On January 14, 2015, the Federal Court of Appeal released its reasons and judgment in Philip Morris Products S.A. v. Marlboro Canada Limited, 2015 FCA 9. The Court dismissed the appeal, finding that Justice de Montigny of the Federal Court made no reviewable error in awarding the respondents over $1 million in legal costs and disbursements. The award amounted to nearly half of the respondents’ actual costs.
It is rumoured that Bill 12, which amended the Alberta Health Information Act (“HIA”) and was passed on May 14, 2014, will come into force this year. Bill 12 made 3 significant changes to the HIA:
- adds mandatory breach notification provisions;
- authorizes the Office of the Information and Privacy Commissioner (“OIPC”) to disclose information about a breach in certain situations; and
- creates new offences and penalties.
We will discuss these 3 amendments in turn.
On January 20, 2015, the US Supreme Court rendered its precedent-setting decision in Teva, which reversed the Federal Circuit’s practice of reviewing all District Court claim constructions de novo on appeal. Instead, the Supreme Court found that some decisions are entitled to deference because they rest on factual findings, which requires Courts of Appeal to apply a “clear error” standard of review. This brings the US methodology for reviewing claim constructions more in line with the Canadian approach.
On January 7, 2015, Justice de Montigny of the Federal Court released his judgment and reasons in Eli Lilly Canada Inc. v. Mylan Pharmaceuticals ULC, 2015 FC 17, allowing Lilly’s application for an order prohibiting the Minister of Health from issuing a Notice of Compliance to Mylan until the expiry of Canadian Patent No. 2,226,784 (the “‘784 Patent”). The patent relates to Lilly’s successful erectile dysfunction (“ED”) drug CIALIS® (tadalafil).
The Court found that Mylan’s allegations of invalidity on the basis of lack of utility and obviousness-type double patenting were unjustified. Justice de Montigny’s reasons signal the Court’s continuing hesitation to impute potentially invalidating promises of utility if they are not clearly and explicitly stated in the patent. Further, the case establishes that the relevant date for conducting the double patenting analysis is the earlier patent’s claim date.
Copyright infringement is normally a factual question – it doesn’t matter whether one intended to copy a substantial part of someone else’s original expression if, in fact, one did so – but there are circumstances where the alleged infringer’s state of mind does matter. Knowledge is relevant to secondary infringement under s. 27 of the Canadian Copyright Act, or to the assessment of statutory damages under s. 38.1, for example. Willful infringement may also be relevant to the applicable limitation period, to the assessment of costs or punitive damages, or to piercing the corporate veil.
Rights holders often want to put an alleged infringer on notice of the rights that they claim. What does it take for such a notice to establish a state of mind of knowing or willful infringement? A recent decision of the United States Court of Appeals for the Eleventh Circuit, while not directly applicable in Canada, offers some clues.
Just in time for the new year, Alberta’s Personal Information Protection Act (“PIPA”) was amended by Bill 3, which came into force on December 17, 2014. These amendments were in response to the Supreme Court of Canada decision striking down PIPA in Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401, 2013 SCC 62 (“United Food”) on the basis that it infringed the union’s freedom of expression.
On December 31, 2014, the Canada Gazette published an order proclaiming into force sections 2, 5 and 6, subsection 7(6) and sections 43, 44 and 60 of the Combating Counterfeit Products Act, c. 32, S.C. 2014, as of January 1, 2015. The Act itself received Royal Assent on December 9, 2014.
The principal effect of this order is to bring into force new border enforcement measures intended to combat the importation or exportation of trade-mark or copyright-infringing goods. These measures involve three main features:
- Prohibitions on importation and exportation of infringing copies or goods under the Copyright and Trade-Marks Acts, respectively, which provide a basis for detention of the goods in question by the Canadian Border Services Agency (CBSA) under s. 101 of the Customs Act;
- A mechanism by which rights-holders can request the assistance of the CBSA to enforce their rights; and
- A mechanism by which the CBSA can provide information to rights-holders about suspect shipments and, potentially, the identity of the parties involved; samples of the allegedly infringing goods; and access to inspect the goods.
The assessment of a corporation’s cyber risks is part of a board of directors’ general risk oversight responsibilities. Since lawsuits, including class actions, are often commenced soon after a data breach, directors and officers should now consider that the board’s oversight of cyber risks may also be closely and thoroughly scrutinized in future litigation and regulatory investigations.
On October 20, 2014, a New Jersey Court dismissed a shareholder derivative suit that sought damages notably from the directors and officers of Wyndham Worldwide Corp. (“WWC”) for several data breaches. This decision is the first decision issued in the US in a shareholder derivative claim arising out of data breaches. The decision is important and instructive for board members since it provides examples of approaches to cyber risk oversight which directors and officers may implement to help shield them from liability in the context of data breaches.
The relevant facts and the claim
In the course of its business, WWC collects the personal and financial information of clients, including payment card account numbers, expiration dates and security codes. Between 2008 and 2010, WWC suffered several data breaches that resulted in the theft of credit card information of more than half a million of its clients. In April 2010, the Federal Trade Commission began investigating the data breaches and commenced legal action against WWC over its security practices.
In November 2012, a shareholder sent a letter to WWC’s board requesting that WWC commence a lawsuit against the members of the board. The shareholder alleged that the directors and officers were liable to WWC for breach of fiduciary duty. The board’s audit committee mandated external lawyers to assess the shareholder’s demand. Counsel investigated the allegations and concluded that they were not founded. WWC therefore decided not to commence any proceedings against the board members.
In June 2013, shareholder Dennis Palkon (“Palkon”) provided WWC with another letter reiterating the demand. This second demand was also dismissed as unfounded, based on the investigation that had been done previously. Palkon then commenced a derivative action on behalf of WWC against the board members for breach of the fiduciary duties of care and loyalty, corporate waste and unjust enrichment. It was alleged that the directors and officers were responsible for the following:
- failing to oversee and implement the proper internal controls to protect the personal and financial information of clients;
- allowing WWC to conceal the data breaches from investors and clients;
- failing to conduct a reasonable investigation;
- negligently refusing to commence proceedings against the board members.
On October 20, 2014, Justice Stanley R. Chesler dismissed Palkon’s derivative action with prejudice, based on the finding that WWC had done a reasonable investigation into the data breaches following the initial demand to commence proceedings against the board members. Therefore, the decision not to commence proceedings was protected by the business judgment rule.
The investigation that led to this decision demonstrated that prior to the data breaches, WWC had cybersecurity policies and internal controls in place. These had been discussed numerous times at the board level. After the data breaches, more than 10 board meetings took place where WWC’s security policies, internal controls and security enhancements were discussed. The audit committee also held more than 15 meetings in the context of its investigation of the data breaches to review the policies, procedures and internal controls related to cybersecurity. WWC’s Board had therefore based its decision not to commence proceedings against the board members on a thorough investigation of their conduct prior to and after the data breaches.
This decision by Justice Chesler to dismiss the action underlines the importance of direct board involvement in addressing cybersecurity, both before and after a data breach occurs.
In light of the decision rendered in the WWC case, the following are examples of steps that management and the board could now consider in identifying and assessing the corporation’s cybersecurity risks:
- Adopting written cybersecurity policies, procedures and internal controls:
  - The incident plans and protocols should consider whether and how cyber-attacks should be disclosed to customers, investors, regulators, law enforcement, etc.; and
  - An incident response team should be identified and clear responsibilities given to each member.
- Implementing methods to detect the occurrence of a cybersecurity event.
- Management and board members could discuss the appointment of a chief information officer or a chief information security officer with the expertise to meet regularly with and advise the board.
- Consideration could be given to appointing a board member with cybersecurity expertise and experience (or the board should seek out an expert who can provide presentation(s) to the board in this regard).
- The board should review annual budgets for privacy and IT security programs.
- The board should receive regular reports on breaches and cyber risks.
- The board should have a clear understanding of who in management has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices.
Palkon v. Holmes et al., Civil Action No. 14-CV-01234 (SRC), which can be found at http://law.justia.com/cases/federal/district-courts/new-jersey/njdce/2:2014cv01234/300630/49/
These recommendations are notably inspired by the presentation by Securities and Exchange Commission commissioner Luis A. Aguilar dated June 10, 2014, entitled “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus”, which can be found at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946, and by the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity”, which can be found at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
In the landmark ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014), the Court of Justice of the European Union (CJEU) recognized that search engines are controllers of the personal information they process. As such, they have the obligation, in appropriate cases, to de-list links to personal information in their search results.
The González decision left open questions about the scope of the duty and the criteria to be used in determining which links must be de-listed, matters on which Google, data protection authorities, and others had disagreed. The Article 29 Data Protection Working Party has now released a Guideline addressing these controversial issues.
The Guideline is important in a number of respects. First, it provides a summary of how the DPAs interpret the decision of the CJEU. The summary will likely be looked to in future cases involving duties of search engines that include, but will not necessarily be limited to, the type of case that was before the CJEU. In the view of the Working Party:
- Search engines are controllers of personal information they collect. Hence, all of the duties of controllers of personal information can be expected to apply to them.
- The legal basis search engines rely on to process personal information without consent is to be found in Article 7(f) of Directive 95/46/EC, the necessity for the legitimate interest of the controller or of the third parties to which data is disclosed.
- The processing carried out by search engines can significantly affect the privacy rights of individuals. When those interests are balanced against the freedom of expression of search engines and the right of individuals to access information, the privacy rights of individuals will prevail in many cases.
- Search engines, as independent controllers of personal information, have duties to act to de-list links to data, even if the information remains accessible from other sources.
- Search engines are not required to completely de-list information about a data subject. The obligation focuses on search results based on the name of the individual.
- Individuals have rights to go directly to search engines to request de-listings. If their requests are rejected, they can either go to the local DPA or to court to have their request adjudicated.
- Individuals have a choice as to how to enforce their rights. They are not required to request all search engines to act. Presumably, this enables individuals to approach only Google, given its dominant share of the search engine market.
The Working Party also provided guidance in interpreting the scope of the obligations of search engines under the decision.
- The ruling applies to general purpose search engines such as Google, Bing and Yahoo. It does not apply to search tools available on websites such as newspapers.
- The decision applies to “everyone”. The literal wording of the Guideline suggests that it applies to citizens located anywhere in the world. This would extend to personal information about Canadians, collected in Canada, showing up in links in search results in the EU. In practice, it said that “DPAs will focus on claims where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU Member State.”
- De-listing decisions must be implemented in a way that guarantees the effective and complete protection of the privacy rights of individuals and in a manner that prevents circumvention of EU law. Thus, contrary to the position that Google had taken after the decision was released, to comply with the decision “limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the judgment. In practice, this means that in any case de-listing should also be effective on all relevant domains, including .com.” This interpretation of the decision is consistent with the decision of the CJEU and with other decisions in the EU intended to protect the privacy of individuals such as Mosley v. Google where a de-listing order was made against Google that extended to all search domains (e.g. google.com) from which information could be accessed.
- Contrary to the practice of some search engines, it is not appropriate to inform users of search engines that hyperlinks have been de-listed if it would suggest that an individual had made a request for the de-listing. Nor should search engines inform webmasters of the sites that are partially de-listed or contact them unless required to do so to get a better understanding of the circumstances of the case.
The Working Party also published a comprehensive annotated list of non-exclusive criteria to be taken into account in deciding whether to make de-listing orders.
The decision in the González case raises the question of whether Canadian courts will similarly recognize that search engines must comply with privacy laws such as PIPEDA. When the issue comes before the Office of the Privacy Commissioner and the courts, as it eventually will, they will be forced to determine important questions such as:
- do search engines have consents, express or implied, to collect, use, and disclose the personal information they process in providing their services in Canada;
- what exemption, if any, can search engines in Canada rely on to provide their services;
- if they do not have the necessary consents and no exemption exists, would PIPEDA be found to violate the Charter of Rights and Freedoms as did Alberta’s PIPA in the United Food case;
- how will Canadian courts balance the privacy rights of individuals against the interests protected by the Charter;
- what is the scope of any obligation and when would the obligation to de-list links to personal information arise;
- what criteria would be considered appropriate in deciding whether links to information should be de-listed; and
- the territorial reach of PIPEDA to search engines that collect, use, and disclose personal information on a global basis.
Just as it seems inevitable that this issue will arise in Canada, it also seems inevitable that the González decision and the Article 29 Working Party Guideline will be referred to when it does. This makes recent privacy developments in the EU related to the “right to be forgotten” all the more relevant to Canadians.
1. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014). Google had disputed that the de-listing order is global in scope. However, paragraphs 2 and 88 of the decision state:
Para 2 “The request has been made in proceedings between, on the one hand, Google Spain SL (‘Google Spain’) and Google Inc. and, on the other, the Agencia Española de Protección de Datos (Spanish Data Protection Agency; ‘the AEPD’) and Mr Costeja González concerning a decision by the AEPD upholding the complaint lodged by Mr Costeja González against those two companies and ordering Google Inc. to adopt the measures necessary to withdraw personal data relating to Mr Costeja González from its index and to prevent access to the data in the future.”
Para. 88 “In the light of all the foregoing considerations, the answer to Question 2(c) and (d) is that Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”
2. Mosley v. Google (Case No. 11/07970, Tribunal de Grande Instance de Paris, decision of November 6, 2013): Google Inc. was ordered to filter photos that had been taken in violation of Max Mosley’s privacy rights from search results retrieved using any of Google’s search engines, including google.com.
3. Another de-indexing order was made against Google in Germany, also at the request of Max Mosley. See D. Crossley, “Case Law, Hamburg District Court: Max Mosley v Google Inc”, online: Inforrm’s Blog.
First published on barrysookman.com.
In its Nov. 14, 2014 decision in Wakeling v. United States of America, 2014 SCC 72, the Supreme Court of Canada (SCC) held that s. 8 of the Canadian Charter of Rights and Freedoms (the Charter) (the right to be free from unreasonable search and seizure) applies to the disclosure of communications obtained through a wiretap to police authorities in a foreign jurisdiction.