Setting the Record Straight: 32 Questions and Answers on C-32's Digital Lock Provisions, Part One

The digital lock provisions have quickly emerged as the most contentious part of Bill C-32, the new copyright bill.  This comes as little surprise, given the decision to bring back the digital lock approach from C-61 virtually unchanged. The mounting public concern with the digital lock provisions (many supporters of the bill have expressed serious misgivings about the digital lock component) has led to many questions as well as attempts to characterize public concerns as myths.  In an effort to set the record straight, I have compiled 32 questions and answers about the digital lock provisions found in C-32.  The result is quite lengthy, so I will divide the issues into five separate posts over the next five days: (1) general questions about the C-32 approach; (2) the exceptions in C-32; (3) the missing exceptions; (4) the consumer provisions; and (5) the business provisions.  For those that want it all in a single package, I've posted the full series as a PDF download.

Before getting into the 32 questions, it is worth answering the most basic question – what are anti-circumvention or digital lock provisions?  The short answer is that they are provisions that grant legal protection to technological protection measures (TPMs).  In plainer English, traditional copyright law grants creators a basket of exclusive rights in their work.  TPMs or digital locks (such as copy-controls on CDs, DVDs, or e-books) effectively provide a second layer of protection by making it difficult for most people to copy or sometimes access works in digital format.  Anti-circumvention legislation creates a third layer of protection by making it an infringement to simply pick or break the digital lock (in fact, it even goes further by making it an infringement to make available tools or devices that can be used to pick the digital lock).  Under Bill C-32, it would be an infringement to circumvent a TPM even if the intended use of the underlying work would not constitute traditional copyright infringement.

The C-32 Approach

This section features answers to the following questions:

  • Isn't the C-32 digital lock approach simply the required implementation to comply with the WIPO Internet treaties?
  • Penalties are reduced for individuals who circumvent for personal purposes.  Doesn't this solve the problem?
  • The digital lock provisions in C-32 appear to distinguish between copy controls and access controls.  Isn't that enough to address concerns about the bill's impact on fair dealing?
  • Are the digital lock provisions in C-32 constitutional?
  • Is it true that C-32 requires teachers and students to destroy some digital lessons 30 days after the course concludes?
  • Is it true that C-32 requires librarians to ensure that inter-library digital loans self-destruct within five days of first use?
  • The U.S. has a regular review of new exceptions every three years.  Does Canada plan the same?

Isn't the C-32 digital lock approach simply the required implementation to comply with the WIPO Internet treaties?

No.  The WIPO Internet treaties require that countries provide legal protection for digital locks, but leave considerable flexibility in how this requirement is implemented.  The U.S. has promoted its particular approach (as found in the DMCA and now in C-32) since before the treaty was even concluded, yet consensus in establishing the treaty was only achieved by adopting far more flexible language.

On the issue of legal protection for digital locks, the treaties require countries to provide "adequate legal protection and effective legal remedies" for technological protection measures.  The U.S. initially proposed:

(1) Contracting Parties shall make unlawful the importation, manufacture or distribution of protection-defeating devices, or the offer or performance of any service having the same effect, by any person knowing or having reasonable grounds to know that the device or service will be used for, or in the course of, the exercise of rights provided under this Treaty that is not authorized by the rightholder or the law.

(2) Contracting Parties shall provide for appropriate and effective remedies against the unlawful acts referred to in paragraph (1).

This language did not achieve consensus support with many proposed changes.  A compromise position was ultimately reached using the "to provide adequate legal protection and effective legal remedies" standard.  Not only does this language not explicitly require a ban on the distribution or manufacture of circumvention devices (ie. software programs used to circumvent digital locks), it is quite obvious that the intent of the negotiating parties was to provide flexibility to avoid such an outcome.

U.S. law professor Pam Samuelson chronicles precisely what happened in her 1997 law review article, The U.S. Digital Agenda at the World Intellectual Property Organization:

At the diplomatic conference, there was little support for the Committee's proposed language on circumvention technologies. Some countries opposed inclusion of any anti-circumvention provision in the treaty.  Others proposed a "sole purpose" or "sole intended purpose" standard for regulating circumvention technologies. Some wanted an explicit statement that carved out circumvention for fair use and public domain materials.  The E.U. offered a proposal that would have required contracting parties to adopt adequate and effective legal measures to regulate devices and services intended for technology-defeating purposes.

Facing the prospect of little support for its proposal or the Committee's draft anti-circumvention provision, the U.S. delegation was in the uncomfortable position of trying to find a national delegation to introduce a compromise provision brokered by U.S. industry groups that would simply have required contracting parties to have adequate and effective legal protection against circumvention technologies and services.  In the end, such a delegation was found, and the final treaty embodied this sort of provision as Article 11.

This was, of course, a far cry from the provision that the U.S. had initially promoted. Still, it was an accomplishment to get any provision in the final treaty on this issue. The inclusion of terms like "adequate" and "effective" protection in the treaty will mean that U.S. firms will be able to challenge national regulations that they deem deficient.

In the years since the treaty was concluded, the U.S. and a handful of supporters have argued strenuously that countries should ignore the compromise language and adopt the U.S. approach. Yet some countries have rejected that advice – Canada's own bill C-60 adopted a flexible approach, as does the most recent copyright reform bill from India.  New Zealand's law features many differences from the U.S. model and dozens of countries have added exceptions and changes to the basic U.S. approach.  In fact, the reality is that of the 88 states that have ratified the WIPO Internet treaties, fewer than half have adopted the U.S. model.

When the U.S. was in the process of implementing the WIPO Internet treaties into what became the DMCA, officials acknowledged the flexibility that exists in the treaty.  Marybeth Peters, the U.S. Register of Copyrights, said in testimony before the House Judiciary Committee on 16 Sept. 1997:

"Some have urged that the legislation not address the provision of products or services, but focus solely on acts of circumvention. They state that the treaties do not require such coverage, and argue that devices themselves are neutral, and can be used for either legitimate or illegitimate purposes. It is true that the treaties do not specifically refer to the provision of products or services, but merely require adequate protection and effective remedies against circumvention. As discussed above, however, the treaty language gives leeway to member countries to determine what protection is appropriate, with the question being whether it is adequate and effective."

And, later in the same testimony, the clearest statement: "the treaties do not specifically require protection for access controls in themselves."

Applied to C-32, the current bill goes far beyond what is strictly required to be compliant with the WIPO Internet treaties.  A more flexible, balanced implementation would still be WIPO compliant, provide protection for businesses seeking to use DRM, and maintain the copyright balance.

Penalties are reduced for individuals who circumvent for personal purposes.  Doesn't this solve the problem?

No.  First, claims that reduced penalties remove the impediment to Canadians circumventing digital locks for personal purposes assume that concern for statutory damages is the primary motivator for a particular action.  I disagree. In the education world, teachers and students will not break the lock because academic guidelines will make it clear that they can't.  Similarly, research will also be stifled in the same way since researchers sign ethics documents when they apply for grants stating that their research plan is compliant with all laws.  They can't sign the document in this situation, regardless of the likelihood of damages.

Second, C-32 also makes the distribution and marketing of devices (ie. software) used to circumvent illegal.  This suggests it will be more difficult to get those tools (and perhaps risky), so the notion that people will circumvent in light of lower penalties is undermined by the underground nature of being able to do so.

Third, from a bigger picture perspective, rights holders have been complaining for years that the public does not respect copyright.  This bill is an attempt to revive respect for copyright by having the law better reflect current norms (and therefore make it more respectable).  However, you do not build respect for copyright by creating provisions that outlaw something but have the government indirectly say it is acceptable to violate its new rule.  C-32 should craft rules that generate support and acceptance in the public and thereby build support and acceptance for copyright more broadly.

The digital lock provisions in C-32 appear to distinguish between copy controls and access controls.  Isn't that enough to address concerns about the bill's impact on fair dealing?

No.  The distinction in one section of Bill C-32, which was also contained in C-61, does not address the fair dealing concerns in the bill.  First, the distinction between access controls (access to the work itself) and copy controls (copying the work) is a distinction without a difference for many of today's TPMs.  The digital locks used by Amazon or Apple on e-books or the TPMs on DVDs are both access and copy controls.  In order to effectively circumvent to be able to copy, you have to circumvent access.  The locks often permit access for some uses, but not others.  In other words, Canadians will often need to circumvent access to get to the copying and therefore will still be infringing under the law.

Moreover, even if a consumer could distinguish between access and copy controls, the tools themselves that would be used to circumvent for copy purposes cannot be lawfully marketed or distributed.  The notion that it is permissible to circumvent for copying but that the software needed to do so can't be distributed demonstrates how this distinction makes no real difference.

Finally, many of the other new exceptions – format shifting, time shifting, and backup copies – are covered by all digital locks, including both access and copy controls.

Are the digital lock provisions in C-32 constitutional? 

Possibly not.  The constitutionality of digital lock legislation has been examined in two articles by Canadian law professors.  Both conclude that the provisions are constitutionally suspect if they do not contain a clear link to conventional copyright law.  Their reasoning is that the constitution grants jurisdiction over copyright to the federal government, but jurisdiction over property rights is a provincial matter.  Digital lock legislation that is consistent with existing copyright law – ie. one that factors in existing exceptions – is more clearly a matter of copyright.  The C-32 provisions are arguably far more about property rights since the provisions may be contained in the Copyright Act, but they are focused primarily on the rights associated with personal property.

My colleague Jeremy deBeer conducted a detailed analysis of this issue in his article, Constitutional Jurisdiction over Paracopyright Laws.  Many of his arguments were echoed in a 2009 article published in the Journal of Information Law and Technology by Professor Emir Aly Crowne-Mohammed and Yonatan Rozenszajn, both from the University of Windsor, which concluded that the anti-circumvention provisions found in Bill C-61 were unconstitutional.  The authors argue that the DRM provisions were "a poorly veiled attempt by the Government to strengthen the contractual rights available to copyright owners, in the guise of copyright reform and the implementation of Canada’s international obligations. Future iterations of Bill C-61 that do not take the fair dealing provisions of the Copyright Act (and the overall scheme of the Act) into account would also likely to fail constitutional scrutiny."

Is it true that C-32 requires teachers and students to destroy some digital lessons 30 days after the course concludes?

Yes.  Bill C-32 requires teachers that utilize a new educational exemption to destroy the lessons that they have created for their courses within one month of the conclusion of the course.  Teachers must recreate the lessons each year, which obviously establishes a strong incentive to run as far away as possible from these new "rights."

Is it true that C-32 requires librarians to ensure that inter-library digital loans self-destruct within five days of first use?

Yes.  While moving toward digital interlibrary loans has obvious advantages (speed and cost being at the top of the list), Bill C-32 forces libraries to implement DRM-based solutions.  The requirements for legal digital interlibrary loans include limits on further copying and distribution that go far beyond what is necessary (they are presumably a response to the unlikely scenario that only a single Canadian library will purchase the copy of a work and use digital distribution to cover the rest of the country).  Even worse is the requirement to destroy the digital copy within five days of first use.  There are no similar requirements for paper-based copies of works and it makes no sense to force libraries to install DRM protections on digital copies to create time-limited uses.

The U.S. has a regular review of new exceptions every three years.  Does Canada plan the same?

No.  The U.S. DMCA experience leaves little doubt that the introduction of anti-circumvention legislation will create some unintended consequences.  No matter how long the list of circumvention rights and other precautionary measures, it is impossible to identify all future concerns associated with anti-circumvention legislation.  The U.S. DMCA addresses this by establishing a flawed tri-annual review process.  The system has not worked well, creating a formidable barrier to new exceptions and long delays to address emerging concerns.

As bad as the U.S. system is, the proposed Canadian system under Bill C-32 is worse since there is no mandated review of the exceptions at all.  Instead, Canada gets a flexible process that will allow the government to consider new exceptions if and when it sees fit.  In other words, the same government that brought you the Canadian DMCA will decide if there is a need to add any exceptions. If Canada establishes anti-circumvention legislation, it should also establish an impartial process that will enable concerned parties to raise potential new circumvention rights without excessive delay.  The process must be fast, cheap, and easily accessible to all Canadians.  Bill C-32 establishes the criteria for the introduction of new circumvention rights but fails to implement an administrative structure to conduct the reviews.

Clement’s Tweeting on C-32: A New Kind of Public Engagement

While there are critics of C-32, everyone should be willing to give props to Industry Minister Tony Clement for his tweeting on the bill.  Soon after the usual press conference, Clement began responding directly to public tweets asking questions about the bill.  He thanked the public for positive and negative feedback and answered questions on unlocking cellphones, format shifting CDs, copying DVDs, and statutory damages. This form of direct engagement with the public on government policy is something worth noting as it sets a benchmark for others to follow.

“We Don’t Care What You Do, As Long as the U.S. Is Satisfied”

David Akin has pointed to a new paper from Blayne Haggart, a doctoral student at Carleton who is focusing on copyright policy in Canada, the U.S., and Mexico.  The paper, being presented this week in Montreal, includes some interesting analysis of digital copyright reforms in each country.  Given today's introduction of the copyright reform bill, of particular significance are comments Haggart obtained from Michele Austin, who served as Maxime Bernier's chief of staff when he was Industry Minister. 

According to Austin, the decision to introduce U.S.-style DMCA rules in Canada in 2007 was strictly a political decision, the result of pressure from the Prime Minister's Office and its desire to meet U.S. demands.  She states, "the Prime Minister's Office's position was, move quickly, satisfy the United States." When Bernier and then-Canadian Heritage Minister Bev Oda protested, the PMO replied "we don't care what you do, as long as the U.S. is satisfied."

This mandate will not come as a huge surprise to anyone who has followed the issue, but it still shocks to see it presented in such stark terms.  Given the strong public opposition to the anti-circumvention provisions in C-61, the thousands of Canadians who spoke out against the U.S. approach during the copyright consultation, and even Industry Minister Tony Clement's reported support for a more flexible approach, it would appear that the PMO's decision to side with Canadian Heritage Minister James Moore in requiring strict anti-circumvention rules reflects a long-term decision to prioritize U.S. interests on copyright ahead of the national interest.  The decision is particularly discouraging since it is unnecessary – a compromise could be struck that provides legal protection for digital locks, is WIPO compliant, and preserves the copyright balance.

Update: The NDP runs a "reality check" that highlights the Haggart article.

An Unofficial User Guide to This Afternoon’s Copyright Bill

With the copyright bill – Bill C-32 – being introduced this afternoon, it is worth noting that my technology law column last week (Toronto Star version, homepage version) focused on some of the key issues likely to find their way into the bill.  The column noted the internal dynamics that led to the bill are by now fairly well known.  Industry Minister Tony Clement, emboldened by last summer’s copyright consultation that generated unprecedented public participation, argued for a forward-looking, technology neutral bill with flexibility as a core principle.  Canadian Heritage Minister James Moore advocated for a U.S.-style protectionist approach, with priority given to digital locks that can be used to limit copying, access, and marketplace competition.

With the active support of Prime Minister Stephen Harper, Moore won the fight over digital locks and the new bill will feature provisions certain to please the U.S. government and lobby groups.  Yet the bill will include far more than just tough legal protection for digital locks.

This brief unofficial user's guide to the new legislation focuses on three key issues – fair dealing, Internet provider liability, and digital locks (Internet downloading is unlikely to figure prominently in the bill).

First, the bill is certain to include a handful of changes to the current fair dealing provision. The Supreme Court of Canada has ruled that Canada's fair dealing provision – which is similar though not identical to fair use in the U.S. – must be interpreted in a broad and liberal manner. Yet the law currently includes a limited number of categories (research, private study, criticism, news reporting, and review) that render many everyday activities illegal.

During the copyright consultation, many Canadians called for the introduction of a flexible fair dealing provision that would legalize many common activities.  This is an issue that touches everyone.  Creators would benefit from a parody and satire exception. Consumers would benefit from exceptions for recording television shows or changing the format of content they have purchased. Educators would benefit from exceptions to cover teaching activities and distance education.

Sources say the government has rejected the flexible fair dealing approach, but that new exceptions will make their way into the bill.  The scope of the exceptions – the last bill contained 12 conditions in order to legally record a television show – will go a long way to determining whether the bill tries to strike a balance between competing copyright interests.

Second, the bill will address the responsibility of Internet intermediaries such as Internet providers and search engines for the activities of their users and subscribers.  The past two copyright bills both struck a reasonable compromise by adopting an approach that gave copyright holders the ability to warn users about alleged infringements, but protected the privacy and free speech rights of the public.  The bill will likely adopt the same system once again, which should garner support from across the spectrum.

Third, the bill will include digital lock provisions, known as anti-circumvention rules.  These rules, which will allow Canada to implement international copyright treaties it signed over ten years ago, were the most-discussed issue during the consultation.  Thousands of Canadians argued that Canada should adopt a flexible implementation that renders it illegal to “pick a digital lock” for the purposes of copyright infringement, but preserves the right to do so for legal purposes.

Sources say the government has rejected the flexible approach in favour of the U.S.-style ban on circumvention (subject to a handful of limited exceptions).  If true, the problem with the approach is that it undermines both the new and existing exceptions.  For millions of Canadians, that means that their user rights will be lost whenever a digital lock is present including for CDs, DVDs, electronic books, and many other devices.  In the process, the balance will tilt strongly away from consumers and their property rights over their own purchases.

Copyright Bill on Notice Paper as Ministers Emphasize Balance, Modernization

The government has placed the forthcoming copyright bill on the Notice Paper, which means that the bill could be introduced as soon as tomorrow.  The campaign to support the bill has also begun, with an op-ed in today's National Post jointly authored by Industry Minister Tony Clement and Canadian Heritage Minister James Moore.  The op-ed throws out lots of statistics about the digital and cultural economies and tries to make the case that it has been years since the last update (it references how the current bill is more than 80 years old, but then states that at the last update Canadians used CD players, pagers, and Sega Genesis – not exactly an eternity given that many still use CD players and pagers).

A word cloud of the op-ed would focus primarily on two words – balance and modernization.  Both words appear repeatedly in the piece, with the Ministers emphasizing that the bill will be balanced and that modernizing the law is long overdue.  This suggests that the C-61 communication line of "made in Canada" has been dropped, which makes sense given the digital lock provisions will reflect a made-in-the-USA approach.

Security Breach Disclosure Bill Has Bark But No Bite

Last week Industry Minister Tony Clement unveiled two bills touted as important components of the government’s national digital strategy.  The Fighting Internet and Wireless Spam Act is a repeat of the anti-spam bill that passed through the House of Commons last year but died after Parliament prorogued.  Since the new bill reflects roughly the same compromise that garnered all-party support, it should receive swift passage.

My weekly technology law column (Toronto Star version, homepage version) argues that the second bill, the Safeguarding Canadians' Personal Information Act, is likely to be far more controversial.  The bill amends Canada’s existing privacy legislation by establishing new exceptions for businesses and new powers for law enforcement.

The centrepiece is a long overdue security breach disclosure requirement. Over the past seven years, virtually every U.S. state has enacted disclosure rules that compel organizations that suffer a security breach that places personal information at risk to promptly disclose that fact to the affected individuals.  By mandating notification, the laws ensure that individuals are better able to guard against identity theft by closely monitoring their credit card bills, bank accounts, and credit reports for any unusual activity.

From a business perspective, the laws create a strong incentive to protect personal information since the notification process is both expensive and embarrassing.  Moreover, the laws have persuaded some organizations to rethink the amount of personal information they retain, since mounting data collection and retention increases the damaging consequences of a security breach.

The Canadian proposal establishes two requirements.  First, businesses are required to report a "material breach of security safeguards involving personal information under its control" to the Privacy Commissioner.  The business determines whether the breach meets this standard by assessing the sensitivity of the information, the number of individuals affected, and whether there is a systemic security problem.

Second, businesses are required to notify individuals affected by the breach "if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual."  The business makes its own determination of whether there is a real risk by considering the sensitivity of the information and the probability that the personal information will be misused.

While the bill is better than the current situation where there is no security breach disclosure requirement, it falls far short of the rules found elsewhere.  The government’s proposal sets a very high threshold for disclosure of a breach and contains no clear penalties for non-disclosure.

By comparison, the California law establishes a threshold of whether an unauthorized person acquired the information, not whether there is real risk of significant harm (other states merely require harm, not significant harm).  Moreover, the California law requires disclosure in the most expedient time possible and without unreasonable delay – far quicker than the Canadian plan.

Some states also establish tough penalties for failure to promptly notify.  For example, Florida's law provides for penalties of up to US$500,000 for failure to notify affected individuals and up to US$50,000 for failure to document non-notifications of security breaches.

Security breach disclosure was widely recognized as a major hole in the Canadian law framework, yet this proposal is a disappointment that falls short of striking the right balance between protecting Canadians, encouraging appropriate safeguards of personal information, and guarding against overwhelming Canadians with too many notices.

In fact, with no penalties for failure to notify security breaches, the provisions may do more harm than good.  If it becomes law, Canadians will expect to receive notifications in the event of a breach, but companies may err on the side of not notifying, safe in the knowledge that there are no established financial penalties for failing to do so.

Copyright Week in Canada: Bill Coming Thursday as Conservatives Indicate Openness to Amendments

This is copyright week in Canada as multiple reports indicate that the long-awaited copyright bill will be tabled on Thursday.  The recent round of reports is noteworthy for several reasons.  First, they confirm earlier reports that the government plans to introduce DMCA-style anti-circumvention legislation.  This suggests that the digital lock provisions that were the source of enormous public outrage (and the dominant issue during last summer's copyright consultation) will remain largely unchanged from Bill C-61 and will unquestionably be the most hotly debated aspect of the bill.

Second, the reports also drop hints of other aspects of the bill.  While I previously reported there will be no flexible fair dealing provision, the reports indicate that there will be some changes to fair dealing.  This comes as little surprise, given that C-61 included provisions on time shifting and format shifting.

Third, the government is increasingly turning its attention to what comes after the bill is introduced.  The Canadian Press reports that the government is planning to pressure the opposition parties to hold summer hearings in an effort to fast-track the bill through the House of Commons.   While this raises concern for many groups who may face challenges participating in summer hearings (and the hearings themselves risk becoming abbreviated as MPs cut the process short to get back to their constituencies), Industry Minister Tony Clement has also indicated that the government is open to compromise:


“I’m not coming down from the mountain with this chiselled in stone. This bill may have elements in it where we could seek some consensus and there could be some positive amendments to this bill. That’s certainly in the realm of possibility too, and let the process begin.”

These comments make it absolutely crucial for Canadians to take stock of the bill once introduced and to ensure that their voices are heard.  As I argued in my recent Hill Times piece, there is room for compromise on anti-circumvention legislation in the form of a provision confirming that circumvention of a digital lock is not prohibited when undertaken for lawful purposes.  This would be consistent with the WIPO Internet treaties and a previous Canadian bill (Bill C-60).

DMCA-Style Reforms: “Not a Reasonable Policy To Foster Innovation or Respect for …

Canwest's Sarah Schmidt features a terrific story in which Industry Minister Tony Clement admits that he has infringed copyright in loading songs onto his iPod.  Like many Canadians, Clement says that he shifted many CDs to his iPod, which now contains over 10,000 songs.  What makes the article noteworthy is not the acknowledgement of infringement – Canadian Heritage Minister James Moore admitted infringing activity in using his PVR last year – but rather the focus on the need to update copyright law by legalizing activities that most Canadians view as perfectly acceptable.  Notes Clement:

"Well you see, you know I think I have to admit it probably runs afoul of the current law because the current law does not allow you to shift formats. So the fact of the matter is I have compact discs that I've transferred, I have compact discs from my children or my wife that I've transferred onto my iPod. None of that is allowable under the current regime. It shows that the current regime is not realistic and is not modern to encompass how people obtain their entertainment in today's world. That's what happens in a family. You do tend to share music that way and I think most people would find that to be perfectly acceptable behaviour. But our current law is so antiquated, it doesn't contemplate that situation."

While Clement clearly envisions updating the law, the article rightly notes that the addition of time shifting or format shifting (which would legalize recording television shows or shifting CDs to an iPod) could still be dependent on the absence of any digital locks.  As I discussed earlier this week in my seven questions for Moore, the presence of a digital lock on a CD, DVD, electronic book, or other device trumps fair dealing rights.  NDP MP Charlie Angus picks up on this issue:

"It's the issue that digital locks supersede everything else. You can provide any other kind of copyright protection guarantees for us to back up, and for research or study, but if there's a digital lock on it, then you get treated the same as an international bootlegger counterfeiter. That's just simply not a reasonable policy to foster innovation or to foster respect for copyright."

C-29: The Anti-Privacy Privacy Bill

Industry Minister Tony Clement introduced two bills yesterday – the Fighting Internet and Wireless Spam Act (C-28) and the Safeguarding Canadians' Personal Information Act (C-29).  I have spoken positively about C-28 (here, here, and here), which is long overdue and should receive swift passage.  By contrast, C-29 is a huge disappointment.  The bill is also long overdue as it features the amendments to Canadian private sector privacy law from a review that began in 2006 and concluded with a report in 2007.

Just over three years later, the government has introduced a bill that does little for Canadians' privacy, while providing new exceptions for businesses and new powers for law enforcement (David Fraser has helpfully created a redline version of PIPEDA with the proposed changes).  The centrepiece of the bill is a new security breach disclosure provision, but the requirements are very weak when compared with similar laws found elsewhere.  In fact, with no penalties for failure to notify security breaches, the provisions may do more harm than good since Canadians will expect to receive notifications in the event of a breach, but companies may err on the side of not notifying (given the very high threshold discussed below) safe in the knowledge that there are no financial penalties for failing to do so.


The New Business Exceptions

The business exceptions address several issues:

  1. The bill changes the definition of business contact information (which is not treated as personal information) by expressly including business email addresses.  This overturns a successful complaint I filed years ago against the (now defunct) Ottawa Renegades over their use of my email address.  The change further confirms that PIPEDA cannot be used in spam cases, but C-28 should provide far more effective tools. 
  2. The bill establishes a new prospective business transaction exception that permits use and disclosure of personal information in various business transactions.  The provision creates some limits on the use of the information, but is designed to address concerns from the business community that PIPEDA could create barriers to mergers and acquisitions as well as other transactions.
  3. The bill creates a new exception for the collection, use, and disclosure of personal information contained in a witness statement related to an insurance claim.
  4. The bill creates a new work product exception for the collection, use, and disclosure of information produced by an individual in the course of employment.  There is also an exception for the employer collection, use, and disclosure of employee information to "establish, manage or terminate an employment relationship."
  5. The bill creates a new exception for businesses that voluntarily disclose personal information to other organizations for the investigation of the breach of an agreement that has been, is being, or is about to be committed.  This exception also extends to disclosure to "prevent, detect or suppress fraud."

Law Enforcement Provisions

Law enforcement also benefits from new provisions, which could have a significant impact on businesses and individual Canadians.

  1. The bill purports to clarify "lawful authority" (i.e., disclosure to lawful authority without a court order), but as David Fraser notes, it really doesn't clarify much of anything.  Rather, it encourages disclosures without court oversight by confirming that businesses are not required to verify the validity of the lawful authority.
  2. Once a business has disclosed personal information to law enforcement, the bill includes a provision blocking it from disclosing the disclosure to the affected individual.  This USA Patriot Act-like provision includes detailed rules on how such disclosures can occur, including mandatory delays and government notifications.  In other words, once a business has disclosed personal information, the bill strongly encourages it to keep its proverbial mouth shut.

Security Breach Disclosure

As for individuals, there is a notable clarification of the meaning of consent, but the big addition is the creation of a security breach disclosure requirement.  Unfortunately, the proposed approach is extremely weak when compared with similar statutes elsewhere.  The security breach requirements include:

  • A requirement to report a "material breach of security safeguards involving personal information under its control" to the Privacy Commissioner.  The organization determines whether the breach is material, having regard to the sensitivity of the information, the number of individuals affected, and whether there is a systemic problem.
  • A second requirement to report to individuals affected by the breach "if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual."  The organization makes its own determination of whether there is a real risk, having regard to the sensitivity of the information and the probability that the personal information has been, is being, or will be misused.  The notification must be given "as soon as feasible."  Notifications may also go to other organizations if doing so may reduce the risk of harm.

While this is better than the current situation where there is no security breach disclosure requirement, it is far less than the rules found elsewhere.  This proposal sets a very high threshold for disclosure, contains no clear penalties for non-disclosure, and does not feature a private right of action that might be used by individuals to further encourage compliance. 

By comparison, the California law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person.   In other words, the only threshold is whether an unauthorized person acquired the information, not whether there is real risk of significant harm (other states merely require harm, not significant harm).  Moreover, the California law requires disclosure in the most expedient time possible and without unreasonable delay – far quicker than the Canadian proposal.

Some states also establish tough penalties for failure to promptly notify.  For example, Florida's law provides for penalties of up to $500,000 for failure to notify and up to $50,000 for failure to document non-notifications of security breaches.  Michigan's penalties run up to $750,000.  Moreover, some states (such as Louisiana and New Hampshire) establish private rights of action that provide for civil actions to recover actual damages sustained by individuals in cases of security breaches.  Proposed language in Canada from the Uniform Law Conference of Canada's model data breach notification statute also envisions penalties for non-compliance (though it also includes a "significant harm" threshold).

Security breach disclosure was widely recognized as a major hole in the Canadian law framework, yet this proposal is a major disappointment that falls far short of striking the right balance between protecting Canadians, encouraging appropriate safeguards of personal information, and guarding against overwhelming Canadians with too many notices. When combined with the rest of the bill – which includes new exceptions for work product and new barriers to disclosing disclosures, and which further encourages disclosures without court oversight – C-29 does not do nearly enough to advance the Canadian privacy law framework in a manner that actually protects personal privacy.

Seven Copyright Questions for Canadian Heritage Minister James Moore

My op-ed in this week's Hill Times (HT version (sub req), homepage version) notes that with reports that a new copyright bill could be introduced this week, thousands of Canadians have been expressing concern with the government's plans, as there are mounting fears that the results from last summer's copyright consultation may be shelved in favour of a repeat of the much-criticized Bill C-61.  

The foundational principle behind C-61 was the primacy of digital locks. When a digital lock (often referred to as digital rights management or a technological protection measure) is used – to control copying or access, or to stifle competition – the lock supersedes virtually all other rights.  The fight over the issue has pitted the tech-savvy Industry Minister Tony Clement, who has reportedly argued for a flexible implementation, against Canadian Heritage Minister James Moore, who has adopted what many view as an out-of-touch approach that would bring back the digital lock provisions virtually unchanged.

Moore has declined to comment on his position, but his approach raises some difficult questions:

1.  Moore has been an outspoken critic of the extension of the private copying levy to iPods, deriding it as the iTax.  He is content to leave the levy on blank CDs in place, yet the forthcoming bill is likely to block personal copying of consumer purchased CDs that contain copy-controls onto blank CDs.  Why does Moore believe it is acceptable for Canadians to pay twice – once for the CD and a second time for the levy on a blank CD – and still face the prospect of violating the law?

2.  Thousands of Canadians buy DVDs from outside the country as they seek content not typically available at home.  Yet DVDs purchased in Europe, Asia, or South America do not work on Canadian DVD players.  The forthcoming bill is likely to block attempts to circumvent the region coding on DVDs and thereby stop Canadians from legally viewing DVDs they have purchased. Is this consistent with Moore's pro-consumer position in other areas?

3.  Documentary film makers and visual artists often use small clips from DVDs in their art.  The use of those works without permission is currently permitted through the criticism and review sections of the fair dealing provision in the Copyright Act.  The forthcoming bill is likely to block unlocking a DVD to use such clips, however, since the presence of a digital lock will trump fair dealing.  In fact, even the much-discussed potential introduction of new artists' exceptions for parody and satire would be limited by locks. What is Moore's plan to allow Canadian creators to complete their art?

4.  The Canadian media regularly rely on the news reporting section of the fair dealing provision to use portions of audio or video without permission. The forthcoming bill is likely to render such activities violations of the law anytime a digital lock guards the audio or video.  Does Moore believe this strikes a fair balance between copyright and freedom of the press?

5.  With the emergence of the Amazon Kindle and Apple iPad, Canadian teachers and students are facing increasing pressure to switch to electronic books.  E-books offer great potential, but also frequently come with restrictive digital locks that have been used to remotely delete content from users' devices in their own homes.  Given the importance of the research and private study sections in the fair dealing provision, is Moore satisfied with an approach that would hamper the use of those sections for a critical part of the education process?

6.  The new copyright bill is likely to reintroduce new exceptions that legalize recording television shows (time shifting) or moving purchased content from one format to another (format shifting).  While consumers will undoubtedly welcome these long overdue reforms, they will likely be contingent on the absence of any digital locks.  Does Moore fear the new rights will be regularly blocked by anti-copying technologies?

7.  Is Moore aware that the solution to all of these concerns is a single provision that would allow Canada to implement the World Intellectual Property Organization's Internet treaties, provide legal protection for digital locks, and preserve the copyright balance by simply confirming that circumvention of a digital lock is not prohibited when undertaken for lawful purposes?