access to information Ambush Marketing big data citizen science confidential information copyright data protection digital cartography ecommerce and internet law Electronic Commerce Extraterritoriality fair dealing freedom of expression Geospatial geospatial data intellectual property Internet internet law IP open courts open data open government personal information pipeda Privacy takings trademark law trademarks traditional knowledge transparency
Friday, 16 October 2015 06:02
It is not every day that courts are asked to interpret Creative Commons licenses, which is what makes the recent U.S. decision in Drauglis v. Kappa Map Group, LLC of particular interest.
Creative Commons offers a suite of licenses that can be used by those seeking to license their copyright-protected works under terms that facilitate different levels of sharing and use. Some licenses are virtually without restriction; others restrict uses of the work to non-commercial uses; contain requirements to give attribution to the author of the work; or require that any derivative works made using the licensed work by made available under similar license terms (Share-Alike). The licenses are available in multiple languages and have been adapted to the laws of a variety of different countries. They are even used for open government licensing of works in countries like Australia and New Zealand.
In this case, the plaintiff Art Drauglis was a photographer who had posted a photograph on Flickr under a Creative Commons Attribution-ShareAlike 2.0 license (CC BY-SA 2.0). The defendant was a company that published maps and map-related products. It downloaded a copy of the plaintiff’s photograph from Flickr, and used it on the cover of an atlas it published titled “Montgomery co., Maryland Street Atlas”. The atlas was sold commercially, and the defendant claimed copyright in it. The copyright notice for the atlas appeared its first page, along with its table of contents. On the rear cover of the atlas, the title of the plaintiff’s photograph was provided as well as the information about the name of the photographer and the fact that it was used under a CC-BY-SA-2.0 license.
The plaintiff’s first claim – that the defendant had breached his copyright in the photograph – was quickly rejected by the Court. The District Court (District of Columbia) found that the defendant had used the image under license. Further, the license specifically permitted commercial uses of the image. Thus the plaintiff was limited to arguing that the defendant’s use of the photograph was not in compliance with the terms of the license. There were 3 main arguments regarding non-compliance. These were that: 1) the Share-Alike condition of the license was breached by the defendant’s commercial sale of the atlas; 2) the defendant did not include a proper Uniform Resource Identifier for the CC license as required by the license terms; and 3) the defendant did not provide the proper attribution for the photograph as required by the license.
The CC BY-SA 2.0 license requires that derivative works made using the licensed works also be made available under the same or comparable license terms. The plaintiff therefore argued that the defendant breached this term by publishing the atlas commercially and not under an equivalent license. The court disagreed. It found that the CC license contemplated two categories of re-use of the licensed work – in a “collective work” (defined in the license as a “periodical issue, anthology or encyclopedia, in which the Work in its entirety in unmodified form” is included with other contributions into a collective whole), or as a “derivative work” (defined in the license as a “work based upon the Work. . . in which the Work may be recast, transformed, or adapted”.) It is only derivative works that must be licensed under comparable license terms. The court found that the use of the photograph in this case was as part of a collective work. That collective work was the atlas, consisting of a series of separate works (maps) compiled together with other elements, including the plaintiff’s photograph, in a book. The court rejected arguments that the photograph had been cropped, and was thus “recast, transformed or adapted” rather than incorporated “in its entirety in unmodified form”. It was not persuaded that any cropping had taken place; if it had it was so minor in nature that it was inconsequential.
The CC BY-SA 2.0 license also requires that the licensee “must include a copy of, or the Uniform Resource Identifier for, this License with every copy . . . of the Work”. The plaintiff argued that this clause had been violated by the defendant because it only referred to the license as a CC-BY-SA 2.0 license and did not provide a URL for the license. The court distinguished between a Uniform Resource Identifier (URI) and a URL, noting that ‘URI’ is a term with a broader meaning than URL. While providing a URL might meet this requirement, providing the abbreviated name and version of the license met the requirement for a URI. The court noted that anyone searching the internet for “CC BY-SA 2.0” would easily arrive at the proper license.
The plaintiff also argued that the defendant did not properly attribute authorship of the photograph to the plaintiff in accordance with the terms of the license. The license required that any credit given to the author of a work in a derivative or collective work must, at a minimum, “appear where any other comparable authorship credit appears and in a manner at least as prominent as such other comparable authorship credit.” (Section 4(c)). Because the copyright information for the atlas as a whole appeared on the inside front page and the credit for the cover photo appeared on the back of the atlas, the plaintiff argued that this condition was not met. However, the court found that copyright information was provided for each map on each page of the atlas, and that this type of credit was comparable to that provided for the cover photograph. The court found that “the Photograph is more akin to each of the individual maps contained with the Atlas than to the Atlas itself; the maps are discrete, stand-alone pictorial or graphic works, whereas the Atlas is a compilation of many elements, arranged in a specific and proprietary fashion, and constituting a separate and original work.” (at p. 18) As a result, the attribution provided for the cover photo was comparable to that provided for other works in the collective work.
This would appear to be a case where the plaintiff’s expectations as to what the CC license he used for his work would achieve for him were not met. It is perhaps a cautionary tale for those who use template licenses – the simplicity and user-friendliness of the human readable version of the license does not mean that the detail in the legal code should be ignored – particularly where the licensor seeks to place specific limits on how the work might be used.
Monday, 05 October 2015 07:45
A recent (though not yet in force) amendment to Canada’s Trade-marks Act will permit an unprecedented purging of trademark records in Canada. This destruction of records should be understood within the disturbing context described in a recent Maclean’s article by Anne Kingston, titled “Vanishing Canada: Why We’re All Losers in Canada’s War on Data”.
The new section 29.1 is aptly titled “Destruction of Records”. It provides that, notwithstanding the Registrar’s duty to maintain trademark data and documentation for public view, the Registrar may still destroy a broad range of documents. These can include applications for trademarks that are refused or abandoned, documents relating to trademarks that have been expunged, documents relating to any request for public notice to be given of an official mark that has been abandoned, refused or invalidated, and documents relating to objections to geographical indications that are removed from the list of geographical indications. All of these documents may be destroyed 6 years after the final action on the file.
Since 1997, the Registrar has been maintaining an electronic register of trademarks. This register is publicly accessible and searchable. However, it does not provide electronic access to the underlying documentation relating to the registrations. This information has nonetheless been available for public consultation, and is also available through access to information requests. While it is now possible to file trademark applications online, thus replacing paper with digital documents, this option has not always been available and there is still a great deal of paper floating about. All this paper obviously takes up a significant amount of space. How should the problem be addressed? One option is to begin the process of digitization; paper records can be destroyed once digital copies are made. Digital copies would also allow for a vastly improved level of access. Another option is to just chuck it all out. It is this latter option, cheap and easy, that will be implemented by the new section 29.1 of the Trade-marks Act.
Of what use are the records at issue? Trademark lawyers have argued that information about past trademark applications – including those refused by the Registrar – is often used in trademark opposition proceedings and in litigation. The International Trademark Association (INTA) opposed section 29.1 in a written submission to the Parliamentary Committee that studied the Bill that introduced this provision. INTA stated that “the downside risk of losing public access to these documents outweighs the hardships to the Canadian Intellectual Property Office associated with maintaining those records.” INTA also noted that the Canadian approach was out of line with that in the United States and in Europe. INTA argued that the destruction of paper records should only take place after electronic copies have been made. The United States, for example, has created a searchable online resource to provide access to all of its records relating to all trademark applications, registered trademarks, Madrid Protocol applications and international registrations.
In addition to the relevance of this information to trademark practitioners, the soon to be destroyed information has research value as well. Canadian trademark law is a relatively under-researched area of Canadian intellectual property law. It would be a great shame if large volumes of data disappear just as research in this area begins to mature and expand.
What might a researcher distill from these records? Here’s one example. Official marks have long been criticized for giving “public authorities” an almost unlimited power to carve out trademark space for themselves without any of the usual checks and balances put in place to manage trademark monopolies in the public interest. Many official marks for which public notice has been given by the Registrar have later been invalidated by the courts either on the basis that the “public authority” seeking public notice was not really a public authority or on the basis that they had not actually adopted or used the mark in question. Once s. 29.1 takes effect, the paper records relating to official marks that have been invalidated will disappear after 6 years. The Registrar has become more rigorous in her examination of requests for official marks (within the limits of a law totally lacking in rigour in this respect). Because there is no application process for official marks, all that appears in the register of trademark is the actual public notice in successful cases. Records relating to failed requests for public notice will soon be subject to destruction after 6 years. This means that this information will disappear entirely and without a trace. What public authorities have sought official marks that have been refused? What was the basis for the refusal to give public notice? What entities claiming to be public authorities have attempted to get trademark protection through this avenue? What might the answers to these questions tell us about a regime that is badly in need of reform? The answers to these questions will become unknowable once s. 29.1 takes effect and the wholesale destruction of records begins.
Digitization of records is expensive, time-consuming and labour intensive. But if paper records are destroyed before digitization takes place there is simply no way to recreate the information. It is lost forever. I have given only a few examples of the potential relevance of the information that is set to be destroyed once s. 29.1 comes into force. Let’s hope it never does. The concepts of open government and open data are only meaningful if there is something left to see once the doors are opened.
Tuesday, 29 September 2015 13:50
It’s not easy to write about an area of law that is in a significant state of flux, but that is what I have tried to do in the second edition of my book titled Canadian Trademark Law, which has just rolled off the presses at Lexis Nexis Canada.
This book expands and updates the first edition, which provided a comprehensive account of trademark law in Canada. In the second edition, I take into account the recent significant changes brought about by the Combating Counterfeit Products Act and the Economic Action Plan 2014 Act, and discusses the impact yet to come as key (and in some cases controversial) provisions of these bills take effect in the not too distant future. These will include an expanded definition of what can constitute a trademark; significant changes to registration requirements; and a new, shorter term of protection. Many of the changes still to come are those necessary to implement the Singapore Treaty and the Madrid Protocol. Once the requisite regulations are in place and the new provisions take effect, Canada’s law will be substantially more harmonized with the laws of other countries, and international trademark registrations will be available to Canadian companies.
In addition to its coverage of core trademark law principles and jurisprudence, Canadian Trademark Law (2d ed.) has specific chapters dedicated to contemporary issues. These include parallel importation and counterfeiting, trademark infringement on the internet, and trademarks and freedom of expression.
In the book I have tried to navigate a turbulent period in Canadian trademark law by discussing not only the law as it stands today, but the law as it will likely be once pending amendments take effect. Each chapter ends with a series of point-form highlights of the key legislative changes that will affect the specific area of the law discussed in that chapter. The book also contains a lengthy appendix which attempts to show in tabular form what amendments are now in effect, which ones are likely eventually to take effect, and which ones will most likely be superseded by other amendments.
Monday, 21 September 2015 07:48
It is rare that a trademark law dispute becomes the subject matter of a documentary film – rarer still when it is a Canadian case that is the focus of attention. Yet some trademark disputes transcend the legal issues that give rise to them. This is so with the case that inspired Heidi Lasi’s recent documentary titled The Oasis Affair. This short film explores the dispute between Les Industries Lassonde, Inc. (a major Quebec company that produces, among other things, OASIS brand juices) and Olivia’s Oasis, a small Quebec business producing soaps and skin care products made with olive oil.
The conflict between the two companies arose from a trademark infringement lawsuit brought by Les Industries Lassonde against Olivia’s Oasis. Lassonde argued that the Olivia’s Oasis trademark for skin care products created consumer confusion with their well-known mark OASIS for fruit juice. Not only did the defendant rebut the trademark claims, it also argued that the lawsuit against it was abusive litigation under relatively new provisions of the Quebec Code of Civil Procedure. These “anti-SLAPP” provisions are intended to discourage parties with deep pockets from using the threat of litigation either to pressure small parties to comply with their demands or to face financial ruin through costly litigation. At trial, Justice Zerbisias of Quebec’s Superior Court found not only that there was no merit to the trademark infringement suit brought by Les Industries Lassonde, Inc., she also agreed with the defendants that the suit fell within the ambit of the anti-SLAPP provisions. She awarded Olivia’s Oasis $125,000 in extra-judicial costs and punitive damages.
While accepting the trademark law outcome, Les Industries Lassonde appealed the award of damages to the Quebec Court of Appeal. [Spoiler alert: stop reading here if you want to learn how it all ends from watching the video.] This Court found that Lassonde’s motives in commencing litigation were not improper. After all, they opined, a trademark that loses its distinctiveness can no longer function as a trademark; a trademark owner must therefore take the necessary steps to preserve the distinctive character of its marks. It nullified the award of damages to the defendant.
Not only does The Oasis Affair provide an account of the litigation, it tells the remarkable story of the social media outcry that followed the Court of Appeal’s decision. In a very short space of time, Les Industries Lassonde faced an unprecedented public backlash – one that ultimately led them to compensate Olivia’s Oasis for the legal fees that had left the small company teetering on the edge of failure.
Heidi Lasi’s documentary is a crisp, engaging account of this case and its aftermath. The film leaves the viewer with an appreciation of the power of social media to create a “court of public opinion”; and suggests that the Olivia’s Oasis affair heralds an important change in how trademark holders must approach the protection of their trademarks and brands.
Tuesday, 15 September 2015 14:24
In 2007 Stephanie Lenz filed a law suit against Universal Music, alleging that it had violated the Digital Millenium Copyright Act (DMCA) by sending her a takedown notice that misrepresented the extent of their rights. Lenz had made a 29 second videotape of her two small children dancing to a Prince song (Let’s Go Crazy) on the radio and had posted the video on YouTube. YouTube contacted her to indicate that it had received a takedown notice for this video. The notice alleged that it infringed upon Universal’s rights in the song. YouTube removed the video from its service. Lenz sought to have the video reinstated using the provisions of the DMCA. Notwithstanding Universal’s resistance, the video was eventually reinstated by YouTube.
Lenz’s lawsuit (which was supported by the Electronic Frontier Foundation) stalled on the issue of whether the DMCA required copyright owners to take fair use into consideration before issuing takedown notices. On Monday, September 14, the U.S. Court of Appeals for the 9th Circuit issued its decision on this issue, clearing the way for the matter to finally head to trial. The Court ruled that copyright owners do indeed have an obligation to take fair use into account. In order to issue a takedown notice, the copyright owner must include a statement, pursuant to 17 USC § 512(c)(3)(A)(v) to the effect that “We have a good faith belief that the above-described activity is not authorized by the copyright owner, its agent, or the law.” The DMCA provides, in §512(f) that a party that abuses the DMCA by, among other things, materially misrepresenting “that material or activity is infringing”, is liable for damages.
The core issue for the court to determine was what meaning to give to the statement required by the DMCA that the copyright owner has a good faith belief that the material at issue is not “authorized. . . by law.” More specifically, the issue was whether the fair use defences in the Copyright Act are merely defences, or whether they are provisions capable of “authorizing” certain uses of copyright protected materials. The Court of Appeal found that “the statute unambiguously contemplates fair use as a use authorized by law.” (at p. 11) It ruled that fair use was only characterized as a defence for procedural purposes. The provision itself declares that “the fair use of a copyright work. . . is not an infringement of copyright.” (Note that in Canada, the fair dealing provisions are framed in a similar manner: “Fair dealing . . . does not infringe copyright. . . “.(see ss. 29-29.2 of the Copyright Act). The Court of Appeals also found that even if fair use were considered an “affirmative defense”, it would still have a different character. The Court concluded that because the fair use provision of the U.S. Copyright Act “created a type of non-infringing use, fair use is “authorized by the law” and a copyright holder must consider the existence of fair use before sending a takedown notification.” (at p. 15)
The Court of Appeal also turned its attention to whether Universal knowingly represented that it believed the video did not constitute a fair use of the copyright protected work. The Court was of the view that Universal had to establish a subjective (rather than an objective) good faith belief that the use in question was not authorized. The Court clarified that a copyright owner that formed a good faith belief that a use was not a fair use would not be liable under the DMCA for sending out a takedown notice. However, “if a copyright holder ignores or neglects our unequivocal holding that it must consider fair use before sending a takedown notification”, it will be liable (at p. 17). The Court also made it clear that any copyright owner who merely ”pays lip service to the consideration of fair use by claiming it formed a good faith belief when there is evidence to the contrary” is still liable (at pp. 17-18). The consideration given to the fair use issue “need not be searching or intensive.” (at p. 18) The Court did not rule out the use of screening algorithms to detect potentially infringing content and even to meet the statutory requirement to consider fair use, although it did not consider the issue in detail as Universal did not claim to have used a screening algorithm in this case.
The Court also indicated that a “willful blindness” theory might be available to determine whether a copyright owner made a knowing misrepresentation of a good faith belief that the activity at issue was not fair use. However, on the facts before it, it ruled that the wilful blindness was not available. To show wilful blindness, a plaintiff would have to establish both the defendant’s subjective belief that “there is a high probability that a fact exists” and that the defendant took “deliberate actions to avoid learning of that fact” (at pp. 20-21) The Court found that Lenz had not met the threshold to establish the first element of that test.
On a final point, Universal had argued that Lenz’s suit must fail because she could not show that she suffered any monetary loss as a result of their actions. The Court of Appeals ruled that a plaintiff in Lenz’s circumstances could seek the recovery of nominal damages.
The decision of the U.S. Court of Appeals is significant. It is handed down in a context in which many feel that copyright holders have been abusing the notice and takedown provisions of the DMCA, effectively using them to suppress otherwise legitimate expression. The Court of Appeal had some strong words for copyright owners, warning them that they “cannot shirk their duty to consider – in good faith and prior to sending a takedown notification – whether allegedly infringing material constitutes faire use, a use which the DMCA plainly contemplates as authorized by the law.” (at p. 25)
Thursday, 06 August 2015 09:57
Data security breaches are frequently in the news, contributing to a growing anxiety regarding the security of the vast stores of personal information held by so many public and private sector organizations in Canada (and abroad). The recent passage of Bill S-4 (The Digital Privacy Act) will impose a data security breach notification requirement on private sector organizations covered by Canada’s Personal Information Protection and Privacy Act. This requirement has yet to come into effect; it awaits the drafting of regulations that will set out the manner and form of breach notifications.
Data security breaches occur in many different ways. While the paradigmatic breach is the malicious intruder who hacks his or her way past corporate firewalls to steal data, this is not the only (or even the most common) form of breach. In many cases, data breaches occur when devices such as USB keys or laptops that contain (often unencrypted) personal data go missing. Whether lost or stolen, it is often impossible to tell whether the data was or will ever be accessed or used. The laptop thief, for example, may have been seeking a laptop rather than the data it contains. Carelessness may take other forms as well; repeatedly faxing sensitive customer information to the wrong fax number is just one example.
The type of breach that perhaps causes the most anxiety for organizations comes from the ‘rogue employee’. Employees of organizations often, of necessity, have a great deal of access to sensitive customer information as a normal part of their duties. Organizations put in place policies regarding access and privacy, and may have other checks and balances within the institution to guard against (or to detect) unauthorized access. Unfortunately, an increasing number of security breaches seem to arise precisely because an employee has accessed personal information in contravention of these policies. This may be done for personal reasons (complicated interpersonal relations following the breakdown of relationships, for example), for financial gain, or for reasons that are not entirely clear. The breaches may affect only one or two individuals, or may be with respect to a significant number of people. Rogue employees are a security weak spot; they already have regular access to the data – all they require is motivation, whether it be personal or financial.
In March 2015, the BC Court of Appeal handed down an interesting decision in a case (Steel v. Coast Capital Savings Credit Union) involving an employee who had wrongfully accessed the personal folder of another employee. The folder was on the company’s server. The case was not a suit for invasion of privacy; the Credit Union for which the employee had worked had fired her following the detection of the breach. The employee had sued for wrongful dismissal, arguing that the penalty of dismissal was too severe given her 21 years of faultless service to the company. The employee worked in the IT department of the Credit Union, and had a high level of access to the company’s systems. She had accessed the personal folder of a manager at the credit union in order to see where she stood on a list setting out priority entitlement to parking. The breach was detected when the manager tried unsuccessfully to access the file at the same time that the employee was looking at the list.
The judge at first instance had upheld the dismissal of the employee, and she had appealed that decision to the Court of Appeal. What the case came down to, in essence, was whether a long-time employee with an excellent record could be dismissed for a one-time accessing of a file in a personal folder of another employee to view a list regarding the assignment of parking spots. The majority of the Court of Appeal ruled that dismissal was an acceptable response. Writing for the majority, Justice Goepel observed that the Supreme Court of Canada made it clear that “dishonesty going to the core of the employment relationship carries the potential to warrant dismissal for just cause.”(McKinley v. BC Tel, at para 57). Such conduct is that which “violates an essential condition of the employment contract, breaches the faith inherent to the work relationship, or is fundamentally or directly inconsistent with the employee’s obligations to his or her employer.”(McKinley at para 48). While other factors (such as length and quality of service) may be relevant, the key issue is whether there has been a fundamental breakdown in the employment relationship. In this case, the Court of Appeal accepted the assessment of the trial judge that the clear breach of internal privacy policies by someone in the position of the appellant employee (whose level of system access created a relationship of trust) led to a “fundamental breakdown of the employment relationship”. (at para 34).
The dissenting justice would have given more weight to the long service of the employee and to the non-critical nature of the information she accessed. Justice Donald also noted that the company policies did not require dismissal for breach of the policies on privacy and access. Disciplinary action could be “up to and including termination of employment”, based on a range of contextual factors which included “the type and severity of the violation, whether it causes any liability or loss to the company, and/or the presence of any repeated violation(s).” (at para 15) He would have found that termination was an excessive consequence on the facts of this case. That this approach was not accepted by the majority of the Court may be an indication that courts are beginning to recognize the broader concerns over the risks posed by “rogue employees” to both their employers (in terms of their potential liability) and to the public.
Monday, 06 July 2015 13:58
The Pan Am/Parapan Am Games are set to open in Toronto on July 10, 2015. As with any other major sporting event, these Games raise the possibility of ambush marketing – a form of marketing activity designed to take advantage of public interest in a high profile event.
Major event organizers (including the International Olympic Committee, FIFA, and others) see ambush marketing as a threat to their ability to obtain top dollar for lucrative sponsorship opportunities, and they have increasingly put pressure on host countries to enact legislation to prevent ambush marketing. This legislation has proven controversial – and for good reason.
If you are interested in ambush marketing and the Pan Am/Parapan Am Games, you can read my blog post on this issue on Osgoode’s IPilogue here.
Thursday, 25 June 2015 12:37
Bill S-4, the Digital Privacy Act has received royal assent and is now law. This bill amends Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA, Canada’s private sector data protection statute has been badly in need of updating for some time now. Although it only came into being in 2001, the technologies impacting personal information and the growing private sector thirst for such data have changed dramatically, rapidly outstripping the effectiveness of the legislation. There have been many calls for the reform of PIPEDA (perhaps most notably from successive Privacy Commissioners). The Digital Privacy Act addresses a handful of issues – some quite important, but leaves much more to be done. In this post I consider three of the changes: new data sharing powers for private sector organizations, data breach notification requirements, and a new definition of consent.
The amendments will also add to PIPEDA data breach notification requirements. This is a change long sought by privacy advocates. Essentially, the law will require an organization that has experienced a data security breach to report the breach to the Privacy Commissioner “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” (s. 10.1) Affected individuals must also be notified in the same circumstances. “Significant harm” is defined in the legislation as including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” A determination of whether there is a “real risk” of these types of harms can be determined by considering two factors spelled out in the legislation: the sensitivity of the information at issue, and the likelihood that it is being misused or may be misused in the future. Any other “prescribed factor” must also be taken into account, leaving room to include other considerations in the regulations that will be required to implement these provisions. The real impact of these data breach notification provisions will largely turn on how “real risk” and “significant harm” are interpreted and applied. It is important to note as well that these provisions are the one part of the new law that is not yet in force. The data breach notification provisions are peppered throughout with references to “prescribed” information or requirements. This means that to come into effect, regulations are required. It is not clear what the timeline is for any such regulations. Those who have been holding their breath waiting for data breach notification requirements may just have to give in and inhale now in order to avoid asphyxiation.
One amendment that I find particularly interesting is a brand new definition of consent. PIPEDA is a consent-based data protection regime. That is, it is premised on the idea that individuals make free and informed choices about who gets to use their personal information and for what purposes. Consent is, of course, becoming somewhat of a joke. There are too many privacy policies, they are too long and too convoluted for people either to have the time to read them all or be capable of understanding them. It doesn’t help that they are often framed in very open-ended terms which do not give a clear indication of how personal information will be used by the organization seeking consent. In this context, the new definition is particularly intriguing. Section 6.1 of the statute now reads:
6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
This is a rather astonishing threshold for consent – and one that is very consumer-friendly. It requires that the individual understand “the nature, purpose and consequences” of the use of their personal information to which they consent. In our networked, conglomerated and big-data dominated economy, I am not sure how anyone can fully understand the consequences of the collection, use or disclosure of much of their personal information. Given a fulsome interpretation this provision could prove a powerful tool for protecting consumer privacy. Organizations should take note. At the very least it places a much greater onus on them to formulate clear, accessible and precise privacy policies.
Tuesday, 23 June 2015 08:16
The Privacy Commissioner of Canada has issued his findings in relation to the investigation of multiple complaints by Canadians regarding the collection, use and disclosure of their personal information by a company based in Romania. The company, Globe24h operates a website which it describes as a “global database of public records”. This global database contains a substantial number of decisions from Canadian courts and administrative tribunals. Some of this content was acquired by scraping court or tribunal websites, or websites such as CanLII. (I wrote about this situation earlier here.)
The problem, from a privacy point of view is that many court and tribunal decisions contain a great deal of personal information. For example, a decision from a divorce case might provide considerable detail about personal assets. Immigration or refugee determination hearings similarly might reveal sensitive personal information. As Commissioner Therrien noted in his findings, the “highly detailed, highly sensitive personal information” found in the decisions that were the focus of the complaints in this case “could have negative reputation impacts (including financial information, health information, and information about children)” (at para 27). Globe24h offers a fee-based service for removal of personal information. A number of the complainants in this case had paid up to 200 euros to have their information removed from decisions in the database.
The Romanian company responded to the investigation by arguing that the Office of the Privacy Commissioner of Canada had no jurisdiction over its activities; and that if it did, Canada’s Personal Information Protection and Electronic Documents Act did not apply because it was engaged in journalistic activities. Alternatively, they argued that they were making use of publicly available information, for which consent is not required under PIPEDA. In this admittedly long blog post, I look at a number of different issues raised in the Commissioner’s findings. You can jump ahead if you like to: Open courts principle and privacy; Extended territorial jurisdiction; Journalism exception; Publicly available personal information; or Crown copyright – the unspoken issue.
The open courts principle – which provides transparency for the justice system in Canada – dictates that decision-makers provide reasons for their decisions and that these decisions be publicly accessible. In the old days, decisions were published in law reports or made available for consultation at court offices. Either way, anyone interested in a particular case had to make some effort to track it down. Decisions were indexed according to subject matter, but were not easily searchable by individual names. The capacity to make court decisions publicly available on the Internet has dramatically increased the ability of the public to access court decisions (and, given the high cost of legal services and the growing number of self-represented litigants, it is not a moment too soon). However, public availability of court decisions on the Internet can raise significant privacy issues for individuals involved in litigation. There is a big difference between accepting that a court decision in one’s case will be published in the interests of transparency and having one’s personal information sucked up and spit out by search engines as part of search results unrelated to the administration of justice.
The main response to this problem to date (from the Canadian Judicial Council’s 2005 Model Policy for Access to Court Records) has been for courts to require the use of technological measures on court websites (and on websites such as CanLII) to prevent search engines from indexing the full text of court decisions. This means that those searching online using a particular individual’s name would not find personal details from court proceedings caught up in the search results. However, these licence terms are only imposed on entities such as CanLII. The general copyright licences on court websites place no such restrictions on the reproduction and use of court decisions. Of course, placing restrictions on the searchability/usability of published decisions can also be a barrier to their innovative reuse. A better approach – or at least a complementary one – might be to be more restrained in the sharing of personal information in published decisions. This latter approach is one recommended by the Office of the Privacy Commissioner of Canada for administrative tribunals. It is unevenly adopted by courts and tribunals in Canada.
While the open courts principle and how Canadian courts and tribunals implement it are relevant to the problem in this case, the Commissioner’s decision does not address these issues. The complaints focussed on the activities of the Romanian company and not on how courts and tribunals manage personal information. Nevertheless, this issue is, to a large extent, at the heart of the problem in this case.
Under basic international law principles, countries cannot apply their laws outside of their own borders. So how could Canadian law apply to a Romanian company’s activities? The answer lies in what some co-authors of mine and I call extended territorial jurisdiction. This arises where activities outside a country’s borders are nonetheless closely connected to that country. After receiving over 20 complaints from Canadians regarding the hosting of their personal information on the Globe24h website, the Privacy Commissioner chose to apply Canada’s PIPEDA to the Romanian company. He did so on the basis that the company was collecting, using and disclosing personal information in the course of commercial activities (key triggers for PIPEDA’s application) and that its activities had a “real and substantial connection” to Canada. This connection was found in the fact that the company chose to include Canadian court and tribunal decisions in its database; that it sourced this material from websites located in Canada; that it accepted requests from Canadians to remove their personal information from its databases; and that it charged Canadians a fee to perform this service. While the company would be subject to Romanian data protection law in general, the Commissioner did not see this as an impediment to applying Canadian law in the specific circumstances. He noted that “It is commonplace in today’s global environment that organizations with an online presence may be subject to data protection laws in multiple jurisdictions depending on the nature of their activities.” (at para 100)
This approach is consistent with that taken by the Office of the Privacy Commissioner of Canada since the Federal Court handed down its decision on this point in Lawson v. Accusearch Inc. Of course, taking jurisdiction over a party in another country and being able to enforce outcomes in accordance with Canadian law are separate matters. In any event, the Privacy Commissioner is relatively toothless even within Canada; in the case of offshore companies any positive results depend largely upon a respondent’s willingness to cooperate with investigations and to change their practices with some gentle nudging. In this case, there seems to be a change of practice on the part of Globe24h, although the extent and durability of this change remain to be seen.
I have previously written about the rather broad and open-ended exception to the application of PIPEDA to the collection, use or disclosure of personal information for “journalistic purposes”. Journalism is capable of a fairly broad interpretation, and in an era of disintermediated information and commentary, a broad approach to this exception is warranted. This may be even more so the case given the Supreme Court of Canada’s recent admonition that privacy laws must be balanced with the freedom of expression. However, an overly broad approach could exclude large swaths of activity from the scope of PIPEDA.
In this case, Globe24h argued that by providing a database of legal information it was entitled to benefit from the journalistic purposes exception. The Commissioner adopted a definition of “journalism” put forward by the Canadian Association of Journalism (CAJ). According to this definition journalism is an activity that has as its goal the communication of information, in a format that has “an element of original production” and that “provides clear evidence of a self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation.” (at para 52). The definition is interesting, but it may be under inclusive when it comes to balancing freedom of expression and privacy. This remains an open question. Using this definition, the Commissioner found that the database of public records compiled by Globe24h was not journalism. In particular, he was of the view that the purpose of the database was to generate revenue from different means, including charging individuals who wish to have their personal information removed. He also found that the database did not embody the “original production” required in the CAJ’s definition, and concluded that “Globe24h is republishing information already available online through Canadian court and tribunal websites in a manner that enables the information to be located by search engines, which would not otherwise be possible, so as to profit from individuals’ desire to have this practice stop.” (at para 66).
While there may be an argument that this website does not serve journalistic purposes, the analysis here relies heavily upon the Commissioner’s conclusion that the site’s primary motivation is to derive revenue from individuals who are concerned about their privacy. It is not clear whether, without that element, he would have found that the journalism exception applied. The importance of this poorly worded exception – and the potential of narrow interpretations to conflict with the freedom of expression – leaves one wishing for clearer guidance.
Globe24h also argued that it made use of publicly available personal information. PIPEDA expressly permits the collection, use and disclosure of such information without consent so long as it is used for the purposes for which it was collected and made publicly available. According to the Commissioner, the purpose for which the court decisions were made publicly available was “to promote transparency in the judicial system” (at para 93). He also went on to state that “the purpose for publishing court findings online does not include the association of such findings with individuals’ names in online search results.” (at para 92). The point here, I think, is that the search engine indexing shifts uses of this information away from transparency and towards data mining or snooping; the latter are not consistent with the purposes for which the information was made publicly available.
However, it should be noted that in this case, the assessment of purpose drifts into how the information might be accessed or manipulated by third parties –not by the respondent. This is rather tricky territory. It is a kind of secondary liability in the data protection context: court decisions are made publicly available to anyone around the world; the respondent creates a database that aggregates court decisions from multiple jurisdictions and makes them available. In doing so it enhances the searchability of the decisions by freeing them from technological restrictions. Has it done anything to take it outside the exception? Is the possibility that this new searchability might lead to improper uses of the information by others enough to find that the use does not fall within the exception? My point here is that the problem of excessive personal information in published court decisions seems to be pushed onto those who publish this information (and who thus facilitate the open courts principle), rather than resting with the courts who perhaps should be more careful in deciding what personal information is required to serve the open courts principle and what information is not.
In Canada, court and tribunal decisions are covered by Crown copyright. This lies behind the courts’ ability to dictate licence terms to those who publish these decisions. Recent amendments to the Copyright Act also make it an infringement to circumvent technological protection measures on copyright protected works. Had the Romanian website been publishing court decisions in contravention of the user licence provided by court websites or circumventing court-mandated technological protection measures that blocked the indexing of the court decisions by search engines, then the courts themselves might have sought takedown of these materials or insisted upon compliance with their licence terms. These terms, however, do not appear in the licence for federal court decisions, for decisions of Ontario superior courts, or for decisions of the BC Supreme Court – and this is just a sample. Whether courts should use copyright restrictions to protect privacy values is an interesting question, particularly in an era of increasingly open government. Whether it is realistic or feasible to do so is another good question – if it is not then the privacy issues must be addressed at source. In any event, it may be time for the CJC to revisit its digitally archaic 2005 policy.
The individuals affected by Globe24h turned to the Privacy Commissioner for help when they experienced privacy invasions as a result of the company’s activities. They found a sympathetic ear, and the Commissioner may have achieved some results for them. One can ask, though, where the courts and tribunals have been in all of this. As noted earlier, they should take the lead in addressing privacy issues in their decisions. In addition, while Crown copyright may be an anachronism with the potential to limit free speech, as long as the government clings to it in the face of calls for reform it might consider using it on occasion in circumstances such as these, where inadequate measures designed to protect privacy have failed Canadians and something more is required.
Tuesday, 26 May 2015 07:05
It’s a busy week for Open Government and Open Data in Ottawa. All week long conferences and workshops are taking place in the capital around the theme of open government. Yesterday’s Open Data Summit, hosted by organized by Open North, drew a good-sized audience of developers, public servants and academics from Canada and elsewhere. Later this week, the 3rd international Open Data Conference will unfold. There is also an open data Unconference on May 26.
The meetings are creating a buzz around open data – a practice that is spreading through all three levels of government in Canada. The Canadian government and provincial leaders such as Alberta and British Columbia have open data portals where government data sets are made available in machine readable formats for reuse by anyone under an open licence containing very few restrictions. Many municipalities, including Vancouver, Ottawa and Toronto have also embraced open data. The City of Edmonton, a leader in this area was given an open data award at the Open Data Summit.
Other recent developments of note relating to open data include the call for comments by the Ontario Government on its new plan for Open Data by Default. The draft document is made available to the public on Google docs. Anyone can visit and leave their comments or can view the many comments of those who have already visited the document. The document also contains, in an appendix, the open licence which the Ontario government will use in relation to its data. The licence is based upon the open government licence developed by the federal government.
Also of note is the rather low-profile launch by the federal government of the ODX. The creation of this open data incubator organization is part of the government’s Action Plan on Open Data, and funding to launch this institute was announced last week.
Meanwhile, the Geothink research team of which I am a part (funded by a Partnership Grant from the Social Sciences and Humanities Research Council of Canada) continues its work on open-data related research. Ongoing projects relate to open data standards, liability issues, privacy, intellectual property, civic participation, and much, much more. Several Geothinkers are attending and participating in this week’s Ottawa events.
Canadian Trademark Law
Published in 2015 by Lexis Nexis
Electronic Commerce and Internet Law in Canada, 2nd Edition
Published in 2012 by CCH Canadian Ltd.
Intellectual Property for the 21st Century
Intellectual Property Law for the 21st Century: