Canadian Technology & IP Law : Canadian Technology Lawyers & Attorneys : Stikeman Elliott Law Firm : IP Law in Toronto, Montreal, Calgary, Ottawa & Vancouver

Contrary to what Gaudio was told, works are not considered to be in the public domain simply because they are published on the internet. Rather, works are considered to be in the public domain if they are not protected by intellectual property rights, if such rights have expired or if the rights have been forfeited. The fact that a work is published on the internet rather than on paper does not change the definition of the public domain and, while there are public domain works on the internet, such works are not in the public domain simply because of their publication on the Internet.

Under the Berne Convention for the Protection of Literary and Artistic Works and the Copyright Act (Canada), copyright protection is automatically provided to a work as soon as the original work is written down, recorded or entered as a computer file. Under the “fair dealing” provisions of the Copyright Act, individuals may use original works without infringing upon the works’ copyright only if used for specific purposes: criticism and review, news reporting, and private study or research. The Copyright Act also exempts certain categories of users, such as non-profit educational institutions. Republishing a work that first appeared on the internet does not provide for a fair dealing exception simply because the work first appeared online.

Beyond the public domain issues, the Cooks Source case also provides a good example of the power and influence that social media can have on a business. As discussed above, online reaction to allegations of copyright infringement was swift, with Cooks Source’s Facebook page quickly overrun with derogatory posts. According to a statement by Cooks Source, its Facebook page was hacked and fake Facebook and Twitter accounts were created to spread word of the uproar. Facebook users also began publishing links to other articles that Cooks Source had allegedly copied, and a list of the magazine’s advertisers was soon posted online (with contact information), prompting Cooks Source to issue a plea that users stop bombarding their advertisers with “distasteful messages”.

In this age of social media, therefore, businesses must be more careful than ever to ensure the propriety of their actions to avoid the type of response seen in this case. While Cooks Source may be a small regional magazine, the response to its actions came from across the online universe and the story was widely reported in the mainstream press. Thus, while the internet and social media can be invaluable in building a business and a brand, this case provides an example of how powerful social media can be when going the other direction.

Bill C-28 is extremely similar in substance to Bill C-27, which was introduced in April 2009 and titled the Electronic Commerce Protection Act. Bill C-27 received unanimous support in the House of Commons following its third reading, but it died upon prorogation in December of 2009 while at the Standing Senate Committee on Transport and Communications. Given the strong resemblance between the two bills, many expect that Bill C-28 will move quickly through the legislative process. 

Like its predecessor, Bill C-28 was designed to reduce unsolicited or junk e-mail, commonly referred to as “spam”. Most importantly, the legislation aims to bolster consumer confidence in electronic commerce, which the government has described as necessary in order to position Canada as a leader in the digital economy. The bill incorporates a number of the legislative recommendations made in 2005 by the government-mandated “Task Force on Spam”. The proposed FIWSA aims to regulate activities such as spam, counterfeit websites (known as “phishing”) and spyware. 

The FIWSA would also establish a regime whereby the Canadian Radio-television and Telecommunications Commission (“CRTC”), Competition Bureau of Canada and the Office of the Privacy Commissioner could share information and evidence with law enforcement agencies outside Canada, in an effort to enforce similar international laws and pursue violators beyond Canadian borders. Currently Canada is the only G8 country and one of only four OECD (Organisation for Economic Cooperation and Development) countries without specific spam legislation. Thus, when the government first introduced Bill C-27 it was cast as a necessary step in fulfilling Canada’s international duty to join global partners in passing laws to combat spam and related cyber threats.   

Prohibitions

The anti-spam provisions remain largely unchanged from Bill C-28. They would prohibit sending (or causing or permitting to be sent) a commercial “electronic message” (which is defined broadly to include a text, sound, voice or image message) to an electronic address, unless the recipient has given express or implied consent. Implied consent would apply to situations in which there is an existing business or non-business relationship between the sender and recipient, and to certain limited circumstances where the recipient has, within a business context, conspicuously published or disclosed the electronic address and the disclosure was not accompanied by any statement that the person did not wish to receive commercial messages (there is also a provision that would permit future regulations to further define implied consent). 

The FIWSA also sets requirements for the form of permitted messages: the message must identify the person who sent the message (and, if it is different, the identity of the person on whose behalf the message was sent), along with contact information for those identified. Moreover, permitted messages must include an unsubscribe mechanism, which includes either a hyperlink (valid for at least 60 days after the message is sent) that the recipient can follow, or a specified electronic address to which an unsubscribe request can be sent. Requests must be given effect within 10 days. 

The anti-phishing provisions are drafted as prohibitions against “altering transmissions data”, and would prohibit the unauthorized redirection of an electronic message to a destination other than or in addition to that specified by the sender, except with the sender’s express consent. As with the anti-spam provisions, an electronic address must be provided to which the sender may give a notice of withdrawal of consent, and the request must be given effect within ten days.

Notably, the prohibitions in Bill C-28 are broader than those previously provided for in Bill C-27. The prohibitions in both bills apply to anyone who procures or causes to procure a prohibited act. However, the language in Bill C-28 has been extended to also apply where someone aids in or induces such an act. 

Administrative Monetary Penalties and Private Actions

Provisions of the FIWSA that would subject violators of the Act to an Administrative Monetary Penalty (“an AMP”) remain the same as those originally envisaged in Bill C-27. An individual who violates any of the foregoing prohibitions may be subject to an AMP of up to $1 million and corporate entities would be liable to an AMP of up to $10 million. Officers, directors, and agents of corporations that violate the prohibitions could also be held liable for such actions if they directed, authorized, acquiesced in or participated in the commission of the violation. 

Anyone charged under the Act can raise a due diligence defence. They must show that they exercised due diligence to prevent the violation, but there is no indication as to what actions will constitute due diligence. Furthermore, any relevant common law rule or principle that would create a justification or excuse may be relied on to the extent that it is not inconsistent with the Act. 

The process for imposing liability under the AMP is a fairly expedited administrative process, administered through the CRTC. A notice may be served where the CRTC has reasonable grounds to believe that a person has committed a violation under the FIWSA. The notice must include details of every act or omission for which the notice is served, the relevant provisions and the amount of the fine. The recipient of the notice has 30 days to respond, after which time he or she will be deemed to have committed the violation and will be liable to pay the amount set out in the notice. If the recipient does provide a response, the CRTC must decide on a balance of probabilities whether the violation was committed. Upon determining that there was a violation the CRTC may impose the original fine, impose a reduced fine, or may suspend payment of the fine subject to any conditions that it considers necessary to ensure compliance with the Act. Decisions of the CRTC can be appealed to the Federal Court of Appeal. However, where the issue is one of fact, leave to appeal must be granted by the Court. The CRTC can also agree to an undertaking, which is in essence an agreement to settle an alleged violation on terms acceptable to both the CRTC and the offender.

One of the most controversial provisions of the Bill C-27 remains largely unchanged in Bill C-28. It would establish a private right of action for persons who allege that they have been affected by a contravention of the anti-spam, anti-phishing or anti-spyware provisions of the FIWSA. The application must include the alleged contravention, all relevant provisions, acts or omissions at issue, and should state the nature and amount of the loss, damage or expense. If the court is satisfied that the contravention occurred it may order the responsible individual(s) to pay the applicant compensation for any loss, damage or expenses incurred by the applicant. The court may also grant an additional award, up to a maximum of $200 per day for most contraventions, and $1 million for each day on which a contravention occurred. Again, officers, directors, or agents of corporations would be subject to this private right of action, if it could be proved that they directed, authorized or participated in the commission of the contravention.

That same private right of action would apply to persons who allege that they have been affected by breaches of the new provisions of PIPEDA and the Competition Act. These new provisions, discussed in detail below, would be brought into effect by the FIWSA.

The FIWSA would establish new prohibitions under PIPEDA in relation to collecting personal information, including a ban on (i) collecting an individual’s electronic address through a computer program designed or marketed for use in generating (or searching for) and collecting electronic addresses, or using any address collected by the foregoing means; and (ii) collecting personal information through any means of telecommunications if the collection involves accessing a computer system (or causing one to be accessed) without authorization, or using any personal information that is collected that way. 

The FIWSA also proposes numerous amendments to the Competition Act, including the addition of section 52.01, which broadens the criminal false or misleading representation provisions of the Competition Act. This new section would prohibit knowingly or recklessly sending, for business promotion purposes: (i) a false or misleading representation in the sender or subject matter information of an electronic message; or (ii) an electronic message that contains a materially false or misleading representation. Under the proposed new section 74.011 of the Competition Act, such actions would also qualify as reviewable conduct, thus permitting the Commissioner of Competition to apply to a court or the Competition Tribunal for an order prohibiting the conduct and/or imposing AMPs under the Competition Act.

Impact on Other Statutes

The FIWSA, if enacted, would amend the Telecommunications Act to permit the government to either maintain the current “Do Not Call” list in such a way that it would not overlap with the FIWSA regime, or to have the responsibility for regulating telemarketing fall under the FIWSA entirely. 

Recent Changes to Privacy Settings

In the past, Facebook has been criticized for requiring users to adjust multiple buttons across several different pages to control privacy. The new simplified privacy controls aim to make this process easier by reducing and simplifying the number of privacy settings.

Users will also have the ability to set up lists of different kinds of friends. For example, family members, individuals from work, or teammates from sports can set different privacy preferences for each category of friend. Facebook’s “social plug-ins” will additionally allow users to set who can see their friends and show the pages they’ve "liked.” Previously, these fields were automatically made public.

Facebook has also made it easier to turn off the controversial “instant personalization” function, which allows people to share their information through other web services like Yelp, Pandora, and Microsoft Docs. Now, users can opt-out of this with one click.

Previous OPC Investigations of Facebook

The OPC conducted an in depth investigation of Facebook in response to complaints from University of Ottawa law students interning at the Canadian Internet Policy and Public Interest Clinic (CIPPIC). It struck a settlement with the social media company in 2009 to agree to comply with Canadian privacy laws.

The investigations and the settlement were followed by further changes to Facebook’s privacy settings and another OPC probe commenced this January 2010 in response to a complainant who “alleged that the new default setting [at that time] would have made his information more readily available than the settings he had previous put in place.”

OPC Response to Recent Changes

The OPC’s initial response to the recent changes indicates that the OPC believes that Facebook has not gone far enough to satisfy the commitments it made to the OPC in its 2009 settlement. The new settings do not affect what Facebook refers to as users’ “basic directory information”, including name and profile picture, pictures, gender and networks to the broader internet. The OPC remains concerned that users are still by default required to reveal personal information to the internet public when Canadian law demands greater user control.

Additionally, organizations that use service providers outside of Canada, must develop and follow policies and practices that identify:

• the countries outside of Canada in which collection, use, disclosure or storage of personal information is occurring or may occur; and
• the purposes for which service providers have been authorized to collect, use or disclose personal information for or on behalf of the organization.

Expanded definitions of "employee" and "personal employee information"

The definition of "employee" now includes individuals who perform a service for organizations as partners, directors or officers. This amendment allows organizations to collect, use and disclose personal information about their partners, directors and officers under PIPA's special provisions for personal employee information.

PIPA's definition of "personal employee information" has also been expanded to include personal information reasonably required for the purposes of "managing a post-employment or post-volunteer-work relationship." The expansion allows employers to collect, use and disclose personal information about former employees under PIPA's special provisions for personal employee information.

Retention and destruction of personal information

A new provision has been added to PIPA requiring organizations to destroy records containing personal information (or to render such information non-identifying) when such information is no longer reasonably required for legal or business purposes.

Notice to Individuals of security breach

The Alberta Information and Privacy Commissioner has been given the authority to require organizations that suffer a privacy breach to notify individuals to whom there is a real risk of significant harm. The Commissioner is able to exercise this power at any time and an individual complaint need not be filed.

If notification is ordered, the notice must include a description of the incident that led to the privacy breach, the time the incident occurred, a description of the personal information involved, information about any steps taken to reduce the risk of harm and contact information for a person who can answer questions about the breach.

New offence provisions

There are two new offence provisions. It is now an offence under PIPA to:

• fail to notify the Commissioner of a privacy breach that poses a real risk of significant harm to individuals; and
• take any adverse employment action against individuals who disclose a contravention of PIPA by their employer or fellow employees, who take action in order to avoid having any person contravene PIPA, or who refuse to do anything in contravention of PIPA.

All parties in a litigation have an obligation to disclose all relevant documents to the other side. The plaintiff did not disclose any information from Facebook and the defendant argued the plaintiff must have violated her obligation to disclose. The judge held that one could not assume that the plaintiff had relevant information on Facebook just because people normally put information on Facebook. 

The judge noted that the plaintiff had restrictive privacy settings and that she did not intend to share her information with the public at large. The judge allowed the defendant to cross-examine the plaintiff to ensure that all relevant information on Facebook had been disclosed.

PIPEDA requires that organizations contemplating the use of covert video surveillance ensure that the collection, use or disclosure of such personal information is limited to purposes that a reasonable person would consider appropriate in the circumstances. The guidance document notes that what is considered appropriate in the circumstances involves an analysis of several factors, including whether:

•  there is a demonstrable, evidentiary need for the collection, beyond mere suspicion
•  the personal information collected is clearly related to a legitimate business purpose and objective
• the loss of privacy from the covert video surveillance is proportional to the benefit gained; and
• less privacy-invasive measures were exhausted prior to the implementation of covert video surveillance.

Under Rule 30.06 of Ontario’s Rules of Civil Procedure, a court may make certain orders, such as for the production of a document for inspection or the service of a further and better affidavit of documents, where it believes that relevant documents have been omitted from a party’s affidavit of documents. Relying on Rule 30.06, in June 2008 the defendant moved for, among other things, the production of all information on the plaintiff’s Facebook profile and the production of a sworn supplementary affidavit of documents. While the plaintiff consented to producing a supplementary affidavit of documents, the production issue remained unresolved.

At the motion level, while Master Dash recognized that Facebook profile pages are “documents” for the purposes of the Rules of Civil Procedure, he refused to order the production of the Facebook pages. According to Master Dash, the defendant’s request, based simply on the evidence that Facebook profiles typically include such things as photographs, was “clearly a fishing expedition.”

On appeal, Justice Boswell considered the case of Murphy v. Perger, [2007] O.J. No. 5511 (Ont. SCJ), which also dealt with the production of a limited-access Facebook profile. In Murphy, the Court had ordered production of documents posted on the plaintiff’s private profile based on photographs on the publicly-accessible portion of her profile showing the plaintiff engaged in various social activities. The Court in Murphy found that the nature of Facebook and the photographs existing on the public portion of the plaintiff’s profile made it reasonable to conclude that the private portion of the profile would also contain photographs.

The Superior Court in the immediate case agreed with the Court in Murphy that the presence of content on a party’s publicly-accessible profile would allow for the inference that similar content exists on the private portion of a profile. Taking it one step further, however, the Court found that even in cases where there is no publicly-accessible profile,

a court can infer from the social networking purpose of Facebook, and the applications it offers to users such as the posting of photographs, that users intend to take advantage of Facebook’s applications to make personal information available to others.

The Court disagreed with the categorization of the defendant’s request as a “fishing expedition” even though there existed no evidence of relevant content beyond the mere existence of the plaintiff’s Facebook profile. While the Court disagreed that production should extend to all material on such a profile, the Court found that a party that discovers a profile following examination for discovery “should enjoy some opportunity to ascertain and test whether the Facebook profile contains content relevant to any matter in issue in an action.” This would include requiring the preservation and printing out of posted material, the swearing of a supplementary affidavit of documents identifying relevant Facebook documents and where few or no documents are disclosed, permitting a cross-examination of documents. Ultimately, therefore, the Court allowed the appeal and granted leave to the defendant to cross-examine the plaintiff on his supplementary affidavit of documents with respect to the nature of material on his Facebook profile.

Of particular note to counsel, the Court found that

[g]iven the pervasive use of Facebook and the large volume of photographs typically posted on Facebook sites, it is now incumbent on a party’s counsel to explain to the client, in appropriate cases, that documents posted on the party’s Facebook profile may be relevant to allegations made in the pleadings.

While the court’s findings would obviously apply to other similar social networking sites, it is unclear whether they would extend beyond such websites. For example blogs have traditionally been more focused on the exchange of ideas rather than the sharing of photographs and it is questionable whether the existence of a private blog would lead to the inference that relevant material existed on the site.