snIP/ITs

Insights on Canadian Technology and Intellectual Property Law

The “Right to be Forgotten” Guideline from the Article 29 Working Party

Posted in Privacy
Barry Sookman

In the landmark ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014), the Court of Justice of the European Union (CJEU) recognized that search engines are controllers of the personal information they process. As such, they have the obligation, in appropriate cases, to de-list links to personal information in their search results.

The González decision left open questions about the scope of the duty and the criteria to be used in determining what links must be de-listed, something which Google, data protection authorities, and others had disagreed about. The Article 29 Data Protection Working Party has now released a Guideline addressing these controversial issues.

The Guideline is important in a number of respects. First, it provides a summary of how the DPAs interpret the decision of the CJEU. The summary will likely be looked to in future cases involving duties of search engines that include, but will not necessarily be limited to, the type of case that was before the CJEU. In the view of the Working Party:

  • Search engines are controllers of personal information they collect. Hence, all of the duties of controllers of personal information can be expected to apply to them.
  • The legal basis search engines rely on to process personal information without consent is to be found in Article 7(f) of Directive 95/46/EC, the necessity for the legitimate interest of the controller or of the third parties to which data is disclosed.
  • The processing carried out by search engines can significantly affect the privacy rights of individuals. When a balancing is done taking those interests into account against the freedoms of speech of search engines and the rights of individuals to access information, in many cases, the privacy rights of individuals will prevail.
  • Search engines, as independent controllers of personal information, have duties to act to de-list links to data, even if the information remains accessible from other sources.
  • Search engines are not required to completely de-list information about a data subject. The obligation focuses on search results based on the name of the individual.
  • Individuals have rights to go directly to search engines to request de-listings. If their requests are rejected, they can either go to the local DPA or to court to have their request adjudicated.
  • Individuals have a choice as to how to enforce their rights. They are not required to request all search engines to act. Presumably, this enables individuals to approach only Google, given its dominant share of the search engine market.

The Working Party also provided guidance in interpreting the scope of the obligations of search engines under the decision.

  • The ruling applies to general purpose search engines such as Google, Bing and Yahoo. It does not apply to search tools available on websites such as newspapers.
  • The decision applies to “everyone”. The literal wording of the Guideline suggests that it applies to citizens located anywhere in the world. This would extend to personal information about Canadians, collected in Canada, showing up in links in search results in the EU. In practice, it said that “DPAs will focus on claims where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU Member State.”
  • De-listing decisions must be implemented in a way that guarantees the effective and complete protection of the privacy rights of individuals and in a manner that prevents circumvention of EU law. Thus, contrary to the position that Google had taken after the decision was released, to comply with the decision “limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the judgment. In practice, this means that in any case de-listing should also be effective on all relevant domains, including .com.” This interpretation of the decision is consistent with the decision of the CJEU[1]  and with other decisions in the EU intended to protect the privacy of individuals such as Mosley v. Google[2] where a de-listing order was made against Google that extended to all search domains (e.g. google.com) from which information could be accessed.[3]
  • Contrary to the practice of some search engines, it is not appropriate to inform users of search engines that hyperlinks have been de-listed if it would suggest that an individual had made a request for the de-listing. Nor should search engines inform webmasters of the sites that are partially de-listed or contact them unless required to do so to get a better understanding of the circumstances of the case.

The Working Party also published a comprehensive annotated list of non-exclusive criteria to be taken into account in deciding whether to make de-listing orders.

The decision in the González case raises the question of whether Canadian courts will similarly recognize that search engines must comply with privacy laws such as PIPEDA. When the issue comes before the Office of the Privacy Commissioner and the courts, as it eventually will, they will be forced to determine important questions such as:

  • do search engines have consents, express or implied, to collect, use, and disclose the personal information they process in providing their services in Canada;
  • what exemption, if any, can search engines in Canada rely on to provide their services;
  • if they do not have the necessary consents and no exemption exists, would PIPEDA be found to violate the Charter of Rights and Freedoms as did Alberta’s PIPA in the United Food case;
  • how will Canadian courts balance the privacy rights of individuals against the interests protected by the Charter;
  • what is the scope of any obligation and when would the obligation to de-list links to personal information arise;
  • what criteria would be considered appropriate in deciding whether links to information should be de-listed; and
  • the territorial reach of PIPEDA to search engines that collect, use, and disclose personal information on a global basis.

Just as it seems inevitable that this issue will arise in Canada, it also seems inevitable that the González decision and the Article 29 Working Party Guideline will be referred to when it does. This makes recent privacy developments in the EU related to the “right to be forgotten” all the more relevant to Canadians.

________________________________

1. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014). Google had disputed that the de-listing order is global in scope. However, paragraphs 2 and 88 of the decision state:

Para 2 “The request has been made in proceedings between, on the one hand, Google Spain SL (‘Google Spain’) and Google Inc. and, on the other, the Agencia Española de Protección de Datos (Spanish Data Protection Agency; ‘the AEPD’) and Mr Costeja González concerning a decision by the AEPD upholding the complaint lodged by Mr Costeja González against those two companies and ordering Google Inc. to adopt the measures necessary to withdraw personal data relating to Mr Costeja González from its index and to prevent access to the data in the future.”

Para. 88 “In the light of all the foregoing considerations, the answer to Question 2(c) and (d) is that Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”

2. Mosley v. Google (Case No. 11/07970, Tribunal de Grande Instance de Paris, decision of November 6, 2013). Google Inc. was ordered to filter photos that had been taken in violation of Max Mosley’s privacy rights from search results retrieved using any of Google’s search engines including google.com.

3. Another de-indexing order was made against Google in Germany, also at the request of Max Mosley. See D. Crossley, “Case Law, Hamburg District Court: Max Mosley v Google Inc”, online: Inforrm’s Blog

First published on barrysookman.com.

SCC Holds Disclosure of Private Communications Engages Constitutional Rights

Posted in Privacy
Lisa Martz

In its Nov. 14, 2014 decision in Wakeling v. United States of America, 2014 SCC 72, the Supreme Court of Canada (SCC) held that s. 8 of the Canadian Charter of Rights and Freedoms (the Charter) (the right to be free from unreasonable search and seizure) applies to the disclosure of communications obtained through a wiretap to police authorities in a foreign jurisdiction.

The most hackable month of the year: steps companies can take to protect themselves from data breaches

Posted in Data Breach, E-Commerce, Privacy
Kirsten Thompson

In a few short days it will be Cyber Monday, the kickoff to the financial madness that is the holiday shopping season. For cybercriminals and fraudsters, December represents the mother lode of hackable data.

How big is the risk?

The malevolently inclined are getting more ambitious (a 2014 study by the Ponemon Institute that evaluated security-breach costs in the retail sector suggests that the average size of a breach is about 30,000 records) and more damaging (the average loss is now about $105 per stolen record). The same study estimated that the average cost of a cybercrime for the retailer is about $3.15 million. These are average numbers only: recent large-scale retail breaches have involved records in the millions, with costs similarly increased.

Mobile App Privacy Practices: The Office of the Privacy Commissioner of Canada Issues Tips For Communicating Privacy Practices to App Users

Posted in Privacy
David Crane

Communicating privacy practices to users of mobile apps can be challenging, especially given small screen sizes and the difficulty of capturing app user attention.  The Office of the Privacy Commissioner of Canada (OPC) has acknowledged these challenges and, in September 2014, published Ten Tips for Communicating Privacy Practices to Your App’s Users.

These tips were provided in connection with the findings of the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep, which the OPC participated in along with twenty-five other privacy enforcement authorities from around the world.

The GPEN Privacy Sweep assessed 1,211 apps with a focus on the information provided and consents requested with respect to the collection, use and disclosure of personal information. Certain findings of the GPEN Privacy Sweep are summarized in a news release issued by the OPC on September 10, 2014.

The Ten Tips for Communicating Privacy Practices to Your App’s Users build on the guidelines on good privacy practices for developing mobile applications jointly issued by the OPC and the offices of the Privacy Commissioners of Alberta and B.C. in 2012.

The key takeaways from the Ten Tips for Communicating Privacy Practices to Your App’s Users are:

  1. Be Transparent.  Issues and complaints arise when there is a lack of transparency around the collection, use and disclosure of personal information. Privacy practice information should be clear and specific (rather than generic or broad), taking into account the sophistication of the audience and “small screen challenge” of mobile devices.  Where personal information is not being collected, that fact should be clearly indicated.
  2. Explain the Data Being Requested and Collected. To obtain meaningful consent from app users, they need to be informed not just of the app’s ability to access personal information (including information made available through logins to third party social media accounts, such as Facebook), but also why that information is needed and how it will be used if consent is provided.  When requesting consent, the request needs to specifically cover the full scope of use (e.g. consent to access does not necessarily constitute consent for the collection, use or disclosure of personal information).
  3. Make, and Keep, Privacy Information Accessible.  It is recommended that privacy practice information be provided just-in-time (when it is most relevant, such as at a key decision point) and be included in the app itself rather than by providing a link to a website that has that information.  Users should be able to easily re-visit privacy practice information at any time (e.g. if an explanation is provided in a pop-up, the same explanation should be available in a location that is accessible after the pop-up has been dismissed).

To ensure compliance with Canadian privacy laws, app providers should take into consideration these tips provided by the OPC when developing and implementing privacy practices for their apps.

Supreme Court of Canada to Hear Landmark Pharmaceutical Section 8 Damages Case

Posted in Intellectual Property, Patents
Sanjaya Mendis

On October 30, 2014, the Supreme Court of Canada granted Sanofi-Aventis’ (“Sanofi”) application for leave to appeal a decision of the Federal Court of Appeal (2014 FCA 68). By granting leave to Sanofi, the Supreme Court will now consider for the first time the correct interpretation of, and the correct legal framework applicable to, quantifying section 8 damages under the Patented Medicines (Notice of Compliance) Regulations (“PM(NOC) Regulations”).

The PM(NOC) Regulations strike a balance between the interests of innovative pharmaceutical companies and generic manufacturers, by requiring generic manufacturers to address innovators’ patents before receiving approval from the Minister of Health to market their copycat drugs. This scheme provides a set of rights to innovative companies who develop new drugs and patents, and to generic manufacturers who market copies of such drugs at reduced prices.

Section 8 of the PM(NOC) Regulations provides generic manufacturers with a right to compensation for losses suffered during the period of delay caused in part by unsuccessful litigation brought under the PM(NOC) Regulations.

In the lower court’s decision, a divided Federal Court of Appeal disagreed about the correct legal framework applicable to quantifying Apotex Inc.’s section 8 damages for having been delayed entry for Ramipril to the Canadian market. Under the construct affirmed by the majority, the section 8 compensation awarded to Apotex in this single action was over $200 million. However, the dissent held that the legal framework used by the trial judge (and affirmed by the majority) is one that “inherently leads to windfalls” for both the plaintiff and other generic manufacturers seeking section 8 damages, a result the dissent found to have occurred in the case at bar, particularly when considering the combined effect of the multiple section 8 claims that have been advanced in respect of Ramipril.

The Supreme Court’s consideration of this issue will be of substantial precedential value and will inject clarity into the body of section 8 jurisprudence that has developed. Given the multitude of section 8 damages cases proceeding before the Federal and Provincial Courts, and the billions of dollars at stake in current and future actions, the Supreme Court’s decision will have important ramifications for the Canadian pharmaceutical industry and the public.

Sanofi is represented by Andrew Reddon, Steven Mason, David Tait and Sanjaya Mendis of McCarthy Tétrault LLP.

Lapse of Alberta PIPA Thwarted

Posted in Privacy
Roland Hung

In my blog dated October 17, 2014, titled “Impending Lapse of PIPA Creates Uncertainty”, I explored the consequences of PIPA being struck had the Alberta government failed to amend PIPA to comply with the Canadian Charter of Rights and Freedoms (the “Charter”) and meet the November 15, 2014 deadline.

Since my October 17, 2014 blog, I have had the opportunity to meet Jill Clayton, the Alberta Information and Privacy Commissioner. In my discussion with Jill Clayton, she advised me that, on October 31, 2014, the Alberta government was granted a 6-month extension to amend PIPA and ensure compliance. This means that it should be business as usual for the next 6 months.

CASL Enforcement: Much Ado About Nothing?

Posted in Anti-Spam
Kirsten Thompson

Was it all for nothing? CASL, I mean.

The mad rush towards the July 1, 2014 deadline, the thousands (in many cases, hundreds of thousands) of dollars spent on compliance, the escalating salvo of shrill e-entreaties to please, please, please provide consent.

All the hype, all the fuss and….nothing. Was it Y2K all over again?

Complaints

From the perspective of organizations, the eerie calm may indeed be reminiscent of those first few seconds past midnight on January 1, 2000. For the CRTC, however, the regulatory wheels have been furiously churning for months. Unlike Y2K, the first few hours after July 1, 2014 saw the CRTC online spam reporting go live, with newly hired staff (news reports variously reported 15 and 30 new employees) ready to start processing complaints. And complaints there were.

Speaking on July 4, 2014, the CRTC’s chief compliance and enforcement officer Manon Bombardier told media that over one thousand complaints had been submitted in the first two days. By July 9, 2014 that number was up to 12,000. By the end of July, it was edging past 50,000. By October 7, 2014, 120,000 irate Canadians had filed complaints.

Will all of these complaints be investigated? Even the CRTC has acknowledged that is unlikely. It has promised that all complaints will be reviewed, but will be selective when it decides whether a complaint will be investigated.

Impending Lapse of PIPA Creates Uncertainty

Posted in Privacy
Roland Hung

On November 15, 2013, the Supreme Court of Canada struck down the Alberta Personal Information Protection Act (“PIPA”) in Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401, 2013 SCC 62 (“United Food”), and despite a one-year stay to allow for necessary amendments, delay on the part of the Alberta government has caused PIPA’s lapse to become an inevitability.

The SCC found that sections of PIPA violated the right to freedom of expression enshrined in s. 2(b) of the Canadian Charter of Rights and Freedoms (the “Charter”). Further, the SCC found PIPA unconstitutionally overbroad in that it deemed “virtually all personal information to be protected regardless of context,” thus infringing the right to freedom of expression in a manner disproportionate to the government’s objective (United Food at para 25).

Canada and the EU Successfully Conclude CETA: What It Means to the Pharmaceutical Industry

Posted in Intellectual Property, Patents
Sanjaya Mendis, Steve Mason

On September 26, 2014, Prime Minister Harper announced that Canada and the European Union have successfully concluded negotiations on a new trade agreement, the Comprehensive Economic and Trade Agreement (CETA) that was five years in the making, and publicly released the consolidated text of the agreement.

CETA is deeper in substance and broader in scope than any other such agreement in Canadian history, significantly affecting all economic areas, including the pharmaceutical sector.

The CETA chapter on intellectual property is of particular interest to the pharmaceutical industry, because it will introduce into Canada for the first time:

  • additional (sui generis) patent protection for pharmaceutical products; and
  • effective rights of appeal for Patented Medicines (Notice of Compliance) (PM(NOC)) litigants

Bitcoin accepted here? Funding M&A transactions by way of Bitcoin

Posted in E-Commerce, M&A/Finance
Ana Badour

There is no denying the increasing popularity and notoriety of the virtual currency Bitcoin.  Bitcoin market capitalization currently stands in the billions of dollars, with over 13 million Bitcoins having been mined and made available for circulation.  An increasing number of merchants, including Dell, have begun accepting payment by way of Bitcoin.  The list of goods and services that have been purchased with Bitcoin now includes university tuition, airline tickets, cars, and pizza delivery.  Some companies have started paying employees in Bitcoins.  Canada in particular has been a world leader in Bitcoin ATMs: the first Bitcoin ATM in the world was installed in Vancouver and a number of Bitcoin ATMs have now been installed in other Canadian cities.  Canada also stands second, behind the US, in global rankings in the amount of venture capital invested in Bitcoin companies according to a recent study by the Montreal Economic Institute.  Will funding M&A transactions by way of Bitcoins in Canada be next?