On December 13, 2012, the Office of the Privacy Commissioner of Canada released Report of Findings #2012-004 (August 22, 2012) relating to the unauthorized disclosure to an imposter of a cell phone customer’s account information. In addition, the Report of Findings addresses the scope of an individual’s access rights under the Personal Information Protection and Electronic Documents Act (PIPEDA). It is this aspect of the decision that is the subject of this post.

PIPEDA Access Rights

Principle 4.9 of Schedule 1 to PIPEDA provides that “an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information”. Subsection 8(1) of PIPEDA requires that a request for access be made in writing. Pursuant to subsection 8(3) of PIPEDA, an organization must respond to the request within 30 days subject to certain exceptions. Notwithstanding an individual’s access right under Principle 4.9, an organization is prohibited under section 9(1) of PIPEDA from providing an individual access if it would reveal information about a third party. If the information about the third party can be severed, the organization should follow that procedure in providing access.

No Obligation to Provide Access in a Particular Medium

In Report of Findings #2012-004, the complainant sought a copy of the recording between the imposter and the customer service representative. The organization offered to permit the complainant an opportunity to listen to the recording at the company’s premises. The organization also provided a transcript of the call and deleted the customer service representative’s name. The complainant did not take up the offer to listen to the recording and complained to the OPC regarding the completeness of the transcript.

The OPC concluded as follows:

[35] Regarding the redactions that the company had made from the call transcript that it provided the complainant, we have reviewed those redactions and find them to be in compliance with subsection 9(1) of the Act, which requires an organization to sever personal information about a third party before allowing an individual access to their own personal information. The information redacted from the transcript (i.e., the CSR’s name) belongs to a third party.

[36] As for the issue raised by the complainant that he was not provided with an audio recording of the conversation which took place between the imposter and the CSR, the Act provides individuals with the right to access their personal information. The Act does not, however, require an organization to provide access in a particular medium. Only under section 10 of the Act must an organization give access to personal information in an “alternative format” to an individual with a sensory disability and who requests that their personal information be transmitted in the alternative format. The complainant’s case does not fall within these circumstances. Rather, the company did provide the complainant with the call transcript containing the personal information, and to which he was entitled under the Act. It is, therefore, not required to further provide him with a copy of the recording.

It should be noted that the OPC did not state that a transcript would always suffice. The organization provided the complainant with the opportunity to listen to the recording. A recording of a voice contains more information about the person than what would appear on a transcript. The OPC might conclude that an individual may have a right to listen to the audio recording. Factors that the OPC might consider to be relevant may include whether there is third party information in the recording that cannot be severed without significant and disproportionate cost.

The Supreme Court of Canada determined yesterday, in A.B. v. Bragg Communications, that a 15-year old can proceed anonymously to pursue the identity of her Facebook cyberbully. 

The 15-year old, A.B., found out that someone had posted a face Facebook profile with her picture, a modified version of her name, and other identifying particulars.  The profile also included demeaning comments about A.B.’s appearance, and sexually explicit references.  

Facebook provided the IP address associated with the Nova Scotia account holder.  The Internet provider, Eastlink, agreed to provide more specific information about the address – if a court authorized it to do so.  A.B. brought an application for such an order, and along with the application requested (i) permission to seek the identity of the Facebook cyberbully anonymously (the “anonymity request”), and (ii) a publication ban on the content of the fake Facebook profile. 

While Eastlink did not oppose the privacy requests, the Halifax Herald and Global Television did.  The Nova Scotia court granted the order requiring Eastlink disclose the information about the identity of the cyberbully.  However, it denied A.B.’s anonymity request and the publication ban, on the basis that she had not proved specific harm to her that would outweigh restricting access to the media.  Put simply, the media’s right to access and report on the facts of the case outweighed A.B.’s right to privacy.  This was upheld at the Court of Appeal.

A unanimous Supreme Court overturned this, stating that:

If we value the right of children to protect themselves from bullying, cyber or otherwise, if common sense and the evidence persuade us that young victims of sexualized bullying are particularly vulnerable to the harms of revictimization upon publication, and if we accept that the right to protection will disappear for most children without the further protection of anonymity, we are compellingly drawn in this case to allowing A.B.’s anonymous legal pursuit of the identity of her cyberbully.

The Supreme Court noted that the Canadian Newspapers decision had established that the limits imposed by prohibiting identity disclosure [in a criminal sexual assault case] on the media’s right to freedom of the press are minimal: the media can be present at the hearing, and report facts and the conduct of the trial, without revealing the complainant’s identity. 

In yesterday’s A.B. decision, the Supreme Court placed great emphasis on the inherent vulnerability of children, and the importance of protecting their privacy in the context of cyberbullying.  In the view of the Supreme Court, if we accept that, then surely we must accept the need to prohibit identity disclosure in this case, just as the Court did in the criminal context in Canadian Newspapers.

The Supreme Court allowed A.B.’s appeal in part:  her identity would be protected, and the identifying information in the fake Facebook profile.  The non-identifying information in the profile could be disclosed. 

This decision provides further direction for those conscious of the protection of the privacy of children, and wondering about the specific content of those obligations.  Unlike the United States, Canada has no Children’s Online Privacy Protection Act (COPPA), and while there are set age and child-specific standards in Canadian criminal laws, we have no set age or child-specific standards in our federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA) .  The Supreme Court noted that:

Recognition of the inherent vulnerability of children has consistent and deep roots in Canadian law.  This results in protection for young people’s privacy under the Criminal Code, R.S.C., [...] the Youth Criminal Justice Act [...], and child welfare legislation, not to mention international protections such as the Convention on the Rights of the Child [...], all based on age, not the sensitivity of the particular child.  

The Supreme Court has sent a message that in contexts where children may be particularly vulnerable – even when the child is 15 years old, and the context is Facebook – the law will protect their privacy on an objective basis based on age, not individual maturity or temperament.

Mark and Constance Fournier operate the Free Dominion website as a political news discussion forum.  Richard Warman had an exclusive licence to the copyright in a National Post article entitled “Jonathan Kay on Richard Warman and Canada’s Phony Racism Industry”.  Warman alleged that the Fourniers infringed his copyright when excerpts of the article were posted on their website.

In its recent decision, the Federal Court of Canada determined that the reproduction of the excerpts on the site did not infringe Warman’s copyright.  First, the Court found that the excerpts did not amount to a “substantial part” of the work.  In the alternative, the reproduction constituted fair dealing for the purposes of news reporting. 

A quick read of the decision – and some of the subsequent commentary that has appeared online - suggest that borrowing parts of an article for a forum, blog or other piece is generally fine.  It’s important to remember, however, that there is no quick test to judge when using/borrowing/copying content that’s not your own crosses the line into copyright infringement.  For better or for worse: (1) infringement is always assessed on the facts of each individual case (there is no “one size fits all”); and (2) the legal tests are anything but straightforward. 

The comments below are not intended to critique the Federal Court’s analysis.  Instead, we simply point out the various steps the Court went through to assess the facts of this case against the law. 

“Not a substantial part”

Factors considered:

•  quality and quantity of material taken (held: less than half the work, mostly made up of facts, not commentary)
• extent to which the use adversely affects the copyright owner’s activities, diminishes copyright value (held: not directly relevant)
• whether the material taken is the proper subject-matter of copyright (not directly dealt with)
• whether the use was intentional appropriation, to save time and effort (no – intention was to preserve a record of facts)
• whether the material taken is used in the same or a similar fashion as the owner’s (not directly relevant/not directly dealt with)

Quite a murky and arguably subjective exercise.  Moreover, the above points were only part of the analysis.  The Court went on to do an alternative analysis based on:

“Fair Dealing for the Purposes of News Reporting”

The Copyright Act enumerates three accepted types of fair dealing: research or private study; criticism or review; and news reporting.  The Copyright Modernization Act will add satire, parody, and education to this list. 

Because “fair dealing” is not otherwise defined in the Copyright Act, the courts have had to define it themselves.  The Supreme Court of Canada set out six factors to determine whether dealing with a work is “fair” (see CCH Canadian Ltd. v. Law Society of Upper Canada, 2004 SCC 13):

“(1) the purpose of the dealing; (2) the character of the dealing; (3) the amount of the dealing; (4) alternatives to the dealing; (5) the nature of the work; and (6) the effect of the dealing on the work.  Although these considerations will not all arise in every case of fair dealing, this list of factors provides a useful analytical framework to govern determinations of fairness in future cases.”

In the Warman case, the Federal Court assessed each of these, and found that “balancing all the factors together”, the use fell within the fair dealing exception for the purpose of news reporting. 

The take-away:  before you go ahead and use that lengthy quote, or borrow those paragraphs from that book/article/blog, think about whether that use has a good chance of meeting the “fair dealing” test. 

Consider for yourself: 

• is taking several paragraphs from any article online really “news reporting”?  
• is it fair to use a work, or part of a work, to drive traffic to your site instead of the (competing) source site?
• would a link to the content – if possible - work as well as copying it?

Copying online has become commonplace, even expected in some cases and in some forums.  However, for better or for worse, the law still defines what is “fair” in this regard, and there is no quick test.

In a decision that may one day be cited by Canadian courts on the extent of an employer’s rights over its social media properties, the United States District Court for Colorado has ruled that an employer’s MySpace Profile and “Friends” list can qualify as trade secrets.

In Christou et al. v. Beatport LLC et al., Regas Christou sued former employee turned rival nightclub owner, Bradley Roulier, for, amongst other things, theft of trade secrets. In particular, Christou alleged that Roulier had misappropriated the login information for the MySpace profiles of Christou’s nightclubs as well as their corresponding MySpace “Friends” lists.

Following a motion brought by Roulier to dismiss Christou’s trade secrets claim, the Court ruled that Christou had alleged sufficient facts to allow the claim to proceed. In so doing, the Court accepted Christou’s argument that the “Friends” list was more than a list of names; rather it was closer to a database of contact information:

“The names themselves, readily available to the public, are not the important factor. The ancillary information connected to those names cannot be obtained from public directories and is not readily ascertainable from outside sources, and thus this militates in favor of trade secret classification.”

In addition, having secured the MySpace profiles of his various nightclubs through web profile logins and passwords and expended some amount of money, time and resources into developing the list of “Friends”, Christou further bolstered the viability of his trade secret claim at this early stage in proceedings.

While this case dealt only with MySpace and therefore did not address other commonly used social media websites such as LinkedIn or Facebook, it nonetheless demonstrates the steps that employers should take to protect the social media accounts that have been registered on behalf of the company. In those circumstances, employers should be careful to limit access to the company’s social media profiles to only those employees who are responsible for establishing and advancing the company’s on-line presence. There is no reason for every employee to have access to the company’s on-line accounts. In addition, employers should also amend their policies and contracts to clearly indicate that the ownership of the contacts listed on these social media accounts rests with the employer.

The Canadian Radio-television and Telecommunications Commission (CRTC) has made and registered its Electronic Commerce Protection Regulations for the Anti-Spam Act (CASL).  The regulations set out the information to be included in, and the form of, commercial electronic messages (CEMs), and information to be included in a request for consent.  The regulations also address how to get consent for the installation of computer programs.

The CRTC has responded to a select few of the broad-ranging concerns raised by businesses on the draft regulations during last year’s consultation phase.  Businesses will find there is a bit more flexibility in the “must-have” information they set out in CEMs, and when they seek consent to send them.  This implicitly recognizes that:

• businesses operating online are not all created equal:  they do not all have the same contact capabilities, in terms of either human or online resources; and
• CEMs are not all created equal:  an email may be easy (relatively speaking) to load up with prescribed information, but online communications come in many forms, and some are not as adaptable to detailed information and contact requirements.

The following points compare the final regulations to the draft regulations (the latter in parentheses).  When sending a CEM or seeking consent, businesses may do the following.

• simply include the name by which they carry on business (rather than both that and their legal name);
• include their mailing address, and either a staffed or voicemail phone number, email address or web address (rather than the physical and mailing address, plus all of the above, plus any other electronic address);
• include the information in the above point on a website that “is readily accessible” (rather than via a single click);
• use an unsubscribe mechanism that can be “readily performed” (rather than “performed in no more than two clicks or other method of equivalent efficiency”);
• simply indicate that the person whose consent is sought can withdraw their consent (no need to indicate the means to do so).

Despite the above points of flexibility, there is no denying that the Act and regulations will impose much higher requirements for CEMs than many businesses are prepared for.  This notably includes U.S. businesses operating in Canada who are familiar with, and compliant with, CAN-SPAM.  As we explained in a previous post, CAN-SPAM and CASL are different in several very important ways.  CASL has a broader application, clear reach outside Canada, higher standard for consent, and higher penalties.

In short, any business sending CEMs to Canadians needs to become informed about the CASL requirements and take steps to become compliant.

Next Steps

Further regulations are expected from Industry Canada before CASL comes into force.

Businesses and industry associations have called on the government to introduce even more flexibility to reduce the impact of CASL on their operations, while still meeting the government’s anti-spam priorities.  One of the frequent “asks” has been for some lead time prior to entry into force CASL to allow businesses to prepare their databases and operations.  Others have requested that the government use its regulation-making authority to exclude certain types of CEMs, and CEMs sent under certain circumstances, from the requirements of the Act.

It remains to be seen whether the government will introduce new exceptions, or more flexibility, under regulations to come either before or after CASL comes into effect – expected later this year.

On February 3, 2012, the Supreme Court of Canada provided guidance on the rights of third parties with respect to information that is the subject of a request under the Access to Information Act (Canada).  The court also dealt with, and was divided with respect to, the issue of the standard of review of access decisions. The standard of review issue will be discussed in a subsequent post.

Background

Merck Frosst Canada Ltd. v. Canada (Health) concerned the procedural rights and substantive protections afforded to persons who submit information to the government for regulatory purposes. In Merck Frosst‘s case, the information was submitted to Health Canada in connection with pharmaceutical drug approval submissions.

Information submitted to a government institution may be released to competitors (and others) under access to information requests unless a statutory exemption applies. Although the Merck Frosst case arose in the context of a regulatory approval, these issues also arise when organizations disclose information in connection with contracts with the federal Canadian government (and provincial and municipal governments under separate access to information legislation).

Procedural Protections

On the issue of procedural protections, the Supreme Court of Canada concluded that the right of a third party to receive notice that the third party’s information may be disclosed in response to an access to information request is not absolute.  However, a government institution must provide the third party with notice that the government proposes to release the third party’s information unless there is no reason to believe that any of the exemptions from disclosure apply.

The Supreme Court’s decision sets a high threshold for disclosure without notice. Therefore, a third party who is affected by the information request will have recourse to the procedural protections of the Access to Information Act except in situations where it is clear that no exemption could apply. As the majority of the Supreme Court stated, those responsible for administering the Access to Information Act ”must take their duty not to disclose exempt third party information as seriously as their duty to disclose information that the Act requires to be disclosed.”

Substantive Protections

Section 20 of the Access to Information Act provides a number of exemptions of which the following three were relevant in the proceeding.

• trade secrets of a third party;
• financial, commercial, scientific or technical information that is confidential information supplied to a government institution by a third party and is treated consistently in a confidential manner by the third party; and
• information the disclosure of which could reasonably be expected to result in material financial loss or gain to, or could reasonably be expected to prejudice the competitive position of, a third party.

The court held that the threshold for a third party establishing a trade secret was high. A trade secret is a plan, process, tool, mechanism or compound that meets the following criteria:

• the information is secret in the sense of being known only by the third party or a relatively small group of persons;
• the third party must demonstrate an intention to treat the information as secret;
• the information has or is capable of having an industrial or commercial application; and
• the third party must have an interest worthy of legal protection (such as an economic interest).

In order to qualify as confidential information for the purposes of the second exemption, the following three criteria must be met:

• the information must be financial, commercial, scientific or technical information;
• the third party must have consistently treated it in a confidential manner; and
• the information must have been supplied to a government institution by the third party.

Information will not be confidential if it is available from public sources. Furthermore, except in unusual cases, a compilation of public sources will not be confidential. Nor will information be confidential if it could be obtained by another party by observation or independent study. Finally, the information will not qualify if it is information that is compiled by the government institution unless it is based on confidential information supplied by the third party.

The third exemption involves assessing the harm of disclosure. The harm-based exemption will be available if there is “a reasonable expectation of probable harm”. To establish a reasonable expectation of probable harm, the third party must demonstrate:

• the harm is more than merely possible;
• there is a direct link between the proposed disclosure and the apprehended harm; and
• the harm is of a type that would reasonably be expected to ensue from disclosure. 

The court held that non-public information that would be reasonably be expected to give competitors an advantage in future transactions or in the development of competing products may meet this threshold. The court did not rule out the possibility that publicly available information might also meet this threshold if the manner of presentation was unique. However, in general, the information must be confidential or at least not publicly available.