Snoops and gossips beware: Ontario Government to introduce stiffer measures to protect patient privacy

Recently, the Government of Ontario announced its intent to strengthen the rules protecting patient privacy. If passed, these amendments to the Personal Health Information Protection Act (PHIPA) would include:

  • Requiring mandatory reporting of privacy breaches to the Privacy Commissioner and potentially the regulatory colleges;
  • Allowing individuals to more easily prosecute offences under PHIPA by removing the 6-month limitation period following an alleged privacy breach;
  • Increasing institutional fines for offences from $250,000 to $500,000;
  • Increasing individual fines for offences from $50,000 to $100,000; and
  • Clarifying how and when healthcare providers may collect, use and disclose personal health information contained in electronic health records.

Changes to PHIPA were originally introduced in May 2013, as part of Bill 78, although the Bill did not pass before the Legislature dissolved that same month. The new round of legislation also intends to re-introduce protections for the Ontario electronic health record—a system of health records that spans the province and is shared between healthcare providers—and for other personal health information. Among other things, these protections include privacy and security rules, as well as rules for how patients may control or mask their personal information contained in the electronic health record. Privacy protection in Canada is a patchwork of federal and provincial legislation affecting the federal and provincial public sectors, as well as the private and health sectors.

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) controls how businesses and healthcare providers may collect, use and disclose individuals’ personal information. The provinces, including Ontario, also have legislation specifically addressing privacy in the collection, use and disclosure of health-related information.

SEC comments on corporate disclosures on social media

Kaleb Honsberger -

Earlier this week, the U.S. Securities and Exchange Commission released a report of its investigation regarding whether Netflix and its CEO, Reed Hastings, violated certain securities regulations prohibiting the selective disclosure of corporate information when Hastings posted a comment on his personal Facebook page regarding the achievement of a corporate milestone.

In doing so, the SEC considered the disclosure of corporate information on social media generally, ultimately finding that its 2008 guidance, which discusses the distribution of information on corporate websites, also applies to corporate disclosures made through social media channels such as Facebook and Twitter. Specifically, the SEC stated that where it is reasonably foreseeable that the recipients (securities professionals and/or shareholders) of such information will trade on the basis of such information, it must be disseminated in a manner reasonably designed to provide broad non-exclusionary distribution to the public. To achieve this, issuers must take sufficient steps to alert investors, the market and the media as to the channels that will be used for the dissemination of material, nonpublic information. As an example, the 2008 guidance encourages periodic reports or press releases to include web site addresses or other information regarding steps investors or the public can take to be in a position to receive important disclosure.

As such, the SEC does not preclude the use of social media sites to distribute material, nonpublic information so long as appropriate notice regarding the use of such sites has been made to investors. To this end, the SEC report cautions that issuers are expected to “rigorously” examine factors indicating whether a particular channel is a “recognized channel of distribution” for communicating with investors. While each case will be fact specific, in most cases (as in the Netflix example) disclosure of material nonpublic information on a personal Facebook page without advance notice is unlikely to qualify as an acceptable method of distribution even if the individual in question has a large number of subscribers or contacts.

In Canada, regulators have not specifically addressed issuer disclosure through social media; however, principles governing selective disclosure are set out in National Policy 51-201 Disclosure Standards. For TSX-listed companies, the TSX has published its own Electronic Communications Disclosure Guidelines. Staff of the Canadian Securities Administrators have also provided guidance on the use of social media by portfolio managers, noting that firms and registered individuals contemplating the use of social media should consider, among other things, establishing appropriate policies and procedures for the review, supervision, retention and retrieval of materials posted on social media websites.

Supreme Court issues clear warning of need to respect the "Patent Bargain"

Ian P. Goodman -

On Thursday, November 8, 2012, a unanimous Supreme Court of Canada issued a decision with significant implications for those wishing to obtain or enforce Canadian patent rights.  Owners of issued patents seeking to enforce such rights should carefully scrutinize the disclosure and claims of their issued patents in light of this decision, and patent applicants should consider this decision when drafting the specifications of new applications.

The case of Teva Canada Ltd. v. Pfizer Canada Inc.  arose out of a Patented Medicines (Notice of Compliance) [PMNOC] proceeding in which Novopharm Limited (now, Teva Pharmaceuticals Limited) sought approval from Health Canada to market and sell a generic version of Pfizer’s Viagra-branded sildenafil tablets.  To obtain such approval, the decision-maker had to be convinced that Pfizer’s patent (the ‘466 Patent) was invalid. However, Teva was unsuccessful at both the Federal Court of Canada and the Federal Court of Appeal, each of which held that Teva’s allegations of invalidity were not justified.

Teva appealed to the Supreme Court. The primary issue on appeal was whether Pfizer complied with section 27(3) of the Patent Act and properly disclosed its invention in the ‘466 Patent.  In considering this issue, the Supreme Court reiterated the importance of a patent applicant respecting the “patent bargain”.  The essence of the patent bargain is that in exchange for a time limited monopoly granted to an inventor for a new and useful invention, the inventor discloses this invention to the public so that society can benefit from the inventor’s knowledge.  From a societal perspective, the patent bargain exchanges short term inefficiencies (the potential for “monopoly” rents for the patent rights) for long-term gains (the encouragement of efficiencies gained through innovation). However, the bargain cannot be one-sided: adequate disclosure in the specification is a precondition for the granting of a patent. 

Pfizer’s ‘466 Patent is directed to compounds for treating erectile dysfunction (ED). The claims are arranged in a cascading structure in which claim 1 is directed to over 260 quintillion compounds (i.e. 260,000,000,000,000,000,000!), claims 2 to 5 are directed to gradually fewer compounds, and claims 6 and 7 are each directed to a single compound. Most importantly, claim 7 is directed to sildenafil, which is the only active ingredient in Pfizer’s Viagra product.

Section 27(3) of the Patent Act requires that the “specification of an invention must correctly and fully describe the invention and its operation or use as contemplated by the inventor…”.  The “specification” includes both the claims of a patent and the disclosure made in the patent.

The Supreme Court affirmed previous decisions that a patent specification must answer two questions: (1) what is the invention; and (2) how does it work? If the patent disclosure answers these questions, the applicant has held up his or her part of the patent bargain. More particularly, the specification must provide sufficient information to enable a person of skill in the art to which the invention relates to be able to use the invention, using only the instructions of the specification.

The Supreme Court was of the view that the lower courts erred in considering the sufficiency of disclosure (and therefore the validity) of a single claim independently of the rest of the specification. As a result, the lower Courts erroneously confused the principle that the claims of a patent define the scope of the exclusive right being sought with the principle that the content of the specification determines whether the disclosure requirements have been met. 

The Supreme Court found that Pfizer was aware through testing, as of the filing date of the ‘466 Patent, that only sildenafil was effective in treating ED, and that none of the other compounds were effective in treating ED.  Despite this, Pfizer provided no indication in its disclosure as to which one of the preferred compounds was effective in treating ED. The Supreme Court held that by failing to expressly disclose the use of sildenafil to treat ED, Pfizer did not adequately disclose the invention in its specification. 

Pfizer had argued that its specification was adequate, because one of the claims in the ‘466 Patent clearly described the use of sildenafil as effective in treating ED. The Supreme Court did acknowledge that a skilled reader would know that “when a patent contains cascading claims, the useful claim will usually be the one at the end concerning an individual compound”. However, this acknowledgement did not assist Pfizer because in the case of the ‘466 Patent, the cascading claim ended with two individually claimed compounds, thereby obscuring the true invention.  A person skilled in the art would still have to perform further testing to determine which of the two compounds was actually effective in treating ED. The Supreme Court therefore held that the specification of the ‘466 Patent did not meet the requirements of section 27(3) of the Patent Act.

This case has important repercussions when drafting a patent application. While emphasis is typically placed on the claims because they define the scope of the monopoly, this case shows that identifying the invention in the specification can be equally important, particularly in relation to pharmaceutical patents. The Supreme Court has clearly warned patent holders against “playing games” with the public by not providing a complete disclosure of the invention and therefore not upholding their end of the patent bargain.

Interestingly, the Supreme Court’s remedy was to “invalidate the patent”. Normally in an appeal of a PMNOC proceeding, and given the Supreme Court’s findings, the remedy would be to deny Pfizer’s application seeking to obtain a prohibition order, thereby permitting the Minister of Health to issue Teva a Notice of Compliance and thus allowing Teva to manufacture and sell sildenafil tablets. The Court may give further directions in this respect.

One more province (partially) exempt from PIPEDA

The Federal government has expanded the list of organizations that are exempt from the Personal Information Protection and Electronic Documents Act (PIPEDA) on the basis that similar provincial legislation sufficiently protects the relevant personal information. As of October 10, 2012, health care organizations subject to Newfoundland and Labrador’s Personal Health Information Act (PHIA) are exempt from PIPEDA because provincial legislation is “substantially similar”.

Newfoundland and Labrador is now the sixth province to be granted an exemption from some or all of Part I of PIPEDA, and the third to enact exempted personal health information legislation.

Under s. 26(2)(b) of PIPEDA, organizations or activities subject to provincial privacy legislation that is substantially similar to Part I of PIPEDA can be exempted from PIPEDA for the collection, use or disclosure of personal information within that province. This ensures that organizations will not have to comply with two sets of rules that provide the same or greater protection for personal information.

It is important to note that exemptions from PIPEDA are granted only to relevant organizations for their activities within the relevant province. PIPEDA continues to apply to personal information collected, used or disclosed by federal works, undertakings and businesses, as well as to personal information collected, used or disclosed across provincial or Canadian borders in the course of business. The Newfoundland and Labrador exemption is therefore limited in scope as PIPEDA continues to apply to health care organizations’ collection, use and disclosure of personal health information from/into other provinces.

Newfoundland and Labrador’s PHIA has been in force since April 1, 2011. The legislation provides rules for organizations that collect, use and disclose health information that (i) could identify an individual, and (ii) relates to delivering or administering health care. Such organizations include health care providers and operators, provincial agencies involved in health care and health information, ambulance services, pharmacies and others. PHIA provides that consent from the individual must be obtained to collect, use and disclose health information except in specific circumstances. PHIA also provides that applicable organizations must take reasonable steps to secure health information and prevent its disclosure, failing which a fine of not more than $10,000 or imprisonment for a term not exceeding 6 months is possible. However, an organization will not be liable if it demonstrates that reasonable steps were taken to prevent the contravention.

Comprehensive personal information legislation in three provinces has already been declared to be substantially similar to PIPEDA: the Personal Information Protection Act, in British Columbia, the Personal Information Protection Act in Alberta, and An Act respecting the protection of personal information in the private sector in Quebec. Personal health information legislation of two other provinces, in addition to Newfoundland and Labrador, has been declared substantially similar: the Personal Health Information Privacy and Access Act in New Brunswick and the Personal Health Information Protection Act in Ontario. In light of this most recent exemption, it will be interesting to see if similar exemptions are granted in other provinces, leading to fewer organizations which are subject to PIPEDA.


High Court stands behind victims of online bullying

Anti-bullying advocates will applaud a recent Supreme Court of Canada decision that paves the way to give young victims of online bullying stronger legal rights. The case of A.B. v Bragg Communications Inc. is notable as it directly pits society’s interest in the protection of children from cyberbullying against freedom of the press and the open court principle.

The facts of the case are straightforward. A 15-year-old Nova Scotia girl, identified only as A.B., discovered that someone had created a phony Facebook profile using her name and picture. The picture was accompanied by some unwelcome commentary about the girl’s appearance along with sexually explicit references. A.B. applied to a Nova Scotia court for an order requiring Eastlink, an internet service provider, to disclose the identity of the person(s) standing behind the IP address used to publish the phony Facebook profile. In order to protect her privacy, A.B. also asked the court for permission to make her application anonymously and for a publication ban on the contents of the fake Facebook profile. Her requests to proceed anonymously and under a publication ban were denied by the trial judge and the Court of Appeal, but those decisions were partially overturned in this case by the Supreme Court of Canada.

In reaching its decision to allow A.B. to proceed both anonymously and under partial publication ban, the Supreme Court carefully considered the impact such a decision would have on the open court principle—the idea that court proceedings should be open and accessible to the media and the public. While it was observed that this principle is a “hallmark of a democratic society” and is “inextricably tied to freedom of expression,” the Court held that the privacy and protection of children from cyberbullying must ultimately prevail because the serious harm in failing to protect young victims of bullying through anonymity outweighs the minimal harm to press freedom.

The Court’s conclusion on this point was buttressed by a report on bullying and cyberbullying, which noted that “The immediacy and broad reach of modern electronic technology has made bullying easier, faster, more prevalent, and crueller than ever before.” Equally unsettling for the Court was the fact that, without anonymity, children might shy away from pursuing responsive legal action out of embarrassment or fear of retaliation. Finally, the Court noted that a victim’s identity constituted only a “sliver of information” and that any restriction on freedom of the press and the open court principle was thus “minimal”. For these reasons, the Court found that A.B. could proceed anonymously and with a publication ban covering the identity-revealing content of the phony Facebook profile.

This case demonstrates that freedom of the press and the open court principle are not absolute rights and that the privacy and protection of children from cyberbullying will prevail over press freedom in cases such as this one.

Personal data protection: implications for the corporate arena

In an increasingly digital age, data protection has become a key component of business risk management. Companies in every industry are understandably keen to protect their trade secrets, client lists and other company data. To that end, companies routinely include confidentiality and related provisions in employment contracts, and maintain policies and procedures regarding the protection of business-related information within and outside the workplace. Further, employers now more commonly monitor employees’ use of electronic technology, such as email.

Recent decisions from the U.S. and Canada, however, demonstrate that there remains a potentially uncertain balance between the ability for law enforcement to investigate potential crimes and the rights of individuals and employees.

For example, the recent case of United States v. Doe dealt with the seizure of the defendant’s laptops and drives as part of an investigation into child pornography. Law enforcement was unable to view the encrypted portions of the drives, and a Florida court held the defendant in contempt of court for refusing to produce the unencrypted data. Ultimately, the 11th Circuit found that the lower court had violated the defendant’s Fifth Amendment right against self-incrimination when it ordered the production of the unencrypted data.

As some commentators have noted, while the computers in question did not belong to the defendant’s employer in the Doe case, a similar situation could occur in a corporate context. What if an employee were to encrypt data on a company-provided laptop? Would the employer be prohibited from forcing an employee to produce the unencrypted data should a suspected violation of laws occur? Would employment policies claiming corporate ownership over all data residing on company-owned machines skew the legal analysis in a different direction?

The Doe decision is particularly interesting in light of a Canadian decision handed down last year. As we discussed in a previous post, in R. v. Cole, the Ontario Court of Appeal held that a teacher had a reasonable expectation of privacy with respect to personal files stored on his work laptop in relation to the search and seizure of those files by the police. In that case, a school technician who was monitoring traffic on the school network discovered nude images of a student on the teacher’s laptop; he subsequently copied the images onto a disk for the school’s principal and copied temporary internet files found in the laptop’s browsing history onto another disk to transfer to the police. The Court found that neither the technician’s search, the subsequent search and seizure by the principal and school board, nor the transfer to the police of the disk constituted a Charter violation. The appellant's privacy rights under section 8 of the Charter were found to have been violated, however, by the warrantless police search and seizure of the laptop itself.

While it is not clear how the Doe decision (a criminal case) would apply in the employer context, the Cole decision does offer some guidance on reasonable expectations of privacy. Provided employers have clear privacy policies in place, which afford employers the right to monitor employee personal activities in the workplace, a reasonable expectation of privacy will likely not be found to exist. Employers should monitor subsequent rulings on this issue in the United States to assess whether a similar approach would be taken there.

This post has been edited after initial publication to provide further information on the decision in R. v. Cole.

Privacy lessons learned: do your homework about home work

David Elder -

A recently publicized privacy breach by a Canada Revenue Agency (CRA) employee underlines the need for all organizations to impose strict controls and safeguards respecting the ability of employees to remove sensitive data from the workplace.

In a widely reported story, it was recently discovered, through a request under the Access to Information Act, that confidential material respecting Canadian taxpayers, contained in hundreds of documents and tens of thousands of email messages sent and received by a CRA employee, was downloaded in unencrypted form to CDs taken home and retained by a CRA auditor, at least some of which were subsequently copied to a third party’s laptop. While the CDs have been recovered, the laptop – thought to contain the tax files of at least 2,700 Canadians – is still missing.

Although the incident in question raises concerns with respect to the Privacy Protection Policy issued to government institutions under the Privacy Act, it also provides important lessons for private sector organizations, which are subject to similar legal requirements. All Canadian private sector privacy laws, both federal and provincial, include data protection requirements that require private organizations to protect personal information with appropriate security safeguards, including physical, organizational and technical measures.

The first – and most obvious – lesson from the CRA case is to minimize the ability of employees and consultants to remove personal information from company premises. The less data that leaves the building or the company servers/network, the less the risk that it may be lost, stolen or otherwise disclosed to unauthorized parties.

Recognizing that, in today’s mobile and networked world, it is unavoidable that work will be done by some employees outside the office, the second lesson is to employ robust safeguards to protect the personal data that must be accessed and used outside company premises. 

One approach is to have clear policies respecting removal from the office of personal information and required practices for the protection of devices on which it is stored. Such policies should be readily available and regularly communicated to employees; however, such “soft” controls are not, by themselves, a complete solution. Policies will always be breached by some employees (which, in fact, is what occurred in the CRA case), and organizations will likely still be accountable for such breaches.

Another, more reliable, layer of protection is to use “hardwired” security: robust physical, and particularly, technological measures that keep personal information secure and confidential.

One of the best technological protections for data on portable storage media and devices is encryption, since strongly encrypted data remains inaccessible to most third parties even if the device itself falls into the wrong hands, which tends to happen frequently with portable devices such as laptops and flash drives. Encryption has been strongly endorsed by privacy commissioners across Canada, and is generally considered to be the required standard of protection for personal information stored on portable devices. In the health information context, the Ontario Information and Privacy Commissioner has gone so far as to suggest that the loss or theft of a device containing encrypted personal information would not generally be considered to be a loss or theft of personal information.

Other important technological solutions would include configuring most computerized corporate equipment to block the ability to download content to portable storage devices, and logging and retaining each incident of such activity for the few devices on which such downloading may be permitted (such as those accessible by senior IT and security professionals). However, even this kind of control scheme is not foolproof, as there is still room for inappropriate action by IT and security employees. In fact, in the CRA case, the data in question was actually copied to the unencrypted CDs by a Government IT technician, contrary to Government policy.

Recognizing such vulnerabilities, another technological solution adopted by many companies with a mobile workforce is to host all records on company controlled servers, using a “virtual desktop” solution to allow employees to access workplace files remotely via a secure internet connection. Such a solution eliminates entirely the need for storage on portable devices, as all documents and data are stored in the corporate system.

A final lesson here is to consider notifying the appropriate federal or provincial privacy commissioner(s) of any material data breaches, even if there is no legal requirement to do so (while federal legislation including such a requirement is currently before Parliament, at present only the Province of Alberta requires breach notification by private sector organizations). Such notification was apparently not done in the CRA case, depriving the CRA of potentially useful advice as to appropriate taxpayer notifications or other remedial action – as well as leaving the Office of the Privacy Commissioner flat-footed when contacted by media about the breach.  

This post is part of an occasional series highlighting the lessons that businesses can learn from recent news items and events.

Cloud computing and Canadian federally regulated financial institutions

Wesley Ng and Stuart Carruthers  -

Cloud computing has grown significantly in the last few years. A Gartner Executive Program survey of more than 2,000 Chief Information Officers (CIOs), representing 50 countries and 38 industries, found that cloud computing is the number one technology priority for 2011. Fully 43% of the CIOs expected that a majority of their IT will be running “in the cloud” within four years. In its updated June 2011 forecast of Information Technology spending, Gartner stated that cloud computing expenditures are likely to rise by 16-20% per year through 2015, representing 4% of global IT spending by the end of that period. Richard Gordon, research vice president at Gartner, noted that expenditures for cloud computing services grew four times faster than overall IT spending.

What is Cloud Computing?

The term "cloud computing" has been used to refer to almost anything from the ability to access virtual servers over the Internet to the consumption of any information technology service situated outside an organization's infrastructure. The more precise technical meaning, however, is expressed in the following draft definition published by the U.S. Government's National Institute of Standards and Technology:

[A] model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

As this suggests, the key feature of cloud computing is the ability to access a remote, shared IT infrastructure on an as-needed basis. 

Benefits of Cloud Computing

There are many benefits of cloud computing, including that organizations that use cloud computing are not required to maintain their own localized infrastructures to support the services; rather, they pay for the use of technology resources only when and to the extent that they actually need them. As a result, users can avoid the expense of setting up and looking after in-house infrastructure. Among other things, this allows organizations to replace up-front capital expenditures with a more fluid operational expenditure that more closely tracks actual business activity. Further, because cloud computing services are available to multiple users leveraging the same infrastructure, the cloud service provider is typically able to achieve significant economies of scale, producing additional savings for its customers.

Federally Regulated Entities under OSFI Guideline B-10

Guideline B-10 of the Office of the Superintendent of Financial Institutions (Canada) (OSFI) governs cloud computing arrangements (and other outsourcing agreements) entered into by Federally Regulated Entities (FREs).  For the purposes of the Guideline, the term "FRE" encompasses all Canadian banks, insurance companies, fraternal benefit societies, trust and loan companies and cooperative credit associations and Canadian branches of foreign banks and insurance companies.

Guideline B-10 imposes overall accountability and control requirements, and requires an assessment of the materiality of an outsourcing arrangement and the implementation of a risk management program (the scope and nature of which will vary depending on the materiality of the outsourcing arrangement in question).

B-10 and Cloud Computing

Many of the issues that cloud computing raises for FREs are not unique to cloud computing; they exist in the context of any outsourcing. Nevertheless, cloud computing involves a host of inherent risks, including the use of shared resources; the use of multiple dynamic data transfer routes (to minimize bandwidth usage); dependency on a commoditized, non-customized, volume-based solution; and the use of infrastructure scattered over multiple locations (often in low-cost centres with minimal legislative data protection obligations). The significance of the issues involved in cloud computing will largely depend on the materiality and nature of the services obtained. It would be prudent for FREs to consider the following issues in connection with the development of their cloud computing strategies:

1) Data commingling and segregation
The use of shared virtual infrastructure may create data commingling and segregation issues. B-10 requires service providers to be capable of isolating an FRE's data, records and items in process from those of other customers at all times. As a precondition of entering into a cloud computing arrangement which is subject to B-10, an FRE must therefore determine whether the cloud service provider can offer the service in a manner that permits proper data segregation.

2) Accessibility of confidential information
The nature of cloud computing - including the ability for multiple entities to access shared resources and the use of multiple locations across low cost regions - can create data security and privacy issues. B-10 requires the FRE to ensure that security and confidentiality policies of the cloud computing service provider are commensurate with those of the FRE, which should ensure that all necessary protections are in place to secure the confidentiality of the data provided to the cloud infrastructure. In particular, contractual provisions should clearly define who has responsibility for protection mechanisms, the information that is covered by such protections, the ability of either party to modify security procedures and requirements and notification obligations of the cloud service provider should any confidentiality or security breach occur.

3) Business continuity
The FRE's business continuity plans must address all reasonably foreseeable situations in which a cloud service provider may be unable to continue to provide services at the required levels. Most importantly, in the context of any business interruption affecting the cloud service provider, the FRE should ensure that it has access to all necessary records to allow it to continue its business operations and meet any statutory obligations or other obligations to OSFI.

4) Data location
A cloud service provider's infrastructure and software may be dispersed across multiple locations across the globe. This may be problematic for FREs since B-10 requires the contract governing the provision of the cloud services to identify the nature and scope of the services, including specification of the physical location where the services are being provided. While this may be possible at the outset of a cloud computing arrangement, the dynamic nature of cloud computing means that regular updates should be contemplated under the contract in order to address any shift in the location of the information technology infrastructure supporting the services. In addition, contractual provisions to address any deficiencies in legislated privacy protections and issues relating to access rights of foreign governments and their regulatory agencies should be considered.

5) Subcontractors
Many cloud service providers enter into subcontracts for additional virtual technology infrastructure on an as-needed basis. FREs need to ensure that subcontracting limitations are imposed to ensure that all such subcontractors are subject to the same security, confidentiality and audit obligations as the cloud service provider.

6) Monitoring cloud arrangements
The nature of cloud computing can make monitoring and auditing the arrangements difficult. B-10 requires that the FRE be able to monitor the services to ensure that they are being delivered in accordance with the FRE's requirements. The FRE must be capable of evaluating the cloud service provider from time to time, including its internal controls (which may be satisfied through the provision of a SAS70 or analogous control report). The FRE must carefully consider how best to ensure that the necessary monitoring can occur, based on the service model and geographic territory of the services being provided, as well as on the level of monitoring required (given the risks presented by the cloud computing arrangements in question).

7) e-Discovery
While not specific to FREs, some thought should be given to the growing need to facilitate e-discovery (the production of electronic data and information required in the "discovery" process that occurs when a lawsuit is initiated). The use of cloud computing could lead to delays and costly efforts to produce relevant materials due to data commingling or data dispersion across locations and/or service providers.

Know the Challenges - Address the Risks

Virtually all organizations' IT business plans include at least some outsourcing of IT functions to third parties. Because cloud computing offers so many advantages, its adoption is, for many companies, a question of "when" rather than "if". Security and other challenges faced by FREs in the context of cloud computing are not unique to FREs, but are more pronounced due to the need to comply with B-10. While in certain contexts the challenges and compromises inherent in cloud computing may preclude its adoption by the FRE, in most cases cloud computing will work well, provided that the FRE carefully considers the relevant issues before entering into any agreements.

Court of Appeal recognizes reasonable expectation of privacy in contents of work computer

In a judgment released last week, the Ontario Court of Appeal held that the appellant teacher had a reasonable expectation of privacy with respect to personal files stored on his work laptop. Specifically, R. v. Cole involved the discovery of nude images of a student on the appellant's laptop by the school's computer technician. The technician copied the images onto a disk for the school's principal and subsequently copied temporary internet files found in the laptop's browsing history onto another disk.

According to the Court,

[a]lthough this was a work computer owned by the school board and issued for employment purposes with access to the school network, the school board gave the teachers possession of the laptops, explicit permission to use the laptops for personal use and permission to take the computers home on evenings, weekends and summer vacation. The teachers used their computers for personal use, they employed passwords to exclude others from their laptops, and they stored personal information on their hard drives. There was no clear and unambiguous policy to monitor, search or police the teachers’ use of their laptops.

The appellant's reasonable expectation of privacy, however, was limited to the extent that the school's technician could access the laptop to ensure the integrity of the school's network. In this case, the technician had accessed the appellant's laptop through the school server to investigate the possibility that the laptop had become infected by a computer virus. During the course of his work, the technician came across the offending images. Ultimately, therefore, the Court of Appeal concluded that the search by the technician and the subsequent search and seizure of the laptop conducted by the principal and school board did not violate the appellant's Charter rights. Meanwhile, the transfer to police of the disk containing the offending images, and the viewing of the images by police, did not constitute a search or seizure, since the photographs were taken from the school's network using the school's computer and were the subject of the privacy interest of the student. As such, the appellant had no privacy interest in the photographs themselves.

The appellant's privacy rights under section 8 of the Charter were found to have been violated, however, by the warrantless police search and seizure of the laptop itself. According to the Court of Appeal, "[t]he technician’s discovery of the photographs during the course of his implied right of access did not vitiate the appellant’s reasonable expectation of privacy in the contents of his laptop in relation to the police." The Court of Appeal found a similar privacy interest in the appellant's personal internet browsing history.

Ultimately, therefore, the Court of Appeal found that the laptop and the mirror image of its hard drive taken by the police should be excluded from the evidence, as should the disk containing the temporary internet files.

Facebook reaches agreement with German officials over privacy concerns

Yesterday, Facebook reached an agreement with German data protection officials in order to end a dispute over the social networking site’s “Friend Finder” application. Hamburg’s Data Protection Authority received complaints about the feature, which allows Facebook to send unsolicited email invitations to non-members through current members’ address books. The agreement comes as a response to legal proceedings launched by German officials last year against Facebook for accessing and saving the private data of non-members without their permission. For more information, see this article from the Globe and Mail.

How much is that Tweet in the window?

A Tweet may represent a mere 140 characters; however, a recent investigation in the UK is exposing that those 140 characters can represent big money. In July 2010, the Office of Fair Trading (UK) (OFT) launched an investigation on its own initiative into Handpicked Media (Handpicked), a self-described “Collective of independent sites and blogs with a focus on publishers”, due to suspicion that it was engaging and paying individuals for online promotional activity in circumstances where such remuneration was not clearly disclosed to consumers. It was the OFT’s view that Handpicked was operating in breach of the Consumer Protection from Unfair Trading Regulations 2008 (CPUTR), which prohibits the use of editorial content in the media, including Twitter, blogs and other social networking websites, for the purpose of product promotion where the promoter has been paid, unless such payment is clearly identifiable to the consumer.

Sections 5(1) and 5(2)(a) of the CPUTR state that “A commercial practice is a misleading action if it … causes or is likely to cause the average consumer to take a transactional decision he would have not taken otherwise” and such action is prohibited. The regulations also include prohibitions against “misleading omissions” which may be triggered where a Tweeter, Blogger or the like fails to indicate that he or she has been paid to publish their opinion of a particular product. The OFT investigation into Handpicked’s practices was closed on December 13, 2010. Handpicked was forced to sign undertakings prohibiting it from engaging in any future promotion without clearly identifying that the promotion has been paid for or otherwise remunerated.

The UK is not alone in its crusade against misleading marketing practices through digital media. In Canada, the Competition Act (the Act) contains provisions addressing false or misleading material representations and deceptive marketing practices in promoting the supply or use of a product. Representations are considered to be material where the statement would affect a consumer’s decision to buy or use a particular product or service. The Act provides for both criminal and civil adjudication of misleading representations, with penalties including fines and imprisonment. Online marketing, including the use of Twitter, is captured under the Act.

In the United States, the Federal Trade Commission (FTC) has also recently revised its Endorsement Guides (the Guides) so as to reflect modern truth-in-advertising principles. The Guides, which were originally written in 1980, were revised to address new social media, although the FTC states that the legal principles have not changed. The general principle is that if there is a connection between the endorser of a product and its manufacturer/marketer that would affect how consumers evaluate the endorsement, such connection should be disclosed in the statement.

Companies should exercise caution to ensure that they do not accidentally violate any of these laws or regulations.

How much money is privacy worth?

According to two recent Federal Court decisions, privacy, though protected by the law, is not worth that much money when it comes to actual damage awards.

While most privacy complaints are resolved through the Office of the Privacy Commissioner of Canada, some cases are litigated in court with plaintiffs hoping to receive monetary compensation for privacy violations. Two such cases are Randall v. Nubodys Fitness Centres, 2010 FC 681 (CanLII) and Stevens v. SNF Maritime Metal Inc. 2010 FC 1137 (CanLII).

Randall involved a situation where an employee’s attendance at a fitness club was regularly reported back to his company, which paid half of his monthly fees as part of his benefits package. While the Federal Court agreed that this constituted a violation of his privacy rights, the Court did not award any damages, stating that only egregious breaches such as video-taping and phone-line tapping warranted compensation. In Stevens, the Federal Court reached the same conclusion and found that while the applicant’s rights were violated when his company accessed his personal account information, the wrong was not malicious and therefore did not warrant an award of damages. The Court noted that the company then voluntarily put into place a confidentiality policy which would help prevent these situations in the future.

From these decisions, the Federal Court has shown that while privacy violations are readily recognized and condemned, they will rarely result in any monetary compensation. While Michael Geist states that this may have the unintended consequence of diminishing respect for privacy compliance due to a focus on the bottom line, it is important that companies recognize the other costs involved in breaching privacy, such as a damaged reputation and the cost of litigation. It is always advisable for companies to have and follow privacy policies which will protect both themselves and their employees.

Amendments to Alberta's PIPA come into force

A post on Slaw today contains a discussion of Alberta's Personal Information Protection Amendment Act, 2009 by Stikeman Elliott partner Wesley Ng. Specifically, Mr. Ng considers the new requirements respecting written policies and procedures and notification.

Canadian Government re-introduces anti-spam legislation

Justine Whitehead

On May 25, 2010, the Canadian government introduced Bill C-28, an act that would establish the federal Fighting Internet and Wireless Spam Act (“FIWSA”), and make significant consequential amendments to other federal legislation, including Canada’s Competition Act; Telecommunications Act; and Personal Information Protection and Privacy Act (PIPEDA).

Bill C-28 is extremely similar in substance to Bill C-27, which was introduced in April 2009 and titled the Electronic Commerce Protection Act. Bill C-27 received unanimous support in the House of Commons following its third reading, but it died upon prorogation in December of 2009 while at the Standing Senate Committee on Transport and Communications. Given the strong resemblance between the two bills, many expect that Bill C-28 will move quickly through the legislative process.

Like its predecessor, Bill C-28 was designed to reduce unsolicited or junk e-mail, commonly referred to as “spam”. Most importantly, the legislation aims to bolster consumer confidence in electronic commerce, which the government has described as necessary in order to position Canada as a leader in the digital economy. The bill incorporates a number of the legislative recommendations made in 2005 by the government-mandated “Task Force on Spam”. The proposed FIWSA aims to regulate activities such as spam, counterfeit websites (known as “phishing”) and spyware.

The FIWSA would also establish a regime whereby the Canadian Radio-television and Telecommunications Commission (“CRTC”), Competition Bureau of Canada and the Office of the Privacy Commissioner could share information and evidence with law enforcement agencies outside Canada, in an effort to enforce similar international laws and pursue violators beyond Canadian borders. Currently Canada is the only G8 country and one of only four OECD (Organisation for Economic Cooperation and Development) countries without specific spam legislation. Thus, when the government first introduced Bill C-27 it was cast as a necessary step in fulfilling Canada’s international duty to join global partners in passing laws to combat spam and related cyber threats.

Prohibitions

The anti-spam provisions remain largely unchanged from Bill C-27. They would prohibit sending (or causing or permitting to be sent) a commercial “electronic message” (which is defined broadly to include a text, sound, voice or image message) to an electronic address, unless the recipient has given express or implied consent. Implied consent would apply to situations in which there is an existing business or non-business relationship between the sender and recipient, and to certain limited circumstances where the recipient has, within a business context, conspicuously published or disclosed the electronic address and the disclosure was not accompanied by any statement that the person did not wish to receive commercial messages (there is also a provision that would permit future regulations to further define implied consent).

The FIWSA also sets requirements for the form of permitted messages: the message must identify the person who sent the message (and, if it is different, the identity of the person on whose behalf the message was sent), along with contact information for those identified. Moreover, permitted messages must include an unsubscribe mechanism, which includes either a hyperlink (valid for at least 60 days after the message is sent) that the recipient can follow, or a specified electronic address to which an unsubscribe request can be sent. Requests must be given effect within 10 days.

The anti-phishing provisions are drafted as prohibitions against “altering transmissions data”, and would prohibit the unauthorized redirection of an electronic message to a destination other than or in addition to that specified by the sender, except with the sender’s express consent. As with the anti-spam provisions, an electronic address must be provided to which the sender may give a notice of withdrawal of consent, and the request must be given effect within ten days.

Notably, the prohibitions in Bill C-28 are broader than those previously provided for in Bill C-27. The prohibitions in both bills apply to anyone who procures or causes to procure a prohibited act. However, the language in Bill C-28 has been extended to also apply where someone aids in or induces such an act.

Administrative Monetary Penalties and Private Actions

Provisions of the FIWSA that would subject violators of the Act to an Administrative Monetary Penalty (“an AMP”) remain the same as those originally envisaged in Bill C-27. An individual who violates any of the foregoing prohibitions may be subject to an AMP of up to $1 million and corporate entities would be liable to an AMP of up to $10 million. Officers, directors, and agents of corporations that violate the prohibitions could also be held liable for such actions if they directed, authorized, acquiesced in or participated in the commission of the violation.

Anyone charged under the Act can raise a due diligence defence. They must show that they exercised due diligence to prevent the violation, but there is no indication as to what actions will constitute due diligence. Furthermore, any relevant common law rule or principle that would create a justification or excuse may be relied on to the extent that it is not inconsistent with the Act.

The process for imposing liability under the AMP is a fairly expedited administrative process, administered through the CRTC. A notice may be served where the CRTC has reasonable grounds to believe that a person has committed a violation under the FIWSA. The notice must include details of every act or omission for which the notice is served, the relevant provisions and the amount of the fine. The recipient of the notice has 30 days to respond, after which time he or she will be deemed to have committed the violation and will be liable to pay the amount set out in the notice. If the recipient does provide a response, the CRTC must decide on a balance of probabilities whether the violation was committed. Upon determining that there was a violation the CRTC may impose the original fine, impose a reduced fine, or may suspend payment of the fine subject to any conditions that it considers necessary to ensure compliance with the Act. Decisions of the CRTC can be appealed to the Federal Court of Appeal. However, where the issue is one of fact, leave to appeal must be granted by the Court. The CRTC can also agree to an undertaking, which is in essence an agreement to settle an alleged violation on terms acceptable to both the CRTC and the offender.

One of the most controversial provisions of Bill C-27 remains largely unchanged in Bill C-28. It would establish a private right of action for persons who allege that they have been affected by a contravention of the anti-spam, anti-phishing or anti-spyware provisions of the FIWSA. The application must include the alleged contravention, all relevant provisions, acts or omissions at issue, and should state the nature and amount of the loss, damage or expense. If the court is satisfied that the contravention occurred, it may order the responsible individual(s) to pay the applicant compensation for any loss, damage or expenses incurred by the applicant. The court may also grant an additional award, up to a maximum of $200 per day for most contraventions, and $1 million for each day on which a contravention occurred. Again, officers, directors, or agents of corporations would be subject to this private right of action, if it could be proved that they directed, authorized or participated in the commission of the contravention.

That same private right of action would apply to persons who allege that they have been affected by breaches of the new provisions of PIPEDA and the Competition Act. These new provisions, discussed in detail below, would be brought into effect by the FIWSA.

The FIWSA would establish new prohibitions under PIPEDA in relation to collecting personal information, including a ban on (i) collecting an individual’s electronic address through a computer program designed or marketed for use in generating (or searching for) and collecting electronic addresses, or using any address collected by the foregoing means; and (ii) collecting personal information through any means of telecommunications if the collection involves accessing a computer system (or causing one to be accessed) without authorization, or using any personal information that is collected that way.

The FIWSA also proposes numerous amendments to the Competition Act, including the addition of section 52.01, which broadens the criminal false or misleading representation provisions of the Competition Act. This new section would prohibit knowingly or recklessly sending, for business promotion purposes: (i) a false or misleading representation in the sender or subject matter information of an electronic message; or (ii) an electronic message that contains a materially false or misleading representation. Under the proposed new section 74.011 of the Competition Act, such actions would also qualify as reviewable conduct, thus permitting the Commissioner of Competition to apply to a court or the Competition Tribunal for an order prohibiting the conduct and/or imposing AMPs under the Competition Act.

Impact on Other Statutes

The FIWSA, if enacted, would amend the Telecommunications Act to permit the government to either maintain the current “Do Not Call” list in such a way that it would not overlap with the FIWSA regime, or to have the responsibility for regulating telemarketing fall under the FIWSA entirely.

Two courts rule on identity protection for online commentators

Courts in Nova Scotia and Ontario recently issued conflicting decisions on the ability of a plaintiff to compel a website to reveal the identities of online commentators. In both cases, the plaintiff in a defamation suit sought the identities of individuals who had posted allegedly defamatory comments to a website. In the Nova Scotia case, the court granted the order; in Ontario, the court refused it. The Ontario decision made it clear that such orders are not automatic: the court must be satisfied that there is a prima facie case for defamation, and must also weigh the public interest in disclosure against the freedom of expression and privacy interests of the parties. These issues were not addressed in the Nova Scotia decision.

Mosher v. Coast Publishing

On April 14, the Nova Scotia Supreme Court ordered a newspaper to help identify seven people who posted allegedly defamatory comments on the newspaper’s website. The case, Mosher v. Coast Publishing Ltd., 2010 NSSC 153, involved a Halifax-based newspaper, The Coast, which had published online a story about racism in Halifax’s fire service.

The Chief and Deputy Chief of the Halifax fire department sought to bring an action for defamation against the individuals who had posted the comments. Before the action could proceed, the would-be plaintiffs had to apply to the court for an order requiring The Coast to provide information about the web commentators, who had identified themselves only with pseudonyms.

In granting the order for disclosure of the information, Justice Robertson stated that “the court does not condone the conduct of anonymous internet users who make defamatory comments and they like other people have to be accountable for their actions.”

Warman v. Wilkins-Fournier

Warman v. Wilkins-Fournier, [2010] ONSC 2126 (S.C.J.), decided just a few weeks after Mosher, on May 3, was an appeal of an order to disclose information that could identify individuals who had posted allegedly defamatory comments on an internet message board managed by the defendants. In making this order, the motions judge had found that disclosure was mandatory because the information was relevant and not protected by privilege.

The Divisional Court’s appeal decision disagreed with this, noting that Charter values of privacy and freedom of expression weighed in favour of non-disclosure. The court held that where privacy interests are involved, disclosure is not automatic even if information is relevant and not protected by privilege. The court also noted the potential chilling effect on speech that would result if anyone could obtain information about the identity of online commentators simply by initiating an action. An appropriate balance, according to the court, is established by requiring that the plaintiff establish a prima facie case of defamation before disclosure can be ordered.

The decision in Mosher does not include any analysis of whether a prima facie case was made out, nor does it consider any balance of rights to be met in determining whether disclosure would be appropriate under the circumstances of that case.

Personal Information Protection Act amendments proclaimed in Alberta

Barbara B. Johnston, Gary T. Clarke, Birch K. Miller and April Kosten

Effective May 1, 2010, amendments to Alberta's Personal Information Protection Act (PIPA) are in force, which provide new and notable requirements applicable to organizations.

Notification respecting service providers outside of Canada

Organizations that use service providers outside of Canada to collect personal information about individuals or that transfer personal information to service providers outside of Canada must notify individuals of:

  • the ways in which they may obtain access to written information about the organization's policies and practices with respect to service providers outside of Canada; and
  • the person who is able to answer questions on behalf of the organization about the collection, use, disclosure or storage of personal information by service providers outside Canada.

Such notification must be provided before personal information is collected by, or transferred to, the service provider.

Additionally, organizations that use service providers outside of Canada must develop and follow policies and practices that identify:

  • the countries outside of Canada in which collection, use, disclosure or storage of personal information is occurring or may occur; and
  • the purposes for which service providers have been authorized to collect, use or disclose personal information for or on behalf of the organization.

Expanded definitions of "employee" and "personal employee information"

The definition of "employee" now includes individuals who perform a service for organizations as partners, directors or officers. This amendment allows organizations to collect, use and disclose personal information about their partners, directors and officers under PIPA's special provisions for personal employee information.

PIPA's definition of "personal employee information" has also been expanded to include personal information reasonably required for the purposes of "managing a post-employment or post-volunteer-work relationship." The expansion allows employers to collect, use and disclose personal information about former employees under PIPA's special provisions for personal employee information.

Retention and destruction of personal information

A new provision has been added to PIPA requiring organizations to destroy records containing personal information (or to render such information non-identifying) when such information is no longer reasonably required for legal or business purposes.

Notice to Individuals of security breach

The Alberta Information and Privacy Commissioner has been given the authority to require organizations that suffer a privacy breach to notify individuals to whom there is a real risk of significant harm. The Commissioner is able to exercise this power at any time and an individual complaint need not be filed.

If notification is ordered, the notice must include a description of the incident that led to the privacy breach, the time the incident occurred, a description of the personal information involved, information about any steps taken to reduce the risk of harm and contact information for a person who can answer questions about the breach.

New offence provisions

There are two new offence provisions. It is now an offence under PIPA to:

  • fail to notify the Commissioner of a privacy breach that poses a real risk of significant harm to individuals; and
  • take any adverse employment action against individuals who disclose a contravention of PIPA by their employer or fellow employees, who take action in order to avoid having any person contravene PIPA, or who refuse to do anything in contravention of PIPA.

U.S. federal agencies publish final model GLBA privacy form

On November 16, 2009, the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; the Federal Trade Commission; the Commodity Futures Trading Commission; and the Securities and Exchange Commission (collectively, the Agencies) published a final rule amending the rules that implement the privacy notice obligations under the Gramm-Leach-Bliley Act (GLBA). Pursuant to the final rule, the Agencies are adopting an optional model privacy form that financial institutions may rely on as a safe harbour and that will satisfy their privacy notice obligations under the GLBA. The final rule will come into effect on December 31, 2009.

The model form replaces the “sample clauses” previously contained in the Agencies’ privacy rules and used by many financial institutions in their GLBA notices as a safe harbour. The Securities and Exchange Commission is eliminating the guidance associated with, and the other Agencies are eliminating the safe harbour permitted for, notices based on the sample clauses if the notice is provided after December 31, 2010.

The final rule includes three versions of the model form: (1) a model form with no opt-out; (2) a model form with opt-out by telephone and/or online; and (3) a model form with opt-out by telephone, online and/or mail-in.

Canadian Privacy Commissioners provide guidance on workplace privacy in the time of a pandemic

In response to inquiries from organizations seeking clarification as to the application of privacy laws in the private sector workplace during the H1N1 pandemic, the Office of the Privacy Commissioner of Canada, together with the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Information and Privacy Commissioner of Alberta, published a guidance document on the issue.

The federal Personal Information Protection and Electronic Documents Act and the provincial privacy legislation in Alberta, British Columbia and Quebec apply in the usual way in “non-emergency” situations. However, in the event of the declaration of a public emergency, the powers to collect, use and disclose personal information to protect the public health may be very broad. Orders issued under public health legislation could require the collection, use and disclosure of certain information relating to employees and customers, and such collection would not be impeded by private sector privacy legislation.

The guidance document encourages employers to provide employees with information on prevention rather than asking employees personal questions that go beyond what is reasonable and minimally necessary.

The impact of new material contract filing requirements on existing licenses to use patents or trade name

As a consequence of the new amendments to National Instrument 51-102 Continuous Disclosure Obligations coming into force on March 17, 2008, a reporting issuer will have to disclose on SEDAR any new or existing “franchise or licence or other agreement to use a patent, formula, trade secret, process or trade name” not entered into in the ordinary course of business. Further information about this amendment can be found in Stikeman Elliott LLP’s article on “New material contract filing requirements in force March 17, 2008 and impact on existing material contracts”.