Cars and the data they share

Anyone interested in cars and the data they will increasingly collect should read the article in the November Automobile magazine titled The Big Data Boom – How the race to monetize the connected car will drive change in the auto industry.

It talks about how much data might be generated (4,000 GB per day), how that sheer volume will be handled, and how it might be monetized. And the challenges of cybersecurity and privacy.

Auto makers are well aware of the privacy issues.  Challenges will include how to deal with privacy laws that vary dramatically around the world.  Will they default to the highest standard? Or will the data be valuable enough to make it worth their while to deal with information differently in different countries?

How will auto makers give drivers comfort that their information will be secure and won’t be misused?  How will they explain what info will be anonymized, and what will remain identified with the driver?

How many drivers will not be eager to share driving info with insurers and others either for privacy reasons or skepticism about what arbitrary decisions about them will be made based on that info?

For more about this topic, see this post I wrote a few months ago.  It is also on the agenda for the upcoming Canadian IT Law Association conference.

Cross-posted to Slaw

Canadian IT Law Association annual conference

I just signed up to attend the fall IT-Can conference, and thought the conference was worth mentioning.  It is a consistent high quality conference for lawyers practicing in the IT/IP fields, and for others such as CIO’s.

Topics this year include fintech, quantum computing, blockchain and smart contracts, connected vehicles, big data, health care tech, cybersecurity, and control over online content.

Perhaps I’ll see you there in Toronto on Oct 23.

Cross-posted to Slaw

PIPEDA privacy breach notification regulations published for comment

The draft privacy breach regulations under PIPEDA have just been published.  They are open for comment for 30 days.

These regulations detail the mechanics of notifying the Privacy Commissioner and individuals when there is a privacy breach.   PIPEDA was amended some time ago to require mandatory notification when there is a breach that results in “real risk of significant harm”.  Those provisions will come into force after the regulations are passed.

The draft regulations are about what were expected.  They are similar to those under Alberta privacy legislation.

I agree with David Fraser’s view that section 4(a) that says notification to individuals can be sent “by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner” is uncalled for.  A notice of this nature is not spam, and it does not make sense to require that an individual has given consent for communication in that manner to notify of a privacy breach.  These notifications are for the benefit of the individual, so why make it harder for organizations to send it?

The amendments and regulations have provisions requiring organizations to keep records of all privacy breaches, including information that allows the Privacy Commissioner to determine if the organization properly considered the notice threshold tests.  In other words, organizations must be able to prove that any decision not to notify was justified.

Cross-posted to Slaw

Artificial Intelligence and the Legal Profession

Artificial Intelligence is going to have a disruptive effect on the legal profession.  The question is how soon, how much, and what areas of law come first.  This kind of disruptive change builds up slowly, but once it hits a tipping point, it happens quickly.

Futurist Richard Worzel wrote an article titled Three Things You Need to Know About Artificial Intelligence  that is worth a read.  Here are some excerpts:

Every once in while, something happens that tosses a huge rock into the pond of human affairs. Such rocks include things like the discovery of fire, the invention of the wheel, written language, movable type, the telegraph, computers, and the Internet. These kinds of massive disturbances produce pronounced, remarkable, unexpected changes, and radically alter human life.

Artificial Intelligence is just such a rock, and will produce exactly those kinds of disturbances. We’re not prepared for the tsunami that AI is going to throw at us.

But now AI is becoming a reality, and it is going to hit us far faster than we now expect. This will lead to an avalanche of effects that will reach into all aspects of our lives, society, the economy, business, and the job market. It will lead to perhaps the most dramatic technological revolution we have yet experienced – even greater than the advent of computers, smartphones, or the Internet.

The legal profession seems to be particularly susceptible to early occupation by AIs:

“At JPMorgan Chase & Co., a learning machine is parsing financial deals that once kept legal teams busy for thousands of hours. The program, called COIN, for Contract Intelligence, does the mind-numbing job of interpreting commercial-loan agreements that, until the project went online in June, consumed 360,000 hours of work each year by lawyers and loan officers.”

So, before June of 2017, lawyers and loan officers spent 360,000 hours a year interpreting commercial loan agreements for JPMorgan Chase. Since June, that specific kind of work has vanished.

Cross-posted to Slaw

Transport Canada publishes draft drone rules – still not hobbyist friendly

In March I wrote about Transport Canada’s overly restrictive drone rules.  A few weeks ago they lightened those rules a bit.

Transport Canada just released draft permanent rules for comment.  They propose a complex set of rules that vary among 5 different categories of drone.  While the proposed rules will make commercial use a bit easier, they are not friendly to personal use.

MobileSyrup details the proposed rules and comments that: “The new rules, if approved, would dramatically reduce the paperwork burden on both Transport Canada and commercial drone operators, but they would also increase the costs for all pilots while their impact on air safety remains uncertain.”

Unless the drone is 250 grams or less, even hobbyists must have insurance, and must pass a written test.  Drones must also be compliant with a yet to be named standard.

This is being done in the name of safety, but strikes me as being overly complex and burdensome.  The rules are open for comment until mid October.

Cross-posted to Slaw

Feds crack down on use of word “banking” by non-banks

OSFI just issued an advisory threatening to bring criminal sanctions against non-banks that use the words “bank”, “banker”, or “banking”.  Their cover note gives specific dates by which use must stop.  This derives from section 983 of the Bank Act, which says in part that a non-bank can’t use: “… the word “bank”, “banker” or “banking” to indicate or describe a business in Canada or any part of a business in Canada…”.  Examples given of improper use include: “Come do your banking with us”, “Automated Banking Machine”, “Bank Accounts”, “Better Banking”, and “Mobile Banking”.  It also says they can’t advertise under a “banks” heading of a directory.

The Canadian Credit Union Association was quick to respond with a press release saying:  “Ottawa is telling credit unions to stop using the words Canadians use to describe the work we do … This rule will prevent credit unions from advertising their ‘business banking’ services or even having an ‘on-line banking’ button on a website.”  And that: “OSFI has taken a position that is inconsistent with its past practices and with common sense.”

What do readers think?

Is this crackdown needed to stop confusion in the marketplace and to preserve the rights of banks?

Have terms like “banking” become a generic and acceptable way for credit unions and other non banks to describe their services?

Cross-posted to Slaw

Supreme Court of Canada overrides forum clause in Facebook agreement

The Supreme Court of Canada has decided that a British Columbia privacy class action may proceed against Facebook in the courts of BC, despite the contract naming California as the forum for legal actions.

My personal view is that in business to consumer contracts, if a court decides that a local law is important enough, or if the actions of the business offends local sensibilities, it will find a way to apply local laws and hear the case. This Douez v Facebook decision will be relevant for any future actions in Canada that question the applicability of portions of online or other business to consumer agreements.

Here are some points to take away from the case.

  • The decision only decided that the class action may proceed in BC. The substantive privacy claim has yet to be litigated.
  • The decision shows how difficult this issue is to decide. Of the 7 SCC judges, there were 2 different majority opinions, and a dissent by 3 judges. They were fairly consistent about the test, but came to different conclusions based on the facts and legal philosophy.
  • The case was decided based on the BC Privacy Act that includes a statutory privacy breach tort. It remains to be seen how it would apply to other provinces that may only have a common law privacy tort. Or how it would apply to other issues.
  • It does not render choice of law clauses irrelevant. Nor does it render click-wrap agreements unenforceable. It is still important for vendors to include clear choice of law and forum clauses.
  • It has created uncertainty, and vendors need to know that courts may choose to override forum clauses and perhaps others. The fairer a court perceives the document to be in general (especially in the context of local laws), the more likely it will be followed.
  • Getting privacy right is crucial. If vendors offer services to those in countries with strong privacy laws, they must pay close attention to those laws when designing their products and new features. That includes developing Canadian laws, and for those providing services to European customers, the pending GDPR.

Cross-posted to Slaw

CASL private right of action suspended – but CASL is still here

The Canadian government has suspended the CASL private right of action that was to have come into force on July 1.  The private right of action (most likely in the form of class actions) would have allowed people to sue anyone for sending spam.  Or more accurately for those who violated the technical provisions of CASL.

This is a welcome move.  But while we can breathe a sigh of relief that this remedy is gone, CASL still remains in force and must be complied with.

The government’s press release said:

Canadians deserve an effective law that protects them from spam and other electronic threats that lead to harassment, identity theft and fraud. At the same time, Canadian businesses, charities and non-profit groups should not have to bear the burden of unnecessary red tape and costs to comply with the legislation. 

The Government supports a balanced approach that protects the interests of consumers while eliminating any unintended consequences for organizations that have legitimate reasons for communicating electronically with Canadians. 

For that reason, the Government will ask a parliamentary committee to review the legislation, in keeping with the existing provisions of CASL.

There is no indication that the CRTC will lighten up its enforcement against those who try to comply with the spirit of the legislation, but can’t get the technical details right.

We don’t know how long this review process will take or how long it might be until changes are passed.

And frankly I’m skeptical that the “balanced approach” will go nearly as far as I and others would like to see it go.  I (and I’m certainly not alone in this) have maintained from the start that CASL is one of the most ill-conceived, badly written, impractical pieces of legislation I’ve ever seen.  It provides little benefit – at a great cost.  Tinkering with the legislation won’t fix it – it needs a major overhaul.

Cross-posted to Slaw

CASL class actions are looming

The private right of action for sending spam in violation of CASL comes into force on July 1.  Many companies are dreading it – some class action lawyers can’t wait.  The right thing for the government to do would be to completely scrap CASL – the statute is that bad and ill-conceived.  But wishful thinking won’t make it go away.

At the moment, CASL violators are subject to enforcement proceedings by the CRTC. But after July 1, those who have been spammed in violation of CASL can sue the sender.  Here are some things to keep in mind about the private right of action.

  • Individuals can sue a CASL violator – but class actions are most likely.
  • CASL does not say if the right applies only to violations that occur after July 1.  That would be the most obvious interpretation, but expect plaintiffs to say it is retroactive.
  • In addition to the CASL anti-spam formalities, the right of action applies to the anti-harvesting provisions CASL added to PIPEDA, and the email false advertising provisions CASL added to the Competition Act.
  • Damages include actual damages plus statutory damages calculated in a couple of ways – $200 per violation or up to a million dollars per day.  It could get expensive.
  • Directors and officers are at risk to be sued.
  • Depending on timing, a notice of violation from the CRTC or entering into an undertaking with the CRTC may stay a court action.  The reverse also applies – a court can prevent an undertaking or notice of violation.  Potential defendants may have some influence over picking their poison.
  • Due diligence defences are available to mitigate the damage amount.

Cross-posted to Slaw

Lessons from the United passenger “re-accommodation”

The recent United Airlines incident where a passenger was dragged off the plane because United wanted the seat for a United employee is a good reminder of some social media realities.

The obvious lesson is to not bloody your passengers and drag them off your plane.  Or that just because you have the right to do something, doesn’t mean it’s the right thing to do.

But sometimes bad stuff happens.  And often someone is there to record and publish it for the world to see.

When that happens, the social media / public relations lesson is to not react in a way that makes it worse.  Don’t, for example, issue a statement talking about passenger “re-accommodation” that doesn’t suggest any kind of apology or sympathy.  Don’t try to deflect responsibility by talking in terms such as an “involuntary de-boarding situation” – or by focussing blame on the passenger.  And don’t justify it based on your policies or legal rights.  The court of public opinion doesn’t care much about that.

It wasn’t until the third attempt at a response from the CEO that the tone was one of apology and accepting responsibility.

In this case, outrage about the incident was followed by equal outrage about United’s reaction.  It resulted in a social media firestorm and some rather amusing barbs and parodies.

United’s stock lost over a billion dollars at one point yesterday.

The bottom line is if your firm is being lambasted on social media – don’t be tone deaf and defensive about it.  Take a few minutes to look at it from the public’s perspective before you respond.

Cross-posted to Slaw