access to information Ambush Marketing big data citizen science confidential information copyright data protection digital cartography ecommerce and internet law Electronic Commerce Extraterritoriality fair dealing freedom of expression Geospatial geospatial data intellectual property Internet internet law IP open courts open data open government personal information pipeda Privacy takings trademark law trademarks traditional knowledge transparency
Thursday, 26 January 2017 11:45
How does one balance transparency with civil liberties in the context of election campaigns? This issue is at the core of a decision just handed down by the Supreme Court of Canada.
B.C. Freedom of Information and Privacy Association v. Attorney-General (B.C.) began as a challenge by the appellant organization to provisions of B.C.’s Election Act that required individuals or organizations who “sponsor election advertising” to register with the Chief Electoral Officer. Information on the register is publicly available. The underlying public policy goals to allow the public to see who is sponsoring advertising campaigns during the course of elections. The Supreme Court of Canada easily found this objective to be “pressing and substantial”.
The challenge brought by the B.C. Freedom of Information and Privacy Association (BCFIPA) was based on the way in which the registration requirement was framed in the Act. The Canada Elections Act also contains a registration requirement, but the requirement is linked to a spending threshold. In other words, under the federal statute, those who spend more than $500 on election advertising are required to register; others are not. The B.C. legislation is framed instead in terms of a general registration requirement for all sponsors of election advertising. BCFIPA’s concern was that this would mean that any individual who placed a handmade sign in their window, who wore a t-shirt with an election message, or who otherwise promoted their views during an election campaign would be forced to register. Not only might this chill freedom of political expression in its own right, it would raise significant privacy issues for individuals since they would have to disclose not just their names, but their addresses and other contact information in the register. Thus, the BCFIPA sought to have the registration requirement limited by the Court to only those who spent more than $500 on an election campaign.
The problem in this case was exacerbated by the position taken by B.C.’s Chief Electoral Officer. In a 2010 report to the B.C. legislature, he provided his interpretation of the application of the legislation. He expressed the view that it did not “distinguish between those sponsors conducting full media campaigns and individuals who post handwritten signs in their apartment windows.” (at para 19). This interpretation of the Election Act was accepted by both the trial judge and at the Court of Appeal, and it shaped the argument before those courts as well as their decisions.
The Supreme Court of Canada took an entirely different approach. They interpreted the language “sponsor election advertising” to mean something other than the expression of political views by individuals. In other words, the statute applied only to those who sponsored election advertising – i.e., those who paid for election advertising to be conducted or who received such services as a contribution. The Court was of the view that the public policy behind registration requirements was generally sound. It found that a legislature could mitigate the impact on freedom of expression by either setting a monetary threshold to trigger the requirement (as is the case at the federal level) or by defining sponsorship to exclude individual expression (as was the case in B.C.). While it is true that the B.C. statute could still capture organized activities involving expenditures of less than $500, and might thus have some limiting effect, the Court found that this would not be significant for a number of reasons, and that such impacts were easily reconcilable with the benefits of the registration scheme.
The decision of the Supreme Court of Canada will be useful in clarifying the scope and impact of the Election Act and in providing guidance for similar statutes. It should be noted however, that the case traveled to the Supreme Court of Canada at great cost both to BCFIPA and to the taxpayer because of either legislative inattention to the need to clarify the scope of the legislation or because of an over-zealous interpretation of the statute by the province’s Chief Electoral Officer. The situation highlights the need for careful attention to be paid at the outset of such initiatives to the balance that must be struck between transparency and other competing values such as civil liberties and privacy.
Tuesday, 20 December 2016 08:01
The U.S has cleared the way for the use of citizen science by federal government agencies and departments in a new law titled the American Competitiveness and Innovation Act (ACIA) (awaiting presidential signature).
The ACIA as a whole should be of interest to Canadians, as it lays out the principles for how the National Science Foundation (NSF) in the United States should approach its mandate to support scientific research. Earlier bills failed to reach acceptable compromises; some of these would have restricted types of scientific research funded by the NSF to specific sectors. This has echoes of the controversial choices in Canada under the previous government to focus on applied rather than basic scientific research. The American Competitiveness and Innovation Act has moved away from this narrow approach and sets out two main criteria for funding scientific research: intellectual merit and broader public impacts.
The ACIA contains a distinct section titled the Crowdsourcing and Citizen Science Act (CCSA) which paves the way for the use by government agencies and departments of scientific research practices based upon distributed public participation. The CCSA defines citizen science as “a form of open collaboration in which individuals or organizations participate voluntarily in the scientific process in various ways.” (§402(3)(c)(1)) The level of participation can vary, and may include public participation in the development of research questions or in project design, in conducting research, in collecting, analyzing or interpreting data, in developing technologies and applications, in making discoveries and in solving problems. In its preamble, the CCSA acknowledges some of the unique benefits of crowd-sourced research, including cost-effectiveness, providing hands-on learning opportunities, and encouraging greater citizen engagement.
Significantly, the CCSA also mandates that any data collected through citizen science research enabled under the legislation should be made available to the public as open data in a machine-readable format unless to do so is against the law. It also requires the agency to provide notifications to the public about the expected use of the data, any ownership issues relating to the data, and how the data will be made available to the public. (I note that these issues are addressed in my co-authored guide Managing Intellectual Property Rights in Citizen Science published by the Wilson Center Commons Lab.) The statute also encourages agencies, where possible, to make any technologies, applications or code that are developed as part of the project available to the public. This legislated commitment to open research data and open source technology is an important public policy statement.
One barrier to the use of crowdsourcing and citizen science in the government context is the fear of liability within the risk-averse culture of governments. The CCSA addresses this by proving that participants in citizen science projects enabled under the statute agree to assume all risks of participation, and to waive any claims of liability against the federal government or its agencies.
The CCSA permits federal agencies to partner with community groups, other government agencies, or the private sector for the purposes of carrying out citizen science research. After a two-year grace period, the statute also requires the filing of reports on any citizen science or crowd-sourcing projects carried out under the CCSA, and contains detailed requirements for the content of any such report.
The inclusion in this science and innovation bill of provisions that are specifically designed to facilitate and encourage the use of citizen science by governments is a significant development. It is one that should be of interest to a federal government in Canada that is attempting to carve out space for itself as open, pro-science and keen to engage citizens. Citizen science has significant potential in many fields of scientific research; it also brings with it benefits in terms of education, citizen engagement, and community development.
Monday, 19 December 2016 08:52
Municipalities are under growing pressure to become “smart”. In other words, they will reap the benefits of sophisticated data analytics carried out on more and better data collected via sensors embedded throughout the urban environment. As municipalities embrace smart cities technology, a growing number of the new sensors will capture data in real time. Municipalities are also increasingly making their data open to developers and civil society alike. If municipal governments decide to make real-time data available as open data, what should an open real-time data license look like? This is a question Alexandra Diebel and I explore in a new paper just published in the Journal of e-Democracy.
Our paper looks at how ten North American public transit authorities (6 in the U.S. and 4 in Canada) currently make real-time GPS public transit data available as open data. We examine the licenses used by these municipalities both for static transit data (timetables, route data) and for real-time GPS data (for example data about where transit vehicles are along their routes in real-time). Our research reveals differences in how these types of data are licensed, even when both types of data are referred to as “open” data.
There is no complete consensus on the essential characteristics of open data. Nevertheless, most definitions require that to be open, data must be: (1) made available in a reusable format; (2) prepared according to certain standards; and (3) available under an open license with minimal restrictions or conditions imposed on reuse. In our paper, we focus on the third element – open licensing. To date, most of what has been written about open licensing in general and the licensing of open data in particular, has focused on the licensing of static data. Static data sets are typically downloaded through an open data portal in a one-time operation (although static data sets may still be periodically updated). By contrast, real-time data must be accessed on an ongoing basis and often at fairly short intervals such as every few seconds.
The need to access data from a host server at frequent intervals places a greater demand on the resources of the data custodian – in this case often cash-strapped municipalities or public agencies. The frequent access required may also present security challenges, as servers may be vulnerable to distributed denial-of-service attacks. In addition, where municipal governments or their agencies have negotiated with private sector companies for the hardware and software to collect and process real-time data, the contracts with those companies may require certain terms and conditions to find their way into open licenses. Each of these factors may have implications for how real-time data is made available as open data. The greater commercial value of real-time data may also motivate some public agencies to alter how they make such data available to the public.
While our paper focuses on real-time GPS public transit data, similar issues will likely arise in a variety of other contexts where ‘open’ real-time data are at issue. We consider how real-time data is licensed, and we identify additional terms and conditions that are imposed on users of ‘open’ real-time data. While some of these terms and conditions might be explained by the particular exigencies of real-time data (such as requirements to register for the API to access the data), others are more difficult to explain. Our paper concludes with some recommendations for the development of a standard for open real-time data licensing.
This paper is part of ongoing research carried out as part of Geothink, a partnership grant project funded by the Social Sciences and Humanities Research Council of Canada.
Friday, 02 December 2016 14:00
Many Canadians are justifiably concerned that the vast amounts of information they share with private sector companies – simply by going about their day-to-day activities – may end up in the hands of law enforcement or national security officials without their knowledge or consent. The channels through which vast amounts of personal data can flow from private sector hands to law enforcement with little transparency or oversight can turn the companies we do business with into informers and make us unwittingly complicit in our own surveillance.
A recent Finding of the Office of the Privacy Commissioner of Canada (OPC) illustrates how the law governing the treatment of our personal information in the hands of the private sector has been adapted to the needs of the surveillance state in ways that create headaches for businesses and their customers alike. The Finding, which posted on the OPC site in November 2016 attempts to unravel a tangle of statutory provisions that should not have to be read by anyone making less than $300 per hour.
Basically, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how personal information is collected, used and disclosed by private sector organizations at the federal level and in all provinces that do not have their own equivalent statutes (only Quebec, B.C. and Alberta do). One of the core principles of this statute is the right of access to one’s personal information. This means that individuals may ask to be informed about the existence, use and disclosure of their personal information in the hands of an organization. They must also be given access to that information on request. Without the right of access it would be difficult for us to find out whether an organization was in compliance with its privacy policies. The right of access also allows us to verify and request correction of any erroneous information.
Another core principle of PIPEDA is consent. This means that information about us should not be collected, used or disclosed without our consent. The consent principle is meant to give us some control over our personal information (although there are huge challenges in this age of overly-long, vague, and jargon-laden privacy policies).
The hunger for our personal information on the part of law enforcement and national security officials (check out these Telco transparency reports here, here and here) has led to a significant curtailment of both the principles of access and of consent. The law is riddled with exceptions that permit private sector companies to disclose our personal information to state authorities in a range of situations without our knowledge or consent, with or without a warrant or court order. Other exceptions allow these disclosures to be hidden from us if we make access requests. What this means is that, in some circumstances, organizations that have disclosed an individual’s information to state authorities, and that later receive an access request from the individual seeking to know if their information has been disclosed to a third party, must contact the state authority to see if they are permitted to reveal that information has been shared. If the state authority objects, then the individual is not told of the disclosure.
The PIPEDA Report of Findings No. 2016-008 follows a complaint by an individual who contacted her telecommunications company and requested access to her personal information in the hands of that company. Part of the request was for “any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies.” (at para 4). She received a reply from the Telco to the effect that it was “fully in compliance with subsections 9(2.1), (2.2), (2.3) and (2.4) of [PIPEDA].” (at para 5) In case that response was insufficiently obscure, the Telco also provided the wording of the subsections in question. The individual complained to the Office of the Privacy Commissioner (OPC).
The OPC decision makes it clear that the exceptions to the access principle place both the individual and the organization in a difficult spot. Basically, an organization that has disclosed information to state authorities without the individual’s knowledge or consent, and that receives an access request regarding this disclosure, must check with the relevant state authority to see if they have any objection to the disclosure of information about the disclosure. The state authorities can object if the disclosure of the disclosure would pose a threat to national security, national defence or the conduct of international affairs, or would adversely impact investigations into money laundering or terrorist financing. Beyond that, the state authorities can also object if disclosure would adversely impact “the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law, or the gathering of intelligence for the purpose of enforcing any such law.” If the state authorities object, then the organization may not disclose the requested information to the individual, nor can they disclose that they contacted the state authorities about the request, or that the authorities objected to any disclosure. In the interests of having a modicum of transparency, the organization must inform the Privacy Commissioner of the situation.
The situation is complex enough that in its finding, the OPC produced a helpful chart to guide organizations through the whole process. The chart can be found in the Finding.
In this case, the Telco justified its response to the complainant by explaining that if pushed further by a customer about disclosures, it would provide additional information, but even this additional information would be necessarily obscure. The Commissioner found that the Telco’s approach was not compliant with the law, but acknowledged that compliance with the law could mean that a determined applicant, by virtue of repeated requests over time, could come up with a pattern of responses that might lead them to infer whether information was actually disclosed, and whether the state authority objected to the disclosure. This is perhaps not what Parliament intended, but it does seem to follow from a reading of the statute.
As a result of the complaint, the Telco agreed to change its responses to access requests to conform to the requirements outlined in the table above.
It may well be that this kind of information-sharing offers some, perhaps significant, benefits to society, and that sharing information about information sharing could, in some circumstances, be harmful to investigations. The problem is that protections for privacy – including appropriate oversight and limitations – have not kept pace with the technologies that have turned private sector companies into massive warehouses of information about every detail of our lives and activities. The breakdown of consent means that we have little practical control over what is collected, and rampant information sharing means that our information may be in the hands of many more companies than those with which we actively do business. The imbalance is staggering, as is the risk of abuse. The ongoing review of PIPEDA must address these gaps issues – although there are also risks that it will result in the addition of more exceptions from the principles of access and consent.
Thursday, 17 November 2016 14:47
The Supreme Court of Canada has issued a relatively rare decision on the interpretation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Although it involves fairly technical facts that are quite specific to the banking and mortgage context, the broader significance of the case lies in the Court’s approach to implied consent under PIPEDA.
The case arose in the context of the Royal Bank of Canada’s (RBC) attempt to obtain a mortgage discharge statement for property owned by two individuals (the Trangs), who defaulted on a loan advanced by the bank. The mortgage was registered against a property in Toronto, on which Scotiabank held the first mortgage. In order to recover the money owed to it, RBC sought a judicial sale of the property, but the sheriff would not carry out the sale without the mortgage discharge statement. Scotiabank refused to provide this statement to RBC on the basis that it contained the Trangs’ personal information and it could therefore not be disclosed to RBC without the Trangs’ consent.
PIPEDA allows for the disclosure of personal information without consent in a number of different circumstances. Three of these, raised by lawyers for RBC, include where it is for the purpose of collecting a debt owed by the individual to the organization; where the disclosure is required by a court order; and where the disclosure is required by law. Ultimately, the Court only considered the second of these exceptions. Because Scotiabank refused to disclose the discharge statement, RBC had applied to a court for a court order that would enable disclosure without consent. However, it found itself caught in a procedural loop – it seemed to be asking the court to order disclosure on the basis of a court order which the court had yet to grant. Although the Court of Appeal had found the court order exception to be inapplicable because of this circularity, the Supreme Court of Canada swept aside these objections in favour of a more pragmatic approach. Justice Côté found that the court had the power to make an order and felt that an order was appropriate in the circumstances. She ruled that it would be “overly formalistic and detrimental to access to justice” to require RBC to reformulate its request for a court order in a new proceeding.
Although this would have been enough to decide the matter, Justice Côté, for the unanimous court, went on to find that the Trangs had given implied consent to the disclosure of the mortgage statement in any event. Under PIPEDA, consent can be implied in some circumstances. Express consent is generally required where information is sensitive in nature. Acknowledging that financial information is generally considered highly sensitive, Justice Côté nevertheless found that in this case the mortgage discharge statement was less sensitive in nature. She stated that “the degree of sensitivity of specific financial information is a contextual determination.” (at para 36) Here, the context included the fact that a great deal of mortgage-related financial information is already in the public domain by virtue of the Land Titles Registry, which includes details such as the amount of a mortgage recorded against the property, the interest rate, payment periods and due date. Although the balance left owing on a mortgage is not provided in the Registry, it can still be roughly calculated by anyone interested in doing so. Justice Côté characterized the current balance of a mortgage as “a snapshot at a point in time in the life of a publicly disclosed mortgage.” (at para 39)
Justice Côté’s implied consent analysis was also affected by other contextual considerations. These included the fact that the party seeking disclosure of the discharge statement had an interest in it; as a creditor, it was relevant to them. According to the Court, the reasonable expectations of the individual with respect to the sensitivity of any information must be assessed in “the whole context” so as not to “unduly prioritize privacy interests over the legitimate business concerns that PIPEDA was also designed to reflect”. (at para 44) The fact that other creditors have a legitimate business interest in the information in a mortgage disclosure statement is “a relevant part of the context which informs the reasonable expectation of privacy.” (at para 45) In this regard, Justice Côté observed that the identity of the party seeking disclosure of the information and the reason for which they are seeking disclosure are relevant considerations. She noted that “[d]isclosure to a person who requires the information to exercise an established legal right is clearly different from disclosure to a person who is merely curious or seeks the information for nefarious purposes.” (at para 46)
Justice Côté also found that the reasonable mortgagor in the position of the Trangs would be aware of the public nature of the details of their mortgage, and would be aware as well that if they defaulted on either their mortgage or their loan with RBC, their mortgaged property could be seized and sold. They would also be aware that a judgment creditor would have a “legal right to obtain disclosure of the mortgage discharge statement through examination or by bringing a motion.” (at para 47)
It seems that it is the fact that RBC could ultimately legally get access to the mortgage discharge statement, viewed within the broader context that drives the Court to find that there is an implied consent to the disclosure of this information – even absent a court order. The Court’s finding of implied consent is nevertheless limited to this context; it would not be reasonable for a bank to disclose a mortgage discharge statement to anyone other than a person with a legal interest in the property to which the mortgage relates. The Court’s reasoning seems to be that since RBC is ultimately entitled to get this information and has legal means at its disposal to get the information, then the Trangs can be considered to have consented to the information being shared.
Pragmatism is often a good thing, and it is easy to be sympathetic to the Court’s desire to not create expensive legal hurdles to achieve inevitable ends in transactions that are relatively commonplace. It should be noted, however, that the same result could have been achieved by the addition of a clause in the mortgage documents that would effectively obtain the consent of any mortgagor to disclosures of this kind and in those circumstances. No doubt after the earlier decisions in this case and in the related Citi Cards Canada Inc. v. Pleasance, banks had already taken steps to address this in their mortgage documents. One of the reasons for having privacy policies is to require institutions to explain to their customers what personal information is collected, how it will be used, and in what circumstances it will be disclosed. While it is true that few people read such privacy policies, they are at least there for those who choose to do so. Nobody reads implied terms because they are… well, implied. Implied consent works where certain uses or disclosures are relatively obvious. In more complicated transactions implied consent should be sparingly relied upon.
It will be interesting to see what impact the Court’s judicial eye roll to the facts of this case will have in other circumstances where consent to disclosure is an issue. The Court is cautious enough in its contextual approach that it may not lead to a dangerous undermining of consent. Nevertheless, there is a risk that the almost exasperated pragmatism of the decision may cause a more general relaxation around consent.
Thursday, 10 November 2016 13:55
The Federal Court has just released a decision in a case that raised issues of fair dealing and copyright abuse. Blacklock’s, an Ottawa-based online news agency, had argued that officials at the Department of Finance breached its copyright in news articles when these articles were circulated internally. The decision is an important confirmation of the ‘right to read’ in Canada and may go some way to dispelling the aftertaste of an earlier flawed decision by the Ontario Small Claims Court in a similar dispute.
Blacklock’s business model is to offer its news content on a subscription-only basis. Its articles are behind a paywall, and only subscribers, equipped with a password, can gain access to them. Individual subscriptions are available for $148 a year, whereas institutional subscription rates range between $11,470 and $15,670.
In this case, a reporter from Blacklock’s had interviewed the President of the Canadian Sugar Institute, Sandra Marsden, for a story relating to sugar tariff changes. The same reporter had sought comments from Department of Finance officials and ultimately had an exchange of email correspondence with the Department’s media relations officer. In what appears to be Blacklock’s practice, teasers about the story were sent out to Marsden by email and by Twitter. Based on the teasers Marsden became concerned about the accuracy of the article. She paid for an individual subscription in order to access it. After reading the article her concerns grew and she cut and pasted the article into an email, to a Department official. The same reporter wrote a follow up piece which Marsden also found problematic; she forward this piece to the Department of Finance as well. The two articles were circulated between a total of 6 Finance employees who discussed amongst themselves whether any follow-up with Blacklock’s was required. In the end it was decided that the matter should be dropped.
Justice Barnes found that there was no disputing that the Finance officials had used Blacklock’s copyright-protected material without paying for it or seeking Blacklock’s consent. The key issue was whether the use fell within the fair dealing exception for research or private study in s. 29 of the Copyright Act. After reviewing the Supreme Court of Canada’s landmark fair dealing decision in CCH Canadian v. Law Society of Upper Canada and its more recent decision in SOCAN v. Bell Canada, he concluded that the use constituted fair dealing. He noted that, according to the case law, “research” does not have to lead to the creation of a new work of authorship; it can be ““piecemeal, informal, exploratory, or confirmatory”, and can be undertaken for no purpose except personal interest.” (at para 31)
Justice Barnes found that the Finance officials “had legitimate concerns about the fairness and accuracy” of the reporting in the article. Her further found the internal circulation of the piece was justified on the basis that “[e]veryone involved had a legitimate need to be aware in the event that further action was deemed necessary”. (at para 35) He identified a number of considerations that influenced his conclusion that the officials’ dealing with the material was fair. He noted that the articles had not been obtained by illegal means such as hacking the website; rather, they had been provided by a subscriber to the site who had legally accessed them and had forwarded them for “a legitimate business reason”. (at para 36) The articles had been sent to the Finance officials and not solicited by them; they received limited circulation; and they were not republished or used for any commercial purpose. The court also found that the two articles were a tiny fraction of the content available from the Blacklock’s site. Further, Justice Barnes opined that “a finding of copyright infringement against a news source for the simple act of reading the resulting copy is likely to have a chilling effect on the ability of the press to gather information.” (at para 36). Justice Barnes also stated that “copyright should not be a device that serves to protect the press from accountability for its errors and omissions.” (at para 36).
Blacklock’s had argued that its terms and conditions for access to its paywalled content had been breached when the material was forwarded to Finance officials, and that this breach should serve to negate a finding of fair dealing. Justice Barnes appeared sympathetic to this argument on its face, stating that it was a “relevant consideration” (though he did not state that it would necessarily be determinative). However, he cautioned that for this factor to be taken into account, the copyright owner would have to demonstrate that the user was aware of the terms and conditions and that the terms and conditions actually barred the conduct at issue. In this case, he found that none of the parties involved had either read or even been aware of Blacklock’s terms and conditions which were not readily part of the process for signing up for an individual subscription. He also found that the terms and conditions were not clear, stating: “On the one hand they seemingly prohibit distribution by subscribers but, on the other, they permit it for personal, or non-commercial uses.” (at para 42).
Blacklock’s also objected that a finding of fair dealing would undermine its business model – selling online news through a subscriber-only paywall. Justice Barnes was not particularly sympathetic, noting that “All subscription-based news agencies suffer from work-product leakage.” (at para 45) Further, he stated that “whatever business model Blacklock’s employs it is always subject to the fair dealing rights of third parties.” (at para 45) At the same time, he noted that by so stating, he was not endorsing “blameworthy conduct in the form of unlawful technological breaches of a paywall, misuse of passwords or the widespread exploitation of copyright material to obtain a commercial or business advantage.” (at para 45)
As I noted in an earlier comment on this case, the defendants had argued that Blacklock’s was engaged in copyright misuse and was acting as a kind of “copyright troll”. In fact, there are 9 other suits brought by Blacklock’s against the federal government on similar sets of facts. Noting that “there are certainly some troubling aspects to Blacklock’s business practices”, Justice Barnes nevertheless found it unnecessary to rule on the copyright abuse and trolling arguments in light of his findings on fair dealing. The other cases, which were stayed pending the resolution of this first dispute, may now end up being settled out of court.
In the course of his decision, Justice Barnes referred to what occurred in this case as “no more than the simple act of reading by persons with an immediate interest in the material.” (at para 36) This right to read is fundamentally important in a society that values knowledge and the freedom of expression. The decision makes it clear that business models for content distribution cannot run roughshod over certain fundamental users rights.
Published in Copyright Law
Wednesday, 26 October 2016 14:42
In a press release issued on October 26, 2016, the Ontario Provincial Police announced that they would be adopting a new investigative technique – one that relies on cellphone tracking of ordinary members of the public. The use of this new technique is being launched in the context of the investigation of an unsolved murder that took place in Ottawa in 2015. Police are searching for leads in the case.
The OPP sought a Production Order from a justice of the peace. This order required major cellular phone service providers to furnish them with a list of cellphone numbers used in the vicinity of West Hunt Club and Merivale Road in Ottawa, between 12:30 and 3:30 p.m. on December 15, 2015. Production orders for cell phone information have become commonplace. Typically, however, they have been used to determine whether a person of interest to the police was in a certain area at a specific time. This is not the case here. In this case, the police intend to send text messages to the individual cell phone numbers provided by the phone companies. These messages will encourage recipients to visit a web site set up by the police and to respond to some questions. According to the press release, the production order did not include customer name and address information associated with the phone numbers. In theory, then, individual privacy is protected by the fact that an person who does not respond to the text message does provide any further identifying information to the police.
There is clearly a public interest in solving crimes. Where investigations have grown cold, new techniques may be important to finding justice for victims and their families. However, it is also important that any new investigative techniques are consistent with the principles and values that are an integral part of our justice system. Privacy advocates and the public have reason to be concerned about this new investigative technique. Here are some of the reasons why:
First, production orders of this kind provide completely inadequate opportunities to hear and consider the privacy interests of affected individuals. Persons accused of crimes can always challenge in court the way in which the police went about collecting the evidence against them. They can argue that their privacy interests were violated and that search warrants should never have been issued. However, ordinary members of the public have little practical recourse when their privacy rights are infringed by investigations of crimes that have nothing to do with them. In a decision of the Ontario Superior Court (which I wrote about here) Justice Sproat reviewed production orders for massive amounts of cell phone data sought by police. He was sharply critical of both the seeking and the granting of a production order for quantities of cell phone customer data that far exceeded what was genuinely required for the purpose of the investigation. The case impacted the privacy rights of the broad public (it involved the data of over 43,000 customers) yet as is so often the case, the public had no way to learn of or challenge the production order before it was granted. In that case, it was the Telcos – Rogers and Telus – who challenged the production orders and raised privacy issues before the courts. Without this intervention, there would have been no voice for the privacy interests of ordinary citizens and no means of reviewing the legitimacy of the order.
Second, production orders of this kind come with no safeguards for the protection of data after it has been used by police. Production orders typically do not contain directions on how long data can be retained, whether it should be destroyed after a certain time, what other uses it might (or should not) be put to, or what safeguards are required to protect it while it is in the hands of police. The lack of such safeguards was commented upon by Justice Sproat in the case mentioned above. He was of the view that this was an issue for Parliament to address. Parliament has yet to do so.
In its press release, the OPP analogized what it was doing to police going through a neighborhood where a crime has taken place and knocking on doors to see if anyone has seen or heard anything that might be relevant. The analogy is problematic. The existence and location of houses and apartment units are matters of public record – they are in plain view. However, data about the cell phone usage of individuals, along with their location information, as they carry out their day to day activities are not. When police seek access to information that allows them to identify the locations of thousands of individuals who are not suspected of engaging in criminal activity, they are doing more than knocking on doors.
There needs to be a public conversation about how and when police get to tap into the massive volumes of data collected about the minutiae of our daily activities by private sector companies. The use of cell phone data production orders by the OPP in this case merely adds to list of subjects for that conversation. Because the use of this data by police is now to identify and contact people who are themselves not the targets of criminal investigation, these individuals effectively have no way in which to raise privacy concerns. This is a conversation that must be led by Parliament and that most likely will require new law.
Monday, 17 October 2016 07:27
The Toronto Star is reporting that Canadian architect and indigenous activist Douglas Cardinal is seeking an injunction to prevent the Cleveland Indians from wearing uniforms bearing their logo and team name, and from displaying their logo when the visit Toronto this week for the Major League Baseball playoffs. The legal basis for the injunction is an argument that the team’s name and mascot are discriminatory. Mr. Cardinal has also filed human rights complaints with the Ontario Human Rights Tribunal and the Canadian Human Rights Commission.
While Mr. Cardinal is litigating, he might also want to consider that the name and the offensive cartoonish mascot are also registered trademarks in Canada. (Search for “Cleveland Indians” in the Canadian Trademarks Database). Challenges to the registration of the Washington Redskins’ notorious trademarks are currently before the courts in the U.S. The Redskins trademarks, which most recently have been cancelled in the U.S. for being disparaging of Native Americans (with that decision under appeal), are also registered trademarks in Canada. To date, no one has challenged these or other offensive trademarks in Canadian courts.
Canada’s Trade-marks Act bars the adoption, use or registration of trademarks that are “scandalous, obscene or immoral”. I have written before about circumstances in which this provision has been invoked – or not – to disallow the registration of trademarks. Any challenge to the validity of the marks could be based on the argument that the marks should never have been registered, as they were racist and discriminatory at the time of registration (which, in the case of the Cleveland logo was in 1988). While an applicant to have the trademark expunged might have to address issues of delay in bringing the application, it should be noted that s. 11 of the Trade-marks Act also prohibits the use of a trademark that was adopted contrary to the provisions of the Act. In principle then, the continued use of a trademark that was “scandalous, obscene or immoral” when it was adopted is not permitted under the legislation. Of course, this use restriction raises interesting freedom of expression issues. In the United States, marks that are denied registration for being “disparaging” can still be used, thus arguably shielding the trademarks legislation from First Amendment (free speech) challenges. There is a great deal of unexplored territory around the adoption, use and registration of offensive trademarks in Canada.
Former Justice Murray Sinclair of the Truth and Reconciliation Commission (now Senator Sinclair) called for action to address the use of offensive and racist sports mascots and team names. Douglas Cardinal has clearly responded to that call; there is still more that can be done.
Note: At the hearing on the injunction on October 17, 2016, the Court declined to grant the injunction, with reasons to follow. Toronto Star coverage is here.
Tuesday, 27 September 2016 06:32
Note: I was invited by Canada’s Information Commissioner and the Schools of Journalism and Communication, and Public Policy and Administration at Carleton University to participate in a workshop to launch Right to Know Week 2016. This was a full afternoon workshop featuring many interesting speakers and discussions. This blog post is based on my remarks at this event.
For the last 5 years or so, governments at all levels across Canada have been embracing the open government agenda. In doing so, they have expressed, in various ways, new commitments to open data, to the proactive disclosure of government information, and to new forms of citizen engagement. Given that the core goals of the open government movement are to increase government transparency and accountability in the broader public interest, these developments are positive ones.
There is a risk, however, that public commitments to open government have become a bit of a ‘feel good’ thing for governments. After all, what government doesn’t want to publicly commit to being open, transparent and accountable? As a result, it is important to look behind the rhetoric and to examine the nature of the commitments made to open government in Canada and to question how meaningful and enduring they really are.
For the most part, commitments to open government in Canada have been manifested in declarations, policy documents, and directives. These documents express government policy and provide direction to government actors and institutions. Yet they are “soft law” at best. They are not enacted through a process of legislative debate, they are not expressed in laws that would have to be formally repealed or amended in order to be altered, there are no enforcement or compliance mechanisms, and they remain subject to change at the whim of the government in power. Directives and policies, of course, can provide rapid and responsive mechanisms for operationalizing changes in government direction, and so I am not criticizing decisions to set open government in motion through these various means. But I am suggesting that a longer term commitment to open government might require some of these measures to be expressed in and supported by legislation in order to become properly entrenched.
For example, much effort has been invested by the federal government in creating an open licence to facilitate reuse of government data and information. After a slow and sometimes painful process, we now have a pretty good open government licence. It is based on the UK OGL and is very user friendly compared to earlier iterations. It is bilingual and it can be customized to be used by governments at all levels in Canada (for example, a version of this licence was just adopted by city of Ottawa). This reduces the burden on provincial and municipal governments contemplating open government and it creates the potential for greater legal interoperability (when users combine data or information from a number of different governments in Canada).
But let us not forget why we need an open government licence in Canada. An open licence permits the public to make use of works that are protected by copyright without the need to ask permission or pay royalties, and with the fewest restrictions on re-use as possible. Government works in Canada – and this includes court decisions, statutes, Hansard, government reports, studies, to name just a few – are protected by copyright under section 12 of the Copyright Act. One might well ask why, instead of toiling for years to come up with the current open licence, the government has not shown its commitment to openness by abolishing Crown copyright. It’s not as radical as it might sound. In the U.S., s. 105 of the Copyright Act expressly denies protection to works of the U.S. government without any obvious negative consequences. In the U.S., these works are automatically in the public domain. This legislated, hard law solution makes the commitment real and relatively permanent. Yet as things stand in Canada, government works are protected by copyright by default, and governments choose which works to make available under the open licence and which they wish to provide under more onerous licence terms. They can also decide at some point to tear up the open licence and go back to the way things used to be. Crown copyright in its current incarnation sets the default at ‘closed’.
It is true that some aspects of open government are already part of our legislative framework. We have had freedom of information/access to information laws for decades now in Canada, and these laws enshrine the principle of the public’s right to access information in the hands of government. However, the access to information laws that we have are ‘first generation’ when it comes to open government. The federal Act is currently being reviewed by Parliament, and we might see some legislative change, though how much and how significant remains to be seen. As Mary Francoli has pointed out, there wasn’t really a need for further review – the new government had plenty of material on which to take action in proposing amendments to the Act.
The many deficiencies in the Access to Information Acthave been well documented. For example, in 2015 the Information Commissioner set out 85 proposed reforms to the statute to modernize and improve it. The June 2016 Report by the Standing Committee on Access to Information, Privacy and Ethics on its Review of the Access to Information Act takes up many of these proposals in its own recommendations for extensive reforms to the Act. We are now awaiting the government’s response to this report. Rather than review the many recommendations already made, I will highlight those that relate to my broader point about enshrining open government principles in legislation
The Access to Information Act as it currently stands is premised on a model of individuals asking for information from government, waiting patiently while government puts together the requested information, and then complaining to the Commissioner when too much information is redacted or withheld. Open government promises both information and data proactively, in reusable formats, and without significant restrictions on reuse. While proactive disclosure of information and open data cannot replace the access to information model (which is, itself, capable of considerable improvement), they will provide quicker, cheaper and more effective access in many areas. Yet the Access to Information Act does not currently contain any statement about proactive disclosure. Proactive disclosure – also referred to as “open by default” is not really “open by default” unless the law says it is. Until then, it is just an aspirational statement and not a legal requirement. We see a proliferation of policies and directives at all levels of government that talk about proactive disclosure, but there are not firm legal commitments to this practice, or to open data. And, although I have been focussing predominantly on the federal regime, these issues are relevant across all levels of government in Canada.
A core principle of open data is that the data sets provided by governments should be made available in open, accessible and reusable formats. Proactive disclosure of information should also be in reusable formats. Access under the conventional regime is also enhanced when the information disclosed is in formats that facilitate analysis and reuse. Yet even under the existing access model, there is no default requirement to provide requested information in open, accessible and reusable formats. It is important to remember that it is not enough just to provide ‘access’ – the nature and quality of the access provided is relevant. The format in which information is provided in a digital age can create a barrier to the processing or analysis of information once accessed.
I would like, also, to venture onto territory that is not addressed in the calls for reform to access to information laws. Another challenge that I see for open data (and open information) in Canada relates to the sources of government data. I am concerned about the lack of controls over the use of taxpayer dollars to create closed data. As we move into the big data era, governments will be increasingly tempted to source their data for decision-making from private sector suppliers rather than to generate it in-house. We are seeing this already; an example is found in recent decisions of some municipal governments to source data about urban cycling patterns from cycling app companies. There will also be instances where governments contract with the private sector to install sensors to collect data, or to process it, and then pay licence fees for access to the resulting proprietary data in the hands of the private sector companies. In these cases, the terms of the license agreements may limit public access to the data or may place significant restrictions on its reuse. This is a big issue. All the talk about open government data will not do much good if the data on which the government relies is not characterized as “government data”. It is important that governments develop transparent policies around contracts for the collection, supply or processing of data that ensure that our rights as members of the public to access and reuse this data – paid for with our tax dollars – are preserved. Even better, it might be worth seeing some principle to this effect enshrined in the law.
Tuesday, 20 September 2016 14:25
The Ontario Supreme Court of Justice has just approved the settlement of a class action law suit against Home Depot over a data privacy breach that took place in 2014. Both the settlement agreement and the decision by Justice Perell offer some interesting insights into privacy class actions in Canada.
Between April 11, 2014 and September 13, 2014 Home Depot’s payment system was hacked by criminals who used malware to skim data from credit card purchases at self-serve stations. When Home Depot discovered the breach it notified potentially affected customers through the French and English press in Canada. It also sent out over half a million emails to potentially affected customers in Canada. The emails apologized for the breach, and confirmed that the malware had been eradicated. Customers were assured that they would not be held responsible for fraudulent charges to their credit card accounts and they were offered free credit monitoring and identity theft insurance.
Although the breach led to complaints against Home Depot being filed with the privacy commissioners of Alberta, Quebec, B.C. and Canada, the commissioners all concluded that Home Depot had not breached their respective private sector data protection statutes. The fact that Home Depot had acted quickly and decisively to notify customers and to offer them protection also clearly influenced Justice Perell in his decision on the settlement agreement. He noted that Home Depot “apparently did nothing wrong”, and that it “responded in a responsible, prompt, generous and exemplary fashion to the criminal acts perpetrated on it by the computer hackers.” (at para 74.)
After the breach, which affected customers in the U.S. and Canada, a number of class action lawsuits were filed in both countries. The U.S.-based suits were consolidated into a single action which led to a settlement. The U.S. agreement was used as a template for the Canadian settlement. Under the terms of the settlement agreement put before Justice Perell, Home Depot admitted no wrongdoing. In exchange for releasing their claims against Home Depot, class members would be entitled to access a settlement fund of $250,000 available to compensate them for any actual expenses incurred as a result of the data breach up to a maximum of $5000 per claimant. The agreement also provides for class members to access free credit monitoring to a cap of $250,000. Justice Perell noted that given the cost of bulk purchases of credit card monitoring, this amount would allow for between 2,500 and 5,000 of the class members to access credit monitoring. In order to be entitled to any funds or credit monitoring, class members would have to file a claim form by October 29, 2016. Under the terms of the agreement, Home Depot would assume the costs of notifying class members and of administering the funds. Any money not distributed from the funds at the end of the claims period could be used to offset these costs. Justice Perell approved these terms of the settlement agreement.
The agreement also provided for a sum of $360,000 plus HST to be paid to the class action lawyers for legal fees, costs and disbursements. Small sums were also provided for in the agreement as honoraria for the representative plaintiffs in the class, although Justice Perell declined to approve these amounts, noting that honoraria were not appropriate in this case. He noted that “Compensation for a representative plaintiff may only be awarded if he or she has made an exceptional contribution that has resulted in success for the class.” (at para 80)
In assessing the settlement agreement, Justice Perell made it clear that the value of the settlement for class members was at most $400,000. He noted that in terms of compensation very little might actually be paid out. No class members would have had to cover the cost of fraudulent credit card charges and, in the time since the breach, there were no documented cases of identity theft related to this breach. He noted that the only information obtained through the hack was credit card information; other identity details used in identity theft such as driver’s licence data or social insurance numbers, were never stolen. He thus found it “highly unlikely” that the $250,000 fund would be used for damage awards. He also expressed doubt whether, given the short deadline in the agreement, the $250,000 fund for identity theft insurance would be used up.
Given the modest value of the settlement agreement, Justice Perell would not approve the $360,000 bill for legal fees and disbursements. Instead, he set the amount at $120,000. He noted that to do otherwise would pay class counsel more than would be received by the class members. He noted as well that in his view the case against Home Depot was very weak: the data breach was the result of a criminal hack; the privacy commissioners had found no wrongdoing on the part of Home Depot; and Home Depot had not attempted to cover it up and instead had acted promptly to notify customers and to help them mitigate any possible harm. Further, he noted that “by the time the actions against Home Depot came to be settled, there were no demonstrated or demonstrable losses by the Class Members” (at para 101). Justice Perell observed that while class counsel may have incurred higher fees than what were being awarded, there is a degree of risk with any class proceeding. He noted that “class counsel should not anticipate that every reasonably commenced class action will be remunerative and a profitable endeavor.” (at para 103)
The result is interesting on a number of fronts. Clearly Home Depot found it less costly to settle than to proceed with the litigation even though Justice Perell seems to be of the view that they would have won their case. The case illustrates just how costly data breaches can be, even for companies that have done nothing wrong and are themselves victims of criminal activities. In terms of the class action law suit, as with many data breaches, proof of actual harm to the class members was difficult to come by, making losses quite speculative. Further, as litigation of this kind tends to proceed slowly, the lack of harm to class members becomes increasingly apparent in cases where there is no evidence that the illegal obtained data has been used by the malefactors. The result in this case suggests that in class action law suits related to privacy breaches, class members who do not suffer actual pecuniary loss should not expect significant payouts; and companies who are not at fault in the breach and who act promptly to assist affected customers may substantially reduce (or eliminate) their liability. These factors may affect decisions by class counsel to launch class action lawsuits where the link between the breach and actual harm is weak, or where defendants are not obviously at fault.
Canadian Trademark Law
Published in 2015 by Lexis Nexis
Electronic Commerce and Internet Law in Canada, 2nd Edition
Published in 2012 by CCH Canadian Ltd.
Intellectual Property for the 21st Century
Intellectual Property Law for the 21st Century: