Teresa Scassa - Blog


The rise of big data analytics, combined with a movement at all levels of government in Canada towards open data and the proactive disclosure of government information, has created a context in which privacy interests are increasingly likely to conflict with the goals of transparency and accountability. In some cases these conflicts may be small and easily reconciled, but in other cases they may be more substantial. In addition, some means of reconciling the conflict must be found; where privacy and transparency conflict, for example, which value should prevail and under what conditions?

Conflicts between transparency and privacy have been seen recently in, for example, concerns expressed over the amount of personal information that might be found in court and tribunal decisions that are published online. Sunshine lists – lists of salaries of public employees that are over a certain amount – also raise issues. Provinces that publish such lists have tended to do so using file formats that do not lend themselves to easy digital manipulation. But of course these modest technological barriers are routinely overcome, and individual name and salary information is absorbed into the big data universe for purposes quite distinct from meeting a government’s transparency objectives. Open municipal data files may include information about specific individuals: for example, a database of all home renovation permit applications would have privacy implications for those individuals who applied for such permits. Even if names were redacted, it is easy enough to identify the owners of any homes for which renovation permits were obtained. In some cases, the level of connection may be less direct. For example, a public restaurant inspection record that cited kitchen staff at a small local restaurant for failure to wash their hands on a specific inspection date might indirectly reveal the identity of the persons who did not wash their hands, particularly if the staff of the restaurant is quite small. And, of course, in the big data context, even anonymized data, or data that is not personal information on its face, can be matched with other available data to identify specific individuals.

The point is not that the disclosure of such information must be avoided at all costs – rather, the issue is how to determine where to draw the line between privacy and transparency, and what steps might be taken to protect privacy while still ensuring transparency. No new legislative framework has been created to specifically guide the move towards open government in Canada, notwithstanding the fact that government data is fuel for the engines of big data.

In a paper that has just been published by the Alberta Law Review, my co-author Amy Conroy and I explore these issues, using a recent Supreme Court of Canada decision as a departure point for our analysis. Although the Court’s decision in Ministry of Community Safety and Correctional Services v Information and Privacy Commissioner (Ontario) (Ministry of Community Safety) does not specifically address either open data or proactive disclosure, the case nevertheless offers important insights into the gaps in both legislation and case law in this area.

In our paper we consider the challenges inherent in the release of government data and information either through pro-active disclosure or as open data. A key factor in striking the balance between transparency and privacy is the definition of personal information – information that is not personal information has no privacy implications. Another factor is, of course, the meaning given to the concept of transparency. Our paper considers how courts and adjudicators understand transparency in the face of competing claims to privacy. We challenge the simple equation of the release of information with transparency and argue that the coincidence of open government with big data requires new approaches that are informed by the developing relationship between privacy and transparency.

“Promoting Transparency While Protecting Privacy in Open Government in Canada” by Amy Conroy and Teresa Scassa is published in (2015) 53:1 Alberta Law Review 175-206. A pre-print version is available here.

The Ontario Small Claims Court has issued a decision in a copyright dispute that is extremely unfriendly to users’ rights or the right to read in Canada. The case involves the increasingly common practice of placing digital content behind a paywall.

In this case, the defendant is the Canadian Vintners Association (CVA). It represents the interests of wine producers in Canada. The plaintiff is the company which produces Blacklock’s Reporter, a news service that provides original digital content to subscribers. The CVA was aware of Blacklock’s Reporter, but had decided that it was not interested in subscribing (at a corporate rate of $11,470 per year).

On December 13, 2013 Blacklock’s published a story that discussed the testimony of the defendant’s president and CEO, Dan Pazsowski, before a Commons Committee. Pazsowski was sent an electronic bulletin notifying him that he had been quoted in the story. Since his company did not have a subscription to the service, he contacted a colleague at another company that did have a subscription and asked if they could forward a copy to him. They did so. He then contacted Blacklock’s to discuss the content of the story, about which he had some concerns. He was asked how he had obtained access to the story, and was later sent an invoice for the cost of two personal subscriptions (because he had shared the story with another employee of his organization). The cost of two subscriptions was $314 plus HST. The defendant’s refusal to pay the invoice ultimately led to the lawsuit for breach of copyright.

In reaching his decision in this case, Deputy Judge Gilbert was particularly concerned with the fact that the defendant had not complied with the terms and conditions of the plaintiff’s website. However, the website was not the source of the material that was allegedly improperly accessed by Pazsowski in this case. The article was shared with Pazsowski by a colleague who had a subscription. If the terms of use of that person’s contract with Blacklock’s prohibited her from sharing any content, then she may have been in breach of her contract. This, however, does not mean that Pazsowski infringed copyright. Receiving and reading a copy of an article sent by another person is not per se copyright infringement.

Judge Gilbert also found that the defendant had unlawfully circumvented technical protection measures in order to access the material in question, in contravention of controversial new provisions of the Copyright Act. It would seem that, in the eyes of the court, to ask someone for a copy of an article legally obtained by that person could amount to a circumvention of technical protection measures. If such an approach were accepted, the scope of the anti-circumvention provision would be disturbingly broad. In fact, in this case, nothing was done to circumvent any technological protection measures. The article was legally accessed by a subscriber. The issue is with the sharing of the content by the subscriber with another, in contravention of the terms of use agreed to by the subscriber.

The defendant had asserted a fair dealing defence, arguing that he had sought access to the article out of concern that it contained inaccuracies that he wanted to take steps to correct. This was argued to be fair dealing for the purpose of research or private study, which is permitted under the Copyright Act. Notwithstanding the very broad scope given to the fair dealing exception by the Supreme Court of Canada, Judge Gilbert ruled that there was no fair dealing. He wrote: “it cannot be said that the purpose here was genuine given the fact that nothing came of the research (obtaining the full article) once obtained. Giving the Defendants the benefit of the doubt here that the intention was genuine, the follow through was not.” (at para 57). This novel proposition suggests that research must result in some concrete or tangible outcome to amount to fair dealing. As any researcher knows, there may be many false starts or cold trails. In any event, the court seems to overlook the fact that Pazsowski actually contacted Blacklock’s to discuss their article with them. It was this contact that led to the lawsuit. Justice Gilbert also rejected the fair dealing claim on the basis that the article had not been legally obtained. This, of course, is a significant fair dealing issue in the context of paywalls and other barriers to access to works. Given, however, that Pazsowski obtained the article from someone with legal access to the database, there was room here for a more nuanced assessment.

If the decision itself is not enough to raise your eyebrows, then the damage award surely will. Keep in mind that the plaintiffs originally sought the price of two personal annual subscriptions as compensation for the access to the article by the defendant ($314 plus HST). The court ordered damages in the amount of $11,470 plus HST – the cost of a corporate annual subscription. Judge Gilbert cited as justification for this amount the fact that the defendants “continued to stand steadfast to the notion that they had done nothing wrong while knowing that they had taken steps to bypass the paywall.” (at para 64). In addition, he awarded $2000 in punitive damages.

A business that is entirely reliant on providing content behind a paywall clearly has an interest in ensuring that access to that content is limited to subscribers to the extent possible. But does this mean that no other access to the content can be tolerated? A person who has legally purchased a book may lend it to another to read. Is there room for the law to adopt an equivalent approach for content behind paywalls? It certainly does not seem appropriate that a news service can publish articles about individuals and then have the courts support them in their attempts to so securely lock down that content that the individual cannot even see what was written about them without having to pay for an annual subscription. This decision is so entirely lacking in the balance mandated by the Supreme Court of Canada that one can only hope it is nothing more than a strange outlier.

It is not every day that courts are asked to interpret Creative Commons licenses, which is what makes the recent U.S. decision in Drauglis v. Kappa Map Group, LLC of particular interest.

Creative Commons offers a suite of licenses that can be used by those seeking to license their copyright-protected works under terms that facilitate different levels of sharing and use. Some licenses are virtually without restriction; others restrict uses of the work to non-commercial uses, contain requirements to give attribution to the author of the work, or require that any derivative works made using the licensed work be made available under similar license terms (Share-Alike). The licenses are available in multiple languages and have been adapted to the laws of a variety of different countries. They are even used for open government licensing of works in countries like Australia and New Zealand.

In this case, the plaintiff Art Drauglis was a photographer who had posted a photograph on Flickr under a Creative Commons Attribution-ShareAlike 2.0 license (CC BY-SA 2.0). The defendant was a company that published maps and map-related products. It downloaded a copy of the plaintiff’s photograph from Flickr, and used it on the cover of an atlas it published titled “Montgomery co., Maryland Street Atlas”. The atlas was sold commercially, and the defendant claimed copyright in it. The copyright notice for the atlas appeared on its first page, along with its table of contents. On the rear cover of the atlas, the title of the plaintiff’s photograph was provided as well as the information about the name of the photographer and the fact that it was used under a CC-BY-SA-2.0 license.

The plaintiff’s first claim – that the defendant had breached his copyright in the photograph – was quickly rejected by the Court. The District Court (District of Columbia) found that the defendant had used the image under license. Further, the license specifically permitted commercial uses of the image. Thus the plaintiff was limited to arguing that the defendant’s use of the photograph was not in compliance with the terms of the license. There were 3 main arguments regarding non-compliance. These were that: 1) the Share-Alike condition of the license was breached by the defendant’s commercial sale of the atlas; 2) the defendant did not include a proper Uniform Resource Identifier for the CC license as required by the license terms; and 3) the defendant did not provide the proper attribution for the photograph as required by the license.

The CC BY-SA 2.0 license requires that derivative works made using the licensed works also be made available under the same or comparable license terms. The plaintiff therefore argued that the defendant breached this term by publishing the atlas commercially and not under an equivalent license. The court disagreed. It found that the CC license contemplated two categories of re-use of the licensed work – in a “collective work” (defined in the license as a “periodical issue, anthology or encyclopedia, in which the Work in its entirety in unmodified form” is included with other contributions into a collective whole), or as a “derivative work” (defined in the license as a “work based upon the Work. . . in which the Work may be recast, transformed, or adapted”). It is only derivative works that must be licensed under comparable license terms. The court found that the use of the photograph in this case was as part of a collective work. That collective work was the atlas, consisting of a series of separate works (maps) compiled together with other elements, including the plaintiff’s photograph, in a book. The court rejected arguments that the photograph had been cropped, and was thus “recast, transformed or adapted” rather than incorporated “in its entirety in unmodified form”. It was not persuaded that any cropping had taken place; if it had, it was so minor in nature that it was inconsequential.

The CC BY-SA 2.0 license also requires that the licensee “must include a copy of, or the Uniform Resource Identifier for, this License with every copy . . . of the Work”. The plaintiff argued that this clause had been violated by the defendant because it only referred to the license as a CC-BY-SA 2.0 license and did not provide a URL for the license. The court distinguished between a Uniform Resource Identifier (URI) and a URL, noting that ‘URI’ is a term with a broader meaning than URL. While providing a URL might meet this requirement, providing the abbreviated name and version of the license met the requirement for a URI. The court noted that anyone searching the internet for “CC BY-SA 2.0” would easily arrive at the proper license.

The plaintiff also argued that the defendant did not properly attribute authorship of the photograph to the plaintiff in accordance with the terms of the license. The license required that any credit given to the author of a work in a derivative or collective work must, at a minimum, “appear where any other comparable authorship credit appears and in a manner at least as prominent as such other comparable authorship credit.” (Section 4(c)). Because the copyright information for the atlas as a whole appeared on the inside front page and the credit for the cover photo appeared on the back of the atlas, the plaintiff argued that this condition was not met. However, the court found that copyright information was provided for each map on each page of the atlas, and that this type of credit was comparable to that provided for the cover photograph. The court found that “the Photograph is more akin to each of the individual maps contained with the Atlas than to the Atlas itself; the maps are discrete, stand-alone pictorial or graphic works, whereas the Atlas is a compilation of many elements, arranged in a specific and proprietary fashion, and constituting a separate and original work.” (at p. 18) As a result, the attribution provided for the cover photo was comparable to that provided for other works in the collective work.

This would appear to be a case where the plaintiff’s expectations as to what the CC license he used for his work would achieve for him were not met. It is perhaps a cautionary tale for those who use template licenses – the simplicity and user-friendliness of the human readable version of the license does not mean that the detail in the legal code should be ignored – particularly where the licensor seeks to place specific limits on how the work might be used.

A recent (though not yet in force) amendment to Canada’s Trade-marks Act will permit an unprecedented purging of trademark records in Canada. This destruction of records should be understood within the disturbing context described in a recent Maclean’s article by Anne Kingston, titled “Vanishing Canada: Why We’re All Losers in Canada’s War on Data”.

The new section 29.1 is aptly titled “Destruction of Records”. It provides that, notwithstanding the Registrar’s duty to maintain trademark data and documentation for public view, the Registrar may still destroy a broad range of documents. These can include applications for trademarks that are refused or abandoned, documents relating to trademarks that have been expunged, documents relating to any request for public notice to be given of an official mark that has been abandoned, refused or invalidated, and documents relating to objections to geographical indications that are removed from the list of geographical indications. All of these documents may be destroyed 6 years after the final action on the file.

Since 1997, the Registrar has been maintaining an electronic register of trademarks. This register is publicly accessible and searchable. However, it does not provide electronic access to the underlying documentation relating to the registrations. This information has nonetheless been available for public consultation, and is also available through access to information requests. While it is now possible to file trademark applications online, thus replacing paper with digital documents, this option has not always been available and there is still a great deal of paper floating about. All this paper obviously takes up a significant amount of space. How should the problem be addressed? One option is to begin the process of digitization; paper records can be destroyed once digital copies are made. Digital copies would also allow for a vastly improved level of access. Another option is to just chuck it all out. It is this latter option, cheap and easy, that will be implemented by the new section 29.1 of the Trade-marks Act.

Of what use are the records at issue? Trademark lawyers have argued that information about past trademark applications – including those refused by the Registrar – is often used in trademark opposition proceedings and in litigation. The International Trademark Association (INTA) opposed section 29.1 in a written submission to the Parliamentary Committee that studied the Bill that introduced this provision. INTA stated that “the downside risk of losing public access to these documents outweighs the hardships to the Canadian Intellectual Property Office associated with maintaining those records.” INTA also noted that the Canadian approach was out of line with that in the United States and in Europe. INTA argued that the destruction of paper records should only take place after electronic copies have been made. The United States, for example, has created a searchable online resource to provide access to all of its records relating to all trademark applications, registered trademarks, Madrid Protocol applications and international registrations.

In addition to the relevance of this information to trademark practitioners, the soon to be destroyed information has research value as well. Canadian trademark law is a relatively under-researched area of Canadian intellectual property law. It would be a great shame if large volumes of data disappear just as research in this area begins to mature and expand.

What might a researcher distill from these records? Here’s one example. Official marks have long been criticized for giving “public authorities” an almost unlimited power to carve out trademark space for themselves without any of the usual checks and balances put in place to manage trademark monopolies in the public interest. Many official marks for which public notice has been given by the Registrar have later been invalidated by the courts either on the basis that the “public authority” seeking public notice was not really a public authority or on the basis that they had not actually adopted or used the mark in question. Once s. 29.1 takes effect, the paper records relating to official marks that have been invalidated will disappear after 6 years. The Registrar has become more rigorous in her examination of requests for official marks (within the limits of a law totally lacking in rigour in this respect). Because there is no application process for official marks, all that appears in the register of trademarks is the actual public notice in successful cases. Records relating to failed requests for public notice will soon be subject to destruction after 6 years. This means that this information will disappear entirely and without a trace. What public authorities have sought official marks that have been refused? What was the basis for the refusal to give public notice? What entities claiming to be public authorities have attempted to get trademark protection through this avenue? What might the answers to these questions tell us about a regime that is badly in need of reform? The answers to these questions will become unknowable once s. 29.1 takes effect and the wholesale destruction of records begins.

Digitization of records is expensive, time-consuming and labour intensive. But if paper records are destroyed before digitization takes place there is simply no way to recreate the information. It is lost forever. I have given only a few examples of the potential relevance of the information that is set to be destroyed once s. 29.1 comes into force. Let’s hope it never does. The concepts of open government and open data are only meaningful if there is something left to see once the doors are opened.

It’s not easy to write about an area of law that is in a significant state of flux, but that is what I have tried to do in the second edition of my book titled Canadian Trademark Law, which has just rolled off the presses at LexisNexis Canada.

This book expands and updates the first edition, which provided a comprehensive account of trademark law in Canada. In the second edition, I take into account the recent significant changes brought about by the Combating Counterfeit Products Act and the Economic Action Plan 2014 Act, and discuss the impact yet to come as key (and in some cases controversial) provisions of these bills take effect in the not too distant future. These will include an expanded definition of what can constitute a trademark; significant changes to registration requirements; and a new, shorter term of protection. Many of the changes still to come are those necessary to implement the Singapore Treaty and the Madrid Protocol. Once the requisite regulations are in place and the new provisions take effect, Canada’s law will be substantially more harmonized with the laws of other countries, and international trademark registrations will be available to Canadian companies.

In addition to its coverage of core trademark law principles and jurisprudence, Canadian Trademark Law (2d ed.) has specific chapters dedicated to contemporary issues. These include parallel importation and counterfeiting, trademark infringement on the internet, and trademarks and freedom of expression.

In the book I have tried to navigate a turbulent period in Canadian trademark law by discussing not only the law as it stands today, but the law as it will likely be once pending amendments take effect. Each chapter ends with a series of point-form highlights of the key legislative changes that will affect the specific area of the law discussed in that chapter. The book also contains a lengthy appendix which attempts to show in tabular form what amendments are now in effect, which ones are likely eventually to take effect, and which ones will most likely be superseded by other amendments.

 

It is rare that a trademark law dispute becomes the subject matter of a documentary film – rarer still when it is a Canadian case that is the focus of attention. Yet some trademark disputes transcend the legal issues that give rise to them. This is so with the case that inspired Heidi Lasi’s recent documentary titled The Oasis Affair. This short film explores the dispute between Les Industries Lassonde, Inc. (a major Quebec company that produces, among other things, OASIS brand juices) and Olivia’s Oasis, a small Quebec business producing soaps and skin care products made with olive oil.

The conflict between the two companies arose from a trademark infringement lawsuit brought by Les Industries Lassonde against Olivia’s Oasis. Lassonde argued that the Olivia’s Oasis trademark for skin care products created consumer confusion with their well-known mark OASIS for fruit juice. Not only did the defendant rebut the trademark claims, it also argued that the lawsuit against it was abusive litigation under relatively new provisions of the Quebec Code of Civil Procedure. These “anti-SLAPP” provisions are intended to discourage parties with deep pockets from using the threat of litigation either to pressure small parties to comply with their demands or to face financial ruin through costly litigation. At trial, Justice Zerbisias of Quebec’s Superior Court found not only that there was no merit to the trademark infringement suit brought by Les Industries Lassonde, Inc., she also agreed with the defendants that the suit fell within the ambit of the anti-SLAPP provisions. She awarded Olivia’s Oasis $125,000 in extra-judicial costs and punitive damages.

While accepting the trademark law outcome, Les Industries Lassonde appealed the award of damages to the Quebec Court of Appeal. [Spoiler alert: stop reading here if you want to learn how it all ends from watching the video.] This Court found that Lassonde’s motives in commencing litigation were not improper. After all, they opined, a trademark that loses its distinctiveness can no longer function as a trademark; a trademark owner must therefore take the necessary steps to preserve the distinctive character of its marks. It nullified the award of damages to the defendant.

Not only does The Oasis Affair provide an account of the litigation, it tells the remarkable story of the social media outcry that followed the Court of Appeal’s decision. In a very short space of time, Les Industries Lassonde faced an unprecedented public backlash – one that ultimately led them to compensate Olivia’s Oasis for the legal fees that had left the small company teetering on the edge of failure.

Heidi Lasi’s documentary is a crisp, engaging account of this case and its aftermath. The film leaves the viewer with an appreciation of the power of social media to create a “court of public opinion”; and suggests that the Olivia’s Oasis affair heralds an important change in how trademark holders must approach the protection of their trademarks and brands.

 

In 2007 Stephanie Lenz filed a lawsuit against Universal Music, alleging that it had violated the Digital Millennium Copyright Act (DMCA) by sending her a takedown notice that misrepresented the extent of their rights. Lenz had made a 29-second videotape of her two small children dancing to a Prince song (Let’s Go Crazy) on the radio and had posted the video on YouTube. YouTube contacted her to indicate that it had received a takedown notice for this video. The notice alleged that it infringed upon Universal’s rights in the song. YouTube removed the video from its service. Lenz sought to have the video reinstated using the provisions of the DMCA. Notwithstanding Universal’s resistance, the video was eventually reinstated by YouTube.

Lenz’s lawsuit (which was supported by the Electronic Frontier Foundation) stalled on the issue of whether the DMCA required copyright owners to take fair use into consideration before issuing takedown notices. On Monday, September 14, the U.S. Court of Appeals for the 9th Circuit issued its decision on this issue, clearing the way for the matter to finally head to trial. The Court ruled that copyright owners do indeed have an obligation to take fair use into account. In order to issue a takedown notice, the copyright owner must include a statement, pursuant to 17 USC § 512(c)(3)(A)(v) to the effect that “We have a good faith belief that the above-described activity is not authorized by the copyright owner, its agent, or the law.” The DMCA provides, in §512(f) that a party that abuses the DMCA by, among other things, materially misrepresenting “that material or activity is infringing”, is liable for damages.

The core issue for the court to determine was what meaning to give to the statement required by the DMCA that the copyright owner has a good faith belief that the material at issue is not “authorized. . . by law.” More specifically, the issue was whether the fair use defences in the Copyright Act are merely defences, or whether they are provisions capable of “authorizing” certain uses of copyright protected materials. The Court of Appeal found that “the statute unambiguously contemplates fair use as a use authorized by law.” (at p. 11) It ruled that fair use was only characterized as a defence for procedural purposes. The provision itself declares that “the fair use of a copyright work. . . is not an infringement of copyright.” (Note that in Canada, the fair dealing provisions are framed in a similar manner: “Fair dealing . . . does not infringe copyright. . .” (see ss. 29-29.2 of the Copyright Act).) The Court of Appeals also found that even if fair use were considered an “affirmative defense”, it would still have a different character. The Court concluded that because the fair use provision of the U.S. Copyright Act “created a type of non-infringing use, fair use is ‘authorized by the law’ and a copyright holder must consider the existence of fair use before sending a takedown notification.” (at p. 15)

The Court of Appeal also turned its attention to whether Universal knowingly represented that it believed the video did not constitute a fair use of the copyright protected work. The Court was of the view that Universal had to establish a subjective (rather than an objective) good faith belief that the use in question was not authorized. The Court clarified that a copyright owner that formed a good faith belief that a use was not a fair use would not be liable under the DMCA for sending out a takedown notice. However, “if a copyright holder ignores or neglects our unequivocal holding that it must consider fair use before sending a takedown notification”, it will be liable (at p. 17). The Court also made it clear that any copyright owner who merely “pays lip service to the consideration of fair use by claiming it formed a good faith belief when there is evidence to the contrary” is still liable (at pp. 17-18). The consideration given to the fair use issue “need not be searching or intensive.” (at p. 18) The Court did not rule out the use of screening algorithms to detect potentially infringing content and even to meet the statutory requirement to consider fair use, although it did not consider the issue in detail as Universal did not claim to have used a screening algorithm in this case.

The Court also indicated that a “willful blindness” theory might be available to determine whether a copyright owner made a knowing misrepresentation of a good faith belief that the activity at issue was not fair use. However, on the facts before it, it ruled that wilful blindness was not available. To show wilful blindness, a plaintiff would have to establish both the defendant’s subjective belief that “there is a high probability that a fact exists” and that the defendant took “deliberate actions to avoid learning of that fact” (at pp. 20-21). The Court found that Lenz had not met the threshold to establish the first element of that test.

On a final point, Universal had argued that Lenz’s suit must fail because she could not show that she suffered any monetary loss as a result of their actions. The Court of Appeals ruled that a plaintiff in Lenz’s circumstances could seek the recovery of nominal damages.

The decision of the U.S. Court of Appeals is significant. It is handed down in a context in which many feel that copyright holders have been abusing the notice and takedown provisions of the DMCA, effectively using them to suppress otherwise legitimate expression. The Court of Appeal had some strong words for copyright owners, warning them that they “cannot shirk their duty to consider – in good faith and prior to sending a takedown notification – whether allegedly infringing material constitutes fair use, a use which the DMCA plainly contemplates as authorized by the law.” (at p. 25)

Thursday, 06 August 2015 09:57

Data Security and the Rogue Employee

Data security breaches are frequently in the news, contributing to a growing anxiety regarding the security of the vast stores of personal information held by so many public and private sector organizations in Canada (and abroad). The recent passage of Bill S-4 (The Digital Privacy Act) will impose a data security breach notification requirement on private sector organizations covered by Canada’s Personal Information Protection and Privacy Act. This requirement has yet to come into effect; it awaits the drafting of regulations that will set out the manner and form of breach notifications.

Data security breaches occur in many different ways. While the paradigmatic breach is the malicious intruder who hacks his or her way past corporate firewalls to steal data, this is not the only (or even the most common) form of breach. In many cases, data breaches occur when devices such as USB keys or laptops that contain (often unencrypted) personal data go missing. Whether lost or stolen, it is often impossible to tell whether the data was or will ever be accessed or used. The laptop thief, for example, may have been seeking a laptop rather than the data it contains. Carelessness may take other forms as well; repeatedly faxing sensitive customer information to the wrong fax number is just one example.

The type of breach that perhaps causes the most anxiety for organizations comes from the ‘rogue employee’. Employees of organizations often, of necessity, have a great deal of access to sensitive customer information as a normal part of their duties. Organizations put in place policies regarding access and privacy, and may have other checks and balances within the institution to guard against (or to detect) unauthorized access. Unfortunately, an increasing number of security breaches seem to arise precisely because an employee has accessed personal information in contravention of these policies. This may be done for personal reasons (complicated interpersonal relations following the breakdown of relationships, for example), for financial gain, or for reasons that are not entirely clear. The breaches may affect only one or two individuals, or may be with respect to a significant number of people. Rogue employees are a security weak spot; they already have regular access to the data – all they require is motivation, whether it be personal or financial.

In March 2015, the BC Court of Appeal handed down an interesting decision in a case (Steel v. Coast Capital Savings Credit Union) involving an employee who had wrongfully accessed the personal folder of another employee. The folder was on the company’s server. The case was not a suit for invasion of privacy; the Credit Union for which the employee had worked had fired her following the detection of the breach. The employee had sued for wrongful dismissal, arguing that the penalty of dismissal was too severe given her 21 years of faultless service to the company. The employee worked in the IT department of the Credit Union, and had a high level of access to the company’s systems. She had accessed the personal folder of a manager at the credit union in order to see where she stood on a list setting out priority entitlement to parking. The breach was detected when the manager tried unsuccessfully to access the file at the same time that the employee was looking at the list.

The judge at first instance had upheld the dismissal of the employee, and she had appealed that decision to the Court of Appeal. What the case came down to, in essence, was whether a long-time employee with an excellent record could be dismissed for a one-time accessing of a file in a personal folder of another employee to view a list regarding the assignment of parking spots. The majority of the Court of Appeal ruled that dismissal was an acceptable response. Writing for the majority, Justice Goepel observed that the Supreme Court of Canada made it clear that “dishonesty going to the core of the employment relationship carries the potential to warrant dismissal for just cause.” (McKinley v. BC Tel, at para 57). Such conduct is that which “violates an essential condition of the employment contract, breaches the faith inherent to the work relationship, or is fundamentally or directly inconsistent with the employee’s obligations to his or her employer.” (McKinley at para 48). While other factors (such as length and quality of service) may be relevant, the key issue is whether there has been a fundamental breakdown in the employment relationship. In this case, the Court of Appeal accepted the assessment of the trial judge that the clear breach of internal privacy policies by someone in the position of the appellant employee (whose level of system access created a relationship of trust) led to a “fundamental breakdown of the employment relationship” (at para 34).

The dissenting justice would have given more weight to the long service of the employee and to the non-critical nature of the information she accessed. Justice Donald also noted that the company policies did not require dismissal for breach of the policies on privacy and access. Disciplinary action could be “up to and including termination of employment”, based on a range of contextual factors which included “the type and severity of the violation, whether it causes any liability or loss to the company, and/or the presence of any repeated violation(s).” (at para 15) He would have found that termination was an excessive consequence on the facts of this case. That this approach was not accepted by the majority of the Court may be an indication that courts are beginning to recognize the broader concerns over the risks posed by “rogue employees” to both their employers (in terms of their potential liability) and to the public.

The Pan Am/Parapan Am Games are set to open in Toronto on July 10, 2015. As with any other major sporting event, these Games raise the possibility of ambush marketing – a form of marketing activity designed to take advantage of public interest in a high profile event.

Major event organizers (including the International Olympic Committee, FIFA, and others) see ambush marketing as a threat to their ability to obtain top dollar for lucrative sponsorship opportunities, and they have increasingly put pressure on host countries to enact legislation to prevent ambush marketing. This legislation has proven controversial – and for good reason.

If you are interested in ambush marketing and the Pan Am/Parapan Am Games, you can read my blog post on this issue on Osgoode’s IPilogue here.

Bill S-4, the Digital Privacy Act, has received royal assent and is now law. This bill amends Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA, Canada’s private sector data protection statute, has been badly in need of updating for some time now. Although it only came into being in 2001, the technologies impacting personal information and the growing private sector thirst for such data have changed dramatically, rapidly outstripping the effectiveness of the legislation. There have been many calls for the reform of PIPEDA (perhaps most notably from successive Privacy Commissioners). The Digital Privacy Act addresses a handful of issues – some quite important – but leaves much more to be done. In this post I consider three of the changes: new data sharing powers for private sector organizations, data breach notification requirements, and a new definition of consent.

At least one of the amendments is considered a step backwards by privacy advocates. A new s. 7(3)(d.1) allows private sector organizations to share personal information between themselves without the knowledge or consent of the individuals to whom the information pertains for the purposes of investigating breaches of “agreements” or laws. Originally seen as a measure that would make it easier for organizations such as banks to investigate complex fraud schemes that might involve a fraudster dealing with multiple organizations, the provision has become the target of significant criticism by privacy advocates because of the growing awareness of the vulnerability of individuals to snooping and information sharing of all kinds. Keep in mind that an “agreement” can be a user agreement with an ISP, the terms of use of a web site or other online service, or any other contract between an individual and an organization. The provision means that any company that suspects that one of the terms of an agreement to which it is party has been breached can ask other companies to share information – without the knowledge or consent of the individual or without a court order – in order to investigate this potential breach. There is a profound lack of transparency and accountability in the data sharing enabled by this provision. True, such sharing is not mandatory – an organization can refuse to share the information requested under this provision. This amendment places an onus on individuals to pressure organizations to give them clearer and more robust assurances regarding whether and how their personal information will be shared.

The amendments will also add data breach notification requirements to PIPEDA. This is a change long sought by privacy advocates. Essentially, the law will require an organization that has experienced a data security breach to report the breach to the Privacy Commissioner “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” (s. 10.1) Affected individuals must also be notified in the same circumstances. “Significant harm” is defined in the legislation as including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” Whether there is a “real risk” of these types of harms can be determined by considering two factors spelled out in the legislation: the sensitivity of the information at issue, and the likelihood that it is being misused or may be misused in the future. Any other “prescribed factor” must also be taken into account, leaving room to include other considerations in the regulations that will be required to implement these provisions. The real impact of these data breach notification provisions will largely turn on how “real risk” and “significant harm” are interpreted and applied. It is important to note as well that these provisions are the one part of the new law that is not yet in force. The data breach notification provisions are peppered throughout with references to “prescribed” information or requirements. This means that to come into effect, regulations are required. It is not clear what the timeline is for any such regulations. Those who have been holding their breath waiting for data breach notification requirements may just have to give in and inhale now in order to avoid asphyxiation.

One amendment that I find particularly interesting is a brand new definition of consent. PIPEDA is a consent-based data protection regime. That is, it is premised on the idea that individuals make free and informed choices about who gets to use their personal information and for what purposes. Consent is, of course, becoming somewhat of a joke. There are too many privacy policies, they are too long and too convoluted for people either to have the time to read them all or be capable of understanding them. It doesn’t help that they are often framed in very open-ended terms which do not give a clear indication of how personal information will be used by the organization seeking consent. In this context, the new definition is particularly intriguing. Section 6.1 of the statute now reads:

6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

This is a rather astonishing threshold for consent – and one that is very consumer-friendly. It requires that the individual understand “the nature, purpose and consequences” of the use of their personal information to which they consent. In our networked, conglomerated and big-data dominated economy, I am not sure how anyone can fully understand the consequences of the collection, use or disclosure of much of their personal information. Given a fulsome interpretation this provision could prove a powerful tool for protecting consumer privacy. Organizations should take note. At the very least it places a much greater onus on them to formulate clear, accessible and precise privacy policies.
