CRTC releases onerous CASL intermediary bulletin

The CRTC just released a bulletin that goes to surprising lengths to impose liability on third parties for CASL violations. Lengths that may not be supported by the legislation.

It basically tries to turn intermediaries into enforcers. An approach this aggressive is surprising in light of the INDU committee report on CASL released in December 2017 that concluded in part: “The Act and its regulations require clarifications to reduce the cost of compliance and better focus enforcement.”

The bulletin is Compliance and Enforcement Information Bulletin CRTC 2018-415 Guidelines on the Commission’s approach to section 9 of Canada’s anti-spam legislation (CASL)

Section 9 of CASL says “It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to…” the anti-spam provisions. In other words, anyone who helps someone spam, is also guilty.

The bulletin states that intermediaries subject to this provision include: Advertising brokers, Electronic marketers, Software and application developers, Software and application distributors, Telecommunications and Internet service providers, and Payment processing system operators.

It states that these intermediaries can be liable even though they have no knowledge that a customer of theirs is violating CASL.

It then goes on to list some over the top things that intermediaries are expected to do to avoid liability, including getting incorporation documents, validating customer director identity, researching the reputation of customers, and reviewing customer services of potential customers for legal compliance.

It seems to be drafted from the lens of what an intermediary would have to do to catch a spammer, not what it is reasonable for an intermediary to do in real life.

Cross-posted to Slaw

PIPEDA breach notification & recording starts Nov 1 – are you ready?

Starting Nov 1 2018 PIPEDA requires businesses to notify the Privacy Commissioner and affected individuals of any privacy breach that poses “a real risk of significant harm”.

It also requires businesses to keep a record of all breaches of security safeguards that involve personal information, even if there is no risk of harm. It must include details of why a breach does not pass the reporting threshold.

So simply dealing with a potentially harmful privacy breach when and if it happens is not sufficient compliance.

The Commissioner can ask to see that breach record at any time. Failure to comply with the recording and notification requirements can result in a penalty of up to $100,000.

From a practical perspective, it means that there must be awareness by staff about what a breach of security safeguards is, and who to tell about it. It can’t be based only on complaints.

The Privacy Commissioner has published guidance on this. I’ve written about it before.

This chart is an overview of the process. Be sure to follow the detailed definitions and requirements in PIPEDA.

Cross-posted to Slaw

Copyright Notice & Notice is Flawed

You may have read about the Supreme Court of Canada deciding Rogers can be paid its costs for telling a copyright owner the identity of movie downloading customers. What isn’t talked about is the notice and notice system that puts this in motion.

A summary of the Rogers v Voltage decision is here. Omar has written about this on Slaw as well.

This is a complex and controversial issue. The essence is that sections 41.25 and 41.26 of the Copyright Act allow the owner of a copyright (eg a movie studio) to create a notice to send to people who breached copyright by downloading the movie, or by allowing others to then upload the movie. At this point the copyright owner only knows the downloader’s IP address and their internet service provider (ISP) – not the person’s name or contact information. The ISP is obligated to forward that message on – hence the term notice and notice.

The concept of notice and notice sounds good on the surface. But no matter whether you side with the copyright owner or the downloader – it doesn’t work in practice – and doesn’t help either side.

If a consumer saw a notice that simply said:

We own movie X, we know you downloaded it, and your sharing software is allowing others to download from you. Delete it, and we will leave you alone. If you don’t, we might sue you.

most consumers would comply.

But in what I’ve seen, the notice ends up being a long email with that message buried closer to the end than the beginning. So the consumer’s first inclination is to delete it assuming it is just another unimportant message from their ISP that they can ignore along with other marketing, scam, and quasi- spam emails.

Like any email, if you don’t get the message across immediately and bluntly, it won’t be read.

The email tends to be long as the copyright owner must explain who it is, why they are emailing, and what they know about the consumer’s behaviour to convince the consumer it is legitimate, and that the consumer needs to stop. ISPs tend to add their own message on top of the copyright owner’s email. They want to clarify what is happening, who it is coming from, that they are obligated to send it on, and they won’t reveal the consumer’s identity unless ordered by a court. And both of those messages might be in both official languages.

That is understandable, but until those messages are structured to start off simple and blunt, and explain all that below it, they won’t be effective.

Cross-posted to Slaw

Facebook: We’re updating our terms …

Most of us have received a number of emails pointing us to revised terms of use and privacy/data policies, or asking us to consent. These have been driven by the GDPR, the new privacy regime in the EU.

Facebook’s starts with:

Hi David,

We’re updating our Terms, Data Policy, and Cookies Policy to make sure you know how your data is used so you can make the choices that are right for you.

(You have all taken the time to read, understand and make informed choices under these, right?)

Facebook has been under increasing scrutiny over what it does with our information. Frankly, the notion of privacy is somewhat inconsistent with Facebook’s fundamental mission to share information. But at least Facebook is now complying with the tougher consent rules of the GDPR, and giving us the choices we deserve. Or are they?

At least one privacy advocate doesn’t think so. On the same day the GDPR took effect, Austrian lawyer Max Schrems launched complaints against Facebook through a crowdfunded group called None Of Your Business. The gist of the complaints is that Facebook’s consents are not compliant with the GDPR.

Even Apple is on the anti-Facebook, anti-tracking movement. At its WWDC developer conference this week it announced new features in its Safari browser to stop Facebook and others from collecting so much information.

Cross-posted to Slaw

Pizza delivery – in the not too distant future

In the not too distant future…

“Hey Google, order me a pizza – the usual, but a large this time, and have it delivered.”

Google Duplex calls pizza place. Pizza place AI bot answers the phone.  The bots talk to each other.

Robots make the pizza.

Pizza is loaded into an autonomous vehicle containing a pizza oven that cooks it on the way to me.

Autonomous vehicle texts me when 2 minutes away.

I meet it at the curb.  It authenticates me using voice or facial recognition and gives me the pizza.

 

Cross-posted to Slaw

Are you ready for PIPEDA’s privacy breach recording obligation?

In a recent blog post I talked about the new privacy breach notification requirements coming under PIPEDA this November 1. I said that perhaps the most challenging aspect is a requirement to maintain a “record of every breach of security safeguards involving personal information under its control.”

Why is that so challenging?

Many large companies already have this kind of procedure in place. But most business do not. Maintaining a record sounds easy. But this is not so simple when you think it through. First, the business must create a procedure and educate its staff to recognize breaches and report them to its privacy officer, even if they are not significant. No longer can the business rely on staff recognizing a breach because it is serious and obvious, or someone complains.

Then for each one the privacy officer must go through the analysis required under PIPEDA to determine if there is a “real risk of significant harm” that triggers a reporting requirement. The rationale for that decision must be recorded.

Why does it matter?

The Privacy Commissioner has the right to inspect any business’s breach record at any time. If a business does not report a breach when it is supposed to, or if they don’t keep a breach record, they can be subject to a fine of up to $100,000.

What you need to do about it.

Before November 1, every business subject to PIPEDA should put a breach recording procedure in place, educate their staff what a breach is, and how to report it to the privacy officer.

Cross-posted to Slaw

Home builder liability for IoT?

I was on a “Smart panel” discussing smart technology yesterday at the LSTAR Economic / Smart Technology Summit. Our panel had a good discussion around the benefits and privacy aspects of smart tech and the internet of things.

The context was in part the inclusion of smart tech in new homes. I made a brief comment about the possibility of liability to home builders, and thought it might be worth exploring that in more detail. IoT devices are notorious for their potential to be hacked. So much so that I’ve referred to them before as a gateway to mayhem. For various reasons, IoT devices (such as security cameras, door bells, water leak sensors) are often not properly secured. Once a hacker gets through one of these devices, they are inside the network and can do many nefarious things (such as stealing information, ransomware, and using the system to mine cryptocurrency).

How could a builder be liable if a breach happened on a house/condo/apartment they built?

Privacy torts are an emerging area, and the possible result is not certain. But it would be plausible for a class action to name the builder amongst the defendants. The cost to defend can be significant even if there is ultimately no liability.

How can builders reduce the risk?

Builder sale agreements include limitation clauses that limit their liability. But they may not be drafted broadly enough to limit liability for this kind of exposure. After all, they were drafted by real estate lawyers with physical building materials and equipment in mind, not this kind of risk. Builders should have their counsel review and revise if needed their limitation clauses to try to limit their liability for this risk.

New home warranty plans also tend to apply to physical items. Perhaps those plans should consider how this risk should be addressed.

Cyber risk insurance is also something to be considered.

On the practical front, builders should choose devices wisely. They should educate their buyers on the security and privacy issues around whatever devices and services are included. Either set up the devices properly, or instruct or help the buyers do it. That will both reduce the chances of a problem happening, and if a problem does occur, will reduce the chances that buyers will blame the builder.

PIPEDA privacy breach notification coming Nov 1

Effective Nov 1, 2018, businesses that have a privacy breach must give notice of the breach under PIPEDA – the privacy legislation affecting the private sector in most Canadian provinces. The final regulations containing the details are about to be published.

Here are the highlights.

When do I have to report?

If there is a privacy breach that “creates a real risk of significant harm to an individual”. That includes bodily harm, humiliation, damage to reputation, financial loss, identity theft. Risk factors to decide the reporting threshold are provided.  The report must be made “as soon as feasible after the organization determines that the breach has occurred.”

What do I have to report?

Circumstances of the breach, when it happened, what information was breached, steps taken to reduce the risk of harm, steps individuals can take to reduce risk, contact information.

Who do I have to report to?

The Privacy Commissioner, the individuals, and third parties that “may be able to reduce the risk of harm.” That third party requirement will require some pondering.

But wait, there’s more

Perhaps the most challenging aspect is a requirement to maintain a “record of every breach of security safeguards involving personal information under its control.” That must be shown to the Privacy Commissioner on request. The challenge is that there is no threshold, and every breach, even trivial ones, must be recorded.

What are the penalties?

Failure to report when required, and failure to keep the breach records can result in a penalty of up to $100,000.

What do I need to do now?

Businesses should review their privacy policies and processes and amend as needed. Record keeping systems must be put in place for recording all breaches. A breach reporting and incident response process should be put in place.

 

Cross-posted to Slaw

New Stuff & Old Laws

A common issue for new technology is the application of existing laws that were created before the new tech was contemplated. Examples include fintech (financial applications), fitness and health applications, and ridesharing services (such as Uber).

What is the issue?

Some activities and services are highly regulated. Financial services and the taxi industry are good examples. New entrants create innovative applications and services that compete with incumbents, but may or may not be regulated the same.

In some areas the entity may be regulated rather than the activity (often the case in fintech).

Laws sometimes prescribe a specific solution, rather than a desired result. Regulations around car headlights, for example, tend to specify how they must be built rather than how they must perform.

New tech may start out unregulated, but may as it develops creep into areas that are regulated. Fitness and health devices can easily become subject to medical device regulations (under the Food and Drugs Act) that impose certain requirements or licensing.

Why does it matter?

These issues for new tech have always been around – but the pace of change and innovation is getting much faster. Tech like cheap sensors, cheap connectivity, the increased power of smartphones, autonomous cars, blockchain, and artificial intelligence can be disruptive. Rapid, disruptive change makes it more difficult to get regulation right.

If you are the innovator, you may have legal issues to address that are not immediately apparent. The playing field may not be even, and can unfairly favour new players or incumbents. It can stifle or slow innovation – such as better headlight technology.

What to do about it?

Anyone developing new technology needs to think about where it fits within existing laws. Then either comply, make it different so it doesn’t need to comply, work with an incumbent, work with the regulators, or perhaps take some calculated risk.

Lawmakers face some tough issues. They should focus on evidenced based regulation rather than sticking with partisan or historical perspectives. Do existing regulations have the wrong focus and unintentionally distort the playing field? Does the new tech solve a problem in a different way than the regulations contemplate? Do existing regulations make sense in the modern context? Do they properly address a real issue? Do existing or proposed regulations help, or do they cause more problems than they solve?

 

Cross-posted to Slaw

Apply for trademarks now to save money?

Canada has made significant changes to the Trademarks Act, mostly to make it more consistent with international practice. Anyone considering applying for a trademark might want to file before the new rules come into force.

What is the issue?

In early 2019 the trademark application process will undergo significant changes. The changes include:

  • Not having to state first use dates or declare actual use
  • Registration term reduced from the current 15 years to 10
  • Adoption of the class system and a class based fee structure
  • Proof of distinctiveness needed for some types of marks

Why does it matter?

CIPO fees are now $450 per application no matter how many classes of goods and services are listed. The new fees will be $330 for the first class, plus $100 for each additional class. So any more than 2 classes will cost more. It is not unusual, depending on the nature of the goods and services, and whether include promotional items are included (eg if you sell hats or t-shirts that have your brand on it) to have several classes. Add to that the effective increase caused by getting only 10 years of protection vs 15. It is not clear yet how the proof of distinctiveness will work in practice, other than it will take more time and effort when required.

What to do about it

Businesses should ponder their trademark situation over the coming months and whether they might want to file for new marks or expanded uses at some point.   If so, they might save some money by applying before the new rules take effect.

Cross-posted to Slaw