Have you ever wondered if an electronic document like an e-mail or a scanned image can be used instead of a paper document to meet a legal requirement? How about using an electronic signature as opposed to a written signature?
Unfortunately, the provincial government’s dithering over the past decade will not help you answer these important questions.
Manitoba’s e-commerce legislation, called The Electronic Commerce and Information Act, was passed in the Manitoba Legislature in 2000. It was then billed as a cutting edge law that would help Manitobans to prosper in the online world.
Can the act of connecting with other professionals on social networking websites such as LinkedIn constitute a violation of a non-compete or non-solicitation contractual undertaking? Are departing employees that are subject to such restricted covenants required to disconnect and “de-friend” colleagues and customers of their former employer until the contractual undertaking have expired?
ComputerWorld is reporting today that an IT staffing firm has accused one of its former employees of violating her non-compete undertaking through her conduct on LinkedIn. I’m not aware of any similar lawsuit to date in Canada so it’ll be interesting to see how this particular case evolves in the U.S. This case and others that I’ve previously noted highlight the blurring line between online and offline worlds. Businesses should consider whether or not, and to what extent, they should try to enforce such restrictive covenants in the social networking world. Stay tuned…
Canada’s Privacy Commissioner, Jennifer Stoddart, has teamed up with nine other country’s privacy watchdogs today to warn Google and other organizations to better respect people’s privacy rights. The privacy commissioners have sent a letter to Google, accusing it of overlooking privacy values and legislation in launching new online products.
The privacy commissioners’ letter states, “we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws… Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured… We therefore call on you, like all organizations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:
collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
creating privacy-protective default settings;
ensuring that privacy control settings are prominent and easy to use;
ensuring that all personal data is adequately protected, and
giving people simple procedures for deleting their accounts and honouring their requests in a timely way.”
The privacy commissioners’ demand that Google and other organizations better incorporate privacy into the design of new online services underscores the need for the “Privacy by Design” initiative that Ontario’s Information and Privacy Commissioner recently discussed in my “A Conversation with Dr. Ann Cavoukian” post. All organizations, regardless of their size (after all, we’re all not Google), would be well-advised to learn from today’s “buzz” about Google Buzz.
Canadian Business Online is asking if you “ever wonder who’s checking your Facebook profile? Sure, there are probably the old standbys, like your high-school crush and your nosy co-worker, but you should be aware that there might be someone else checking you out: your banker. Financial institutions of all stripes have been scouring social-networking sites since the days when MySpace was all the rage; now they troll Facebook, Twitter and blogs to find out more about their customers. Don’t be surprised if soon they take the information they’ve found about you and use it to determine your creditworthiness.”
Yours truly was interviewed by Canadian Business Online for this article and, as you’ll see, I comment that I’m not aware of whether, or to what extent, the big banks and credit card companies are using personal information that’s publicly available on social networking websites to determine credit worthiness. That being said, in the insurance industry “using information from social-networking sites has already become commonplace”. The message that I’d take from this article is that Canadians’ understanding of privacy, and the ground rules for managing publicly available personal information that we willingly post online, is rapidly evolving.
Are website operators presumed to have “published” defamatory materials that they deliberately link to from their websites? If not, what are the circumstances where it can be inferred that a website operator has “published” hyperlinked defamatory materials? We may be about to find out. The Supreme Court of Canada has just granted leave to appeal of Crookes v. Newton, the B.C. decision that I summarized in a previous post last October.
There’s still plenty of “grey areas” in Internet law. Hopefully, the Supreme Court of Canada will provide more definitive guidance for legal practitioners and website operators in the growing area of online reputation management. In the meantime, website operators should seek legal advice prior to hyperlinking to any potentially defamatory materials on the Internet.
It appears that the growing adoption of cloud computing, combined with the outdated Electronic Communications Privacy Act, is adding pressure in the U.S. for an updated online privacy law to help better protect cloud computers.
CNET is reporting today that “a broad coalition of companies including Google, Microsoft, and AT&T, joined by liberal and conservative advocacy groups, will announce a major push [today] to update federal privacy laws to protect mobile and cloud computing users”.
Of course, in Canada cloud computers have the benefit of PIPEDA and – where they exist – substantially similar provincial privacy laws. To learn more about cloud computing, and related privacy law implications, you may want to check out this previous post.
This really is the kind of personal information that identity thieves love so the OPC article is a useful read. In fact, businesses whose employees create accounts on their behalf would be well-advised to have employees read the OPC article.
Over the past two weeks nearly a million people around the globe have viewed a couple of YouTube videos filmed and posted by Churchill High School students, which show two of their teachers performing a simulated lap dance.
The identities of the teachers have been widely reported. Now the question is: Could the teachers sue the students for violating their privacy?
As originally drafted, the Anti-Spam Bill didn’t clearly define which types of electronic communication would be subject to regulation. While spyware and phishing would clearly be outlawed, questions arose as to whether other decidedly non-Spam and legitimate activities could possibly be caught within the scope of regulation. That’s because the Anti-Spam Bill was drafted to regulate “commercial activity”. Unfortunately, it didn’t clearly explain what this term meant. Here’s where the misconception comes in.
Some think “marketing research” is the same thing as telemarketing. In reality, the two activities have very little in common. Legitimate marketing research organizations do not try to sell products or services (in fact, if they are members of Canada’s Marketing Research and Intelligence Association (the “MRIA”), they are bound by a professional code of conduct which expressly prohibits such activities). Maybe you’ve heard of “mugging” (marketing under the guise of research) and “sugging” (selling under the guise of research). Let’s be clear: legitimate marketing research organizations do neither. If someone is trying to sell you something under the guise of a survey, they are not conducting legitimate marketing research. Nevertheless, comparisons of online marketing research to telemarketing abound, even though the Anti-Spam Bill will regulate online activity, not telephone calls.
Polls tell us that Canadians support the Anti-Spam Bill. How do we know this? Because members of the MRIA were able to conduct marketing research, quite likely, using an online survey. These surveys are fuel for polls that provide valuable and timely information to Canadian decision-makers. What’s more, online surveys are quick and convenient for participants. I have the privilege of serving as the MRIA’s legal counsel, and am also a member, so I ‘ve seen marketing research activities first hand and know the value they provide to Canadians.
My understanding and reading of the Anti-Spam Bill is that online marketing research is not intended to be caught by the law. But that’s the problem: given the ambiguity of the Anti-Spam Bill, it’s impossible to definitively say that online marketing research would not be regulated. Ambiguity leads to uncertainty, which is good for no one. The Personal Information Protection and Electronic Documents Act, for instance, has been criticized for being far too subjective. We should learn from this experience and cut as much ambiguity as possible from the Anti-Spam Bill. That’s why the Anti-Spam Bill should be clarified to ensure it’s clear that it won’t apply to online marketing research. Doing so would not create loopholes, as some have argued; it would simply ensure that online marketing research is not lumped into the annoying Spam that everyone wants to ban. Bringing clarity to the Anti-Spam Bill would also be consistent with the actions of other countries that have already created specific exemptions for marketing research in their anti-spam laws.
The bottom line is that no one likes Spam, except perhaps for these guys from Monty Python. Parliament still has an opportunity to clarify misconceptions and introduce a strong, effective law. Marketing research isn’t Spam, however, and the Anti-Spam Bill should clearly reflect this fact.
The number of cases involving Internet defamation seem to be growing every day. So too, are the number of related issues that businesses need to consider in relation to online activities. Case in point is the recent British Columbia Court of Appeal decision of Crookes v. Newton, where the court was asked if providing a hyperlink to another website containing defamatory comments constituted Internet defamation.
A key hurdle that claimants must prove in defamation lawsuits is that defendants “published” defamatory words. Internet defamation is no different, and in the Crookes case, the court concluded that providing a hyperlink does not necessarily equal the “publishing” of defamatory content. If a website simply provides a hyperlink, or describes a hyperlink’s content in a neutral manner, then according to the court in Crookes, the hyperlink is not adopting the offending words as its own and is not indirectly “publishing” them. However, if the linking website endorses the content of the hyperlink material or encourages the reader to click the hyperlink to the website that contains defamatory material, the defendant may be just as liable for defamation as the original author of the offending material.
The Crookes case provides useful guidance, but businesses should be reminded that each Internet defamation case will turn on its own specific facts, and factors that will be considered include the wording, tone and placement of hyperlinks. To help minimize the risk of being sued for the publication of defamatory comments, business owners should seek legal advice prior to hyperlinking to any potentially defamatory materials on the Internet.
The Federal Government’s recent initiative to modernize law enforcement related legislation for the Internet age has (at least within law enforcement and privacy circles) once again propelled the issue of privacy vs. security to the forefront. The issues are incredibly important for Canadians, yet there has been little debate within the wider public. That being said, I’m pleased to read Ian MacLeod’s recent Ottawa Citizenarticle, which (even if you don’t agree with some of the points) does a good job of raising the issues in plain language. For a more technical analysis of the legal issues, you may want to read fellow blogger David Fraser’s post regarding the debate about warrantless access to ISP customer information.
The debate surrounding the “lawful access” legislation stems from real challenges affecting Canada’s law enforcement agencies and their need for access to personal information in the course of investigations. What is concerning, however, is the prospect of warrantless searches without judicial oversight. As a citizen in a free and democratic society, it troubles me to see any legislative initiative that could lead to investigations without appropriate checks and balances. Privacy and security don’t need to be mutually exclusive. Let’s hope that through the upcoming Parliamentary Hearings on the “lawful access” legislation we see a balance emerge between privacy and security in such a way that empowers law enforcement agencies while preserving the judicial oversight that Canadians have come to rightfully expect in our society.
A widely reported and controversial issue these days relates the identification of anonymous bloggers (I’ve commented on this issue in previous posts). On point, Cook County (Illinois) Circuit Court Judge Jeffrey Lawrence has ordered the identification of an anonymous commenter. According to the Daily Herald, Judge Lawrence has ruled that the Daily Herald and Comcast must reveal the identity of a person who posted a comment on dailyherald.com.
It seems that website operators are being increasingly asked, or ordered, to reveal the identity of anonymous commentators or bloggers, many of whom have likely presumed that their identity would never be disclosed. However, Northwestern University law professor and First Amendment scholar Martin Redish tells the Daily Herald, “[a]ssume a worst-case scenario”. “Proceed on the assumption that your identity can be revealed.”
Americans are very fond of their First Amendment right to free speech (in Canada we call it Freedom of Expression). However, this right does not protect writers whose comments are defamatory. As I’ve said before, this is a rapidly emerging area of law and it’s becoming increasingly important to stay on top of developments.
BBC News is reporting that thousands of Hotmail accounts have been compromised in a phishing attack, which has reportedly affected at least 10,000 individuals.
Phishing involves identity thieves attempting to obtain personal information, such as user names, passwords and financial information, by pretending to be trustworthy organizations in need of such data.
Coincidentally, the Privacy Commissioner of Canada released her annual report today, which stresses the importance of making informed choices when sharing personal information online. The Privacy Commissioner reminds Canadians that there is a risk that unguarded personal information could be exploited by identity thieves. The Hotmail phishing attack, as well as the Privacy Commissioner’s annual report, should also remind businesses to remain vigilant in protecting their brands – or online reputations – from being damaged by identity thieves that use phishing attacks to exploit the well-earned trust that such businesses have built with their customers.
The Lawyers Weekly is running a story that focuses on one of the most cutting edge and rapidly emerging areas of law – online reputation management. Here are some excerpts from the story, which profiles an ongoing client matter:
“On the heels of a recent New York state court decision that ordered Google Inc. to reveal the identity of an anonymous blogger in a defamation suit, a Winnipeg business lawyer has asked the California-based online search engine giant to do the same and out a blogger on behalf of an Ottawa-area resident. Brian Bowman, a partner with Pitblado LLP in Winnipeg who specializes in privacy, access to information, online reputation management, intellectual property and technology matters, says that his client was defamed on a site appearing on Google-operated blogspot.com (also known as Blogger.com).”
“The New York court decision and the Canadian case raise “one of the fundamental legal questions of our time over the appropriate balance between legitimate, anonymous Internet speech versus the right for people to protect their reputations,” says Bowman, who expects more of these situations will emerge in the near future.”
Peruse through your Inbox and look at the e-mails you have received this week. No doubt there will be a few that include legal notices at the bottom of messages warning you of the confidential nature of the correspondence and stressing that if you are not the intended addressee that you are to return the e-mail to the sender… immediately! These automatically generated e-mail disclaimers have become standard business practice. They have become so commonplace it begs the question: are e-mail disclaimers legally enforceable?
This very question has yet to be the focus of judicial consideration in Canada, and it appears as though it remains an unresolved issue in most other jurisdictions. Although bloggers and writers have analyzed e-mail disclaimers, there is no authoritative jurisprudence or legislation to shore up their arguments. There are a number of issues surrounding the enforceability discussion, including, among other things:
the lack of consideration between parties to create binding contracts via typical e-mails;
the timing of e-mail disclaimers (they come at the end of e-mails, after recipients have read the messages); and
the otherwise lack of confidentiality associated with e-mails, which has come to light through the ever-increasing number of e-fraud cases.
That said, it is always safer to err on the side of caution. In the event your organization were unlucky enough to be sued for the contents of an e-mail, it may prove useful to have used an e-mail disclaimer. At the end of the day, even though the enforceability of e-mail disclaimers may not have yet been judicially considered, having an appropriately drafted e-mail disclaimer may help mitigate your businesses’ liability in the event of an unfortunate e-mail mishap.
E-mail disclaimers should be drafted with legal and business considerations in mind in such a manner that reflects the values, marketing strategy and risk tolerance of your organization. Please contact me if I can provide any assistance in drafting an e-mail disclaimer that suits your organization’s needs.
Have you heard the term “cloud computing“, but aren’t really clear what it means?
Cloud computing is an umbrella term that refers to the use of Internet-hosted computer services. Think of your server — instead of having one in-house server located on company premises, an organization might opt to buy space on a third-party provider’s server. Other options include software hosting and data storage. By purchasing computing services from a variety of Internet-based providers, your computer needs are housed within a larger “cloud” of computer services.
Some organizations are opting for ”Software as a service” (SaaS), and allowing their data to reside on other company’s servers, or “the cloud“. Users only have to buy the space they need, which allows organizations to save money on their technology costs. Other benefits include access to people with technological know-how, flexibility and reduced maintenance costs.
Cloud computing is not new, but is now embedded into the fabric of modern business operations. In fact, the Los Angeles Times has reported that the city of Los Angeles is considering using Google applications for all of its software needs.
Privacy issues related to cloud computing, however, are profound. For example, many of the security questions that relate to traditional third-party data hosting were raised when a hacker broke into a Twitter employee’s work e-mail account and stole confidential company documents. The World Privacy Forum, meanwhile, has released a 28-page report on some of the privacy issues that relate to cloud computing. The report concludes that sharing information may expose some business users to liability, and emphasizes the importance of checking a cloud provider’s terms of service, privacy policy, and location.
Canadian businesses that engage in cloud computing should be reminded that they must do so in compliance with applicable privacy laws. For example, the Personal Information and Protection of Electronic Documents Act obliges organizations that transfer personal information to third parties to ensure appropriate security safeguards are in place.
They should also be mindful of the raging debate about the perils of cloud computing that has been underway now for some time. While cloud computing has the potential to provide benefits, organizations should ask themselves whether it is worth the risks it poses. You might save money in the short run, but is it worth the potential of a massive privacy breach?
While the OPC’s Facebook investigation should be a “must read” for all Facebook users, it also provides some insightful information for Canadian organizations regulated by PIPEDA. The lessons that can be learned from the investigation can be applied by Canadian businesses regardless of whether their activities are online or offline.
Despite the fact that “[i]t’s clear that privacy issues are top of mind for Facebook…” federal Privacy Commissioner Jennifer Stoddart says that the OPC has found “serious privacy gaps in the way the site operates”. According to Stoddart, in order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care. An overarching concern of the OPC was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the “account settings” page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook’s servers. The OPC recommends more transparency, to ensure that the social networking site’s nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.
The investigation also raised significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes. (There are more than 950,000 developers in some 180 countries.) Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing profile information, the investigation found. The report recommended a number of changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.
The investigation also found that Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts, which is a violation of PIPEDA. The law requires organizations to retain personal information only for as long as is necessary to meet appropriate purposes. Recommendations to Facebook included the adoption of a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time.
Click here to read the OPC’s News Release, here for the full investigation report and here to read a helpful backgrounder. If you’d like to read more about Facebook, please click on the Facebook link under this blog’s Tags (below).
As I’ve previously discussed, Social networking websites such as MySpace and Facebook are provoking new questions about the appropriate boundaries in employee-employer relationships. This is evident in a United States Federal Court case coming to a head in New Jersey. The case pertains to the conduct of a manager who logged into a private social networking website and observed employees slandering company supervisors and customers. Those same employees were later dismissed. The case exemplifies a rapidly expanding “grey area” between an employee’s work life and personal social life. It begs the question, at what point does a “private” comment to friend made outside of the office constitute defamation, and at what point are such comments simply banter between individuals? Of course, the answer is, it all depends on the facts.
For an interesting discussion on the matter, check out Myrth on a Blog, a personal journal of law, technology and social media.
It’s been a thrilling week for my colleagues at Pitblado LLP as it was announced earlier this week that we were to be the 1st Canadian law firm to be a guest blogger on the must-read slaw.ca. Yours truly, three of my colleagues from our firm’s Information & Ideas Practice Group as well as our firm’s librarian each contributed one post a day this week to slaw.ca on cutting edge legal topics. Here’s what we covered…
On Monday, I posted “What Would Happen If One of your Employees Posted a Video of an Irate Customer on YouTube?”, which I cross posted on my blog earlier this week. The post highlights a YouTube video of an irrate customer as a reminder to Canadian businesses of the powers of new technologies such as YouTube and the corresponding need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy and procedures.
On Tuesday, Carol Lynn Schafer posted “Do TOS Have the Final Word on our Fundamental Rights and Freedoms?”, which discusses the controversial effects of Terms of Service on popular websites such as Facebook and Twitter. As Carol Lynn notes, Terms of Service should be drafted with the bigger picture in mind and can no longer be seen as standard agreements that can be treated with a one size fits all approach.
On Wednesday, Jolin Spencer posted “Whose Property Is It, Anyway?”, which discusses the questions that come into play when employees leave their positions. For example, what can an employee take, and what must they leave, when they vacate their position? As Jolin points out, no business wants its intellectual property assets walking out the door with a former employee.
On Thursday, our firm’s librarian, Karen Sawatsky, posted “Legal Research Bootcamp – Winnipeg Style”, which discusses her experience collaborating with members of the Manitoba Bar Association and the Law Society of Manitoba to create a CLE for articling students on legal research. The Legal Research Bootcamp is a first for Manitoba students, and aims to bridge the gap between when students start their articles and when CPLED begins in the fall.
The posting of a YouTube video of a woman throwing a tantrum at the Hong Kong International Airport should serve as a reminder to Canadian businesses that employees these days can (and do) easily record and post videos online from their mobile phones.
The three minute video shows a Cathay Pacific customer yelling and flailing her limbs as she lies on the floor after missing her flight from Hong Kong to San Francisco. I’ve been upset at missing a flight before, but the woman in this video takes things to an entirely new level. The video has drawn over five millions views and nearly 21,000 comments, which has resulted in some incredibly cruel and objectionable online commentary about the woman. Since the release of the video, Cathay Pacific has disciplined the gate worker who recorded the video on his mobile phone (although the video was posted on YouTube by a third party) and the company has issued a formal apology to the woman.
The video is noteworthy because it demonstrates the power of new technologies such as YouTube and the corresponding risks to Canadian businesses. Had the video been recorded by an employee of a Canadian business, subject to Canadian privacy laws, the potential privacy complaint and/or lawsuit by the woman in the video could have been substantial.
Canadian businesses should be reminded of the need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy policies and procedures.
Canadian businesses don’t need to look too far to find examples where more effective employee privacy training may have mitigated, or even prevented, privacy complaints.
Earlier this year, the Internet Corporation for Assigned Names and Numbers (“ICANN”) announced that they will be opening up the generic Top Level Domain extensions (the “gTLDs”) to allow for personalized extensions. I could (for a mere US$185,000.00+) now apply for a .brian or even a .privacy. And while the chances of me starting a .brian are very slim, it will be interesting to see how many organizations pay the application fee and create their own .blank extension. Opening up the gTLDs will likely force trademark owners to evaluate their brand strategies and, in doing so, weigh the costs and benefits of buying any or all gTLDs related to their brand.
If you’re a trademark owner and you want to approach your strategy conservatively, then you may want to take a defensive position and register any of the gTLDs that relate to the business in which you’re engaged. The list of commercial gTLDs would include .com, .net., .info, .org, .tel, .biz, .mobi, .tv and any other TLDs that seem to have a commercial application. Additionally, you may want to register and maintain the country code domain names (ccTLDs) in the jurisdictions where your organization offers, or plans to offer, its products or services. Once this is completed, you should then register any known variations of your trademark.
While, in theory, this is a very effective strategy – in practice, this strategy will be more difficult to execute. For example, the owners of Lego currently own 450 domain names within the TLDs. They recently pursued and won a WIPO arbitration decision against a cybersquatter who had registered the domains Justlegos.com, legosonly.com, and onlylegos.com; illustrating that even the most vigilant defensive strategy for the registration of domains names cannot prevent all infringements. As such, any brand strategy should be accompanied by vigorous monitoring and enforcement. The decision about which TLDs to register is a business decision that must weigh the cost of brand enforcement from a defensive position and an offensive position.
Are you a parent with children who use the Internet? Do your children have a better understanding of this new and constantly changing technology? Have your children ever texted “fts” or told you to “bma” in an online message ? I sure hope not!
If you have children, I’d encourage you to visit the Internet 101 website, which provides some great information to increase your computer knowledge. The site provides excellent resources including Tutorials to help you learn more about the online world, Technical Tips to help keep your computer secure, Chat Lingo to help you learn the online lingo, Popular Online Activities to expose you to what today’s youth are doing online, and an Internet Agreement to be signed between parents and children to help your family stay safe in the online world.
Even if you don’t have children, there is some valuable information on the site worth reading.
Over the past couple of years, the world has been preparing for a pandemic. Most experts believed that the avian flu was the most significant threat that faced the world, but recent declarations of a potential pandemic with confirmation of cases in Mexico, the U.S. and Canada from a swine flu have led to fears that the next pandemic is upon us. In the event of a pandemic, the government of Canada has set up a website, which will provide information to the public.
In times of fear, governments and citizens alike often overreact to address a threat. It is times like this that individuals, in addition to heeding advice about how to avoid the flu, should be vigilant about what measures the government may be taking to address this health crisis. Last summer, Canada experienced another health crisis when a strain of listeria was found in certain meat products. Tragically, by the time it was over, 21 people had reportedly died. The public health crisis was announced mid-August, but a team of researchers at Google later found that searches for the term listeriosis spiked in Canada about a month before the public announcement. An article published in the Canadian Medical Association Journal indicated that those searches lined up with the peak of the outbreak while the public announcement came while new cases were on the decline.
The analysis of aggregated search trends has been proposed as a means to fight pandemics and outbreaks of illnesses. However, even those proposing this analysis have admitted this type of analysis is complicated because it is difficult to know who is searching and why. In the Government of Canada’s News Release on April 26, 2009, a short privacy policy was cited stating that although Service Canada does not normally use cookies, if you have cookie notifications set on your browser, you would be notified. However, earlier this month, the same site indicated that the Pandemic Influenza Portal did not normally use cookies to track visitors to the site and that the system would notify you before any cookies were used so you could refuse them with no reference to what your computer settings were.
This change is a minor one but it may possibly be an indication of the small bits of privacy that Canadians will be expected to give up during these times of concern.
The Government of Canada announced today the introduction of anti-spam legislation called the Electronic Commerce Protection Act(“ECPA”) that “aims to boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware.”
According to the government’s News Release, the ECPA would allow businesses and individuals to initiate civil actions against anyone who violates the law. The ECPA deals with unsolicited text messages, or “cellphone spam”, as a form of “unsolicited commercial electronic message”.
It would establish a regulatory enforcement regime that would enable the CRTC to impose penalties of up to $1 million for individuals and $10 million in all other cases. The Competition Bureau would use a penalty regime already provided for in the Competition Act, and the federal Privacy Commissioner‘s powers to cooperate and exchange information with her counterparts would be expanded in respect of the Personal Information Protection and Electronic Documents Act.
The ECPA is nearly 70 pages long. Stay tuned to this blog. As soon as I’ve been able to digest the content I’ll post again on how the ECPA is likely going to affect Canadian businesses, especially those enaged in online marketing.
The Lawyers Weekly (a national newspaper for the Canadian legal profession) recently approached me to publish an article for their “Focus on Information Technology” section of the newspaper. The request gave me pause to think about the impact on Canadians’ privacy of recent technological advances such as e-mail, instant messaging, online forums, blogs and social networking websites (such as Facebook and Twitter). Upon reflection, I concluded that these technological advances are the driving force for what I argue are increasing calls for a “third wave” of privacy laws.
The “first wave” of privacy laws (such as the federal Privacy Act) were introduced decades ago to protect the privacy of individuals in respect of public sector government bodies. The “second wave” of privacy laws (such as PIPEDA) were introduced more recently to protect the privacy of individuals in respect of private sector businesses. Arguably, the only missing link in this chain of privacy protection, and what could be the focus of a “third wave” of privacy laws, is protecting individuals from violations of privacy by other individuals in the non-commercial sphere. My goal with the article was not to promote a “third wave” of privacy laws, but rather to engage Canadians in a debate about whether such laws are required.
I also encourage you to share your thoughts on whether – in the era of Facebook and Twitter – the status quo is sufficient or whether a “third wave” of privacy laws are needed.
Another day, another development in the Google Street View story. Canada’s Privacy Commissioner and several provincial privacy commissioners have commented on street level imaging technology by releasing a timely Fact Sheet on the related privacy issues.
The commissioners point out that ”a common misconception is that a company doesn’t need your permission to take your photograph in a public place. In fact, one of your key protections under Canadian privacy law is that you should know when your picture is being taken for commercial reasons, and what your image will be used for. Your consent is also needed.”
The Winnipeg Free Press is also running an excellent story in today’s newspaper, which highlights some of the broader issues related to Google Street View. Arthur Schafer, a professor at the University of Manitoba and director of the Centre for Professional and Applied Ethics, comments in the story about the related ethical issues while I comment in the story about the related legal issues.
The looming battle between privacy advocates and Google Street View could have implications beyond Google and its Canadian-based service providers, who are currently taking detailed photos of Canadian cities. I’m quoted in today’s Winnipeg Sun article on this issue, where I argue that the implications of the Google Street View battle could extend to how Canadian privacy laws are interpreted and enforced.
If you’re not ramped up on Google Street View, you may want to read the Wikipedia description, which does a good job of explaining the Google service. David Fraser also has an illustrative blog post, which highlights the remaining privacy issues despite Google’s efforts to blur faces and licence plates.
Despite the fact that Google’s Canadian-based service providers are taking pictures in public places, Canadian privacy laws generally require the consent of individuals for the collection of their personal information. In fact, the first ever Case Summary under PIPEDA dealt with video surveillance activities in public places. In the Case Summary, the former Privacy Commissioner advised the company being investigated that its intended public video surveillance for commercial purposes was unlawful and should not be pursued. More recently, and on point, Canada’s Privacy Commissioner, Jennifer Stoddart, has sent a letter to Google outlining the concerns about Google Street View from a Canadian privacy law perspective.
As you know, instant messaging, text messaging, blog postings, online chat forums and social networking websites (such as Facebook and MySpace) have changed the way in which people communicate. Regrettably, however, many of these new communications tools (in particular, online forums and social networking websites) are being used to defame not only individuals, but businesses as well. It should not be forgotten that businesses can be defamed.
In general, the defamation (written and spoken) of a business occurs when a party lowers the reputation of a business in the estimation of other members of society or an industry. Since a business doesn’t have “feelings”, defamation cases related to businesses focus on the damage to a business’ reputation or goodwill due to the comments of another party. The following court cases are worth checking out, both of which confirm that a business can be defamed and, as a result, is entitled to receive monetary compensation.
In Barrick Gold v. Lopehandia, the defendant was found liable for a massive online defamation campaign initiated by the defendant against the plaintiff. The defendant had posted comments on gold and mineral investor related online forums defaming the plaintiff. The Ontario Court of Appeal noted that Internet defamation is different than traditional written forms of defamation since online defamation, or “cyber libel”, is often taken at face value, and is capable of instantly reaching an unlimited number of persons around the globe. The plaintiff corporation was awarded $75,000 in general damages for damage to its reputation and goodwill, $50,000 in punitive damages, and a permanent injunction to prevent further postings.
In WeGo Kayaking Ltd. et al v. Sewid, the British Columbia Supreme Court awarded $250,000 in general damages to the plaintiff corporation in relation to “review” comments posted online that incorrectly and intentionally classified the plaintiff as a “bad” tour company.
Defamation doesn’t just happen to individuals. These cases serve as a reminder to businesses that they are capable of being defamed and, as a result, should diligently protect their online reputations.
In terms of privacy, as with many other things, each step forward seems to come with a catch that makes the step forward a little smaller than one would hope. Google, in response to demands from privacy advocates and users, has taken a progressive step forward and created a means for users of Google to opt out of their targeted advertising by allowing a user to access Google Ad Preferences to change settings or to opt out completely.
At the same time, Google has announced plans to launch a new type of targeted advertising. Currently, when an Internet user visits a webpage with Google Adsense, Google will store cookies on a user’s computer and remember their interests from previous searches. The example used by Google is that if you have an interest in gardening, you may be shown gardening ads along with those related to the site you are visiting.
While Google’s addition of its Ad Preferences program is encouraging for privacy advocates, it does come in the wake of an entirely new and -according to privacy advocates – more invasive means of targeting ads at users. As part of this new initiative, Google has asked all Google Adsense publishers to update their privacy policies to notify users of their site of the fact that interest-based advertising will be displayed.
The Privacy Commissioner once noted that although PIPEDA (and other privacy legislation) imposes obligations on organizations to take appropriate measures in protecting personal information, sometimes the more important role of privacy legislation is to help people shape their view of privacy.
By revising their privacy policies, businesses will be taking steps to comply with applicable privacy laws; but whether these steps are enough to address the expectations of their customers regarding privacy is a matter to be best considered by each business. In the meantime, if a business using Adsense has any questions about this change or requires any assistance in updating their Privacy Policy, I would encourage you to contact me to discuss.
Do you ever wish you were Jack Bauer from the TV show 24? Here’s your chance!
There are a growing number of articles that are highlighting the threat of “cyber-terrorism”. It’s a scary topic that is surely consuming the time of government technology infrastructure professionals in the U.S. and Canada.Some of these articles discuss the remote possibility that terrorists may perpetrate cyber-attacks against critical online government and corporate infrastructure.Other articles discuss the very real possibility that terrorists may simply use the Internet (and the information contained online) to plan attacks in the real world. Don Cavender, a special agent and instructor with the FBI’s Computer Training Unit at Quantico, Virginia, is quoted in an excellent ZDNet article and says that “the worry right now is not so much a cyberterrorism event…but when the terrorists use the Internet to facilitate the planning of these attacks.”
We all know that the Internet is filling up with vast amounts of data including people’s personal information, as well as corporate and government data.The lesson that I take from all of these “cyber-terrorism” related articles is that businesses should make sure that they are working with technology professionals to secure their databases and limit the amount of personal information and corporate data available online.Of course, there are many reasons for businesses to secure their databases and to limit what information is available online.For example, privacy laws such as Canada’s PIPEDA regulate the safeguarding of personal information.And, there are good business reasons to limit the availability of proprietary corporate data online.But, if you ever wished you were Jack Bauer, then here’s your chance to fight terrorism…one corporate move at a time.
Last week’s headlines regarding Facebook (see post below) really seemed to raise the awareness of Facebook users about its Terms of Use. The troubling reality that many Facebook users haven’t read its Terms of Use illustrates the all too common practice of website users not reading the Terms of Use of websites they visit.
Website Terms of Use are important to read, especially if you’re then going to post information on or through the website. If you’re a Facebook user, read its Terms of Use to determine if you actually agree to them. If not, you may want to reconsider continuing to be a Facebook user or you may want to simply refrain from posting content that you don’t want to fall under the scope of its Terms of Use.
If your business has a website, check to see if it has a comprehensive Terms of Use document that’s been customized accordingly. Terms of Use are vital documents for websites because they set out the ground rules regarding – among other things – the ownership of content, licence rights, use of the website by minors, user submissions/postings and intellectual property rights. They are intended to serve as legally binding contracts between website operators and users, so they’re pretty important!
Facebook may have suffered a public relations setback last week, but for a commercial enterprise it was on the right path when it reviewed and tried to customize its Terms of Use to meet its business objectives. All businesses that have websites should review and, if necessary, modify their Terms of Use on a regular basis.
Are you new to social media? If so, you probably feel like people are talking in a whole different language. Blogs, wikis, RSS, Twitter – this is English? Or is it Venusian?
After mentioning to a few colleagues that I’d like them to subscribe to this blog using RSS, I realized that I was probably talking to them in “Venusian”. So for all the newbies, here’s a brief explanation of RSS.
RSS stands for “really simple syndication” (or “rich site summary”, depending on which explanation you read). It’s a method of alerting the subscriber to new content. Instead of receiving an email when there’s a new post on a blog, you check your feed reader.
Now, I can hear some people thinking, why would I want to check another site when I’m checking my email a couple of times a day? To that, I say, how much email do you receive? How many newsletters that you get by email do you actually read? The beauty of RSS technology is it lets you do your reading when you’re ready to do it.
As I mentioned, there is one more step you have to take, and that is to set up a feed reader. Fortunately, at least two browsers (IE7 and Firefox) offer built-in readers. Select the “Subscribe via RSS” button
and follow the directions.
If that still doesn’t make sense, here’s what Wikipedia says. For those of you who like a visual explanation, check out RSS in Plain English from the folks at the Common Craft store. I’m now subscribing to other blogs using RSS. If RSS isn’t your thing, you can always subscribe to this blog by e-mail. RSS or e-mail subscription options are provided on the right hand side of the page – I hope you subscribe!
After several days of intense media scrutiny, Facebook has backed down on controversial changes to its Terms of Service (TOS). Both CTV Winnipeg and the Winnipeg Free Press asked me to comment on this timely story, which provides a lesson for other businesses that operate websites to be mindful that TOS (and privacy policies) must be able to withstand legal scrutiny but also user expectations.
My November 5, 2008 column in the Winnipeg Free Press provides some tips on how to be a savvy online shopper and the benefits to online retailers of having sercure websites and comprehensive online privacy policies.
My July 2, 2008 column in the Winnipeg Free Press announces the Privacy Commission of Canada’s new youth privacy site, My Privacy. This is a great site for both parents and their children to view, to help youthful Internet users to be aware of the dangers of ignoring privacy settings as they’re filling out personal information on sites like Facebook and MySpace.
My April 4, 2005 column in the Winnipeg Free Press details the more imaginative ways thieves have come up with to take over your identity and your life.
My March 7, 2005 column in the Winnipeg Free Press discusses the legal right of employers to monitor their employees’ email and internet surfing habits.
This blog provides practical assistance to Canadian businesses so they can better deal with issues related to privacy, access to information, online reputation management, intellectual property and technology legal matters. I hope you subscribe to this blog via RSS (below) or via e-mail (below) so that you can receive timely updates to new posts. Thanks, Brian
This blog is presented for informational purposes only. Content does not constitute legal advice or solicitation and does not create solicitor-client relationship. Views expressed are solely the author's and should not be attributed to any other party, including Pitblado LLP or its clients. The author makes no guarantees regarding the accuracy or adequacy of the information contained herein or linked to via this blog. The author is not able to provide free legal advice. If you are seeking advice on specific matters, please contact Brian Bowman at (204) 956.3520 or bowman@pitblado.com, but please be aware that any unsolicited information sent to the author cannot be considered to be solicitor-client privileged. Comments published on this blog do not reflect the views of Brian Bowman, Pitblado LLP or its clients.
Have you ever wondered if an electronic document like an e-mail or a scanned image can be used instead of a paper document to meet a legal requirement? How about using an electronic signature as opposed to a written signature?
Posted by Brian Bowman 
I’d like to dispel a misconception about 
The number of cases involving Internet defamation seem to be growing every day. So too, are the number of related issues that businesses need to consider in relation to online activities. Case in point is the recent British Columbia Court of Appeal decision of 
The Federal Government’s recent initiative to modernize law enforcement related legislation for the Internet age has (at least within law enforcement and privacy circles) once again propelled the issue of privacy vs. security to the forefront. The issues are incredibly important for Canadians, yet there has been little debate within the wider public. That being said, I’m pleased to read Ian MacLeod’s recent Ottawa Citizen 
A widely reported and controversial issue these days relates the identification of anonymous bloggers (I’ve commented on this issue in previous 
BBC News
The Lawyers Weekly
Peruse through your Inbox and look at the e-mails you have received this week. No doubt there will be a few that include legal notices at the bottom of messages warning you of the confidential nature of the correspondence and stressing that if you are not the intended addressee that you are to return the e-mail to the sender… immediately! These automatically generated e-mail disclaimers have become standard business practice. They have become so commonplace it begs the question: are e-mail disclaimers legally enforceable?
The 
Earlier this year, the 
Are you a parent with children who use the Internet? Do your children have a better understanding of this new and constantly changing technology? Have your children ever texted “fts” or told you to “bma” in an online message ? I sure hope not!
Over the past couple of years, the world has been preparing for a 
The 
The Lawyers Weekly
Another day, another development in the 
The looming battle between privacy advocates and 
As you know, instant messaging, text messaging, blog postings, online chat forums and social networking websites (such as 
In terms of privacy, as with many other things, each step forward seems to come with a catch that makes the step forward a little smaller than one would hope. 
Do you ever wish you were 
Last week’s 
Are you new to social media? If so, you probably feel like people are talking in a whole different language. Blogs, wikis, RSS, Twitter – this is English? Or is it 
and follow the directions.
After several days of intense media scrutiny, 
Online shopping a risky transaction: Protect yourself from identity thieves
New push to educate on online privacy: Youth can get info on important website
ID thieves steal your money the modern way … they dumpster-dive, “phish” online to get your info
Is your employer monitoring your Net use?
Copyright Act changes both right and wrong
