S. brand, and that the defendant’s activities might harm their trademarks because they had lost the ability to maintain their strict controls over product quality and freshness. They alleged that they had already received one complaint from a customer who had been made ill after eating Trader Joe’s food from Pirate Joe’s in Canada. They were also concerned about harm to their reputation because the food sold at Pirate Joe’s was overpriced and because the customer service did not meet their standards. Since Canadians would also cross the border and shop at Trader Joe’s stores in the U.S., harm to the store’s reputation from Pirate Joe’s activities in Canada could have an effect on the U.S.-based business.
The complex set of cross-border factors in this case motivated the Court to find that Hallatt had violated the Lanham Act. In the first place, they found that the “use in commerce” requirement of the Lanham Act had been met. Normally, where there is extraterritorial application of the Lanham Act, the plaintiff has to show that goods sold outside of the U.S. have made their way back into U.S. markets in order to show use in commerce. This was not the case here. However, the court was prepared to find that there was nevertheless an impact on U.S. commerce from the sale of the goods in Canada. This flowed from the potential reputational harm from the sale of products of compromised quality and from selling the goods at inflated prices. The court noted that Canadians were regular customers at the Trader Joe’s stores in northern Washington State (40% of credit card transactions at the Bellingham store were by non-residents of the U.S.). These customers might be confused by the sale of Trader Joe’s products in Canada, and might form a negative opinion of the company if the goods sold in Canada were overpriced or of inferior quality. The Court also found other links to the United States that could be used to ground a decision to apply the Lanham Act extraterritorially. The defendant travelled to the U.S. to purchase the goods and/or hired people based in the U.S. to purchase them for him. It also found that his activities might have been assisted to some extent by his landed immigrant status in the U.S.
International comity is a relevant consideration in deciding on extraterritorial application of a country’s laws. The idea is to interfere as little as possible with the sovereignty of another state. In this case, the court noted that there was no ongoing litigation in Canada over trademark issues on the same facts. It also noted that both parties in this case had ties to the United States; the defendant through his landed immigrant status. The Court also found that “an essential part” of Hallatt’s commercial venture took place in the U.S. Perhaps most importantly, the Court found that it was in a position to order the remedies sought by Trader Joe’s. The defendant had assets in the United States so that an award of damages could be enforced in the U.S. against those assets. A court in the U.S. could also order an injunction to stop Hallatt’s activities in purchasing the goods in the U.S. for export to Canada.
The particular facts of this case were clearly a central factor in the court’s decision to apply the Lanham Act extraterritorially. In this sense, then, the case does not signal a shift that would see U.S. courts hearing a flood of trademark infringement suits relating to U.S.-registered trademarks that happen to be used in Canada. Without the substantial links to the U.S. – and the deliberate attempt to trade on the goodwill of the U.S.-based company, the court would likely not have extended U.S. law in this case. Nevertheless, it is a warning to Canadian entrepreneurs that the exploitation of well-known U.S. trademarks, even if not registered in Canada, could, in the right circumstances, expose them to liability on either side of the border.
Wednesday, 07 September 2016 08:45
A new report from uOttawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC) prepared in collaboration with Carleton’s Geomatics and Cartographic Research Centre (GCRC) proposes a strategy for protecting traditional knowledge that is shared in the digital and online context. The report proposes the use of template licences that will allow Indigenous communities to set the parameters for information sharing consistent with cultural norms..
Traditional knowledge – defined by the World Intellectual Property Organization as “the intellectual and intangible cultural heritage, practices and knowledge systems of traditional communities, including indigenous and local communities” – is poorly protected by contemporary intellectual property (IP) regimes. At the root of the failed protection is the reality that Western IP systems were designed according to a particular vision of creativity and innovation rooted in the rise of the industrial revolution. It is a product of a particular social, economic and ideological environment and does not necessarily transplant well to other contexts.
The challenge of protecting indigenous cultural objects, practices and traditional knowledge has received considerable attention – at least on the international stage – as it is a problem that has been exacerbated by globalization. There are countless instances where multinational corporations have used traditional knowledge or cultural heritage to their profit – and without obvious benefit to the source communities. Internationally, the Nagoya Protocol on Access and Benefit Sharing seeks to provide a framework for the appropriate sharing of traditional knowledge regarding plant and genetic resources. Innovative projects such as Mukurtu provide a licensing framework for Indigenous digital cultural heritage. What CIPPIC’s report tackles is a related but distinct issue: how can Indigenous communities share traditional knowledge about themselves or their communities while still maintaining a measure of control that is consistent with their cultural norms regarding that information?
For years now, the GCRC has worked with Indigenous communities in Canada to provide digital infrastructure for cybercartographic atlases that tell stories about those communities and their land. These multimedia atlases offer rich, interactive experiences. For example, the Inuit Siku (Sea Ice) Atlas documents Inuit knowledge of sea ice. The Lake Huron Treaty Atlas is a complex multimedia web of knowledge that is still evolving. These atlases are built upon an open platform developed by the GCRC and that can be adapted by interested communities.
The GCRC sought out the assistance of CIPPIC to explore the possibility of creating a licensing framework that could assist Indigenous communities in setting parameters for the sharing and reuse of their traditional knowledge in these contexts. The idea was to reduce the burden of information management for those sharing information and for those seeking to use it through a series of template licences that can be adapted by communities to suit particular categories of knowledge and contexts of sharing. This is a complex task, and there remains much work to be done, but what CIPPIC proposes offers a glimpse into what might be possible.
Published in Geospatial Data/Digital Cartography
Monday, 29 August 2016 09:43
A pair of interesting copyright lawsuits are making their way through the federal court and are worth watching for the novel issues they raise and the potential they have for shaping copyright law in Canada.
One of these is actually a series of lawsuits brought by the news service Blacklock’s Reporter against a total of 7 federal government departments and agencies and 3 Crown corporations and agencies. Blacklock’s provides articles on a subscription basis only; it accuses the various defendants of having accessed copies of its articles without having subscribed to the service and in breach of their copyrights. The defendants argue that Blacklock’s “employs a pattern of writing misleading or inaccurate articles about an organization with the expectation that these articles would be accessed and shared internally.” They then allege that Blacklock’s files access to information requests to uncover details of such access and distribution in order to issue claims for damages for copyright infringement. Essentially, they contend that Blacklock’s is engaged in copyright trolling. (Note that I wrote about an earlier law suit brought in Ontario small claims court by Blacklock’s against the Canadian Vintner’s Association here.)
The Federal Court has just upheld a prothonotary’s decision to streamline this litigation by issuing a stay of proceedings in 9 of the 10 lawsuits until certain legal issues have been aired and decided in the 10th. The decision is based on the view that since each of the cases raises similar issues, it would be more just and a more efficient use of resources to proceed in this way.
The defendants do not appear to deny having accessed the articles in question. Instead, they argue that the uses made of the articles in question were fair dealing (based on use of the material for “internal government reporting purposes”). They also raise the defense of copyright misuse. Copyright misuse relies on an argument that the copyright owner, through its conduct, is attempting to secure for themselves a broader right than it is entitled to by law. The defence now has a considerable track record in the United States, but remains novel in Canada. Clearly this litigation raises interesting arguments that make it worth following. The five-day trial for the case that is to go forward has been scheduled for September 2016.
A second case involves what is called a “reverse class action law suit” brought by Voltage Pictures against an as-yet unidentified group of defendants for copyright violation related to the downloading of films in which Voltage holds copyright. Typically a class action law suit is brought by a large group of plaintiffs who have all been harmed by the same wrong allegedly committed by a single defendant. The class action law suit allows plaintiffs to pool their efforts and it makes for a more efficient use of judicial resources. Class action law suits can also be used to hold defendants to account in cases where large numbers of people are negatively affected, but no single individual has suffered enough economic harm to make it worthwhile taking their case to court. In these ways, class action law suits improve access to justice. The reverse class-action law suit is quite another animal. In a reverse class-action law suit, there is a single plaintiff who essentially is arguing that it has been harmed by the actions of multiple defendants. Rather than sue each defendant individually, they proceed against a single defendant who is considered representative of the much larger class.
Voltage has recently succeeded in having a court compel Rogers Communications Inc. to reveal the name and address of a subscriber whose account has been linked by Voltage to allegedly illegal downloading activity. This will be the representative defendant in a law suit that may put the activities of thousands of other as yet unnamed ISP subscribers at issue. Of course, a court has yet to certify the reverse class action law suit.
Voltage’s strategy comes as both the courts and Parliament have put limits on the extent to which ordinary consumers can be targeted in copyright infringement lawsuits for non-commercial uses of works. By significantly limiting the damages available in such instances, Parliament made it deliberately difficult for copyright holders to launch law suits seeking massive amounts of damages against ordinary individuals – a practice that has become notorious in the United States. The “notice and notice” provisions of the Copyright Act also protect against sweeping accusations of copyright infringement that might otherwise limit freedom of expression by compelling the take down of content that might fall within the fair dealing exceptions to copyright infringement. Canadian courts have also been quite protective of individual privacy, requiring that a plaintiff establish a bona fide claim of copyright infringement before a court will issue an order compelling a service provider to produce customer name and address information that is linked to the allegedly infringing activity. The reverse class action lawsuit offers plaintiffs a work-around to some of these protective measures and could open the door to the large-scale pursuit of those who download unauthorized content over the internet. Both copyright owners and users’ rights advocates will be watching this case with interest.
Canadian Trademark Law
Published in 2015 by Lexis Nexis
Electronic Commerce and Internet Law in Canada, 2nd Edition
Published in 2012 by CCH Canadian Ltd.
Intellectual Property for the 21st Century
Intellectual Property Law for the 21st Century: