Publications

Packed with valuable information, our publications help you stay in touch with the latest developments in the fields of law affecting you, whatever your sector of activity. Our professionals are committed to keeping you informed of breaking legal news through their analysis of recent judgments, amendments, laws, and regulations.

  • Bill C-18 (Online News Act): Canada looking to create a level playing field for news media

    Earlier this month, Canadian Heritage Minister Pablo Rodriguez introduced Bill C-18 (Online News Act) in Parliament. This bill, which was largely inspired by similar legislation in Australia, aims to reduce bargaining imbalances between online platforms and Canadian news outlets in terms of how these “digital news intermediaries” allow news content to be accessed and shared on their platforms. If passed, the Online News Act would, among other things, require these digital platforms such as Google and Facebook to enter into fair commercial agreements with news organizations for the use and dissemination of news-related content on their platforms.

    Bill C-18, which was introduced on April 5, 2022, has a very broad scope, and covers all Canadian journalistic organizations, regardless of the type of media (online, print, etc.), if they meet certain eligibility criteria. With respect to the “digital news intermediaries” on which the journalistic content is shared, Bill C-18 specifically targets online communication platforms such as search engines or social media networks through which news content is made available to Canadian users and which, due to their size, have a significant bargaining imbalance with news media organizations.

    The bill proposes certain criteria by which this situation of bargaining imbalance can be determined, including the size of the digital platform, whether the platform operates in a market that provides a strategic advantage over news organizations and whether the platform occupies a prominent position within its market. These are clearly very subjective criteria which make it difficult to precisely identify these “digital news intermediaries.” Bill C-18 also currently provides that the intermediaries themselves will be required to notify the Canadian Radio-television and Telecommunications Commission (“CRTC”) of the fact that the Act applies to them.

    The mandatory negotiation process is really the heart of Bill C-18. If passed in its current form, digital platform operators will be required to negotiate in good faith with Canadian media organizations to reach fair revenue sharing agreements. If the parties fail to reach an agreement at the end of the negotiation and mediation process provided for in the legislation, a panel of three arbitrators may be called upon to select the final offer made by one of the parties. For the purposes of enforceability, the arbitration panel’s decision is then deemed to constitute an agreement entered into by the parties.

    Finally, Bill C-18 provides digital platforms the possibility of applying to the CRTC for an exemption from mandatory arbitration provided that their revenue sharing agreements meet the following criteria:

      • Provide fair compensation to the news businesses for news content that is made available on their platforms;
      • Ensure that an appropriate portion of the compensation would be used by the news businesses to support the production of local, regional and national news content;
      • Do not allow corporate influence to undermine the freedom of expression and journalistic independence enjoyed by news outlets;
      • Contribute to the sustainability of Canada’s digital news marketplace;
      • Ensure support for independent local news businesses, and ensure that a significant portion of independent local news businesses benefit from the deals; and
      • Reflect the diversity of the Canadian news marketplace, including diversity with respect to language, racialized groups, Indigenous communities, local news and business models.

    A bill of this scope will certainly be studied very closely by the members of Parliament, and it would not be surprising if significant amendments were made during this process. We believe that some clarifications would be welcome, particularly as to the precise identity of businesses that will be considered “digital information intermediaries” for the purposes of the Online News Act.

  • A False Sense of Cybersecurity?

    Ransomware has wreaked so much havoc in recent years that many people forget about other cybersecurity risks. For some, not storing personal information makes them feel immune to hackers and cyber incidents. For others, as long as their computers are working, they do not feel exposed to any malware. Unfortunately, the reality is quite different.

    A new trend is emerging: malware is being released to collect confidential information, including trade secrets, and then such information is being sold to third parties or released to the public.[1] The Pegasus software used to spy on journalists and political opponents around the world has been widely discussed in the media, to the point that U.S. authorities decided to include it on their trade blacklist.[2] However, the use of spyware is not limited to the political sphere.

    Recently, a California court ordered a U.S. corporation, [24]7.ai, to pay $30 million to one of its competitors, LivePerson.[3] This is because [24]7.ai installed competing technology on mutual client websites where LivePerson’s technology was already installed. LivePerson alleged in its lawsuit that [24]7.ai installed spyware that gathered confidential and proprietary information and data regarding LivePerson’s technology and client relationships. In addition, the software which [24]7.ai allegedly installed removed some features of LivePerson’s technology, including the “chat” button. In doing so, [24]7.ai interfered in the relationship between LivePerson and its clients. This legal saga is ongoing, as another trial is scheduled to take place regarding trade secrets related to a LivePerson client.[4]

    This legal dispute illustrates that cybersecurity is not only about personal information, but also about trade secrets and even the proper functioning of business software.

    A number of precautions can be taken to reduce the risk of cybersecurity incidents. Robust internal policies at all levels of the business help maintain a safe framework for business operations. Combined with employee awareness of the legal and business issues surrounding cybersecurity, these policies can be important additions to IT best practices. In addition, employee awareness facilitates the adoption of best practices, including systematic investigations of performance anomalies and the use of programming methods that protect trade secrets. Moreover, it may be advisable to ensure that contracts with clients provide IT suppliers with sufficient access to conduct the necessary monitoring for the security of both parties.

    Ultimately, it is important to remember that the board of directors must exercise its duty with care, diligence and skill while looking out for the best interests of the business. Directors could be held personally liable if they fail to meet their obligation to ensure that adequate measures are implemented to prevent cyber incidents or if they ignore the risks and are wilfully blind. Thus, board members must be vigilant, and be trained in and aware of cybersecurity, in order to integrate it into their risk management approach.

    In an era in which intellectual property has become a corporation’s most important asset, it goes without saying that it is essential to put in place not only the technological tools, but also the procedures and policies required to adequately protect it!

    Contact Lavery for advice on the legal aspects of cybersecurity.

    [1] See Page, Carly, “This new Android spyware masquerades as legitimate apps,” TechCrunch, November 10, 2021. https://techcrunch.com/2021/11/10/android-spyware-legitimate-apps; Page, Carly, “FBI says ransomware groups are using private financial information to further extort victims,” TechCrunch, November 2, 2021. https://techcrunch.com/2021/11/02/fbi-ransomware-private-financial-extort.
    [2] Gardner, Frank, “NSO Group: Israeli spyware company added to US trade blacklist,” BBC News, November 3, 2021. https://www.bbc.com/news/technology-59149651.
    [3] Claburn, Thomas, “Spyware, trade-secret theft, and $30m in damages: How two online support partners spectacularly fell out,” The Register, June 18, 2021. https://www.theregister.com/2021/06/18/liveperson_wins_30m_trade_secret.
    [4] Brittain, Blake, “LivePerson wins $30 million from [24]7.ai in trade-secret verdict,” Reuters, June 17, 2021. https://www.reuters.com/legal/transactional/liveperson-wins-30-million-247ai-trade-secret-verdict-2021-06-17.

  • Do you know your open-source licences?

    Do you have the right to copy source code written and developed by someone else? The answer to this question depends on the situation; however, even in the context of open innovation, intellectual property rights will be the starting point for any analysis required to obtain such an answer.

    In the software industry, open-source licences allow anyone to access the source code of corresponding software, free of charge and with few restrictions. The goal is generally to promote the improvement of this code by encouraging as many people as possible to use it. Linus Torvalds, the programmer of the Linux kernel (certainly one of the most well-known open-source projects) recently stated that without the open-source approach, his project would probably not have survived.[1]

    However, this approach has legal consequences: Vizio was recently hit with a lawsuit alleging non-compliance with an open-source GPL licence used in the SmartCast OS software embedded in some of its televisions. It is being sued by Software Freedom Conservancy (“SFC”), an American non-profit promoting and defending open-source licences. As part of its lawsuit, SFC alleges, among other things, that Vizio was required to distribute the SmartCast OS source code under the above-mentioned open-source GPL licence, which Vizio failed to do, thereby depriving consumers of their rights.[2]

    In Canadian law, section 3 of the Copyright Act[3] gives the author the exclusive right to produce or reproduce all or any substantial part of an original work. This principle has been adopted by all signatories of the 1886 Berne Convention, i.e., almost every country in the world. A licence agreement, which may inter alia confer the right to reproduce the work of another person, can take different forms. It also establishes the extent of the rights conferred and the terms and conditions of any permitted use.

    However, not all open-source licences are equivalent. Many allow creators to attach various conditions to the right to use the code that has been made available. Under these licences, anyone may use the work or software, but subject to the following constraints, depending on the type of licence in effect:

      • Obligation to display: An open-source licence may require disclosure of certain information in the software or in the source code itself, such as the following:
          • The author’s name or pseudonym, or even maintaining the anonymity of the author, depending on their wishes, and/or a citation of the title of the work or software;
          • The user licence of the redistributed open-source work or software;
          • A modification note for each modified file; and
          • A warranty disclaimer.
      • Contribution obligations: Some licences require the sharing of any modifications made to the open-source code, with said modifications being under the same licence conditions. In some cases, this obligation extends to any software that incorporates the open-source code. In other words, code derived from open-source material can itself become open-source. This obligation to contribute can generally be categorized as follows:
          • Any redistribution must be done under the original licence, making the result open-source as well;
          • Any redistribution of the code, modified or not, must be done under the original licence, but other code may be associated or added without being subject to the open-source licence; or
          • Any redistribution is done without any sharing constraints.
      • Ban on commercialization: Some licences prohibit any use for commercial purposes.

    Apache v2
      Level of obligation to contribute upon redistribution: Any redistribution of the software, modified or not, or with added components, must be done under the terms of the original licence.
      Mandatory elements to display: Licence of the redistributed open-source software; Identification of any changes made to the code; Copyright notice; Warranty disclaimer
      Commercial use permitted: Yes

    BSD
      Level of obligation to contribute upon redistribution: Any redistribution of the software can be done without any obligation to share.
      Mandatory elements to display: Copyright notice; Warranty disclaimer
      Commercial use permitted: Yes

    CC BY-NC 4.0
      Level of obligation to contribute upon redistribution: Any redistribution of the software can be done without any obligation to share.
      Mandatory elements to display: Licence of the redistributed open-source software; Identification of any changes made to the code; Copyright notice; Warranty disclaimer
      Commercial use permitted: No

    CC0 1.0
      Level of obligation to contribute upon redistribution: Any redistribution of the software can be done without any obligation to share.
      Mandatory elements to display: Licence of the redistributed open-source software
      Commercial use permitted: Yes

    GPLv3
      Level of obligation to contribute upon redistribution: Any redistribution of the software, modified or not, or with added components, must be done under the terms of the original licence.
      Mandatory elements to display: Licence of the redistributed open-source software; Identification of any changes made to the code; Copyright notice; Warranty disclaimer
      Commercial use permitted: Yes, but sub-licensing is not allowed

    LGPLv3
      Level of obligation to contribute upon redistribution: Any redistribution of the software, modified or not, must be done under the terms of the original licence. New components can be added, but not integrated, under other non-open-source licences.
      Mandatory elements to display: Licence of the redistributed open-source software; Identification of any changes made to the code; Copyright notice; Warranty disclaimer
      Commercial use permitted: Yes

    MIT
      Level of obligation to contribute upon redistribution: Any redistribution of the software can be done without any obligation to share.
      Mandatory elements to display: Licence of the redistributed open-source software; Copyright notice; Warranty disclaimer
      Commercial use permitted: Yes

    It is important to make programming teams aware of the issues that can arise when using modules governed by what are known as “viral licences” (such as the CC BY-NC 4.0 licence) in the design of commercial software. Such software could lose significant value if such modules are incorporated, making it difficult or even impossible to commercialize said software.

    In the context of open innovation where developers want to share their code, in particular to encourage collaboration, it is important to understand the scope of these different licences. The choice of the appropriate licence must be made based on the project’s objectives. Also, keep in mind that it is not always possible to change the licence used for the distribution of the code once said distribution has commenced. That means the choice of licence can have long-term consequences for any project.

    [1] David Cassel, Linus Torvalds on Community, Rust and Linux's Longevity, The New Stack, Oct. 1, 2021, online: https://thenewstack.io.
    [2] See the SFC press release: https://sfconservancy.org/copyleft-compliance/vizio.html.
    [3] RSC 1985, c. C-42.

  • Adoption of Bill 64: what do public bodies need to know?

    Bill 64, also known as the Act to modernize legislative provisions as regards the protection of personal information, was adopted on September 21, 2021, by the National Assembly of Québec. This new bill amends some 20 laws relating to the protection of personal information, including the Act respecting Access to documents held by public bodies and the Protection of personal information ("Access Act"), the Act respecting the protection of personal information in the private sector (“ARPIPS”) and the Act to establish a legal framework for information technology (“AELFIT”). While these changes will affect both public bodies and private businesses, this article focuses exclusively on the new requirements for public bodies covered by the Access Act. We have prepared an amended version of the Access Act in order to reflect the exact changes brought about by Bill 64.

    1. Strengthening consent mechanisms and increasing individual control over personal information

    By way of Bill 64, some important changes were made to the notion of consent when disclosing personal information to public bodies. From now on, any time an individual’s consent is required by the Access Act, public bodies must ensure that the concerned individual’s consent is given separately from any other disclosed information (s. 53.1). Furthermore, any consent to the collection of sensitive personal information (e.g., health or financial information that gives rise to a reasonable expectation of privacy) will have to be expressly obtained from the data subject (s. 59).

    The amended Access Act now also provides that minors under the age of 14 must have a parent or a guardian consent to the collection of their personal information. For minors over the age of 14, consent can be given either directly by the minor or by their parent or guardian (s. 53.1).

    The right to data portability is one of the new rights enforced by Bill 64. These added provisions to the Access Act allow data subjects to obtain data that a public body holds on them in a structured and commonly used technological format and to demand that this data be released to a third party (s. 84).

    Whenever a public body renders a decision based exclusively on automated processing of personal information, the affected individual must be informed of this process. If the decision produces legal effects or otherwise affects the individual concerned, upon request, the public body must also disclose to the individual (i) the personal information used in reaching the decision, (ii) the reasons and main factors leading to the decision, and (iii) the individual’s right to have this personal information rectified (s. 65.2). Furthermore, public bodies that use technology to identify, locate or profile an individual must now inform the affected individual of the use of such technology and the means that are available to them in order to disable such functions (s. 65.0.1).

    2. New personal data protection mechanisms

    Public bodies will now be required to conduct a privacy impact assessment whenever they seek to implement or update any information system that involves the collection, use, disclosure, retention or destruction of personal data (s. 63.5). This obligation will effectively compel public bodies to consider the privacy and personal information protection risks involved in a certain project at its outset. In fact, the Access Act now states that every public body must create an access to information committee, whose responsibilities will include offering their observations in such circumstances.

    3. Promoting transparency and accountability for public bodies

    The changes brought about by Bill 64 also aim to increase the transparency of processes employed by public bodies in collecting and using personal data, as well as placing an emphasis on accountability. As such, public bodies will now have to publish on their websites the rules that govern their handling of personal data in clear and simple language (s. 63.3). These rules may take the form of a policy, directive or guide and must set out the various responsibilities of staff members with respect to personal information. Training and awareness programs for staff should also be listed.

    Any public body that collects personal information through technological means will likewise be required to publish a privacy policy on their website. The policy will have to be drafted in clear and simple language (s. 63.4). The government may eventually adopt regulations to specify the required content of such privacy policies.

    Moving forward, public bodies will also have to inform data subjects of any personal data transfer outside of the province of Quebec (s. 65). Any such transfer will also need to undergo a privacy impact assessment, which will include an analysis of the legal framework applicable in the State where the personal information will be transferred (s. 70.1). Furthermore, any transfer of personal data outside of Quebec must be subject to a written agreement that takes into account, in particular, the results of the privacy impact assessment and, if applicable, the agreed-upon terms to mitigate the risks identified in the assessment (s. 70.1). A public body that wishes to entrust a person or body outside of Quebec with the task of collecting, using, communicating or retaining personal information on its behalf will have to undertake a similar exercise (s. 70.1 (3)).

    4. Managing confidentiality incidents

    Where a public body has reason to believe that a confidentiality incident (which is defined in Bill 64 as the access, use, disclosure or loss of personal information) has occurred, public bodies will be required to take reasonable steps to mitigate the injury caused to the affected individuals and to reduce the risk of further confidentiality incidents occurring in the future (s. 63.7). In addition, where the confidentiality incident poses a risk of serious harm to the affected individuals, these individuals and the Commission d’accès à l’information (“CAI”) must be notified (unless doing so would interfere with an investigation to prevent, detect or suppress crime or violations of law) (s. 63.7). Public bodies must now also keep a register of confidentiality incidents (s. 63.10), a copy of which must be sent to the CAI upon request.

    5. Increased powers for the CAI

    Bill 64 also grants the CAI an arsenal of new powers aiming to ensure that public bodies, as well as private companies, comply with privacy laws. For example, in the event of a confidentiality incident, the CAI may order any public body to take appropriate action to protect the rights of affected individuals, after allowing the public body to make representations (s. 127.2). Furthermore, the CAI now has the power to impose substantial administrative monetary penalties, the value of which may reach up to $150,000 for public bodies (s. 159). In the event of repeat offences, fines will be doubled (s. 164.1).

    6. Coming into force

    The amendments made by Bill 64 will come into force in several stages. Most of the new provisions of the Access Act will come into force two years after the date of assent, which was granted on September 22, 2021. However, some specific provisions will take effect one year after that date, including:

      • The requirements regarding actions to be taken in response to confidentiality incidents (s. 63.7) and the powers of the CAI upon disclosure by an organization of a confidentiality incident (s. 137.2); and
      • The exception to disclosure without consent for research purposes (s. 67.2.1).

    Conclusion

    The clock is now ticking for public bodies to implement the necessary changes in order to comply with the new privacy requirements outlined in Bill 64, which received official assent on September 22, 2021. We invite you to consult our privacy specialists to help ensure proper compliance with the new requirements of the updated Access Act. The Lavery team would be more than pleased to answer any questions you may have regarding the upcoming changes and the potential impacts on your org

  • Amendments to Privacy Laws: What Businesses Need to Know

    Bill 64, also known as the Act to modernize legislative provisions respecting the protection of personal information, was adopted on September 21, 2021, by the National Assembly of Québec. It amends some 20 laws relating to the protection of personal information, including the Act respecting access to documents held by public bodies ("Access Act"), the Act respecting the protection of personal information in the private sector ("Private Sector Act") and the Act respecting the legal framework for information technology. While the changes will affect both public bodies and private businesses, this publication will focus on providing an overview of the new requirements for private businesses covered by the Private Sector Act. We have prepared an amended version of the Private Sector Act in order to reflect the exact changes brought about by Bill 64.

    Essentially, the amended Private Sector Act aims to give individuals greater control over their personal information and promote the protection of personal information by making businesses more accountable and introducing new mechanisms to ensure compliance with Québec’s privacy rules. The following is a summary of the main amendments adopted by the legislator and the new requirements imposed on businesses in this area. It is important to note that, for the most part, the new privacy regime will come into effect in two years.

    1. Increasing transparency and individual control over personal information

    The new Private Sector Act establishes the right of individuals to access information about themselves collected by businesses in a structured and commonly used technological format. Data subjects will now also be able to require a business to disclose such information to a third party, as long as the information was not “created or inferred” by the business (s. 27). This right is commonly referred to as the “right to data portability.”

    Businesses now have an obligation to destroy personal information once the purposes for which it was collected or used have been fulfilled. Alternatively, businesses may anonymize personal information in accordance with generally accepted best practices in order to use it for meaningful and legitimate purposes (s. 23). However, it is important that the identity of concerned individuals can never again be inferred from the retained information. This is a significant change for private businesses which, under the current law, can still retain personal information that has lapsed.

    In addition, Bill 64 provides individuals with a right to “de-indexation.” In other words, businesses will now have to de-index any hyperlink that leads to an individual’s personal information where dissemination of such personal information goes against the law or a court order (s. 28.1).

    Additionally, whenever a business uses personal information to render a decision based exclusively on an automated processing of such information, it must inform the concerned individual of the process at the latest when the decision is made (s. 12.1). The individual must likewise be made aware of their right to have the information rectified (s. 12.1).

    Bill 64 provides that the release and use of nominative lists by a private company for commercial or philanthropic prospecting purposes are now subject to the consent of concerned data subjects.

    Furthermore, in an effort to increase transparency, businesses will now be required to publish their rules of governance with respect to personal information in simple and clear terms on their website (s. 3.2). These rules may take the form of a policy, directive or guide and must, among other things, set out the various responsibilities of staff members with respect to personal information. In addition, businesses that collect personal information through technology will also be required to adopt and publish a privacy policy in plain language on their website when they collect personal information (s. 8.2).

    The amended Private Sector Act further provides that businesses that refuse access to information requests, in addition to giving reasons for their refusal and indicating the relevant sections of the Act, must now assist applicants in understanding why their request was denied when asked to (s. 34).

    2. Promoting privacy and corporate accountability

    Bill 64 aims to make businesses more accountable for the protection of personal information, as exemplified by the new requirement for businesses to appoint a Chief Privacy Officer within their organization. By default, the role will fall upon the most senior person in the organization (s. 3.1).

    In addition, businesses will be required to conduct privacy impact assessments (“PIA”) for any information system acquisition, development or redesign project involving the collection, use, disclosure, retention or destruction of personal information (s. 3.3). This obligation forces businesses to consider the privacy and personal information protection risks involved in a project at its outset. The PIA must be proportionate to the sensitivity of the information involved, the purpose for which it is to be used, its quantity, distribution and medium (s. 3.3).

    Businesses will likewise be required to conduct a PIA when they intend to disclose personal information outside Québec. In these cases, the purpose of the PIA will be to determine whether the information will be adequately protected in accordance with generally accepted privacy principles (s. 17). The extra-provincial release of personal information must also be subject to a written agreement that takes into account, among other things, the results of the PIA and, if applicable, the terms and conditions agreed to in order to mitigate identified risks (s. 17(2)).

    The disclosure of personal information by businesses for study, research or statistical purposes is also subject to a PIA (s. 21). The law is substantially modified in this regard, in that a third party wishing to use personal information for such purposes must submit a written request to the Commission d'accès à l'information (“CAI”), attach a detailed description of their research activities and disclose a list of all persons and organizations to which it has made similar requests (s. 21.01.1 and 21.01.02).

    Businesses may also disclose personal information to a third party, without the consent of the individual, in the course of performing a service or for the purposes of a business contract. The mandate must be set out in a written contract, which must include the privacy safeguards to be followed by the agent or service provider (s. 18.3).

    The release of personal information without the consent of concerned individuals as part of a commercial transaction between private companies is subject to certain specific requirements (s. 18.4). The amended Private Sector Act now defines a business transaction as “the sale or lease of all or part of an enterprise or its assets, a change in its legal structure by merger or otherwise, the obtaining of a loan or other form of financing by it, or the taking of a security interest to secure an obligation of the enterprise” (s. 18.4).

    Bill 64 enshrines the concept of “privacy by default,” which means that businesses that collect personal information by offering a technological product or service to the public with various privacy settings must ensure that these settings provide the highest level of privacy by default, without any intervention on behalf of their users (s. 9.1). This does not apply to cookies.

    Where a business has reason to believe that a privacy incident has occurred, it must take reasonable steps to reduce the risk of harm and the reoccurrence of similar incidents (s. 3.5). A privacy incident is defined as “the access, use, disclosure or loss of personal information” (s. 3.6). In addition, businesses are required to notify concerned individuals and the CAI for each incident that presents a serious risk of harm, which is assessed in light of the sensitivity of the concerned information, the apprehended consequences of its use and the likelihood that it will be used for a harmful purpose (s. 3.7). Companies will furthermore be required to keep a confidentiality incident log that must be made available to the CAI upon request (s. 3.8).

    3. Strengthening the consent regime

    Bill 64 modifies the Private Sector Act to ensure that any consent provided for in the Act is clear, free and informed and given for specific purposes. This means that consent must be requested for each of the purposes of the collection, in simple and clear terms and in a clearly distinct manner, to avoid consent being obtained through complex terms of use that are difficult for individuals to understand (art. 14).

    The amended Private Sector Act now provides that minors under the age of 14 must have a parent or a guardian consent to the collection of their personal information. For minors over the age of 14, consent can be given either directly by the minor or by their parent or guardian (s. 14).

    Within an organization, consent to the disclosure of sensitive personal information (e.g., health or other intimate information) must be expressly given by individuals (s. 12).

    4. Ensuring better compliance

    The Private Sector Act has likewise been amended by adding new mechanisms to ensure that businesses subject to the Private Sector Act comply with its requirements.

    Firstly, the CAI is given the power to impose hefty dissuasive administrative monetary penalties on offenders, which can be as high as $10,000,000 or 2% of the company's worldwide turnover (s. 90.12). In the event of a repeat offence, the fine will be doubled (s. 92.1). In addition, when a confidentiality incident occurs within a company, the CAI may order it to take measures to protect the rights of affected individuals, after allowing the company to make observations (s. 81.3).

    Secondly, new criminal offences are added to the Private Sector Act, which may also lead to the imposition of severe fines. For offending companies, such fines can reach up to $25,000,000 or 4% of their worldwide turnover (s. 91).

    Finally, Bill 64 creates a new private right of action. Essentially, it provides that when an unlawful infringement of a right conferred by the Private Sector Act or by articles 35 to 40 of the Civil Code of Québec results in prejudice and the infringement is intentional or the result of gross negligence, the courts may award punitive damages of at least $1,000 (s. 93.1).

    5. Coming into force

    The amendments made by Bill 64 will come into force in several stages. Most of the new provisions of the Private Sector Act will come into force two years after the date of assent, which was granted on September 22, 2021. However, some specific provisions will take effect one year after that date, including:

      • The requirement for businesses to designate a Chief Privacy Officer (s. 3.1);
      • The obligation to report privacy incidents (s. 3.5 to 3.8);
      • The exception for disclosure of personal information in the course of a commercial transaction (s. 18.4); and
      • The exception to disclosure of personal information for study or research purposes (s. 21 to 21.0.2).

    Finally, the provision enshrining the right to portability of personal information (s. 27) will come into force three years after the date of official assent.

    The Lavery team would be more than pleased to answer any questions you may have regarding the upcoming changes and the potential impact of Bill 64 on your business.

    The information and comments contained in this document do not constitute legal advice. They are intended solely for the use of the reader, who assumes full responsibility for its content, for their own purposes.

  • Studios and designers: How to protect the intellectual property of your video games?

    Behind every video game, there is intellectual property (IP) which is worth protecting to optimize monetisation of the game. As discussed in Studios and designers: Are you sure that you own the intellectual property rights to your video games, the first step for studios and designers is to make sure that they own all IP rights on the video game. The next step is to identify what type of IP protection is available between trademarks, copyrights and patents and then put in place an IP strategy to protect these assets in Canada and abroad. Below is a summary of the types of protection to consider to fully protect a video game. Trademarks The name of a video game is a valuable asset, with a potential to become internationally famous. Just think about Call of Duty, Fortnite, Minecraft and Assassin’s Creed or, for the more nostalgic, classic games such as Super Mario, Pokémon and Pacman. Trademarks have this power to evoke a unique and captivating experience in the gaming world. In this industry, experience shows that a video game may become an instant international success, since it is an online market with powerful gaming influencers. For this reason, being proactive with trademark protection is key. What does it mean? First, clearance searches should be made as soon as you decide on the name of your game, in the most important markets where you anticipate sales. The idea here is to make sure that your brand is not conflicting with other marks so that you may use it and register it in your main market. Once the mark is cleared, you may then proceed with filing. Here again, the earlier the better as trademark protection is, in most countries, granted to the first-to-file. Filing before your project becomes public is therefore strongly recommended. As for the scope of the application, it should of course cover the game itself but also potential merchandising goods, either because it is part of the business plan to monetize the brand, or as a defensive strategy. 
Apart from the main brand, other aspects of the game may qualify as trademarks and be protectable. For instance, a sound or sequence of sounds associated with starting a console or a game could potentially be registered as trademarks. The names and image of characters in a game may also be protected, especially for merchandising goods. In short, for studios and designers involved in the video game industry, trademark registration is key to getting the most value out of a video game. This begins with a well-orchestrated protection strategy to minimize risk of conflicts and to build a solid and valuable brand. Copyrights A video game is a mix of literary, artistic and musical works which are protected by copyright; the computer program behind a game’s architecture is also explicitly protected by law.1 The protection offered by the Copyright Act (“CA”) applies as soon as a work is created, without the need for registration. This protection extends to the 176 member countries of the Berne Convention. Although the protection of a work by copyright is automatic, copyright owners may register their right with the Canadian Intellectual Property Office (“CIPO”) at any time. In particular, registration makes it easier to prove ownership of the right in the event of a dispute in that it creates the presumption that the person named in the registration owns the copyright. Copyright protection applies to the entirety of the game, as well as to its various components. Any infringement of these rights by a third party may give rise to a copyright infringement claim if the work or a substantial part of it is copied, unless a defense such as fair dealing is applicable. In this respect, the following activities may qualify as fair dealing: research and private study, education, parody as well as criticism or review and news reporting. Is video game live streaming copyright infringement? In recent years, the phenomenon of video game live streaming has really taken off. 
Video gamers film or record their computer screens and broadcast them on platforms such as YouTube and Twitch to show their characters, strategies and tactics for completing certain levels of a game. Some live streaming video gamers, who make this their living, have achieved celebrity status and have thousands of followers. Is live streaming a video game without express permission copyright infringement? The courts have yet to rule on whether live streaming games online constitutes an infringement of the right to communicate the work to the public by telecommunication under section 3(1)(f) of the Act. Faced with this widely popular trend, some studios accept this practice because positive reviews from such gamers can boost game sales. Others criticize the fact that they profit from video games without copyright owners receiving any compensation. Chances are that live streaming is not the highest priority of the video industry, which is more concerned with illegal downloads and counterfeits, which may explain why the courts have not yet had the opportunity to rule on video game live streaming. Patents Patents protect the functional aspects of an invention. The owner of a patent may prevent anyone from making, using or commercializing the patented innovation from the date the patent is obtained. Three aspects are taken into consideration before granting a patent:2 Novelty – The invention must be different or be innovative compared to anything that has been done before, anywhere in the world. Utility – The invention must have a useful function and economic value. Inventiveness – The invention must not be obvious to a person skilled in the field. In Canada, it is not possible to patent an abstract idea, but it is possible to patent the physical embodiment of that idea, provided that it meets the criteria of novelty, utility and inventiveness. 
Canadian patents in the video game industry Patents obtained in the video game industry mainly relate to consoles, controllers, headsets and other gaming accessories. The video game industry has proved to be innovative with the development of inventions that are both fun and useful. In 2012, Nike patented an invention to encourage physical activity among video game players.3 The patent describes a device placed in a gamer’s shoe when the gamer is physically active and connected to a video game. The energy spent by the gamer gives energy to the virtual character. Once the character’s energy is depleted, the gamer must engage in physical activity again. Are game play mechanics patentable? Certain aspects of a video game are less easy to patent, in particular the game play mechanics, which are a distinctive aspect from the standpoint of gamers when choosing a video game. The game play mechanics consists in the virtual experience of a video game: character movement, the interaction of the player with the game, the way the player moves through the levels of the game, etc. Unique and well-developed game play mechanics can be a great asset for a developer wanting to market new versions of a game. Gamers will go back to a familiar game to get immersed in a new experience. This makes patenting such an experience appealing for a studio. Given that game play mechanics are developed using computer code, it might seem that even if the criteria of novelty, utility and inventiveness were met, this type of invention could not be physically embodied and thus could not be patented. To be patented, game play mechanics must have a physical component in addition to the code itself. Consider a patent describing a video game in which a gamer’s heartbeat is integrated into the game,4 which is a good illustration of physical embodiment. Such transposition of a gamer’s vital signs is done physically through a heart monitor worn by the gamer and connected to the game. 
As all these aspects were described in the invention, this type of inventive game play mechanics was considered patentable. In the United States, the criteria for patents are similar to those in Canada, meaning that abstract game play mechanics would have to be linked to a physical aspect in order to be patentable. Conclusion Implementing an IP protection strategy prior to launching a video game can prevent conflicts, increase the value of assets and strongly position a company in the market to maximize profits.

    1. Copyright Act, section 2.
    2. “A guide to patents,” Canadian Intellectual Property Office, Government of Canada, 2020-02-24.
    3. Patent No. 2,596,041, issued February 9, 2006.
    4. Patent No. 2,208,932, issued June 26, 1997.

  • Artificial intelligence soon to be regulated in Canada?

    For the time being, there are no specific laws governing the use of artificial intelligence in Canada. Certainly, the laws on the use of personal information and those that prohibit discrimination still apply, no matter if the technologies involved are so-called artificial intelligence technologies or conventional ones. However, the application of such laws to artificial intelligence raises a number of questions, especially when dealing with “artificial neural networks,” because the opacity of the algorithms behind these makes it difficult for those affected to understand the decision-making mechanisms at work. Such artificial neural networks are different in that they provide only limited explanations as to their internal operation. On November 12, 2020, the Office of the Privacy Commissioner of Canada (OPC) published its recommendations for a regulatory framework for artificial intelligence.1 Pointing out that the use of artificial intelligence requiring personal information can have serious privacy implications, the OPC has made several recommendations, which involve the creation of the following, in particular: A requirement for those who develop such systems to ensure that privacy is protected in the design of artificial intelligence systems; A right for individuals to obtain an explanation, in understandable terms, to help them understand decisions made about them by an artificial intelligence system, which would also involve the assurance that such explanations are based on accurate information and are not discriminatory or biased; A right to contest decisions resulting from automated decision making; A right for the regulator to require evidence of the above. It should be noted that these recommendations include the possibility of imposing financial penalties on companies that would fail to abide by this regulatory framework. 
Moreover, contrary to the approach adopted in the General Data Protection Regulation and the Government of Quebec’s Bill 64, the rights to explanation and contestation would not be limited solely to automated decisions, but would also cover cases where an artificial intelligence system assists a human decision-maker. It is likely that these proposals will eventually provide a framework for the operation of intelligence systems already under development. It would thus be prudent for designers to take these recommendations into account and incorporate them into their artificial intelligence system development parameters as of now. Should these recommendations be adopted, it will also become necessary to consider how to explain the mechanisms behind the systems making or suggesting decisions based on artificial intelligence. As mentioned in these recommendations, “while trade secrets may require organizations to be careful with the explanations they provide, some form of meaningful explanation should always be possible without compromising intellectual property.”2 For this reason, it may be crucial to involve lawyers specializing in these matters from the start when designing solutions that use artificial intelligence and personal information.

    1. https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/completed-consultations/consultation-ai/reg-fw_202011/
    2. Ibid.

  • Studios and designers: Are you sure that you own the intellectual property rights to your video games?

    The year 2020 will have been difficult for the vast majority of industries, and in particular for the arts, entertainment and recreation industry. The video game industry, however, is growing in leaps and bounds. For example, Nintendo and PlayStation have each set record sales for their games released in 2020, including Animal Crossing: New Horizons and The Last of Us Part II. Over the past few decades, the number of video game players has never stopped increasing. The year 2020 will surely be no exception, especially considering the COVID-19 pandemic. Playing a video game is not only a way to have fun: it is also a way to stay connected with a community that shares the same interests. The world of video games is so popular that the Government of Canada teamed up with the Entertainment Software Association of Canada (“ESAC”) to launch the #CrushCOVID campaign, using ESAC’s and its members’ social media platforms to share mobilization and awareness messages about public health measures. The video game industry is an economic powerhouse in Canada. According to the latest ESAC report, the industry contributed an estimated $4.5 billion to Canada’s GDP in 2019 — up 20% from 2017¹ — and these figures will likely continue to rise. This video game boom has a decisive impact on the value of companies innovating in this field. A number of recent transactions illustrate this. For instance, last September, Microsoft acquired Bethesda Softworks, one of the largest video game publishers, for US$7.5 billion. Microsoft also bought the Swedish company Mojang Studios, which designed the legendary game Minecraft, for US$2.5 billion in 2014. Closer to home in Montreal, Beat Games was bought by Facebook following the launch of its virtual reality game, Beat Saber, while Typhoon Studios was bought by Google. 
A successful video game may be lucrative in various ways, between the sale of video games themselves and merchandising goods, such as clothing and accessories, figurines, as well as game-inspired TV series with giants such as Netflix, Amazon Prime, HBO and Hulu, which are always on the lookout for hit TV series. Protecting its intellectual property (“IP”) on a video game is key to monetize all investment put into the development of a game. Doing so is even more crucial in the context where video game commercialization knows no borders, and a game can become an international success overnight. In short, any company should ask itself the following questions before launching its video game, to better position itself in relation to potential investors, licensees or partners, as well as competitors and counterfeiters: Does my company own all of the IP rights on the video game? What kind of IP protection applies and where should IP be protected? Let’s look at the first question. Does my company own all of the IP rights on the video game? Designing a video game usually involves a team of creators, including ideators, programmers, writers, visual and sound effects designers. All these people contribute to the creation of the work that is the video game and the underlying IP. For instance, Ubisoft worked with muralists and graphic designers for its recent game, Watch Dogs: Legion. They designed nearly 300 works to create a post-Brexit urban London. The initiative earned Ubisoft praise even before the game’s release last October.2 Depending on their contribution to the game’s design and their status as employees or consultants, these creators may qualify as authors. As such, they may be considered co-owners of the copyright on the video game. Generally, the copyrights developed by employees in the course of their employment belong to the employer,3 while a consultant remains the owner of the copyrights, unless otherwise agreed upon in writing. 
Thus, a company behind a video game must make sure that its consultants assign their IP rights to it to ensure that it retains full ownership of the copyright. What happens if a consultant has not assigned the copyrights to the company? Can the consultant claim co-ownership of the entire game, or are the consultant’s rights limited to the part he created, such as specific drawings, or music for a particular scene? This is an important question which may have an impact on profit sharing. In Seggie c. Roofdog Games Inc.,4 the Superior Court held that a person (non-employee) whose contribution to a game is minimal cannot be considered as a co-author of the entire video game, insofar as: The contribution is limited to a few images; These images are distinguishable from the rest of the work; and The parties had no common intention of creating a collaborative work. Seggie was therefore denied the compensation of 25% of the profits generated by the game that he had claimed. However, the court recognized that Seggie held a copyright on the works he specifically created and which were incorporated into the game, and granted him a compensation of $10,000. Incidentally, this compensation is in our opinion arguable, given that Seggie had agreed to work pro bono for his friend. This decision shows how important it is to have a copyright assignment signed by any person contributing to the conception of a work, regardless of the extent of their involvement. Waiver of moral rights In addition to the assignment of copyrights, the company owning a video game should also ensure that the authors sign a waiver of their moral rights, so as not to limit the potential to modify the game or to associate it with another product or a cause. Indeed, the authors of a work have moral rights that enable them to oppose the use of their work in connection with another product or a cause, service or institution to the prejudice of their honour or reputation. 
An example would be the use of music or a character from a video game to promote a cause or product, or a television series derived from the game whose script could potentially harm the author’s reputation. To make sure you have plenty of leeway to exploit the commercial potential of the game, a waiver of moral rights should be signed by any employee and consultant involved in the creation of the video game. Conclusion Launching a video game requires a huge investment in terms of resources, time and creativity. In order to develop an effective protection strategy, the first step is to make sure that you own all rights. Then, you are in a position to fully protect and enjoy your IP rights. The next article in this series will discuss the significance and application of these IP rights—i.e., trademarks, copyrights and patents—to the video game industry.

    1. “The Canadian Video Game Industry 2019,” Entertainment Software Association of Canada, November 2019, [online].
    2. CLÉMENT, Éric, “Le talent montréalais en vedette dans un nouveau jeu d’Ubisoft,” published in La Presse+, October 21, 2020, edition.
    3. Copyright Act, subsection 13(3).
    4. Seggie c. Roofdog Games Inc., 2015 QCCS 6462.

  • The Unforeseen Benefits of Driverless Transport during a Pandemic

    The COVID-19 pandemic has been not only causing major social upheaval but disrupting business development and the economy as well. Nevertheless, since last March, we have seen many developments and new projects involving self-driving vehicles (SDV). Here is an overview. Distancing made easy thanks to contactless delivery In mid-April 2020, General Motors’ Cruise SDVs were dispatched to assist two food banks in the delivery of nearly 4,000 meals in eight days in the San Francisco Bay Area. Deliveries were made with two volunteer drivers overseeing the operation of the Level 3 SDVs. Rob Grant, Vice President of Global Government Affairs at Cruise, commented on the usefulness of SDVs: “What I do see is this pandemic really showing where self-driving vehicles can be of use in the future. That includes in contactless delivery like we’re doing here.”1 Also in California in April, SDVs operated by the start-up Nuro Inc. were made available to transport medical equipment in San Mateo County and Sacramento. Toyota Pony SDVs were, for their part, used to deliver meals to local shelters in the city of Fremont, California. Innovation: The first Level 4 driverless vehicle service In July 2020, Navya Group successfully implemented a Level 4 self-driving vehicle service on a closed site. Launched in partnership with Groupe Keolis, the service has been transporting visitors and athletes on the site of the National Shooting Sports Centre in Châteauroux, France, from the parking lot to the reception area. This is a great step forward—it is the first trial of a Level 4 vehicle, meaning that it is fully automated and does not require a human driver in the vehicle itself to control it should a critical situation occur. Driverless buses and dedicated lanes in the coming years In August 2020, the state of Michigan announced that it would take active steps to create dedicated road lanes exclusively for SDVs on a 65 km stretch of highway between Detroit and Ann Arbor. 
This initiative will begin with a study to be conducted over the next three years. One of the goals of this ambitious project is to have driverless buses operating in the corridor connecting the University of Michigan and the Detroit Metropolitan Airport in downtown Detroit. In September 2020, the first SDV circuit in Japan was inaugurated at Tokyo’s Haneda Airport. The regular route travels 700 metres through the airport.  A tragedy to remind us that exercising caution is key  On March 18, 2018, in Tempe, Arizona, a pedestrian was killed in a collision with a Volvo SUV operated by an Uber Technologies automated driving system that was being tested. The vehicle involved in the accident, which was being fine-tuned, corresponded to a Level 3 SDV under SAE International Standard J3016, requiring a human driver to remain alert at all times in order to take control of the vehicle in a critical situation. The investigation by the National Transportation Safety Board determined that the vehicle’s automated driving system had detected the pedestrian, but was unable to classify her as such and thus predict her path. In addition, video footage of the driver inside the SDV showed that she did not have her eyes on the road at the time of the accident, but rather was looking at her cell phone on the vehicle’s console. In September 2020, the authorities indicted the driver of the vehicle and charged her with negligent homicide. The driver pleaded not guilty and the pre-trial conference will be held in late October 2020.  We will keep you informed of developments in this case.   In all sectors of the economy, including the transportation industry and more specifically the self-driving vehicles industry, projects have been put on hold because of the ongoing COVID-19 pandemic. Nevertheless, many projects that have been introduced, such as contactless delivery projects, are now more important than ever. 
Apart from the Navya Group project, which involves Level 4 vehicles, all the initiatives mentioned concern Level 3 vehicles. These vehicles, which are allowed on Quebec roads, must always have a human driver present. The recent charges against the inattentive driver in Arizona serve as a reminder to all drivers of Level 3 SDVs that regardless of the context of an accident, they may be held liable. The implementation of SDVs around the world is slow, but steadily gaining ground. A number of projects will soon be rolled out, including in Quebec. As such initiatives grow in number, SDVs will become more socially acceptable, and seeing these vehicles as something normal on our roads is right around the corner.

    1. Financial Post, April 29, 2020, “Self-driving vehicles get in on the delivery scene amid COVID-19.”

  • E-commerce: Protecting Your Work

    As distribution channels with a global reach, websites are a powerful tool for doing business, and during the pandemic, they even play a critical role. A website consists of a set of webpages accessible from an address hosted on a server through the internet or an intranet. A website is a collection of various elements protected by intellectual property laws. We will focus on the following: Copyright It protects an original work (i.e., the author’s own creative work), insofar as it involves the exercise of skill and judgment. This exclusive right allows the owner to produce or reproduce the work in any material form, to perform, represent or publish it, and to exercise other exclusive rights. A website may include the following works: the content of screen page, graphic designs, animation, texts, still and animated images, sounds, databases (which comprise a collection of works, data or other independent elements), software, as for example the ones relating to the creation, operation and launch of the website, computer programs, photographs, cartoons, videos. Ownership of Copyright Copyright is the author’s property, unless the author (i) has assigned his or her right, or (ii) has created the work in the course of his or her employment, in which case the copyright belongs to the employer. It is important to identify the various copyright owners of the works appearing on a website. If a company mandates an external firm to develop a website (website developer), the company will not immediately own the copyright to the website. A development contract entered into with a website developer will usually include a provision regarding the ownership of copyright. It is often provided that the assignment of intellectual property rights to the client who has commissioned a website will take place after payment for said website has been made in full. 
This poses a problem when the website developer does not complete the website or when a dispute arises over the course of the mandate. Stock Photos Generally speaking, websites that offer photographs do not transfer the copyright of the photographs to the users. They grant a licence to use (a right to use) for a limited time and for a specific purpose. The conditions of these licences must therefore be read carefully. Assignment of Rights An assignment must be in writing in order to transfer the copyright to the company that commissioned the website. Moral Rights Moral rights allow the author or performer (even if he or she is not the copyright owner) to: Claim authorship of the work; Claim respect for the integrity of the work (to protect the work against distortion, mutilation or modification or to prevent use that prejudices the honour or reputation of the author or performer or if the work is associated with a product or service without the consent of the author or performer). Recognition of Copyright in Other Countries Given that Canada is a party to the Berne Convention, copyright owned by a Canadian national, such as a company incorporated in Canada or a Canadian citizen, is recognized in other member countries of the Convention, and said copyright need not be registered in those other countries to acquire rights. In Canada, copyright registration is not mandatory, but it does give rise to a presumption of law, so it is advisable to register, at the very least, works that are important to the business, in order to act more effectively against infringement. Copyright infringement is the reproduction of an entire protected work or any substantial part of it without permission. In the same manner that website contents owned by the copyright owner may not be copied without permission, one must ensure that he or she does not import or publish on his or her website any work protected by copyright without first obtaining permission. 
Domain Name Some domain names are protected by trademark laws, and some are not. This depends on the nature of the domain name and the use made of it. Merely registering a domain name does not create a right that could prohibit the use of a conflicting domain name or trademark. Using a distinctive domain name could confer upon its owner the right to oppose the subsequent use by third parties of a confusing domain name, trademark or trade name. Effective domain name arbitration mechanisms exist for .com and for .ca in the event of misappropriation of a conflicting domain name. Trademark A website owner using a trademark on his or her website in order to identify his or her products or services should protect said trademark by registration. Without listing all the benefits of registering a trademark, suffice it to say that registering one’s rights is significantly less costly than trying to recover said rights once they have been appropriated by a third party. The trademark owner may oppose any confusing third party’s trademark, trade name or domain name (the test of confusion takes into account various factors) if his or her rights precede those of the other. In the case of unauthorized appropriation of a third party’s logo or figurative mark, the owner may, in many cases, not only invoke trademark infringement but also copyright infringement. Right to One’s Image and Privacy The Civil Code of Québec provides that every person is the holder of personality rights, such as the right to life, the right to the inviolability and integrity of his person, and the right to the respect of his name, reputation and privacy. Similar provisions exist in other legislation, such as the Quebec Charter of Human Rights and Freedoms and the Canadian Charter of Rights and Freedoms. The law is similar in other Canadian provinces, and comparable legislation exists in various countries around the world. 
Thus, as a general rule, a website owner may not: (i) Publish, for example, a photograph or image of a person without that person’s consent. This rule must be weighed against the rule relating to public interest in the right to freedom of expression and the right to information; (ii) Damage a person’s reputation; (iii) Imply or suggest that a person endorses a product or service without that person’s consent. The Civil Code of Québec further provides that the use of a person’s correspondence, manuscripts or other documents without his or her consent constitutes an invasion of his or her privacy. Trade Secret Various components of a website may be protected by trade secret if a confidentiality agreement was signed and the information remains secret. This could be the case with the website coding.   Many people have preconceived ideas about intellectual property in the world of e-commerce. Often, they wrongly assume that since they commissioned their website, they own its intellectual property rights or that they can post a photo of a product copied from another website without authorization because they sell the product. Although it is easy, fast and free to access, a website is governed by a legal framework regarding intellectual property, with which website operators must comply. We did not cover the wide array of rights that are involved in a website in just a few lines. For example, for some websites, there may be patent and industrial design issues to deal with. All these legal considerations are not self-evident. Several rules must be followed to avoid engaging in illegal practices, to avoid the unpleasant surprise of discovering that you do not own the intellectual property rights to parts or all of the website, and to avoid facing threats of legal action for violating the rights of third parties. 
Furthermore, all the work invested in the creation and operation of the website may not provide any additional value to your company if the intellectual property rights have been neglected, even though in many cases it is a significant asset to the company. It is important to become familiar with these rules, protect your rights and resolve legal pitfalls, ideally before launching a website. If the issue of intellectual property rights is only addressed after launching the website, there may still be time to seek protection or to attempt to overcome legal problems. Whether the website is already online or is about to be launched, an audit should be carried out to determine the situation and, if necessary, obtain protection, sign contracts and find solutions to problems that could lead to illegal or disadvantageous situations.

  • E-commerce: Your Obligations regarding Consumer Protection and Competition Matters

    Before selling your products and services online, you will need to determine the form and content of your contract, and ensure that you comply with the provisions of the Consumer Protection Act (the “CPA”). The CPA applies to any contract between a consumer and a merchant entered into in Quebec, including online contracts of sale, which are known as “distance contracts.” Rules applicable to contracts entered into on the internet Form Contracts concluded on the internet must be in writing and must contain the name and address of the merchant, as well as the date of the transaction. In addition, certain information must be provided to consumers before a contract is concluded, in particular: information identifying your business; a detailed description of the goods or services you are selling, including their characteristics and technical specifications; the price of each item or the terms of payment; all the applicable fees, whether required by law or charged by the merchant; the delivery date or the date on which the service will be provided; and other details regarding delivery, cancellation policies and any other applicable restrictions or conditions. This mandatory information must be presented prominently and in a comprehensible manner, and be expressly brought to the consumer’s attention. This could be done through a web page containing said information, which must appear on the screen before the consumer pays for the items in the shopping cart. It is good practice to ensure that the information is easy to print or save in PDF format. Acceptance Before the contract is entered into, the merchant must provide the consumer with an express opportunity to accept or decline the offer and to correct any errors. Copy The merchant must provide the consumer with a copy of the contract within 15 days after the contract is entered into, in a manner that ensures that the consumer may easily retain it and print it. 
Delivery A consumer may cancel a contract if the goods are not received (or the service is not performed) within 30 days after the date specified in the contract or within 30 days after the contract is entered into in the case of a contract that does not specify a delivery date. Note that goods for which delivery was attempted on the agreed date will be considered delivered. Cancellation The CPA allows consumers to cancel the contract in a number of cases, in particular when the merchant does not comply with the provisions set out above. Each merchant is free to establish a cancellation policy and set its conditions, so long as these are in accordance with laws of public order. The consumer must be informed of said policy before entering into the contract, which must include the cancellation policy. Warranties Legal warranty The Consumer Protection Act provides for a legal warranty that automatically applies to a good, whether purchased in store or remotely. Under said legal warranty, goods must be fit for the purposes for which goods of the kind are ordinarily used, durable for a reasonable length of time, having regard to their price, the terms of the contract and the conditions of their use. Goods must also match their description under the contract. Finally, a consumer is also entitled to a recourse against the merchant should there be a latent defect in the good. Additional warranty A merchant may offer consumers an additional online warranty, provided that said warranty complies with the relevant provisions of the CPA. Application and exceptions It is noteworthy that the aforementioned rules are the consumer protection rules which generally apply to the sale of goods and services, but they may not apply in certain instances, such as in the case of contracts for the sale of goods which are likely to deteriorate rapidly, such as food. 
One must be mindful that the Consumer Protection Act contains exceptions or provisions that are specific to certain commercial sectors. Different laws and regulations may also apply to certain types of goods and services that are sold. Competition law issues The CPA contains competition-related obligations that are specific to Quebec. All merchants in Quebec must also comply with the provisions of the Canadian Competition Act. The purpose of the Competition Act is to (i) maintain and encourage competition between businesses in Canada, (ii) provide consumers with competitive prices and product choices, and (iii) to protect consumers from fraudulent or prohibited practices. Prohibited business practices Misleading price display Under the CPA, when you advertise the price of a product or service, you are required to advertise an “all-inclusive” price, which includes all amounts that the consumer will have to pay for the product or service. The all-inclusive price should be more prominent than the sums of which it consists. Taxes (GST/QST), among other things, may be excluded from the advertised price, but must be added at the time of payment. Price-related representations and price display are also subject to specific rules under the Competition Act. False or misleading representations Advertising that contains false or misleading representations, or fails to mention an important fact is prohibited under the CPA. The Competition Act prohibits the making of materially false or misleading representations to the public. The provisions of the Competition Act dealing with false and misleading representations apply to a number of cases, including the following: Performance representations not based on adequate and proper tests: The making of representations to the public about the performance, efficacy or longevity of a product, which is not based on an adequate and proper test, is prohibited. 
Untrue or unauthorized use of tests and testimonials: The unauthorized use of product performance tests and testimonials (e.g., scientific tests, consumer testimonials, etc.) is prohibited. Needless to say, these cannot be distorted. Misleading warranties: Giving a consumer a warranty containing materially misleading representations that could influence the consumer’s decision to purchase goods or services is prohibited. The overall impression conveyed by a representation and the literal meaning of said representation is used to determine whether the warranty is misleading. Misleading promotional contests: Certain information related to the holding of promotional contests must be disclosed to the public. In addition, the sending of any documentation that would mislead the recipient into believing that he or she has won a prize or other benefit is prohibited. It is noteworthy that in Quebec, there are specific rules related to promotional contests. Other prohibited practices The Competition Act aims to prevent abuse of a dominant position and therefore provides stricter standards that apply to businesses holding a dominant position in a market. Conspiracy provisions aim to prevent a business from unduly reducing competition or unreasonably increasing the price of a product. This law also prohibits the refusal to sell a product, insofar as a business has no right to harm a customer by refusing to supply it sufficiently under normal market conditions. Finally, vertical restraints, that is, practices such as exclusive dealing, tied selling and market restriction, are prohibited, as they generally impose conditions that restrict the freedom of consumers. The CPA prohibits making use of commercial advertising directed at persons under thirteen years of age. Penalties Both the Consumer Protection Act and the Competition Act provide for penalties for prohibited practices. Judges can order punitive damages for certain violations of the CPA. 
Under the Competition Act, certain acts are considered criminal if a person does them knowingly or recklessly, regardless of the consequences they may have on the public.

  • E-commerce: Some Laws and Rules You Should Be Aware of

    Various ways of doing e-commerce E-commerce can take different forms. For the purposes of this article, we will refer to e-commerce where the contract of sale or of supply of services is concluded by electronic means. E-commerce will be said to be “direct” when the product or service is delivered electronically, such as in the online conclusion of a contract for a subscription to an online-only publication, and “indirect” when the item sold is tangible or the service is rendered otherwise than online. E-commerce can be conducted entirely online or in a hybrid manner, where the vendor operates both online and through brick-and-mortar stores. It is considered “closed” when it is between a relatively small number of participants who already have a contractual or professional relationship with each other. It can be conducted between a business and a consumer, in which case it is called “B2C,” or between a business and another business and is then known as “B2B.” E-commerce poses particular challenges for businesses and if these challenges are not properly addressed, they are likely to expose the business to additional liability. This means that e-commerce can be particularly risky for novice businesses that start to carry out business electronically without adequate preparation. For example, a merchant who transacts electronically will necessarily have to take direct possession of some of its customers’ personal data, such as their names, addresses and credit card numbers, or have an e-commerce service provider take indirect possession of it. The use of such personal data is subject to the provisions of privacy laws, and, given that the data is of great value to potential thieves or fraudsters, it must be protected. A merchant may also be the victim of fraudulent orders or payments made with stolen credit card numbers.
To better control its risks, a novice in e-commerce may be better off doing business with established e-commerce service providers such as Shopify, BigCommerce, Squarespace or GoDaddy, which have set up robust infrastructures for their customers. A corporation should nonetheless do its homework before choosing an e-commerce service provider. It should, for example, inquire about the terms and conditions of the service agreement to be entered into with the chosen provider, and, in particular, about the services offered (including how returns and chargebacks are handled), how the service provider protects its customers in the event of data theft or fraud, what fees are charged, and so forth. In all cases, whether or not a corporation does business with an e-commerce service provider, it should ensure that the information kept on its own servers and computers is limited to what is absolutely necessary. Likewise, once a transaction is completed, it should avoid, as far as possible, keeping personal data belonging to its customers, such as their names, addresses and credit card numbers. Moreover, a corporation that decides to engage in e-commerce must be aware of certain specific legal aspects relating first, to the particularities of e-commerce itself and second, to the fact that its customers may be located anywhere in the world. For the purposes of this article, we will focus on the rules generally applicable to all types of e-commerce. A future article will deal with the specific rules provided in the Consumer Protection Act (Quebec). Consumption tax The majority of governments impose a consumption tax on goods (and sometimes services) sold within their jurisdiction. Applicable consumption tax laws generally provide that businesses with a presence in a jurisdiction must collect applicable taxes and remit them to the competent tax authorities. 
For a corporation that is otherwise not present in a jurisdiction, the mere fact of selling goods in that jurisdiction is generally not sufficient to require registering with its tax authorities and collecting and remitting applicable taxes. However, the definition of what constitutes a sufficient presence to require business registration and the collection and remittance of consumption taxes varies from one jurisdiction to another. A corporation wanting to sell its goods and services electronically must therefore ensure that it is aware of the applicable consumption tax rules in the main jurisdictions where it will sell these goods or provide these services. Licences and permits Although it is generally not necessary for a manufacturer or seller to obtain a license, permit or other governmental authorization for the vast majority of goods typically sold online, they  may be required before certain products, in particular medical or pharmaceutical products, can be sold online or otherwise, domestically or internationally. It is also important to note that a licence, permit or other authorization may not be required to sell goods in a jurisdiction while the sale of the same goods in another may require such license, permit or other authorization. Thus, if a merchant wants to sell its product in a jurisdiction where a permit, licence or other authorization is required, it will be required to obtain it before proceeding with any sales. In addition, in some territories, the sale of certain goods must necessarily be done through a State monopoly. For instance, such restrictions are still the norm in Canada for the sale of alcoholic beverages. For example, a resident of Ontario may not order alcoholic beverages directly online from a producer in another province and have them delivered to Ontario, which prevents a small-scale producer of alcoholic beverages in Quebec from selling its products online to Ontario customers, for delivery in Ontario. 
Shipping Not all goods can be shipped in the same way. Some must be specially packaged, and some may even not be shipped by regular means, such as Canada Post and major courier companies. For example, Canada Post requires that fish, game, meat, fruit, vegetables or other perishable products be properly prepared and meet certain other applicable requirements for mailing. Other products, such as objects classified as hazardous materials, may simply not be shipped by mail. To ship these products, it will be necessary to deal with a specialized courier service. Finally, Canadian laws prohibit the export of certain goods or require special permits for their export. In addition, merchants must ensure that the laws of the destination jurisdiction allow the goods shipped to be imported into that jurisdiction. Indeed, all countries either prohibit the import of certain goods into their jurisdiction or require the importer to obtain a permit or licence issued by their government. Age restrictions Under applicable laws and regulations, certain goods may only be sold to persons who have reached a certain age or may not be sold to children. These restrictions vary from jurisdiction to jurisdiction. For instance, in Quebec, one must be 18 years old to legally buy alcohol, while elsewhere in Canada the age is 19 and in the United States, 21. Merchants wishing to sell alcoholic beverages online must take these restrictions into account. The same applies to the sale of any other goods that are subject to age restrictions. PCI DSS compliance In 2006, the main credit card issuers, American Express, Discover Financial Services, JCB International, MasterCard and Visa formed the PCI Security Standards Council to standardize the rules and standards applicable to payments made with their credit cards. The council adopted a set of rules called “Payment Card Industry Data Security Standard,” better known by its acronym, PCI DSS. 
    All merchants wishing to accept credit card payments, including direct online payments, must adhere to these rules. Any merchant, regardless of its size, wishing to process credit card payments on its website must also be PCI DSS compliant, unless it is doing business through a compliant payment service provider. The PCI DSS include the following 12 compliance requirements, which are grouped into six categories called “control objectives.” The following table, taken from the document entitled “Payment Card Industry (PCI) — Data Security Standard — Requirements and Security Assessment Procedures” [1], provides a summary of these requirements.

    Control objectives and PCI DSS conditions

    Build and Maintain a Secure Network and Systems
      1. Install and maintain a firewall configuration to protect cardholder data
      2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data
      3. Protect stored cardholder data
      4. Encrypt transmission of cardholder data over open, public networks

    Maintain a Vulnerability Management Program
      5. Protect all systems against malware and regularly update anti-virus software or programs
      6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures
      7. Restrict access to cardholder data by business need to know
      8. Identify and authenticate access to system components
      9. Restrict physical access to cardholder data

    Regularly Monitor and Test Networks
      10. Track and monitor all access to network resources and cardholder data
      11. Regularly test security systems and processes

    Maintain an Information Security Policy
      12. Maintain a policy that addresses information security for all personnel

    Although the PCI DSS are mandatory, only Visa and MasterCard require merchants and service providers that accept their cards to comply with these standards. However, a non-compliant corporation will nevertheless be held fully liable if fraud associated with theft of cardholder data occurs. In addition, should a security breach occur, all exposed merchants that are not PCI DSS compliant will be fined. It is up to merchants and service providers to achieve, demonstrate and maintain compliance through annual validations. Merchants may use the services of specialized service providers to help them comply with PCI DSS standards. Useful tools to ensure compliance are also available online for these purposes [2]. Should a merchant not wish to go through the PCI DSS compliance process, it may always use the services of a PCI DSS compliant payment service provider [3].

    [1] PCI Security Standards Council, Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures (Version 3.2.1, May 2018), online (PDF): Official website of the PCI Security Standards Council
    [2] These can be found through a search using the keywords “PCI DSS compliance” or “PCI DSS conformity.”
    [3] These can be found through a search using the keywords “PCI DSS Payment Gateway.”

  • Impact of technology on the practice of law

    Technology is now a part of our day-to-day lives, and we’ve learned how to use it. But what about our judicial institutions? What impact does technology have on the administration of proof and the practice of law? The Court of Appeal provides us with some solutions (and grounds for discussion) in its recent case of Benisty v. Kloda.1 Charles Benisty (hereinafter “the appellant”) initiated an appeal in June 2009 against Samuel Kloda (hereinafter “the respondent”) as well as CIBC Wood Gundy (hereinafter “CIBC”). The appellant is claiming that the respondent committed errors in fulfilling the mandate that he had entrusted to him with regard to certain financial transactions completed between November 2004 and September 2008. The respondent was a financial consultant and Executive Vice-President of the Montréal branch of the CIBC. Prior to the initiation of legal proceedings, the appellant recorded some of their telephone conversations, as part of discussions that took place between the respondent and himself, without the knowledge of the respondent. He states that he acted in this manner because he was convinced that the appellant was lying to him and was conducting unauthorized transactions in his accounts. In total, 60 conversations were recorded between April and October 2008. In first instance, judge Benoît Emery overturned the appellant’s recourse. He allowed the respondent’s objection to the introduction into evidence of a series of audio recordings of telephone conversations between the respondent and the appellant. Judge Emery considers that the recordings are not a technological document, but rather a material element that must be subject to separate proof to establish its authenticity and legal value. In fact, Judge Emery states: “It is clear from listening to the recordings, that they are fraught with interruptions, cut-offs, or voluntary or non-voluntary deletions”, and therefore they are not authentic. He goes on to say: “[...] 
these incomplete and sometimes incoherent excerpts that, at times support the appellant’s cause, and at times, the respondent’s, seem to reveal everything and its opposite – wherein lies the need for evidence that is independent from its reliability and authenticity.2” The appellant is appealing the Superior Court judgement. He purports namely that the judge erred by declaring the audio recordings inadmissible as evidence. He reiterates the argument to the effect that the cassettes, on which audio recordings of the telephone conversations he had with the respondent were made, constitute technological documents within the meaning of the Act to Establish a Legal Framework for Information Technology3 (hereinafter “LFIT Act”).  He says that the cassettes benefit from the presumption of authenticity stipulated in article 2855 QCC and, consequently, it is the respondent’s responsibility to establish that this technological support does not ensure the integrity of the document and its authenticity. For his part, the respondent is rather of the opinion that the audio recordings on a magnetic medium do not fall within the scope of the LFIT Act. He therefore considers that it is the appellant’s responsibility to establish authenticity. The Court of Appeal says that the application and interpretation of the LFIT Act, which came into force in 2001, was never actually subject to the decisions of the courts and, therefore, it feels that it is useful to analyze the matter brought before it by the parties. The Court of Appeal was, in connection with this matter, facing a specific situation: in fact, in the first instance, the appellant had presented six (6) audio cassettes on which were recorded his conversations with the respondent, for a total recording duration of about six (6) hours. However, in appeal, the appellant had selected 50 excerpts of these conversations that he had transferred onto a CD for a listening duration of roughly one (1) hour. 
In other words, the appellant chose to substitute a CD for the cassettes produced in the Superior Court, under the same evidence docket (P-60). First off, judge Lévesque, who drafted the reasons to which judges Dufresne and Healy subscribe, qualifies these audio recordings in this matter as “material elements of proof”. He explains that when “a person is recorded without his knowledge during a telephone conversation or interview, this is considered a material element of proof, whereas a person who records himself and recites a dictation attempts instead to establish a testimony”4. Consequently, judge Lévesque reiterates that for a recording to be admitted as evidence, its authenticity must be proven5. The Court of Appeal then asked whether the audio recording is a “technological document” within the meaning of the LFIT Act. In this respect, judge Lévesque points to the existence of a doctrinal controversy under which an audio recording on magnetic tape, more commonly referred to as a cassette, is qualified differently from a recording on a USB key or on CD. According to author Mark Phillips, on whom the respondent is basing his argument, a cassette is not a “technological document” since the technology relative to the cassette is “analog”, whereas the most recent technologies are digital (such as magnetic hard drive, USB key, CD, etc.). According to this author, the definition given by the LFIT Act of a “technological document” therefore excludes analog documents. The Court of Appeal does not uphold the theory posited by author Mark Phillips. It prefers the interpretation under which a recording on magnetic tape is considered a technological document. Despite the noted discrepancies in the text of article 2874 CCQ in comparison with those of the provisions in the LFIT Act, judge Lévesque considers it necessary to retain the interpretation that most closely complies with the purpose of the Act and the lawmaker’s intention. 
He notes that the LFIT Act came into force in 2001, whereas the Civil Code of Québec came into effect ten (10) years before that. Thus, on the one hand, this specific Act must take precedence over the provisions of the Civil Code, whose scope is more general in nature. Moreover, judge Lévesque refers to two (2) case study maxims that make it possible to deduce the lawmaker’s intention: [77] Two case study maxims make it possible to deduce the lawmaker’s intention. Under the first, “precedence must be given to the most recent legislation, the legislative standard that is subsequent to the other standard in conflict”. In fact, when a new law is passed, the lawmaker is deemed to be aware of those laws that already exist. We could, therefore, presume that he wanted to implicitly repeal those standards that were not compatible with the new ones. The second principle stipulates that precedence must be given to the specific statute as compared with the statute of general application. The Court of Appeal therefore arrived at the conclusion that a recording on magnetic tape, such as a cassette, is a technological document. More generally, it retains that a “technological document” must be considered a document whose medium uses information technologies, whether this medium is analog or digital6. Subsequently, the Court of Appeal examined articles 2855 and 2874 of the Civil Code, along with articles 5, 6 and 7 of the LFIT Act, in order to outline the principles applicable to the legal value to be assigned to a technological document. When is there presumption of authenticity? When is there presumption of integrity? When is there exemption of proof for a party when a technological document is introduced as proof? 
After analyzing various theories supported by different authors, the Court of Appeal retained the following regarding the procedure to follow when introducing a technological document as evidence: [99] […] articles 2855 and 2874 CCQ require the demonstration of distinct or separate proof of authenticity of a document presented as evidence. Thus, a technological document generally includes an inherent documentation, such as metadata, making it possible to identify an author, the date of creation, or even whether modifications were made to the document. Since such metadata constitute inherent proof of a technological document — and not a distinct or separate proof, as is required by the first part of articles 2855 and 2874 CCQ — and that they fulfill the same role as a traditional proof of authenticity, the lawmaker exempts that party from additionally establishing a separate proof. [100] Thus, article 7 LFIT Act does not create presumption of integrity of a document, but only a presumption that the technology used by its medium makes it possible to ensure its integrity, which I refer to as technological reliability. The nuance arises from the fact that an attack on the document’s integrity may come from various sources; for example, we can mention that the information may be altered or manipulated by an individual without technology being at fault. [101] Articles 2855 and 2874 CCQ indicate that a separate proof of authenticity is required in the case indicated in the third paragraph of article 5 LFIT Act, i.e., in the case where the medium or technology does not make it possible to either confirm or deny whether the document’s integrity is ensured. [102] Hence, the idea that a technological medium is deemed reliable (article 7 LFIT Act.) differs from the notion that such a medium may effectively ensure the document’s integrity (article 5 al. 3 LFIT Act.). It is a subtle distinction. A technology may, therefore, be reliable (7 LFIT Act.) 
without making it possible to affirm that we may conclude that the integrity of the document is ensured: this added insurance is provided by the technological documents that include an inherent documentation, or metadata, that prove the integrity of the document. [103] In other words, the exemption of proving the document’s authenticity applies where the medium or technology used make it possible to ensure the integrity of the document. This is not a case of presumed technological reliability under article 7 LFIT Act., but of the specific case of technological documents that include metadata and that, consequently, prove their own integrity. [104] However, in the absence of intrinsic documentation making it possible to ensure the document’s integrity, which is the case set out by article 5, al. 3 LFIT Act., the party that wants to produce such a document must establish this distinct traditional proof of its authenticity: […] [105] Thus, when an audio recording is accompanied by metadata and this documentation satisfies, in the court’s opinion, the authenticity requirement of the document, the party that produces this recording will be exempt from proving its authenticity. […] To summarize, the party seeking to present as evidence the audio recording must prove its authenticity7, but will not be required to prove the reliability of the technological medium used by virtue of the presumption established by article 7 LFIT Act. This article establishes a “presumption of reliability” of the technological medium by virtue of which the technology used makes it possible to ensure the document’s integrity.  This integrity itself is not presumed8. Applying these principles in the case under analysis, the Court of Appeal arrives at the conclusion that the judge of first instance erred by deciding that the cassettes did not constitute a technological document. 
It maintains, however, that the first judge was correct in affirming that the authenticity of the audio recordings must be proven for them to be accepted as evidence.  Therefore, in appeal, the appellant did not provide the same technological medium as that which was presented during the first instance. Six (6) cassettes were presented in the Superior Court, whereas one CD representing a summary of these recordings was presented instead in the Court of Appeal. Thus, it was not sufficient in the Court of Appeal to compare the technology and the different mediums of the proof presented, since it was impossible to distinguish the content of the cassettes from those of the CD in order to determine whether they presented the same information. By virtue of the rules of proof, the reproduction of an original may be made by a copy or a transfer9.  The copy shall be made on the same medium, whereas the transfer will be made on a technological medium that is different from the original.  Since the Court had no way to determine with certainty that the content of the CD was the same as that of the cassettes, it concluded that it simply did not have the same legal value. Lastly, the Court concluded that the appellant did not discharge his burden of demonstrating that the first instance judge had made an error that could justify their involvement. This ground of appeal was therefore rejected10. Overall, the Court of Appeal rejected in any case all of the other claims put forth by the appellant, noting that the latter faces a critical challenge: he was not persuasive. Our takeaway from this case is that the administration of a piece of evidence on a technological medium is no simple matter, and it must not be taken lightly. It is not easy to navigate the various provisions set out in both the Civil Code and the LFIT Act in order to extract the principles applicable to matters of proof. 
The Court of Appeal holds that the presumption of integrity set out in article 7 of the LFIT Act applies exclusively to the technological medium and not its content. It emphasizes that there should not be confusion between the integrity of a document and the capacity of a technology to ensure it. Also, it suggests referring to the presumption set out in article 7 of the LFIT Act as a “presumption of technological reliability” instead of a “presumption of integrity of medium”. Lastly, it specifies that establishing the authenticity of an audio recording comprises two (2) components: 1) The qualities related to the methods of creation; and, 2) The qualities related to the information itself contained on the technological medium. A party seeking to dispute the reliability of a technological medium must, by virtue of article 89 of the CCQ, produce an affidavit “indicating in specific detail the facts and motives that make an attack on the integrity of the document likely”. An example of the administration of such technological proof may be found in the matter of Forest v. Industrial Alliance¹¹. In this matter, photographs taken from the appellant’s Facebook account were submitted as an element of material proof. Attached was an affidavit, attesting to the authenticity of the document, from the intern who took the screen capture. Regarding the identity of the informants, the appellant’s spouse confirmed, during the hearing, that it was in fact he himself who had taken the photographs in question. Since the opposing party did not offer any objection, the authenticity was established. While the Civil Code of Québec and its related laws strive to cover every situation that may arise in connection with presenting evidence on a technological medium, it is undeniable that technology is progressing at a rate that is far outpacing that set by lawmakers.
That being the case, it is also the responsibility of attorneys to collaborate and innovate in the administration of their proof so as not to find themselves in an endless debate when seeking to determine the authenticity of specific evidence they are attempting to present.

2018 QCCA 608. Judgement on appeal, par. 97 CQLR, c. C-1.1. Paragraph 60 Art. 2855, the CCQ. 9, par. 119 of the decision. CCQ., art. 2855 and 2874. 9, par. 120 of the decision LFIT Act, art. 12, 15, 17 and 18 and CCQ, art. 2841. We should note that the other grounds of appeal presented by the appellant were all rejected as well, and that the Court, in a written judgement rendered by the Honorable Jacques J. Lévesque, j.c.a., rejected the appeal with legal fees. 2016 QCCS 497.
