Sometimes legislative or regulatory definitions create ambiguity rather than clarity. The definition of “family relationship” in the draft Industry Canada regulations regarding Canada’s Anti-Spam Legislation (CASL) is a case in point.

CASL is not yet in force. When it comes into force (no date set yet as of the date of this post), CASL will provide exemptions for a commercial electronic message (CEM) sent to a recipient with whom the sender has a “family relationship”. CASL typically requires express opt-in consent to CEMs and requires CEMs to contain prescribed information, including an unsubscribe mechanism. Those requirements won’t apply to CEMs to “family relationship” recipients.

What constitutes a “family relationship” for the purposes of CASL has been left to Industry Canada. The draft regulations did not disappoint for complexity, adopting, in part, definitions from Canada’s Income Tax Act. Does the complexity deprive the exemption of utility? Possibly. Take the question of whether your sister’s boyfriend will be able to send you his monthly business newsletter (without first getting your consent). If he wants to use the family relationship exemption, its availability seems to depend on where your sister and her boyfriend live in Canada, whether they are in a conjugal relationship, and how long they have lived together in that conjugal relationship! Or, in some cases, it might be relevant whether they have a child.

The draft Industry Canada regulations released in December 2012 contained the following definition:

“family relationship” means the relationship between individuals who are connected by

(i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or is of collateral descent from the other individual’s grandparent,

(ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,

(iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual, or

(iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual;

So, an electronic newsletter from your sister’s boyfriend could be exempt if you and your sister’s boyfriend are in a “family relationship”. You will be in a “family relationship” with your sister’s boyfriend, according to the draft regulations, if your sister and her boyfriend are in a common law partnership, since (taking the ordinary meaning of “sister”) you would be connected by a blood relationship to your sister.

The draft regulation assumes that there is something easily identifiable as a “common law partnership” in Canada. That’s an assumption worth examining.

Typically, whether an intimate or interdependent relationship is recognized as having marriage-like qualities depends on provincial legislation. When Canada’s Parliament wishes to impose a uniform definition, it does so through a defined term. For example, subsection 248(1) of the Income Tax Act defines a “common-law partner” as two people who are cohabiting in a conjugal relationship for a continuous period of at least one year. (To make matters complicated, there is another definition involving persons who have a child.)

Provinces also define types of de facto marriage relationships for specific purposes, typically family law support obligations. However, the term “common law partnership” is not a term of legal art.

In Ontario, for example, section 29 of the Family Law Act recognizes individuals as spouses of one another for certain family support obligations if they have lived in a conjugal continuously with one another for a period of not less than three years or are the natural or adoptive parents of a child and are living in a relationship of “some permanence”.

By contrast the period of conjugal relationship in subsection 3(1) of the British Columbia Family Law Act is two years.

By further contrast, the Alberta Interdependent Relationships Act recognizes interdependent relationships of three years or more but there is no necessity for the relationship to have a conjugal element.

In yet another variation, individuals may simply register their relationship as common law under the Manitoba Vital Statistics Act.

So what definition of common law partnership will be read into CASL? Family law where the couple lives? The commonly used federal legislative definition? Something else developed by the regulators or the courts?

The sky won’t fall, of course. There is also a “personal relationship” exemption. The proposed definition for this exemption is very broad. However, it does require direct, voluntary, two-way communications and enough factors to suggest that the relationship is personal. Relevant factors include whether there are shared interests, experiences, opinions and information “evidenced in the communications, the frequency of the communication, the length of time since the parties communicated and if the parties have met in person”. So, the exemptions may not quite overlap.

the Office of the Privacy Commissioner of Canada (OPC) has announced that the Federal Trade Commission, the UK Information Commissioner’s Office, the OPC and the Office of the Information and Privacy Commissioner for British Columbia and 15 other enforcement authorities worldwide are participating in an “Internet Privacy Sweep“.

The first sweep takes begins today and continues for a week during which the enforcement agencies will focus on Privacy Practice Transparency.

In Canada, the Commissioners will be reviewing websites to determine whether they have a privacy policy and how difficult it is to locate. The Commissioners will also examine privacy policies to determine whether they contain contact information and to assess the readability of the disclosure.

Canada’s Anti-Spam Legislation (CASL) restricts the ability of organizations to send commercial electronic messages without the consent of the recipient.

A critical step in the decision tree is, therefore, to determine what constitutes a “commercial electronic message”. Here’s the definition of a “commercial electronic message” in subsection 1(2) of CASL:

(2) For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that

(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;

(b) offers to provide a business, investment or gaming opportunity;

(c) advertises or promotes anything referred to in paragraph (a) or (b); or

(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.

When designing a compliance policy, care must be taken not to consider the items listed in (a) to (d) as being exhaustive. Instead, the critical part of the definition is the portion that is bolded –that is, “it would be reasonable to conclude [that the message] has as its purpose, or one of its purposes, to encourage participation in a commercial activity”.

“Commercial activity” is broadly, albeit ambiguously defined in subsection 1(1). A commercial activity does not require profit-making or even a profit-making motive. It involves any transaction, act or conduct or regular course of conduct that is of a “commercial character”.

The difficulty for organizations, particularly non-profit organizations, is that determining what is of a “commercial character” is not straightforward. Indeed, this seems to be acknowledged by the need to expressly exclude such activities as law enforcement, public safety, the protection of Canada and the conduct of international affairs or the defence of Canada.

Historically, Canadian courts have interpreted “commerce” as any activity involving the exchange for money, or by barter, of products. The debate has been whether a one-off transaction would be considered commerce. CASL seems to suggest that even a one-off transaction could be commerce, given the reference to a “particular” transaction, act or conduct. In the context of CASL, any electronic message that “encourages participation” in a commercial activity will be a CEM.

If a broad scope is given to the meaning of “commercial character”, the definition may sweep in many types of messages that would not be commonly understood as such. For many organizations, branding is critical. Emails will frequently include at least some form of information to invite the reader to visit a website for a hyper-link or announce or promote a product or service. Once CASL comes into force, it will be important for organizations to have strict controls over the content of electronic messages and approvals for content. Choices may need to be made between promotional “add-ons” and ensuring consent is obtained or the organization has a viable exception to consent.

There are a number of curious features to the Privacy Notice splash page for Canada’s new online tool for making access to information (ATIP) requests.

The online tool is certainly a welcome development and nothing in this post is meant to detract from that important effort. However, there are a number of issues raised by the Privacy Notice accompanying the tool that are worth considering and debating when considering how to structure and implement privacy notices.

1. Transparency

The online tool contains a “Privacy Notice” on the first page that is more than 530 words long. That doesn’t include all of the information that the reader is directed to by way of hyperlinks or references.

Personally, I don’t think 530 words even when combined with hyperlinks is excessive, although it should be borne in mind that this is for a single tool on a single portal!

What is curious is that the Privacy Notice is not the totality of the privacy terms. There are also “Terms and Conditions” in the footer of the webpage. However, there is no indication in the Privacy Notice that those Terms and Conditions might also contain a “privacy notice”, which is different from and contains additional information regarding information collected by users of the website.

So here’s the question – should all privacy information be in one place? If you split it up, should you be sure to cross-reference it? Would anyone be misled into thinking the Privacy Notice was all there is, given its prominence?

2. Express Consent

Another interesting feature is that the user must also expressly click wrap his or her agreement to the front page Privacy Notice by checking a box that states:

I have read, understood and agree with the above Privacy Notice.

Why must the user expressly agree to the Privacy Notice?

This is not a feature of the paper form, nor is it a feature of the Terms and Conditions, which also contains a “privacy notice”.

What does the express agreement to some, but not all, of the “privacy terms” accomplish? Does the “express consent” feature of the Privacy Notice splash page give a user the false sense that this is all there is?

3. Details

Another interesting feature of the Privacy Notice is that the Privacy Notice leaves the user to figure out his or her legal rights. The Privacy Notice is plainly worded, but much of the detail is in the hyperlinks or in clauses that are external to the Privacy Notice. Of course, the Privacy Notice is not governed by the federal Personal Information Protection and Electronic Documents Act and so we aren’t really comparing apples to apples if we are comparing the Privacy Notice to what you might find in the private sector. However, the following examples are worth considering:

• Retention. The user is told that personal information ”will be kept for the period of time identified in standard Personal Information Bank PSU 901 (Access to Information and Privacy).” The hyperlink isn’t particularly illuminating. If the user accesses it, the user will be told:

For information about the length of time that specific types of common administrative records are maintained by a federal government institution, including the final disposition of those records, please contact the institution’s Access to Information and Privacy Coordinator.

• Disclosure. The user is told that information “may be shared with other organizations only in accordance with paragraph 8(2) of the Privacy Act.” A hyperlink elsewhere in the Privacy Notice takes the user to the whole of the Privacy Act. From there, the user is on his or her own. That would be like a private sector entity saying. We disclose your information in accordance with s.7(3) of PIPEDA – here’s a link to the Act – figure it out.

That’s not to say that the Privacy Notice isn’t an improvement over the paper form. The paper form does not even disclose to the user the handling practices of the user’s personal information once the form is submitted. All the paper form states is:

The personal information provided on this form is protected under the provisions of the Access to Information Act and the Privacy Act.

Is this disclosure adequate? Are private sector organizations just over-complicating matters?

4. Security

There is one last interesting feature of the Privacy Notice. Apparently, if “you are concerned about the confidentiality of information, including your personal information, in transit, you should consider sending it directly to a government institution by secure means.” The recommendation? Mail. This seems to be an odd thing to say, given that the portal to make the online request is supposed to be a secure portal with 128 bit encryption.

Thoughts?

Transition periods for new legislation are often critical in taking the sting out of compliance costs. But some transition periods are better than others. In the case of Canada’s Anti-Spam Legislation (CASL), organizations should consider the transition periods – not only what the cover, but also what they don’t. There are definitely winners and losers.

When CASL eventually comes into force, there will be two separate transition periods. The first is for consent to commercial electronic messages (CEMs) and the other is for the installation of computer programs. This Spam Smart Tip examines the transition period for CEMs and existing business relationships.

Section 66 provides for implied consent to CEMs for the shorter of:

• three years after the coming into force of the legislation; or

• the recipient’s “unsubscribe” or indication that they no longer.

An organization may relied on the transitional implied consent to CEMs if:

• the person has an “existing business relationship”; and

• that relationship includes CEMs

What’s an “existing business relationship”? For the purposes of the transition period, the existing business relationships that will be applicable to most enterprises are ones that arises out of:

• the purchase or lease of a product, goods, a service, land or an interest or right in land by the person to whom the message is sent from the person who sent the message or caused the message to be sent (the “purchaser / lease exception”);

• the acceptance by the person to whom the message is sent of a business, investment or gaming opportunity offered by the person who sent the message or caused the message to be sent (the “investment / gaming opportunity exception”);

• a written contract entered into between the person to whom the message is sent and the person who sent the message or caused the message to be sent (and that is not already covered by the purchaser / lease exception or the investment / opportunity exception);

• an inquiry or application made by the person to whom the message is sent to the person who sent the message or caused the message to be sent regarding the purchaser / lease exception or the investment / gaming opportunity exception.

Usually, there is a sunset provision for an existing business relationship under CASL. For example, an existing business relationship in respect of an inquiry or application ends 6 months after the inquiry or application for the purposes of implied consent for any new relationships after CASL comes into force. But that isn’t the case for those existing at the time of CASL coming into force. The sender may rely on implied consent for three years.

This is a significant transition period. Three years is a long time to refresh consents for existing business relationships and existing non-business relationships. Organizations may wish to consider this in planning priorities in their compliance strategy.

However, the story isn’t uniformly a good news one. Organizations should also carefully review the scope of the relationships captured by the transition period. The definition of an existing business relationship certainly does not cover the field of relationships that enterprises may have with individuals to whom they send CEMs. Notably, the transition period may not be of assistance to professions or enterprises with very long lead times to make sales.

The House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled its Report, entitled “Privacy and Social Media in the Age of Big Data” on April 23, 2013.

The report is the result of 15 meetings of the Committee and 30 witnesses between May 29, 2012 and December 11, 2012. The Committee’s Report summarizes the witness’s testimony but doesn’t suggest any legislative response. Some issues are punted to the Office of the Privacy Commissioner of Canada (OPC) to establish guidelines. Other issues, such as children’s privacy interests, enforcement powers of the OPC, Do Not Track and “privacy as the default” are discussed but the Committee offers no recommendations.

OPC’s Homework

The Committee may not have had advice or solutions on many of the issues, but it was ready to recommend that the OPC develop more guidelines. Among the guidelines that the Committee wishes to see the OPC develop are:

• Guidelines for social media and data management companies regarding accountability and openness

• Guidelines for drafting policies, agreements and contracts in clear, accessible language that facilitates meaningful and ongoing consent

• Guidelines for mechanisms to ensure individuals have access to personal information held by them, mechanisms to limit how long information could be held, and mechanisms to facilitate deletion of information

Protection of Children

Although the Committee recognized the special issues of obtaining informed, meaningful consent and protecting children on the Internet, there were no calls by the Committee for a U.S.-style Children’s Online Privacy Protection Act (COPPA). Instead, the Committee simply recommended that the Government of Canada and social media companies “continue to provide support to organizations that provide education and training on digital activities and privacy.” The Committee also urged social media companies to promote safe online environments that are protective of the privacy interests of children and young persons.

No Comment on Enforcement Powers for the OPC

Intriguingly, after reviewing the competing perspectives on increasing the enforcement powers of the Office of the Privacy Commissioner, the Committee ducked the issue by stating that the Committee hoped the discussion would be of benefit to future legislative review:

“The evidence presented to the Committee demonstrates the competing views regarding the enforcement powers of the Privacy Commissioner. On the one hand, the current model facilitates the constant flow of information and good will between the private sector and the Privacy Commissioner, and has proven effective in ensuring that this relationship remains cordial and non-adversarial. On the other hand, much can and has been said regarding how the current model favours self-regulation and is not adequately prepared to ensure compliance when self-regulation fails. The Committee hopes that this valuable discussion will be of benefit to any future legislative review in this regard.”

Many will be disappointed, no doubt, with the lack of substance to the recommendations. No doubt we will hear more in the coming weeks as Canada’s approach is compared and contrasted with the U.S.’s recent  revamp of COPPA Rules and the U.S. Commerce hearings on Do Not Track.

Have you heard about the Internet of things? If it is industry’s great opportunity, it might be the Privacy Officer’s brainteaser over the next few years.

Increasingly objects are becoming “smart”. No human intervention is required to record and communicate data, permitting otherwise unconnected objects to interact with one another.

Objects are being embedded with a variety of sensors. These objects collect information about their environment, their operation, and their interaction with other objects. These devices can communicate with each other and with databases through wireless networks. All the of data that these objects collect and produce becomes fodder for analysis in Big Data projects for understanding complex systems.

Even though human intervention is not required; individuals are often interacting with those objects in some way, such that the information is, at least in part, about those individuals.

As the Federal Trade Commission (FTC) puts it:

“Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. The devices can provide important benefits to consumers: they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable pose privacy and security risks.”

For that reason, the FTC is holding a workshop on November 21, 2013 to study the Internet of Things.

FTC will accept submissions on the implications of these developments through June 1, 2013.

Our New Look and International Legal Practice

Welcome to the new look for DataGovernanceLaw.com. Fraser Milner Casgrain (FMC) has become Dentons Canada LLP, and has joined Salans and SNR Denton to form Dentons, an international legal practice. For more on Dentons, visit www.dentons.com.

We are now working together with 2,500 talented lawyers and professionals in 79 locations in 52 countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US.

Two Blogs!

This blog will continue to bring you developments in data governance law, including privacy, e-commerce and consumer protection topics that we think are interesting to you, with a Canadian spin.

We also invite you to visit our sister blog at www.privacydatasecurityblog.com, which will provide you with coverage and commentary from an international perspective on privacy and data security.

What does the future hold in store?

We have always covered international legal developments on this blog because e-commerce and m-commerce are not confined to geographical boundaries and because there is much to be learned from other jurisdictions in this evolving area of the law. I am personally delighted to join our colleagues from the former Salans and SNR Denton. Together, we will be able to provide you with insights regarding best practices in privacy and security and insights regarding data governance from around the world.

Over the coming months, we will be combining our blogs. These are exciting times. I look forward to sharing them with you.

I recently had the pleasure of presenting on privacy and security issues in mobile e-commerce (“M-Commerce”) at the 7th Managing Privacy Compliance Seminar organized by Federated Press.

In my presentation, I described some important issues to consider in designing privacy compliance programs for mobile e-commerce. The topics included:

• Main takeaways from recent Canada and U.S. guidelines
• Dealing with Address Book Information
• Online Behavioural Tracking and Analytics
• Geolocation Data
• Collecting Information from Children
• Transparency and Accountability in Design
• Consent, Representations and Disclaimer

Learn more by viewing the Slideshare presentation below.

Privacy and Security in Mobile E-Commerce

On February 22, 2013, the Office of the Privacy Commissioner of Canada (OPC) released a summary of findings in two cases arising out of inappropriate sharing of information between two summer camps about a child following an online application for a summer camp spot.

The issue arose when the child’s legal guardian completed an online application for a position at a camp. The child had spent the previous two summers at a different camp. The OPC report of findings notes that the child is disabled. During the online application process, the legal guardian accepted an “Additional Agreement”, which, according to the OPC, provided that “camp directors, at their discretion, could use the information supplied in applications for any means.”

The prospective camp contacted the first camp and asked questions about the child’s history at the previous camp and the level of support that the child required as a camper. The exchange came to light when the prospective camp allegedly refused the child’s application on the basis that the child could not be supported at the camp and that the “child’s disabilities would not be fair to other campers.”

Although the camps claimed that sharing of information about children was commonplace in order to assure that campers have a successful summer, the camps were members of the Ontario Camps Association, which adheres to a Code of Professional Ethics, requiring camps to adhere to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The previous camp did not obtain any form of consent to the disclosure of a child’s application history or experience at the camp. This was a fairly open and shut violation of the requirement of PIPEDA to obtain consent to the disclosure of personal information.

However, the prospective camp defended against the complaint on the basis that the legal guardian had consented to the collection, use and disclosure of personal information about the child when the legal guardian accepted the “Additional Agreement”.

Not so, found the OPC.  The “Additional Agreement” was too general and overly broad to obtain meaningful consent to the collection, use and disclosure of personal information.

“This Office does not share the view of the first camp’s director that the complainant’s consent was obtained by her agreeing to the terms of the application she submitted, including the terms of the application’s “Additional Agreement”. We examined the application as well as that organization’s privacy policy and believe that the general statements regarding how the information supplied is to be used are overly broad and not sufficient to obtain consent to collect personal information from a third party as part of the enrolment process.”

The prospective camp made four errors:

• The prospective camp used information in the application to conduct a background check on the child by contacting the previous camp.

• The prospective camp disclosed information to the previous camp in order to elicit information about the child.

• The prospective camp collected information from the previous camp.

• The prospective camp used the information from the previous camp in order to evaluate the child’s application.

The OPC findings with respect to the previous camp, can be found here. The OPC findings with respect to the prospective camp can be found here.

The Federal Trade Commission (FTC) released a Staff Report on February 1, 2013, entitled “Mobile Privacy Disclosures: Building Trust Through Transparency.” The FTC Staff Report follows on the heels of earlier recommendations by the California Attorney General (AG), released in January, in a report entitled “Privacy on the Go: Recommendations for the Mobile Ecosystem.”

The FTC Staff Report is particularly notable for articulating a gatekeeper function for platform providers in the mobile app ecosystem. The Staff Report and the California AG Recommendations recognize that there are distinct players in the mobile app market – platforms that provide the operating system and marketplaces; developers of the apps; and advertising networks. Each of the FTC Staff Report and the California AG Recommendations target these different players with recommendations.

However, it appears that FTC Staff see the platform providers as particularly amenable to regulation because they are the focal point for the interface between users and app developers.

“[…] platforms such as Apple, Google, Amazon, Microsoft, and Blackberry are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving privacy disclosures.” (FTC Staff Report, p. 14)

FTC Staff asserted that the platforms “use the plethora of apps offered on their devices as a significant marketing tool” (p. 14). The inference appears to be that the platforms have fair trading obligations to ensure that the apps they distribute meet privacy standards.

As gatekeepers, FTC Staff want platform providers to:

• Require developers to make privacy disclosures;

• Enforce privacy disclosure standards;

• Educate developers on privacy issues;

• Be responsible for providing “just-in-time” disclosure for the collection of geolocation data and other sensitive data;

• Be responsible for obtaining consent for the collection of geolocation data and other sensitive data;

• Develop a “dashboard” to allow consumers to review what types of content is being accessed by Apps on their devices;

• Develop icons to notify the user of the transmission of user data;

• Establish a do-not-track (DNT) option at the platform level to allow consumers to make a one-time choice; and

• Provide consumers with disclosure regarding the extent of review that the platform undertakes prior to making the app available as well as any compliance checks or reviews after the app is made available on the platform’s market store.

The approach to platform providers as a potential gatekeeper and enforcer is different from that California AG’s report, which focused on the educational role that platform providers could play.

Other highlights from the FTC Staff Report and the earlier California AG Recommendations are:

• DNT or bust? FTC Staff continue to call on the industry to develop a “DNT mechanism that would prevent an entity from developing profiles about mobile users” (FTC, p. 21). The DNT mechanism must be (i) universal, (ii) easy to find and use, (iii) persistent, (iv) effective and enforceable, and (v) apply to more than just advertisements (FTC, p. 21).

• “Just-in-Time” and “Surprise Minimization”. The FTC Staff Report emphasizes “just-in-time” or contextual disclosure and obtaining express affirmative consent at the point in which it is going to matter to consumers – that is, just prior to collection (FTC, p. 15). The California AG’s basic approach is to “minimize surprises to users”. The emphasis is on clearer, shorter notices. Organizations should not rely on privacy policies alone but also supplement those notices with alerts delivered “in context and just in time” (AG, p. 5).

• Icons – but which ones? Privacy icons are the future; however, FTC Staff want to see consumer testing to ensure efficacy (FTC, p. 16).

• Privacy by Design. The California AG continues to emphasize privacy as the default and the limiting of collection, use and retention to what is necessary to complete the function for which the data was required (AG, p. 9).

On Data Privacy Day (January 28), the Canadian Radio-television and Telecommunications Commission (CRTC) amended its notice regarding a mandatory code for wireless services and invited Canadians to comment on the proposed provisions. A hearing on the wireless code is scheduled for February 11, 2013.

There are a number features of the wireless code that are particularly interesting from a privacy and data security perspective:

• The CRTC is suggesting that consumer be “provided with a personalized summary of how key terms and conditions” of a contract would apply to that consumer prior to the consumer entering into the agreement. In addition, the code would also mandate upfront, clear and concise disclosure privacy policies.

• The CRTC is also suggesting that the consumers would have recourse to make a complaint to the Commissioner for Complaints for Telecommunications Services (CCTS). It is unclear whether this might include complaints with respect to the privacy disclosures of the wireless services provider and, if so, whether the CCTS could order monetary compensation.

• The CRTC would mandate that consumers be offered an online tool to allow the consumer to monitor the balance of included usage allowances and any additional fees during a billing cycle. Consumers would also be entitled to obtain a usage alert at 50% and 100% of billing cycle limits, which would be an amount set by the consumer or $50.

The U.S. Federal Trade Commission (FTC) announced on Data Privacy Day (January 28) that it had reached a settlement with a cord blood bank in respect of the loss of nearly 300,000 customers’ personal information. The lost data included contact information, social security numbers, credit and debit card account numbers, drivers’ licences, banking information, and medical information. The information had been stored on unencrypted backup tapes, an external hard drive and a laptop that were stolen from a backpack left in an employee’s car for several days.

In the statement of allegations, the FTC alleged that the blood bank misrepresented that it maintained reasonable and appropriate practices to protect consumers’ personal information from unauthorized access. The proposed settlement involves an order prohibiting future misrepresentations and requiring the cord blood bank “to establish and maintain a comprehensive information security program that is reasonable designed to protect the security, confidentiality, and integrity of personal information collected from or about customers.” The proposed settlement also requires the organization to submit to independent privacy assessments for a period of 20 years.

Although the FTC settlement concerns an incident in December 2010, the use of unencrypted portable storage devices to transport personal information appears to continue to be an all too common phenomenon. In Canada, there has been a string of cases in which government custodians in Canada have lost control of unencrypted storage devices containing personal information.

The FTC settlement is a cautionary tale. Many organizations assert that they take appropriate administrative, technological and physical security precautions regarding the protection of personal information. If the risk of loss of data is not a sufficient reason to stop the practice of using unencrypted portable storage devices, the FTC settlement is a reminder that there is the potential for prosecution or liability for misrepresentation in using a manifestly unsafe data transfer method.

The FTC settlement is equally instructive for Canadian organizations. Even though, to date, the approach of the FTC in relying on consumer protection provisions regarding unfair trade practices and misrepresentations has not taken root in Canada, Canadian organizations may wish to consider that Canadian common law and consumer protection legislation also prohibits misrepresentations and unfair and deceptive practices – quite apart from compliance with privacy legislation.

As I mentioned in an earlier post, the Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (DPA) announced the results of their coordinated investigation into a mobile messaging platform that allows users to send and receive instant messages over the Internet.

In addition to the issue of the use of address book information, the OPC raised concerns regarding status update broadcasts.

The app requires a user to enter a status update. The OPC reported that standard messages include “available”, “busy”, “at school”, “at work”, “sleeping”, “in a meeting” and “urgent calls only”. Users may also personalize status updates using 139 characters. The status field must be populated. However, the user could use emoticons or meaningless combinations of characters.

The status update is visible to every other user with the user’s phone number in his or her address book. There is no method to limit broadcasts. As the OPC put it:

[51]. In contrast to some social networking platforms which allow an individual to limit or control the broadcast of status submissions to only certain people, status messages shared using the WhatsApp messenger service are, by design, broadcast to all WhatsApp users who have the broadcasting user’s telephone number in their contact list. As such, a sender may not have knowledge of the identity of all those application users who may be receiving or monitoring the sender’s status messages. Any individual, whether for friendly or nefarious purposes, may track a user’s status, so long as that individual has the message sender’s telephone number.

It should be noted, however, that the app did permit users to block other users. A status would not be seen by a blocked user.

The OPC concluded that the status information was personal information because the information might be used alone or in combination with other data to render an individual identifiable.

Notwithstanding that the status information was being broadcast within the app to other users of the app, as disclosed in the privacy policy, the OPC concluded that the app provider needed to obtain more meaningful consent to the collection, use and disclosure of that status information.

The OPC distinguished the app from micro-blogging platforms because unlike a micro-blogging platform, the the app was primarily marked as a SMS replacement. As the OPC put it, the app conveyed “the general impression that such messages are being shared only with those people the user knows”.

Given the lack of granular user controls to limit the sharing of the status update, the OPC recommended real-time notification. However, the OPC conceded that users should be given control over notification prompts.

This decision provides an illustration of the OPC’s concern that meaningful consent in the mobile environment may require notice and consent contemporaneous with collection and disclosure as well as in stand-alone privacy policies.

The Office of the Privacy Commissioner of Canada (OPC)  announced the results of an investigation into a mobile messaging platform that allows users to send and receive instant messages over the Internet. The OPC coordinated its investigation with the Dutch Data Protection Authority (DPA). Commissioner Stoddart has previously stated that coordinated enforcement is a priority of the OPC.

The OPC found that the mobile app was not compliant with the Personal Information Protection and Electronic Documents Act (Canada) in respect of how it handles address book information. Once a user consents to the app using the user’s address book information, telephone numbers are uploaded to the providers’ servers using SSL/TLS encryption. This may occur up to two times a day or when a manually refreshes. Telephone numbers that are correlated to other users are retained in clear text by the provider. These are “in network” numbers to which instant messages could be sent.  Telephone numbers that are not associated with other users of the app are not discarded. Instead they are retained in a hashed format. These are “out of network” numbers.

The OPC raised a number of concerns:

• Users could not (as a general rule) manually add and amend contacts. Instead, as a condition of using the service, a user had to provide access to his or her complete address book.

• The app retained out of network numbers (that is, information of non-users). The fact that the out of network numbers were hashed was not sufficient to justify the retention.

• The anonymization technique was not complete because “the number could be recovered, with a modest amount of computing effort, if the out-of-network number database and salt value were breached.” In addition, the OPC found that the methodology applied by the provider meant that the hash was always the same for the same number. This meant that it was theoretically possible to search to see whether a number had been submitted before.

The OPC’s decision sets a high threshold for retaining information even in an anonymized form where the information is not needed for the operation of the service.

On December 18, 2012, the UK Information Commissioners’ Office (ICO) issued an enforcement report on compliance with the rules regarding obtaining consent to the use of cookies and similar technologies.

North Americans accessing UK-based websites that are not distinguishing between IP addresses of EU visitors and North American users, may have noticed “cookie banners” when they visit the UK website. These “cookie banners” respond to the requirements of the Privacy and Electronic Communications (EC Directive (Amendment) Regulations of 2011, which the UK Information Commissioner’s Office began to enforce in May 2012. Typically the banner will appear at the top of the web page or float semi-transparently on the web page until closed by the visitor. The banner provides information on the use of cookies on the website, links to further information, including methods of opting out.

The ICO has helpfully provided examples of cookie banners that it considers to be compliant with the cookie rules.

The Office of the Privacy Commissioner of Canada (OPC) has made it clear in recent decisions and in its guidance on behavioural advertising that organizations must be transparent about their use of cookies and should consider alternative methods than privacy policies for explaining that cookies are being used, the purpose for their use and the ability of the website user to opt-out of tracking cookies. Although not yet in force, Canada’s Anti-Spam Legislation (CASL) provides that an organization must have express consent to install a computer program on a person’s computer. A “computer program” has been defined broadly to include a cookie. An organization will be considered to have expressly consent if the person’s conduct “is such that it is reasonable to believe” that the person has consented to the installation of the cookie.

Although the UK cookie rules are not directly applicable in Canada, organizations may consider reviewing the ICO’s enforcement report when considering revising their cookie disclosure practices in light of the OPC’s guidance and the requirements in CASL.

Draft Regulations recognize CASL should not apply to ”regular business communications” 

Industry Canada has published long-awaited draft Regulations that would lessen the impact of Canada’s Anti-Spam Law (CASL) on businesses.  Or in the words of the Regulatory Impact Analysis Statement, to: 

provide relief to businesses through targeted exemptions where the broad application of the Act would otherwise impede business activities that are not within the intended scope of the legislation.

Under the heading “Proposed exemptions to address stakeholder concerns”, the Statement explains:

Since it applies broadly to commercial electronic messages, the Act captures some regular business communications that are not the types of threats that were intended to be captured within the scope of the Act. To ensure these business communications are not regulated under the Act, the Regulations include business to business exemptions for commercial electronic messages that are sent within a business, or sent between businesses that are already in a business relationship, where the messages are sent by an employee, representative, contractor or franchisee and are relevant to the business, role, function or duties of the recipients. These proposed exemptions address many of the most serious concerns raised in the consultations about the unintended application of CASL to ordinary, transactional business communications.

The Canadian government has not issued a formal entry into force date for the Anti-Spam law, and the date has been a moving target since CASL was passed into law in December 2010.  Informally, CASL, the CRTC Regulations, and the proposed Industry Canada Regulations are expected to enter into force late in 2013.

Industry Canada’s Proposed Approach

Comments are due on February 4 on the proposed Regulations.  Here is a summary of Industry Canada’s proposed approach to clarify the application of the Act, and more importantly, to carve out “non-threatening” commercial electronic messaging.

1.  Limited Exemptions for Certain Types of Message

Exemptions are proposed for CEMs sent:

• within a business;
• between businesses already in a business relationship, sent by employee, representative, contractor or franchisee, where message is relevant to business, role, function or duties of recipient;
• by foreign businesses and accessed by a visitor to Canada;
• as a response to an inquiry; and
• due to a legal obligation, or to enforce a legal right.

2.  Third-Party Referrals

Existing business relationship (also non-business, personal or family relationship) would permit third-party referral. 

Example:  Client of Company and Potential Client of Company have a business, non-business, personal or family relationship.  Client refers Potential Client to Company.  Company sends a single consent request message to Potential Client, including name of Client and identification and unsubscribe requirements set out in the Act and CRTC Regulations.

3.  Clarifying What is Required where Sender is an “Unknown Third Party”

CASL permits consent to be obtained to receive messages from a third party unknown to the recipient, in certain circumstances.  The proposed Regulations specify that the recipient must have the ability to unsubscribe and alert the “original requester” that he has withdrawn his consent.  That “original requester” must notify each third party sender that the recipient’s consent has been withdrawn.

4.  Membership in a Club, Association or Voluntary Organization

The proposed Regulations clarify the definition and scope of these “non-business relationships”, and include references to the purpose and not-for-profit status of these organizations.

5.  Limited Exemptions for Protecting, Upgrading and Updating Computer Networks

The proposed Regulations include new definitions for computer programs that are to be excluded from the “installation consent” requirements:  those installed (i) to prevent illegal activites that present an imminent risk to network security; and (ii) to update and upgrade an entire network.

Certain Questions Clarified

The Regulatory Impact Statement clarifies that not all messages sent “in a commercial context” are necessarily CEMs.  For example, Industry Canada notes that:

• a CEM is a message that “encourages participation in a commercial activity”: therefore a message such as a courtesy SMS or an unsubscribe notification (without that encouragement) is not a CEM;
• a CEM is a message sent to an electronic address:  “…[t]he publication of blog posts or other publications on microblogging and social media sites is not within the intended scope of the Act”.

What Industry Canada has Not Done

Industry Canada has rejected stakeholder requests to:

• “grandfather” consents obtained under PIPEDA (rejected as the CASL consent requirements are much more stringent than PIPEDA’s);
• send CEMs from Canada to recipients outside Canada on behalf of foreign companies (rejected as a potential loophole to be exploited by spammers);
• permit manufacturers to send CEMs to end-users of their products (rejected as potentially too broad);
• revise the “unknown third party” approach to make it less complex and burdensome (rejected as tracking and managing consents is not “unduly onerous”).

A growing number of businesses in Canada, the United States and elsewhere has become involved in weighing in on the proposed Regulations.  The outcome of the current regulatory review will be worth watching, for all those impacted by CASL. 

There were two important developments in the U.S. regarding children and mobile technologies.

FTC Staff Report

On December 10, 2012, the U.S. Federal Trade Commission (FTC) released a Staff Report entitled“Mobile Apps for Kids: Disclosures Still Not Making the Grade”. The Staff Report examines the privacy disclosures and practices of mobile apps. The survey was conducted during the summer of 2012. FTC Staff tested 400 apps. Among the interesting survey results:

• 80% of the apps (319) apparently did not disclose any information about the apps privacy practices prior to download. Many of those that contained privacy disclosures “consisted of a link to a long, dense, and technical privacy policy” according to the FTC Staff Report.

• 60% of the apps (235) transmitted the device ID to the developer, an advertising network, an analytics company, or other third party. The most common transmission was to advertising networks (by a large margin). Only 20% (44) of the 223 apps that transmitted device ID, geolocation or phone number to third parties provided any privacy disclosures.

• 58% of the apps (230) contained in-app advertising, but only 15% of the apps (59) disclosed information about the presence of advertising.

• 17% of the apps (66) contained in-app purchase functionality.

The FTC Staff Report states that FTC Staff have commenced a number of investigations where FTC have identified gaps between the company practices and disclosures, which could constitute violations of the U.S. Children’s Online Privacy Protection Act (COPPA) or the Federal Trade Commission Act’s prohibition on deceptive practices.

In Canada, app developers should be aware of provincial consumer protection legislation and the federal Competition Act, which contain prohibitions on deceptive practices, as well as federal and provincial privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), which required transparency with respect to an organization’s practices regarding the collection, use, retention and disclosure of personal information. In addition, app developers marketing apps with in-app advertising should be aware of Quebec’s Consumer Protection Act, which prohibits advertising to children under 13 years of age.

Amendments to the COPPA Rule

On December 19, 2012, the FTC adopted the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule). Highlights from the amendments include:

• Expanded Definition of Personal Information. The new definition includes geolocation information, photos, videos and audio files that contain a child’s image or voice. Persistent identifiers such as a unique device ID or MAC address may also be personal information.

• Extension of Rule to Third Party Applications. The FTC perceived a gap or loophole to the existing COPPA Rule that permitted advertising networks, third party plug-ins and other applications to collect personal information from children without parental consent. The amended COPPA Rule provides that an organization will be considered an “operator” of a website directed to children if it is benefits from the collection of information by a third party even where the third party is not acting as its agent. This will place an obligation on the operator to obtain consent to the collection of the personal information collected by the third party. FTC Commissioner Ohlhausen dissented from the new COPPA Rule on the basis that this extension went beyond what the statute permitted.

• New Rules for Verifiable Parental Consent. The new COPPA Rule permits obtaining consent by way of electronically scanned parental consent, video conferencing, government-issued identification or payment systems that provide notice to the primary account holder of each discrete transaction.

Canada contains no equivalent to COPPA; however, the Office of the Privacy Commissioner of Canada (OPC) has focused on children’s online privacy as a priority. In the OPC’s guidance regarding online behavioural advertising, the OPC stated:

“The most obvious type of information that should not be tracked involves children’s information. Operators of web sites that are targeted at children should not permit the placement of any kind of tracking technologies on the site. It is hard to argue that young children could meaningfully consent to such practices, and the profiling of youngsters to serve them online behaviourally targeted ads seems inappropriate in such circumstances. The Canadian advertising industry has indicated that it will require its members to not knowingly target children; this is a position that the OPC endorses and encourages.”

Given the increasing focus on meaningful consent to the collection of personal information, it may be only a matter of time before Canadian privacy commissioners issue a decision regarding the collection and use of personal information about children. In the meantime, app developers hoping to offer their apps in the U.S. should take note of the new COPPA Rule.

It is 2013, and time for a bit of tough love. Here are five data governance matters that need your attention as soon as possible.

1. Enough of the Unencrypted USB Keys. December 2012 ended with Human Resources and Skills Development Canada reporting that a USB key containing personal information of Canadians had gone missing. Just months before, Elections Ontario apparently lost USB keys containing unencrypted personal information of Ontarians. The use of unencrypted USB keys to store or transfer personal information or any confidential corporate information is the number one practice that organizations should address in 2013. The solution is not overly complex. Just stop it already! And, also make sure that subcontractors don’t use unencrypted USB devices when handling your data.

2. BYOD is Here to Stay; Stop Pretending Otherwise. Employees are coming to work with their own smart phones, laptops, tablets, and other devices. There is no point pretending that employees don’t have proprietary rights and privacy rights in these devices with heavy-handed and unworkable policies on their use. But turning a blind eye to the fact these devices may introduce security risks and can be used as unencrypted USB keys is also not an option. It is time to develop a workable policy. Be clear with employees regarding appropriate use. Audit compliance. If your organization is of sufficient size, it may be a wise investment to employ a “show me – don’t just tell me” policy. Invest in a video showing proper use of these devices and, perhaps more importantly, the cost and consequences of improper use. If it is a condition of BYOD that the organization be able to wipe the whole device remotely, consider illustrating what that is going to mean so that employees understand that they may lose data that they consider to be theirs and that is not backed-up.

3. End the Denial About Your Website Data Collection. You know that part of the website privacy policy that says the organization doesn’t share personal information with third parties? Or, the bit about how the organization only uses information for the purposes described in the privacy policy? Saying it doesn’t make it so. Chances are that even in an organization with very good privacy practices this statement is not 100% accurate, particularly if the organization is engaged in on-line advertising, uses third-party website analytics services, or has third-party content on its site. These activities may involve the transmission of personal information about the user without the knowledge and consent of the individual. If staff in the marketing and technology departments say there is no personal information being shared, ask whether any non-personal data is being shared. Ask what that that non-personal information is. There is a decent chance that some of the data being shared is data that a Canadian Privacy Commissioner would consider to be personal information.

4. Stop Ignoring Unstructured Data; It Might Be Your Achilles’ Heel. Data privacy policy? Check. Records retention policy? Check. Litigation hold procedure? Check. Wait, what’s that? Your organization is using social media. Employees are storing documents in electronic and physical files that are not saved in a centralized repository with pre-defined fields or labels. All of this unstructured data is probably falling outside of the organization’s procedures and policies for dealing with the collection, use, retention and destruction of information. Unstructured data doesn’t need to be the weak link, provided that it is not ignored. It is time to start tackling why employees are using unstructured files and responding with solutions that can address the usefulness of the unstructured data while managing its risks.

5. Really, Why is “That” Confidential? Yes, yes, everything about the organization’s business is confidential. Except that half of it is on the corporate website or in public filings and everyone in the organization with a user ID has access to the other half of it. Okay, I’m being deliberately provocative. However, this one also falls in the category of “saying it doesn’t make it so”. If information is confidential, then there should be many contextual clues so that employees are re-sensitized to the need to protect the information. Limiting access, requiring higher levels of clearance and training, using watermarks to establish the custodian of the information, having properly labelled and locked shredding containers, all contribute to better information security practices by providing employees with contextual reminders of the importance of information security and confidentiality.

The Conference Board and the Stanford University’s Rock Center for Corporate Governance recently published its 2012 Social Media Survey, entitled “What Do Corporate Directors and Senior Managers Know about Social Media?” What is the bottom line from the survey of 180 senior executives and corporate directors of North American public and private companies? Senior executives and directors appreciate the power and the risk of social media. But they are not engaged from a governance perspective. The majority of organizations do not monitor social media to detect risks. Only a minority receive reports containing summary reports and metrics from social media. More disturbingly, the majority of companies did not have social media policies in place.

In Canada, the Canadian Institute of Chartered Accountants’ Risk Oversight and Governance Board published a helpful Director Alert in January 2012 providing directors with some basic questions to ask. The publication is a helpful primer on the basic issues.

In addition, here are 10 topics that Directors may wish to review from a governance perspective:

1.  Social Media Plan. Does the organization have a social media plan identifying the purposes of the organization’s social media, the persons accountable for implementing the social media plan, and the metrics by which the time and effort spent on social media will be measured?

2.  Type of Social Media Strategy. Will the social media be simply one-way promotion of the organization or will it truly be “social” in the sense of engaging with stakeholders? How does the strategy fit with the organization’s social media plan and other public relations efforts?

3.  Choice of Platforms. What social media platforms will be used to implement the social media plan? How do those platforms match the goals of the social media plan and the strategy to achieve those goals? Have the terms of use and end user licence agreements for those platforms been reviewed?

4.  Advertising Compliance. Does the organization’s social media plan comply with the Competition Act (Canada), Competition Bureau Guidelines, the Canadian Code of Advertising Standards and other legal restrictions that may affect the use of social media to promote the organization? Is the organization providing benefits to “influencers” (persons who have large followings on social media and who influence people to take actions, such as clicking on a link or signing up for a promotion)? Is this appropriately disclosed?

5.  Contests. Will social media be used to engage in contests? How will the organization ensure compliance with the Criminal Code and the Competition Act in respect of those contests?

6.  Criticism. How will the organization respond to criticism in social media platforms? Does the organization have clear guidelines on how to handle a disgruntled stakeholder or a negative social media report? How will criticism be elevated within the organization?

7.  Confidentiality. How will the organization ensure that postings through social media do not result in the inadvertent disclosure of non-public material information, confidential information or trade secrets of the organization or a third party to whom the organization owes a duty of confidence, or personal information of employees, customers or others?

8. Employee Engagement. Does the organization have a social media policy in place for employees? Does the policy balance the right of employees to engage in free speech while educating employees and protecting the organization against activities that may contravene advertising laws or be considered to be defamatory or discriminatory? Do employees understand the consequences of breaching the social media policy?

9.  Monitoring. Who is responsible for surveillance of the reputation of the organization and competitors in social media? Who will receive reports of major events? How will the social media strategy be fine-tuned to respond to the information received through social media?

10.  Disaster Plan. Does the organization have a 24/7/365 disaster plan in place in the event that the organization is under attack on social media platforms or a social media effort backfires? Are the appropriate personnel and external advisers in place to assist?

Here’s a brain teaser. Who owns an e-mail? The sender? The recipient? Both? Typical e-mail footers seem to assert some type of ownership by the sender by directing that the e-mail is only for the attention of an intended recipient and that the sender prohibits retention and use by other persons. In the U.K, the answer to who owns an e-mail appears to be neither the sender nor the recipient.

In Fairstar Heavy Transport N.V. v. Adkins, [2012] EWHC 2952, decided by the Technology and Construction Court of the Queen’s Bench Division of the English High Court, the issue was whether the plaintiff company, “Fairstar” had a proprietary interest over e-mails held by the defendant “Adkins” who was formerly the CEO of Fairstar. Adkins was not directly employed by Fairstar. Instead, Fairstar contracted with Adkins’ company. The plaintiff had been taken over by a competitor in a hostile bid and Adkins had been terminated.

According the court decision, Adkin’s incoming emails while he was CEO would be automatically forwarded by Fairstar’s server to Adkin’s e-mail account hosted by a third party. Copies of the e-mails on Fairstar’s server were automatically deleted after being forwarded. Copies of e-mails sent by Adkins did not go through Fairstar’s server unless someone at Fairstar was copied.

Fairstar wanted access to the e-mails in relation to the construction of a vessel in a Chinese shipyard, which turned out to be a substantial liability for Fairstar and with respect to which Adkins was involved in the negotiations. Fairstar’s position was that, notwithstanding that it had no claim to the medium in which the e-mails were stored, it had a proprietary claim to the content of the e-mails.

In examining the possibility of a proprietary claim, the court considered five options:

1. Title to the e-mail remains with the creator (or his or her employer) irrespective of who receives the e-mail or how many times it is forwarded.

2. Title to the e-mail passes to the recipient (or his or her employer).

3. In the alternative to (1), even though title to the e-mail remains with the creator, the recipient has a licence to use the content for any legitimate purpose consistent with the circumstances in which the e-mail was sent.

4. In the alternative to (3), even though title has passed to the recipient, the creator continues to have a licence to retain the content and to use it for any legitimate purpose.

5. In the alternative to each of the foregoing, title is shared between the sender and recipient and anyone else to whom the e-mail is sent.

The court concluded that options (1) and (2) were not workable. Indeed, either option would lead to the possibility of a party having the right to demand that an e-mail (subsequently regretted) be returned or destroyed.

The court held that options (3) and (4), which involve one party retaining ownership and the other party a licence (presumably irrevocable) to use the e-mail, effectively left the concept of ownership devoid of any real meaning because only illegitimate uses could be precluded. If a breach of copyright or confidentiality was not in issue, there would be very little, if any use, left to restrain as being illegitimate.

The court also rejected option (5). The court hypothesized that the result of a joint proprietary might mean presumably that if a supplier lost its database of e-mails, it could demand all of its correspondents to deliver up a copy of the e-mail in order to reconstitute the database.

In the case of a letter, the recipient of the letter “owns” the letter in the sense of the tangible thing.  Of course, the owner’s right to reproduce the content of the letter is subject to copyright just as I might own the book on my bookshelf but my entitlement to reproduce the book or passages from it are subject to applicable copyright laws.

The question of who owns an e-mail is of course more complex since it is not a tangible thing in the same way as a letter or book.  However, might it not be analogous to the author making a copy of a letter and sending the original or the copy or the author of book retaining a copy of the manuscript.  Author and recipient each are entitled to own and use their own copy subject to copyright laws. No one would suggest that the author could demand return of the copy of the letter or book, subject, of course, to duties of confidence or other equitable rights and obligations. Might the reason why the options discussed by the court don’t make sense have to do with thinking about an e-mail as a single thing, whereas an e-mail is a message transmitted electronically and always already involves a copy (perhaps many times over) once created and even more so when sent.  Thoughts?

On October 24, 2012, the Privacy Commissioners of Canada, Alberta and British Columbia issued a joint guidance document on mobile applications, titled Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps. The guidance conveniently summarizes general private sector privacy principles under the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Information Protection Acts of Alberta and British Columbia in one document, with specific application to the development of mobile applications (Apps).

The Privacy Commissioners provide tips on making consent more meaningful in the mobile App environment. Suggestions include:

• Layering Information. The first layer of privacy disclosure could be icons, labels and images that lead to more detail through hyperlinks.

• Privacy Dashboards. Provide tools to display privacy settings in a way that encourages user action and also explains the consequence of making a choice.

• Colour and sound. Scale colour and sound and their intensity to the importance of the decision or sensitivity of the information.

• Timing of user notice and consent.  Users should not have to search for an Apps privacy policy. Instead, users should be provided without clear and accessible information prior to download. However, disclosure before download may not be sufficient. Further disclosure to obtain consent should occur in real time as the information is being collected so that the user can make a timely choice. For example, if location information is being collected, a symbol could be used to indicate to users that this is happening.

The Privacy Commissioners also provide specific guidance with respect to the collection and use of certain types of personal information. For example:

• Sound, Location and Movement. Collection of sound and data from the device’s location and movement sensors requires informed consent and must be directly related to the functionality of the App.

• Cameras. Activation of the device camera requires specific permission of the user.

• Device Identifiers. Apps should be designed in a way that that do not require collection of unique device identifiers unless that is “essential” to the functioning of the App.

• Third parties.  Information about third parties (e.g. from a contact list) should not be collected without consent. The Privacy Commissioners do not specify whose consent.

The Privacy Commissioners also state that data should not be associated across Apps unless it is “necessary” to do so and “obvious” to the user.

In addition to this latest guidance, Apps developers may wish to consult The Roadmap for Privacy by Design in Mobile Communications: A Practical Tool for Developers, Service Providers and Users, which was co-authored by the Information and Privacy Commissioner of Ontario and the Arizona State University Privacy by Design Research Lab and published in December 2010.

Canada’s Anti-Spam Law (CASL) is expected to enter into force in 2013, together with two sets of regulations that will address certain detailed requirements under the Act. Industry Canada Regulations are still underway. The Canadian Radio-television and Telecommunications Commission (CRTC) is further ahead: it enacted its Electronic Commerce Protection Regulations in March 2012.

The CRTC has moreover issued two Information Bulletins on its Regulations. The new guidelines address practical aspects of obtaining consent to send commercial electronic messages (CEMs), and providing an effective unsubscribe mechanism.

1. OBTAINING CONSENT

Specific requests for consent must be clearly identifiable to the user and indicate that the user’s consent can be withdrawn at any time. Consent can be obtained orally or in writing, and must be positive and explicit. In other words, it must be “opt-in”.

Acceptable: an icon or an empty toggle box that must be actively clicked or checked.

Not Acceptable: an opt-out mechanism (i.e. unchecking a pre-checked box); a CEM in the form of a subscription email, text message, or other equivalent form to request express consent

2. UNSUBSCRIBE MECHANISM

The unsubscribe mechanism must be consumer-friendly, simple, easy to use, and must be set out clearly and prominently. Under the Regulations it must be capable of being “readily performed”.

Email Example: a link takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.

SMS Example: the user should have the choice between clicking a link, or replying to the SMS with the word “STOP” or “Unsubscribe”.

For more information, please see:

Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC)

Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation

Wondering how Canada’s Anti-Spam Law compares to the U.S. CAN-SPAM requirements? Check out http://www.slideshare.net/fmclaw/casl-vs-canspam-canadas-antispam-law

Lookout Canada and the U.S.: European regulators are working to give Europe a head-start as a safe jurisdiction for cloud computing.

European Commission Supports Cloud Computing

The European Commission has announced that it will draft model contract terms that organizations could use in cloud computing contracts and service level agreements. In a document entitled “Unleashing the Potential of Cloud Computing in Europe”, the European Commission stated that it “aims at enabling and facilitating faster adoption of cloud computing throughout all sectors of the economy”. The Commission wishes to address the “perception” that cloud computing may bring additional risks by making it easier to signal and verify compliance (though standards and certification) and by developing legal frameworks, such as an initiative on cyber security. The Commission summarized the business case for devoting Commission resources to cloud computing as follows:

Addressing the specific challenges of cloud computing would mean a faster and more harmonised adoption of the technology by Europe’s businesses, organisations and public authorities, resulting, on the demand side, in accelerated productivity growth and increased competitiveness across the whole economy as well as, on the supply-side, in a larger market in which Europe becomes a key global player. Here, the European ICT sector stands to benefit from important new opportunities; given the right context, Europe’s traditional strengths in telecommunications equipment, networks and services could be deployed very effectively for cloud infrastructures. Beyond that, European application developers large and small could benefit from rising demand.

The Commission identified several barriers to an accelerated adoption for cloud computing, including:

• Contractual standards regarding data access, portability, change of control, ownership of data and dispute resolution processes.

• Regulatory fragmentation due to differing national legal frameworks and uncertainties over applicable laws, given that cloud services may span multiple jurisdictions.

• Proliferation of security standards and uncertainty by organizations regarding the security of those standards and the interoperability of data formats to permit portability.

Among the Commission’s activities for 2013:

• The Commission has challenged itself to develop model terms for cloud computing service level agreements for professional cloud users by the end of 2013. The Commission will also review clauses that could be used in contracts involving the transfer of personal data to countries outside of the EU.

• The Commission will also develop standardized contract terms for consumer agreements for cloud computing.

• The Commission supports the development of uniform standards and the certification of organizations providing cloud computing services. The Commission will be tasking the European Telecommunications Standards Institute with developing a set of necessary standards for security, interoperability, data portability and reversibility. The Commission will also assist in the development of an EU-wide voluntary certification scheme.

UK Information Commissioner Provides Constructive Guidance

In other developments, the U.K. Information Commissioner’s Office (ICO) has issued “Guidance on Cloud Computing”, which should prove to be a useful resource for privacy professionals and counsel who are beginning to grapple with cloud computing technologies and mandatory reading for Canadian companies operating in the U.K. Although there are significant differences between Canadian and U.K. privacy laws, this ICO resource is a useful starting point because of the clear and practical approach to decoding the “lingo” of cloud computing and describing the privacy issues. In-house counsel may especially appreciate the use of specific short examples to illustrate concepts.

Among the points covered in the ICO booklet are:

• Assess the risk of processing highly sensitive data in the cloud. The ICO does not, however, put any types of data off-limits. The ICO states: “Often, the question may not be whether the personal data should be put into the cloud but what the data protection risks are and whether those risks can be mitigated.”

• Consider that moving data to the cloud may create additional types of data. Metadata regarding usage statistics or transaction histories of users may be recorded and should be covered by the organization’s privacy policy.

• Privacy impact assessments should be considered before engaging in large or complex cloud services.

• Assessment of the administrative, technical and physical controls of the cloud service provider is not a “one-time” event. Organizations should engage in a “continual cycle of monitoring, review and assessment”. Furthermore, organizations should ensure that they are notified of any changes to subcontractors and those subcontractors are approved.

• Use third-party audits and certifications. The ICO supports the use of third party audits and industry certifications to assist organizations assessing the physical, technical and administrative security measures of the cloud service provider. Responsibility remains, however, with the organization to satisfy itself that the cloud service provider has adequate security measures in place to maintain data security.

The ICO states that technical security measures of a cloud computing program should include:

• Access control through the use of a robust authentication program involving individual username and strong passwords and an administrative program to create, update, suspend and delete user accounts.

• Encryption of data while in transit and, if possible, at rest (i.e. when stored) should be considered. It is important, however, to ensure that the encryption process also contains a “robust key management arrangement”. This is because access to the decryption key means access to the data and, in addition, inadvertent loss of the key would result in the loss of data.

• Data retention and destruction procedures to provide for the overwriting and destruction of data consistent with the organization’s document retention protocol and following a transfer to another cloud service provider or discontinuance of the use of the cloud service provider’s services.

• Limits on the cloud service provider’s access to the organization’s data and controls on whether and how the cloud service provider may use the organization’s data. There should be “an audit process that will alert the cloud customer if unauthorised access, deletion or modification occurs.”

On the thorny subject of international transfers of data becoming subject to the laws of the organization to which the data transfer is made, the ICO joined the trend towards international comity by stating as follows:

If a cloud provider is required to comply with a request for information from a foreign law enforcement agency, and did comply, the ICO would be likely to take the view that, provided the cloud customer had taken appropriate steps to ensure that the use of the cloud services would ensure an appropriate level of protection for the rights of data subjects whose personal data would be processed in the cloud, regulatory action against the cloud customer (in respect of the disclosure of personal data to the foreign law enforcement agency) would not be appropriate as the cloud provider, rather than the cloud customer, had made the disclosure.

Movement to cloud computing appears inexorable.  Jurisdictions that are first movers to develop standards and to facilitate the advantages of the cloud computing industry may have the advantage in the long-run.  Digital strategy, anyone?

The Government of Ontario has commenced a consultation on a new proposed Unclaimed Intangible Property Program. The possibility of this new program for unclaimed property was mentioned in the 2012 Budget and reported on in a previous post. The Government has released a consultation paper, which includes a series of questions. The deadline for submissions is October 12, 2012. Given the additional burden this may pose for businesses, it is to be hoped that the consultation period is extended.

Ontario previously enacted an Unclaimed Intangible Property Act in 1989. However, this legislation was never proclaimed into force and ultimate was repealed as of December 31, 2011, by the operation of the Legislation Act, 2006.

The Government of Ontario is proposing that the new program for unclaimed intangible property would be based on the Uniform Unclaimed Intangible Property Act, which was developed by the Uniform Law Conference of Canada. This form of legislation would impose upon Ontario business the obligation to take prescribed steps to notify owners of abandoned unclaimed property. If the property remains unclaimed, holders must file a report and transfer the property to the Government of Ontario, which then can use the property until it is claimed (if ever). There would be fines for non-compliance. The Government of Ontario would maintain a publicly searchable registry of the property it has received. Owners may file a claim for the property.

What constitutes “property” for the purposes of the new program is up for grabs. The breadth of that definition will directly affect the number and types of business that will face additional administrative burdens. If, for example, Ontario were to include gift certificates and gift cards, this would have significant implications for Ontario retailers.

Another issue that is open for debate is the time period after which property should be considered to be abandoned. The general period of time is five years. Thus far, there has been insufficient consideration given to the interaction between Ontario’s Limitations Act, 2002 and an unclaimed property program. Legislation tends to ignore the effect of limitation periods on the enforceability of intangible property rights and, therefore, the issue of whether the property should be considered abandoned or the property rights considered unenforceable. In Ontario, the basic limitation period is two years from the date of discovery of the claim or the date on which a reasonable person with abilities and in the circumstances of the person could have discovered the claim.  However, the limitation period for demand obligations does not commence until a demand for performance is made.

The issue of limitation periods is also relevant to the transitional provisions of for an unclaimed intangible property program. Ontario is proposing not to enact a transitional period that would have exempted property that became unclaimed more than five years before the coming into force of the legislation. The effect of this is uncertain. Apart from the problem that businesses may have records for the past seven years, some businesses may have considered the rights of the property holders unenforceable for accounting purposes, provided the obligation was not a demand obligation.

During the consultation period, the Government is asking:

1. Whether any modifications to the Uniform Unclaimed Intangible Property Act should be made?
2. What types of property should be included or excluded? Do certain types of property present unique challenges?
3. Are the time periods for considering property abandoned in the Uniform Unclaimed Intangible Property Act appropriate?
4. What are the challenges for businesses in transitioning into the new program?
5. Are there additional issues that the Government should be aware of?
6. How should the Government continue the consultation as the new program is developed?

The consultation document is available here. Remember, the consultation deadline is October 12, 2012.

Last month the Bureau of Consumer Protection of the U.S. Federal Trade Commission (FTC) issued guidance regarding the marketing of mobile Apps.  The guidance should be of interest to companies engaged in cross-border e-commerce activities.  It should be noted, however, that minimum compliance with the FTC guidance may not result in a App marketer being fully compliant in Canada.

Among the key points in the FTC’s guidance document, entitled “Marketing Your Mobile App: Get It Right from the Start” are:

• Advertising has a broad compass.  The FTC reminds developers that advertising isn’t just a traditional advertisement but includes a range of representations made expressly or by implication about what the product does.  The FTC cautions that App marketers require competent and reliable evidence to support objective claims and may require competent and reliable scientific evidence to support health claims.

• Key information must be clear and conspicuous.  This isn’t just a matter of the size and readability (although those are obviously important).  It also includes the way in which information is layered.  Layering information isn’t a licence to hide information behind vague hyperlinks.

• Engage in “privacy by design”.  The Ontario Information and Privacy Commissioner’s “privacy by design” approach should be followed.  This includes the principles of limiting collection, secure storage and safe destruction.  Although the FTC did not emphasize the “privacy by design” principle of privacy as the default, the FTC did note that sharing of data that would not be expected by an average consumer should only be done with express consent.  The FTC also states that sensitive information should only be collected and used with express consent.  In addition, mobile Apps should offer consumers choices and control over their personal information.

• Honour the promises, including privacy promises, made to consumers.  The FTC cautioned that “[c]hances are you make assurance to users about the security standards you apply or what you do with their personal information.”  Systemic failure to honour these promises or take reasonable steps to protect personal information may lead to FTC enforcement action.

• Apps designed for children under the age of 13 must comply with the U.S. Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule.  This will involve additional disclosures and consent requirements.

With permission of the publisher of E-Commerce Law Reports, here is a link to my recent article examining three cases decided in Canada, the U.K. and the U.S. in which the Statute of Frauds was pleaded as a defence to the enforceability of contracts created by conversational email.

The U.S. Federal Trade Commission (FTC) is proposing new rules under the Children’s Online Privacy Protection Act (COPPA).  The current COPPA Rules date to 1999, long before the proliferation of advertising networks and plug-ins.

Given the fluid nature of the Canada-U.S. border when it comes to e-commerce activities, Canadian companies should pay attention to the proposed rule changes.  The FTC is seeking comments until September 10, 2012. [UPDATE: The deadline for comments has been extended to September 24, 2012.]

Key amendments involve changes to the definition of “personal information”, “website or online service directed to children” and “operator”.

Personal Information

The definition of “personal information” would expressly include persistent identifiers. These are identifiers that can be used to recognize a user over different websites or online services, provided that it is used for functions other than the internal operations of the website or online services. This could include Cookies, Internet Protocol addresses, Media Access Control addresses, or any Unique Device Identifier. This is a very interesting amendment that could begin to decouple our understanding of what “personal information” is and focus the policy conversation more properly on the limits of surveillance.

Website or Online Service Directed to Children

The FTC proposes amending the definition of “website or online service directed to children” to include any operator who “knows or has reason to know” that it is collecting personal information from children. The FTC does not believe that this requires ad networks or the suppliers of plug-ins to monitor or to investigate websites and online services. However, the FTC states that this will prevent willful blindness to credible information that their services are being used in respect of children.

Operator

The FTC proposes amendments to the definition of “operator” to make the owner of the website or online service responsible for the activities of the network advertiser or plug-in. The rationale for this amendment is that even though the owner of the website or online service may not have direct access to the personal information collected by the third-party advertising network or plug-in, it is benefiting from that collection because those third-party services provide content, functionality or advertising revenue. Accordingly, these activities should be treated as being integrated with the website or online services being directed to children. The FTC considers the operator of the website or online service to be in the best position to control what advertising networks and plug-ins are integrated into its website or online service and to give notice and obtain appropriate consent.

A minor kerfuffle broke out at a recent (May 30, 2012) U.S. Federal Trade Commission workshop, “In Short: Advertising and Privacy Disclosures in a Digital World.”  During a discussion of a privacy and advertising on mobile platforms, Sara Kloek, Director of Outreach for the Association for Competitive Technology, stated that a MAC address was information about a device and not personal information. Pam Dixon, founder and executive director of the World Privacy Forum, was quick to snap back stating that a MAC address was personal information.

Who is right?  Why is it that we are still debating this fundamental issue?  And is the answer different for IP addresses?  This post is a bit longer than most here on www.datagovernancelaw.com but I’ll try to unpack these issues in the context of Canadian privacy laws and principles.

What’s a MAC address?

A Media Access Control address is an alpha-numeric number that is assigned to a hardware device that connects to a computer network. In simple terms, a MAC address is part of the addressing system that will allow one device to route packets of information to another device.  I’m a lawyer and not a technologist but I think it is fair to say that the MAC address for my smart phone will, for example, be visible to a retailer operating a wireless network when I come within range of that network.  The MAC address will be used by that wireless network when I connect to access the Internet or network services of that retailer.

Each device has a unique MAC address (leaving aside counterfeiting and spoofing).  Therefore, the MAC address for the device may be harnessed as a unique identifier for more than network functionality when it is visible or when an application installed on my device inspects and relays the MAC address. So, a MAC address could be a potential gateway to collecting information on the activities of users of that device when connected to the Internet.  (I wrote “users” deliberately because although there is probably only one user of my smart-phone, the same may or may not be true for any family’s laptop and other devices.)

A MAC address can also be used as a tool in tracking the movements of the device.  For example, Wi-Fi access points will have a MAC address that can be mapped geographically.  When a device (such as a smart-phone, tablet or laptop) interacts with a Wi-Fi network, the MAC address for that device will also be visible, thereby permitting anyone interacting with the device to determine the location of the device, provided that that person (a) knows the location of the Wi-Fi access point and (b) can see the MAC addresses of the access point and the device.

What’s an IP address?

An Internet Protocol address is a numerical label that is assigned to an addressable connection to the Internet. The IP address is also part of the addressing system (at a higher level than the MAC address).  It is used in routing packets of information over the Internet.  Again, I am not a technologist but my understanding is that, for most consumers, the IP address is probably not static or permanently assigned to their device.  Instead, the IP address will be dynamic.  The consumer’s Internet service provider will assign an IP address for a period of time, which might be reassigned to someone else after the consumer disconnects. However, an Internet service provider is able to correlate the IP address at a specific date and time to a subscriber to whom it is providing Internet service access, assuming it retains that information.

The issue gets a bit tricky when a wireless network router is involved.  Take my home wireless network as an example.  The router gateway to the Internet service provider may be assigned an IP address by the Internet service provider.  That IP address may be changed from time to time. Each device connected to the home network will each have an individual IP address internally to the network system.

What’s personal information?

Personal information is defined in Canadian private sector privacy legislation as information about an identifiable individual.  There are some exceptions, but that is the basic definition.

Although reasonable people can debate the point, one justification of privacy legislation – whether applicable to the private sector or the public sector – is that it is necessary to protect individuals from unreasonable surveillance.  Indeed, there was a telling exchange at the FCC workshop mentioned at the outset of this post, when Pam Dixon said that the MAC address was personal information since, after all, it could be correlated to an individual and be subject to a subpoena.

Unreasonable surveillance may be viewed as inimical to personal liberty and potentially used as a tool of manipulation or, in its worst form, oppression.  Even when an organization engages in surveillance for public good or passively without seeking to manipulate, some view this as a significant intrusion since the information obtained through that surveillance may be conscripted by the power of the state for other purposes.

The problem that privacy advocates face is that the gateway concept of “personal information”as currently drafted in Canadian privacy legislation is probably too amorphous in many cases to constrain systematic surveillance in a coherent way.

Thus, in a recent appellate case last year, theAlberta Court of Appeal concluded that in order for information to be about an “identifiable individual”, the person must be identifiable, the information must have a precise connection to an individual.  In order to be “personal” the information must be about the individual–that is, directly related to the individual.  Information did not become personal information simply by being associated indirectly with an individual through ownership.  Without that limit, “virtually every object or property is connected in some way with an individual” and would become personal information.

So, a driver’s licence is personal information in Alberta but a licence plate is not.  The driver’s licence is uniquely connected to a person. Indeed, the driver’s licence card functions in Canada as an identification card – that is, government issued identification.  On the other hand, in Alberta, at least, a licence plate is connected to the vehicle and only linked through a database to an individual. Reasonable people can debate the Alberta decision and whether other appellate courts should follow when the issue arises.

So what’s the answer?

In one sense, the answer is easy.  The Office of the Privacy Commissioner of Canada considers that an IP address may constitute personal information if the IP address is associated with or linked to an identifiable individual.

Similarly, in a commendable and comprehensive study of the issues, the Information and Privacy Commissioner of Ontario and Kim Cameron argue that MAC addresses, as unique identifiers, may be linked to individuals and, therefore, may constitute personal information.

The precautionary principle suggests that organizations should treat MAC and IP addresses as personal information.  However, in many (most?) cases, MAC and IP addresses may not be directly linked to individuals.  An Internet service provider will be able to associate the IP address to a home or business account but not (at least in the ordinary course) to any particular person using a device linked to the Internet, particularly if we are talking about my access to the Internet through a WiFi system at a coffee shop.  A MAC address does not disclose who actually has possession of the device.  However, there is a greater probability of correlation between the owner of the device and the MAC address than there is of an IP address and an individual.

So we are back to where we always are with personal information.  A MAC address or an IP address information is rarely going to be in and of itself information about an identifiable individual in the sense of having a precise connection and being directly related to an identifiable individual.  It is the context of how the MAC address or IP address is combined with other information (or could be reasonably be combined with other information) that has privacy advocates concerned.  In each case, of course, if you knew and combined enough on-line and off-line information you might have enough data to make a highly probably guess about who was doing what and where.  But the same could be said about a licence plate number.

So who was correct (from a Canadian perspective) at the FTC workshop?  Both.  In and of itself, a MAC address (and an IP address) are likely not personal information but they are rich gateways to the collection and the accumulation of data points that can transform them into personal information if privacy (anti-surveillance) measures are not built into the technologies using these addresses.  Ultimately, what is personal information is fundamentally determined by context.  The debate will continue.

Today the Supreme Court of Canada determined that 30 second previews of songs offered by online music services constitute “fair dealing for the purpose of research”.  The Court addressed important principles of “users’ rights”, and re-stated its finding in the oft-quoted CCH Canadian Ltd. v. Law Society of Upper Canada case, that 

“‘research’ must be given a large and liberal interpretation in order to ensure that users’ rights are not unduly constrained”. 

The Supreme Court has therefore again come down on the side of users with an accommodating approach to fair dealing. 

The decision remains an important reminder, however, that an analysis of fair dealing is always highly fact-specific and case-by-case.  In a previous post, we cautioned that when the issue is fair dealing online, there is no “quick test” and no “one size fits all”.

Canada’s Federal Court of Appeal released an interesting decision on the obligations of individuals using on-line resources to determine their eligibility for government programs.  The upshot – a reasonably diligent individual must ask questions about his or her own particular situation and cannot simply stop with broad statements on a website.

The claimant quit his job to move to a new city where his wife had accepted employment.  The claimant looked at a government website and concluded that he was not eligible for employment insurance  (EI) benefits.  The claimant was wrong in coming this conclusion but did not find out about his error until it was too late for him to apply for benefits.  He sought administrative relief on the basis that he had good cause for the delay in applying for benefits. The basis for his position was that the “the principal message initially conveyed to the reader of the website was that only those who lose employment through no fault of their own are eligible, and he did not regard voluntarily leaving his job as “losing” his employment.”

Initially his application was refused.  However, he was successful before the Board of Referees. The Board held that it was reasonable for the claimant to rely on the website (not least because of the claimant’s information technology background and previous experience as a claimant of EI benefits).  This decision was reversed on appeal to an Umpire.  The Umpire found that if the website was too complex or confusing, then a reasonable claimant would make further inquiries. The claimant appealed to the Federal Court of Appeal.

The court agreed that the Umpire overturned the Board’s decision on the wrong basis.  The Board never found (and the claimant did not argue) that the website was too complex or confusing.  On the contrary, the Board found (and the claimant argued) that the main message of the website was clear.  The allegation was that the main message of the website was that the claimant was not eligible.

However, the court also concluded that the Board was incorrect about whether the claimant could rely on that message.  The court held as follows with respect to the duties of an individual looking at websites for information:

[13] [...] A reasonable person who relies on the website for information must do more thorough research than [the claimant] apparently undertook. A reasonable person would not have been so misled by its initial general statements about eligibility as to be deterred from looking for more specific information relevant to his or her situation. The statements early in the website that EI is for those who lose employment through no fault of their own are general enough to include those who are longer employed because they voluntarily quit their job with just cause.

[14] In my view, the website contained enough information to have alerted a reasonable person in [the claimant's] position to wonder whether he or she might be eligible for benefits and to contact the Commission to find out or to make an application for benefits. The question is not whether a particular claimant found the information clear and unambiguous, and decided that further search of the website was pointless, but whether a reasonable person would have so regarded it. It is not alleged that the website contained erroneous material.

[15] Since the website does not purport to deal with the specifics of every person’s particular situation, claimants cannot reasonably treat information on it as if it were personally provided to them by an agent in response to an inquiry about their eligibility on given facts. That it can now take several days to speak with a Commission agent by telephone does not justify [the claimant's] delay.

In a press release entitled “Harper Government Says No to Fees on Memory Cards”, Minister of Industry Christian Paradis announced the government’s plans to exclude microSD cards from the application of a levy under Canada’s private copying regime. 

In the press release and in his announcement this afternoon at an Ottawa Future Shop store, Minister Paradis stated:

“Our government worked hard to strike the right balance in the Copyright Modernization Act, which ensures world-leading consumer and user rights while giving creators the tools to protect their work and grow their businesses. [...] An additional fee on removable memory cards is not only unwarranted but unfair to Canadian consumers.”

The Copyright Modernization Act received Royal Assent on June 29, 2012.  It has not yet entered into force.  Regulations to exclude microSD cards from the levy are expected this fall.

Mark and Constance Fournier operate the Free Dominion website as a political news discussion forum.  Richard Warman had an exclusive licence to the copyright in a National Post article entitled “Jonathan Kay on Richard Warman and Canada’s Phony Racism Industry”.  Warman alleged that the Fourniers infringed his copyright when excerpts of the article were posted on their website.

In its recent decision, the Federal Court of Canada determined that the reproduction of the excerpts on the site did not infringe Warman’s copyright.  First, the Court found that the excerpts did not amount to a “substantial part” of the work.  In the alternative, the reproduction constituted fair dealing for the purposes of news reporting. 

A quick read of the decision – and some of the subsequent commentary that has appeared online - suggest that borrowing parts of an article for a forum, blog or other piece is generally fine.  It’s important to remember, however, that there is no quick test to judge when using/borrowing/copying content that’s not your own crosses the line into copyright infringement.  For better or for worse: (1) infringement is always assessed on the facts of each individual case (there is no “one size fits all”); and (2) the legal tests are anything but straightforward. 

The comments below are not intended to critique the Federal Court’s analysis.  Instead, we simply point out the various steps the Court went through to assess the facts of this case against the law. 

“Not a substantial part”

Factors considered:

•  quality and quantity of material taken (held: less than half the work, mostly made up of facts, not commentary)
• extent to which the use adversely affects the copyright owner’s activities, diminishes copyright value (held: not directly relevant)
• whether the material taken is the proper subject-matter of copyright (not directly dealt with)
• whether the use was intentional appropriation, to save time and effort (no – intention was to preserve a record of facts)
• whether the material taken is used in the same or a similar fashion as the owner’s (not directly relevant/not directly dealt with)

Quite a murky and arguably subjective exercise.  Moreover, the above points were only part of the analysis.  The Court went on to do an alternative analysis based on:

“Fair Dealing for the Purposes of News Reporting”

The Copyright Act enumerates three accepted types of fair dealing: research or private study; criticism or review; and news reporting.  The Copyright Modernization Act will add satire, parody, and education to this list. 

Because “fair dealing” is not otherwise defined in the Copyright Act, the courts have had to define it themselves.  The Supreme Court of Canada set out six factors to determine whether dealing with a work is “fair” (see CCH Canadian Ltd. v. Law Society of Upper Canada, 2004 SCC 13):

“(1) the purpose of the dealing; (2) the character of the dealing; (3) the amount of the dealing; (4) alternatives to the dealing; (5) the nature of the work; and (6) the effect of the dealing on the work.  Although these considerations will not all arise in every case of fair dealing, this list of factors provides a useful analytical framework to govern determinations of fairness in future cases.”

In the Warman case, the Federal Court assessed each of these, and found that “balancing all the factors together”, the use fell within the fair dealing exception for the purpose of news reporting. 

The take-away:  before you go ahead and use that lengthy quote, or borrow those paragraphs from that book/article/blog, think about whether that use has a good chance of meeting the “fair dealing” test. 

Consider for yourself: 

• is taking several paragraphs from any article online really “news reporting”?  
• is it fair to use a work, or part of a work, to drive traffic to your site instead of the (competing) source site?
• would a link to the content – if possible - work as well as copying it?

Copying online has become commonplace, even expected in some cases and in some forums.  However, for better or for worse, the law still defines what is “fair” in this regard, and there is no quick test.

The old style privacy policy brought up by clicking on a hyper link usually found in a footer of a web page or grouped with other “legal notices” is manifestly unworkable in the mobile environment.  A contribution to re-thinking the delivery of privacy information and control over personal information has recently been released by the Ontario Information and Privacy Commissioner, Anne Cavoukian, and Yahoo!’s Senior Director, International Privacy and Policy.  Their paper, entitled “Privacy by Design and User Interfaces: Emerging Design Criteria – Keep it User-Centric“, discuss how the design of user interfaces may increase the “privacy experience” of mobile technologies.

Here are some of the points made in the paper:

•  Context. User interfaces should take into account the limits and the uses of the devices.  Small screens mean that users should not have to resize or endless scroll to access and understand privacy policies.  User interfaces should provide the context for the value proposition to the user for the collection of the personal information.  If the photo just taken is going to be shared on another platform, notify the user.  If geo-location data is being collected, why is that beneficial for the user?
• Awareness.  Although terms of use (which may include acceptance of privacy policies) are likely here to stay, user interfaces should be designed to permit interactive delivery of privacy information “at the time, in the place and in the manner that is meaningful for users.”  Users should be offered privacy choices as they take actions within a website or application, which would assist users in understanding the range of their choices and the implications of those choices.
• Discoverability.  User interfaces should be interactive and contain navigational aids. The functionality of websites and applications should be harnessed to deliver information in a way that is important as is already done for advertising and other important content.
• Comprehension.  Layered privacy notices that deliver subsets of policy information and navigate to information that is important to the user should be considered. In addition, organizations should be considering “Privacy Centres” which bring together information on privacy practices and the tools to manage privacy setting.

This post is co-authored by Saba Zia.

Social media is great “word of mouth” advertising when things go right. It can also be a nightmare in damage control when things go wrong. Sometimes the unsatisfied customer just lets it rip fairly or unfairly.

In a recent Ontario case, 2964376 Canada Inc. (Ameublement Prestige Furniture) v. Bisaillon, a retailer was awarded Cdn. $15,000 in damages for defamation after the daughter of an unsatisfied customer began an e-mail campaign. Although the case deals with e-mail, there is no reason why it would not apply to social media.

The facts of the alleged unsatisfactory customer service were not unusual.  The customer had purchased a dining room table. It was damaged. There were attempts to fix it. The company offered to rebuild the table. The customer wanted a refund. When the customer didn’t get the refund, the customer’s daughter began an email campaign.

The daughter e-mailed 38 of her contacts using her work address. She inserted a logo that looked like the retailer’s and asked that the recipients to forward the email along to others. The email stated that the company was “an untrustworthy company and I strongly advise you to think twice before putting your trust and money in their hands!” and “We are all consumers and deserve to be made aware of deceitful companies who do not honour their Consumer’s Guarantee. BUYERS BEWARE!”

The Ontario court concluded that the daughter had gone too far and awarded the retailer Cdn. $15,000. E-mailing 38 people and asking them to pass it along constituted publication. Accusing the company of being untrustworthy and deceitful would clearly affect its reputation, character and business. The defence of fair comment was not available. The defamatory statements were not based on fact (at least not all of the available facts) and, in any event, the statements were based on malice. She openly stated that she wanted revenge.

Although there are other means for managing a company’s reputation, this recent case suggests that courts will take seriously an action in defamation as a last resort for dealing with a customer who goes too far.

The UK Information Commissioner’s Office (ICO) has released a draft Code of Practice on Data Anonymisation.  The UK ICO will be conducting a consultation on the draft Code until August 23, 2012.

The UK ICO states that the Data Protection Act (UK) should not be a barrier to prevent the anonymization of personal data.  Moreover, once data is anonymized, the UK ICO states that the data can be disclosed to others without being subject to the Data Protection Act.  This remains true, even if the disclosing organization retains the ability to re-identify the data.

The UK ICO’s interpretation of the Data Protection Act is that data that has been properly anonymized can be deployed for new uses without the consent of the individual from whom the data was initially collected.  The exemption from the need to obtain consent is subject to a number of provisos:

• the anonymization must be effective (the UK ICO recommends a privacy impact assessment);
• the purpose for which the anonymization takes place is legitimate (and any ethical approvals have been obtained);
• there are no detrimental effects on particular individuals;
• the organization’s privacy policy or some other form of notification explains the anonymization process; and
• there is a system for collecting individuals’ objections (even though consent is not required).

In assessing the effectiveness of anonymization, the UK ICO states that organizations must consider whether a motivated intruder could re-identify the individual using the data set.  An organization must consider whether information that has purportedly been anonymized could be combined with other information to identify an individual.  If so, then this would be a disclosure of personal information.  The UK ICO suggests that organizations disclosing anonymized data will want to assess the disclosure risk “in the round”.  In other words, all organizations disclosing part of the data set should consider whether another organization (or, the public) could identify the information from the information being disclosed.

Importantly, the UK ICO distinguishes identification from an educated guess.  In order for there to be a re-identification issue creating a risk of disclosure, the data set must be capable of being used for more than establishing a probability that an individual has the characteristics attributed by the data set.

One of the most helpful aspects of the draft Code of Practice are the thoughtful examples of anonymization techniques that will help organizations understand the privacy principles in action.

In a previous post, I discussed British Columbia’s proposed Civil Resolution Tribunal Act.  Bill 44 was introduced on May 7, 2012 and sped through the Legislature receiving Royal Assent on May 31, 2012.  It provides for on-line non-facilitated and facilitated dispute resolution with the final stage being a tribunal hearing, which could take place on-line.  One of the controversial aspects of the Bill is that it precludes representation by lawyers except in specific circumstances, such as where the person has impaired capacity or it is in the “interests of justice.”

It is expected that it will be at least several months before the new tribunal is up and running.  The President of the Law Society of British Columbia stated in a press release that:

“While our review of the Civil Resolution Tribunal Act raised some concerns,” said Bruce LeRose, QC, president of the Society, “we hope that the participation of the legal community in the implementation working group will ensure that the promise of a voluntary dispute resolution process is fulfilled without compromising the integrity of the justice system and the rule of law.”

Ontario’s Information and Privacy Commissioner, Anne Cavoukian, and IBM Fellow, Jeff Jonas, have released a very interesting paper entitled “Privacy by Design in the Age of Big Data“.

“Big Data” is the buzz word used to describe the latest frontier in data analysis.  In very simple terms, we are producing huge quantities of structured and unstructured data through our electronic activities.  Organizations are now able to “crunch” extremely large data sets involving disperse data from various aspects of those digital footprints that we leave behind through our activities.  Moreover, the increased sophistication of technologists in developing algorithms and the increasing processing power of technology means that the analysis of extremely large data sets may take place almost in real time, thereby permitting organizations to act or react to opportunities as they present themselves.

The size of the data sets, the combining of data about individuals from multiple sources or interactions, and the risk of inadvertent disclosure or unauthorized access creates significant privacy risks.  However, there is also a significant risk that a lack of understanding by the public and legislatures or a significant privacy breach at this critical stage of development of Big Data analysis could produce a knee-jerk legislative or policy reaction.  We only need to recall how justified and unjustified fear of “Big Brother” databases have entrenched privacy legislation that has historically prevented sharing of information across government departments and agencies.

Ontario’s Information and Privacy Commissioner, Dr. Cavoukian, and IBM Fellow, Mr. Jonas, demonstrate that privacy and “Big Data” can co-exist.  We can have the benefits of both.  Their paper outline seven technical principles employed in Mr. Jonas’ “next generation” systems, which balance the utility of Big Data with privacy principles by embedding those principles in a very sophisticated way into the systems employed by the technology.  Of course, the technology itself is not the complete answer to privacy issues.  The point is that by embedding privacy principles into the technology, the technology will not frustrate an organization’s adherence to privacy principles.

For example, accountability and transparency are embedded into the feature of “full attribution” — that is, all data can be traced back to its source and changes accounted for in real time.  However, by using sophisticated technologies to de-identify data on transfer, the data sets will be anonymous when placed into the Big Data database used for deployment of the Big Data analytics.

If you are interested in “Big Data”, be sure to join me, Nathalie Des Rosiers (General Counsel, Canadian Civil Liberties Association) and Colin McKay (Manager, Global Public Policy, Google Canada) at the Canadian Institute’s Forum on Privacy Law and Compliance (September 20-21, 2012) where we will be presenting on this topic.

The Office of the Privacy Commissioner of Canada (OPC) has released a more detailed policy position regarding on-line behavioural advertising.  This is a must-read for companies conducting on-line behavioural advertising strategies in Canada.

The OPC defines on-line behavioural advertising as advertising that uses information regarding the multiple websites that a person has visited and will usually involve advertisements on multiple websites.  The OPC gives the following example: “a user has visited websites about pets in the past, then ads related to pets might be shown on various web sites, even sites that are not related to pets (e.g., an online newspaper).” On-line behavioural advertising differs from 1st party advertising where the organization’s advertising is based solely on the profile of an individual with whom that organization has a relationship and is not based on tracking the individual across websites.

Some highlights from the position paper:

• The OPC will generally consider information collected during on-line behavioural advertising to be personal information.  The OPC acknowledges that some information does not appear at first glance to be personal information when segmented.  Nevertheless, the OPC reaches the default position that the information that is collected is personal information on the basis that (1) “the purpose behind collecting information is to create profiles of individuals that in turn permit the serving of targeted ads” and (2) the nature of on-line behaviour advertising is such that it involves “powerful means [...] for gathering and analyzing disparate bits of data and the serious possibility of identifying affected individuals”; and, perhaps circularly, (3) the result of on-line behavioural advertising is “highly personalized”.

• On-line behavioural advertising is not an unreasonable use of personal information.  The OPC acknowledges that the model for the commercial websites requires, in many cases, consumers accept advertising in return for access to free websites.  However, the OPC also states that submission to on-line behavioural advertising is not a term or condition of use of the Internet.  Advertisers must obtain meaningful consent, limit collection and safeguard information in accordance with Canadian privacy legislation.

• Opt-out consent may be acceptable.  In order to rely on opt-out consent, advertisers should meet what are essentially three conditions.
1. Clear, upfront disclosure of the purposes of on-line behavioural tracking. The disclosure cannot be “buried” in a privacy policy.  The OPC is encouraging use of the functionality of websites to deliver information in layered disclosure, interactive media or through banners.
2. Individuals must have the ability to easily op-out of the practice.  Ideally this is to occur before or at the time the information begins to be collected.  The opt-out technology must permit the opt-out to be immediate and persistent.  Consumers can’t be required to send an e-mail or snail mail request that will be dealt with in days.
3. The information collected should be limited and should be destroyed or de-identified as soon as possible.  The OPC wants to put sensitive information (examples include health/medical information) off-limits.  Information should not be kept indefinitely but have a time-horizon and destroyed or de-identified.

• Technologies that do not permit an individual to opt-out easily cannot be used.   If an individual cannot control the technology by opting-out easily or would have to take extraordinary measures, then the OPC’s position is that they should not be used.  Essentially, these technologies do not offer any meaningful way to withdraw consent as is required by Canadian privacy laws.

• Personal information from young children should not be collected through on-line behavioural advertising.  Older children’s consent must be meaningful although the OPC recommends against on-line behavioural tracking of all children. The OPC’s position is that it is difficult to obtain meaningful consent for young children (even from their parents).  In terms of older children, the OPC’s position is that the disclosure and manner in which consent is obtained must be meaningful for the targeted age-group and the context.

You’ve heard reports that your social or professional networking service provider’s systems or your e-mail service provider’s systems may have had a security breach allowing hackers to see your password.

What do you do?  You might change your password for that account, right?  Sure, but you probably won’t be able to stop there if you want to protect yourself.  You need to develop a more complete response.  First, you need to map the extent of the risk.  Here are a few ideas:

1. Make a list of all accounts where you use the same User ID as the potentially compromised account. If you are very active on-line, this could be a very long list. Quite often your e-mail address will be your user ID for multiple accounts. For example, LinkedIn, Facebook, Google, online shopping accounts, professional association websites, online access to employment benefits providers, and applications at the office might use the same email address as the User ID for the application.  If you ever wondered why Canadian Privacy Commissioners think your e-mail address is personal information, here’s why!

2. Now make a list of all User IDs that are visible on the compromised account or are connected with the compromised account. What do I mean by this? You might have listed your Twitter address on a social or professional networking page. Is that Twitter address your User ID to log into Twitter? If so, add it to the list. Have you entered other email addresses? If so, add them to the list as well as all the other accounts that use these same credentials as User IDs.

3. Now put a mark beside every account that shares the same password with the compromised account or uses a variation on the password used for the potentially compromised account. Yes, you are supposed to have a unique password for each account but we all know that most of you don’t. You have a few that you rotate or use as variations of one another.

4. Here’s your last preparatory step: make a list of all applications that are launched from accounts listed in #3 and that store your passwords for other applications if they are not already on your lists. Put a mark beside those too because they may have been compromised.  For example, does the application you use for Twitter also store the password for and post to Facebook on your behalf?

Now you have a map of the potential problem.  It is probably much bigger than just changing the password for the potentially compromised account. If a hacker knows the password that is associated with a User ID or group of User IDs, the hacker has a starting point to hack your other accounts that you have helpfully listed or connected for the world (or at least the hacker) to see! If you only change the account that has been potentially compromised, you have locked the front door but left the windows and side door open. If you want to increase your protection, you should be thinking about changing all of these passwords.

Notice that I have not mentioned the potentially compromised account yet? That’s because you should consider doing something different for that account. If you are not yet certain whether the alleged security breach has been fixed, you should chose a password that you will not use for any of the other accounts – not even a variation on what you will use for any other accounts.  Otherwise, you might have to go through this all again in short order once the breach has been fixed.  You might also wish to temporarily suspend any permissions you have given to the potentially compromised account to access your other accounts (for example, if you aggregate social networks or you use one account to post into another account).

Last step: You should monitor your accounts closely, particularly if they contained sensitive personal information (such as financial information) that could be used for identity theft.  If you are a consumer and you have questions about identity theft, you may also wish to start with the Ontario Government’s pamphlet on protecting your identity.

A perennial issue in Canadian privacy law is what to do about the USA Patriot Act.  Just when we think we have things reasonably sorted out, the issues pop up again in a new context.  This time it is cloud computing.

What’s the USA Patriot Act?

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (usually referred to as the “USA Patriot Act” or just the “Patriot Act”) is US legislation that was passed following the September 11, 2001 attacks on the World Trade Centre in New York City.  Among other things, the Patriot Act made it easier for US law enforcement officials to intercept electronic communications and business records.  One of the controversial measures was that officials were granted the power to issue a National Security Letter to electronic communication service providers requiring them to hand over information without informing the affected parties (in some cases without any judicial oversight).

For the purposes of this discussion of cloud computing, however, one of the most important provisions is section 215, which deals with access to business records.  Section 215 repealed and re-enacted provisions of the Foreign Intelligence Surveillance Act (USA).  Pursuant to section 215 of the Patriot Act, the FBI may apply to a federal judge for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities.   US commentators agree that this definition covers electronic business records.

What’s cloud computing?

In its most complete form, cloud computing involves outsourcing applications (e.g. email, customer relationship management, and accounting software), platforms (e.g. database architecture) and infrastructure (e.g. servers).  All of these IT functions are offered as a service to organizations either independently or as a package.  An organization’s data (e.g. its emails) may be stored in segregated servers or intermingled with the data of other organizations and segregated through the functionality of the service provider’s information technology.  The organization accesses its data through Internet portals.

Where’s the Cloud?

The cloud isn’t in the sky.  Data sent over the Internet in a cloud computing arrangement may be (and often will be) stored outside of Canada and may be intermingled with data from other organizations.  In many cases, the cloud computing service provider may subcontract the storage of data to one or more organizations operating data centres.  If these data centres are in the US, well, therein lies the rub.  The data is going to be subject to the laws of the United States, including the Patriot Act.  Actually, if the data is even accessible from the US or by an organization subject to the jurisdiction of the US, the data is likely to be subject to the laws of the United States.

Okay, so the USA Patriot Act may apply, do I have a Canadian privacy problem?

Transfers create legal issues. Organizations have a privacy “problem” every time they transfer data.  This is because under Canadian federal and provincial private sector privacy laws, the organization that collected and is entitled to use the personal information remains responsible for its security throughout its life-cycle.  Indeed, in many cases organizations will have created a contractual obligation with individuals by incorporating the organization’s privacy policy (and privacy commitments) into terms of service or use or other customer e-commerce contracts.  Organizations may wish to consider legal advice to understand how commencing cloud service transfers of personal information will affect existing legal commitments.  It may be necessary, for example, to give special notice to individuals and to provide them with opt-out or termination opportunities.

But organizations aren’t prohibited from using US-based cloud services, if they are only operating in the private sector.  Federal and provincial private sector privacy legislation does not prohibit the transfer of personal information to an organization in another jurisdiction for processing and storage, provided that:

• The transfer does not entitle the receiving the personal information to use that information for purposes other than those for which individuals expressly or impliedly consented.
• The transferring organization remains accountable for the protection of the personal information that has been transferred.
• The organization receiving the personal information provides a comparable level of data security as would be required under Canadian law and the terms on which the collecting organization collected the information.
• Disclosure is made to individuals.  As a general rule, this disclosure to individuals should include notice that (1) their personal information will be transferred outside of Canada for processing and storage, (2) their personal information will be subject to the laws of the foreign jurisdiction and (3) the laws of the foreign jurisdiction may be different (and less protective) than those of Canada.

The transferring organizations will wish to consider obtaining meaningful contractual commitments to administrative, technological and physical security protections from the organization to which the personal information is being transferred. The transferring organizations will also wish to consider audit or other rights that would permit ongoing diligence of these security protections as well as the use being made of the personal information.

The Patriot Act provisions do not (on their own) mean that personal information will not be subject to a comparable level of security. An interesting survey and comparison of surveillance laws in Canada, the US, the UK and France was conducted by the Office of the Privacy Commissioner of Canada in 2009, which remains an important reference.  Since 1990, Canada and the US have had Treaty on Mutual Legal Assistance in Criminal Matters in which each country has agreed to assist the other with the investigation, including seizure of records, of criminal activity. The Canadian Security and Intelligence Service Act (Canada) provides for secret warrants for the interception and seizure of, among other things, electronic data.  The National Defence Act (Canada) permits the Minister of Defence (without judicial supervision) to authorize the Canadian Communications Security Establishment to intercept communications relating to foreign entities under certain circumstances.  In addition, the Criminal Code (Canada) permits seizures of electronic data.  The combination of this legislation has led the Office of the Privacy Commissioner of Canada to conclude in three decisions (here , here, and here) not only that Canadians are at risk of personal information being seized by Canadian governmental authorities (including without the knowledge of the target) but also that there is already a risk of that information being shared with US authorities.  (This is not to say that reasonable people cannot still differ as to whether they wish to have their personal information stored outside of Canada.)

But if you are a public sector organization or contracting with a public sector organization in British Columbia or Nova Scotia (and probably Alberta), you need legal advice.  Cloud-based services get a bit trickier when dealing with public sector organizations.  British Columbia, Nova Scotia and Alberta each have legislation the prohibits or, in the case of Alberta, potentially prohibits the storage of data outside of Canada.  In these cases, organizations would be prudent to obtain legal advice.

 In December 2011, the Office of the Privacy Commissioner of Canada (OPC) issued guidance in December 2011 stating that “collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent” and that there must be an “opt-out” mechanism if the technology is being used for on-line behavioural advertising.  However, organizations in Canada have been short on tools for complying with the OPC’s guidance and have been slow to increase the prominence of their disclosure regarding cookie use.

In the United States, as I reported in a previous post, the FTC has called for the advertising industry to make “Do Not Track” initiatives fully operational by the end of 2012.  Advertisers must be transparent about their deployment of cookies and other on-line tracking technologies and provide people with a method of opting out.  The Digital Advertising Alliance in the U.S. has continued to promote an advertising opt out tool (AdChoices), which is beginning to appear on web sites (often near the link to organization’s privacy policy).  The Network Advertising Initiative also offers an opt-out tool and organizations have been including links to the tool for users to opt-out.

In the UK, new “cookie” rules came into force on May 26, 2012.  Organizations must now obtain consent to the use of cookies and provide a method for subscribers and users to opt-out of cookies (with some exceptions). The UK Information Commissioner’s Office has issued a guidance document to assist organizations with compliance efforts.  The examples provided for increasing the prominence of disclosure of cookie use and how to obtain consent is particularly helpful.

Meanwhile, Canada has lagged behind on practical advice from the Federal and Provincial Privacy Commissioners and tools for assisting Internet users to opt-out of tracking technologies.  On the “tools” front, this may change.  In a preface to an article reporting on an interview with outgoing IAB Canada president Paula Gignac, Marketing Magazine reports that IAB Canada is in negotiations to bring the AdChoices program to Canada.  Some Canadian organizations aren’t waiting for a Canadian solution.  The AdChoices icon has begun popping up on websites of Canadian-based organizations.

Today the Canadian Bar Association held an update session for members on Canada’s Anti-Spam Legislation (“CASL”).  An oral presentation was provided by Andy Kaplan-Myrth, a Policy Advisor in the Digital Policy Branch at Industry Canada and a member of the team that developed and is implementing CASL.

Here’s what we heard from the discussion.  [Please note that information and comments provided by Mr. Kaplan-Myrth and other participants are intermingled with my own below.  The following is not intended as a verbatim report on the presentation.]

• Industry Canada is targeting the release of further draft regulations for comment by the summer; however the ultimate timing depends in part on internal government processes including Treasury Board approval;
• The regulations will reflect some concerns heard during and since last year’s comment process on the last draft regulations.  As we noted in past posts, many industry stakeholder believed that the earlier draft regulations did not go far enough to clarify obligations and provide needed exemptions;
• Industry Canada is focusing on exempting activities that clearly do not constitute “spam”, where a line can clearly be drawn to define permitted activities and exclude others;
• Industry Canada welcomes comments on the regulations, and beyond that process, is also seeking input from stakeholders on what areas of CASL and definitions should be clarified in information bulletins;

More substantive questions discussed:

Q:  Does it make sense for the “form and content” (ie. contact information and unsubscribe) requirements to apply to messsages: sent within businesses, to their employees?  sent B2B, such as banking transactions? that must be sent by law?  that are responses to an inquiry?

A: In some cases…not really.  The forthcoming draft regulations may address these.

Q:  How do you set up third-party referrals under CASL?

A: Referral marketing can be done with appropriate consent, but don’t forget that consent must meet both CASL and PIPEDA requirements.

If it’s a “refer a friend” scenario, and the person is truly a friend or family under the law, then CASL will not apply.  (As some have suggested, CASL will legally define for us who our true friends are.)  Under regulations to come, the definition of a “friend” may be broadened to include virtual friends met online.

Q:  What’s required to get express consent, and document it?

A:  Oral consent, and even a check-box is acceptable (perhaps even pre-checked, if the request for consent is clearly conveyed).  Australia has provided some practical guidance for business under its Spam Act 2003 on obtaining consent, and a range of other topics.  Although Canada’s legislation is different from Australia’s, the CRTC may provide similar forms of guidance on practices to obtain consent and related issues.  As mentioned above, both Industry Canada and the CRTC are interested to hear from stakeholders on where guidance is most needed.

As for documenting consent:  this will be up to clear internal policies and practices.  These are intentionally not spelled out anywhere, to give organizations the latitude to find what works for them…while meeting the CASL requirements.

Q:  Can organizations rely on PIPEDA consents under CASL?

Remember that CASL “overrides” PIPEDA, to the extent of any conflict (s. 2 of CASL).  And that CASL expressly requires a high standard of consent to send commercial electronic messages.  Therefore organizations can’t rely on “grandfathering” PIPEDA consents under CASL, broadly speaking.

If however, existing PIPEDA consent also meets the CASL requirements for implied consent – for example an “existing business or non-business relationship” – then that is sufficient.  Many organizations can and will rely on implied consents to send many of their CEMs during the transition years, the first three years after CASL enters into force (see s. 66 of CASL).

What’s Next?

Although CASL won’t enter into force until 2013, there is a significant amount of preparation going on this year, as noted above, and here.

We have also heard reports that many organizations outside of Canada have not even heard of CASL, so clearly more needs to be done to raise awareness.  For those organizations that are familiar with the U.S. Can-Spam Act requirements, our comparison of CASL to CAN-SPAM may assist.

So, what can Canada do to become a leader in e-commerce? Canada’s House of Commons Standing Committee on Industry, Science and Technology would like to offer some suggestions for how the Government can help and Industry Canada has released its 2012-2013 Plans and Priorities.  There is not much in the way of innovation in these documents but one recurring issue is the fragmentation of consumer protection legislation.  Might the future bring greater harmonization?

Standing Committee Report

Recently, the Standing Committee released its report entitled “E-Commerce in Canada: Pursuing the Promise” in which it summarized its investigation into the market for e-commerce market in Canada and what the Government can do to assist to overcome some of the challenges to the e-commerce market.

Canadians are on-line.  Using information gathered by Statistics Canada, the Report states that 79% of Canadians had Internet access in 2010 and 74% of those with Internet access used the Internet for “window shopping” or “comparison shopping”.  E-commerce is also growing in Canada; however, the Report suggests that Canadian businesses may be under-investing in this retail channel and consumers are purchasing from U.S.-based Internet retail channels.

The Report acknowledges several barriers to e-commerce in Canada, particularly for small and medium sized enterprises (SMEs).  These include the cost of investment and access to capital.  However, they also include the fact that Canada has a huge geography and low population density.  The Report states that logistics and shipping costs in Canada are larger (even for domestic shipping) than in the United States. Furthermore, the Report notes the lack of uniformity in consumer protection laws across Canada.

The Standing Committee made 16 recommendations for the Government of Canada.  They are:

1. Place an emphasis on e-commerce in its forthcoming digital economy strategy.

2. Work with the payments industry to modernize payments systems to ensure an efficient, fair, safe, competitive and world-leading payments system in Canada.

3. Work with industry to increase the affordability, reliability and speed of broadband Internet available to Canadians.

4. Reduce “red tape” and costs of cross-border business and shipping for businesses and consumers.

5. Examine disclosure and transparency rules so that businesses and consumers are aware of the total costs of e-commerce transactions prior to purchase.

6. The Business Development Bank of Canada make information and communications technology adoption a strategic focus.

7. Bring Canada’s Anti-Spam Legislation into force to help to increase consumer confidence in the e-marketplace.

8. Work with the provinces and industry to develop strategies to meet the skilled workers shortage in information and communication technology industries.

9. Provide an easily accessible directory or service containing all government programs related to innovation and R&D to help firms access the tools and support they need to increase innovation and adopt information and communications technologies (ITC).

10. Work with Internet service providers to ensure and promote the availability of 24/7 technical support to their clients to ensure their services are functioning as required, and to ensure that clients have transparent and up-to-date access to their account information.

11. Examine ways to increase the quality of information available regarding adoption and use by Canadian SMEs, and the business impact of such adoption and use.

12. Consumers and retailers should be protected by a code of conduct applicable to on-line, mobile, and other emerging transaction technologies.

13. The Government should become a “model user” of e-commerce and on-line solutions in its procurement practices and delivery of services to Canadians.

14. Ensure Government systems are secure from potential security threats to avoid lengthy shut-downs of Government of Canada on-line services.

15. Work with industry and consumer groups to increase digital literacy and simplify terms and conditions of e-commerce transactions.

16. View financial literacy and digital literacy as being intertwined due to the widespread adoption of electronic and mobile payments systems.

 Industry Canada Plans and Priorities

Industry Canada has also released its 2012-2013 Estimates — Report on Plans and Priorities.  If you believe the government should be facilitating the building of e-commerce capacity, it might be criticized for lack of ambition (University of Ottawa Professor Michael Geist is a critic).  Some highlights are:

• Industry Canada will participate on a federal-provincial-territorial Consumer Measures Committee to examine best practices in achieving compliance with consumer protection laws.
• Industry Canada will also participate in developing or updating consumer information.
• Industry Canada will review consumer issues in cross-border transactions through participation in three projects: (1) the Organisation for Economic Co-operation and Development (OECD) review of the Guidelines for Consumer Protection in the Context of Electronic Commerce; (2) the development of an International Organization for Standardization (ISO) standard for business to consumer electronic commerce, and (3) related projects regarding on-line dispute resolution and redress.
• Industry Canada has set performance targets for its activities.  These include: (1) 86% of Canadians using the Internet; (2) 65% of Canadian businesses understanding their privacy obligations; and (3) 43% for Canadians purchasing goods and services on-line.

On May 7, 2012, the Ministry of Justice for British Columbia announced the introduction of Bill 44, the Civil Resolution Tribunal Act.  If enacted, British Columbia would become the first jurisdiction in Canada to create a tribunal to provide on-line dispute resolution services. Use of the tribunal’s services would be voluntary, except for strata corporations (condos).

Some things to note:

• Lawyers aren’t welcome.  Parties are to represent themselves unless they are a minor or a person with impaired capacity.  There are other exceptions such as if the rules for the Tribunal (to be drafted) permit representation or the tribunal finds it is in the interests of justice to permit the party to be represented.  The Trial Lawyers Association of British Columbia has already responded negatively as has the Canadian Bar Association British Columbia Branch.
• Tribunal will vet its jurisdiction. A party will make a request to the tribunal to resolve a dispute. The tribunal’s jurisdiction has not been fully described but it appears to intended for simple legal matters involving small claims.  As a prerequisite, the tribunal may require the parties to agree to on-line dispute resolution services.
• Limitation period suspension. Making a request for resolution by the tribunal will suspend the limitation period until the tribunal decides to refuse to consider the case or the parties agree to cease the process.
• Not clear whether jurisdiction can be agreed to in advance. Although the process is voluntary, it is not clear whether the process can be agreed to in advance in a consumer sales contract.  Once agreed to, the process is mandatory unless the tribunal dismisses the proceeding or the parties consent to the termination of the process.
• Staged process of dispute resolution. The intention appears to be that each case would proceed through four phases.  The first phase would be self-help dispute resolution using on-line, interactive tools.  If that did not result in resolution, the second phase would be on-line, supervised negotiations. Assuming no resolution, the third phase would involve direct intervention by a case manager to attempt to facilitate a settlement.  The final stage would be a tribunal hearing, which could take place on-line.
• Tribunal orders can be filed with the court. Final decisions of the tribunal may be filed with the British Columbia Supreme Court (or, in some cases the Provincial Court) and enforced as court orders.
• Limited judicial review. In its current form, the Bill has limited scope for judicial review of tribunal decisions. The Bill states that the standard of review is correctness but then exempts from that standard findings of fact, the exercise of discretion and the common law rules of natural justice and procedural fairness. A finding of fact can only be set aside if there is no evidence to support the finding or the finding is otherwise unreasonable. Discretionary decisions can only be set aside if the discretion is exercised arbitrarily or in bad faith, is exercised for an improper purpose, is based entirely or predominantly on irrelevant factors, or fails to take statutory requirements into account. Issues of natural justice and procedural fairness are to be reviewed taking into account the mandate of the tribunal.

Nova Scotia’s proposed Bill 65, which involves amendments to consumer protection legislation to “Ensure Fairness in Cellular Telephone Contracts” passed second reading on May 2, 2012 and is now in committee.

The proposed Bill follows the same theme as recent legislation enacted in Manitoba (discussed here) and proposed in Ontario (discussed here).

Manitoba has proclaimed into force the Consumer Protection Amendment Act (Cell Phone Contracts).  

The Act applies to contracts for cell phone services with consumers in Manitoba.  Cell phone services include wireless communication services, including voice and data.  As mentioned, the Act only applies to agreements with consumers, who are those who purchase the goods and services primarily for personal, family or household purposes.  The Act will not apply if the subscriber purchases the services primarily for business use.

Among the highlights:

• Advertisements and contracts must set out the minimum monthly cost of the services.
• The minimum monthly cost must be set out as an “all-inclusive” price.
• Consumers may cancel a cell phone contract at any time for any reason.
• Cancellation fees are limited to the prorated value of any cellphone provided to the consumer for free or at a reduced cost as an incentive for signing the contract.
• Before selling the consumer an extended warranty, the supplier must explain any other warranties that automatically apply.

The Ontario Minister of Consumer Services introduced the Wireless Services Agreements Act, 2012 on May 3, 2012.

The Bill only applies to agreements with consumers.  Consumers are those acting for personal, family or household purposes.  Accordingly, the Act will not apply to those who are self-employed and purchase smart phones for business use.  The proposed legislation will only apply prospectively to agreements entered into after the date the legislation comes into force where either the consumer or the person entering into the agreement with the consumer is located in Ontario.

Here are some of the highlights:

• The legislation will apply to wireless agreements, which are agreements with a consumer in which the supplier agrees to provide wireless services that the consumer is able to access from a mobile device such as a smart phone or cell phone.
• The legislation will apply even if the supplier does not sell the consumer the mobile device.
• Advertising must show all-inclusive costs, which must be the most prominent cost information in the advertising.
• Wireless services agreement must meet the prescribed disclosure obligations or they will not be enforceable.  Among the disclosure obligations are:
• Minimum cost obligations described on a periodic basis (e.g. monthly);
• Maximum usage of each service before the consumer will trigger additional costs not included in the minimum cost obligations; and
• Cost of optional services and any restrictions that will cause those costs to increase.
• Suppliers of wireless services must provide advance notice to the consumer if the consumer accesses a service that will result in additional costs.
• Consumers may cancel an agreement at any time for any reason.
• There are limits on cancellation fees based on prorating the economic inducements (such as discounted handsets) over the term of the contract or, for agreements of no fixed term, 48 months.

As many of us now know, Canada’s Anti-Spam Law is now expected to enter into force in 2013.  Don’t expect things to sit idle until then, however. 

3 Next Steps for CASL in 2012

Following are three next steps for 2012, ranked in order of importance to industry stakeholders:

1.  Industry Canada to issue new set of regulations for comment

As we noted in previous posts here and here, while businesses had hoped that regulations would clarify key terms and obligations under the Act, and lessen the Act’s impact on certain types of communications, many stakeholders were disappointed.  Many businesses considered that neither the Industry Canada regulations as originally published for comment, nor the CRTC regulations as finalized, went far enough to clarify obligations.  Moreover, neither set of regulations provided the exemptions many businesses have called for, to exclude certain categories or types of messages from the application of CASL consent requirements. 

A glimmer of hope is in sight:  Industry Canada is expected to publish a new set of regulations for comment in the coming weeks.  These regulations are expected to contain some exemptions from the application of CASL requirements.  In the comment period, businesses will have the opportunity to comment on the regulations, and seek further changes to make CASL more workable. 

2.  CRTC to issue a series of information bulletins for industry

Anyone who has tried to read through CASL’s provisions and the accompanying CRTC regulations knows that they tend to raise at least as many questions as they answer.  The CRTC is expected to issue information bulletins in the coming weeks to help clarify what is meant, and required, by some key elements of the regulations.  These bulletins may include matters relating to what it means to get consent “in writing” online, and how far businesses must go to make information accessible in “commercial electronic messages”. 

3.  Spam Reporting Centre

The government is currently reviewing bids by third-party service providers to operate the The Spam Reporting Centre.  The Centre will act as a liaison between the public and the government agencies (CRTC, Office of the Privacy Commissioner, Competition Bureau) on spam complaints and monitoring.  The government states that:

“When operational, the Spam Reporting Centre will accept various types of electronic messages from individuals and organizations in Canada. Reporting spam and related electronic threats will not stop such threats completely; however, the data sent to the Spam Reporting Centre will help it identify trends, and try to find out who is sending the spam and other threats and from where. This will aid in the future prosecution and civil proceedings against those responsible for electronic threats in Canada and internationally.”

The final line of the above quote – “future prosecution and civil proceedings”, and “threats in Canada and internationally” – is a stark reminder of two important points. 

First, the government means business.  Its objective is to “drive spammers out of Canada” (then Minister of Industry Tony Clement, 2010).  Second, CASL is designed to reach beyond Canada.  It is designed to capture commercial electronic messages that may be sent from other countries, and also to provide the framework for international monitoring and enforcement. 

3 Things to do while you “wait” for CASL in 2013:

1. Participate in the comment process on the coming draft Industry Canada regulations
2. Remind yourself of the differences between the U.S. CAN-SPAM requirements, and CASL
3. It’s strongly recommended that businesses use the lead time before CASL’s entry into force to get their operations in order.  Prepare your organization’s  CASL audit, checklist, and Compliance Policy.  The CAN-SPAM vs. CASL presentation and an earlier article of ours can help explain the basics. 

This is the third post in a series dealing with promotional activities in which a user of a website or mobile app is requested to provide e-mail addresses of their contacts or allow access to the user’s address book for the purpose of sending an e-mail invitation to a contact of the user.  In the first post, I discussed the privacy by design principle.  In the second post, I discussed the implications of treating the contact information as the personal information of the user and the non-user. 

As I mentioned in previous posts, this whole area is fraught with difficulty and will become more so once Canada’s Anti-Spam Legislation is in-force.  Legal advice should be sought for these types of promotion to ensure compliance.

So the invitation has gone out to the non-user.  Now what? 

Resist the urge to build a profile for the non-user.

The user has not yet agreed to join.  Typically, an organization will want to build privacy protections to avoid building a user profile for the non-user until the user consents to join.  If the purpose of collection was to send an e-mail invitation, it may be difficult to justify the collection of the non-user’s street address or telephone number.

There may be more subtle ways of building a profile, such as by cross-referencing the user’s e-mail address against other users’s address books or searching out other available information on the Internet.  If the website or mobile application’s design involves building a profile for the non-user as part of the promotional activity to invite the user to join, care should be taken to deploy privacy protections. In particular, the organization should avoid “using” the non-user’s personal information for purposes other than making the invitation until the organization has made privacy disclosures to the non-user.

In a recent decision of the Office of the Privacy Commissioner of Canada (“OPC”), the OPC considered Facebook’s practices with respect to generating friend suggestions for non-users in invitations.  At the time of the investigation, Facebook would bundle friend suggestions within the first invitation to the non-user.  The OPC found it significant that by doing so Facebook had already “used” the non-users’ e-mail address to generate friend suggestions without providing any information on how the non-user’s personal information was being used and any opt-out mechanism. 

During the investigation, Facebook changed its practices to something more acceptable to the OPC.  No additional friend suggestions were made in the initial invitation.  There was a more prominent opt-out notice and a notice and link to information regarding the use of the e-mail address for generating friend suggestions.  The non-user’s e-mail address was only used to make additional friend suggestions to the non-user once those disclosures had been made and the non-user given an opt-out opportunity.

Destroy the e-mail address once the purpose for the collection has been fulfilled.

Another issue is what to do with the e-mail addresses of non-users who do not respond either to join or to opt-out.  Organizations should consider whether the purpose for which the e-mail address has been collected has been fulfilled.  If so, then privacy legislation in Canada would instruct the organization to destroy (delete) the non-user’s contact information. 

There will be instances where the website or mobile app stores the contact information for another purpose as a service to the user.  However, if the sole purpose of the collection was to make the invitation, then the organization should consider what would constitute a reasonable period of time to keep the non-user’s contact information.

This is the second in a series of posts on privacy and anti-spam implications of organizations engaging in promotional activities in which the user of a website or mobile app is asked to supply e-mail addresses of contacts in order to invite those contacts to the website or to download the mobile app.

In the last post, I wrote about building privacy into the design of the website or mobile app.  This post deals with a few considerations regarding consent.  Upcoming posts will deal with anti-spam and other issues.

Treat the contact information as the personal information of the user (owner of the address book).

Most organizations understand that it is necessary to obtain the consent of the owner of the address book to use contact information for the purposes of soliciting those contacts. Obtaining consent from the user is generally straightforward. In most contexts, there will be a transparent way for the organization to ask for permission to use the user’s contacts. If privacy considerations have been built into the promotional program, asking for permission to use contact information or asking the user to input the contact information for the purpose of “inviting a friend” to the site can be accompanied by disclosure of how the information is going to be used. If the user is going to be provided with the opportunity to customize the message to the recipient, the use will be transparent.

What might not be obvious is any on-going use that the organization may intend to make of the information that is supplied. Consideration should be given to providing relevant information about on-going uses, if any, at the point of request regarding the proposed use and direction to the organization’s more detailed data use policy governing the life-cycle of the requested information.

Treat the contact information as the personal information of the contact (the owner of the email address).

The personal information being collected through “Suggest to a Friend” promotions is also personal information of the non-user.  This is frequently overlooked in the design of these marketing initiatives.

The Office of the Privacy Commissioner of Canada has previously stated that organizations that actively solicit non-users’ e-mail addresses from users with the intention of using them for their own purposes must take some responsibility for obtaining consent of the non-users.

The requirement to obtain the recipient’s consent may not be obvious to an organization. The e-mail is, after all, being sent as an invitation from the user. However, in a “suggest a friend” promotion, the substance of the communication is a commercial.  The organization is processing the e-mail address for a promotional purpose to invite the recipient to sign-up or join the organization’s site. This use of the e-mail address is likely to be governed by Canadian privacy legislation.

How to Obtain Consent from the Recipient

An e-mail address, on its own, is generally not considered to be sensitive personal information. If the e-mail address will only be used for the purpose of sending an invitation by a user to a non-user who the user knows, the use of the e-mail address by the organization will not be considered to be sensitive. Leaving aside anti-spam legislation, which will be discussed in upcoming posts, the organization soliciting the e-mail addresses may rely on the users to obtain express or implied consent of the non-users.

However, the organization must demonstrate reasonable due diligence to ensure that non-user’s consent has been obtained. Reasonable due diligence varies in the circumstances.  In most contexts it will consist (at a minimum) of making sure that users are aware that they must not disclose the non-users’ e-mail address unless the user knows the non-user personally and the non-user would want to receive the e-mail.

If more than one e-mail will be generated (for example, reminder e-mails), that information must be disclosed to the user so that the user can consider whether that use of their contact’s e-mail address would be appropriate.  This information should also be disclosed to the recipient.

Due diligence also requires that the organization confirm whether the recipient has in fact expressly or impliedly consented to the use of his or her e-mail address in this manner. This is not an impossible task.  For example, when the e-mail is sent to the non-user, the organization could explain why the e-mail is being sent, what use will be made of the e-mail address (reminders, permanent links to the user who sent the message, etc.).

If the recipient objects to this use of the e-mail address (in effect, withdrawing the implied consent), the recipient non-user should be given a way of opting out of further communications. In other words, consideration should be given to allowing the recipient to put himself or herself on a “do not contact” list. In addition, or in the alternative, consideration might be given to permitting the recipient to request deletion from the organization’s system.

Issues relating to non-user consent can be tricky.  The organization should consider all uses of the e-mail address and the life-cycle of that use and consult a lawyer to ensure the promotion is compliant.

A not uncommon Web-based marketing tool is to invite users to suggest the website to their friends and family. The user inputs e-mail addresses or allows the website or mobile app to harvest the user’s address book information to generate a list of potential contacts. Organizations planning to implement this type of marketing program should seek legal advice to ensure that they remain on side privacy and anti-spam regulations. This is the first in a series of posts in which I will comment on a few notable issues relating to these types of promotional activities.

Employ the “privacy by design” principle.

The starting point when designing these types of promotions is to assess privacy implications of each aspect of the promotion and build privacy protections into the administrative and technological design of the promotion.

By assessing the privacy implications of the marketing program at the outset, the process of ensuring that the marketing tool will be privacy compliant will be simplified. Employees in the marketing group will know what questions to ask of vendors and IT professionals will be better positioned to implement systems to ensure privacy compliance.

To take a simple example, organizations should consider whether they have a legal obligation to provide the recipient of a promotional e-mail invitation a way of opting-out from further e-mail communications. The non-user may expect to be given the opportunity to permanently opt-out of further communications from not only the friend who sent the invitation that any other friends who may use the organization’s services. The technological ability to provide that permanent opt-out mechanism would need to be built into the design of the system.

Moreover, as will be discussed in subsequent posts, the organization will not have consent to send the recipient further promotional material other than perhaps a reminder e-mail, until the recipient takes a positive step to accept the invitation. This means that the organization must have the technological capability to prevent the non–user’s e-mail address from being mixed into the database for general promotional communications.

Earlier this month, the Canadian Radio-television and Telecommunications Commission (CRTC) announced that it had concluded a five-month investigation and has taken enforcement action against 85 companies for violating Unsolicited Telemarketing Rules.

In stepping-up its enforcement action, the CRTC issued citations to 74 companies who were engaged in telemarketing activity but who would fail to register with the National Do Not Call List operator or to subscribe to the National Do Not Call List.  The National Do Not Call List which allows Canadians to register their telephone and fax numbers in order to opt-out of being contacted by telemarketers.

Another 11 companies were assessed administrative monetary penalties for violating the Unsolicited Telemarketing Rules. The aggregate administrative monetary penalties assessed by the CRTC for these 11 companies was $41,000. The amount reflects that in each case the company that had failed to comply with the Unsolicited Telemarketing Rules appears to have been a relatively small business.

Small businesses should be aware that even though the costs of compliance with the Unsolicited Telemarketing Rules may be material; all telemarketers must exercise diligence in complying with and with demonstrating compliance with the Rules.  For example, if the company wishes to rely on the exemption that applies to telemarketing calls to a person with whom the company has an existing business relationship, the company must be able to demonstrate the one of the following: (i) a contract was concluded with person who was contacted or a contract with that person had expired in the 18-month period preceding the telecommunication; or (ii) the person who was contacted had made an inquiry of the company or an application within the six-month period preceding the telecommunication. In order to defend itself, therefore, the company must maintain accurate records that can be produced on demand to the CRTC.

If the existing business relationship exemption, or another exemption, does not apply to the telecommunication, the company must register with the Do Not Call List operator and download the Do Not Call List once every 31 days. All businesses engaged in telemarketing activity (including small businesses) must, therefore, invest in sufficient computer technology to be able to utilize the Do Not Call List to screen out persons who do not wish to receive unsolicited telecommunications.

Are you one of those who have been monitoring the progress of Canada’s Anti-Spam Law (CASL)?  

If so, you may also have given some thought to the difference between the existing U.S. rules under the CAN-SPAM Act, and the new Canadian rules under CASL coming into force in 2012.  After all, the CAN-SPAM rules have been in place for years, and have become accepted industry practice for marketers and others in the U.S., and to a certain extent, informally, in Canada. 

CASL and CAN-SPAM are similar in some basic respects, but they are very different in important ways.  As we’ve explained in earlier posts, CASL has broader application, a higher standard for consent, greater penalties, and a clearer out-of-country reach than the U.S. CAN-SPAM Act. 

Our SlideShare overview, Comparing CASL to CAN-SPAM, has received over 1,000 views to date.  We’ve just updated the overview to reflect the recently finalized CRTC regulations which set out requirements for consent and message content.  Take a look at the updated Comparing CASL to CAN-SPAM and let us know if it answers your questions.

Today, Ontario’s Minister of Finance, Dwight Duncan, presented Ontario’s proposed budget, “Stronger Action for Ontario“. 

From a privacy and data governance perspective, here are a few things to note:

• Public-Private Partnership for ServiceOntario.  ServiceOntario operates a hub for government registrations, certifications and licensing.  The government is proposing to increase private sector involvement, including in the expansion of online services.
• Unclaimed Intangible Property. Ontario has unclaimed intangible property legislation that has not been proclaimed into force.  The government has indicated that it will move forward to establish and Unclaimed Intangible Property Program that would allow the government to take unclaimed intangible property and use it for government purposes until claimed by the owner of the property.  This will inevitably create data gathering, reporting and payment obligations for businesses operating in Ontario as well as the collection of further information about Ontarians by the government.
• Integration of Social Programs. As mentioned in our previous post, the Drummond Report suggested that there would be benefits to integrating social programs and centralizing data collection.  It appears that the government will move forward on some of these recommendations.
• Sharing Information for Tax Compliance. The Drummond Report also called for greater information sharing to combat the loss of tax revenue in the underground economy. The government is proposing to move forward with, among other things, enhanced information sharing across Ontario ministries, municipalities and with the Canada Revenue Agency. 

The government is also proposing amendments to the Freedom of Information and Protection of Privacy Act to accomplish some of its tax and revenue collection objectives.

At a press conference today, March 26, 2012, the U.S. Federal Trade Commission (FTC) released its final report on protecting consumer privacy, entitled “Protecting Consumer Privacy in an Era of Rapid Change“. 

FTC Chairman Jon Leibowitz began the press conference quoting former U.S. Supereme Court Justice Louis Brandeis, who wrote in dissent in a 1928 wire-tapping case, that the Fourth and Fifth Amendments to the U.S. Constitution recognized that the right to be let alone was ”the most comprehensive of rights and the right most valued by civilized men.”

The FTC outlined three over-arching principles for protecting consumer privacy at the beginning of the 21st Century:

1. Privacy by Design. Incoporate privacy in the developmental stages of projects.  This is the “privacy by design” principle the case for which has been convincingly made by the Ontario Information and Privacy Commissioner.
2. Simplified Consumer Choice. Consumers must have simplified choice with respect to how their personal data is used.  The FTC emphasized that non-one has the right to put anything on a consumer’s computer.  The FTC acknowledged the strides being made in Do Not Track initiatives.
3. Transparency. Data use practices must be transparent. The FTC suggests that privacy disclosures must be less onerous for consumers to navigate and read.

The FTC suggests that legislation may be required to regulate “data brokers”.  Data brokers may be engaged in types of activities that are similar to credit and consumer reporting agencies without coming within existing legislation governing consumer and credit reporting agencies. The FTC has called on data brokers to creating a centralized website where data brokers would “(1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.”

On the issue of “Do Not Track”, the FTC acknowledged the strides that had been made stated that if “Do Not Track” was not fully operational by the end of 2012, the advertising industry should expect that there would be a “tsunami” of calls for legislation.

From time-to-time, I will comment on legal developments in consumer protection that have implications for the e-commerce environment. On March 15, 2012, the British Columbia Court of Appeal released its decision in Loychuk v. Cougar Mountain Adventures Ltd., which establishes that complete waivers of liability for personal injury in recreational activities may be enforceable under British Columbia’s Business Practices and Consumer Protection Act (“BPCPA”), even if the plaintiffs do not understand at the time of booking the activity that a waiver will be required.

Background

The plaintiffs reviewed the website of the defendant and booked a zip-line adventure. The plaintiffs were injured when they collided on a zip-line operated by the defendant.  According to the court’s reasons for judgment, the defendant admitted that its employees had been negligent (there had been miscommunication between the guides leading the zip-line tour).

The defendant relied on a waiver of liability that the plaintiffs signed prior to participating in the adventure. The waiver was a one-page document. It had a warning at the top indicating that by signing the document the plaintiffs would waive certain legal rights, including the right to sue or claim for compensation following an accident. In the body of the waiver, the plaintiffs released all claims for any loss, damage, expense or injury, including death, due to any cause whatsoever, including negligence, breach of contract, or breach of any statutory or other duty of care, and including the failure on the part of the releasees to take reasonable steps to safeguard or protect the plaintiffs from the risks, dangers and hazards of participating in the zip-line activities.

Each of the plaintiffs had had prior experience with signing releases in the context of recreational activities. One of the plaintiffs was the owner of a business that offered kickboxing programs for women in which waivers of liability were used. The other plaintiff had previously signed a waiver in connection with the renting a kayak.

Issues for the Court of Appeal

In the Court of Appeal, the plaintiffs argued:

1. The waiver was unconscionable at common law;
2. The waiver was unenforceable under the provisions of the BCPBCA; and
3. There was no consideration in exchange for the signing of the waver.

Unconscionability

The court, following the Supreme Court of Canada’s decision in Tercon Contractors Ltd. v. British Columbia (Transportation and Highways), held that whether the waiver of liability was enforceable depended upon it three-step analysis:

1. Did the release covered in the injury in issue? There was no debate that this step was satisfied.
2. Was the exclusion of liability was unconscionable at the time of the contract with the defendant was entered into?
3. Was there was any overriding public policy reason that would permit the plaintiff to avoid the exclusion of liability?

To succeed on the second step (unconscionability), the Court of Appeal held that the plaintiffs had to demonstrate that there was (1) inequality of the parties arising from the ignorance, need or distress of the weaker and (2) substantial unfairness. The court concluded that there is no power imbalance where a person wishes to engage in an inherently risky recreational activity, simply because that activity is controlled or operated by another person. Nor was it unfair for an operator to require a waiver as a condition of participation.

Regarding the third step (public policy), the court rejected the argument that the fact that the zip lining activity was totally within the control of the operator meant that the operator could not disclaim liability as a matter of public policy. The court held that if there were policy reasons why releases for injuries in recreational activities that are freely entered into should not be enforced that was a question for the Legislature. The relevant public policy issues for the court were whether the defendant knowingly placing the public in danger or was reckless as to whether it was doing so.  These factors didn’t apply.

Consumer Protection

For the purposes of the appeal, the court assumed that the BPCPA applied.

The plaintiffs argued that the defendant had engaged in unconscionable or deceptive acts and practices and for that reason the waiver was unenforceable. In particular, the plaintiffs relied on paragraph 8(3) of the BPCPA, which directs the court to consider whether “the terms or conditions on, or subject to, which the consumer entered into the transaction were so harsh or adverse to the consumer as to be inequitable”. The court held that this provision did not lower the standard to be met before a contract would be set aside on the basis of unconscionability. The court would not set aside the release merely because it was arguably “inequitable” – it had to be unconscionable.

The plaintiffs also alleged that there had been deceptive advertising, which rendered the waiver void. In particular, the plaintiffs relied on a statement from the “Frequently Asked Questions” page on the website. In response to the question about the safety of the zip line activity, the defendant describes the engineering construction and certification of the zip line and did not mention the risks inherent in its operation. The court rejected this argument. First, there was nothing to indicate that the plaintiffs were aware of or relied on the statement. Second, and more importantly, the court held that the website statement could not be inferred as representation of anything other than a statement of the infrastructure.

Lack of Consideration

The plaintiffs’ final argument was that the waivers lacked consideration. The plaintiffs argued that they had entered into their contracts prior to having signed the waivers. One of the plaintiffs argued that the contract was complete when she made the reservation using her husband’s credit card. The other plaintiff argued that the contract was entered into when her friend made the reservation for the group. The court held that it was bound by prior decisions of the court and found that permission to continue an activity or to commence an activity constituted immediate and fresh consideration capable of supporting the waiver. It was “immaterial” whether the plaintiffs had read the statement on the website that participants would be required to sign a waiver.

Carnegie Mellon CyLab has released a summary of its third survey regarding corporate governance of the privacy and security of digital assets.  CyLab is a centre for cyber security research. The 2012 study was sponsored by RSA, the security division of the information infrastructure company EMC. A summary of the study is available on the RSA website.

The authors of the 2012 study state that less than one-third of Global Forbes 2000 companies who responded to the survey are undertaking basic responsibilities for cyber governance.  Among the key findings were that:

• 94% of respondents stated that they had a formal enterprise risk management program; however, half of the respondents reported that they do not have personnel in key privacy and security roles;
• at the board level, audit committee responsibility for technology risks has decreased in favour of risk committees;
• however, only one-third (approximately) of the respondents reported that their board of directors are focused on activities that would help protect against reputational or financial losses resulting from breaches of data security and the theft of confidential and proprietary information; and
• more than half of the respondents reported that their boards do not review insurance policies for protection against cyber risks.

The Canadian Radio-television and Telecommunications Commission (CRTC) has made and registered its Electronic Commerce Protection Regulations for the Anti-Spam Act (CASL).  The regulations set out the information to be included in, and the form of, commercial electronic messages (CEMs), and information to be included in a request for consent.  The regulations also address how to get consent for the installation of computer programs.

The CRTC has responded to a select few of the broad-ranging concerns raised by businesses on the draft regulations during last year’s consultation phase.  Businesses will find there is a bit more flexibility in the “must-have” information they set out in CEMs, and when they seek consent to send them.  This implicitly recognizes that:

• businesses operating online are not all created equal:  they do not all have the same contact capabilities, in terms of either human or online resources; and
• CEMs are not all created equal:  an email may be easy (relatively speaking) to load up with prescribed information, but online communications come in many forms, and some are not as adaptable to detailed information and contact requirements.

The following points compare the final regulations to the draft regulations (the latter in parentheses).  When sending a CEM or seeking consent, businesses may do the following.

• simply include the name by which they carry on business (rather than both that and their legal name);
• include their mailing address, and either a staffed or voicemail phone number, email address or web address (rather than the physical and mailing address, plus all of the above, plus any other electronic address);
• include the information in the above point on a website that “is readily accessible” (rather than via a single click);
• use an unsubscribe mechanism that can be “readily performed” (rather than “performed in no more than two clicks or other method of equivalent efficiency”);
• simply indicate that the person whose consent is sought can withdraw their consent (no need to indicate the means to do so).

Despite the above points of flexibility, there is no denying that the Act and regulations will impose much higher requirements for CEMs than many businesses are prepared for.  This notably includes U.S. businesses operating in Canada who are familiar with, and compliant with, CAN-SPAM.  As we explained in a previous post, CAN-SPAM and CASL are different in several very important ways.  CASL has a broader application, clear reach outside Canada, higher standard for consent, and higher penalties.

In short, any business sending CEMs to Canadians needs to become informed about the CASL requirements and take steps to become compliant.

Next Steps

Further regulations are expected from Industry Canada before CASL comes into force.

Businesses and industry associations have called on the government to introduce even more flexibility to reduce the impact of CASL on their operations, while still meeting the government’s anti-spam priorities.  One of the frequent “asks” has been for some lead time prior to entry into force CASL to allow businesses to prepare their databases and operations.  Others have requested that the government use its regulation-making authority to exclude certain types of CEMs, and CEMs sent under certain circumstances, from the requirements of the Act.

It remains to be seen whether the government will introduce new exceptions, or more flexibility, under regulations to come either before or after CASL comes into effect – expected later this year.

Earlier this month, the Office of the Privacy Commissioner of Canada (“OPC”) released its first  report of findings for 2012. This first report concerned a complaint regarding the privacy practices at a on-line “open community” social networking site popular with youth.

The original complaint against the social networking site was filed in January 2010 by a public interest advocacy group. According to the OPC, the social networking site described itself as an “open community” platform used primarily for youth to “show off to the world”.

The OPC report is lengthy.  In this summary, I focus on five areas.

1.  ”Visible to All” Privacy Settings

The OPC was concerned that default privacy settings were completely open — meaning that user profiles (containing what the OPC considers to be sensitive personal information) could show up in Internet search results.  Some data showed up even in higher privacy settings. In response, the social networking site appears to have argued that the privacy defaults were reasonable given that very few of its users change their privacy settings to a more restrictive setting. When certain blocks of information were given a more restrictive setting by default, 5% of users had lessened the privacy restrictions.

Notwithstanding that users generally did not make their settings more restrictive, the OPC concluded that youth have special vulnerabilities and, therefore, a “reasonable person” would not consider it appropriate for the social networking site to preselect a low privacy setting for users, such that personal information would show up in Internet search results.

2.  Meaningful Consent

The OPC also found that the site failed to get meaningful consent to the collection, use and disclosure of personal information. In this regard, the OPC was also influenced by the age of the typical users of the site. The OPC accepted that parental consent was not required. However, consent had to be obtained in a way that was meaningful given the demographics of the users.

The “take-away” on this point is that the standard privacy policy hyper-link at the bottom of a website may not always be adequate. Given the target audience, the OPC did not consider that the social networking site’s reliance on users to read a lengthy and formal privacy policy was a reasonable way to obtain consent. A more interactive privacy disclosure at point of click was better-suited to the audience. Nevertheless, the OPC accepted a process where a user had to review the privacy policy as part of the registration process.

3. Targeted / Behavioural Advertising

The OPC accepted that the nature of the free social networking service being offered meant that the use of personal information for the purposes of advertising was an acceptable  condition of service, provided there was proper disclosure of information use and sharing practices. The OPC wanted more robust disclosure. Although the OPC did not require the social networking site to permit users to opt-out of third-party tracking cookies, the OPC required enhanced disclosure of third-party cookies in the social networking site’s privacy policy.

4.  Sharing of User IDs for Rewards and Payment Processing

The social networking site disclosed user IDs to its third-party payment processor when users made purchases. In addition, the site disclosed user IDs, age and gender to a rewards company when users participated in certain offers. Apart from deficiencies in the privacy policy disclosure regarding these practices, the OPC had concerns that more information was being shared than was necessary. The OPC was not convinced that the user ID could not be linked back to a user profile. The OPC tested the site using a search function and was able to link to user profiles. Accordingly, OPC recommended that the social networking site use another unique code for payment processing. The social networking site discontinued the rewards program during the course of the investigation.

5.  Retention of Information in Declined Invitations and Deleted Accounts

The OPC also had two significant concerns regarding the retention of information. The first concern related to the use of non-user e-mail addresses. As is common, users of the social networking site could invite their friends to join. Users did not have to confirm that they had their friend’s consent to this use of the friend’s email address. If a non-user did not want to receive further invitations, the non-user could opt-out but the email address will be retained (not surprising if further invitations are to be blocked). The OPC stated that the user who provides the e-mail address should have to confirm that they have the prior consent of their friend. Moreover, the OPC stated that non-users should be given a choice between opting-out and having their e-mail deleted.

A more tricky issue was the issue of what happens with information for deleted accounts.  The OPC reported that when a user clicks the “Delete Account” option, they were informed that: “This will delete your account, including your profile, your pictures, friends list, messages, etc. Your forum posts, comments and messages in other users’ in-boxes will remain.” However, in practice, only the user’s “shouts” were deleted. The user’s user-name, user ID, email address, IP address and log-in information, friends list, gallery pictures, profile contents, messages and comments, and profile photos were archived.

The OPC stated that there should be a true “Delete Account” function and that the disclosure was misleading. The OPC reports that the social networking site has stated that it refuses to implement this recommendation because of the costs of doing so. The position of the social networking site, as described by the OPC, is that the information is only accessible to system administrators and recovered in the event that they receive a warrant from a law enforcement authority.

As this issue is outstanding, the OPC is considering further action.

The British Columbia Information and Privacy Commissioner (“IPC”) has released guidelines on cloud computing. The guidelines apply to the public sector bodies to which British Columbia’s Freedom of Information and Protection of Privacy Act (“FIPPA”) applies.

Paragraph 30.1(a) of FIPPA restricts the ability of public bodies in British Columbia to transfer data outside of Canada.  Subject to limited exceptions, public bodies in British Columbia are permitted to store personal information outside of Canada only with consent of the individual with respect to whom the information relates. The consent must be provided in writing and specify to whom the personal information may be disclosed.

The British Columbia IPC recognizes that some vendors are offering cloud computing services that store information solely within Canada. However, the IPC cautions that public bodies must make inquiries to determine whether they can rely on these representations. In addition, the IPC states that public bodies must consider whether there are reasonable security measures, such as:

• corporate policies, procedures and standards with respect to security and privacy;
• controls regarding access by authorized users;
• infrastructure security, including layered security controls and patch management;
• encrypted transmission and storage of personal information;
• contractual safeguards for the information to prevent unauthorized use, to require mandatory breach reporting and to permit audits.

On February 7, 2012, the U.S. Federal Trade Commission (FTC) announced that it had warned marketers of six mobile applications that they may be violating the U.S. Fair Credit Reporting Act.  The FTC stated that the mobile applications provide background screening reports on individuals.  Although the FTC reached no conclusion regarding whether there was any violation by the marketers, the FTC requested that the marketers review the application of and their compliance with the Fair Credit Reporting Act.

The U.S. Fair Credit Reporting Act regulates the activities of consumer reporting agencies.  A “consumer reporting agency” is one that regularly assembles or evaluates information about a person’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living and reports that information to third parties for the purpose of establishing the consumer’s eligibility for (1) credit or insurance to be used primarily for personal, family, or household purposes or (2) employment purposes.

The FTC warned the marketers that they must comply with the Fair Credit Reporting Act if they have reason to believe the information provided through the apps is being used for employment, housing, credit or similar purposes. For example, the Fair Credit Reporting Act imposes obligations on credit reporting agencies with respect to ensuring the accuracy of information, providing mechanisms for consumer redress, and, in some circumstances, requiring consumer reporting agencies to notify users of consumer reports of their obligations under the Fair Credit Reporting Act. The FTC stated that a warning by the marketer that the app was not to be used for the purposes regulated by the Fair Credit Reporting Act did not protect the marketers if the marketers had reason to believe the apps were being used in decisions by third parties with respect to employment, housing, credit or similar purposes.

Developers and marketers of similar applications in Canada should be aware that Canadian provinces have similar laws regulating consumer reporting.  For example, in Ontario, the Consumer Reporting Act regulates persons or organizations that provide reports to third parties for use in relation to, among other things, (1) credit granting or debt collection, (2) entering into or a renewal of a tenancy agreement, (3) employment decisions, and (4) underwriting of insurance.

Among other things, consumer reporting agencies in Ontario (1) must be registered, (2) must follow prescribed practices with respect to the information that may be contained in a report, (3) must provide consumers with access to their consumer report, and (4) must have a process for the consumer to contest inaccurate information.

Failure to comply with the Consumer Reporting Act (Ontario) may result in a fine of not more than Cdn. $25,000 or to imprisonment for a term of not more than one year, or to both.  Accordingly, developers and marketers of background checking or screening apps in Canada may wish to obtain legal advice to ensure that they remain compliant with respect to Canadian provincial laws governing consumer reporting.

On April 11, 2011, FMC Partners Anneli LeGault and Catherine Coulter presented a round-up of 10 things you need to know about Canadian privacy laws.

One often overlooked aspect of Canadian privacy compliance that they addressed is particularly relevant to e-commerce businesses offering goods or services across Canada.  E-commerce businesses should be aware that some Canadian provinces have private sector privacy legislation.  British Columbia, Alberta and Quebec each have their own private sector privacy legislation.  Although these laws are substantially similar to Canada’s federal legislation (known by its acronymn PIPEDA), they are not identical. We’ll touch on some of the differences in up-coming posts.

As an example of differences, compare the order making powers of the provincial privacy commissioners and the range of fines that might be levied. Click here for a link to Anneli and Catherine’s slide show used at their presentation and jump to slide 8!

On January 25, 2011, EU Justice Commissioner Reding announced proposals for new data privacy rules for members of the European Union. The proposed rules include:

• An expanded “right to be forgotten”. Not only would an organization have to delete personal information that it could not demonstrate any legitimate need to retain, the organization may be required to inform third parties to facilitate the erasure of links to or replication of the personal information.
• Explicit consent for data use. If consent is required for data processing, the consent will have to be explicit (not implied).
• Breach notification. National data protection authorities must be notified of serious data breaches within 24 hours (if feasible) or as soon as possible.
• Extra-territorial reach. EU rules would apply to any organization active in the EU market even if the data is processed elsewhere.
• Expanded jurisdiction to investigate. National data protection authorities would be able to investigate complaints even though the complainant’s data is processed by an organization outside of the EU.
• Enhanced penalties. Organizations may be subject to fines for non-compliance of up to €1 million (approx. Cdn. $1.3 million Jan 27/12) or up to 2% of the global annual turnover of a company.

These proposed changes are relevant to Canadians. The outcome of this regulatory reform may affect Canadian firms processing data collected in EU member states or marketing to residents of EU member states. But more broadly, these are all issues that Canadian privacy regulators are examining.

Data Privacy Day is observed annually on January 28th in a number of jurisdictions with varying formality and support by government officials.  Privacy professionals and consumers use this day annually to raise awareness regarding best privacy practices, to educate consumers and to reflect on the complexity of privacy issues in our global and electronically interconnected economy. 

To learn more about Data Privacy Day, a great strating point with a collection of resources is the Privacy Commissioner of Canada’s website.  Also, check out the U.S. National Cyber Security Alliance website.

January 28, 2012 is World Data Privacy Day. Privacy is interconnected with anti-spam, data management and records retention issues for many industries, particularly those operating in the e-commerce environment.  

To mark this year’s World Data Privacy Day, Fraser Milner Casgrain LLP (FMC) is launching this new blog on data governance.  FMC is a national Canadian law firm with offices in the principal economic centres of Canada.  Our focus in this blog will be to provide interested followers with information on how privacy, anti-spam, records management and e-commerce interact in the Canadian legal environment.  Along the way, we will provide updates on worldwide developments that we think may be of particular interest to businesses operating in Canada with global e-commerce connectivity.

Please check back frequently.  Or better yet, subscribe!