Publications

Packed with valuable information, our publications help you stay in touch with the latest developments in the fields of law affecting you, whatever your sector of activity. Our professionals are committed to keeping you informed of breaking legal news through their analysis of recent judgments, amendments, laws, and regulations.

  • Bill C-18 (Online News Act): Canada looking to create a level playing field for news media

    Earlier this month, Canadian Heritage Minister Pablo Rodriguez introduced Bill C-18 (Online News Act) in Parliament. This bill, which was largely inspired by similar legislation in Australia, aims to reduce bargaining imbalances between online platforms and Canadian news outlets in terms of how these “digital news intermediaries” allow news content to be accessed and shared on their platforms. If passed, the Online News Act would, among other things, require these digital platforms such as Google and Facebook to enter into fair commercial agreements with news organizations for the use and dissemination of news-related content on their platforms.

    Bill C-18, which was introduced on April 5, 2022, has a very broad scope, and covers all Canadian journalistic organizations, regardless of the type of media (online, print, etc.), if they meet certain eligibility criteria. With respect to the “digital news intermediaries” on which the journalistic content is shared, Bill C-18 specifically targets online communication platforms such as search engines or social media networks through which news content is made available to Canadian users and which, due to their size, have a significant bargaining imbalance with news media organizations. The bill proposes certain criteria by which this situation of bargaining imbalance can be determined, including the size of the digital platform, whether the platform operates in a market that provides a strategic advantage over news organizations and whether the platform occupies a prominent position within its market. These are clearly very subjective criteria which make it difficult to precisely identify these “digital news intermediaries.” Bill C-18 also currently provides that the intermediaries themselves will be required to notify the Canadian Radio-television and Telecommunications Commission (“CRTC”) of the fact that the Act applies to them.

    The mandatory negotiation process is really the heart of Bill C-18. If the bill is passed in its current form, digital platform operators will be required to negotiate in good faith with Canadian media organizations to reach fair revenue sharing agreements. If the parties fail to reach an agreement at the end of the negotiation and mediation process provided for in the legislation, a panel of three arbitrators may be called upon to select the final offer made by one of the parties. For the purposes of enforceability, the arbitration panel’s decision is then deemed to constitute an agreement entered into by the parties.

    Finally, Bill C-18 provides digital platforms the possibility of applying to the CRTC for an exemption from mandatory arbitration provided that their revenue sharing agreements meet the following criteria:

      • Provide fair compensation to the news businesses for news content that is made available on their platforms;
      • Ensure that an appropriate portion of the compensation would be used by the news businesses to support the production of local, regional and national news content;
      • Do not allow corporate influence to undermine the freedom of expression and journalistic independence enjoyed by news outlets;
      • Contribute to the sustainability of Canada’s digital news marketplace;
      • Ensure support for independent local news businesses, and ensure that a significant portion of independent local news businesses benefit from the deals; and
      • Reflect the diversity of the Canadian news marketplace, including diversity with respect to language, racialized groups, Indigenous communities, local news and business models.

    A bill of this scope will certainly be studied very closely by the members of Parliament, and it would not be surprising if significant amendments were made during this process. We believe that some clarifications would be welcome, particularly as to the precise identity of businesses that will be considered “digital information intermediaries” for the purposes of the Online News Act.

  • Do you know your open-source licences?

    Do you have the right to copy source code written and developed by someone else? The answer to this question depends on the situation; however, even in the context of open innovation, intellectual property rights will be the starting point for any analysis required to obtain such an answer.

    In the software industry, open-source licences allow anyone to access the source code of corresponding software, free of charge and with few restrictions. The goal is generally to promote the improvement of this code by encouraging as many people as possible to use it. Linus Torvalds, the programmer of the Linux kernel (certainly one of the most well-known open-source projects), recently stated that without the open-source approach, his project would probably not have survived.[1]

    However, this approach has legal consequences: Vizio was recently hit with a lawsuit alleging non-compliance with an open-source GPL licence used in the SmartCast OS software embedded in some of its televisions. It is being sued by Software Freedom Conservancy (“SFC”), an American non-profit promoting and defending open-source licences. As part of its lawsuit, SFC alleges, among other things, that Vizio was required to distribute the SmartCast OS source code under the above-mentioned open-source GPL licence, which Vizio failed to do, thereby depriving consumers of their rights.[2]

    In Canadian law, section 3 of the Copyright Act[3] gives the author the exclusive right to produce or reproduce all or any substantial part of an original work. This principle has been adopted by all signatories of the 1886 Berne Convention, i.e., almost every country in the world. A licence agreement, which may inter alia confer the right to reproduce the work of another person, can take different forms. It also establishes the extent of the rights conferred and the terms and conditions of any permitted use.

    However, not all open-source licences are equivalent. Many allow creators to attach various conditions to the right to use the code that has been made available. Under these licences, anyone may use the work or software, but subject to the following constraints, depending on the type of licence in effect:

      • Obligation to display: An open-source licence may require disclosure of certain information in the software or in the source code itself, such as the following:
          • The author’s name or pseudonym, or even maintaining the anonymity of the author, depending on their wishes, and/or a citation of the title of the work or software;
          • The user licence of the redistributed open-source work or software;
          • A modification note for each modified file; and
          • A warranty disclaimer.
      • Contribution obligations: Some licences require the sharing of any modifications made to the open-source code, with said modifications being under the same licence conditions. In some cases, this obligation extends to any software that incorporates the open-source code. In other words, code derived from open-source material can itself become open-source. This obligation to contribute can generally be categorized as follows:
          • Any redistribution must be done under the original licence, making the result open-source as well;
          • Any redistribution of the code, modified or not, must be done under the original licence, but other code may be associated or added without being subject to the open-source licence; or
          • Any redistribution is done without any sharing constraints.
      • Ban on commercialization: Some licences prohibit any use for commercial purposes.

    Apache v2
      Level of obligation to contribute upon redistribution: Any redistribution of the software, modified or not, or with added components, must be done under the terms of the original licence.
      Mandatory elements to display: Licence of the redistributed open-source software; Identification of any changes made to the code; Copyright notice; Warranty disclaimer
      Commercial use permitted: Yes

    BSD
      Level of obligation to contribute upon redistribution: Any redistribution of the software can be done without any obligation to share.
      Mandatory elements to display: Copyright notice; Warranty disclaimer
      Commercial use permitted: Yes

    CC BY-NC 4.0
      Level of obligation to contribute upon redistribution: Any redistribution of the software can be done without any obligation to share.
      Mandatory elements to display: Licence of the redistributed open-source software; Identification of any changes made to the code; Copyright notice; Warranty disclaimer
      Commercial use permitted: No

    CC0 1.0
      Level of obligation to contribute upon redistribution: Any redistribution of the software can be done without any obligation to share.
      Mandatory elements to display: Licence of the redistributed open-source software
      Commercial use permitted: Yes

    GPLv3
      Level of obligation to contribute upon redistribution: Any redistribution of the software, modified or not, or with added components, must be done under the terms of the original licence.
      Mandatory elements to display: Licence of the redistributed open-source software; Identification of any changes made to the code; Copyright notice; Warranty disclaimer
      Commercial use permitted: Yes, but sub-licensing is not allowed

    LGPLv3
      Level of obligation to contribute upon redistribution: Any redistribution of the software, modified or not, must be done under the terms of the original licence. New components can be added, but not integrated, under other non-open-source licences.
      Mandatory elements to display: Licence of the redistributed open-source software; Identification of any changes made to the code; Copyright notice; Warranty disclaimer
      Commercial use permitted: Yes

    MIT
      Level of obligation to contribute upon redistribution: Any redistribution of the software can be done without any obligation to share.
      Mandatory elements to display: Licence of the redistributed open-source software; Copyright notice; Warranty disclaimer
      Commercial use permitted: Yes

    It is important to make programming teams aware of the issues that can arise when using modules governed by what are known as “viral licences” (such as the CC BY-NC 4.0 licence) in the design of commercial software. Such software could lose significant value if such modules are incorporated, making it difficult or even impossible to commercialize said software.

    In the context of open innovation where developers want to share their code, in particular to encourage collaboration, it is important to understand the scope of these different licences. The choice of the appropriate licence must be made based on the project’s objectives. Also, keep in mind that it is not always possible to change the licence used for the distribution of the code once said distribution has commenced. That means the choice of licence can have long-term consequences for any project.

    [1] David Cassel, Linus Torvalds on Community, Rust and Linux's Longevity, The NewStack, Oct. 1, 2021, online: https://thenewstack.io.
    [2] See the SFC press release: https://sfconservancy.org/copyleft-compliance/vizio.html.
    [3] RSC 1985, c. C-42.

  • Adoption of Bill 64: what do public bodies need to know?

    Bill 64, also known as the Act to modernize legislative provisions as regards the protection of personal information, was adopted on September 21, 2021, by the National Assembly of Québec. This new bill amends some 20 laws relating to the protection of personal information, including the Act respecting Access to documents held by public bodies and the Protection of personal information ("Access Act"), the Act respecting the protection of personal information in the private sector (“ARPIPS”) and the Act to establish a legal framework for information technology (“AELFIT”). While these changes will affect both public bodies and private businesses, this article focuses exclusively on the new requirements for public bodies covered by the Access Act. We have prepared an amended version of the Access Act in order to reflect the exact changes brought about by Bill 64.

    1. Strengthening consent mechanisms and increasing individual control over personal information

    By way of Bill 64, some important changes were made to the notion of consent when disclosing personal information to public bodies. From now on, any time an individual’s consent is required by the Access Act, public bodies must ensure that the concerned individual’s consent is given separately from any other disclosed information (s. 53.1). Furthermore, any consent to the collection of sensitive personal information (e.g., health or financial information that gives rise to a reasonable expectation of privacy) will have to be expressly obtained from the data subject (s. 59).

    The amended Access Act now also provides that minors under the age of 14 must have a parent or a guardian consent to the collection of their personal information. For minors over the age of 14, consent can be given either directly by the minor or by their parent or guardian (s. 53.1).

    The right to data portability is one of the new rights enforced by Bill 64. These added provisions to the Access Act allow data subjects to obtain data that a public body holds on them in a structured and commonly used technological format and to demand that this data be released to a third party (s. 84).

    Whenever a public body renders a decision based exclusively on automated processing of personal information, the affected individual must be informed of this process. If the decision produces legal effects or otherwise affects the individual concerned, upon request, the public body must also disclose to the individual (i) the personal information used in reaching the decision, (ii) the reasons and main factors leading to the decision, and (iii) the individual’s right to have this personal information rectified (s. 65.2).

    Furthermore, public bodies that use technology to identify, locate or profile an individual must now inform the affected individual of the use of such technology and the means that are available to them in order to disable such functions (s. 65.0.1).

    2. New personal data protection mechanisms

    Public bodies will now be required to conduct a privacy impact assessment whenever they seek to implement or update any information system that involves the collection, use, disclosure, retention or destruction of personal data (s. 63.5). This obligation will effectively compel public bodies to consider the privacy and personal information protection risks involved in a certain project at its outset. In fact, the Access Act now states that every public body must create an access to information committee, whose responsibilities will include offering their observations in such circumstances.

    3. Promoting transparency and accountability for public bodies

    The changes brought about by Bill 64 also aim to increase the transparency of processes employed by public bodies in collecting and using personal data, as well as placing an emphasis on accountability. As such, public bodies will now have to publish on their websites the rules that govern their handling of personal data in clear and simple language (s. 63.3). These rules may take the form of a policy, directive or guide and must set out the various responsibilities of staff members with respect to personal information. Training and awareness programs for staff should also be listed.

    Any public body that collects personal information through technological means will likewise be required to publish a privacy policy on their website. The policy will have to be drafted in clear and simple language (s. 63.4). The government may eventually adopt regulations to specify the required content of such privacy policies.

    Moving forward, public bodies will also have to inform data subjects of any personal data transfer outside of the province of Quebec (s. 65). Any such transfer will also need to undergo a privacy impact assessment, which will include an analysis of the legal framework applicable in the State where the personal information will be transferred (s. 70.1). Furthermore, any transfer of personal data outside of Quebec must be subject to a written agreement that takes into account, in particular, the results of the privacy impact assessment and, if applicable, the agreed-upon terms to mitigate the risks identified in the assessment (s. 70.1). A public body that wishes to entrust a person or body outside of Quebec with the task of collecting, using, communicating or retaining personal information on its behalf will have to undertake a similar exercise (s. 70.1 (3)).

    4. Managing confidentiality incidents

    Where a public body has reason to believe that a confidentiality incident (which is defined in Bill 64 as the access, use, disclosure or loss of personal information) has occurred, it will be required to take reasonable steps to mitigate the injury caused to the affected individuals and to reduce the risk of further confidentiality incidents occurring in the future (s. 63.7). In addition, where the confidentiality incident poses a risk of serious harm to the affected individuals, these individuals and the Commission d’accès à l’information (“CAI”) must be notified (unless doing so would interfere with an investigation to prevent, detect or suppress crime or violations of law) (s. 63.7). Public bodies must now also keep a register of confidentiality incidents (s. 63.10), a copy of which must be sent to the CAI upon request.

    5. Increased powers for the CAI

    Bill 64 also grants the CAI an arsenal of new powers aiming to ensure that public bodies, as well as private companies, comply with privacy laws. For example, in the event of a confidentiality incident, the CAI may order any public body to take appropriate action to protect the rights of affected individuals, after allowing the public body to make representations (s. 127.2). Furthermore, the CAI now has the power to impose substantial administrative monetary penalties, the value of which may reach up to $150,000 for public bodies (s. 159). In the event of repeat offences, fines will be doubled (s. 164.1).

    6. Coming into force

    The amendments made by Bill 64 will come into force in several stages. Most of the new provisions of the Access Act will come into force two years after the date of assent, which was granted on September 22, 2021. However, some specific provisions will take effect one year after that date, including:

      • The requirements regarding actions to be taken in response to confidentiality incidents (s. 63.7) and the powers of the CAI upon disclosure by an organization of a confidentiality incident (s. 137.2); and
      • The exception to disclosure without consent for research purposes (s. 67.2.1).

    Conclusion

    The clock is now ticking for public bodies to implement the necessary changes in order to comply with the new privacy requirements outlined in Bill 64, which received official assent on September 22, 2021. We invite you to consult our privacy specialists to help ensure proper compliance with the new requirements of the updated Access Act. The Lavery team would be more than pleased to answer any questions you may have regarding the upcoming changes and the potential impacts on your org

  • Amendments to Privacy Laws: What Businesses Need to Know

    Bill 64, also known as the Act to modernize legislative provisions respecting the protection of personal information, was adopted on September 21, 2021, by the National Assembly of Québec. It amends some 20 laws relating to the protection of personal information, including the Act respecting access to documents held by public bodies ("Access Act"), the Act respecting the protection of personal information in the private sector ("Private Sector Act") and the Act respecting the legal framework for information technology. While the changes will affect both public bodies and private businesses, this publication will focus on providing an overview of the new requirements for private businesses covered by the Private Sector Act. We have prepared an amended version of the Private Sector Act in order to reflect the exact changes brought about by Bill 64.

    Essentially, the amended Private Sector Act aims to give individuals greater control over their personal information and promote the protection of personal information by making businesses more accountable and introducing new mechanisms to ensure compliance with Québec’s privacy rules. The following is a summary of the main amendments adopted by the legislator and the new requirements imposed on businesses in this area. It is important to note that, for the most part, the new privacy regime will come into effect in two years.

    1. Increasing transparency and individual control over personal information

    The new Private Sector Act establishes the right of individuals to access information about themselves collected by businesses in a structured and commonly used technological format. Data subjects will now also be able to require a business to disclose such information to a third party, as long as the information was not “created or inferred” by the business (s. 27). This right is commonly referred to as the “right to data portability.”

    Businesses now have an obligation to destroy personal information once the purposes for which it was collected or used have been fulfilled. Alternatively, businesses may anonymize personal information in accordance with generally accepted best practices in order to use it for meaningful and legitimate purposes (s. 23). However, it is important that the identity of concerned individuals can never again be inferred from the retained information. This is a significant change for private businesses which, under the current law, can still retain personal information that has lapsed.

    In addition, Bill 64 provides individuals with a right to “de-indexation.” In other words, businesses will now have to de-index any hyperlink that leads to an individual’s personal information where dissemination of such personal information goes against the law or a court order (s. 28.1).

    Additionally, whenever a business uses personal information to render a decision based exclusively on an automated processing of such information, it must inform the concerned individual of the process at the latest when the decision is made (s. 12.1). The individual must likewise be made aware of their right to have the information rectified (s. 12.1).

    Bill 64 provides that the release and use of nominative lists by a private company for commercial or philanthropic prospecting purposes are now subject to the consent of concerned data subjects.

    Furthermore, in an effort to increase transparency, businesses will now be required to publish their rules of governance with respect to personal information in simple and clear terms on their website (s. 3.2). These rules may take the form of a policy, directive or guide and must, among other things, set out the various responsibilities of staff members with respect to personal information. In addition, businesses that collect personal information through technology will also be required to adopt and publish a privacy policy in plain language on their website when they collect personal information (s. 8.2).

    The amended Private Sector Act further provides that businesses that refuse access to information requests, in addition to giving reasons for their refusal and indicating the relevant sections of the Act, must now assist applicants in understanding why their request was denied when asked to (s. 34).

    2. Promoting privacy and corporate accountability

    Bill 64 aims to make businesses more accountable for the protection of personal information, as exemplified by the new requirement for businesses to appoint a Chief Privacy Officer within their organization. By default, the role will fall upon the most senior person in the organization (s. 3.1).

    In addition, businesses will be required to conduct privacy impact assessments (“PIA”) for any information system acquisition, development or redesign project involving the collection, use, disclosure, retention or destruction of personal information (s. 3.3). This obligation forces businesses to consider the privacy and personal information protection risks involved in a project at its outset. The PIA must be proportionate to the sensitivity of the information involved, the purpose for which it is to be used, its quantity, distribution and medium (s. 3.3).

    Businesses will likewise be required to conduct a PIA when they intend to disclose personal information outside Québec. In these cases, the purpose of the PIA will be to determine whether the information will be adequately protected in accordance with generally accepted privacy principles (s. 17). The extra-provincial release of personal information must also be subject to a written agreement that takes into account, among other things, the results of the PIA and, if applicable, the terms and conditions agreed to in order to mitigate identified risks (s. 17(2)).

    The disclosure of personal information by businesses for study, research or statistical purposes is also subject to a PIA (s. 21). The law is substantially modified in this regard, in that a third party wishing to use personal information for such purposes must submit a written request to the Commission d'accès à l'information (“CAI”), attach a detailed description of their research activities and disclose a list of all persons and organizations to which it has made similar requests (s. 21.01.1 and 21.01.02).

    Businesses may also disclose personal information to a third party, without the consent of the individual, in the course of performing a service or for the purposes of a business contract. The mandate must be set out in a written contract, which must include the privacy safeguards to be followed by the agent or service provider (s. 18.3).

    The release of personal information without the consent of concerned individuals as part of a commercial transaction between private companies is subject to certain specific requirements (s. 18.4). The amended Private Sector Act now defines a business transaction as “the sale or lease of all or part of an enterprise or its assets, a change in its legal structure by merger or otherwise, the obtaining of a loan or other form of financing by it, or the taking of a security interest to secure an obligation of the enterprise” (s. 18.4).

    Bill 64 enshrines the concept of “privacy by default,” which means that businesses that collect personal information by offering a technological product or service to the public with various privacy settings must ensure that these settings provide the highest level of privacy by default, without any intervention on behalf of their users (s. 9.1). This does not apply to cookies.

    Where a business has reason to believe that a privacy incident has occurred, it must take reasonable steps to reduce the risk of harm and the reoccurrence of similar incidents (s. 3.5). A privacy incident is defined as “the access, use, disclosure or loss of personal information” (s. 3.6). In addition, businesses are required to notify concerned individuals and the CAI for each incident that presents a serious risk of harm, which is assessed in light of the sensitivity of the concerned information, the apprehended consequences of its use and the likelihood that it will be used for a harmful purpose (s. 3.7). Companies will furthermore be required to keep a confidentiality incident log that must be made available to the CAI upon request (s. 3.8).

    3. Strengthening the consent regime

    Bill 64 modifies the Private Sector Act to ensure that any consent provided for in the Act is clear, free and informed and given for specific purposes. This means that consent must be requested for each of the purposes of the collection, in simple and clear terms and in a clearly distinct manner, to avoid consent being obtained through complex terms of use that are difficult for individuals to understand (art. 14).

    The amended Private Sector Act now provides that minors under the age of 14 must have a parent or a guardian consent to the collection of their personal information. For minors over the age of 14, consent can be given either directly by the minor or by their parent or guardian (s. 14).

    Within an organization, consent to the disclosure of sensitive personal information (e.g., health or other intimate information) must be expressly given by individuals (s. 12).

    4. Ensuring better compliance

    The Private Sector Act has likewise been amended by adding new mechanisms to ensure that businesses subject to the Private Sector Act comply with its requirements.

    Firstly, the CAI is given the power to impose hefty dissuasive administrative monetary penalties on offenders, which can be as high as $10,000,000 or 2% of the company's worldwide turnover (s. 90.12). In the event of a repeat offence, the fine will be doubled (s. 92.1). In addition, when a confidentiality incident occurs within a company, the CAI may order it to take measures to protect the rights of affected individuals, after allowing the company to make observations (s. 81.3).

    Secondly, new criminal offences are added to the Private Sector Act, which may also lead to the imposition of severe fines. For offending companies, such fines can reach up to $25,000,000 or 4% of their worldwide turnover (s. 91).

    Finally, Bill 64 creates a new private right of action. Essentially, it provides that when an unlawful infringement of a right conferred by the Private Sector Act or by articles 35 to 40 of the Civil Code of Québec results in prejudice and the infringement is intentional or the result of gross negligence, the courts may award punitive damages of at least $1,000 (s. 93.1).

    5. Coming into force

    The amendments made by Bill 64 will come into force in several stages. Most of the new provisions of the Private Sector Act will come into force two years after the date of assent, which was granted on September 22, 2021. However, some specific provisions will take effect one year after that date, including:

      • The requirement for businesses to designate a Chief Privacy Officer (s. 3.1);
      • The obligation to report privacy incidents (s. 3.5 to 3.8);
      • The exception for disclosure of personal information in the course of a commercial transaction (s. 18.4); and
      • The exception to disclosure of personal information for study or research purposes (s. 21 to 21.0.2).

    Finally, the provision enshrining the right to portability of personal information (s. 27) will come into force three years after the date of official assent.

    The Lavery team would be more than pleased to answer any questions you may have regarding the upcoming changes and the potential impact of Bill 64 on your business.

    The information and comments contained in this document do not constitute legal advice. They are intended solely for the use of the reader, who assumes full responsibility for its content, for their own purposes.

  • Loss of personal information: The Superior Court dismisses a class action

    On March 26, 2021, the Superior Court rendered a decision dismissing a class action against the Investment Industry Regulatory Organization of Canada (“IIROC”) on the loss of personal information of thousands of Canadian investors.[1] The lack of evidence of compensable injury and IIROC’s diligent behaviour are the main reasons for the dismissal of the class action.

    The Facts

    On February 22, 2013, an inspector working for IIROC forgot his laptop computer in a public place. The computer, which contained the personal information of approximately 50,000 Canadians, was never found. The information had originally been collected by various securities brokers who were under inspection by IIROC.

    Mr. Lamoureux, whose personal information was on the computer, brought a class action on behalf of all persons whose personal information was lost in the incident. He claimed compensatory damages for the stress, anxiety and worries associated with the loss of personal information, as well as compensation for the injury associated with the identity theft or attempted identity theft of members. He also claimed punitive damages for unlawful and intentional infringement of the right to privacy protected by the Quebec Charter of Human Rights and Freedoms. On this point, the members claimed that IIROC had been reckless and had delayed in notifying affected persons and brokers, as well as relevant authorities.

    Decision

    The class action is dismissed in its entirety.

    Compensatory damages

    The Superior Court started by acknowledging IIROC’s admission that it was at fault for the loss of the computer, and that the computer was not encrypted as it should have been to comply with IIROC policies.

    With respect to compensatory damages, the Court reiterated the principle according to which the existence of fault does not presume the existence of injury; each case must be analyzed on the basis of the evidence.[2] In this case, the injury alleged by the members can be summarized as follows:

      • They suffered worry, anger, stress and anxiety about the incident.
      • They were forced to monitor their financial accounts, and in particular their credit cards and bank accounts.
      • They were inconvenienced and wasted time in having to deal with credit agencies and ensuring that their personal information was protected.
      • They felt shame and suffered delays caused by identity checks on their credit applications attributable to flags on their files.

    In its analysis, the Court held that, apart from the fact that the members were generally troubled by the loss of their personal information, there was no evidence of any particular and significant difficulties related to their mental state. Relying on Mustapha v. Culligan of Canada Ltd.,[3] the Court reiterated that “the law does not recognize upset, disgust, anxiety, agitation or other mental states that fall short of injury.” If the injury is not serious and prolonged, and is limited to ordinary discomforts and fears that are inherent to life in society, it does not constitute compensable injury. In this case, the Court found that the negative feelings experienced as a result of the loss of personal information did not rise above the level of ordinary discomforts, anxieties and fears that people living in society routinely accept.

    Having to monitor one’s personal accounts more closely does not qualify as a compensable injury, as the courts equate this practice with that of [translation] “a reasonable person who protects their assets.”[4] The Court also considered the fact that IIROC provided members with free credit monitoring and protection services. It thus concluded that, in this respect, there was no injury to compensate.

    Finally, the experts who were mandated to analyze the circumstances and wrongful use of the investors’ personal information found that there was no clear indication of wrongful use of the information by a person or group of persons, although evidence of wrongful use of personal information is not necessary to assert a claim.

    Punitive damages

    The plaintiff, on behalf of the members of the class action, also sought punitive damages on the grounds that IIROC had been reckless in its handling of the incident. To analyze IIROC’s diligence, the Court noted the following facts.

      • IIROC launched an internal investigation in the week that followed that of February 22, 2013, the date on which the computer was lost.
      • On March 4, 2013, the investigation revealed that the computer likely contained the personal information of thousands of Canadians.
      • IIROC filed a police report.
      • On March 6, 2013, it mandated Deloitte to identify what personal information was lost and who were the affected persons and brokerage firms, and to help it manage the risks and obligations associated with the loss of the personal information.
      • On March 22, 2013, Deloitte informed IIROC that the computer contained “highly sensitive” and “increased sensitivity” information about thousands of Canadian investors.
      • On March 27, 2013, IIROC notified the Commission d’accès à l’information du Québec and the Office of the Privacy Commissioner of Canada.
      • On April 8 and 9, 2013, IIROC met with representatives of the affected brokerage firms, and simultaneously mandated credit agencies to implement safeguards for investors and brokerage firms.
      • IIROC also set up a bilingual call center, issued a press release about the loss of the computer and sent a letter to affected investors.
The Court also accepted expert evidence according to which IIROC’s response was consistent with industry best practices, and that the measures put in place were appropriate in the circumstances and consistent with other responses to similar incidents. In light of the evidence, the Court concluded that the loss of the unencrypted laptop computer and the resulting violation of the right to privacy were isolated and unintentional. It therefore dismissed the claim for punitive damages. The outcome is that IIROC was not reckless: it rather acted in a timely manner. Comments This decision introduces a basis for analyzing the diligent conduct of a company should the personal information that it holds be compromised, and confirms that a prompt and diligent response to a security incident can safeguard against a civil suit. It also confirms that the mere loss of personal information, no matter how sensitive, is not in itself sufficient to justify financial compensation, and that it must be proven that injury was suffered. Furthermore, ordinary annoyances and temporary inconveniences do not constitute compensable injury, and monitoring financial accounts is not exceptional, but is rather considered the standard practice expected of a reasonable person protecting their assets. At the time of writing this bulletin, the time limit for appeal has not expired and the plaintiff has not announced whether he intends to appeal the judgment.

1. Lamoureux v. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2021 QCCS 1093.
2. Sofio v. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2014 QCCS 4061, paras. 21 and 22.
3. Mustapha v. Culligan of Canada Ltd., 2008 SCC 27 [2008] 2 SCR 114.
4. Lamoureux v. Organisme canadien de réglementation du commerce des valeurs mobilières, 2021 QCCS 1093, para. 73.

  • Artificial intelligence soon to be regulated in Canada?

    For the time being, there are no specific laws governing the use of artificial intelligence in Canada. Certainly, the laws on the use of personal information and those that prohibit discrimination still apply, no matter if the technologies involved are so-called artificial intelligence technologies or conventional ones. However, the application of such laws to artificial intelligence raises a number of questions, especially when dealing with “artificial neural networks,” because the opacity of the algorithms behind these makes it difficult for those affected to understand the decision-making mechanisms at work. Such artificial neural networks are different in that they provide only limited explanations as to their internal operation. On November 12, 2020, the Office of the Privacy Commissioner of Canada (OPC) published its recommendations for a regulatory framework for artificial intelligence.1 Pointing out that the use of artificial intelligence requiring personal information can have serious privacy implications, the OPC has made several recommendations, which involve the creation of the following, in particular: A requirement for those who develop such systems to ensure that privacy is protected in the design of artificial intelligence systems; A right for individuals to obtain an explanation, in understandable terms, to help them understand decisions made about them by an artificial intelligence system, which would also involve the assurance that such explanations are based on accurate information and are not discriminatory or biased; A right to contest decisions resulting from automated decision making; A right for the regulator to require evidence of the above. It should be noted that these recommendations include the possibility of imposing financial penalties on companies that would fail to abide by this regulatory framework. 
Moreover, contrary to the approach adopted in the General Data Protection Regulation and the Government of Quebec’s Bill 64, the rights to explanation and contestation would not be limited solely to automated decisions, but would also cover cases where an artificial intelligence system assists a human decision-maker. It is likely that these proposals will eventually provide a framework for the operation of intelligence systems already under development. It would thus be prudent for designers to take these recommendations into account and incorporate them into their artificial intelligence system development parameters as of now. Should these recommendations be adopted, it will also become necessary to consider how to explain the mechanisms behind the systems making or suggesting decisions based on artificial intelligence. As mentioned in these recommendations, “while trade secrets may require organizations to be careful with the explanations they provide, some form of meaningful explanation should always be possible without compromising intellectual property.”2 For this reason, it may be crucial to involve lawyers specializing in these matters from the start when designing solutions that use artificial intelligence and personal information.

1. https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/completed-consultations/consultation-ai/reg-fw_202011/
2. Ibid.

  • Artificial Intelligence and Telework: Security Measures to be Taken

    Cybersecurity will generally be a significant issue for businesses in the years to come. With teleworking, cloud computing and the advent of artificial intelligence, large amounts of data are likely to fall prey to hackers attracted by the personal information or trade secrets contained therein. From a legal standpoint, businesses have a duty to take reasonable steps to protect the personal information they hold.1 Although the legal framework doesn’t always specify what such reasonable means are in terms of technology, measures appropriate for the personal information in question must nevertheless be applied. These measures must also be assessed in light of the evolution of threats to IT systems. Some jurisdictions, such as Europe, go further and require that IT solutions incorporate security measures by design.2 In the United States, with respect to medical information, there are numerous guidelines on the technical means to be adopted to ensure that such information is kept secure.3 In addition to the personal information they hold, companies may also want to protect their trade secrets. These are often invaluable and their disclosure to competitors could cause them irreparable harm. No technology is immune. In a recent publication,4 the renowned Kaspersky firm warns us of the growing risks posed by certain organized hacker groups that may want to exploit the weaknesses of Linux operating systems, despite their reputation as highly secure. Kaspersky lists a number of known vulnerabilities that can be used for ransom attacks or to gain access to privileged information. The publication echoes the warnings issued by the FBI regarding the discovery of new malware targeting Linux.5 Measures to be taken to manage the risk It is thus important to take appropriate measures to reduce these risks. 
We recommend in particular that business directors and officers: Adopt corporate policies that prevent the installation of unsafe software by users; Adopt policies for the regular review and updating of IT security measures; Have penetration tests and audits conducted to check system security; Ensure that at least one person in management is responsible for IT security. Should an intrusion occur, or, as a precautionary measure for businesses that collect and store sensitive personal information, consulting a lawyer specializing in personal information or trade secrets is recommended in order to fully understand the legal issues involved in such matters.

1. See in particular: Act respecting the protection of personal information in the private sector (Quebec), s. 10, Personal Information Protection and Electronic Documents Act (Canada), s. 3.
2. General Data Protection Regulation, art. 25.
3. Security Rule, under the Health Insurance Portability and Accountability Act, 45 CFR Part 160, 164.
4. https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/
5. https://www.fbi.gov/news/pressrel/press-releases/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecurity-advisory

  • Constant supervision: how does the recent court decision impact CPEs, daycare centres and home childcare providers?

    On January 15, 2020, the Court of Québec handed down an important decision that could have an impact very quickly on the entire childcare network.1 In its ruling dealing with a breach of the obligation to provide constant supervision of the children, the court questioned the concept of auto-pauses (also known as pauses jumelées or pauses autogérées). This widespread practice consists of having a single childcare staff member, usually an educator, temporarily supervise two groups of napping children to allow another childcare staff member to go on a break. The court took advantage of the opportunity to delimit the obligation of constant supervision set out in section 100 of the Educational Childcare Regulation2 (the “Regulation”), which applies indiscriminately to all childcare providers: the centres de la petite enfance (CPEs), daycare centres and home childcare providers. Finally, the court made some interesting comments on the calculation of the ratios, although this was not a central issue in the dispute. The court’s reasons and comments will likely lead childcare providers to question the organization of their work, their practices, directives and even their individual or collective work agreements. Decision Facts In April 2018, an inspector from the Ministère de la Famille visited a CPE to conduct a full inspection for the renewal of its permit, and to deal with a complaint about child supervision during naps. In the afternoon, the inspector entered a room and found seven children lying on small mats scattered on the floor. Some of them were not sleeping and no educator was present. However, in an adjacent room, an educator was sitting along the back wall. This second room had ten other children, also lying down for a nap. The evidence showed that an observation window separated the two rooms, which were also connected by a shared bathroom. 
The court noted that it was impossible at that time for the educator to get a full view of the adjacent room, in particular, because of the furniture that was dispersed about the room and partially obstructed the view. A statement of offence for failure to maintain constant supervision was issued to the CPE, although the practice of placing two groups under the supervision of a single educator at nap time, to allow a colleague to take a break, is a well-known practice. The concept of constant supervision To date, there are very few decisions dealing with the concept of constant supervision in a childcare context. The court, therefore, used this opportunity to consider this concept in greater detail [translation]: « [23] The CPE [...] must ensure that the children to whom childcare is provided are constantly supervised for their safety; [24] The French adjective constante [constant] is defined in the Larousse dictionary as follows: [translation] that which is uninterrupted, continuous; durable. [25] Le Petit Druide des synonymes et des antonymes has the following synonyms for the adjective constante: [translation] continual, continuous, at every moment, unceasing, uninterrupted, perpetual, without end. The antonyms are: [translation] discontinuous, intermittent, irregular. [26] The Larousse dictionary defines the French word surveiller [to supervise] as the act of observing attentively. In the decision in Directeur des poursuites criminelles et pénales c. Centre de la petite enfance (CPE) Le petit sentier, Judge Rivest noted that it is the action of watching over someone in one’s care and/or for whom one is responsible, taking care of them, being attentive. [27] There are few reported decisions dealing with this issue. Based on the decisions filed with the pleadings, the Court finds that the adequacy of the supervision depends on the specific facts of each case. 
[28] Since young children are involved in this case, the Court finds that this supervision must be visual and auditory to be effective. » (References omitted) Applying this reasoning to the facts in this case, the court found, beyond any reasonable doubt, that the children in the group for which there was momentarily no educator were not under constant, but rather “intermittent”, supervision. Due diligence and the auto-pause concept At trial, the CPE presented a so-called “due diligence” defence, arguing that all reasonable precautions were taken to avoid committing the offence. In particular, it referred to an internal memo sent to all the employees on how to proceed during an auto-pause. According to the memo, educators must be near the observation window and walk regularly between the two rooms to verify the children’s status. In the event that a child wakes up, the instruction is then to respond to his or her needs promptly and engage in a quiet game with the child in order to respect the other children’s nap time. The CPE demonstrated that this directive had been communicated to all the staff and that it was regularly discussed at meetings. In addition, a pedagogical adviser ensured that this rule was respected. The failure to comply with this obligation could result in disciplinary sanctions up to and including dismissal. Despite the foregoing, the court rejected the CPE’s due diligence defence. It stated that in the context of an auto-pause, the directive was not able to bring the CPE into compliance with the Educational Childcare Act3 (the “Act”). It was in fact inevitable, in the court’s view, that the educator would have to attend to a specific child at some point in time and would no longer be able to see what was happening in the other room. The court concluded by adding that a reasonable person placed in the same circumstances should provide for a sufficient quantity of staff to replace the educators during their breaks. 
On this point, it noted that [translation] “the children's safety must take precedence over the economic interests of the [childcare] service providers”4. Furthermore, it stated that, despite the CPE's efforts to ensure compliance with its directives, it was the auto-pause concept itself that was problematic and, in the court’s words, [translation] “completely inappropriate”5. Thus, the CPE was convicted of breaching the obligation of constant supervision of the children and ordered to pay a fine. What is the impact with respect to the organization of work for childcare providers? The court’s decision will likely raise doubts about the organization of work for many childcare service providers, particularly permit holders who make use of the auto-pause concept. However, the ramifications could be much more far-reaching. Level of supervision We can easily imagine that the issue of adequate supervision could give rise to many challenges on a daily basis. The court indicated that such supervision must be auditory and visual, but may also vary depending on the circumstances. The analysis of a situation could therefore be influenced by various things, such as the premises (private residence, facility, park, etc.), their layout (presence of furniture, size of openings, etc.), the location of the workers and children while services are being provided, and the nature of the activities conducted. Given the court’s requirement that the supervision must be both visual and auditory, the assessment of its adequacy would seem to be all the more likely to raise questions for home childcare providers and compliance officers in coordinating offices who conduct visits to monitor these providers. 
Calculating ratios It should be noted that the offence with which the CPE was charged in this case did not concern compliance with the ratios provided for under the Act for the number of children to childcare staff that are required to be present on the premises during the provision of services. The issue before the court was strictly to determine whether the CPE was providing constant supervision of the two groups of children at the time of the inspection. While the court stated that it would reserve its comments on the question of the ratio, it nevertheless clearly added that it did not agree with the CPE’s interpretation of the number of childcare staff that were needed to care for the children in its facility. Thus, despite the fact that the educators could not leave the facility during their breaks, the court noted that by ordering the educators to split their time between two rooms, the CPE was disregarding the ratios provided for in the Act. Thus, the court's view was evidently that the ratios set out in section 21 of the Act would apply to each group of children, and could not be calculated as a whole, across the entire facility. The auto-pause concept In light of the specific facts submitted as evidence, the court found that the very concept of auto-pause is inappropriate. While some might therefore be tempted to conclude that all auto-pauses should be abolished, or that they are necessarily illegal, it should be remembered that each situation must be analyzed separately, based on its specific circumstances. Thus, a permit holder may still be able to show that they are in compliance with their obligation of constant supervision, for example, through a combination of adequate premises, resources, work instructions and protocols. This being said, the fact that the court has raised doubts about the very concept of the auto-pause will necessarily lead permit holders to question the organization of their work. 
In a context in which the court relies, inter alia, on its own calculation of the ratios applicable to the group of children, it could be even more complex for permit holders to determine the scope of their obligations. The same thing can be said for the manner in which they will be able to meet their obligations taking into account their mission, budget, human and material resources, individual or collective work agreements, and the specific needs of the children in their care. Conclusion The decision rendered by the Court of Québec on January 15, 2020 sheds light on the notion of constant supervision in the context of the provision of childcare services. Thus, to ensure that they are in compliance with their obligations and avoid penal or administrative penalties, it may be appropriate for childcare providers to review the organization of their work. A notice of appeal of this decision was filed on February 14, 2020 by the CPE. We will keep you informed of further developments. Should you wish to obtain further information on this topic, or discuss possible solutions for your own situation, please do not hesitate to contact our team of professionals.

1. Directeur des poursuites criminelles et pénales c. Centre de la petite enfance Soulanges (CPE Soulanges), C.Q. Beauharnois, 760-61-124110-199, January 15, 2020 (hereinafter DPCP c. CPE Soulanges).
2. CQLR, c. S-4.1.1, r. 2.
3. CQLR, c. S-4.1.1.
4. DPCP c. CPE Soulanges, para. 42.
5. Idem, para. 45.

  • Impact of technology on the practice of law

    Technology is now a part of our day-to-day lives, and we’ve learned how to use it. But what about our judicial institutions? What impact does technology have on the administration of proof and the practice of law? The Court of Appeal provides us with some solutions (and grounds for discussion) in its recent case of Benisty v. Kloda.1 Charles Benisty (hereinafter “the appellant”) initiated an appeal in June 2009 against Samuel Kloda (hereinafter “the respondent”) as well as CIBC Wood Gundy (hereinafter “CIBC”). The appellant is claiming that the respondent committed errors in fulfilling the mandate that he had entrusted to him with regard to certain financial transactions completed between November 2004 and September 2008. The respondent was a financial consultant and Executive Vice-President of the Montréal branch of the CIBC. Prior to the initiation of legal proceedings, the appellant recorded some of their telephone conversations, as part of discussions that took place between the respondent and himself, without the knowledge of the respondent. He states that he acted in this manner because he was convinced that the respondent was lying to him and was conducting unauthorized transactions in his accounts. In total, 60 conversations were recorded between April and October 2008. In first instance, judge Benoît Emery dismissed the appellant’s recourse. He allowed the respondent’s objection to the introduction into evidence of a series of audio recordings of telephone conversations between the respondent and the appellant. Judge Emery considers that the recordings are not a technological document, but rather a material element that must be subject to separate proof to establish its authenticity and legal value. In fact, Judge Emery states: “It is clear from listening to the recordings, that they are fraught with interruptions, cut-offs, or voluntary or non-voluntary deletions”, and therefore they are not authentic. He goes on to say: “[...] 
these incomplete and sometimes incoherent excerpts that, at times support the appellant’s cause, and at times, the respondent’s, seem to reveal everything and its opposite – wherein lies the need for evidence that is independent from its reliability and authenticity.2” The appellant is appealing the Superior Court judgement. He argues, in particular, that the judge erred by declaring the audio recordings inadmissible as evidence. He reiterates the argument to the effect that the cassettes, on which audio recordings of the telephone conversations he had with the respondent were made, constitute technological documents within the meaning of the Act to Establish a Legal Framework for Information Technology3 (hereinafter “LFIT Act”). He says that the cassettes benefit from the presumption of authenticity stipulated in article 2855 CCQ and, consequently, it is the respondent’s responsibility to establish that this technological support does not ensure the integrity of the document and its authenticity. For his part, the respondent is rather of the opinion that the audio recordings on a magnetic medium do not fall within the scope of the LFIT Act. He therefore considers that it is the appellant’s responsibility to establish authenticity. The Court of Appeal says that the application and interpretation of the LFIT Act, which came into force in 2001, was never actually subject to the decisions of the courts and, therefore, it feels that it is useful to analyze the matter brought before it by the parties. The Court of Appeal was, in connection with this matter, facing a specific situation: in fact, in the first instance, the appellant had presented six (6) audio cassettes on which were recorded his conversations with the respondent, for a total recording duration of about six (6) hours. However, on appeal, the appellant had selected 50 excerpts of these conversations that he had transferred onto a CD for a listening duration of roughly one (1) hour. 
In other words, the appellant chose to substitute a CD for the cassettes produced in the Superior Court, under the same evidence docket (P-60). First off, judge Lévesque, who drafted the reasons to which judges Dufresne and Healy subscribe, qualifies these audio recordings in this matter as “material elements of proof”. He explains that when “a person is recorded without his knowledge during a telephone conversation or interview, this is considered a material element of proof, whereas a person who records himself and recites a dictation attempts instead to establish a testimony”4. Consequently, judge Lévesque reiterates that for a recording to be admitted as evidence, its authenticity must be proven.5 Consequently, the Court of Appeal asked the question as to whether the audio recording is a “technological document” within the meaning of the LFIT Act. In this respect, judge Lévesque points to the existence of a doctrinal controversy that qualifies an audio recording on magnetic tape, more commonly referred to as a cassette, differently from a recording on a USB key or on CD. According to author Mark Phillips, on whom the respondent is basing his argument, a cassette is not a “technological document” since the technology relative to the cassette is “analog”, whereas the most recent technologies are digital (such as magnetic hard drive, USB key, CD, etc.). According to this author, the definition given by the LFIT Act of a “technological document” therefore excludes analog documents. The Court of Appeal does not uphold the theory posited by author Mark Phillips. It prefers the interpretation under which a recording on magnetic tape is considered a technological document. Despite the noted discrepancies in the text of article 2874 CCQ in comparison with those of the provisions in the LFIT Act, judge Lévesque considers it necessary to retain the interpretation that most closely complies with the purpose of the Act and the lawmaker’s intention. 
He notes that the LFIT Act came into force in 2001, whereas the Civil Code of Québec came into effect ten (10) years before that. Thus, on the one hand, this specific Act must take precedence over the provisions of the Civil Code, whose scope is more general in nature. Moreover, judge Lévesque refers to two (2) case study maxims that make it possible to deduce the lawmaker’s intention: [77] Two case study maxims make it possible to deduce the lawmaker’s intention. Under the first, “precedence must be given to the most recent legislation, the legislative standard that is subsequent to the other standard in conflict”. In fact, when a new law is passed, the lawmaker is deemed to be aware of those laws that already exist. We could, therefore, presume that he wanted to implicitly repeal those standards that were not compatible with the new ones. The second principle stipulates that precedence must be given to the specific statute as compared with the statute of general application. The Court of Appeal therefore arrived at the conclusion that a recording on magnetic tape, such as a cassette, is a technological document. More generally, it retains that a “technological document” must be considered a document whose medium uses information technologies, whether this medium is analog or digital.6 Subsequently, the Court of Appeal examined articles 2855 and 2874 of the Civil Code, along with articles 5, 6 and 7 of the LFIT Act, in order to outline the principles applicable to the legal value to be assigned to a technological document. When is there presumption of authenticity? When is there presumption of integrity? When is there exemption of proof for a party when a technological document is introduced as proof? 
After analyzing various theories supported by different authors, the Court of Appeal retained the following regarding the procedure to follow when introducing a technological document as evidence: [99] […] articles 2855 and 2874 CCQ require the demonstration of distinct or separate proof of authenticity of a document presented as evidence. Thus, a technological document generally includes an inherent documentation, such as metadata, making it possible to identify an author, the date of creation, or even whether modifications were made to the document. Since such metadata constitute inherent proof of a technological document — and not a distinct or separate proof, as is required by the first part of articles 2855 and 2874 CCQ — and that they fulfill the same role as a traditional proof of authenticity, the lawmaker exempts that party from additionally establishing a separate proof. [100] Thus, article 7 LFIT Act does not create presumption of integrity of a document, but only a presumption that the technology used by its medium makes it possible to ensure its integrity, which I refer to as technological reliability. The nuance arises from the fact that an attack on the document’s integrity may come from various sources; for example, we can mention that the information may be altered or manipulated by an individual without technology being at fault. [101] Articles 2855 and 2874 CCQ indicate that a separate proof of authenticity is required in the case indicated in the third paragraph of article 5 LFIT Act., i.e., in the case where the medium or technology does not make it possible to either confirm or deny whether the document’s integrity is ensured. [102] Hence, the idea that a technological medium is deemed reliable (article 7 LFIT Act.) differs from the notion that such a medium may effectively ensure the document’s integrity (article 5 al. 3 LFIT Act.). It is a subtle distinction. A technology may, therefore, be reliable (7 LFIT Act.) 
without making it possible to affirm that we may conclude that the integrity of the document is ensured: this added insurance is provided by the technological documents that include an inherent documentation, or metadata, that prove the integrity of the document. [103] In other words, the exemption of proving the document’s authenticity applies where the medium or technology used make it possible to ensure the integrity of the document. This is not a case of presumed technological reliability under article 7 LFIT Act., but of the specific case of technological documents that include metadata and that, consequently, prove their own integrity. [104] However, in the absence of intrinsic documentation making it possible to ensure the document’s integrity, which is the case set out by article 5, al. 3 LFIT Act., the party that wants to produce such a document must establish this distinct traditional proof of its authenticity: […] [105] Thus, when an audio recording is accompanied by metadata and this documentation satisfies, in the court’s opinion, the authenticity requirement of the document, the party that produces this recording will be exempt from proving its authenticity. […] To summarize, the party seeking to present as evidence the audio recording must prove its authenticity7, but will not be required to prove the reliability of the technological medium used by virtue of the presumption established by article 7 LFIT Act. This article establishes a “presumption of reliability” of the technological medium by virtue of which the technology used makes it possible to ensure the document’s integrity.  This integrity itself is not presumed8. Applying these principles in the case under analysis, the Court of Appeal arrives at the conclusion that the judge of first instance erred by deciding that the cassettes did not constitute a technological document. 
It maintains, however, that the first judge was correct in affirming that the authenticity of the audio recordings must be proven for them to be accepted as evidence.  Therefore, in appeal, the appellant did not provide the same technological medium as that which was presented during the first instance. Six (6) cassettes were presented in the Superior Court, whereas one CD representing a summary of these recordings was presented instead in the Court of Appeal. Thus, it was not sufficient in the Court of Appeal to compare the technology and the different mediums of the proof presented, since it was impossible to distinguish the content of the cassettes from those of the CD in order to determine whether they presented the same information. By virtue of the rules of proof, the reproduction of an original may be made by a copy or a transfer9.  The copy shall be made on the same medium, whereas the transfer will be made on a technological medium that is different from the original.  Since the Court had no way to determine with certainty that the content of the CD was the same as that of the cassettes, it concluded that it simply did not have the same legal value. Lastly, the Court concluded that the appellant did not discharge his burden of demonstrating that the first instance judge had made an error that could justify their involvement. This ground of appeal was therefore rejected10. Overall, the Court of Appeal rejected in any case all of the other claims put forth by the appellant, noting that the latter faces a critical challenge: he was not persuasive. Our takeaway from this case is that the administration of a piece of evidence on a technological medium is no simple matter, and it must not be taken lightly. It is not easy to navigate the various provisions set out in both the Civil Code and the LFIT Act in order to extract the principles applicable to matters of proof. 
The Court of Appeal retains that the presumption of integrity set out in article 7 of the LFIT Act applies exclusively to the technological medium and not its content. It emphasizes that there should not be confusion between the integrity of a document and the capacity of a technology to ensure it. Also, it suggests referring to the presumption set out in article 7 of the LFIT Act as a “presumption of technological reliability” instead of a “presumption of integrity of medium”. Lastly, it specifies that establishing the authenticity of an audio recording comprises two (2) components:

1) The qualities related to the methods of creation; and,
2) The qualities related to the information itself contained on the technological medium.

A party seeking to dispute the reliability of a technological medium must, by virtue of article 89 of the CCQ, produce an affidavit “indicating in specific detail the facts and motives that make an attack on the integrity of the document likely”.

An example of the administration of such technological proof may be found in the matter of Forest v. Industrial Alliance11. In this matter, photographs taken from the appellant’s Facebook account were submitted as an element of material proof. Attached was an affidavit, proclaiming the authenticity of the document, from the intern who took the screen capture. Regarding the identity of the informants, the appellant’s spouse confirmed, during the hearing, that it was in fact he himself who had taken the photographs in question. Since the opposing party did not offer any objection, the authenticity was established.

While the Civil Code of Québec and its related laws strive to cover every situation that may arise in connection with presenting evidence on a technological medium, it is undeniable that technology is progressing at a rate that is far outpacing that set by lawmakers.
That being the case, it is also the responsibility of attorneys to collaborate and innovate in the administration of their proof so as not to find themselves in an endless debate when seeking to determine the authenticity of specific evidence they are attempting to present.

1. 2018 QCCA 608.
2. Judgement on appeal, par. 97
3. CQLR, c. C-1.1.
4. Paragraph 60
5. Art. 2855, the CCQ.
6. 9, par. 119 of the decision.
7. CCQ., art. 2855 and 2874.
8. 9, par. 120 of the decision
9. LFIT Act, art. 12, 15, 17 and 18 and CCQ, art. 2841.
10. We should note that the other grounds of appeal presented by the appellant were all rejected as well, and that the Court, in a written judgement rendered by the Honorable Jacques J. Lévesque, j.c.a., rejected the appeal with legal fees.
11. 2016 QCCS 497.

  • Artificial Intelligence and the 2017 Canadian Budget: is your business ready?

    The March 22, 2017 Budget of the Government of Canada, through its “Innovation and Skills Plan” (http://www.budget.gc.ca/2017/docs/plan/budget-2017-en.pdf) mentions that Canadian academic and research leadership in artificial intelligence will be translated into a more innovative economy and increased economic growth. The 2017 Budget proposes to provide renewed and enhanced funding of $35 million over five years, beginning in 2017–2018 to the Canadian Institute for Advanced Research (CIFAR) which connects Canadian researchers with collaborative research networks led by eminent Canadian and international researchers on topics including artificial intelligence and deep learning. These measures are in addition to a number of interesting tax measures that support the artificial intelligence sector at both the federal and provincial levels. In Canada and in Québec, the Scientific Research and Experimental Development (SR&ED) Program provides a twofold benefit: SR&ED expenses are deductible from income for tax purposes and a SR&ED investment tax credit (ITC) for SR&ED is available to reduce income tax. In some cases, the remaining ITC can be refunded. In Québec, a refundable tax credit is also available for the development of e-business, where a corporation mainly operates in the field of computer system design or that of software edition and its activities are carried out in an establishment located in Québec. This 2017 Budget aims to improve the competitive and strategic advantage of Canada in the field of artificial intelligence, and, therefore, that of Montréal, a city already enjoying an international reputation in this field. It recognises that artificial intelligence, despite the debates over ethical issues that currently stir up passions within the international community, could help generate strong economic growth, by improving the way in which we produce goods, deliver services and tackle all kinds of social challenges. 
The Budget also adds that artificial intelligence “opens up possibilities across many sectors, from agriculture to financial services, creating opportunities for companies of all sizes, whether technology start-ups or Canada’s largest financial institutions”. This influence of Canada on the international scene cannot be achieved without government supporting research programs and our universities contributing their expertise. This Budget is therefore a step in the right direction to ensure that all the activities related to artificial intelligence, from R&D to marketing, as well as design and distribution, remain here in Canada. The 2017 Budget provides $125 million to launch a Pan-Canadian Artificial Intelligence Strategy for research and talent to promote collaboration between Canada’s main centres of expertise and reinforce Canada’s position as a leading destination for companies seeking to invest in artificial intelligence and innovation.

Lavery Legal Lab on Artificial Intelligence (L3AI)

We anticipate that within a few years, all companies, businesses and organizations, in every sector and industry, will use some form of artificial intelligence in their day-to-day operations to improve productivity or efficiency, ensure better quality control, conquer new markets and customers, implement new marketing strategies, as well as improve processes, automation and marketing or the profitability of operations. For this reason, Lavery created the Lavery Legal Lab on Artificial Intelligence (L3AI) to analyze and monitor recent and anticipated developments in artificial intelligence from a legal perspective. Our Lab is interested in all projects pertaining to artificial intelligence (AI) and their legal peculiarities, particularly the various branches and applications of artificial intelligence which will rapidly appear in companies and industries.
The development of artificial intelligence, through a broad spectrum of branches and applications, will also have an impact on many legal sectors and practices, from intellectual property to protection of personal information, including corporate and business integrity and all fields of business law. In our following publications, the members of our Lavery Legal Lab on Artificial Intelligence (L3AI) will more specifically analyze certain applications of artificial intelligence in various sectors and industries.

  • The Supreme Court of Canada reinforces the protection of litigation privilege by elevating it to class privilege status

    Ten years after Blank v. Canada (Minister of Justice),1 the leading case regarding litigation privilege, the Supreme Court of Canada has seized the opportunity to reaffirm and expand on the principles set out in that important decision. Indeed, in its most recent case, Lizotte v. Aviva Insurance Company of Canada,2 rendered on November 25, 2016, Canada’s highest court clarified the limits and reinforced the scope of litigation privilege. It also closely considered what legislators would have to do to derogate from the application of this common law privilege which also applies under Québec civil law.

The context

This case originated in the context of an investigation by the assistant syndic of the Chambre de l’assurance de dommages of a claims adjuster subject to her powers of investigation in matters of professional conduct. Relying on section 337 of the Act respecting the distribution of financial products and services (the “Act”), which provides for the duty of an insurer to forward “any document or information” on the activities of a representative under investigation, the assistant syndic asked the Aviva insurance company to provide her with a full copy of the claim file held by the adjuster. Aviva opposed the request on the ground that some of the documents were protected by litigation privilege. Although the privilege issue later became moot since a settlement was reached in the litigation involving Aviva and its insured, the syndic nonetheless decided to file a motion for a declaratory judgment before the Court on the issue of whether the general wording of section 337 of the Act is enough to set aside litigation privilege.

The characteristics of litigation privilege

As stated in the Blank case, rendered by the Supreme Court in 2006, the purpose of litigation privilege is to ensure the efficacy of the adversarial process, by leaving the parties “to prepare their contending positions in private, without adversarial interference and without fear of premature disclosure”.3 Litigation privilege therefore creates an immunity from disclosure with respect to documents and communications whose “main purpose” is the preparation for litigation. Due to its origins, this privilege has often been conflated with solicitor-client privilege. However, the Blank case made a very clear conceptual distinction between these two notions. In Blank, the Supreme Court noted that “[t]hey often co-exist and one is sometimes mistakenly called by the other’s name, but they are not coterminous in space, time or meaning”.4 The Court also states that litigation privilege, “unlike the solicitor-client privilege, is neither absolute in scope nor permanent in duration”.5 The distinctions between these two concepts as identified in the Blank case are repeated in the Lizotte case:

      • The purpose of solicitor-client privilege is to protect a relationship, while that of litigation privilege is to ensure the efficacy of the adversarial process;
      • Solicitor-client privilege is permanent, whereas litigation privilege is temporary and lapses when the litigation ends;
      • Litigation privilege applies to unrepresented parties, even where there is no need to protect access to legal services;
      • Litigation privilege applies to non-confidential documents. In fact, contrary to solicitor-client privilege, confidentiality is not an essential condition of litigation privilege;
      • Litigation privilege is not directed at communications between solicitors and clients as such.

Despite the clear distinctions between these two types of privilege, the Lizotte case does point out their common characteristics, particularly the fact that they serve a common cause: the secure and effective administration of justice.6 The Court is then asked to address the issue of whether litigation privilege can be raised against third parties, particularly investigators. According to the Court, it would not be appropriate to exclude third parties from the application of this privilege or to expose this privilege to the uncertainties of disciplinary and legal proceedings which could result in the disclosure of documents that would otherwise be protected, even assuming that there is no risk that a syndic’s inquiry will result in the disclosure of privileged documents. Indeed, the mere possibility of a party’s work being used by the syndic in preparing for litigation could discourage that party from writing down what he or she has done.7 As a result, unless a third party can satisfy the conditions of a recognized exception to litigation privilege, such privilege can be raised against him or her. Finally, it is interesting to note that in the Blank case, the Court recognized that while solicitor-client privilege has benefited from a liberal interpretation, commensurate with its importance, the situation has been notably different for litigation privilege, the scope of which had to be adapted to the modern trend in the legislation and case law towards mutual and reciprocal disclosure, the hallmark of the judicial process.8

The recognition of a new class privilege

However, this last remark, which could correctly be referred to as an obiter dictum, did not prevent the Supreme Court from pushing further the recognized protection of litigation privilege in the Lizotte case by elevating it to “class privilege” status, that is, a privilege with a nondisclosure presumption each time its conditions of application are met.
This is to be contrasted with a privilege recognized on a case-by-case basis, whose application depends upon a specific analysis based on a four-pronged test, including a balancing of the interests involved. The Court states as follows:

“[36] Thus, although litigation privilege differs from solicitor-client privilege in that its purpose is to facilitate a process — the adversary process (Blank, at para. 28, quoting Sharpe, at paras. 164-65) — and not to protect a relationship, it is nevertheless a class privilege. It is recognized by the common law courts, and it gives rise to a presumption of inadmissibility for a class of communications, namely those whose dominant purpose is preparation for litigation (Blank, at para. 60).

[37] This means that any document that meets the conditions for the application of litigation privilege will be protected by an immunity from disclosure unless the case is one to which one of the exceptions to that privilege applies. As a result, the onus is not on a party asserting litigation privilege to prove on a case-by-case basis that the privilege should apply in light of the facts of the case and the “public interests” that are at issue (National Post, at para. 58).”

To grasp the importance of the Lizotte case, one must understand that the law has recognized precious few of these so-called “class” privileges. Except for solicitor-client privilege, which is “the most notable example of a class privilege,”9 the only other class privileges which we have encountered in the case law are police informer privilege,10 spousal privilege11 and litigation privilege.12 In the case of R. v.
National Post, the Supreme Court even refused to recognize class status for the privilege of journalists’ confidential sources, noting that “[i]t is likely that in future such “class” privileges will be created, if at all, only by legislative action.”

Exceptions to litigation privilege

As with other class privileges, litigation privilege is subject to clearly defined exceptions, rather than a balancing of interests on a case-by-case basis. The Court has therefore decided that the recognized exceptions to solicitor-client privilege are also applicable to litigation privilege,13 that is, those exceptions related to public safety, the innocence of an accused, and communications of a criminal nature. There is also the exception to litigation privilege already recognized in the Blank case regarding the disclosure of “evidence of the claimant party’s abuse of process or similar blameworthy conduct.”

Legislative exceptions to litigation privilege

Although it is undeniable that litigation privilege does not benefit from the same status as solicitor-client privilege — a principle of fundamental justice and a “civil right of supreme importance in the Canadian justice system”14 — it nonetheless remains the case that it has been referred to as being “fundamental to the proper functioning of our legal system”15 since it is at the heart of our accusatory and contradictory system and because it promotes the search for truth by allowing the parties to adequately prepare for litigation. For this reason, the Court reminded us of the requirement whereby the modification or revocation of common law rules, which are of fundamental importance, requires that the legislator use clear and explicit language. As a result, a party cannot be deprived of the right to claim litigation privilege in the absence of a clear and explicit legislative text.
In that respect, section 337 of the Act, on which the assistant syndic was relying, was not deemed to be sufficient to set aside the application of that privilege. Therefore, the Québec legislator, as well as the legislators of the other provinces and the federal legislator, will have to take note of this important decision and will likely be called upon to amend the wording of the general provisions regarding the production of documents where they do not specify that they apply to documents in respect of which litigation privilege, or any other privilege of a similar nature, may be relied upon.

1. [2006] 2 S.C.R. 319 (“Blank”).
2. 2016 SCC 52 (“Lizotte”).
3. Blank, para 27.
4. Id., para 1.
5. Id., para 37.
6. Lizotte, para 24.
7. Id., para 52.
8. Blank, para 60, 61.
9. R. v. McClure, [2001] 1 S.C.R. 445, para 28.
10. R. v. Basi, [2009] 3 S.C.R. 389, para 22.
11. Canada Evidence Act, RSC 1985, c C-5, sec. 4(3); R. v. McClure, cited above, para 28.
12. Sable Offshore Energy Inc. v. Ameron International Corp., [2013] 2 S.C.R. 623, para 12.
13. Smith v. Jones, [1999] 1 S.C.R. 455, para 44.
14. Canada (Attorney General) v. Chambre des notaires du Québec, 2016 SCC 20, para 5.
15. Canada (Privacy Commissioner) v. Blood Tribe Department of Health, [2008] 2 S.C.R. 574.

  • From “Safe Harbor” to “Privacy Shield”: laying the groundwork for a new agreement on transatlantic data transfer with the United States

    The United States and the European Union recently concluded a new agreement aimed at allowing U.S. companies to continue to collect, use and disclose personal information concerning European citizens, while still preserving their fundamental rights. To properly understand the importance of this new agreement, one must be aware that the Court of Justice of the European Union, in a decision rendered on October 6, 2015, had declared invalid the previous data sharing framework, known as "Safe Harbour", which governed the holding of personal information regarding European nationals by numerous American companies, including Web giants such as Facebook and Google. This transnational agreement provided for a self-certification mechanism for U.S. companies by which they undertook to abide by a certain number of guiding principles applicable in the European Economic Area (EEA), pursuant to which these companies could obtain the authorization to collect and store personal information originating from the European Union. Such an agreement was necessary to allow U.S. companies to hold personal information about European citizens because the legislative framework applicable in the United States does not offer "an adequate level of protection" for personal information as compared with that required by European authorities. However, in the wake of the revelations by Edward Snowden regarding the mass surveillance by U.S. authorities of the computer data of several large corporations, an Austrian citizen, Maximillian Schrems, sought and obtained the invalidation by the Court of Justice of the European Union of the Safe Harbour Agreement.1 The Court held that the “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”. 
While this decision was, in principle, supposed to apply immediately, the Data Protection Working Party (known as the “WP29”) — an independent European advisory board on data protection and privacy — urged the European institutions and the U.S. government to act by January 31, 2016 to agree to an alternative solution. It was in this context that the European Commission made the highly anticipated announcement, on February 2, 2016, of a new agreement in principle with the United States, dubbed the "Privacy Shield". The details of this agreement have not yet been disclosed, but we already know that this new mechanism will entail stricter obligations and tighter control of U.S. companies that deal with information of a personal nature originating from the European Union. Furthermore, access by U.S. authorities to this information is expected to be more closely regulated and more transparent. While, in theory, this agreement does not directly affect Canadian companies that collect, use or disclose personal information regarding European citizens, any such companies having an American subsidiary or a place of business in the United States and which collect personal information from Europe, as well as Canadian companies mandating third parties located in the United States with tasks that require the communication of personal information on European nationals, e.g. for hosting purposes, would be well advised to ensure they comply with the conditions of this new agreement when it takes effect. Stay tuned for more updates.

1. Schrems v. Data Protection Commissioner, 2000/520/CE, Court of Justice of the European Union, 6 October 2015.

  • Canada’s Anti-spam Legislation: Phase 2 comes into force and first monetary penalty imposed

    Whereas Canadian businesses have barely recovered from the first phase of Canada’s anti-spam legislation (CASL), which aims primarily to regulate the sending of unsolicited commercial electronic messages, a new series of requirements applicable to the unauthorized installation of computer programs came into force on January 15, 2015. Like the rules applicable to commercial electronic messages, the second phase of the CASL is based on an opt-in mechanism as opposed to an opt-out mechanism. In other words, if someone wishes to install computer software or programs on someone else’s device, he must first obtain the consent of the device’s owner or authorized user. Parliament has not limited the legislation to any devices in particular. This means that the installation of software or programs on a computer, smartphone, tablet or game console is likely subject to the new rules. The same is true of the installation of software or programs on any device with computerized components, such as cars, appliances, smartwatches, etc. Since the legislation does not apply to the personal installation of computer software or programs, it is important to bear in mind that the new rules only apply when a business installs or causes the installation of software on someone’s device as part of its business activities. For example, the new rules do not apply where a person downloads an application onto his or her own device. Nor does the legislation apply to employers who install software or a computer program on the company’s devices. On the other hand, if the employer wishes to install a program or software on a device belonging to its employee, it must obtain the employee’s consent first. Furthermore, the legislation establishes several cases in which a person is deemed to have consented to the installation of a computer program or software. These include, for example, cookies, HTML, JavaScript, or an operating system such as Windows, OS/IOS, Linux, Android, Unix and BlackBerry OS.
For the time being, if computer software or a computer program was installed on someone else’s computer before January 15, 2015, the person is also deemed to have implicitly consented to the installation of updates until January 15, 2018.

CONSENT OF THE OWNER OR AUTHORIZED USER

Express consent must be obtained from the device’s owner or an authorized user. The CASL does not define the notion of “authorized user.” According to the CRTC, anyone who has permission to use the device is an authorized user. For example, an employee who uses a device supplied by his or her business, a spouse or children who use the family computer, the renter of a device, and a person who is repairing a computer (but only to the extent that the person is making agreed-upon repairs) are authorized users. When a person must obtain consent, the person must convey the following information to the owner or authorized user in clear and simple language:

      • The reason consent is being requested
      • The identity of the person who is seeking consent
      • If consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is being sought
      • The mailing address and one other type of contact information of the person
      • A statement indicating that the person whose consent is sought can withdraw their consent
      • A description in general terms of the functions and purpose of the computer program to be installed

In addition, if the software or computer program collects personal information, interferes with the user’s control of the device, changes the device’s settings or the data stored on the device, causes the device to communicate with another device or allows a third party to connect to the device remotely without the owner or authorized user’s knowledge, the request for consent must also disclose the following information:

      • A description of these functions and the reason for them
      • A description of the impact of these functions on the operation of the device

All the consent-related requirements must be met before the software or computer program is installed. As for the consent itself, it is not presumed and the burden of proof is always on the person who does or causes the installation.

A $1.1 MILLION PENALTY FOR CONTRAVENING CANADA’S ANTI-SPAM LEGISLATION

The CRTC recently reprimanded a Quebec business for sending commercial electronic messages without the consent of the addressees and for sending messages with unsubscribe mechanisms that did not function properly. The monetary penalty for the four violations is $1.1 million. The company has 30 days to submit written representations to the CRTC or pay the penalty. It also has the option to request an undertaking with the CRTC to address this issue. We remind you that the CASL imposes serious penalties on people who do not comply with its provisions, including those concerning the unauthorized installation of computer programs. Offenders who are individuals face administrative monetary penalties of up to $1 million, whereas the maximum is $10 million for all other offenders. Effective July 1, 2017, any person who suffers a loss or damage due to a contravention of the CASL may apply to a competent court for an order requiring the person to pay the amount of the damage in question, plus up to $1 million in liquidated damages.

CONCLUSIONS

Although this second phase of the CASL mainly seeks to protect Canadian consumers and businesses against the installation of malware or spyware that is often particularly harmful to users, it should be kept in mind that the new requirements can apply to many other situations. It is therefore important for businesses to review their practices in this regard, to ensure they comply with the law’s provisions.
