Top legal developments in e-commerce, privacy and intellectual property



Despite COVID-19, 2020 was an eventful year, chock full of impactful legal developments in e-commerce, technology, privacy, anti-spam, and intellectual property law. Here is a summary of my picks for the top legal developments.

e-commerce

Standard form online agreements and unconscionability

Online and in-App agreements are typically presented to users as “standard form”, “take it or leave it”, “boiler plate” forms. Most common are some variation of a “click-wrap”, “sign-in wrap”, or “browsewrap” agreement. They are used pervasively on websites and on Apps, among other locations.

Business Growth and Trade in Intangibles – Digital Trade, Data Governance, Intellectual Property



I had the pleasure of participating in a virtual roundtable earlier today hosted by The Center for International Governance Innovation (CIGI), an independent, non-partisan think tank. It was organized at the request of Minister Mary Ng, the Federal Minister of Small Business, Export Promotion and International Trade and moderated by Rohinton Medhora, CIGI’s President.

The roundtable had three main topics:

1. Digital trade: Covid-19 economic recovery and Canadian businesses

2. Data governance: balancing privacy, security and economic opportunities

3. Fostering competitiveness: innovation and IP strategy

Following opening remarks from Minister Ng (who demonstrated a good understanding of our digital challenges and pressed attendees for their insights on how to solve them), I was asked to provide brief opening comments on topic 2.

CPPA: identifying the inscrutable meaning and policy behind the de-identifying provisions



The Consumer Privacy Protection Act (CPPA) will make substantial changes to Canada’s privacy law. As noted previously, the bill includes many of the provisions in the Personal Information Protection and Electronic Documents Act (PIPEDA), plus a lot more. In a prior post, CPPA: transfers of personal information to service providers, I examined the new provisions dealing with transfers of personal information to service providers.

In this post I examine the significant proposed changes to the law as they relate to personal information that has been “de-identified”.

CPPA: transfers of personal information to service providers



The Consumer Privacy Protection Act (CPPA) will make substantial changes to Canada’s privacy law. As noted previously, the bill includes many of the provisions in the Personal Information Protection and Electronic Documents Act (PIPEDA), plus a lot more. In some cases, it builds on the provisions of PIPEDA and on the guidance and decisions of the Commissioner, but includes changes designed either to clarify or change the law. Cases in point are the very important new provisions which address transfers of personal information to service providers.

Canada’s Digital Charter privacy law



Personal data is the new oil. Yet the commoditization and uses of personal data in innovative and other ways often collide with the individual and public interest in observing reasonable expectations of privacy. Privacy has been at the crossroads in Canada; our existing privacy law is over 20 years old, or, in digital terms, over 140 years old. After much consultation, the government introduced a new bill to catch us up, with the somewhat long name An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts.

PIPEDA by the numbers: lessons for privacy law reform in Canada?



The Federal Privacy Commissioner (OPC) just released the 2019-2020 Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA). In the report the OPC repeated the plea for reform of PIPEDA arguing that PIPEDA “is outdated and does not sufficiently deal with the digital environment to ensure appropriate regulation of new technologies.” The report also proposed major new remedial powers for the OPC. Interestingly, however, statistical data in the Annual Report illustrates how well PIPEDA appears to be working despite the lack of these remedial powers.

Alert: OSFI consultation on technology



OSFI, the federal regulator of financial institutions such as banks and insurance companies (FIs), just released a discussion paper, Developing financial sector resilience in a digital world: Selected themes in technology and related risks. The paper signals that the Office of the Superintendent of Financial Institutions may eventually develop guidance to regulate digital risks such as cybersecurity, data analytics, artificial intelligence (AI), quantum computing, third party ecosystems and data.

OSFI’s decision to even study regulating the use of technologies by Canadian FIs is something that needs to be on people’s radar.

Privacy developments: OPC Privacy Guide for Businesses and Ontario privacy consultation




Unquestionably, personal data is the economy’s “new oil” and Canadian organizations face compliance challenges like never before. It is noteworthy, therefore, that last week the federal Office of the Privacy Commissioner (OPC) released a new Privacy Guide for Businesses (the Privacy Guide) and the Ontario Ministry of Government and Consumer Services released a public consultation on Reforming Privacy in Ontario’s Private Sector.

The Privacy Guide provides a high-level overview of PIPEDA, including the fair information principles.

The Privacy Guide has some interesting interpretations of PIPEDA.

EU-US Privacy Shield invalid: Schrems II



In a bombshell decision in Schrems II released earlier today, the Court of Justice of the European Union (CJEU) found that the Commission decision finding the EU-US Privacy Shield to be adequate for transferring personal data to the U.S. is invalid. In what can only be seen as a double whammy, the CJEU also ruled that transferring personal data to the U.S. pursuant to standard data protection clauses adopted by the Commission could also be found to be invalid by local data protection authorities.

Court of Appeal rules CASL is constitutional and releases decision on the making available right



The Federal Court of Appeal released two important decisions earlier today. First, in the Compufinder decision, it ruled that Canada’s anti-spam law (CASL) is constitutional. More specifically, it found that CASL does not violate the Canadian Charter of Rights and Freedoms right to freedom of expression. It also found that the law was intra vires within federal jurisdiction.

The finding that CASL did not violate the Charter is a surprising one to anyone who understands its scope and impacts on commercial speech.