• A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
• Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.
• For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
• Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
• People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
• A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
• EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
• Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
• A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.

The proposals will be passed on to the European Parliament and EU Member States for discussion. They will take effect two years after they have been adopted.

The Court gave lucid and compelling reasons for recognizing the cause action. According to the Court:

The case law, while certainly far from conclusive, supports the existence of such a cause of action. Privacy has long been recognized as an important underlying and animating value of various traditional causes of action to protect personal and territorial privacy. Charter jurisprudence recognizes privacy as a fundamental value in our law and specifically identifies, as worthy of protection, a right to informational privacy that is distinct from personal and territorial privacy. The right to informational privacy closely tracks the same interest that would be protected by a cause of action for intrusion upon seclusion. Many legal scholars and writers who have considered the issue support recognition of a right of action for breach of privacy: see e.g. P. Winfield, “Privacy” (1931), 47 L.Q.R. 23; D. Gibson, “Common Law Protection of Privacy: What to do Until the Legislators Arrive” in Lewis Klar (ed.), Studies in Canadian Tort Law (Toronto: Butterworths, 1977) 343; Robyn M. Ryan Bell, “Tort of Invasion of Privacy – Has its Time Finally Come?” in Todd Archibald & Michael Cochrane, Annual Review of Civil Litigation (Toronto: Thomson Carswell, 2005) 225; Peter Burns, “The Law and Privacy: the Canadian Experience” (1976), 54 Can. Bar Rev. 1; John D.R. Craig, “Invasion of Privacy and Charter Values: The Common Law Tort Awakens” (1997), 52 McGill L.J. 355.

For over one hundred years, technological change has motivated the legal protection of the individual’s right to privacy. In modern times, the pace of technological change has accelerated exponentially. Legal scholars such as Peter Burns have written of “the pressing need to preserve ‘privacy’ which is being threatened by science and technology to the point of surrender”: “The Law and Privacy: the Canadian Experience” at p. 1. See also Alan Westin, Privacy and Freedom (New York: Atheneum, 1967). The internet and digital technology have brought an enormous change in the way we communicate and in our capacity to capture, store and retrieve information. As the facts of this case indicate, routinely kept electronic data bases render our most personal financial information vulnerable. Sensitive information as to our health is similarly available, as are records of the books we have borrowed or bought, the movies we have rented or downloaded, where we have shopped, where we have travelled, and the nature of our communications by cell phone, e-mail or text message.

It is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form. Technological change poses a novel threat to a right of privacy that has been protected for hundreds of years by the common law under various guises and that, since 1982 and the Charter, has been recognized as a right that is integral to our social and political order.

Finally, and most importantly, we are presented in this case with facts that cry out for a remedy. While Tsige is apologetic and contrite, her actions were deliberate, prolonged and shocking. Any person in Jones’ position would be profoundly disturbed by the significant intrusion into her highly personal information. The discipline administered by Tsige’s employer was governed by the principles of employment law and the interests of the employer and did not respond directly to the wrong that had been done to Jones. In my view, the law of this province would be sadly deficient if we were required to send Jones away without a legal remedy.

The Court accepted that the essential elements of the tort of intrusion upon seclusion were as described the Restatement (Second) of Torts (2010):  

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.

According to the Court, the key features of the cause of action are:

• first, that the defendant’s conduct must be intentional, which would include reckless;
• second that the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and
• third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.

However, proof of harm to a recognized economic interest is not an element of the cause of action.

The Court stressed the limitations of the cause of action as follows:

These elements make it clear that recognizing this cause of action will not open the floodgates. A claim for intrusion upon seclusion will arise only for deliberate and significant invasions of personal privacy. Claims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive.

Finally, claims for the protection of privacy may give rise to competing claims. Foremost are claims for the protection of freedom of expression and freedom of the press. As we are not confronted with such a competing claim here, I need not consider the issue in detail. Suffice it to say, no right to privacy can be absolute and many claims for the protection of privacy will have to be reconciled with, and even yield to, such competing claims. A useful analogy may be found in the Supreme Court of Canada’s elaboration of the common law of defamation in Grant v. Torstar where the court held, at para. 65, that “[w]hen proper weight is given to the constitutional value of free expression on matters of public interest, the balance tips in favour of broadening the defences available to those who communicate facts it is in the public’s interest to know.” 

The Court noted that in the US the general right to privacy embraces four distinct torts. These are: intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; public disclosure of embarrassing private facts about the plaintiff; publicity which places the plaintiff in a false light in the public eye; and appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness. It also noted that each of these torts has its own considerations and rules, and that confusion may result from a failure to maintain appropriate analytic distinctions between the categories. Accordingly, while the Court did not rule out the possibility that all of the other torts existed, it limited it reasons only to the tort of intrusion upon seclusion.

The slides include a summary of the following cases and statutory materials:

Privacy:

Cite Cards Canada Inc. v. Pleasance, 2011 ONCA 3

Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner), 2011 ABCA 94

State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada, 2010 FC 736

Nammo v. TransUnion of Canada Inc., 2010 FC 1284

Randall v. Nubodys Fitness Centres, 2010 FC 681

Stevens v. SNF Maritime Metal Inc., 2010 FC 1137

Vancouver (City) v Ward, 2010 SCC 27

Hannaford Bros. Co. Customer Data Security Breach Litigation 4 A.3d 492 (Sup, Ct. Me. 2010)

Paul v Providence Health System 240 P.3d 1110 (2010)

Doe 1 v. AOL LLC 719 F.Supp.2d 1102 (N.D.Cal. 2010)

LaCourt v. Specific Media, Inc. 2011 WL 1661532 (C.D.Cal. Apr. 28, 2011)

Claridge v. RockYou, Inc.  2011 WL 1361588 (N.D.cal. Apr. 11, 2011)

Jones v. Tsige, 2011 ONSC 1475

CTB v. News Group Newspapers Ltd & Anor [2011] EWHC 1326 (QB)

City of Ontario, Cal. v. Quon, 130 S. Ct. 2619

R. v. Cole, 2011 ONCA 218

U.S. v. Warshak 631 F.3d 266 (6th Cir. 2010)

FCC v. AT&T INC., 562 US__ (2011)

Holmes v. Petrovich Development Co. 191 Cal. App. 4th 1047

Bigstone v. St. Pierre, 2011 SKCA 34

Mosley v. UK (EU Ct. Human Rights) (10 May 2011)

Sparks v. Dubé, 2011 NBQB 40

Warman v. Wilkins-Fournier, 2011 ONSC 3023

Contracts and Electronic Agreements:

Seidel v. TELUS Communications Inc., 2011 SCC 15

AT&T Mobility LLC v. Conception, 2011 WL 1561956 (U.S. Sup. Ct. 2011)

Evans v. Linden Research, Inc., 2011 WL 339212 (E.D.Pa. 2011)

St-Arnaud v. Facebook Inc., 2011 QCCS 1506

Grosvenor v. Qwest Communications Intern., Inc., 2010 WL 3906253 (D. Colo. 2010)

Hoffman v. Supplements Togo Management, LLC, 2011 WL 1885675 (N.J.Super.A.D. 2011)

Roling v. E*Trade Securities, LLC, 756 F. Supp. 2d 1179 (N.D. Cal. 2010)

Patco Const. Co., Inc. v. People’s United Bank, 2011 WL 2174507 (D.Me. May 27, 2011)

Harold H. Huggins Realty, Inc. v. FNC, Inc., 575 F.Supp. 2d 696, 708 (D.Md. 2008) 

U.S. v. Nosal 2011 WL 1585600 (9th. Cir. Apr 28, 2011)

United Stats v. Rodriguez, 628 F. 3d 1258, (11th Cir. 2010)

Facebook, Inc. v. Power Ventures, Inc. 2010 WL 3291750 (N.D.cal.2010)

Naldi v. Grunberg, 908 N.Y.S.2d 639 (N.Y.A.D. 2010)

Golden Ocean Group Ltd. v Salgaocar Mining Industries PVT Ltd. & Anor [2011] EWHC 56 (Comm) (21 January 2011) 

Barwick v. Government Employee Ins. Co., Inc. 2011 Ark. 128 (Sup. Ct. Ark. 2011)

Distinct Fortune Ltd. v. Hyndland Investment Co. Ltd. [2010] HKEC 2013

Yazdani v. Canada (Citizenship and Immigration), 2010 FC 885

Contract and License Issues:

De Beers UK Ltd. v. Atos Origin It Services UK Ltd. [2010] EWHC 3276 (16 December 2010) 

Vernor v. Autodesk, Inc. 621 F.3d 1102 (9th Cir. 2010)

MDY Industries, LLC v Blizzard Entertainment, Inc. 2010 WL 5141269 (9th.Cir. 2010)

London Borough of Southwark v. IBM UK Ltd. [2011] EWHC 549 (17 March 2011) 

Agence France Presse v. Morel, 2011 WL 147718 (S.D.N.Y.2011)

Baidu, Inc. v. Register.com, Inc., 2010 WL 2900313 (S.D.N.Y.2010)

Facebook, Inc. v. Pacific NorthWest Software, Inc., 2011 WL 1843509 (9th Cir. 2011)

Patents and Trade-marks

Amazon.com, Inc. v. Attonrey General of Canada, 2010 FC 1011

Microsoft Crop. V I4I Limited Partnership 564 U.S. __ (2011)

Global-Tech Appliances, Inc. v. SEB S.A., 563 U.S. __ (2011)

Board of Trustees of Leland Stanford Junior University v. Roche Molecular Systems, Inc., 563 U.S. ___(2011)

Rosetta Stone Ltd. v. Google Inc., 730 F. Supp. 2d 531 (E.D. Vir. 2010)

Jurin v Google Inc., 2011 WL 572300 (E.D.Cal.2011)

Private Career Training Institutions Agency v. Vancouver Career College (Burnaby) Inc., 2010 BCSC 765 

Network Automation Inc. v Advanced Systems Concepts Inc, 638 F.3d 1137 (9th.Cir.2011)

Microsoft Corp. v. Shah, 2011 WL 108954 (W.D.Wash. 2011)

Masterpiece Inc. v. Alavida Lifestyles Inc., 2011 SCC 27

Copyright:

Sirius Canada Inc. v. CMRRA/SODRAC, 2010 FCA 348

Harmony Consulting Ltd. v. G.A. Foss Transport Ltd., 2011 FC 340

Telstra Corporation Limited v. Phone Directories Company Pty Ltd. [2010] FCAFC 149 (15 December 2010)

Acohs Pty Ltd. v. Ucorp Pty Ltd. [2010] FCA 577 (10 June 2010)

Roadshow Films Pty Ltd. v  iiNet Limited, [2011] FCAFC 23

REFERENCE for a preliminary ruling from the Nejvyšší správní soud (Czech Republic) ECJ 22 December, 2010

SAS Institute Inc. v. World Programming Ltd. [2010] EWHC 1829 (Ch) (23 July 2010) 

SAS Institute Inc v World Programming Ltd [2010] EWHC 3012 (Ch) (22 November 2010) 

The Newspaper Licensing Agency Ltd. v. Meltwater Holding BV [2010] EWHC 3099 (Ch) (26 November 2010) 

La société Des Auteurs des Arts Visuels et de L’image Fixe Visual Auteurs (SAIF) v. Google France  S.A.R.L. and Google Inc., Paris Court of Appeal, Jan. 26, 2011

Google v Copiepresse et al, Brussels Court of Appeal (9th Chamber) May 5, 2011

Media C.A.T. Ltd. v. A [2010] EWPCC 17 (01 December 2010) 

The Authors Guild et al v. Google Inc.  2011 WL 986049 (S.D.N.Y. 2011)

US v. ASCAP, 2010 WL 3749292 (2nd. Cir. Sept. 28, 2010)

Kernal Records Oy v. Mosley,  2011 WL 2223422 (S.D.Fla. Jun. 7, 2011)

Seng-Tiong Ho v. Taflove, 2011 WL 2175878 (7th.Cir, 2011)

The declaration on the Internet made the link between the Internet and innovation as follows:

For business, the Internet has become an essential and irreplaceable tool for the conduct of commerce and development of relations with consumers. The Internet is a driver of innovation, improves efficiency, and thus contributes to growth and employment…

The Internet has become a major driver for the global economy, its growth and innovation…

Their implementation must be included in a broader framework: that of respect for the rule of law, human rights and fundamental freedoms, the protection of intellectual property rights, which inspire life in every democratic society for the benefit of all citizens. We strongly believe that freedom and security, transparency and respect for confidentiality, as well as the exercise of individual rights and responsibility have to be achieved simultaneously. Both the framework and principles must receive the same protection, with the same guarantees, on the Internet as everywhere else…

The Internet and its future development, fostered by private sector initiatives and investments, require a favourable, transparent, stable and predictable environment, based on the framework and principles referred to above. In this respect, action from all governments is needed through national policies, but also through the promotion of international cooperation…

The leaders recognized the importance of framework laws and means for enforcing intellectual property laws on the Internet.

With regard to the protection of intellectual property, in particular copyright, trademarks, trade secrets and patents, we recognize the need to have national laws and frameworks for improved enforcement. We are thus renewing our commitment to ensuring effective action against violations of intellectual property rights in the digital arena, including action that addresses present and future infringements. We recognize that the effective implementation of intellectual property rules requires suitable international cooperation of relevant stakeholders, including with the private sector. We are committed to identifying ways of facilitating greater access and openness to knowledge, education and culture, including by encouraging continued innovation in legal on line trade in goods and content, that are respectful of intellectual property rights.

The leaders also gave special recognition of the need for protecting privacy in the Internet context using common approaches.

The effective protection of personal data and individual privacy on the Internet is essential to earn users’ trust. It is a matter for all stakeholders: the users who need to be better aware of their responsibility when placing personal data on the Internet, the service providers who store and process this data, and governments and regulators who must ensure the effectiveness of this protection. We encourage the development of common approaches taking into account national legal frameworks, based on fundamental rights and that protect personal data, whilst allowing the legal transfer of data.

The leaders acknowledged the importance of addressing key concerns of all G8 nations for protecting the security of networks against the ever growing criminal and terrorist threats.

The security of networks and services on the Internet is a multi-stakeholder issue. It requires coordination between governments, regional and international organizations, the private sector, civil society and the G8’s own work in the Roma-Lyon group, to prevent, deter and punish the use of ICTs for terrorist and criminal purposes. Special attention must be paid to all forms of attacks against the integrity of infrastructure, networks and services, including attacks caused by the proliferation of malware and the activities of botnets through the Internet. In this regard, we recognize that promoting users’ awareness is of crucial importance and that enhanced international cooperation is needed in order to protect critical resources, ICTs and other related infrastructure. The fact that the Internet can potentially be used for purposes that are inconsistent with the objectives of peace and security, and may adversely affect the integrity of critical systems, remains a matter of concern. Governments have a role to play, informed by a full range of stakeholders, in helping to develop norms of behaviour and common approaches in the use of cyberspace. On all these issues, we are determined to provide the appropriate follow-up in all relevant fora.

The leaders also focused on the importance of innovation in the knowledge economy. The declaration highlighted the importance of having strong and robust intellectual property systems as a catalyst to innovation.

We agree on the necessity of a level playing field in the innovation area, including a strong and robust intellectual property system as an incentive to innovation and a catalyst for growth. We acknowledge the important role of the World Intellectual Property Organization (WIPO) in developing a broad approach to intellectual property in support of business friendly, robust and efficient national intellectual property systems. Renewing our support to the principles of the patent system, we attach great importance to its promotion and development. We encourage increased international action to strengthen patent quality, and call for improved diffusion of patent information, particularly critical for SMEs and research centres. We support transparency in technology markets and call for the improvement of market places for trading rights. We invite WIPO, in close cooperation with Member States and other relevant entities, to intensify its work in these three areas. In addition we note the importance of enforcement in order to incentivise innovation and protect innovation once developed.

Indeed, there was much satisfaction when Canada’s anti-SPAM law, also known as FISA[2], was given royal assent on December 15, 2011.  After a lengthy and thorough review process, including consultations and Parliamentary reviews, Canadians could look forward to the toughest anti-SPAM law in the world just as soon as the regulations were finalized, which is expected this summer.

With FISA passed into law, and expected to come into force by the end of 2011, Canadian businesses started preparing for a new SPAM-reduced world. They began to scrutinize their use of emails, SMS and social network communication with existing and prospective customers. They looked at the language for obtaining consent from these customers, and for allowing them to unsubscribe. They reviewed the conditions for those customers that may have given implied consent. All of this scrutiny was expected.

Businesses also began to look closely at regulatory aspects of FISA. They began to appreciate the severe penalties for violating FISA, and thus the risks of failing to fully comply with the new requirements. Their interest in compliance increased further. And this too was expected.

But a funny thing happened on the way to the SPAM-free utopia.  It began to dawn on some that FISA imposes very significant costs, not just on individual Canadian businesses, but also on the Canadian economy as a whole. These are costs that Canadians will uniquely bear because FISA is the toughest anti-SPAM law in the world.  And while everyone understood that implementing FISA would not be cost-free, questions began to be asked about the balance of costs and benefits from complying with FISA.

During the past months, as we have helped numerous Canadian businesses understand FISA and its impact on their operations.  In doing so, we have come to recognize that stakeholders did not fully appreciate just how costly this law would become for Canada or the dangers it poses to the Canadian economy.  We acknowledge that FISA was thoroughly reviewed before it was passed into law.  However, we have also come to recognize that rather than promoting the “efficiency and adaptability of the Canadian economy”, as formally stated in FISA’s official title, it may well achieve the opposite result.

In this commentary we will describe some of the challenges presented by FISA.  We will focus on the anti-SPAM provisions, and leave for another day the anti-spyware and other provisions of FISA.

In summary, we have identified the following problems that need to be addressed before FISA’s regulations are finalized and the law is proclaimed into force:

1)      FISA will impede start-up businesses from launching in Canada.

2)      FISA will impede Canadian businesses from developing new marketing models over the Internet.

3)      FISA will deter suppliers of service providers, including outsourcing and cloud service providers, from operating with or maintaining facilities in Canada.

4)      FISA will deter foreign businesses from offering their products to Canadians via the Internet, mobile and other communications networks.

5)      FISA will impose costs and restrictions on Canadian businesses that their competitors outside Canada will not have to bear.

6)      FISA contains very strong incentives for Canadian businesses to confess wrong-doing, even in cases of questionable or trivial conduct, thereby tarnishing the reputation of legitimate businesses in circumstances where the offending conduct is not significant.

7)      FISA will chill legitimate commercial speech and thereby undermine fundamental values protected by the Charter of Rights and Freedoms.

Our analysis starts with a brief background introduction to FISA.  We then move on to discuss the problems we have observed.

Overview of FISA’s anti-SPAM provisions

The anti-SPAM and related provisions of FISA have their genesis in a 2005 federal government Task Force report: Stopping Spam: Creating a Stronger, Safer Internet.[3] The report included a range of recommendations to fight SPAM including more rigorous law enforcement, public education, policy development and legislation. Importantly, the Task Force made recommendations that formed the structure that eventually became FISA including:

• Commercial email sent without prior consent — or that is deceptive, fraudulent or malicious — is SPAM and should be prohibited.
• Failure to abide by an opt-in regime for sending unsolicited commercial email should be made an offence in a stand-alone, technology-neutral SPAM statute.
• The use of false or misleading headers or subject lines designed to disguise the origins, purpose or contents of an email should be made an offence. This should be the case whether the objective is to mislead recipients or to evade technological filters.
• The new offences created should be civil and strict-liability offences, with criminal liability open for more egregious or repeated offences. There should be meaningful statutory penalties for all offences outlined above.
• There should be an appropriate private right of action available to persons, both individuals and corporations. There should be meaningful statutory damages available to persons who successfully bring civil action.

The Task Force recommendations, which by and large were carried over into FISA, were not just ambitious. They cast a wider net than legislation anywhere else in the world. For example, the U.S. CAN-SPAM Act of 2003[4] prohibits e-mails that are sent in violation of an individual’s opt-out request, or that are fraudulent, false or misleading. The EU Directive 2002/58/EC on privacy and electronic communications targets sending e-mail for the purposes of direct marketing to individuals. The Australia Spam Act 2003[5] and the New Zealand Unsolicited Electronic Messages Act 2007[6], after which FISA’s provisions are most closely modelled (but with significant changes which make FISA more encompassing and more difficult to comply with), prohibit sending certain commercial electronic messages without the express or inferred consent of the recipient.

In contrast to the narrower approach of these other countries, FISA prohibits sending (or causing or permitting to be sent) any commercial electronic message to any electronic address unless express consent is given by the recipient, or certain specific exclusions apply.[7]

The exclusions are limited, and encompass the following: (1) some categories of electronic message are excluded completely; (2) some categories are excluded from the consent requirements, but they must still comply with certain formalities (for example, contain an unsubscribe mechanism); and (3) very similar to (2), some categories are deemed to have implied consent, although they must also comply with the formalities.

The totally excluded categories are: commercial electronic messages to an individual with whom the person stands in a personal or family relationship as defined in regulations; an inquiry or application to a person engaged in commercial activity; or messages of a class defined in regulations.[8] There is a further exception for telecommunications service providers (TSPs) in their role as carriers.[9] Messages related to law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada are excluded because they are deemed not to be part of a commercial activity.[10]

Then, there are categories of commercial electronic messages which do not require consent, but for which the prescribed formalities still apply, namely commercial electronic messages that solely involve the following: (a) provide a quote in response to a request; (b) are in furtherance of previously agreed to transactions; (c) provide warranty, safety, security, product recall information; (d) provide factual information about a purchase; (e) provide information about an employment or benefits plan; (f) deliver a product, service or upgrade; or (g) other exceptions specified in a regulation.[11]

The categories of commercial electronic messages for which there is deemed to be implied consent (and to which the prescribed formalities still apply) are limited to the following exclusive circumstances:

• There is “an existing business relationship” as this term is defined. In summary, this is a relationship arising from a purchase or barter within 2 years; acceptance of a business, investment or gaming opportunity with last 2 years; or is related to a contract until 2 years after expiry; or any inquiry or application within 6 months.[12]
• There is an “existing non-business relationship” as this term is defined. In summary, this is a relationship arising from a donation or gift; volunteer work performed for a registered charity; or membership, within a 2 year window.[13]
• The person to whom the message is sent has “conspicuously published”, or has caused to have published, an electronic address without a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address and the message is relevant to the person’s business, role, functions or duties in a business or official capacity.[14]
• The person to whom the message is sent has disclosed, to the person who sends the message, an electronic address without indicating a wish not to receive unsolicited commercial electronic messages, and the message is relevant to the person’s business, role, functions or duties in a business or official capacity.[15]
• The message is sent in the circumstances set out in the regulations.[16]

Commercial electronic messages that do not fall into one or more of the above exclusions cannot be sent except with the express consent of the recipient. Obtaining consent has its own requirements. When requesting consent, the sender must set out clearly and simply: (a) the purpose or purposes for which the consent is being sought; (b) information prescribed in regulations that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, information prescribed in regulations that identifies that other person; and (c) any other prescribed information.[17] Sending a message to obtain consent is deemed to be a commercial electronic message.[18] As such, contacting a recipient to ask if the sender can send a commercial electronic message is itself SPAM (unless some exclusion applies).

Moreover, each commercial electronic message that is transmitted by a sender must abide by certain formalities which require the sender to: (a) set out prescribed information that identifies the person who sent the message and, if different, on whose behalf it is sent; (b) set out information enabling the person to whom the message is sent to readily contact the sender (the contact information must be valid for 60 days); and (c) set out the prescribed unsubscribe mechanism.[19]

The unsubscribe mechanism must (a) enable the recipient to indicate, at no cost to them, the wish to no longer receive any messages, or any specified class of such messages, from the sender, using (i) the same electronic means by which the message was sent, or (ii) if using those means is not practicable, any other electronic means that will enable the person to indicate the wish; and (b) specify an electronic address, or link to a page on the World Wide Web that can be accessed through a web browser, to which the indication may be sent.[20]

Having described the key elements of FISA, we will now describe some of the problems that we have encountered as Canadian businesses grapple with its implementation.

FISA Impedes Start-up Companies

Unlike established companies, start-up companies do not have a ready list of electronic contacts they can approach to market their products. Rather, they will develop emailing lists from a variety of sources and use them to launch their products. For example, a newly graduated financial advisor may look up the lawyers and doctors in his/her neighbourhood using a published professional or business directory or other publication such as a magazine, book, or newspaper and invite them to an educational event. A newly established orthodontist may send an announcement to dentists in her town, with the electronic addresses derived from a conference attendance list. A university student wanting to earn some money as a contract programmer may contact professors and lecturers using their electronic addresses found in the university catalogue or telephone directory. A new real estate agent in search of listings may want to contact owners of properties using information recorded in publically available registries.

Although few would find these activities offensive, they will all likely be illegal under FISA.[21] Rather than using electronic communications, business start-ups will therefore be forced to send their messages using the post or other more expensive and less convenient and efficient mechanisms, or limit the persons to whom they can send messages to the limited exception that permits use of conspicuously published e-mail addresses.[22] The new start-ups could also not rely on the alternative route of using software that is design to assist them in searching for relevant business or other connections because it will also be illegal to use such software or electronic addresses gathered using such software under the amendments to PIPEDA included in FISA.[23]

Although it is easy to say that the FISA impositions on small businesses are not that important, most countries, Canada included, actively promote small business formation and expansion. Policy-makers understand that small business is a vital part of the economy in its own right and, as well, that all big businesses were small start-ups at one point.  As such, Canada should not want to impede start-up businesses from making effective use of digital communications to launch and sustain their businesses.

FISA Impedes Use of New Forms of Communications and Business Models

FISA is supposed to be technologically neutral, applying broadly to practically all electronic means of sending electronic messages. However, the FISA regulatory regime (which prescribes specific formalities for each message) is modelled on regulating electronic messages that are sent as emails. This focus on emails means that other forms of electronic messaging, such as those through social networks, do not easily fit within the FISA framework. As a result, Canadian businesses that wish to exploit new and developing alternative electronic messaging systems will be impeded by FISA.

As an example, consider an enterprise that wishes to send its commercial electronic messages, with express consent, by SMS.[24] Because SMS only allows for 140 characters, it will be very difficult if not impossible in the allotted number of characters to include all of the formalities required for commercial electronic messages. The SMS message would have to include (a) prescribed information that (1) identifies the sender and (2) any person on whose behalf the message is sent, (b) information that enables the recipient to (1) contact the sender or (2) the person on whose behalf the message was sent, and (c) an unsubscribe mechanism that (1) enables the recipient to indicate, at no cost to him/her a wish to no longer receive messages (which could be at a separate web location), and (2) specifies an electronic address or link to the web which can be used to unsubscribe from receiving further messages.[25] Consider the following difficulties when trying to utilize SMS for a commercial electronic message:

• Can conditions (a)(2), (b)(2), and (c)(2) be met in a message that is only 140 characters?  Some URLs could be as long as the message itself.  The same problem will arise in other messaging services where short messages are the rule, such as Instant Messaging (IM) services.
• Where the recipient uses a regular cell phone, not a smart phone, an unsubscribe URL is likely not accessible by the phone to effect an unsubscribe instruction.  Is it still a compliant message?  If not, how can the sender ever know if its messages are compliant given that the sender will not know what sort of device the recipient is using?
• Where the sender wants to permit recipients to unsubscribe using a text message at no cost to the recipient[26], this will require negotiations with all mobile operators to ensure that the recipient is not charged for the unsubscribe message – a very cumbersome approach.
• Further, it may be challenging for a person using any of these messaging services to seek express consents from recipients using 140 characters given the request for the consent must “clearly and simply” provide information setting out the purpose or purposes for which consent is being requested, information that identifies the requester and another person on whose behalf the request is made, and other prescribed information.[27]

The result is that unless accommodation is made by means of the regulations or amendment to the legislation, FISA could make using new and innovative short messaging platforms effectively impractical to use in Canada for whole categories of commercial speech.[28]

As another example, consider the situation of a social network that allows a recruiter to search the profiles of members looking for suitable employee prospects, who the recruiter then contacts using the social network built-in communications tools. Many members would welcome such communications, and therefore they would likely consent to such recruitment messages, presumably at sign-up time. However, FISA’s design does not easily accommodate such a situation. The recruiter cannot directly request consent to send a message to a member of the social network because that message would be deemed to be a commercial electronic message.[29] The social network could try and obtain the member’s consent for the recruiter to send such messages. However, FISA contemplates that the consent request must include identification information about the person on whose behalf the consent is being obtained, in this case the recruiter’s identity.[30] But is this workable when the identity of the recruiter(s) will only be known much after the consent is granted? Faced with this complexity and uncertainty, recruiters and their social network partners may well ponder if they should avoid offering these services in Canada.

Consider another business model where a virtual gaming site allows members to offer to buy and sell virtual objects amongst themselves. Does each member have to obtain consent from the other members before the messages are sent? Can the social network site request consent in advance for all such messages among members? Bear in mind that the members only disclose game-playing aliases and not their real identities. How then can the identification requirements of FISA be satisfied? How practical is it for each game-player to include an unsubscribe mechanism in every buy-sell offer? If members fail to comply with these identification or unsubscribe mechanisms, will be social network operator have to enforce these requirements in order to avoid liability for aiding in a contravention of FISA? Will the operators of such sites be concerned that they could face accessorial liability for not designing mechanisms to enable  their players to comply with FISA? Will they make necessary changes to their games or simply exclude Canadians from being able to join their networks?

Consider next a business model where a social network operator offers business coupons to members and encourages the members to pass the coupons on to friends and social media contacts.[31] As an incentive, the operator grants a modest incentive to the member for every person that uses such a passed-on coupon. The passing on of the coupon with an express or implied suggestion as its use is likely the sending of a commercial electronic message. While some recipients in these models may fit into the personal or family relationship exemption in FISA,[32] others won’t necessarily fall within these so far undefined categories. And how many members are likely to include unsubscribe mechanisms when sending such messages to their contacts? Although one might be tempted to say that no-one will pursue the members for such trivial transgressions of FISA, the operator that knowingly permits such conduct might well worry if it will be at risk of being accused of aiding, inducing, procuring or causing to be procured the doing of any act contrary to the anti-SPAM provisions of FISA.[33]

Faced with the risks of offending FISA, Canadian businesses will be wary of developing (or continuing to offer) these innovative business models or implementing similar models that are legal in other countries such as the United States. Or if they do wish to develop them, they will feel a strong incentive to develop and launch them outside of Canada. The logical port of call for any such developers will be the United States, with its familiarity to Canadians, vast market, openness to innovation, and ample sources of funding. Canada, which already faces a tough time in fostering innovation inside our borders, will now be adding one more reason for Canadians to take their digital economy initiatives south of the border.

FISA Will Deter Service Providers from Locating in Canada

In the foregoing, we have explained impediments that will be faced by start-ups and developers of new e-commerce models as a result of FISA. But the potential harm to the Canadian economy goes further. FISA will deter many suppliers from providing innovative services globally using Canadian facilities.

Consider the case of a data centre operator that is deciding where to locate a new server farm.  If the operator decides to locate it in Canada, the customers that send electronic commercial messages from those servers will be subject to FISA for all of those communications – even those where the company is non-Canadian and the recipients are all non-Canadian. This consequence arises because FISA applies if a computer system in Canada is used to send or receive the electronic message.[34] The data centre operator will realize that its customer base will be immediately narrowed if the server farm is located in Canada and knowledgeable customers will ask the operator that servers in Canada not be used for their commercial electronic communication purposes.

For the same reasons, FISA will also deter businesses from operating or using cloud services that have facilities in Canada. In an era of ever-increasing reliance on “cloud computing”, where operators organize servers in the most efficient manner, operators and their customers would avoid locating cloud services with facilities in Canada to avoid burdening their foreign customers with onerous obligations they would not have, and their foreign competitors will not have, if their facilities were located outside of Canada.

Likewise, operators of messaging systems such as e-mail services, social networks, and e-commerce platforms that serve North American or global enterprises will have a strong reason to avoid locating their facilities in Canada to ensure that their global users are not regulated by FISA. They would likely relocate existing Canadian facilities outside of Canada to avoid requiring their non-Canadian customers having to bear costs and expenses of complying with laws that their competitors do not face.

Even established Canadian businesses, especially global ones, might decide that it is in their interest to locate their servers, whether in-house or outsourced, outside the country. Many of them will send commercial electronic communications to non-Canadians. They will not want to take on the FISA-derived extra costs and restrictions associated with communicating with those non-Canadians from a Canadian server. Faced with the choice of two servers, one in Canada for FISA-complaint Canadian messages, and one outside Canada for everything else, many Canadian companies will decide that the most efficient approach is to ensure that all their  servers are located outside Canada.

By discouraging service suppliers from locating or maintaining facilities in Canada, not only does Canada lose the jobs, taxes and spin-off activities from such businesses, but Canada’s participation in a core building block of the digital economy is reduced. This in turn lessens the attractiveness of Canada as a location for other participants in the digital economy.

FISA Will Deprive Canadians of Products and Services From Foreign Businesses

In the foregoing discussion, we have concentrated on the impact of FISA on Canadian businesses and suppliers to those businesses. But there is another constituency that will be impacted by FISA, namely consumers.

FISA will of course benefit consumers by hopefully reducing the flow of SPAM. That is the key purpose behind FISA. But consumers will be negatively impacted by FISA if they cannot benefit from worthwhile commercial electronic messages simply because foreign companies are unwilling to comply with FISA and thus decide simply to exclude Canadians from their electronic communication databases. We have been told by some businesses that the costs of developing specific marketing campaigns for Canadians could influence whether foreign businesses make the same offers to Canadians that they make to their customers in other countries.

The point to realize is that not all commercial electronic messaging is bad and unwanted (although some is undoubtedly both). Some is benign, and some may be quite useful. Indeed, in the example above of a recruiter using social media platforms to contact prospective employees, some may be very welcome.

FISA however risks walling off Canada from the good as well as the bad. And foreign companies, especially international companies that market and promote products and services on a global basis from outside Canada, may well decide that Canada is simply not worth the effort and hazards that come with FISA.

FISA Imposes Costs on Canadian Businesses that Foreign Competitors will not Bear

Canadian businesses are coming to grips with the costs of FISA compliance, and it is not a happy realization. Businesses that have large contact lists must assess which contacts fit into particular categories: exempt, express consent, implied consent, no consent. The exempt category will be small for most businesses. Where express consent has been given, businesses have to figure out if the consent is sufficient for FISA purposes, now and in the future. Absent express consent, businesses will have to determine if one of the listed categories of an implied consent can apply.  This will be difficult to assess in many cases.[35] For example, where an individual was entered onto a contact list 5 years ago, how will a business determine if that person voluntarily disclosed his/her email address, or whether it was “conspicuously published” or if there exists an existing business relationship that is less than 2 years old? If the existing business relationship heading is relied on, what sort of routines are in place to determine customer-by-customer when the 2-year window expires? The answer to each of these question can be determined, but at a cost – a cost that can be significant for a company with thousands or even millions of contacts.

It may be simple to suggest that businesses should just communicate with everyone on their contact lists and ask for express consent. But the response rate from such campaigns is often not large, and Canadian businesses risk a large contraction of their contact lists, with a consequential impact on their business models. In some cases, such as the social network recruiter described earlier, it is questionable if a consent approach is even workable. And, of course, once FISA comes into force, communicating with a contact to ask for consent will itself be prohibited unless some exemption or implied consent applies.

Further, as noted above, Canadian businesses with substantial numbers of non-Canadian contacts will face costs of moving their servers outside of Canada in order to service these non-Canadians, and likely Canadians as well. In the same vein, those Canadian businesses will have to give up any use of cloud computing that involves Canada-based servers if there is a chance that some commercial electronic messaging could originate on servers in Canada.

Canadian businesses will also face extra costs as ongoing customers unsubscribe from commercial electronic messages.  The FISA-mandated  unsubscribe mechanism must permit the recipient to not receive any commercial electronic messages, or any specified class of messages.  If even a handful of customers choose the broad unsubscribe option, companies will have to either change their systems to ensure that innocuous commercial electronic messages are not included in ordinary correspondence such as billing statements (consider, for example, a mention that mortgage rates are being reduced which appears in a bank account statement with an offer to extend the mortgage term), or ensure that such correspondence is sent to those customers by the post or other non-electronic means. All of this can be done, but clearly at a cost.  The problem would be compounded for businesses that contract with their customers only to communicate electronically.  Customers including B2B business partners could arguably use FISA’s unsubscribe right to require communications in a different format and to thereby trump contractually agreed to terms.  This could undermine purely electronic means of doing business (including data interchange arrangements) and force companies to cease doing business with any person insisting on an unsubscribe right or to incur substantial costs to do business in less modern and inefficient way.

In addition to costs of these proactive activities, Canadian businesses will face potentially large costs of after-the fact compliance by way of substantial fines and class action damages, and associated legal costs, as further discussed below.

In contrast, most non-Canadian competitors do not face equivalent costs. Although some may elect to comply with FISA for their Canadian contacts, others may simply abandon services to Canadians. Others will likely just ignore FISA, expecting that the Canadian regulators will have neither the inclination nor resources nor the jurisdiction to pursue these offenders.

FISA’s Enforcement Model is Biased Towards Excessive Fault-Finding, which will Tarnish Legitimate Businesses

The penalties for violating FISA are severe. Companies can be subject to fines[36] of up to $10 million per violation. The regulations may specify that violations are a day-by-day determination.[37] Officers and directors can be liable, whether or not the corporation is prosecuted.[38] If the CRTC does not initiate proceedings, companies can be liable to private action by SPAM recipients, including (most worryingly) class action claims, for actual damages (which will likely be insignificant), but also an additional private fine of up to $1 million per day (which is not so insignificant).[39]

The fear of class action claims, which can be very expensive to defend against, will act as a strong incentive for companies to self-report potential contraventions to the CRTC and submit to voluntary undertakings and fines. Entering into such an undertaking with the CRTC will exempt the contravention from private action liability.[40] Although this incentive will help ensure FISA compliance, its undoubted goal, it will also encourage companies to confess wrong-doing in situations where the impugned conduct may be questionable or trivial. This will lead to a parade of Canadian businesses being punished under FISA, with the regulators extolling their enforcement proficiency against these wrong-doers.[41] As such, the public image of many Canadian businesses will be unfairly tarnished in circumstances where the offending conduct may not be significant.

Is It Right To Extensively Chill Commercial Electronic Communications?

In the proceeding pages, we have explained the negative impact that FISA will have on Canadian businesses and consumers. But there is a larger question that should also be asked. Is it right to so extensively curtail Canadian businesses from engaging in commercial electronic communication, which is, after all, a form of commercial free speech? This is a big question, with clear constitutional overtones. But it is a question that should be asked.

FISA’s regulatory approach to SPAM is to broadly ban all commercial electronic messages unless the messages are sent with prior express consent or fall into an excluded category. The regulatory regime does not focus, as do most laws that restrict the free speech of Canadians, on prohibiting actions that are necessarily unwanted, false, fraudulent, misleading or otherwise harmful. It is therefore inevitable that sending some legitimate, wanted, and economically and socially useful commercial speech will be rendered illegal.

FISA’s curtailment of commercial speech is apparent in a number of ways.

• The prohibitions on commercial speech are not narrowly tailored to a limited class of electronic communications that are more likely than not to be unwanted or harmful such as direct marketing, pornography, messages sent to consumers that misuse personal information, or messages that are false, fraudulent, or misleading.
• Because FISA extends to “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit”, it will extend to activities of not-for-profit entities, educational institutions, charities, private clubs, and political fundraising activities, subject the specific exceptions that only partially exclude some of their commercial electronic messages.
• A message that is, on balance, benign or useful, will nonetheless be caught by FISA if only one of the message’s many purposes would encourage participation in a commercial activity.
• FISA’s anti-SPAM provisions provide for extensive accessorial and vicarious liability Under FISA, liability extends to any person who aids, induces or procures a prohibited act.[42] Businesses are liable for acts of their employees within the scope of their authority.[43] The liability also extends to officers, directors, agents, and mandataries if they “directed, authorized, assented to, acquiesced, or participated in the prohibited act”.[44]
• A direct result of the “ban-all” approach taken in FISA will be to shift the onus onto individuals and businesses to find an exception that would permit their sending electronic messages. However as described above, FISA also has extremely tough sanctions that can be levied against individuals or businesses that violate its prohibitions. These sanctions will undoubtedly deter individuals and businesses from sending messages in circumstances where it is unclear they are entitled to do so.

The Canadian Charter of Rights and Freedoms protects free speech as one of our highest legal and societal imperatives.[45] The courts have recognized that Canadian businesses benefit from this protection and that commercial speech benefits Canadian consumers.[46] While limits on free speech are clearly permitted, these limits should be reasonable and justified, with minimal impairment of the free speech right and with the limit on free speech being in proportion to the harm that is being targeted.  As we have come to better understand how companies will be required to operate under FISA, questions indeed arise as to whether this important principle has been given appropriate regard.

Where Should We Go From Here?

Recognizing that it may be too late to revise the FISA legislation, developing sensible regulations will be of paramount importance as many of the deficiencies that we have discussed can be remedied in the regulations. For example, FISA provides significant flexibility to for the regulations to exclude classes of commercial electronic messages from its scope.[47] FISA also enables the government to create, by regulation, new broad categories of implied consent.[48] Employing the regulation process in this remedial manner should not be seen as undermining the basic thrust of FISA, which is to reduce the volume of SPAM, but rather as properly aligning FISA’s benefits with its costs.

To conclude, we believe that it is time to re-examine FISA – and to do so before the regulations are finalized and FISA is proclaimed into law. Failing to undertake such a review, and to make appropriate changes through regulation or otherwise, risks imposing significant burdens on Canadian businesses and depriving Canadians of beneficial services, thereby undermining the promotion of “the efficiency and adaptability of the Canadian economy” that FISA calls for. Other countries have managed to discover a different and more proportionate balance between thwarting SPAM and not impeding legitimate electronic messaging. Canada should seek to do likewise.

[1] Lorne Salzman and Barry Sookman are lawyers with McCarthy Tétrault LLP.

[2] FISA is the acronym for “Fighting Internet and Wireless Spam Act”, a title bestowed in an early version of the legislation that was eventually passed by the Canadian Parliament. Unfortunately (and unusually), the final version did not include any such short-form title. Accordingly, some commentators refer to FISA, while others refer to “CASL”, which is the acronym for Canadian Anti-Spam Legislation, while others employ yet other titles and abbreviations. For ease of understanding, we will use the term “FISA” in this commentary.

[3] Available at www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00317.html

[4] www.ftc.gov/bcp/edu/microsites/spam/rules.htm

[5] www.austlii.edu.au/au/legis/cth/consol_act/sa200366/

[6] www.legislation.govt.nz/act/public/2007/0007/latest/DLM405134.html

[7] The breadth of FISA’s prohibitions can be seen from looking at the definitions:

• An “electronic message” is an open ended list of message types: a “message sent by any means of telecommunication, including a text, sound, voice or image message”.

• An “electronic address” is an open ended list of types of addresses to which messages may be sent; it is “an address used in connection with the transmission of an electronic message to (a) an electronic mail account; (b) an instant messaging account; (c) a telephone account; or (d) any similar account”.

• A “commercial electronic message” is an open ended list of electronic messages “that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that (a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; (b) offers to provide a business, investment or gaming opportunity; (c) advertises or promotes anything referred to in paragraph (a) or (b); or (d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.” An electronic message that contains a request to send a prohibited message is also deemed to be a prohibited commercial electronic message.

• A “commercial activity” is also broadly defined to mean “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit”. It excludes “any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada”.

[8] s. 6(5)

[9] s. 6(7)

[10] s. 1(1)

[11] s. 6(6)

[12] ss. 10(9) and 10(10)

[13] ss. 10(9) and 10(13)

[14] s. 10(9)(b)

[15] s. 10(9)(c)

[16] s. 10(9)(d)

[17] s. 10(1)

[18] s. 1(3)

[19] ss. 6(2) and 6(3)

[20] ss. 11(1) and 11(2)

[21] Despite problems under FISA, collecting personal information from some of the sources described above would likely be permissible under PIPEDA (Canada’s federal privacy law) pursuant to regulations which permit the collection, use and disclosure of personal information that is publically available. See, Regulations Specifying Publicly Available Information, P.C. 2000-1777 13 December, 2000, http://www.gazette.gc.ca/archives/p2/2001/2001-01-03/html/sor-dors7-eng.html

[22] s. 10(9)(b). This section has some overlap with the PIPEDA publically available exception. However, the FISA exception is limited to where the recipient “has conspicuously published, or caused to be conspicuously published”, the electronic address. It would seem to clearly apply where an individual publishes his/her email address on a web site. It is much less clear that it applies where an individual gives his/her email address to an organization and the organization publishes the email address in a directory or other publication. To fall within the exception one would have to conclude that by giving an organization an email address, the person who provides the email address “causes” the organization to publish it – which may be somewhat of a stretch.

[23] s. 82 (adding new s. 7.1(2) to PIPEDA)

[24] Short Message Service (SMS) is a text-based data communications service typically used in connection with cell phones and smart phones.

[25] ss. 6(2) and 11(1)

[26] s. 11(1).

[27] s. 10(1).

[28] For a real life example of an entrepreneur who recently used Twitter service as a pivotal aid in launching a new business, see: www.thestar.com/business/smallbusiness/article/985678–twitter-marketing-word-of-mouth-on-steroids

[29] s. 1(3). It does not appear that this approach would fall within any of the existing exceptions including the exception for inquiries (s. 6(5)(b)). The message would be an inquiry, but would not necessarily be an inquiry related to the commercial activity of the recipient. It would not fall into the employment benefits exception either. (s. 6(6)(e)).

[30] s. 10(1). The upcoming regulations are expected to address the identification information that will be required.

[31] Other innovative businesses also use variations on the “refer a friend” business model.

[32] s. 6(5)(a)

[33] s. 9

[34] s. 12(1)

[35] Consents obtained under PIPEDA cannot be relied upon given PIPEDA recognizes opt-out consents in many circumstances.

[36] Technically, the fines are referred to as “administrative monetary penalties”. Quaintly, FISA states that these penalties are “to promote compliance” but not “to punish”. See s. 20.

[37] s. 20(5)(a)

[38] s. 52. Note that there is a “due diligence” defence that may be available in some cases to companies and their staff. See s.54(1)

[39] s. 51(1)

[40] s. 48(1)

[41] As an example of the CRTC’s press releases when it punishes offenders of the do-not-call regime, see www.crtc.gc.ca/eng/com100/2010/r101217.htm

[42] s. 9

[43] ss. 32 and 53

[44] ss. 31 and 52

[45] See s. 2(b) of the Charter.

[46] See RJR-MacDonald Inc. v. Canada (Attorney General), [1995] 3 S.C.R. 199; Rocket v. Royal College of Dental Surgeons of Ontario, [1990] 2 S.C.R. 23.

[47] s. 6(5)(c)

[48] s. 10(9)(d)

The documents in the possession of the PMO and offices of Ministers were held not to be in the control of a government institution and were therefore not subject to the Act. The Court held that the agenda of former Prime Minister Jean Chrétien in the possession of the RCMP and the PCO were under the control of a “government institution”. However, they were not subject to disclosure because 19(1) of the Access to Information Act prohibits the head of a government institution from releasing any record that contains personal information as defined in s. 3 of the Privacy Act. Section 3(j) of the Privacy Act creates an exception by allowing for the disclosure of personal information where such information pertains to an individual who is or was an officer or employee of a government institution and where the information relates to the position or function of the individual.  The Supreme Court agreed with the Federal Court of Appeal that this exception did not apply as the Prime Minister could not be viewed as an officer of a government institution.

In rendering its decision the Supreme Court did not express any opinion as to whether the Prime Minister’s agenda, or parts thereof, were “personal information” as defined in s. 3 of the Privacy Act. It didn’t deal with the issue as the parties agree that the Prime Minister’s agenda fell within the general definition of personal information in the Privacy Act. That Act defines the term as meaning “information about an identifiable individual that is recorded in any form” and goes on to include a non-exclusive list of examples.

It is too bad that the issue of whether the Prime Minister’s agenda, or portions thereof, were personal information was conceded and not argued before the Court. The issue of what is personal information is one in which lower appellant courts have recently been focusing on.

For example, the Ontario Court of Appeal in Citi Cards Canada Inc. v. Pleasance, 2011 ONCA 3 recently held that financial information pertaining to a debtor, collected and used by a financial institution in the course of a mortgage transaction was personal information under PIPEDA. In its reasons for decision the Court stressed that the term was to be given “a very elastic definition”. According to the Court:

I also agree with the application judge that the information Citi Cards seeks from the Banks is “personal information” of the debtor.  “Personal information” is defined in s. 2(1) of the Act.  It “means information about an identifiable individual.”

This is a very elastic definition, and should be interpreted in that fashion to give effect to the purpose of the Act.  There can be no doubt that financial information pertaining to a debtor, collected and used by a financial institution in the course of a mortgage transaction – including the particulars of, and the balance owing on the debtor’s mortgage – is “information about an identifiable individual.”  Current mortgage balances are not information that is publicly available.

This information is collected and used by the Banks for purposes of administering the mortgage; it is not collected or used for purposes of facilitating another judgment creditor’s execution on its judgment.  As the purpose of the Act – expressed in s. 3 cited above – indicates, what is balanced is the individual’s right to privacy in his or her personal information, on the one hand, and the organization’s need to collect or use the information, on the other hand.  The Act does not contemplate a balancing between the privacy rights of the individual and the interests of a third-party organization that may by happenstance have commercial dealings with the individual that make the targeted information attractive to it.

The Alberta Court of Appeal recently also canvassed the scope of the term personal information in Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner), 2011 ABCA 94. Under the Alberta Personal Information Protection Act “personal information” is defined to mean “information about an identifiable individual”. In interpreting this definition the Court ruled that driver’s licence numbers were personal information but that vehicle licence numbers were not. The Court reached this conclusion reasoning that to fall within the definition information must directly identify the individual and have a precise connection to the individual and must relate to the individual and not to some object or property.

The “identifiable individual” term has two components. Firstly, the individual must be “identifiable”. Generic and statistical information is thereby excluded, and the personal information (here the relevant number) must have some precise connection to one individual. Secondly, the information must relate to an individual. Information that relates to objects or property is, on the face of the definition, not included. The key to the definition is the word “identifiable”. The Act is designed to regulate and protect information that is uniquely connected to one person. An important (although not the only) purpose of the Act is to control the use of information that would enable “identity theft”, that is, information that is used to distinguish one individual from another in financial and commercial transactions. This can be seen by reviewing the type of information that is dealt within the more specific provisions and exceptions in the Act. The definition is not primarily aimed at information about that individual’s opinions, choices and status in life.

Further, to be “personal” in any reasonable sense the information must be directly related to the individual; the definition does not cover indirect or collateral information. Information that relates to an object or property does not become information “about” an individual, just because some individual may own or use that property. Since virtually every object or property is connected in some way with an individual, that approach would make all identifiers “personal” identifiers. In the context of the statute, and given the purposes of the statute set out in s. 3, it is not reasonable to expand the meaning of “about an individual” to include references to objects that might indirectly be affiliated or associated with individuals. Some identification numbers on objects may effectively identify individuals. Many, however, are not “about the individual” who owns or uses the object, they are “about the object”.

The adjudicator’s conclusion that the driver’s licence number is “personal information” is reasonable, because it (like a social insurance number or a passport number) is uniquely related to an individual. With access to the proper database, the unique driver’s licence number can be used to identify a particular person: Gordon v. Canada (Minister of Health), 2008 FC 258 (CanLII), 2008 FC 258, 324 F.T.R. 94, 79 Admin. L.R. (4th) 258 at paras. 32-4. But a vehicle licence is a different thing. It is linked to a vehicle, not a person. The fact that the vehicle is owned by somebody does not make the licence plate number information about that individual. It is “about” the vehicle. The same reasoning would apply to vehicle information (serial or VIN) numbers of vehicles. Likewise a street address identifies a property, not a person, even though someone may well live in the property. The licence plate number may well be connected to a database that contains other personal information, but that is not determinative. The appellant had no access to that database, and did not insist that the customer provide access to it.

It is also contrary to common sense to hold that a vehicle licence number is in any respect private. All vehicles operated on highways in Alberta must be registered, and must display their licence plates in a visible location: Traffic Safety Act, R.S.A. 2000, c. T-6, ss. 52(1)(a) and 53(1)(a). The requirement that a licence plate be displayed is obviously so that anyone who is interested in the operation of that vehicle can record the licence plate. The fact that the licence plate number might be connected back to personal information about the registered owner is obvious, but the Traffic Safety Act nevertheless requires display of the licence plate. Control of that information is provided by controlling access to the database. It makes no sense to effectively order, as did the adjudicator, that everyone in the world can write down the customer’s licence plate number, except the appellant.

In summary, the adjudicator’s conclusion that a driver’s licence number is “personal information” is reasonable. The conclusion that a licence plate number is also “personal information” is not reasonable, and the adjudicator’s ruling must be set aside insofar as it dealt with licence plate numbers.

Had the Supreme Court addressed the personal information status of the various elements of the Prime Minister’s agenda, it might have used the occasion to expound upon the meaning of that term. But, given the procedural posture of the case, the Court was not required to do so.

The privacy issues raised by online tracking, profiling and targeting and cloud computing raise many questions with important public policy and economic implications. The report, by and large, raises and does a good job of explaining the issues and challenges. Beyond explaining general principles, it does not purport to provide any real guidelines. After discussing the issues and generally applicable principles, the OPC asked for further comments and input on most of the intriguing questions.

The report did contain a few notable observations about how PIPEDA applies to certain online activities. These were mostly in areas that the OPC has already provided guidance. For example, the OPC repeated its views on its interpretation of the term personal information saying:

The OPC has generally taken a broad and contextual approach in determining whether certain information is or is not personal information. Of note is a finding from 2003, in which it was concluded that the information stored by temporary and permanent cookies was personal information. The Office has also determined that an IP address is personal information if it can be associated with an identifiable individual.

Other noteworthy examples include an investigation into the collection and use of Global Positioning System information placed in a company’s vehicles, in which it was concluded that such information is personal information since it could be linked to specific employees driving the vehicles. It was noted that the employees were identifiable even if they are not identified at all times to all users of the system. Information collected through radio frequency identification tags (RFID) to track and locate baggage, retail products and individual purchases may constitute the personal information of any identifiable individual associated with those items.

The OPC also summarized its guidelines for the use of opt-out consents:

The OPC has had opportunity to consider the use of opt-out in a number of different contexts. A common use of opt-out is in the context of using or disclosing personal information for secondary purposes of marketing. Secondary purposes are additional to those for which the information needed to be collected in the first place. The Office considers that an organization must satisfy the following requirements when using opt-out, for example, to obtain consent for secondary marketing purposes:

The personal information must be demonstrably non-sensitive in nature and context.

The information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure.

The organization’s purposes must be limited and well-defined, and stated in a clear and understandable manner.

As a general rule, organizations should obtain consent for the use or disclosure at the time of collection.

The organization must establish a convenient procedure for opting out of, or withdrawing consent to, secondary purposes. The opt-out should take effect immediately and prior to any use or disclosure of personal information for the proposed new purposes.

A very difficult issue in cloud environments is to determine who is responsible for obtaining consents for the collection, use and disclosure of personal information that is handled in such environments. The OPC continues to draw a distinction, between “consumer services” and “business services.” Where the cloud service is offered directly to consumers, the provider, according to the OPC, is the “data controller”. However, where the services are offered to enterprise customers, the provider is the “data processor”.

Generally speaking, in Louise’s case, when she uses her social networking site or e-mail for fun, the social networking site or e-mail provider is the data controller. When she wishes to use a cloud service to help her handle her jewellery customer data, the provider is a data processor and Louise is the data controller. This distinction is important because it means that when Louise is the data controller, she has certain obligations to her customers in terms of privacy protection.

Unfortunately, the report does not provide any statutory basis for this distinction. Nor does the report explain how the EU concepts of “processor” and “controller” conceptually  fit within the structure of PIPEDA.

The Alberta Court of Appeal recently overturned a decision of the Alberta Privacy Commissioner resulting in a significant privacy law decision for businesses in Alberta and B.C. The Court endorsed a deferential approach to businesses and their adoption of reasonable policies towards the collection of personal information. The majority ruled that the collection of personal information must only be “reasonable.” A business need not show that it adopted the “best” or “least intrusive” approaches.”

Summary

In a split decision released March 29, 2011, the Alberta Court of Appeal overturned a decision of the Alberta Privacy Commissioner: Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner), 2011 ABCA 94.

Leon’s has a policy of recording driver’s licence and licence plate information where a customer takes delivery of merchandise some time after the date of purchase. The purpose of doing so is to have the information available to give to the police in the event of subsequent allegations of theft or fraud, such as when a fraudster claiming to be the purchaser picks up merchandise. The information is kept in a secure location and is used for no other purpose than to assist police if there are allegations of theft or fraud.

The Privacy Commissioner had held Leon’s policy unlawful under Alberta’s Personal Information Protection Act (“PIPA”), even going so far as to hold that recording licence plate numbers was a breach of the statute. The Privacy Commissioner’s decision was initially upheld on judicial review by the Alberta Court of Queen’s Bench. In a two-to-one decision, the Alberta Court of Appeal reversed.

In the Court of Appeal, there was significant disagreement between the majority and the dissent over the proper interpretation of PIPA. The majority accepted Leon’s argument that there must be a balance between (i) the right of an individual to have his or her personal information protected; and (ii) the need of organizations to collect, use or disclose personal information for purposes that are reasonable.

Writing for the majority, Justice Slatter emphasized that neither of the two competing values is paramount. At paragraph 34, he stated:

The statute does not give predominance to either of the two competing values, and any interpretation which holds that one must always prevail over the other is likely to be unreasonable. A balancing is called for. That balancing is not fully implemented by the other provisions of the Act. [emphasis added]

The majority acknowledged not only the rights of the retailer organization but the larger public interest in preventing fraud:

But their admitted importance [the importance of privacy rights] does not mean that privacy rights must predominate over all other societal needs, values and interests. Because the customer’s interests are important does not mean that the retailer’s are not. Our society is complex and increasingly information based, and many organizations, businesses and individuals must use personal information for legitimate reasons on a daily basis. (para. 35)

The majority agreed with the Privacy Commissioner’s finding that driver’s licences are “personal information” under PPIA, yet cautioned against placing blanket restrictions on their use:

Driver’s licences are not just proof that the holder is authorized to drive; the average Albertan uses his or her driver’s licence far more frequently to prove identity than to prove the right to drive….

In determining what use of driver’s licence numbers would be found to be ‘appropriate in the circumstances’ by ‘reasonable persons,’ one must therefore have regard to the important place that driver’s licences play as a universal form of identification…

While protecting Albertans from invasions of privacy, intrusive marketing practices and identity theft are laudable objectives, it is unreasonable to place restrictions on the use of driver’s licences that seriously undermine their usefulness as forms of identification. Section 3 of the Act specifically recognizes that individuals and organizations all have legitimate reasons to use personal information in this way. (paras. 40-41)

In assessing the reasonableness of the collection of licence plate numbers, the majority found that licence plate numbers do not constitute “personal information … about an individual” under the Act. The Court stated that a vehicle licence is “linked to a vehicle, not a person” (para 49) and “[i]t makes no sense to effectively order, as did the adjudicator, that everyone in the world can write down the customer’s licence plate number, except the appellant.” (para. 50)

In assessing the reasonableness of the Privacy Commissioner’s decision, the Court found that the Privacy Commissioner erred by concluding that an organization must implement the least intrusive policies. Rather, the Court found that an organization must implement a reasonable approach towards the collection of personal information. The Court stated:

…the reasonableness of the adjudicator’s decision is undermined by her failure to recognize that the appellant needed to show only that its policies were ‘reasonable,’ not that they were the ‘best’ or ‘least intrusive’ approaches. Sections 3 and 11 do not create any test of ‘paramountcy’; the test is whether the use being made of the information is ‘reasonably necessary.’ That standard does not require the organization to defer in all instances to the interests of individual privacy. The respondent [Privacy Commissioner] is not empowered to direct an organization to change the way it does business, just because the respondent thinks he has identified a better way. So long as the business is being conducted reasonably, it does not matter that there might also be other reasonable ways of conducting the business.

Finally, the Court concluded that the Privacy Commissioner’s conclusion that Leon’s policy on the delivery of goods to third parties “was unreasonable is itself unreasonable”:

The adjudicator’s [Privacy Commissioner] approach was influenced by the view that privacy rights prevail in all circumstances over the legitimate need to use information. It was also unreasonable for the adjudicator to conclude that the appellant’s policy was unreasonable, because the adjudicator thought that there were other reasonable ways that the business could be operated. (para. 65)

This decision is obviously a very important win for businesses, in particular retail businesses, in Alberta. It is also important in British Columbia, which has privacy legislation similar to Alberta’s. It may have limited relevance outside Alberta and B.C., because the majority’s decision turned on a provision of the Alberta statute which is worded differently from the federal privacy legislation (PIPEDA). Nonetheless, it seems that even outside Alberta and B.C., this is an important decision that our clients will want to make full use of in limiting the excesses of privacy commissioners.

* Geoff Hall and Kara Smyth of McCarthy Tétrault LLP acted as counsel for the successful appellant Leon’s.

Here are some of the important findings made by Justice Charleton, the same judge who presided over the EMI Records & Ors -v- Eircom Ltd, [2010] IEHC 108 case :

• The business of the recording industry is “being devastated by internet piracy”. Internet piracy undermines their business but also “ruins the ability of a generation of creative people in Ireland, and elsewhere, to establish a viable living. It is destructive of an important native industry.”
• The “scourge of internet piracy” strongly affects Irish musicians. Internet piracy is an economic and a moral problem.
• Surveys show a loss of between 20% to 30% as a proportion of decline in sales to what is illegally downloaded. The ratio of unauthorized downloaders per broadband internet line is 1:0.42.
• ISPs “have an economic and moral obligation to address the problem”. In the case UPC it did not do so, fully knowing it facilitated infringing conduct, to increase its levels of profits. UPC’s attitude towards illegal file sharing by its subscribers was neither reasonable nor fair. UPC had “no interest in doing anything other than making deceptive noises by reference to its acceptable usage policy”. UPC intended to do nothing about copyright piracy.
• Norwich orders are available to identify persons sharing files illegally, as was recognized by the Canadian Federal Court of Appeal in the BMG case. However, this process “is burdensome and, ultimately, futile as a potential solution to the problem of internet piracy”.
• A graduated response solution involving “detection, notification and termination” “is viable and proportionate”. According to Justice Charleton “The evidence analysed in the course of this judgment also establishes that detection, warning, and discontinuance are, each of them, proportionate to the vast scale of the problem established in evidence”.
• A graduated response solution comprising detection and three warning notices with the threat of account termination “will succeed in strongly alleviating the problem of internet piracy”. “There is a strong probability that a graduated response would yield a majority level of desistence from the practice of illegal downloading on a first warning”.
• Privacy considerations  would be no bar to granting the form of relief requested.
• The evidence convinced the trial judge that “there is no just or convenient solution open to the record companies other than seeking injunctive relief against the” ISP, in this case UPC.
• The record labels had also asked the court to grant an injunction requiring UPC to block access to the Pirate Bay. The court was willing to do so, but could not because Irish law did not authorize such relief, although it was available in other European jurisdictions.

A lot has been written about graduated response solutions to the problems of illegal file sharing over the internet. See, Prof.Bomsel Decreasing Copyright Enforcement Costs: The Scope of a Graduated Response,Prof. Bridy, Graduated Response and the Turn to Private Ordering in Online Copyright Enforcement, Prof.Strowel, Internet Piracy as a Wake-up Call for Copyright Law Makers—Is the ‘‘Graduated Response’’ a Good Reply?, Barry Sookman and Dan Glover Graduated response and copyright: an idea that is right for the times. The EMI v UPC case adds further reflections on the issue. This case is a must read for anyone concerned about internet piracy and the legislative solutions needed to help curb it.

The judgment in full is set out below.

EMI v. UPC