Cybersecurity

Overview

Read our white paper on what to do before, during and after a cyber incident

Complete our analysis questionnaire on cybersecurity needs.

Now more than ever, companies of all sizes and in every field must pay particular attention to the issue of cybersecurity.

The rise in cyberattacks and costs associated with data leaks is well documented. Indeed, the mobility of information in a telecommuting context, the use of cloud storage, process automation and the increased connectivity of organizational systems increase organizations’ vulnerability to cyberattacks. Data leaks can adversely affect not only an organization’s reputation with the public, but also the management and continuity of its day-to-day business.

In addition, legislative and regulatory requirements for public and private sector companies that hold personal data and information are also being enhanced, as evidenced, in particular, by the National Assembly of Québec’s very recent adoption of Bill 64 in the wake of high-profile security incidents.

Our expertise

Our service offer covers all aspects of cybersecurity, including identifying risks, understanding the issues at stake, implementing best practices in cyber vigilance and providing support should a company be sued following a breach of confidentiality.

Lavery’s team has extensive experience and expertise, particularly in crisis management with respect to:

  • Protection of personal and other sensitive data
  • Information technology
  • Technology governance
  • IT risk management
  • Disputes (including class actions)
  • Labour and employment law

Our team keeps abreast of legislative changes regarding personal information, an area currently undergoing rapid change. It also has an understanding of cutting-edge technology, including the Internet of Things, artificial intelligence and quantum computing, all of which will drastically affect cybersecurity practices in the coming years.

Service offer to private and public institutions

As we know that legal matters represent only a fraction of the issues that need to be addressed with respect to an organization’s cyber vigilance, our service offer includes legal services geared towards IT security management and non-legal services that combine a range of prevention and response measures to provide an effective and operational solution based on four criteria:

  • Strategy and transformation: Developing strategies and programs that focus on business needs and risks and support growth and resilience by making cybersecurity and privacy a company-wide priority.
  • Incident and threat management: Preparing for, identifying, responding to, investigating and handling threats with confidence.
  • Consumer privacy and protection: Designing, implementing and running a privacy program that enables your organization to maximize the use of data in accordance with the law, while building consumer trust.
  • Implementation and operations: Designing, implementing, running and improving the use of cybersecurity technologies and continuously monitoring your environment to detect and contain threats to your business.

Service offer to SMEs

Our firm has developed a cybersecurity service offer to, in particular, analyze companies’ needs in this area and identify possible flaws that require their attention.

As a first step, your organization must complete a cybersecurity needs analysis questionnaire.

Once the questionnaire is completed, we are able to establish a diagnosis, propose solutions and an action plan to remedy problematic aspects and guide you in implementing our recommendations on the following:

  • Cybersecurity governance: A sound decision-making process is important for any business when it comes to cybersecurity.
  • Processes related to employees, suppliers and subcontractors: A business’ decisions and policies respecting cybersecurity must be properly communicated not only within the organization, but also with all stakeholders.
  • Protection of personal information and data, and Canada’s anti-spam legislation: If your organization collects data or personal information as part of its operations, it must do so in accordance with the law.
  • Technical and technological component to increase cybersecurity: Legal and strategic advice associated with implementing the action plan following our cybersecurity needs analysis.

Representative mandates

  • Advised one of the largest professional orders in Quebec regarding a major computer security breach affecting its employees and members.
  • Advised a major Canadian chemical company on the theft of its employees’ and customers’ personal data.
  • Advised a Canadian tax and financial planning association following a cyberattack on its IT service provider.
  • Advised and provided a legal opinion to one of the most prominent public organizations in Quebec on the appropriateness and content of an incident report resulting from a breach of confidentiality following a cyberattack.
  • Advised a multinational tobacco company on the measures to be implemented in the event of a computer security breach and reviewed its policies, guidelines and response plans in this regard.
  • Provided training to executives of a multinational cybersecurity insurance organization.
  • Provided training to a major accounting and tax firm on cybersecurity and privacy.
  • Advised a Crown corporation on applying the General Data Protection Regulation (GDPR) and created a matrix to identify cases where this European legal framework, which includes rules on IT security breaches, should be applied.
  • Participated in data protection IT audits for various companies as part of a partnership with an international consulting firm.
  • Advised a Canadian vehicle parts company that was held to ransom following an unwarranted intrusion into its databases containing all of the technical drawings of its American and European vehicle manufacturer clients.
  • Reviewed the physical and software security rules of two major Canadian financial institutions’ IT and telecommunications systems and negotiated and drafted the physical and software security obligations incumbent on the service provider to which the operation of these systems was outsourced in order to ensure adequate contractual protection for the financial institutions against any breach of confidentiality of personal and other sensitive data entrusted to the service provider.
  • Assisted a European law firm with a major employee and supplier data breach involving a multinational electronics company and its subsidiaries in several jurisdictions around the world.
  • Advised a publicly traded company in the implementation of IT governance and security measures for the sharing of trade secrets between its various sites in Canada, the United States and Europe.
  • Represented a European company that was the victim of a cyber incident to claim damages from those responsible for the incident located in Canada.
  1. Application for an interim injunction: Manufactured urgency is not a 9-1-1 emergency

    On March 3, 2025, Superior Court Justice Nancy Bonsaint dismissed an application for an interim interlocutory injunction that would allow Les Entreprises de la Batterie inc. to use a property it did not own for major construction work on its building. The judgment serves as a reminder that a party cannot manufacture a sense of urgency and then use that to support its application for an interim injunction. Summary of facts The Plaintiff, Les Entreprises de la Batterie inc., owns a building that has been under construction since March 2021, in order to convert it into a hotel that will serve as an extension to the hotel the Plaintiff currently operates.1 The Defendant owns a hotel and a piece of property adjacent to the building under construction. The property is used as a parking lot for his hotel guests.2 Construction work on the Plaintiff’s building was initially carried out in two separate phases, from March to November 20213 and from August 23, 2022, to July 2024.4 During those phases, the Parties reached various agreements whereby the Plaintiff could use one (1) of the Defendant’s parking spaces, in exchange for compensation.5 On February 14, 2025, the Plaintiff informed the Defendant that it planned to begin a new phase of construction (Phase 3) on February 28, 2025.6 The Plaintiff also informed the Defendant that, as part of the new phase of construction, the Plaintiff would need to use half of the Defendant’s parking lot, that is, six (6) parking spaces, and that the entrance to the parking lot would have to be relocated for more than two (2) years.7 Additionally, the Plaintiff pointed out that it would need access to the Defendant’s entire parking lot for a few days in the spring of 2025.8 The Plaintiff alleged that construction work on its building had to begin urgently on February 28, 2025.9 The Defendant objected to having to tolerate such a major disruption for an additional two (2) years, given that he had endured the inconveniences caused by the Plaintiff’s construction work for over four (4) years now, without being offered any form of compensation that would be considered fair or reasonable in the circumstances. On February 27, 2025, the Plaintiff brought anoriginating application before Justice Bonsaint, seeking orders for an interim interlocutory injunction, an interlocutory injunction and a permanent injunction, as well as for a declaration of abuse of process and damages, which was amended on February 28, 2025.10 At the interim interlocutory injunction stage, the Plaintiff asked the Court to issue a temporary order granting the Plaintiff access to the Defendant’s six (6) parking spaces so it could continue setting up its construction site.11 The Plaintiff also sought reimbursement of the professional fees incurred in applying for the injunction. The Plaintiff alleged that the hotel expansion was [TRANSLATION] “a large-scale project with costs in the tens of millions of dollars”.12 The Plaintiff further alleged that [TRANSLATION] “there is an urgent need for the construction work required to repurpose the building and turn it into a hotel to continue, without being interrupted by the Defendant’s actions”.13 The Plaintiff argued that halting construction work on its building would result in delays, significantly disrupting the timeline of the project, which was planned over the next two (2) years. Furthermore, it would lead to substantial additional costs associated with the various extras charged by the contractors it had hired to carry out the conversion and construction work.14 Needless to say, the Defendant opposed the application for an interim interlocutory injunction, arguing in particularthat the facts alleged by the Plaintiff failed to meet the urgency test.15 Those are the facts that Justice Bonsaint took into account when rendering her decision. The criteria for granting interim interlocutory injunctions In her judgment, Justice Bonsaint reviewed the legal principles governing interim interlocutory injunction applications. We will do the same below. The criteria for granting an interim interlocutory injunction are as follows: Urgency Serious issue to be tried or strong prima facie case Serious or irreparable harm Balance of convenience16 It is a discretionary and exceptional remedy that should only be granted sparingly and under strict conditions.17 The urgency criterion Urgency is [TRANSLATION] “of paramount importance”18 in determining whether an interim interlocutory injunction should be granted. If the urgency test is not met, the application simply cannot be allowed.19 Courts often describe the level of urgency required as being akin to [TRANSLATION] “a 9-1-1 emergency”.20 Interim interlocutory injunctions should only be granted in cases of [TRANSLATION] “extreme urgency”.21 For a court to find that the urgency test is met, the urgency must not result from a delay in bringing legal action. It must be [TRANSLATION] “immediate and apparent”—not the product of the plaintiff’s own lack of diligence.22 In other words, [TRANSLATION] “the alleged urgency must be real—not manufactured by the person asserting it”.23 Upon reviewing the case, Justice Bonsaint noted that the Defendant had been made aware only on January 31, 2025, that the Plaintiff would need access to his property for construction work.24 Prior to January 2025, the Plaintiff had not informed the Defendant of its true intentions regarding the work.25 It was not until February 14, 2025, that the Plaintiff officially informed the Defendant of the nature of the access required for the third phase of the project, namely, the use of at least half of the Defendant’s property from February 28, 2025, to March 31, 2027.26 Further to the Defendant’s contestation, Justice Bonsaint noted that the Plaintiff had known for several months that the third phase of the work would begin in early 2025.27 She found that the Plaintiff [TRANSLATION] “had not treated the issue of accessing the parking lot as one requiring urgent resolution”.28 The Plaintiff tried to justify its failure to be proactive, arguing that it had been unable to inform the Defendant of its space requirements before 2025 because the project timeline was still unknown at the time.29 However, Justice Bonsaint found that such explanations simply did not excuse the Plaintiff’s delay in filing its application for an interim interlocutory injunction against the Defendant.30 On the contrary, the supporting documents that the Plaintiff had submitted with its letter dated February 14, 2025, such as a plan of the Defendant’s parking lot and the preliminary project timeline, included references to “2024”.31 Given the above, Justice Bonsaint could only conclude that the Plaintiff had known for several months that construction work on its building was scheduled to begin in 2025.32 On that point, Justice Bonsaint was clear: [TRANSLATION] “The Court understands that preliminary construction timelines may be subject to change, but there is nothing to suggest that construction needed to begin ‘urgently’ on February 28, 2025. . . . the Plaintiff should have taken action as early as January 2025”.33 The Plaintiff had been aware of the access issues involving the Defendant’s property since the fall of 2024—and certainly since January 2025.34 Those issues should have prompted discussions between the Parties’ lawyers well before February 2025, and no later than January 2025.35 Discussions or attempts to settle the matter The Plaintiff also argued that, at the interim interlocutory injunction stage, discussions or attempts to settle the matter could have a bearing in determining whether the urgency requirement was met.36 Justice Bonsaint rejected that argument, given that no real negotiations had taken place, other than failed calls in November and December 2024, and again in January 2025, and that the Plaintiff had been aware of the access issues involving the Defendant’s property since the fall of 2024—and certainly since January 2025. Consequently, Justice Bonsaint dismissed the application for an interim interlocutory injunction, seeing as the Plaintiff had asked the Court to find that such an order, which would grant the Plaintiff access to half of the Defendant’s parking lot for two (2) years, needed to be issued urgently, even though the Plaintiff itself had not considered the need to access the parking lot as being an urgent matter to be resolved before the third phase of construction began.37 Key takeaways The urgency criterion is of paramount importance in determining whether an interim interlocutory injunction should be granted. That requirement must be met for the Court to allow such an application. In assessing the facts and allegations related to an application for an interim interlocutory injunction, the Court must ensure that the urgency is real—akin to a 9-1-1 situation—and not manufactured by the party seeking the relief. A delay attributable to the plaintiff cannot serve as a basis for granting an interim interlocutory injunction against the defendant. Half-hearted attempts at settlement discussions or negotiations do not excuse the delay between a party becoming aware of the facts warranting an interim interlocutory injunction and the filing of the application. Diligence is therefore essential in managing and mounting such cases, making it more likely that an interim interlocutory injunction will be granted. Entreprises de la Batterie inc. c. Biron, 2025 QCCS 608, paras. 1 and 10 (hereinafter the “Judgment”). Judgment, para. 4. Judgment, para. 10. Judgment, paras. 16 to 19. Judgment, paras. 10 to 18. Judgment, para. 27. Judgment, paras. 3 and 27. Judgment, para. 3. Judgment, para. 2. Judgment, para. 6. Judgment, para. 7. Judgment, para. 46. Judgment, para. 47. Judgment, para. 48. Judgment, para. 8. Judgment, paras. 35 and 37 to 39. Judgment, para. 36. Judgment, para. 41. Id. Judgment, paras. 41 and 43. Judgment, para. 42. Judgment, para. 42. Judgment, para. 40. Judgment, paras. 61 and 62. Judgment, para. 62. Judgment, paras. 64 and 65. Judgment, para. 68. Id. Judgment, para. 74. Judgment, para. 75. Judgment, paras. 76 and 77. Judgment, para. 82. Judgment, para. 82. Judgment, para. 84. Judgment, para. 85. Judgment, para. 83. Judgment, para. 90.

    Read more
  2. Businesses: Four tips to avoid dependency or vulnerability in your use of AI

    While the world is focused on how the tariff war is affecting various products, it may be overlooking the risks the war is posing to information technology. Yet, many businesses rely on artificial intelligence to provide their services, and many of these technologies are powered by large language models, such as the widely-used ChatGPT. It is relevant to ask whether businesses should rely on purely US-based technology service providers. There is talk of using Chinese alternatives, such as DeepSeek, but their use raises questions about data security and the associated control over information. Back in 2023, Professor Teresa Scassa wrote that, when it comes to artificial intelligence, sovereignty can take on many forms, such as state sovereignty, community sovereignty over data and individual sovereignty.1 Others have even suggested that AI will force the recalibration of international interests.2 In our current context, how can businesses protect themselves from the volatility caused by the actions of foreign governments? We believe that it’s precisely by exercising a certain degree of sovereignty over their own affairs that businesses can guard against such volatility. A few tips: Understand Intellectual property issues: Large language models underlying the majority of artificial intelligence technologies are sometimes offered under open-source licenses, but certain technologies are distributed under restrictive commercial licenses. It is important to understand the limits imposed by the licenses under which these technologies are offered. Some language model owners reserve the right to alter or restrict the technology’s functionality without notice. Conversely, permissive open-source licenses allow a language model to be used without time restrictions. From a strategic standpoint, businesses should keep intellectual property rights over their data compilations that can be integrated into artificial intelligence solutions. Consider other options: Whenever technology is used to process personal information, a privacy impact assessment is required by law before such technology is acquired, developed or redesigned.[3] Even if a privacy impact assessment is not legally required, it is prudent to assess the risks associated with technological choices. If you are dealing with a technology that your service provider integrates, check whether there are alternatives. Would you be able to quickly migrate to one of these if you faced issues? If you are dealing with custom solution, check whether it is limited to a single large language model. Adopt a modular approach: When a business chooses an external service provider to provide a large language model, it is often because the provider offers a solution that is integrated to other applications that the business already uses, or because it provides an application programming interface developed specifically for the business. In making such a choice, you should determine whether the service provider can replace the language model or application if problems were to arise. If the technology in question is a fully integrated solution from a service provider, find out whether the provider offers sufficient guarantees that it could replace a language model if it were no longer available. If it is a custom solution, find out whether the service provider can, right from the design stage, provide for the possibility of replacing one language model with another. Make a proportionate choice: Not all applications require the most powerful language models. If your technological objective is middle-of-the-road, you can consider more possibilities, including solutions hosted on local servers that use open-source language models. As a bonus, if you choose a language model proportionate to your needs, you are helping to reduce the environmental footprint of these technologies in terms of energy consumption.  These tips each require different steps to be put into practice. Remember to take legal considerations, in addition to technological constraints, into account. Licenses, intellectual property, privacy impact assessments and limited liability clauses imposed by certain service providers are all aspects that need to be considered before making any changes. This isn’t just about being prudent—it’s about taking advantage of the opportunity our businesses have to show they are technologically innovative and exercise greater control over their futures. Scassa, T. 2023. “Sovereignty and the governance of artificial intelligence.” 71 UCLA L. Rev. Disc. 214. Xu, W., Wang, S., & Zuo, X. 2025. “Whose victory? A perspective on shifts in US-China cross-border data flow rules in the AI era.” The Pacific Review, 1–27. See in particular the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1, s. 3.3.

    Read more
  3. Bill C-244: unlocking the right to repair

    On November 7, 2024, Bill C-244, An Act to amend the Copyright Act (diagnosis, maintenance and repair)1 received royal assent, adding a new exception to the provisions governing technological protection measures (TPM) in the Copyright Act (CA). This legislative amendment adds section 41.121 to the CA, making it legal to circumvent TPMs for product maintenance, repair and diagnosis. What it means The new section 41.121 is expected to have a limited impact on the Canadian repair market. Although repairers can now circumvent TPMs to diagnose, maintain or repair a customer’s device, it is still forbidden for repairers to use the services of a TPM circumvention specialist, and specialized circumvention equipment is still prohibited. Furthermore, the absence of a fair dealing exception in this amendment poses ongoing risks of copyright infringement for these purposes. A number of questions remain unanswered, including the scope the courts will assign to the terms “maintenance” and “repair.” Does upgrading a device with improved technology fall within the definition of maintenance, or are repairers restricted to servicing devices according to original specifications? For example, if a connected device becomes obsolete after a new security standard is adopted, would replacing its software constitute maintenance? In short, the adoption of Bill C-244 represents but a small step toward the right to repair goods, and it serves as a prime example of how reconciling property rights with intellectual property rights can be challenging. Amendments made by C-244 Section 41.121, as introduced by C-244, has three paragraphs: Diagnosis, maintenance and repair 41.121 (1) Paragraph 41.1(1)(a) does not apply to a person who circumvents a technological protection measure for the sole purpose of maintaining or repairing a product, including any related diagnosing, if the work, performer’s performance fixed in a sound recording or sound recording to which the technological protection measure controls access forms a part of the product. For greater certainty (2) For greater certainty, subsection (1) applies to a person who circumvents a technological protection measure in the circumstances referred to in that subsection for another person. Non-application (3) A person acting in the circumstances referred to in subsection (1) is not entitled to benefit from the exception under that subsection if the person does an act that constitutes an infringement of copyright. Under the new section, the protection afforded to TPMs is set aside for maintenance and repair purposes, including the related diagnosing. Subsection 41.121(2) adds that the exception also applies to a person, such as a professional repairer, who repairs a product for another person. Subsection 41.121(3) further adds that the exception applies only to situations where there is no copyright infringement; for example, copyright infringement would be a person circumventing TPMs to repair a product, but taking advantage of the situation to make an illicit copy of a computer program. Bill C-244 reintroduced certain provisions of Bill C-272,2 which had been tabled in September 2020 but abandoned after the 2021 federal election. However, unlike the original text, the amendment passed on November 7, 2024, does not allow a person to manufacture, import or distribute TPM-circumvention devices to be used to perform repairs. It is rather limited to making the act of circumvention itself legal. Origin of the problem Bill C-272 was partly introduced in response to the decision in Nintendo of America Inc. v. King,3 which had considerably dampened the TPM-containing-device repair industry. In that case, the Federal Court awarded Nintendo of America Inc. $11.7 million in statutory damages following the circumvention of its TPMs, with $20,000 awarded for each of the 585 affected games, and an additional $1 million in punitive damages. Technological Protection Measures (TPMs), also known as digital locks or digital rights management (DRM) technologies, are mechanisms used to safeguard copyrights and sensitive information in the digital domain. They regulate access to or the copying, alteration and redistribution of digital content, such as audio and video files, software and e-books. TPMs can take various forms, including access codes, passwords, encryption keys, watermarks, digital signatures, encryption methods, and integrated hardware-based protections. These measures may be embedded in the files themselves, or in the devices that read, store or distribute them. DVD encryption and video game cartridge protections are well-known examples. The World Intellectual Property Organization (WIPO) first proposed a framework for protecting TPMs in 1996, anticipating that increased internet usage might escalate copyright infringement.4 In 1999, the United States ratified the framework by passing the Digital Millennium Copyright Act (DMCA), followed by Canada’s enactment of the Copyright Modernization Act5 in 2014. This legislative amendment introduced section 41.1 and related provisions to the Copyright Act (CA), prohibiting the circumvention of TPMs. Today, TPMs are ubiquitous, appearing in cars, tractors, medical implants, printer cartridges, game consoles, and various electronic devices. The $11.7 million award to Nintendo of America Inc. pursuant to this provision had a chilling effect on the repair industry.6 In response to the Nintendo decision, Bill C-272 proposed exceptions to the prohibition on circumventing TPMs for diagnosis, maintenance, and repair activities, as specified in paragraph 41.1(1)(a) of the CA. It also included an exception for the manufacture, importation, or distribution of products designed to circumvent TPMs for these purposes, addressing the restrictions noted in paragraph 41.1(1)(c) of the CA. Harmonization with the Canada-United States-Mexico Agreement The scope of the new section 41.121 introduced by Bill C-244 was significantly narrowed to prevent conflicts with the Canada-United States-Mexico Agreement (CUSMA). Article 20.66 of CUSMA requires member countries to enforce three categories of prohibitions related to TPMs: a prohibition on offering TPM circumvention services, a prohibition on the manufacture, import, or distribution of devices intended for TPMs circumvention, and a prohibition on the act itself of circumventing TPMs. Paragraph 5 of Article 20.66 specifies certain exceptions to these prohibitions, particularly for purposes such as interoperability, encryption research (security), and government activities (most of which are addressed under sections 41.11 and following of the CA), but it does not include an exception for the repair of goods. The exception provided in section 41.121 was thus limited to the third CUSMA category which involves the prohibition on circumventing TPMs themselves, as outlined in paragraph 41.1(1)(a) of the CA. As such, the prohibitions on offering TPM circumvention services, and manufacturing, importing or distributing TPM circumvention devices, set out in paragraphs 41.1(1)(b) and 41.1(1)(c), respectively, remain unchanged, even if the purpose of circumvention is to repair a device. Introduction of ambiguous wording Legal professionals may recognize that the changes made to the definitions in section 41 present new challenges. In an attempt to clarify how the new provision’s application, the legislator has added two conflicting expressions to the definitions of “circumvent” and “technological protection measure,” which may not have been necessary. Before After Technical protection measures and information on the rights mechanism Definitions 41 The following definitions apply in this section and in sections 41.1 to 41.21. circumvent means, a)        (a) in respect of a technological protection measure within the meaning of paragraph (a) of the definition technological protection measure, to descramble a scrambled work or decrypt an encrypted work or to otherwise avoid, bypass, remove, deactivate or impair the technological protection measure, unless it is done with the authority of the copyright owner; and Technical protection measures and information on the rights mechanism Definitions 41 The following definitions apply in this section and in sections 41.1 to 41.21. circumvent means, a)        (a) in respect of a technological protection measure within the meaning of paragraph (a) of the definition technological protection measure, to descramble a scrambled work or computer program, or decrypt an encrypted work or computer program or to otherwise avoid, bypass, remove, deactivate or impair the technological protection measure, unless it is done with the authority of the copyright owner; and b)        … b)        … technological protection measure means any effective technology, device or component that, in the ordinary course of its operation, a)        controls access to a work, to a performer’s performance fixed in a sound recording or to a sound recording and whose use is authorized by the copyright owner; or technological protection measure means any effective technology, device or component that, in the ordinary course of its operation, a)        controls access to a work, including a computer program, to a performer’s performance fixed in a sound recording or to a sound recording and whose use is authorized by the copyright owner; b)        … b)        … In the first instance, the legislator specifies that definition applies to “a work or computer program,” which suggests that a computer program is not considered a work. However, the second definition uses the phrase “a work, including a computer program,” implying the opposite. These clarifications were unnecessary, since the definition of “work” already includes literary works, and section 2 of the CA expressly states that literary works include computer programs. It is unfortunate that the text was adopted in its current form despite the numerous comments on this issue during parliamentary reviews.7 Striking a balance between property rights and intellectual property rights The debates surrounding these legislative changes illustrate the inherent challenges in striking a balance between the reduction of property rights, including the right to repair goods, and the promotion of intellectual property rights. For example, the Entertainment Software Association of Canada has advocated for excluding game consoles from the new exception.8 Paul Fogolin, the association’s Vice President of Policy and Government Affairs, argued that broadly opening the right to repair goods could jeopardize the video game industry by making it almost impossible for rights holders to pursue legal action against those tampering with their protection measures.9 Charles Bernard, Lead Economist for the Canadian Automobile Dealers Association,expressed concerns about increased auto theft risks.10 Catherine Lovrics, Chair of the Copyright Policy Committee, Intellectual Property Institute of Canada, anticipated cybersecurity risks.11 Several industry stakeholders believe that making documents, software, parts, and tools available for repair could elevate the risk of cyberattacks. Industry representatives in the United States have highlighted similar risks. For instance, the Association of Equipment Manufacturerssuggests that enabling the circumvention of TPMs could compromise emission controls on equipment, potentially leading to violations of environmental laws and risks to human life.12 Others have raised concerns about product liability issues.13 According to Apple and Panasonic, today’s electronics are too complex for non-specialists to repair and, thus, broadening the right to repair could compromise consumer safety.14 Concerns about safety, security, and liability are certainly legitimate; however, it is also valid to question whether intellectual property law is the appropriate vehicle to address these issues. During review of C-244, Shannon Sereda, Director of Government Relations, Policy, and Markets for Alberta Wheat and Barley Commissions, highlighted the potential difficulties farmers face when they cannot swiftly repair their equipment. She argued that “[t]he current legislative environment in Canada supports equipment repair monopolies by allowing OEMs to prohibit the bypassing of TPMs.”15 Anthony D. Rosborough, a researcher in the Law Department of the European University Institute, corroborated this viewpoint, stating that TPMs “function principally to protect technologies, rather than works or the rights of authors.” In his view, the industry sometimes relies on copyrights for what should be more appropriately protected with patents or trade secrets.16 The relaxation of TPM rules in Canada aligns with similar measures already implemented in the United States. On October 28, the Librarian of Congress renewed a series of exceptions to section 1201 of the Digital Millennium Copyright Act (DMCA), including provisions that allow the circumvention of certain protection measures for repairs.17 These exceptions are subject to renewal every three years and have so far been renewed twice since 2018.18 Over the past few years, the United States has taken several steps to promote the right to repair goods. In May 2021, the Federal Trade Commission (FTC) filed a detailed report19 on anti-competitive practices related to the right to repair. On July 9, 2021, shortly after the report was released, the U.S. President issued an Executive Order to combat such practices and encourage the development of a third-party or owner repair market.20 Since then, multiple states have enacted laws supporting the right to repair.21 On January 8, 2023, John Deere pledged to enable independent repairers to service its equipment.22 Apple Inc., historically opposed to expanding the right to repair, shifted its stance in 2022 by launching a self-service repair program and publicly supporting California’s new right-to-repair law.23 Last year, WIPO reported that 40 states had introduced legislation in favour of the right to repair.24 Here in Canada, the adoption of Bill C-244 represents another step in establishing the right to repair goods. This measure builds on another federal bill, C-59,25 which also received assent last June and amended the Competition Act to empower courts to compel suppliers to sell diagnosis or repair tools. At the provincial level, Quebec became the first province to enact right-to-repair legislation last year. 26 In the coming months, it remains to be seen whether the new section 41.121 of the Copyright Act (CA) will unlock the repair market. For the moment, the measure strikes us as somewhat timid.27 Parliament of Canada, LEGISinfo: C-244: An Act to amend the Copyright Act (diagnosis, maintenance and repair), Parliament of Canada, online: https://www.parl.ca/legisinfo/en/bill/44-1/c-244. Parliament of Canada, LEGISinfo: C-272, An Act to amend the Copyright Act (diagnosis, maintenance and repair), Parliament of Canada, online: https://www.parl.ca/legisinfo/en/bill/43-2/c-272. Nintendo of America Inc. v. King, 2017 FC 246, [2018] 1 FCR 509. WIPO Copyright Treaty, December 20, 1996, article 11, online: https://www.wipo.int/wipolex/en/treaties/textdetails/12740. Copyright Modernization Act, S.C. 2012, c. 20, assented to on 2012-06-29, online: https://laws-lois.justice.gc.ca/eng/AnnualStatutes/2012_20/FullText.html; Canada Gazette, Vol. 146,No. 23 – November 7, 2012, SI/2012-85 Order Fixing Various Dates as the Dates on which Certain Provisions of the Act Come into Force, P.C. 2012-1392, October 25, 2012, online: https: //canadagazette.gc.ca/rp-pr/p2/2012/2012-11-07/html/si-tr85-fra.html. Graham J. Reynolds, “Of Lock-Breaking and Stock Taking - IP, Climate Change, and the Right to Repair in Canada,” in 2023 101-1 Canadian Bar Review 32, 2023 CanLIIDocs 1144, p. 54, online: https://canlii.ca/t/7n4cj. Committee on Industry and Technology, 5 December 2022, Catherine Lovrics, Open Parliament, online: https://openparliament.ca/committees/industry/44-1/49/catherine-lovrics-2/; Committee on Industry and Technology, 15 February 2023, Viviane Lapointe, Open Parliament, online: https://openparliament.ca/committees/industry/44-1/59/viviane-lapointe-5/; Committee on Industry and Technology, 15 February 2023, Andy  Fillmore, Open Parliament, online: https://openparliament.ca/committees/industry/44-1/59/andy-fillmore-6/; Committee on Industry and Technology, 15 february 2023, Patrick Blanar, online: https://openparliament.ca/committees/industry/44-1/59/patrick-blanar-1/. Entertainment Software Association of Canada, Bill C-244 – An Act to amend the Copyright Act (diagnosis, maintenance and repair), online: https://www.ourcommons.ca/Content/Committee/441/INDU/Brief/BR12209146/br-external/EntertainmentSoftwareAssociationOfCanada-e.pdf. Committee on Industry and Technology, February 8, 2023, Paul Fogolin, online: https://openparliament.ca/committees/industry/44-1/57/paul-fogolin-1/. Committee on Industry and Technology, February 8, 2023, Charles Bernard, online: https://openparliament.ca/committees/industry/44-1/57/charles-bernard-1/. Industry and Technology Committee, December 5, 2022, Catherine Lovrics, online: https://openparliament.ca/committees/industry/44-1/49/catherine-lovrics-2/. Emma Fillman, “Comprehensive Right to Repair:The Fight Against Planned Obsolescence in Canada,” (2023) 32 Dalhousie J Legal Stud 123, p. 145. online https://digitalcommons.schulichlaw.dal.ca/djls/vol32/iss1/5/. Irene Calboli, “The right to repair: Recent Developments in the USA,” World Intellectual Property Organization Magazine, August 2023, online: https://www.wipo.int/wipo_magazine_digital/en/2023/article_0023.html. Emma Fillman, “Comprehensive Right to Repair:The Fight Against Planned Obsolescence in Canada,” (2023) 32 Dalhousie J Legal Stud 123, pp. 142 and following, online https://digitalcommons.schulichlaw.dal.ca/djls/vol32/iss1/5/. Committee on Industry and Technology, February 8, 2023, Shannon Sereda, online: https://openparliament.ca/committees/industry/44-1/57/shannon-sereda-1/. Committee on Industry and Technology, February 8, 2023, Anthony D. Rosborough, online: https://openparliament.ca/committees/industry/44-1/57/anthony-d-rosborough-1/. Copyright Office, Library of Congress, Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies, Federal Register, October 28, 2024, online: https://www.federalregister.gov/documents/2024/10/28/2024-24563/exemption-to-prohibition-on-circumvention-of-copyright-protection-systems-for-access-control. Copyright Office, Library of Congress, Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies, Federal Register, October 26, 2018, online: https://www.federalregister.gov/documents/2018/10/26/2018-23241/exemption-to-prohibition-on-circumvention-of-copyright-protection-systems-for-access-control. Federal Trade Commission, Nixing the Fix: An FTC Report to Congress on Repair Restrictions, May 2021, online: https://www.ftc.gov/system/files/documents/reports/nixing-fix-ftc-report-congress-repair-restrictions/nixing_the_fix_report_final_5521_630pm-508_002.pdf. The White House, Executive Order on Promoting Competition in the American Economy, July 9, 2021, online: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/07/09/executive-order-on-promoting-competition-in-the-american-economy/. X, Jon Campbell, December 29, 2022, online: https://twitter.com/JonCampbellNY/status/1608327624526548993; Colorado General Assembly, Consumer Right to Repair Agricultural Equipment, April 25, 2023, online: https://leg.colorado.gov/bills/hb23-1011; Minnesota Legislature, Minnesota Session Laws, 93rd Legislature, Chapter 57 – S.F. No. 2744, online: https://www.revisor.mn.gov/laws/2023/0/Session+Law/Chapter/57/; Sidley, “California Becomes Third U.S.State to Join the Right-to-Repair Movement,” October 24, 2023, online: https://www.sidley.com/en/insights/newsupdates/2023/10/california-becomes-third-us-state-to-join-the-right-to-repair-movement. John Deere, Memorandum of Undestanding, January 8, 2023, online: https://www.fb.org/files/AFBF_John_Deere_MOU.pdf. The Verge, “Surprise:Apple now supports California’s right to repair,” August 23, 2023, online: https://www.theverge.com/2023/8/23/23843506/apple-california-right-to-repair-sb-244. Irene Calboli, “The right to repair: Recent Developments in the USA,” World Intellectual Property Organization Magazine, online: https://www.wipo.int/wipo_magazine_digital/en/2023/article_0023.html. Parliament of Canada, LEGISinfo: C-59: An Act to implement certain provisions of the fall economic statement tabled in Parliament on November 21, 2023 and certain provisions of the budget tabled in Parliament on March 28, 2023; Parliament of Canada, online:https://www.parl.ca/legisinfo/en/bill/44-1/c-59. Québec National Assembly, Bill 29, An Act to protect consumers from planned obsolescence and to promote the durability, repairability and maintenance of goods, online: https://www.assnat.qc.ca/en/travaux-parlementaires/projets-loi/projet-loi-29-43-1.html. The author would like to thank Laura Trépanier-Champagne for her work in supporting the writing of this publication.

    Read more
  4. Can artificial intelligence be designated as an inventor in a patent application?

    Artificial intelligence (“AI”) is becoming increasingly sophisticated, and the fact that this human invention can now generate its own inventions opens the door to new ways of conceptualizing the notion of “inventor” in patent law. In a recent ruling, the Supreme Court of the United Kingdom (“UK Supreme Court”) however found that an artificial intelligence system cannot be the author of an invention within the meaning of the applicable regulations under which patents are granted. This position is consistent with that of several courts around the world that have already ruled on the issue. But what of Canada, where the courts have yet to address the matter? In this bulletin, we will take a look at the decisions handed down by the UK Supreme Court and its counterparts in other countries before considering Canada’s position on the issue. In Thaler (Appellant) v Comptroller-General of Patents, Designs and Trade Mark,1 the UK Supreme Court ruled that “an inventor must be a person”. Summary of the decision In 2018, Dr. Stephen Thaler filed patent applications for two inventions described as having been generated by an autonomous AI system. The machine in question, DABUS, was therefore designated as the inventor in the applications. Dr. Thaler claimed that, as the owner of DABUS, he was entitled to file patent applications for inventions generated by his machine. That being so, he alleged that he was not required to name a natural person as the inventor. Both the High Court of Justice and the Court of Appeal dismissed Dr. Thaler’s appeal from the decision of the Intellectual Property Office of the United Kingdom not to proceed with the patent applications, in particular because the designated inventor was not valid under the Patents Act 1977. The UK Supreme Court, the country’s final court of appeal, also dismissed Dr. Thaler’s appeal. In a unanimous decision, it concluded that the law is clear in that “an inventor within the meaning of the 1977 Act must be a natural person, and DABUS is not a person at all, let alone a natural person: it is a machine”.2 Although there was no doubt that DABUS had created the inventions in question, that did not mean that the courts could extend the notion of inventor, as defined by law, to include machines. An ongoing trend The UK Supreme Court is not the first to reject Dr. Thaler’s arguments. The United States,3 the European Union4 and Australia5 have adopted similar positions, concluding that only a natural person can qualify as an inventor within the meaning of the legislation applicable in their respective jurisdictions. The UK ruling is part of the Artificial Inventor Project’s cross-border attempt to ensure that the DABUS machine—and AI in general—is recognized as a generative tool capable of generating patent rights for the benefit of AI system owners. To date, only South Africa has issued a patent to Dr. Thaler, naming DABUS as the inventor.6 This country is the exception that proves the rule. It should however be noted that the Companies and Intellectual Property Commission of South Africa does not review applications on their merits. As such, no reason was given for considering AI as the inventor. More recently, in February of this year, the United States Patent and Trademark Office issued a guidance on AI-assisted inventions. The guidance confirms the judicial position and states in particular that “a natural person must have significantly contributed to each claim in a patent application or patent”.7 What about Canada? In 2020, Dr. Thaler also filed a Canadian patent application for inventions generated by DABUS.8 The Canadian Intellectual Property Office (“CIPO”) issued a notice of non-compliance in 2021, establishing its initial position as follows: Because for this application the inventor is a machine and it does not appear possible for a machine to have rights under Canadian law or to transfer those rights to a human, it does not appear this application is compliant with the Patent Act and Rules.9 However, CIPO specified that it was open to receiving the applicant’s arguments on the issue, as follows: Responsive to the compliance notice, the applicant may attempt to comply by submitting a statement on behalf of the Artificial Intelligence (AI) machine and identify, in said statement, himself as the legal representative of the machine.10 To date, CIPO has issued no notice of abandonment and the application remains active. Its status in Canada is therefore unclear. It will be interesting to see whether Dr. Thaler will try to sway the Canadian courts to rule in his favour after many failed attempts in other jurisdictions around the world, and most recently in the UK Supreme Court. At first glance, the Patent Act11 (the “Act”) does not prevent an AI system from being recognized as the inventor of a patentable invention. In fact, the term “inventor” is not defined in the Act. Furthermore, nowhere is it stated that an applicant must be a “person,” nor is there any indication to that effect in the provisions governing the granting of patents. The Patent Rules12 offer no clarification in that regard either. The requirement implied by the clear use of the term “person” in the wording of the relevant sections of the law is important: It was a key consideration that the UK Supreme Court analyzed in Thaler. Case law on the subject is still ambiguous. According to the Supreme Court of Canada, given that the inventor is the person who took part in conceiving the invention, the question to ask is “[W]ho is responsible for the inventive concept?”13 That said, however, we note that the conclusion reached was that a legal person—as opposed to a natural person—cannot be considered an inventor.14 The fact is that the Canadian courts have never had to rule on the specific issue of recognizing AI as an inventor, and until such time as the courts render a decision or the government takes a stance on the matter, the issue will remain unresolved. Conclusion Given that Canadian law is not clear on whether AI can be recognized as an inventor, now would be a good time for Canadian authorities to clarify the issue. As the UK Supreme Court has suggested, the place of AI in patent law is a current societal issue, one that the legislator will ultimately have to settle.15 As such, it is only a matter of time before the Act is amended or CIPO issues a directive. Moreover, in addition to having to decide whether AI legally qualifies as an inventor, Canadian authorities will have to determine whether a person can be granted rights to an invention that was actually created by AI. The question as to whether an AI system owner can hold a patent on an invention generated by their machine was raised in Thaler. Once again, unlike the UK’s patent act,16 our Patent Act does not close the door to such a possibility. Canadian legislation contains no comprehensive list of the categories of persons to whom a patent may be granted, for instance. If we were to rewrite the laws governing intellectual property, given that the main purpose such laws is to encourage innovation and creativity, perhaps a better approach would be to allow AI system owners to hold patent rights rather than recognizing the AI as an inventor. Patent rights are granted on the basis of an implicit understanding: A high level of protection is provided in exchange for sufficient disclosure to enable a person skilled in the art to reproduce an invention. This ensures that society benefits from such inventions and that inventors are rewarded. Needless to say, arguing that machines need such an incentive is difficult. Designating AI as an inventor and granting it rights in that respect is therefore at odds with the very purpose of patent protection. That said, an AI system owner who has invested time and energy in designing their system could be justified in claiming such protection for the inventions that it generates. In such a case and given the current state of the law, the legislator would likely have to intervene. Would this proposed change spur innovation in the field of generative AI? We are collectively investing a huge amount of “human” resources in developing increasingly powerful AI systems. Will there come a time when we can no longer consider that human resources were involved in making AI-generated technologies? Should it come to that, giving preference to AI system owners could become counterproductive. In any event, for the time being, a sensible approach would be to emphasize the role that humans play in AI-assisted inventions, making persons the inventors rather than AI. As concerns inventions conceived entirely by an AI system, trade secret protection may be a more suitable solution. The professionals on our intellectual property team are at your disposal to assist you with patent registration and provide you with a clearer understanding of the issues involved. [2023] UKSC 49 [Thaler]. Ibid., para. 56. See the decision of the United States Court of Appeals for the Federal Circuit in Thaler v Vidal, 43 F. 4th 1207 (2022), application for appeal to the Supreme Court of the United States dismissed. See the decision of the Boards of Appeal of the European Patent Office in J 0008/20 (Designation of inventor/DABUS) (2021), request to refer questions to the Enlarged Board of Appeal denied. See the decision of the Full Court of the Federal Court of Australia in Commissioner of Patents v Thaler, [2022] FCAFC 62, application for special leave to appeal to the High Court of Australia denied. ZA 2021/03242. Federal Register: Inventorship Guidance for AI-Assisted Inventions. CA 3137161. Notice from CIPO dated February 11, 2022, in Canadian patent application 3137161. Ibid. R.S.C., 1985, c. P-4. SOR/2019-251. Apotex Inc.v. Wellcome Foundation Ltd., 2002 SCC 77 at paras. 96–97. Sarnoff Corp. v. Canada (Attorney General), 2008 FC 712, para. 9. Thaler, paras. 48–49, 79. Ibid., para. 79.

    Read more