Publications

While the Canadian government has said it intends to pass legislation dealing with cybersecurity (see Bill C-26 to enact the Critical Cyber Systems Protection Act), many companies have already taken significant steps to protect their IT infrastructure. However, the Internet of Things is too often overlooked in this process. This is in spite of the fact that many devices are directly connected to the most important IT infrastructure for businesses. Industrial robots, devices that control production equipment in factories, and devices that help drivers make deliveries are just a few examples of vulnerable equipment. Operating systems and a range of applications are installed on these devices, and the basic operations of many businesses and the security of personal information depend on the security of the devices and their software. For example: An attack could target the manufacturing equipment control systems on the factory floor and result in an interruption of the company’s production and significant recovery costs and production delays. By targeting production equipment and industrial robots, an attacker could steal the blueprints and manufacturing parameters for various processes, which could jeopardize a company’s trade secrets. Barcode scanners used for package delivery could be infected and transmit information to hackers, including personal information. The non-profit Open Web Application Security Project (OWASP) has released a list of the top ten security risks for the Internet of Things.1 Leaders of companies that use this kind of equipment must be aware of these issues and take measures to manage these risks. We would like to comment on some of the risks which require appropriate policies and good company governance to mitigate them. Weak or unchangeable passwords: Some devices are sold with common or weak initial passwords. It is important to ensure that passwords are changed as soon as devices are set up and to keep tight control over them. Only designated IT personnel should know the passwords for configuring these devices. You should also avoid acquiring equipment that does not allow for password management (for example, a device with an unchangeable password). Lack of updates: The Internet of Things often relies on computers with operating systems that are not updated during their lifetime. As a result, some devices are vulnerable because they use operating systems and software with known vulnerabilities. Good governance includes ensuring that such devices are updated and acquiring only devices that make it easy to perform regular updates. Poor management of the fleet of connected devices: Some companies do not have a clear picture of the Internet of Things deployed in their company. It is crucial to have an inventory of these devices with their role in the company, the type of information they contain and the parameters that are essential to their security. Lack of physical security: Wherever possible, access to these devices should be protected. Too often, devices are left unattended in places where they are accessible to the public. Clear guidelines should be provided to employees to ensure safe practices, especially for equipment that is used on the road. A company’s board of directors plays a key role in cybersecurity. In fact, the failure of directors to monitor risks and to ensure that an adequate system of controls is in place can expose them to liability. Here are some elements of good governance that companies should consider practising: Review the composition of the board of directors and the skills matrix to ensure that the team has the required skills. Provide training to all board members to develop their cyber vigilance and equip them to fulfill their duties as directors. Assess cybersecurity risks, including those associated with connected devices, and establish ways to mitigate those risks. The Act to modernize legislative provisions respecting the protection of personal information sets out a number of obligations for the board of directors, including appointing a person in charge of the protection of personal information, having a management plan and maintaining a register of confidentiality incidents. For more information, you can read the following bulletin: Amendments to Privacy Laws: What Businesses Need to Know (lavery.ca) Lastly, a company must at all times ensure that the supplier credentials, passwords and authorizations that make it possible for IT staff to respond are not in the hands of a single person or supplier. This would put the company in a vulnerable position if the relationship with that person or supplier were to deteriorate. See OWASP top 10

On July 15, 2022, Justice François Lebel of the Court of Québec rendered a decision1 confirming that, in the case of the sale of immovable property, a clear and unambiguous exclusion clause, whereby the warranty is waived at the buyer’s risk, results in a break in the chain of title preventing the buyer from taking any legal action under such warranty against the seller and previous sellers. Justice Lebel thus declared the originating application against the defendants Marshall and Bergeron inadmissible and dismissed the call in warranty. This decision is consistent with the recent decision of the Court of Appeal of Quebec in Blais,2 rendered in May 2022, which clarified the state of the law on the consequence of waiving a legal warranty where successive sales are involved. The facts In March 2009, the defendant Bergeron sold an income property (hereinafter the “Property”) to the defendants, the Marshalls, with a legal warranty of quality. In May 2012, the Marshalls in turn sold the Property to the defendants Hamel and Drouin, still with a legal warranty of quality. In December 2016, the defendants Hamel and Drouin resold the Property to the plaintiff, but this time [translation] “without legal warranty of quality, at the buyer’s risk, but with warranty of ownership”. In the fall of 2020, the plaintiff had work done to repair the drain tile system. It was at that point that it discovered the presence of petroleum hydrocarbons in the soil under the Property’s foundation, rendering the soil unsuitable for residential use. According to an expert report, the alleged contamination stemmed from a heating oil tank once located in a shed behind the Property. The tank was apparently removed before the sale in December 2016. The plaintiff was seeking a reduction in the sale price and to have the defendants Hamel and Drouin, as well as the two previous sellers, the defendants Marshall and Bergeron, held solidarily liable. The plaintiff referred to the warranty of quality provided for in articles 1726 and following of the Civil Code of Québec (C.C.Q.) and the warranty against public law restrictions provided for in article 1725 C.C.Q. The plaintiff also claimed to be the victim of fraud on the part of the defendants Hamel and Drouin. After being called in warranty by the defendants Hamel and Drouin, the Marshalls moved to dismiss the substantive claim and the action in warranty. They claimed that the sale of the Property between the defendants Drouin and Hamel and the plaintiff was made at the buyer’s risk and that such a clause in a subsequent deed of sale irrevocably breaks the chain of title, thereby preventing the plaintiff from taking any legal action against the seller and previous sellers. The law and the importance of a clear clause According to article 1442 C.C.Q., which codifies the principles arising from the decision in Kravitz,3 buyers may seek to have the sellers previous to their own seller held liable. However, for such an action to be deemed valid, it must be established that: The defect existed at the time that the previous sellers owned the immovable; and The right to the legal warranty was transferred to the plaintiff through subsequent sales. Indeed, the buyer of an immovable may take legal action directly against a previous seller in accordance with article 1442 C.C.Q. However, this article presupposes that the right to the legal warranty was passed on from one owner to the next, right down to the current buyer seeking to file a claim for latent defects. In other words, the legal warranty must have been transferred to each owner through the chain of title. In Blais, the Court of Appeal confirmed that an unambiguous warranty exclusion clause results in a break in the chain of title. Such a clause prevents the buyer of an immovable from taking legal action directly against the former owners who sold the immovable with a legal warranty. Given the decision in Blais, it is now clear that such a clause waiving the legal warranty closes the door to any direct recourse against a seller’s predecessors, even if such predecessors sold the immovable with a legal warranty.4 In these circumstances, a buyer who acquires an immovable at their own risk will be deprived of their right to take legal action directly against the previous sellers, insofar as the warranty exclusion clause in the deed of sale is clear and unambiguous. In this case, Justice Lebel considered that the wording of the warranty exclusion clause in the deed of sale, which was binding on the plaintiff, was clear and unambiguous, and that a sale at the buyer’s “risk” excludes both the warranty of quality and the warranty of ownership, which covers the public law restrictions of article 1725 C.C.Q. Justice Lebel indicated that there was a break in the chain of title resulting from the sale at the buyer’s risk and that the plaintiff could not claim that it was still entitled to take legal action directly against any sellers other than the defendants Hamel and Drouin. He therefore ruled in favour of the defendants Marshall and Bergeron and declared the originating application against them inadmissible. Key takeaways A warranty exclusion clause in a deed of sale will only be deemed valid if it is clear and unambiguous. The mention that a sale is made “at the buyer’s risk” completely eliminates the warranty of quality provided for in article 1726 C.C.Q. and the warranty of ownership provided for in article 1725 C.C.Q. A deed of sale containing a valid warranty exclusion clause AND a mention that the sale is made “at the buyer’s risk” precludes any recourse by the buyer against the seller, but also against previous sellers. With the current state of the Quebec real estate market, the decision in Hamel, which ties in with the Court of Appeal’s teachings in Blais, certainly clarifies how case law established in recent years should be applied, in particular as concerns the effect of a warranty exclusion clause on successive sales. The members of our Litigation and Dispute Resolution group are available to advise you and answer your questions. 9348-4376 Québec inc. c. Hamel, 2022 QCCQ 5217 Blais c. Laforce, 2022 QCCA 858. General Motors Products of Canada Ltd v. Kravitz, [1979] 1 S.C.R. 790 Supra note 1, paras. 6 and 8.

On June 20, 2022, the federal government registered regulations that, as the name implies, prohibit (or restrict, in some cases) the manufacture, import and sale of certain single-use plastics that pose a threat to the environment. The Regulations will come into force on December 20, 2022, with the exception of certain provisions taking effect in the following months.1 Manufacturing, importing and selling certain single-use plastic products made entirely or partially of plastic, such as foodservice ware, checkout bags and straws, will be soon be prohibited. This regulation is expected to affect more than 250,000 Canadian businesses that sell or provide single-use plastic products, primarily in the retail, food service, hospitality and healthcare industries. The following is a comprehensive list of items that will be prohibited: Single-use plastic ring carriers designed to hold and carry beverage containers together2; Single-use plastic stir sticks designed to stir or mix beverages or to prevent liquid from spilling from the lid of its container3; Single-use plastic foodservice ware (a) designed in the form of a clamshell container, lidded container, box, cup, plate or bowl, (b) designed to serve or transport ready-to-eat food or beverages without further preparation, and (c) made from certain materials4; Single-use plastic checkout bags designed to carry purchased goods from a business and (a) whose plastic is not a fabric, or (b) whose plastic is a fabric that will break or tear, as the case may be, (i) if it is used to carry 10 kg over a distance of 53 m 100 times; (ii) if it is washed in accordance with the washing procedures specified for a single domestic wash in the International Organization for Standardization standard ISO 6330, as amended from time to time5; Single-use plastic cutlery that is formed in the shape of a fork, knife, spoon, spork or chopstick that either (a) contains polystyrene or polyethylene, or (b) changes its physical properties after being run through an electrically operated household dishwasher 100 times6; Single-use plastic straws that either (a) contain polystyrene or polyethylene, or (b) change their physical properties after being run through an electrically operated household dishwasher 100 times7. The main exceptions Single-use flexible plastic straws Single-use flexible plastic straws, i.e. those with a corrugated section that allows the straw to bend and maintain its position at various angles,8 may be manufactured and imported9. These flexible straws may also be sold in any of the following circumstances:  The sale does not take place in a commercial, industrial, or institutional setting10. This exception means that individuals can sell these flexible straws. The sale is between businesses in packages of at least 20 straws.11 The sale is made by a retail store of a package of 20 or more straws to a customer who requests it without the package being displayed in a manner that permits the customer to view the package without the help of a store employee12; The sale of straws is between a retail store and a customer, if the straw is packaged together with a beverage container and the packaging was done at a location other than the retail store13; The sale is between a care facility, such as a hospital or long-term care facility, and its patients or residents14. The export of single-use plastic items - All the manufactured single-use plastic items listed above may be manufactured, imported or sold for export15. That said, any person who manufactures or imports such items for export will be required to keep a record of certain information and documents as appropriate for each type of plastic manufactured item16. Records of the information and documents will have to be kept for at least five years in Canada17. Conclusion: an opportunity to rethink common practices In the short term, businesses will need to start thinking about how they will replace the plastic manufactured items they use. To help businesses select alternatives to single-use plastic items, the federal government has released its Guidance for selecting alternatives to the single-use plastics in the proposed Single-Use Plastics Prohibition Regulations.18 According to this document, the aim should be to reduce plastics.  Businesses may begin by considering whether a single-use plastic should be replaced or no longer provided. Only products that perform essential functions should be replaced with non-plastic equivalents. Stir sticks and straws can be eliminated most of the time. Another way to reduce waste is to opt for reusable products and packaging. Businesses are invited to rethink their products and services to provide reusable options. Reusable container programs (i.e. offering customers the option of using their own reusable containers) are a reuse option that businesses may want to consider, in particular to reduce the amount of plastic food containers. Only where reusable products are not feasible should businesses substitute a single-use plastic product with a recyclable single-use alternative. Businesses in this situation are encouraged to contact local recycling facilities to ensure that they can successfully recycle products at their end of life. Ultimately, charging consumers for certain single-use substitutes (e.g. single-use wooden or moulded fibre cutlery) may also discourage their use. Ibid, s. 1 Ibid, s. 3 Ibid, s. 6 Polystyrene foam, polyvinyl chloride, plastic containing black pigment produced through the partial or incomplete combustion of hydrocarbons or oxo-degradable plastic; Ibid. This standard is entitled Textiles – Domestic washing and drying procedures for textile testing; Ibid. Ibid. Ibid, ss. 4 and 5. Ibid, s. 1. Ibid, s. 4. Ibid, para. 5(2). Ibid, para. 5(3). Ibid, para. 5(4); According to Guidance for selecting alternatives to the single-use plastics in the proposed Single-Use Plastics Prohibition Regulations, the goal is to ensure that people with disabilities who need flexible single-use plastic straws continue to have access to them at home and can carry them to restaurants and other premises. Ibid, para. 5(5). Ibid, para. 5(6). Ibid, para. 2(2). Ibid., s. 8 Ibid, para. 9(1). https://www.canada.ca/en/environment-climate-change/services/managing-reducing-waste/consultations/proposed-single-use-plastics-prohibition-regulations-consultation-document.html

Earlier this month, Canadian Heritage Minister Pablo Rodriguez introduced Bill C-18 (Online News Act) in Parliament. This bill, which was largely inspired by similar legislation in Australia, aims to reduce bargaining imbalances between online platforms and Canadian news outlets in terms of how these “digital news intermediaries” allow news content to be accessed and shared on their platforms. If passed, the Online News Act would, among other things, require these digital platforms such as Google and Facebook to enter into fair commercial agreements with news organizations for the use and dissemination of news related content on their platforms. Bill C-18, which was introduced on April 5, 2022, has a very broad scope, and covers all Canadian journalistic organizations, regardless of the type of media (online, print, etc.), if they meet certain eligibility criteria. With respect to the “digital news intermediaries” on which the journalistic content is shared, Bill C-18 specifically targets online communication platforms such as search engines or social media networks through which news content is made available to Canadian users and which, due to their size, have a significant bargaining imbalance with news media organizations. The bill proposes certain criteria by which this situation of bargaining imbalance can be determined, including the size of the digital platform, whether the platform operates in a market that provides a strategic advantage over news organizations and whether the platform occupies a prominent position within its market. These are clearly very subjective criteria which make it difficult to precisely identify these “digital news intermediaries.” Bill C-18 also currently provides that the intermediaries themselves will be required to notify the Canadian Radio-television and Telecommunications Commission (“CRTC”) of the fact that the Act applies to them. The mandatory negotiation process is really the heart of Bill C-18. If passed in its current form, digital platform operators will be required to negotiate in good faith with Canadian media organizations to reach fair revenue sharing agreements. If the parties fail to reach an agreement at the end of the negotiation and mediation process provided for in the legislation, a panel of three arbitrators may be called upon to select the final offer made by one of the parties. For the purposes of enforceability, the arbitration panel’s decision is then deemed, to constitute an agreement entered into by the parties. Finally, Bill C-18 provides digital platforms the possibility of applying to the CRTC for an exemption from mandatory arbitration provided that their revenue sharing agreements meet the following criteria: Provide fair compensation to the news businesses for news content that is made available on their platforms; Ensure that an appropriate portion of the compensation would be used by the news businesses to support the production of local, regional and national news content; Do not allow corporate influence to undermine the freedom of expression and journalistic independence enjoyed by news outlets; Contribute to the sustainability of Canada’s digital news marketplace; Ensure support for independent local news businesses, and ensure that a significant portion of independent local news businesses benefit from the deals; and Reflect the diversity of the Canadian news marketplace, including diversity with respect to language, racialized groups, Indigenous communities, local news and business models. A bill of this scope will certainly be studied very closely by the members of Parliament, and it would not be surprising if significant amendments were made during this process. We believe that some clarifications would be welcome, particularly as to the precise identity of businesses that will be considered “digital information intermediaries” for the purposes of the Online News Act.

Introduction Non-liability clauses are often included in many types of contracts. In principle, they are valid and used to limit (limitation of liability clause) or eliminate (exoneration clause) the liability of a party with respect to its obligations contained in a contract. The recent unanimous decision of the Supreme Court of Canada confirms that under Quebec law, parties may limit or exclude their liability in a contract by mutual agreement. However, a party may have such a clause declared inoperative by invoking the doctrine of breach of a fundamental obligation of the contract. In this case, the Supreme Court of Canada confirmed the validity of the clause at issue and circumscribed the limits of the application of the doctrine. The Supreme Court of Canada’s decision The facts The dispute relates to a contract signed between 6362222 Canada inc. (“Createch”), a consulting firm specializing in the improvement and implementation of integrated management systems, and Prelco inc. (“Prelco”), a manufacturing company specializing in the fabrication and transformation of flat glass. Under the terms of the contract that the parties concluded in 2008, Createch was to provide software and professional services to help Prelco implement an integrated management system. Createch prepared a draft contract and Prelco did not ask for any changes to the proposed conditions. A clause entitled Llimited Liability was included in the contract, which stipulated that Createch’s liability to Prelco for damages attributed to any cause whatsoever would be limited to amounts paid to Createch, and that Createch could not be held liable for any damages resulting from the loss of data, profits or revenues or from the use of products or for any other special, consequential or indirect damages. When the system was implemented, numerous problems arose and Prelco decided to terminate its contractual relationship with Createch. Prelco brought an action for damages against Createch for the reimbursement of an overpayment, costs incurred to restore the system, claims from its customers and loss of profits. Createch filed a cross-application for the unpaid balance for the project. At trial, the Superior Court of Québec concluded that the limitation of liability clause was inoperative under the doctrine of breach of fundamental obligation, because Createch had breached its fundamental obligation by failing to take Prelco’s operating needs into account when implementing the integrated management system. The Court of Appeal of Québec confirmed the trial judge’s decision and held that the doctrine of breach of fundamental obligation can annul the effect of an exoneration or limitation of liability clause by the mere fact that a breach relates to a fundamental obligation. The Supreme Court of Canada’s reasons The Supreme Court of Canada allowed the appeal and set aside the decisions of the lower courts. Per Chief Justice Wagner and Justice Kasirer, the Supreme Court held that the limitation of liability clause in the parties’ contract was valid, despite the fact that Createch had breached its fundamental obligation. The Supreme Court addressed the two legal bases for the existence of the doctrine of breach of fundamental obligation: the validity of the clause having regard to public order and he validity of the clause having regard to the requirement relating to the cause of the obligation. In this case, the Court determined that public order could not render the limitation of liability clause inoperative as the contract at issue was one by mutual agreement and the parties were free to share the risks associated with a contractual breach between them, even if the breach involved a fundamental obligation. As for the validity of the limitation of liability clause, the Court determined that it was not a no obligation clause that would exclude the reciprocity of obligations. Createch had significant obligations to Prelco, and Prelco could keep the integrated management system, obtain damages for unsatisfactory services and be compensated for necessary costs for specific performance by replacement, but no higher than what had been paid to Createch. A limitation of liability clause does not therefore deprive the contractual obligation of its objective cause and does not exclude all sanctions. The Court explains: “[86] Thus, art. 1371 C.C.Q. applies to contract clauses that negate or exclude all of the debtor’s obligations and, in so doing, deprive the correlative obligation of its cause. Where a contract includes such clauses, it can be said that the reciprocal nature of the contractual relationship is called into question (arts. 1371, 1378 para. 1, 1380 para. 1, 1381 para. 1 and 1458 C.C.Q.). To apply a more exacting criterion would amount to annulling or revising a contract on assessing the equivalence rather than the existence of the debtor’s prestation and, as a result, to indirectly introducing the concept of lesion, which is narrowly delimited in the Code.”1 Prelco remains bound by the limitation of liability clause in this case. The Supreme Court of Canada is of the view that the trial judge and the Court of Appeal erred in law in declaring the limitation of liability clause inoperative. It allowed Createch’s appeal. Conclusion This Supreme Court of Canada decision confirms the importance of the principles of autonomy of contracting parties and freedom of contract between sophisticated legal persons in Quebec law. The doctrine of breach of fundamental obligation does not permit the circumvention of the principle of freedom of contract: It cannot be said that an obligation is deprived of its cause when a sanction for nonperformance of obligations fundamental to the contract is provided for in a limitation of liability clause. [1] 6362222 Canada inc. v. Prelco inc., 2021 SCC 39, para. 86..

Ransomware has wreaked so much havoc in recent years that many people forget about other cybersecurity risks. For some, not storing personal information makes them feeling immune to hackers and cyber incidents. For others, as long as their computers are working, they do not feel exposed to no malware. Unfortunately, the reality is quite different. A new trend is emerging: malware is being released to collect confidential information, including trade secrets, and then such information is being sold to third parties or released to the public.1 The Pegasus software used to spy on journalists and political opponents around the world has been widely discussed in the media, to the point that U.S. authorities decided to include it on their trade blacklist.2 However, the use of spyware is not limited to the political sphere. Recently, a California court ordered a U.S. corporation, 24[7].ai, to pay $30 million to one of its competitors, Liveperson.3 This is because 24[7].ai installed competing technology on mutual client websites where LivePerson’s technology already is installed. Liveperson alleged in its lawsuit that 24[7].ai installed spyware that gathered confidential and proprietary information and data regarding Liveperson’s technology and client relationships. In addition, the software which 24[7].ai allegedly installed removed some features of Liveperson’s technology, including the “chat” button. In doing so, 24[7].ai interfered in the relationship between Liveperson and its clients. This legal saga is ongoing, as another trial is scheduled to take place regarding trade secrets related to a Liveperson client.4 This legal dispute illustrates that cybersecurity is not only about personal information, but also about trade secrets and even the proper functioning of business software. A number of precautions can be taken to reduce the risk of cybersecurity incidents. Robust internal policies at all levels of the business help maintain a safe framework for business operations. Combined with employee awareness of the legal and business issues surrounding cybersecurity, these policies can be important additions to IT best practices. In addition, employee awareness facilitates the adoption of best practices, including systematic investigations of performance anomalies and the use of programming methods that protect trade secrets. Moreover, it may be advisable to ensure that contracts with clients provide IT suppliers with sufficient access to conduct  the necessary monitoring for the security of both parties. Ultimately, it is important to remember that the board of directors must exercise its duty with care, diligence and skill while looking out for the best interests of the business. Directors could be held personally liable if they fail to meet their obligation to ensure that adequate measures are implemented to prevent cyber incidents or if they ignore the risks and are wilfully blind. Thus, board members must be vigilant, be trained in and aware of cybersecurity in order to integrate it into their risk management approach. In an era in which intellectual property has become a corporation’s most important asset, it goes without saying that it is essential to put in place not only the technological tools, but also the procedures and policies required to adequately protect it! Contact Lavery for advice on the legal aspects of cybersecurity. See Page, Carly, “This new Android spyware masquerades as legitimate apps,” Techcrunch, November 10, 2021. https://techcrunch.com/2021/11/10/android-spyware-legitimate-apps; Page, Carly, “FBI says ransomware groups are using private financial information to further extort victims,” Techcrunch, November 2, 2021. https://techcrunch.com/2021/11/02/fbi-ransomware-private-financial-extort. Gardner, Frank, “NSO Group: Israeli spyware company added to US trade blacklist,” BBC News, November 3, 2021. https://www.bbc.com/news/technology-59149651. Claburn, Thomas, “Spyware, trade-secret theft, and $30m in damages: How two online support partners spectacularly fell out,” The Register,June 18, 2021. https://www.theregister.com/2021/06/18/liveperson_wins_30m_trade_secret. Brittain, Blake, “LivePerson wins $30 million from [24]7.ai in trade-secret verdict,”Reuters, June 17, 2021. https://www.reuters.com/legal/transactional/liveperson-wins-30-million-247ai-trade-secret-verdict-2021-06-17.

In IT service contracts, it is common to find non-liability clauses protecting companies that provide software and professional IT system implementation or integration services. Issue In Dispute Is such a contractual non-liability clause valid under Quebec civil law where a fundamental obligation is breached? In 6362222 Canada inc. v. Prelco inc., recently rendered, the Supreme Court of Canada ruled that the non-liability clause in question was freely negotiated between the parties and resulted from compromises made by both sides. It therefore had to be respected. The respondent “Prelco” mandated the appellant “Créatech” to supply software and provide services to implement an integrated management system, the purpose of which was to manage and track all operational services information found in a large number of databases. Further to the many recurring problems during the system implementation, Prelco decided to end its contractual relationship with Créatech and hired another company to render the system operational. Prelco then claimed damages from Créatech, while Créatech filed a counterclaim for the unpaid balance for the project from Prelco. This began a long legal battle, which ended in the Supreme Court. In its decision, the Supreme Court treated various arguments which, according to Prelco, would have precluded the application of the non-liability clause. The Court dismissed these arguments. Reaffirmation Of The Primacy Of Freedom Of Contract The Supreme Court of Canada held that the Civil Code is set out in such a way as to provide for parties’ freedom to contract and to strike a balance between the notion of public order and the principle of freedom of contract. In considering the applicable legal principles, the judges noted however that the principle of respect for the contractual will of the parties does have exceptions, for example in cases of gross negligence or intentional fault, where economic forces are unbalanced ( such as a contract between a merchant and a consumer), where adhesion contracts and other types of contracts, such as nominate contracts mentioned in the Civil Code are involved, or where exclusions cover liability for body or moral injury.  Conclusion From this decision, it appears beneficial for IT service providers or other service providers to choose to be governed by the Quebec regime in contracts where the parties negotiate a clause limiting or excluding liability.

Bill 64, also known as the Act to modernize legislative provisions as regards the protection of personal information, was adopted on September 21, 2021, by the National Assembly of Québec. This new bill amends some 20 laws relating to the protection of personal information, including the Act respecting Access to documents held by public bodies and the Protection of personal information ("Access Act"), the Act respecting the protection of personal information in the private sector (“ARPIPS”) and the Act to establish a legal framework for information technology (“AELFIT”). While these changes will affect both public bodies and private businesses, this article focuses exclusively on the new requirements for public bodies covered by the Access Act.  We have prepared an amended version of the Access Act in order to reflect the exact changes brought about by Bill 64. 1. Strengthening consent mechanisms and increasing individual control over personal information By way of Bill 64, some important changes were made to the notion of consent when disclosing personal information to public bodies. From now on, any time an individual’s consent is required by the Access Act, public bodies must ensure that the concerned individual’s consent is given separately from any other disclosed information (s. 53.1). Furthermore, any consent to the collection of sensitive personal information (e.g., health or financial information that gives rise to a reasonable expectation of privacy) will have to be expressly obtained from the data subject (s. 59). The amended Access Act now also provides that minors under the age of 14 must have a parent or a guardian consent to the collection of their personal information. For minors over the age of 14, consent can be given either directly by the minor or by their parent or guardian (s. 53.1). The right to data portability is one of the new rights enforced by Bill 64. These added provisions to the Access Act allow data subjects to obtain data that a public body holds on them in a structured and commonly used technological format and to demand that this data be released to a third party (s. 84). Whenever a public body renders a decision based exclusively on automated processing of personal information, the affected individual must be informed of this process. If the decision produces legal effects or otherwise affects the individual concerned, upon request, the public body must also disclose to the individual (i) the personal information used in reaching the decision, (ii) the reasons and main factors leading to the decision, and (iii) the individual’s right to have this personal information rectified (s. 65.2).  Furthermore, public bodies that use technology to identify, locate or profile an individual must now inform the affected individual of the use of such technology and the means that are available to them in order to disable such functions (s. 65.0.1). 2. New personal data protection mechanisms Public bodies will now be required to conduct a privacy impact assessment whenever they seek to implement or update any information system that involves the collection, use, disclosure, retention or destruction of personal data (s. 63.5). This obligation will effectively compel public bodies to consider the privacy and personal information protection risks involved in a certain project at its outset. In fact, the Access Act now states that every public body must create an access to information committee, whose responsibilities will include offering their observations in such circumstances. 3. Promoting transparency and accountability for public bodies The changes brought about by Bill 64 also aim to increase the transparency of processes employed by public bodies in collecting and using personal data, as well as placing an emphasis on accountability. As such, public bodies will now have to publish on their websites the rules that govern their handling of personal data in clear and simple language (s. 63.3). These rules may take the form of a policy, directive or guide and must set out the various responsibilities of staff members with respect to personal information. Training and awareness programs for staff should also be listed. Any public body that collects personal information through technological means will likewise be required to publish a privacy policy on their website. The policy will have to be drafted in clear and simple language (s. 63.4). The government may eventually adopt regulations to specify the required content of such privacy policies. Moving forward, public bodies will also have to inform data subjects of any personal data transfer outside of the province of Quebec (s. 65). Any such transfer will also need to undergo a privacy impact assessment, which will include an analysis of the legal framework applicable in the State where the personal information will be transferred (s. 70.1). Furthermore, any transfer of personal data outside of Quebec must be subject to a written agreement that takes into account, in particular, the results of the privacy impact assessment and, if applicable, the agreed-upon terms to mitigate the risks identified in the assessment (s. 70.1). A public body that wishes to entrust a person or body outside of Quebec with the task of collecting, using, communicating or retaining personal information on its behalf will have to undertake a similar exercise (s. 70.1 (3)). 4. Managing confidentiality incidents Where a public body has reason to believe that a confidentiality incident (which is defined in Bill 64 as the access, use, disclosure or loss of personal information) has occurred, public bodies will be required to take reasonable steps to mitigate the injury caused to the affected individuals and to reduce the risk of further confidentiality incidents occurring in the future (s. 63.7). In addition, where the confidentiality incident poses a risk of serious harm to the affected individuals, these individuals and the Commission d’accès à l’information (“CAI”) must be notified (unless doing so would interfere with an investigation to prevent, detect or suppress crime or violations of law) (s. 63.7). Public bodies must now also keep a register of confidentiality incidents (s. 63.10), a copy of which must be sent to the CAI upon request. 5. Increased powers for the CAI Bill 64 also grants the CAI an arsenal of new powers aiming to ensure that public bodies, as well as private companies, comply with privacy laws. For example, in the event of a confidentiality incident, the CAI may order any public body to take appropriate action to protect the rights of affected individuals, after allowing the public body to make representations (s. 127.2). Furthermore, the CAI now has the power to impose substantial administrative monetary penalties, the value of which may reach up to $150,000 for public bodies (s. 159). In the event of repeat offences, fines will be doubled (s. 164.1). 6. Coming into force The amendments made by Bill 64 will come into force in several stages. Most of the new provisions of the Access Act [DM1] will come into force two years after the date of assent, which was granted on September 22, 2021. However, some specific provisions will take effect one year after that date, including: The requirements regarding actions to be taken in response to confidentiality incidents (s. 63.7) and the powers of the CAI upon disclosure by an organization of a confidentiality incident (s. 137.2); and The exception to disclosure without consent for research purposes (s. 67.2.1). Conclusion The clock is now ticking for public bodies to implement the necessary changes in order to comply with the new privacy requirements outlined in Bill 64, which received official assent on September 22, 2021. We invite you to consult our privacy specialists to help ensure proper compliance with the new requirements of the updated Access Act. The Lavery team would be more than pleased to answer any questions you may have regarding the upcoming changes and the potential impacts on your org

Bill 64, also known as the Act to modernize legislative provisions respecting the protection of personal information, was adopted on September 21, 2021, by the National Assembly of Québec. It amends some 20 laws relating to the protection of personal information, including the Act respecting access to documents held by public bodies ("Access Act"), the Act respecting the protection of personal information in the private sector ("Private Sector Act") and the Act respecting the legal framework for information technology. While the changes will affect both public bodies and private businesses, this publication will focus on providing an overview of the new requirements for private businesses covered by the Private Sector Act. We have prepared an amended version of the Private Sector Act in order to reflect the exact changes brought about by Bill 64. Essentially, the amended Private Sector Act aims to give individuals greater control over their personal information and promote the protection of personal information by making businesses more accountable and introducing new mechanisms to ensure compliance with Québec’s privacy rules. The following is a summary of the main amendments adopted by the legislator and the new requirements imposed on businesses in this area. It is important to note that, for the most part, the new privacy regime will come into effect in two years. 1. Increasing transparency and individual control over personal information The new Private Sector Act establishes the right of individuals to access information about themselves collected by businesses in a structured and commonly used technological format. Data subjects will now also be able to require a business to disclose such information to a third party, as long as the information was not “created or inferred” by the business (s. 27). This right is commonly referred to as the “right to data portability.” Businesses now have an obligation to destroy personal information once the purposes for which it was collected or used have been fulfilled. Alternatively, businesses may anonymize personal information in accordance with generally accepted best practices in order to use it for meaningful and legitimate purposes (s. 23). However, it is important that the identity of concerned individuals can never again be inferred from the retained information. This is a significant change for private businesses which, under the current law, can still retain personal information that has lapsed. In addition, Bill 64 provides individuals with a right to “de-indexation.” In other words, businesses will now have to de-index any hyperlink that leads to an individual’s personal information where dissemination of such personal information goes against the law or a court order (s. 28.1). Additionally, whenever a business uses personal information to render a decision based exclusively on an automated processing of such information, it must inform the concerned individual of the process at the latest when the decision is made (s. 12.1). The individual must likewise be made aware of their right to have the information rectified (s. 12.1). Bill 64 provides that the release and use of nominative lists by a private company for commercial or philanthropic prospecting purposes are now subject to the consent of concerned data subjects. Furthermore, in an effort to increase transparency, businesses will now be required to publish their rules of governance with respect to personal information in simple and clear terms on their website (s. 3.2). These rules may take the form of a policy, directive or guide and must, among other things, set out the various responsibilities of staff members with respect to personal information. In addition, businesses that collect personal information through technology will also be required to adopt and publish a privacy policy in plain language on their website when they collect personal information (s. 8.2). The amended Private Sector Act further provides that businesses that refuse access to information requests, in addition to giving reasons for their refusal and indicating the relevant sections of the Act, must now assist applicants in understanding why their request was denied when asked to (s. 34). 2. Promoting privacy and corporate accountability Bill 64 aims to make businesses more accountable for the protection of personal information, as exemplified by the new requirement for businesses to appoint a Chief Privacy Officer within their organization. By default, the role will fall upon the most senior person in the organization (s. 3.1). In addition, businesses will be required to conduct privacy impact assessments (“PIA”) for any information system acquisition, development or redesign project involving the collection, use, disclosure, retention or destruction of personal information (s. 3.3). This obligation forces businesses to consider the privacy and personal information protection risks involved in a project at its outset. The PIA must be proportionate to the sensitivity of the information involved, the purpose for which it is to be used, its quantity, distribution and medium (s. 3.3). Businesses will likewise be required to conduct a PIA when they intend to disclose personal information outside Québec. In these cases, the purpose of the PIA will be to determine whether the information will be adequately protected in accordance with generally accepted privacy principles (s. 17). The extra-provincial release of personal information must also be subject to a written agreement that takes into account, among other things, the results of the PIA and, if applicable, the terms and conditions agreed to in order to mitigate identified risks (s. 17(2)). The disclosure of personal information by businesses for study, research or statistical purposes is also subject to a PIA (s. 21). The law is substantially modified in this regard, in that a third party wishing to use personal information for such purposes must submit a written request to the Commission d'accès à l'information (“CAI”), attach a detailed description of their research activities and disclose a list of all persons and organizations to which it has made similar requests (s. 21.01.1 and 21.01.02). Businesses may also disclose personal information to a third party, without the consent of the individual, in the course of performing a service or for the purposes of a business contract. The mandate must be set out in a written contract, which must include the privacy safeguards to be followed by the agent or service provider (s. 18.3). The release of personal information without the consent of concerned individuals as part of a commercial transaction between private companies is subject to certain specific requirements (s. 18.4). The amended Private Sector Act now defines a business transaction as “the sale or lease of all or part of an enterprise or its assets, a change in its legal structure by merger or otherwise, the obtaining of a loan or other form of financing by it, or the taking of a security interest to secure an obligation of the enterprise” (s. 18.4). Bill 64 enshrines the concept of “privacy by default,” which means that businesses that collect personal information by offering a technological product or service to the public with various privacy settings must ensure that these settings provide the highest level of privacy by default, without any intervention on behalf of their users (s. 9.1). This does not apply to cookies. Where a business has reason to believe that a privacy incident has occurred, it must take reasonable steps to reduce the risk of harm and the reoccurrence of similar incidents (s. 3.5). A privacy incident is defined as “the access, use, disclosure or loss of personal information” (s. 3.6). In addition, businesses are required to notify concerned individuals and the CAI for each incident that presents a serious risk of harm, which is assessed in light of the sensitivity of the concerned information, the apprehended consequences of its use and the likelihood that it will be used for a harmful purpose (s. 3.7). Companies will furthermore be required to keep a confidentiality incident log that must be made available to the CAI upon request (s. 3.8). 3. Strengthening the consent regime Bill 64 modifies the Private Sector Act to ensure that any consent provided for in the Act is clear, free and informed and given for specific purposes. This means that consent must be requested for each of the purposes of the collection, in simple and clear terms and in a clearly distinct manner, to avoid consent being obtained through complex terms of use that are difficult for individuals to understand (art. 14). The amended Private Sector Act now provides that minors under the age of 14 must have a parent or a guardian consent to the collection of their personal information. For minors over the age of 14, consent can be given either directly by the minor or by their parent or guardian (s. 14). Within an organization, consent to the disclosure of sensitive personal information (e.g., health or other intimate information) must be expressly given by individuals (s. 12). 4. Ensuring better compliance The Private Sector Act has likewise been amended by adding new mechanisms to ensure that businesses subject to the Private Sector Act comply with its requirements. Firstly, the CAI is given the power to impose hefty dissuasive administrative monetary penalties on offenders, which can be as high as $10,000,000 or 2% of the company's worldwide turnover (s. 90.12). In the event of a repeat offence, the fine will be doubled (s. 92.1). In addition, when a confidentiality incident occurs within a company, the CAI may order it to take measures to protect the rights of affected individuals, after allowing the company to make observations (s. 81.3). Secondly, new criminal offences are added to the Private Sector Act, which may also lead to the imposition of severe fines. For offending companies, such fines can reach up to $25,000,000 or 4% of their worldwide turnover (s. 91). Finally, Bill 64 creates a new private right of action. Essentially, it provides that when an unlawful infringement of a right conferred by the Private Sector Act or by articles 35 to 40 of the Civil Code of Québec results in prejudice and the infringement is intentional or the result of gross negligence, the courts may award punitive damages of at least $1,000 (s. 93.1). 5. Coming into force The amendments made by Bill 64 will come into force in several stages. Most of the new provisions of the Private Sector Act will come into force two years after the date of assent, which was granted on September 22, 2021. However, some specific provisions will take effect one year after that date, including: The requirement for businesses to designate a Chief Privacy Officer (s. 3.1); The obligation to report privacy incidents (s. 3.5 to 3.8); The exception for disclosure of personal information in the course of a commercial transaction (s. 18.4); and The exception to disclosure of personal information for study or research purposes (s. 21 to 21.0.2). Finally, the provision enshrining the right to portability of personal information (s. 27) will come into force three years after the date of official assent. The Lavery team would be more than pleased to answer any questions you may have regarding the upcoming changes and the potential impact of Bill 64 on your business. The information and comments contained in this document do not constitute legal advice. They are intended solely for the use of the reader, who assumes full responsibility for its content, for their own purposes.

Bill 78 was introduced in December 2020 by Minister Jean Boulet and given assent on June 8, 2021. It amends the Act respecting the legal publicity of enterprises (the “Act”) and its regulation, the Regulation respecting the application of the Act respecting the legal publicity of enterprises (the “Regulation”). This legislative amendment is part of a process to prevent and fight tax evasion, money laundering and corruption, and will now require registrants to disclose more of their information. Disclosure of information relating to ultimate beneficiaries The amendments set out new requirements for corporate transparency and now require registrants to disclose information about the natural persons who are their ultimate beneficiaries, including their names, domiciles and dates of birth, in order to prevent the use of nominees for tax evasion, among other things. It should be noted that the obligation to disclose the ultimate beneficiary’s domicile can be circumvented by disclosing a professional address instead. New section 35.2 of the Bill provides that “a registrant who must declare the domicile of a natural person under a provision of this Bill may also declare a professional address for the natural person.” If such an address is declared, the information relating to the domicile of that person may not be consulted. Under the Bill, a “registrant” means a person or group of persons registered voluntarily or any person, trust or partnership required to be registered. The Bill specifies that “ultimate beneficiary” means a natural person who meets any of the following conditions in respect of a registrant1: Is the holder, even indirectly, or beneficiary of a number of shares or units of the registrant, conferring on the person the power to exercise 25% or more of the voting rights attached to the shares or units; Is the holder, even indirectly, or beneficiary of a number of shares or units the value of which corresponds to 25% or more of the fair market value of all the shares or units issued by the registrant; Exercises control in fact of the registrant; or Is a general partner of a limited partnership. The Bill also provides that where natural persons holding shares or units of the registrant have agreed to jointly exercise the voting rights attached to the shares or units and the agreement confers on them, together, the power to exercise 25% or more of those voting rights, each of those natural persons is considered to be an ultimate beneficiary of the registrant. Lastly, it provides that a natural person operating a sole proprietorship is presumed to be the only ultimate beneficiary of the sole proprietorship, unless he or she declares otherwise. Notwithstanding this definition of ultimate beneficiary, it is important to note that the government may make regulations determining other conditions according to which a natural person is considered to be an ultimate beneficiary. Search by name of an ultimate beneficiary The Bill provides that a natural person’s name may be part of a compilation of information or serve as the basis for a compilation, and may be used as a search term for the purposes of a search in the enterprise register. This will allow the public to identify all corporations with which a natural person is associated, where such a person has been named the ultimate beneficiary of a registrant. However, information that may not be consulted may not be part of such a compilation or serve as the basis for one. It should be noted that the Bill also allows the government to make regulations determining the information contained in the enterprise register that may not be consulted. Conclusion This legislative amendment, particularly with the addition of the notion of ultimate beneficiary, will considerably increase disclosure requirements for corporations that are already required to communicate certain types of information to the Registraire des entreprises du Québec. We can only hope that at the end of this legislative process, the government will implement a clear and effective information disclosure system, making it easier for registrants and their advisors to manage the information that they disclose. The new section 0.3 will now be part of the new Chapter 0.1 “Purposes and definitions.”

It’s been more than a year since the COVID-19 pandemic began, and many companies are attempting to market products intended to help consumers deal with the risks associated with COVID-19. Some of the most common examples of such products include face masks, testing devices, hand sanitizers, and hard-surface disinfectants. However, while many of these products can be useful (such as by helping reduce the risk of infection), there remains the question of what COVID-19 related claims, if any, can be attributed to the product (e.g. on the product's packaging or in an advertisement). An inaccurate or inappropriate statement can garner the attention of both Health Canada and the Competition Bureau. In fact, since the start of the pandemic, the Competition Bureau has been issuing compliance warnings to businesses across Canada regarding potentially false or misleading claims that their products and services can prevent the disease and/or protect against the virus.1  Accordingly, we have written this newsletter to summarize what Health Canada and the Competition Bureau are looking for when assessing COVID-19-related claims. We also provide examples of the types of statements that have been considered “unacceptable,” as well as a brief description of the consequences of utilizing such unacceptable statements. Please note that the following does not address which licenses are necessary to sell specific products in Canada, nor does it address which legal requirements apply. For example, hand sanitizers, in order to be sold in Canada, must meet the requirements of the Natural Health Products Regulations (NHPR). The general principles of the Competition Act and the rules of the Canadian Competition Bureau With respect to both COVID-19-related claims and product claims in general, the Competition Act prohibits false or misleading claims about any product, service, or business interest. This applies to both the literal meaning of a statement and the general impression it creates. Furthermore, the Competition Act prohibits performance claims that are not backed up by adequate and proper testing. First, such testing must be performed prior to the claim being made and on the actual product being sold, as opposed to a comparable or similar product. Second, they must reflect the product's real-world usage—such as in-home use. Third, the results of the tests must support the general impression created by the claims.  Since as early as May 2020, the Competition Bureau has enforced the above guidelines by issuing direct compliance warnings to a variety of businesses across Canada to stop potentially deceptive claims, including warnings against: Making claims that certain products (including herbal remedies, bee-related products, vitamins, and vegetables) can prevent COVID-19 infections; and Making claims—without first conducting the testing required by law—that certain UV and ozone air sterilization systems, as well as certain air filters or air purifiers, will effectively kill or filter out the virus. Accordingly, the above rules should always be followed when making any COVID-19-related claim about a product. Examples of advertising incidents addressed by Health Canada Health Canada has provided a list of more than 400 advertising incidents related to COVID-19.2 The table provided in footnote 2 lists products and corresponding companies or advertising media found to engage in non-compliant marketing, which are currently under review or have been resolved. While many of these incidents have been resolved, it is unclear what resolution occurred. Was the claim modified or removed entirely? Did the company have to pay a fine? Did the company manage to convince Health Canada that their claim was acceptable as is? Nonetheless, it is clear that the statements were questionable enough that Health Canada found it necessary to intervene. The COVID-19-related claims found therein can thus serve as an effective guide of what claims not to use when advertising products. Along with many unauthorized general claims of “preventing” or “treating” coronavirus and/or COVID-19, some interesting examples of statements flagged by Health Canada include the following: “To protect against Coronavirus” – with respect to a “bandana and protection mask set.” “Flatten the curve with these on trend Fashion Masks” – with respect to a face mask. “Anti-Microbial Micropoly Fabric” – with respect to a face mask. “Ideal for Covid-19” – with respect to a face mask. “Anti-coronavirus, blocks pollution like: exhaust fume, smog, flu virus” – with respect to a face mask. “Effectively isolates saliva carrying coronavirus” – with respect to an “Anti-Dust And Anti-Fog Hat Anti Coronavirus Hat.” “The importance of boosting the immune system during the threat of COVID-19” – with respect to various natural health products. “Suitable in bathroom, living room, bedroom hotel, flu Covid-19” – with respect to a “UV Disinfection Lamp Steriliser.” “labeled ‘COVID-19’ under tab” – with respect to a face mask. As can be seen, some of the statements do not even directly mention COVID-19 or coronavirus, and instead reference concepts such as “flattening the curve” or make general representations about having “anti-microbial” properties. Moreover, many of the claims simply reference COVID-19, without making any representations about treating and/or preventing it. In addition to consulting the above guidelines and examples, it may be wise to seek out products that have been approved by Health Canada for use against COVID-19. Some examples of such products include the following: Disinfectants with evidence for use against COVID-19. Authorized medical testing devices for uses related to COVID-19. Authorized medical devices other than testing devices for uses related to COVID-19. Based on the above, products should only bear COVID-19-related claims if they have been approved for use against COVID-19 by Health Canada, and, even then, such claims should be limited to said use and to what the supporting evidence demonstrates. Some of the links above also contain information on how to obtain the aforementioned approval from Health Canada. Please note that, as of the date of this newsletter, no hand sanitizers have been approved in Canada with COVID-19-related claims.3 Consequently, although hand sanitizers can help reduce the risk of infection by, or spread of, microorganisms, COVID-19-related claims should not be used with such products. Even so, Health Canada has provided a list of hand sanitizers that they have authorized for sale in Canada. In general, a sound policy is to thoroughly review your marketing materials to identify any claims related to the prevention or treatment of COVID-19 that may be false, misleading, or unsubstantiated, and immediately modify or remove such claims accordingly. Penalties for false representations and misleading marketing practices The penalties for using COVID-19-related claims that do not comply with the law can be quite severe and can include fines and jail time.4 In fact, false or misleading representations and deceptive marketing practices, regardless of whether they involve COVID-19-related claims, can be prosecuted under civil law and/or criminal law. As an example, under civil law, the court may order a person to cease an activity, publish a notice and/or pay an administrative monetary penalty. On first occurrence, individuals are liable to penalties of up to $750,000, and corporations, up to $10,000,000. For subsequent occurrences, the penalties increase to a maximum of $1,000,000 for individuals and $15,000,000 for corporations. Under criminal law, a person is liable to a fine of up to $200,000 and/or imprisonment for up to one year. We thus strongly recommend avoiding making false or misleading COVID-19-related claims at all times.     We hope that our newsletter serves as a useful guide regarding what Health Canada and the Competition Bureau consider an “inaccurate” or “false” COVID-19-related claim, and that it has clearly laid out what the consequences of making such a claim in association with a given product can be. However, whether a COVID-19-related claim is appropriate will depend on many factors, such as the exact wording of the claim and the exact nature of the product. Our intellectual property team would be happy to help you with any questions you may have regarding what COVID-19-related claims, if any, you should use on your products, as well as any other legal requirements that must be met before a specific product can be sold in Canada. https://www.canada.ca/en/competition-bureau/news/2020/05/competition-bureau-cracking-down-on-deceptive-marketing-claims-about-covid-19-prevention-or-treatment.html https://www.canada.ca/en/health-canada/services/drugs-health-products/covid19-industry/health-product-advertising-incidents.html https://www.canada.ca/en/health-canada/services/drugs-health-products/disinfectants/covid-19.html https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/03133.html

In the recent decision in Agracity Ltd. v. The Queen1, the Tax Court of Canada (the “Court”) endorsed the Canadian tax consequences of business transactions between a Canadian corporation (“Agracity”) and its Barbados affiliate (“NewAgco-Barbados”) within a group of companies operating in the agrochemical industry (the “Group”). NewAgco-Barbados is an offshore company established for the purpose of negotiating and purchasing a particular herbicide (the “Herbicide”) internationally for resale in Canada. All of NewAgco-Barbados’s profits were generated by the resale of the Herbicide, which were subject to Barbados’s low tax rate. Agracity was in charge of receiving and filling orders for the Herbicide from Canadian consumers, under a service agreement with NewAgco-Barbados for the logistics, storage and transportation of the Herbicide from abroad to Canadian consumers. The Canada Revenue Agency (the “CRA”) attempted to allocate all of NewAgco-Barbados’s profits to Agracity, relying primarily on sham transaction rules and secondarily on transfer pricing rules under subsection 247(2) of the Income Tax Act2 (the “Act”). The Court held that the negotiation and procurement of the Herbicide by NewAgco-Barbados constituted a legitimate commercial objective and a genuine function within the Group. It ruled in favour of Agracity in this case and confirmed that the transactions between Agracity and NewAgco-Barbados were not deceptive and did not warrant any adjustment to Agracity’s profits under transfer pricing rules. This case sheds new light on how to interpret the business role of foreign subsidiaries and the limits of the CRA’s remedial authority with respect to transfer pricing provided for in the Act, making it easier for domestic businesses to implement international business structures. When properly set up and operated, these structures can provide substantial tax savings.  The decision in Agracity v. The Queen has not been appealed. Our taxation team can assist you with national and international tax planning for your business transactions.   2020 CCI 91 R.S.C. 1985, c. 1 (5th suppl.);

As distribution channels with a global reach, websites are a powerful tool for doing business, and during the pandemic, they even play a critical role. A website consists of a set of webpages accessible from an address hosted on a server through the internet or an intranet. A website is a collection of various elements protected by intellectual property laws. We will focus on the following: Copyright It protects an original work (i.e., the author’s own creative work), insofar as it involves the exercise of skill and judgment. This exclusive right allows the owner to produce or reproduce the work in any material form, to perform, represent or publish it, and to exercise other exclusive rights. A website may include the following works: the content of screen page, graphic designs, animation, texts, still and animated images, sounds, databases (which comprise a collection of works, data or other independent elements), software, as for example the ones relating to the creation, operation and launch of the website, computer programs, photographs, cartoons, videos. Ownership of Copyright Copyright is the author’s property, unless the author (i) has assigned his or her right, or (ii) has created the work in the course of his or her employment, in which case the copyright belongs to the employer. It is important to identify the various copyright owners of the works appearing on a website. If a company mandates an external firm to develop a website (website developer), the company will not immediately own the copyright to the website. A development contract entered into with a website developer will usually include a provision regarding the ownership of copyright. It is often provided that the assignment of intellectual property rights to the client who has commissioned a website will take place after payment for said website has been made in full. This poses a problem when the website developer does not complete the website or when a dispute arises over the course of the mandate. Stock Photos Generally speaking, websites that offer photographs do not transfer the copyright of the photographs to the users. They grant a licence to use (a right to use) for a limited time and for a specific purpose. The conditions of these licences must therefore be read carefully. Assignment of Rights An assignment must be in writing in order to transfer the copyright to the company that commissioned the website. Moral Rights Moral rights allow the author or performer (even if he or she is not the copyright owner) to: Claim authorship of the work; Claim respect for the integrity of the work (to protect the work against distortion, mutilation or modification or to prevent use that prejudice the honour or reputation of the author or performer or if the work is associated with a product or service without the consent of the author or performer). Recognition of Copyright in Other Countries Given that Canada is a party to the Berne Convention, copyright owned by a Canadian national, such as a company incorporated in Canada or a Canadian citizen, is recognized in other countries members of the Convention , and said copyright need not be registered in those other countries to acquire rights. In Canada, copyright registration is not mandatory, but it does give rise to a presumption of law that it is advisable to register, at the very least, for works that are important to the business, in order to more effectively  act against  infringement. Copyright infringement is the reproduction of an entire protected work or any substantial part of it without permission. In the same manner that website contents owned by the copyright owner may not be copied without permission, one must ensure that he or she does not import or publish on his or her website any work protected by copyright without first obtaining permission. Domain Name Some domain names are protected by trademark laws, and some are not. This depends on the nature of the domain name and the use made of it. Merely registering a domain name does not create a right that could prohibit the use of a conflicting domain name or trademark. Using a distinctive domain name could confer upon its owner the right to oppose the subsequent use by third parties of a confusing domain name, trademark or trade name. Effective domain name arbitration mechanisms exist for .com and for .ca in the event of misappropriation of a conflicting domain name. Trademark A website owner using a trademark on his or her website in order to identify his or her products or services should protect said trademark by registration. Without listing all the benefits of registering a trademark, suffice it to say that registering one’s rights is significantly less costly than trying to recover said rights once they have been appropriated by a third party. The trademark owner may oppose any confusing third party’s trademark, trade name or domain name (the test of confusion takes into account various factors) if his or her rights precede those of the other. In the case of unauthorized appropriation of a third party’s logo or figurative mark, the owner may, in many cases, not only invoke trademark infringement but also copyright infringement. Right to One’s Image and Privacy The Civil Code of Québec provides that every person is the holder of personality rights, such as the right to life, the right to the inviolability and integrity of his person, and the right to the respect of his name, reputation and privacy. Similar provisions exist in other legislation, such as the Quebec Charter of Human Rights and Freedoms and the Canadian Charter of Rights and Freedoms. The law is similar in other Canadian provinces, and comparable legislation exists in various countries around the world. Thus, as a general rule, a website owner may not: (i) Publish, for example, a photograph or image of a person without that person’s consent. This rule must be weighed against the rule relating to public interest in the right to freedom of expression and the right to information; (ii) Damage a person’s reputation; (iii) Imply or suggest that a person endorses a product or service without that person’s consent. The Civil Code of Québec further provides that the use of a person’s correspondence, manuscripts or other documents without his or her consent constitutes an invasion of his or her privacy. Trade Secret Various components of a website may be protected by trade secret if a confidentiality agreement was signed and the information remains secret. This could be the case with the website coding.   Many people have preconceived ideas about intellectual property in the world of e-commerce. Often, they wrongly assume that since they commissioned their website, they own its intellectual property rights or that they can post a photo of a product copied from another website without authorization because they sell the product. Although it is easy, fast and free to access, a website is governed by a legal framework regarding intellectual property, with which website operators must comply. We did not cover the wide array of rights that are involved in a website in just a few lines. For example, for some websites, there may be patent and industrial design issues to deal with. All these legal considerations are not self-evident. Several rules must be followed to avoid engaging in illegal practices, to avoid the unpleasant surprise of discovering that you do not own the intellectual property rights to parts or all of the website, and to avoid facing threats of legal action for violating the rights of third parties. Furthermore, all the work invested in the creation and operation of the website may not provide any additional value to your company if the intellectual property rights have been neglected, even though in many cases it is a significant asset to the company. It is important to become familiar with these rules, protect your rights and resolve legal pitfalls-ideally before launching a website. If the issue of intellectual property rights is only addressed after launching the website, there may still be time to seek protection or to attempt to overcome legal problems.  Whether the website is already online or is about to be launched, an audit should be carried out to determine the situation and, if necessary, obtain protection, sign contracts and find solutions to problems that could lead to illegal or disadvantageous situations.