This paper summarizes selected developments in Canadian Internet law during 2013. This paper is an overview of significant developments rather than an exhaustive review. Reference to current legislation, regulatory policies and guidelines, and case law is essential for anyone addressing these issues in practice.

A. TRADEMARKS AND THE INTERNET

1. Infringing Domain Name

Trans-High Corporation v. Hightimes Smokeshop and Gifts Inc., 2013 FC 1190, involved a dispute over the defendant's use of the HIGHTIMES trademark and trade name and related domain name, which the plaintiff claimed was an infringement of the plaintiff's well-known HIGH TIMES trademark used in association with the High Times Magazine and other goods and a website operated using the domain name hightimes.com. The defendant operated a retail shop named "High Times Smoke Shop & Gifts" and a website using the domain name hightimesniagarafalls.com. The court held that the defendant had infringed the plaintiff's trademark, and awarded damages, an injunction and costs. The injunction included an order that the defendant transfer to the plaintiff registered ownership and control over thehightimesniagarafalls.com domain name and all other domain names registered by the defendant containing the words "high times" or any confusingly similar mark.

2. Canadian Domain Name Arbitrations

(a) Overview

Certain disputes involving alleged bad faith registration of .ca domain names may be resolved by arbitration pursuant to the Domain Name Dispute Resolution Policy (known as the CDRP) mandated by the Canadian Internet Registration Authority (CIRA). The CDRP's mandatory administrative dispute resolution process is binding on .ca domain name registrants because it is incorporated by reference into .ca domain name registration agreements. The CDRP is modeled on the Uniform Domain-Name Dispute-Resolution Policy that applies to .com, .org, .net and other domain names.

To invoke the CDRP, a complainant must satisfy the CIRA Canadian presence requirements for registrants in respect of the disputed domain name or be the owner of a trade-mark registered in the Canadian Intellectual Property Office that is the basis of the complaint. To succeed in a CDRP proceeding, a complainant must: (a) prove that the disputed domain name is confusingly similar to a mark in which the complainant had rights prior to the date of registration of the disputed domain name and continues to have such rights; (b) prove that the registrant registered the disputed domain name in bad faith; and (c) provide "some evidence" that the registrant has no legitimate interest in the disputed domain name. Even if a complainant proves (a) and (b) and provides some evidence of (c), the registrant will succeed in the proceeding if the registrant proves that the registrant has a legitimate interest in the disputed domain name. The CDRP provides non-exhaustive lists of circumstances that demonstrate bad faith registration of a disputed domain name and legitimate interest in a disputed domain name.

(b) Decisions

There were 30 CDRP decisions, involving 44 domain names, issued in 2013. A complete list is available at www.cira.ca. Complaints continue to be upheld more frequently than they are dismissed. During 2013, 23 complaints were successful and 7 complaints were dismissed.

The 2013 CDRP decisions illustrate the following principles:

  • The addition of a generic or descriptive word or a geographic indicator to a domain name does not distinguish the domain name from a trademark and might serve to reinforce the confusing similarity between the domain name and the trademark. (Intertek Testing Services NA Ltd. v. Intertek Oil and Gas and/or Canada Oil & Gas Recruitment Agency, CIRA No. 244, November 15, 2013; Carey International Inc. v. Simonetti, CIRA No. 241, October 3, 2013; Americana International Ltd. v. Bench Clothing Store Inc., CIRA No. 238, September 17, 2013; Vanguard Trademark Holdings USA, LLC v. Danier, CIRA No. 234, July 11, 2013; Oakley Inc. v. Ieyzhen, CIRA No. 233, July 9, 2013; General Motors LLC v. DS1 Design, CIRA No. 231, May 29, 2013; Swarovski Aktiengesellschaft v. Unknown, CIRA No. 227, May 1, 2013; L'Oreal SA & L'Oreal Canada Inc. v. Silva, CIRA No. 226, May 1, 2013.)
  • There continues to be inconsistency regarding the appropriate test for determining whether the registrant is a competitor of the complainant, as required by CDRP section 3.5(c). Most decisions take the view that that business competition is necessary, and that merely competing for Internet traffic is not sufficient. (Intertek Testing Services NA Ltd. v. Intertek Oil and Gas and/or Canada Oil & Gas Recruitment Agency, CIRA No. 244, November 15, 2013; StudentUniverse.ccom Inc. v. Winer, CIRA No. 243, November 12, 2013; Electronic Products Recycling Association v. Rivard, CIRA No. 242, November 11, 2013; Design First Kitchen & Bath Interiors Inc. v. Stone Beach Design Inc., CIRA No. 235, July 31, 2013; The Calgary Exhibition & Stampede Limited v. Squires, CIRA No. 229, May 10, 2013.)
  • The CDRP does not prohibit a second complaint regarding the same domain name involving the same parties, unless the second complaint is brought to harass the registrant. (American Girl, LLC v. Page, CIRA No. 239, September 30, 2013.)
  • For the purpose of determining whether a complainant engaged in reverse domain name hijacking under CDRP section 4.6, "colour of right" means that the complainant had an honest belief that the facts advanced by the complainant were true and could entitle the complainant to the relief sought. (Design First Kitchen & Bath Interiors Inc. v. Stone Beach Design Inc., CIRA No. 235, July 31, 2013; Visionary Motorsports Ltd. v. MC Motorsports Canada Ltd., CIRA No. 230, May 27, 2013.)
  • Mere assertions that a registrant does not have a legitimate interest in a domain name do not satisfy the CDRP requirement that a complainant provide "some evidence" that the registrant does not have a legitimate interest in a domain name. (American Girl, LLC v. Page, CIRA No. 216, January 9, 2013; Vanguard Trademark Holdings USA, LLC v. Danier, CIRA No. 234, July 11, 2013.)
  • The registration of a domain name for the benefit of an undisclosed beneficial owner is a violation of CIRA's Registration Agreement, and holding a registration in calculated violation of CIRA's Registrant Agreement constitutes bad faith on the part of the registrant and the beneficial owner of a domain name. (ArcelorMittal SA v. NETNIC Corporation Protective Registration Services, CIRA No. 221, January 29, 2013.)
  • Threatening to kill the complainant's lawyer is a relevant consideration is determining the registrant's bad faith. (Intertek Testing Services NA Ltd. v. Intertek Oil and Gas and/or Canada Oil & Gas Recruitment Agency, CIRA No. 244, November 15, 2013.)

B. COPYRIGHT AND THE INTERNET

1. Damages for Internet Copyright Infringement

Twentieth Century Fox Film Corp. v. Hernandez, December 3, 2013, Toronto T-1618-13 2013 (FC), involved claims for infringement of copyright in the popular television programs The Simpsons and Family Guy. The defendant created unauthorized copies of the programs and made them available for downloading, copying and streaming from various websites. The plaintiff applied for default judgment against the defendant Hernandez. The court held that the defendant's infringement was in bad faith and for commercial purposes, and resulted in revenue to the defendant on the false pretence that the defendant's activities were lawful. The court held that statutory damages would be insufficient to achieve the goal of punishment and deterrence, reasoning that the defendant's repeated, unauthorized, blatant, high-handed and intentional misconduct, and callous disregard for the plaintiff's copyright, was deserving of punitive damages. The court awarded $10,000,000 statutory damages, $500,000 punitive and exemplary damages, interest and substantial indemnity costs. The court also issued a wide injunction restraining the defendant against further infringement of The Simpsons and Family Guy television programs or any other present or future works in which the plaintiff owns copyright.

C. CONTRACTS AND THE INTERNET

1. Consumer Contract Made by Email/Online Process

Ghaed v. Telus Communications Co., 2013 BCSC 1675, involved a dispute over the enforceability of a fixed-term contract for the provision of telecommunication services. The plaintiff, a retired psychiatrist, employed several people to assist him in the management of his business. The plaintiff's office manager had discussions with the defendant's sales representative about a new telecommunication services bundle. The defendant emailed a copy of a proposed services contract to the plaintiff's business email address. The contract was for a 36-month term, and required the plaintiff to pay a termination fee if the contract was terminated early. The contract required the plaintiff to sign the contract with an electronic signature. Documentary evidence established that someone with authority to use the plaintiff's business email address viewed and accepted the contract by clicking an "I Accept" button, which caused an electronic signature to be added to the electronic version of the contract. The online process then allowed the person who accepted the contract to save or print the contract in .PDF format. The contract was then automatically emailed back to the defendant, who then began providing the services. The plaintiff used the services from July 2010 to October 2011, and then terminated the services. The defendant informed the plaintiff of the termination fee and sent a copy of the contract to the plaintiff. The plaintiff refused to pay the termination fee. The plaintiff's lawyer tried to settle the dispute, but the settlement was not concluded. The plaintiff then sued the defendant for declarations and for damages for the defendant's alleged breach of the Business Practices and Consumer Protection Act. The plaintiff argued that he was not obligated to pay the early termination fee because the contract was a distance contract for a continuing service regulated by the Business Practices and Consumer Protection Act, which permitted the plaintiff to cancel the contract without further obligation within seven days after the plaintiff first received a copy of the contract in October 2011. The court rejected the plaintiff's argument on the basis that the plaintiff had authorized his office manager to accept the contract and that the online contracting process used in July 2010 had given the office manager the opportunity to save or print a copy of the contract, and therefore the defendant had delivered the contract to the plaintiff at the time the contract was made. The court also found that the settlement discussions had resulted in a binding settlement, which the plaintiff had wrongfully repudiated. The court dismissed the plaintiff's claim for damages against the defendant, with costs to the defendant.

2. Sponsorship Agreement Made by Email

Vancouver Canucks Limited Partnership v. Canon Canada Inc., 2013 BCSC 866, involved a dispute over an alleged sponsorship agreement. The parties engaged in negotiations for the renewal of an equipment supply agreement and a related sponsorship agreement through discussions confirmed by email correspondence that referred to the terms of the previous agreement between the parties. The email correspondence did not state that there would be no binding agreement until formal contract documents were signed. The parties completed the business discussions just before the 2008/2009 hockey season. The plaintiff fully activated the defendant's sponsorship benefits. The parties then began negotiating the written contracts. The parties signed a written equipment supply contract. The parties disagreed over the termination provisions of the sponsorship contract, and the defendant ended the negotiations taking the position that there was no binding sponsorship agreement. The plaintiff signed equipment supply and sponsorship agreements with a different supplier, and sued the defendant for breach of contract. The plaintiff claimed that a binding sponsorship agreement was formed through email correspondence, and that the defendant repudiated the agreement by terminating negotiations before the formal contract was signed. The defendant argued that the emails were not intended to be a binding agreement but were merely an agreement to agree that was conditional upon the negotiation and execution of a written contract, and did not confirm agreement on all essential terms. The defendant also argued that the defendant's representative who sent the emails did not have authority to bind the defendant. The court rejected the defendant's arguments and held that there was a binding sponsorship agreement that had been repudiated by the defendant. The court held that the emails created an enforceable sponsorship agreement because both parties intended to form a contract, both parties believed they had a sponsorship agreement on the basis of the email correspondence, and the email correspondence was sufficiently certain and confirmed the parties' agreement on all essential terms (parties, price and subject matter) and other terms incorporated by reference from the previous sponsorship agreement. The court also held that the defendant's representative had the defendant's authority to make the defendant's offer (communicated by email) that resulted in the sponsorship agreement, even if the representative did not have authority to sign the formal contract document. The court found the defendant liable for breach of contract, and awarded the plaintiff $826,000 in damages.

D. PRIVACY AND THE INTERNET

1. Manitoba Privacy Information Protection and Identity Theft Prevention Act

In September 2013, Manitoba enacted the Personal Information Protection and Identity Theft Prevention Act (PIPITPA) to regulate the collection, use and disclosure of personal information by organizations in the private sector in Manitoba. PIPITPA will come into force on a date to be set by proclamation. PIPITPA is substantially similar to the Alberta Personal Information Protection Act (which was ruled unconstitutional by the Supreme Court of Canada in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers Local 401, 2013 SCC 62), but takes a different approach regarding various issues including breach notification and private enforcement. PIPITPA provides that an organization must, as soon as reasonably practicable and in the prescribed manner, notify an individual if personal information about the individual that is in the organization's custody or under the organization's control is stolen, lost or accessed in an unauthorized manner, unless the organization is satisfied that it is not reasonably possible for the personal information to be used unlawfully or if an investigating law enforcement agency instructs the organization not to give notice. PIPITPA permits an individual to sue an organization for damages arising from the organization's failure to protect personal information in the organization's custody or under the organization's control or failure to provide a required data security breach notification.

2. Privacy Commissioner Conducts Internet Privacy Sweep

In May 2013, the Office of the Privacy Commissioner of Canada participated in an international Internet Privacy Sweep to assess website privacy practice transparency, including the following issues: does the website have a privacy policy, how difficult is it to find information about the website's privacy practices, is there readily available information for addressing privacy questions and concerns and is the website's privacy policy readable? In August 2013, the Office issued a preliminary report regarding its assessment of over 300 website privacy policies. The report identified good examples of transparency - consumer oriented privacy policies providing relevant and helpful information, including both online and in-store privacy practices. The report also reported some bad results: (a) approximately 20 percent of websites either listed no privacy contact or made it difficult to find contact information for a privacy officer; (b) some privacy policies provided limited useful information or took a legalistic approach and merely claimed legal compliance; (c) 10 percent of websites did not have a privacy policy; (d) 10 percent of websites had a privacy policy that was difficult to find (e.g. a policy buried in a lengthy legal notice or terms and conditions of use); and (e) some privacy policies provided so little transparency that the websites may as well have had no privacy policy at all.

3. Guidance for Website Privacy Policy

In August 2013, the Office of the Information and Privacy Commissioner of British Columbia issued a guidance document entitled "Practical Suggestions for Your Organization's Website's Privacy Policy" (www.oipc.bc.ca/guidance-documents/1561). The guidance document reminds that the purpose of a website privacy policy is to explain the website owner's personal information practices. The guidance document sets out the basics of what an organization should consider when developing a website privacy policy and suggestions for both content and style of an effective privacy policy.

4. Report on IP Addresses and Privacy

In May 2013, the Office of the Privacy Commissioner of Canada issued a report entitled "What an IP Address Can Reveal About You" (www.priv.gc.ca/information/research-recherche/2013/ip_201305_e.asp), prepared by the Office's Technology Analysis Branch, to examine the privacy implications of access to "subscriber information", such as email addresses, mobile phone numbers and Internet protocol addresses. The report concludes that subscriber information "can be used to develop very detailed portraits of individuals providing insight into one's activities, tastes, leanings and lives". The report also states that knowledge of subscriber information "can provide a starting point to compile a picture of an individual's online activities" and provide other information that can be sensitive in nature and can be used to uncover further information about an individual. The report notes that as information technologies become more common, the more sensitive and revealing subscriber information becomes.

E. CRIMINAL LAW MATTERS

1. Warrant for Interception of Text Messages

R. v. Telus Communications Co., 2013 SCC 16, involved an application by Telus to quash a general warrant and assistance order obligating Telus to produce, on a prospective daily basis, all text messages sent and received by two subscribers and related subscriber information. The Ontario Superior Court held that the warrant was valid, reasoning that the warrant did not authorize the interception of messages because it applied only to previously sent messages stored in Telus' systems rather than to messages in progress. The Supreme Court of Canada allowed the appeal and quashed the warrant and assistance order. The majority of the court reasoned that text messaging is, in essence, an electronic conversation, and should be subject to the same protections (i.e. a wiretap authorization) to which private communications are entitled under the Criminal Code. The majority reasoned (at para. 5): "Technical differences inherent in new technology should not determine the scope of protection afforded to private communications." Accordingly, the majority held that text messages, even if stored on a service provider's computer system, are subject to the warrant provisions that apply to the prospective interception of private communications, and not to the residual, general warrant provisions that apply only if other warrant provisions are not applicable. The dissenting court minority held that the general warrant was appropriate because it required the disclosure (not interception) of text messages previously intercepted and stored by Telus for its own lawful purposes.

2. Specific Warrant Required for Search of Computer Devices

R. v. Vu, 2013 SCC 60, involved an application to exclude evidence of marijuana grow-op offences found in personal computers and a smart phone on the basis that the evidence was seized by the police in violation of the accused's Charter rights because the search warrant did not expressly authorize the search of computer devices. The traditional legal framework holds that a warrant to search a place for certain things allows the police to look for those things anywhere in the place where they might reasonably be, and the police do not require specific, prior authorization to search in receptacles such as cupboards and filing cabinets. The Supreme Court of Canada held that computers give rise to particular privacy concerns and must be treated differently than other kinds of receptacles. The court reasoned that a computer device (both traditional personal computers as well as smartphones) potentially gives police access to vast amounts of information that users cannot control and that users might not even be aware of (including information that is automatically generated without the user's knowledge) or might believe has been permanently deleted, and that a computer device connected to the Internet might give police remote access to information stored in locations that are not the authorized place of the search. The court also reasoned that computer devices store immense amounts of sensitive personal information that can touch the "biographical core of personal information" and might enable the police to access intimate details about a user's interests, habits and identity.

For those reasons, the court held that a computer search requires specific pre-authorization, which means that if police seek a warrant to search a place and intend to search computers found within the place, then the police must satisfy the authorizing justice that they have reasonable grounds to believe that the computers will contain the things they are looking for. Also, if police conducting a warranted search come across a computer device that might contain material for which the police are authorized to search but the warrant does not give them specific, prior authorization to search computers, then the police may seize the device but must obtain further search authorization before searching the device. The purpose of the prior authorization process is to allow the authorizing justice to balance the privacy interest of the individual against the interest of the state in investigating criminal activity before state intrusion occurs. The court noted, however, that the rule requiring specific, prior judicial authorization to search a computer device might not apply in all circumstances in which police come across a computer in the course of an investigation.

The court concluded that the computer search violated the accused's Charter rights, but nevertheless held that the evidence obtained as a result of the search should not be excluded pursuant to Charter section 24(2). The court reasoned that the police believed on reasonable grounds that the search of the computer was authorized by the warrant, the computer search did not step outside the purposes for which the warrant had been issued and did not include forensic examination, and the evidence was reliable, real evidence that was important to the adjudication of the charges on their merits.

3. Warrantless Search of Work Computer

R. v. McNeice, 2013 BCCA 98, involved an appeal from a criminal conviction for accessing child pornography. The conviction resulted from a police search and seizure of a laptop computer owned by the defendant's employer (a B.C. school district) and used by the defendant (an elementary school principal) for both work purposes and nonwork purposes. The police search resulted from an international child pornography operation. The police took the work computer with the employer's consent, but without a search warrant. The police analyzed the hard drive and recovered previously-deleted child pornography that had been downloaded from the Internet. The court of appeal followed the Supreme Court of Canada decision in R. v. Cole and held that although the defendant's Charter section 8 right was breached, the evidence was properly admitted. Applying the reasoning in R. v. Cole, 2012 SCC 53, the court of appeal held that the defendant had a reasonable, subjective expectation of privacy in the deleted Internet files containing pornography, and therefore the police search of the computer constituted a breach of the defendant's Charter section 8 right to be secure against unreasonable search or seizure. The court reasoned that the school district did not have a policy prohibiting use of the laptop for personal purposes, the defendant's deleting the computer files was consistent with an intention to destroy the information or conceal the information from view by anyone else, and the defendant's expectation of privacy regarding the deleted files was reasonable even though the computer was not password-protected. Nevertheless, the court held that the admission of the Internet files into evidence would not bring the administration of justice into disrepute. The court reasoned that the warrantless police search (which was conducted before the R. v. Cole decision) was not the most serious kind of violation of Charter rights and society had a significant interest in having child pornography charges against an elementary school principal determined through a full and fair trial based on all relevant evidence.

4. Charter Right to Internet Search for Defence Counsel

R. v. McKay, 2013 ABPC 13, involved the criminal prosecution of a 19-year-old charged with drunk driving. The accused was given a standard Charter warning about the right to legal counsel, and was provided with access to a standard telephone, telephone books, a toll-free number for additional information and 411 for information about phone numbers. The accused made one phone call, but the results were not satisfactory and the accused did not ask to make another call because he believed he was entitled to only one call. The accused testified that he usually uses a Google search of the Internet to access required information, and that he did not understand that 411 was a "viable search engine". The court held that Charter section 10(b), which provides that an arrested or detained person has the right to retain and instruct counsel without delay and to be informed of that right, requires the police to provide a detained or arrested person with use of the Internet to find a lawyer. The court reasoned that information accessible using the Internet may be more current and detailed than information available in a telephone book or using 411 or a toll-free number. The court also reasoned that the computer generation (individuals born after 1980) are more familiar and comfortable with the Internet than with other kinds of information resources. For those reasons, the court held that the accused's section 10(b) Charter right was violated because he was not given access to the Internet to search for defence counsel.

5. No Charter Right to Internet Search for Defence Counsel

R. v. Franczak, 2013 ABPC 226, involved the criminal prosecution of a 50-year-old businessman charged with drunk driving. The accused was given a standard Charter warning about the right to legal counsel, and responded "no" when asked if he wanted to call a lawyer. The accused was not provided with access to a police telephone, but the accused used his own smartphone (which had Internet access) to check emails and text a friend. The accused testified that he did not think that a lawyer could do anything to help him. The court held that Charter section 10(b) does not require the police to inform a detained or accused person that he has a right to access the Internet. The court distinguished the decision in R. v. McKay on the basis that the accused in that case was from the computer generation. In contrast, the case before the court involved a 50-year-old highly successful businessman who knew how to use 411 and telephone books, used his own mobile phone and could have contacted a lawyer had he wanted to do so. The court noted that judicial precedent did not support the argument than a detained or accused person has a right to access the Internet to conduct research for general legal information, rather than simply to obtain contact information for suitable legal counsel. The court reasoned that a "sweeping change in policy" to require police to offer a detained or accused person Internet access should come from a superior court. For those reasons, the court held that Charter section 10(b) does not impose on police a general obligation to tell a detained or accused person that they have the right to access the Internet to facilitate contacting legal counsel.

F. REGULATORY MATTERS

1. Canada's Anti-Spam Law

Canada's anti-spam and online fraud act (commonly known as CASL) creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties (including personal liability for corporate directors and officers) designed to prohibit unsolicited or misleading commercial electronic messages (CEMs) and deter other forms of online fraud (such as identity theft, phishing and spyware).

(a) In Force Dates

On December 4, 2013, the Government issued an order specifying that CASL will come into force on July 1, 2014, except that provisions imposing restrictions on the installation of computer programs will come into force on January 15, 2015, and provisions regarding enforcement through a private right of action will come into force on July 1, 2017.

(b) Electronic Commerce Protection Regulations

On December 4, 2013, Industry Canada published its Electronic Commerce Protection Regulations (81000-2-175) for CASL. The regulations define some key terms and concepts (family relationship, personal relationship, and membership in a club, association or voluntary organization) contained in CASL. The regulations also specify a number of significant exclusions to the restrictions regarding CEMs:

  • a CEM sent within an organization concerning the activities of the organization;
  • a CEM sent from one organization to another organization if the organizations have a relationship and the message concerns the activities of the recipient organization;
  • a CEM sent in response to a request, inquiry or complaint or is otherwise solicited by the person to whom the message is sent;
  • a CEM sent to a person to satisfy a legal or juridical obligation, to provide notice of an existing or pending right, legal or juridical obligation, court order, judgment or tariff, to enforce a right, legal or juridical obligation, court order, judgment or tariff, or to enforce a right arising under a law of Canada, of a province or municipality of Canada or of a foreign state;
  • a CEM sent and received on an electronic messaging service if the required information and unsubscribe mechanism are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication;
  • a CEM sent to a limited-access secure and confidential account to which messages can only be sent by the person who provides the account to the person who receives the message;
  • a CEM if the person who sends the message or causes or permits it to be sent reasonably believes the message will be accessed in an authorized foreign state and the message conforms to the law of the foreign state that addresses conduct that is substantially similar to conduct prohibited under CASL section 6;
  • a CEM sent by or on behalf of a registered charity and the message has as its primary purpose raising funds for the charity; and
  • a CEM sent by or on behalf of a political party or organization, or a person who is a candidate for publicly elected office, and the message has as its primary purpose soliciting a contribution as defined in the Canada Elections Act.

The regulations also provide that the consent to receive a CEM required by CASL does not apply to the first CEM sent for the purpose of contacting the individual to whom the message is sent following a referral by any individual who has an existing business relationship, an existing non-business relationship, a family relationship or a personal relationship with the person who sends the message, as well as any of those relationships with the individual to whom the message is sent and that discloses the full name of the individual or individuals who made the referral and states that the message is sent as a result of the referral.

The regulations also specify conditions for the use of a consent to CEMs obtained by a person on behalf of other persons whose identity was unknown. The conditions make the person who obtained the consent responsible for compliance with certain requirements for the content of CEMs sent by other persons pursuant to the consent and for prompt notification and implementation by other persons of a withdrawal of the consent.

The regulations also specify additional kinds of computer programs for which a person's consent to install is presumed.

(c) Guidance Documents

On December 4, 2013, Industry Canada published a Regulatory Impact Analysis Statement (http://fightspam.gc.ca/eic/site/030.nsf/eng/00271.html) to explain the Electronic Commerce Protection Regulations and how they address stakeholder concerns expressed in comments on draft regulations.

On December 18, 2013, Canadian Radio-television and Telecommunications Commission published a Frequently Asked Questions document to provide guidance for compliance with CASL (www.crtc.gc.ca/eng/casl-lcap.htm).

On December 20, 2013, Industry Canada published a Frequently Asked Questions document to provide guidance for compliance with CASL (http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00050.html).

2. Nova Scotia Anti-Cyberbullying Law

In August and September 2013, the Nova Scotia Cyber-safety Act was proclaimed in force. The stated purpose of the Act is to provide safer communities by creating administrative and court processes that can be used to address and prevent cyberbullying. The Act broadly defines "cyberbullying" as any electronic communication through the use of technology that is intended or ought reasonably to be expected to cause fear, intimidation, humiliation, distress or other damage or harm to any other person's health, emotional well-being, self-esteem or reputation, and includes assisting or encouraging such communication in any way. The Act also provides that a parent commits cyberbullying if the parent's minor child (under 19 years of age) engages in cyberbullying and the parent knows of the cyberbullying and its likely consequences and fails to prevent the cyberbullying from continuing. The Act establishes a procedure for cyberbullying victims or their parents or other persons to apply to court for protection orders. The Act creates a statutory tort of cyberbullying and permits cyberbullying victims to sue cyberbullies for damages, injunctions and other appropriate orders. The Act provides that in some circumstances a parent is jointly and severally liable for cyberbullying damages awarded against the parent's minor child (under 19 years of age). The Act amended the Nova Scotia Education Act to impose duties on teachers, support staff and principals to respond to cyberbullying. The Act also amended the Nova Scotia Safer Communities and Neighbourhoods Act to establish a comprehensive procedure for cyberbullying victims to apply to a Director of Public Safety for a cyberbullying prevention order.

3. Provincial Regulation of Internet Pharmacy

Ontario College of Pharmacists v. 1724665 Ontario Inc., 2013 ONCA 381, involved regulatory proceedings by the Ontario College of Pharmacists against individuals and corporations involved in operating an Internet pharmacy that sold generic prescription drugs to Americans through the www.globalpharmacycanada.com website. The corporations and individuals involved in operating the Internet pharmacy were located in Belize, the United States and Canada, and none of them were authorized under Ontario law to sell prescription drugs in Ontario. The seller of the drugs was a Belize company that referred to itself as "Global Pharmacy Canada" and directed customers to contact customer service agents "located in Toronto, Canada" and employed by an Ontario company. The service agents took customer orders, processed payments and ensured that orders were filled in India and shipped directly to the customer. The drugs were sourced in India and never entered Canada. The customers were American, and technological measures were used to prevent computers with a Canadian IP address from accessing the Internet pharmacy website. The Ontario College of Pharmacists brought legal proceedings against the respondents to stop them from selling prescription drugs from any location in Ontario. The respondents argued that they were not subject to the jurisdiction of the Ontario College of Pharmacists because the Belize company (the seller of the drugs) had no physical presence in Ontario, had no Ontario personnel, did not advertise to Ontario residents, did not import drugs into Ontario and did not sell drugs to Ontario residents. The court rejected that argument, reasoning that the substance of the online transaction was a sale that took place through the customer service center in Ontario. The court held that the Belize company and the Ontario company operated jointly to run the Internet pharmacy business.

The court also held that the Ontario College of Pharmacists has authority to protect persons located outside Ontario against conduct that occurs within Ontario. The court reasoned (at para. 76): "If a company trades on Ontario's reputation for quality and strong regulatory standards, and sites a critical part of the sales process in Ontario, it will be subject to Ontario's regulation".

4. Accessible Websites and Web Content

The Accessibility for Ontarians with Disabilities Act, 2005 provides for the development and implementation of accessibility standards in order to achieve accessibility for Ontarians with disabilities with respect to goods, services, information and other matters. The Integrated Accessibility Standards Regulation issued under the Act provides details of the accessibility requirements, exceptions, and relevant definitions. Starting on January 1, 2014, the Act requires that all new Internet websites of private sector large organizations (organizations with 50 or more employees in Ontario) and web content on those sites conform to the World Wide Web Consortium's Web Content Accessibility Guidelines (WCAG) 2.0 at Level A. Starting on January 1, 2021, the Act requires that all Internet websites and web content of private sector large organizations conform to the WCAG 2.0 at Level AA. Those requirements are subject to limited exceptions, including where meeting the requirements is not practicable. Failure to comply with the Act can result in administrative penalties of up to $100,000.

G. EMPLOYMENT/LABOUR RELATIONS AND THE INTERNET

1. Just Termination for Unauthorized Access to Data

Steel v. Coast Capital Savings Credit Union, 2013 BCSC 527, involved a claim for wrongful dismissal by a technology services employee who was dismissed after she was found to have accessed without permission a confidential document in another employee's confidential personal folder on the organization's computer system. The plaintiff, a helpdesk analyst who had been employed for over twenty years, was able to access any document or file on the organization's computer system, subject to compliance with a specific protocol that included obtaining permission of other relevant employees. The plaintiff accessed a confidential document regarding the allocation of employee parking spaces without required permission in breach of the applicable protocol and for the plaintiff's personal purposes (not as part of the plaintiff's duties). The plaintiff acknowledged accessing the document without permission, but argued that the misconduct did not constitute just cause for dismissal in the circumstances. The court held that the plaintiff's conduct constituted just cause for dismissal because the plaintiff "occupied a position of great trust in an industry in which trust is of central importance" and "fundamental to the employment relationship", and the plaintiff violated that trust by accessing the confidential document for her own purposes and in breach of applicable protocols.

2. Wrongful Termination for Receiving Pornographic Emails

Asurion Canada Inc. v. Brown, 2013 NBCA 13, involved an action for wrongful dismissal by two employees who were dismissed for violations of a workplace Internet acceptable use policy. The plaintiffs, a customer service representative and a call centre supervisor, each received unsolicited emails that attached pornographic images. The emails were sent to the plaintiffs by a common friend, a non-employee, for humorous purposes and were received by the plaintiffs at their work computers. The plaintiffs deleted or transferred the emails to a personal email address and did not share the emails with anyone at work. The defendant's employee handbook included guidelines for use of voicemail, email and computers that expressly prohibited employees from "accessing, transmitting, receiving or storing any information that is discriminatory, profane, harassing or defamatory in any way (e.g. sexually explicit or racially discriminatory materials)". The trial judge held that the dismissals of the plaintiffs were an unjustified, disproportionately severe penalty. The employer appealed. The court of appeal dismissed the appeal, primarily on the basis that the summary dismissal of the plaintiffs, longstanding employees with unblemished records of dedicated service, who were not "morality instructors" and who did not share the emails with other employees to implicate a workplace harassment concern, was disproportionate in the circumstances. The court reasoned (at para. 37) that the circumstances did not justify the employer's "'puritanical' or 'absolutist' approach to discipline for an employee's receipt and in solo viewing of sexually-explicit material in the relative privacy provided by his or her cubicle" when the images were "perfectly legal adult pornography" and did not violate any provision of the Criminal Code. The court of appeal also observed that the relevant employee handbook provision was not plainly worded and did not clearly prohibit receiving unsolicited email with pornographic images.

3. Facebook Postings Constitute Workplace Harassment

Perez-Moreno v. Kulczycki, 2013 HRTO 1074, involved a complaint by a management employee alleging workplace harassment based on comments about the complainant posted on Facebook by the respondent employee. The comments related to a workplace incident and were racially derogatory. The employer was not a party to the proceeding. The complainant claimed that the Facebook postings were humiliating, damaging to the complainant's character, work and personal life, and had other negative effects. The tribunal found that the respondent's workplace-related Facebook postings constituted workplace harassment, which is defined in the Human Rights Code (Ontario) as "a course of vexatious comment or conduct that is known or ought reasonably to be known to be unwelcome". The tribunal refused to order the respondent removed from the shared workplace, and instead ordered the respondent to complete an online-training course entitled "Human Rights 101".

H. INTERNET DEFAMATION

1. Rejection of U.S. Single Publication Rule

Shtaif v. Toronto Life Publishing Co. Ltd., 2013 ONCA 405, involved defamation claims regarding an article published in Toronto Life magazine and on the Toronto Life website. The plaintiffs complained about the print version of the article but did not sue over it. When the plaintiffs became aware of an Internet version of the article, the plaintiffs gave timely notice under the Libel and Slander Act (Ontario) and sued promptly afterwards. The defendants brought a motion for summary judgment on various grounds, including the plaintiffs' delay in commencing the lawsuit. The motion was partially successful and partially unsuccessful. On appeal, the court of appeal considered various issues involving the interpretation and application of the Libel and Slander Act (Ontario), the Limitation Act (Ontario) and the common law of defamation. Most importantly, the court of appeal refused to apply the American "single publication rule" to bar the plaintiffs' defamation claim regarding the Internet publication. The single publication rule provides that a defamation plaintiff has a single cause of action, which arises at the first publication of an alleged libel regardless of the number of copies of the publication that are distributed or sold. The court of appeal reasoned that the single publication rule was not applicable for three reasons: (1) the rule is not consistent with the provisions of the Libel and Slander Act (Ontario); (2) the rule was implicitly rejected by previous decisions of the court; and (3) the single publication rule should not be applied to publications in different mediums of communication (print media and the Internet), particularly given the power of the Internet to damage reputation. The rejection of the single publication rule is consistent with the British Columbia Court of Appeal decision in Carter v. B.C. Federation of Foster Parents Association, 2005 BCCA 398.

2. No Fair Comment Defence for Website Defamation

Mainstream Canada v. Staniford, 2013 BCCA 341, involved defamation claims regarding disparaging comments about the plaintiff's salmon farming business published in press releases and posted on the website of The Global Alliance Against Industrial Aquaculture (GAAIA). The trial judge dismissed the defamation claims on the basis that the comments were defamatory but the defendant was entitled to invoke a fair comment defence. A fair comment defence requires that a defamatory comment be an expression of opinion on a known set of facts that are notorious, contained in the defamatory publication or sufficiently referenced to be contained in other specified documents so that the reader is in a position to assess or evaluate the comment. The trial judge reasoned that the factual basis for the defamatory comments could be found in research papers for which there were hyperlinks on the GAAIA website. The court of appeal granted the plaintiff's appeal on the basis that the trial judge erred in finding the fair comment defence was established, because the press release and website publication did not clearly state or sufficiently reference the factual basis for the defamatory statements. The court of appeal held that it was not sufficient for the fair comment defence for the relevant facts on which the defamatory comments were made to be contained on GAAIA website pages that were not alleged to contain defamatory comments or in hyperlinked documents unless those other website pages or hyperlinked documents were identified by a clear reference to contain the facts. The court acknowledged that the factual basis for a defamatory publication might be sufficiently referenced if the publication advises the reader that a hyperlinked document contains facts upon which the defamatory comment is based and sets out where in the document the facts are contained. The court of appeal awarded the plaintiff $25,000 general damages, $50,000 punitive damages and special costs of the trial to punish the defendant for his reprehensible conduct in the litigation. The court of appeal also issued a permanent injunction restraining the defendant from publishing similar defamatory statements in the future.

3. Website Defamation Not Protected by Privilege

Rubin v. Ross, 2013 SKCA 21 (leave to appeal refused [2013] S.C.C.A. No. 181 (QL)), involved defamation claims regarding disparaging comments about the plaintiff made in a workplace harassment grievance complaint and related bulletins posted by the defendants and their union on public bulletin boards in a university veterinary hospital, mailed to 1,400 union members, and posted on the union's publicly accessible website. The published documents related to claims against the plaintiff hospital director and the hospital. An initial hearing of the grievance determined that the claims had no merit. The union then published the grievance complaint and bulletins for the ostensible purpose of seeking information from other union employees that could substantiate the claims. The hospital demanded that the union remove the complaint from the union's website, but the union refused to do so. As a result of the union's actions, the plaintiff voluntarily resigned his position and eventually left the hospital for a teaching position in Arizona. The plaintiff sued the union and its representatives for defamation. The union then removed the documents from the union website. The defendants disputed that the bulletins and grievance notice were defamatory, and alternatively asserted defences of absolute and qualified privilege. The trial judge found that the bulletins and grievance notice were defamatory, but held that the defence of qualified privilege applied. The plaintiff appealed. The court of appeal held that the bulletins and grievance notice were not protected by privilege. The court held that the defence of absolute privilege was not applicable, because the ostensible purpose of the publications – to find corroborating witnesses – was not so intimately connected with the grievance process as to justify the extension of the defence of absolute privilege, and because the publication of the defamatory was too extensive. The court also held that the defence of qualified privilege was not applicable on various grounds, including because the publications were made to persons who were not union members or hospital employees and therefore had no reciprocal interest in receiving the publications. The court reasoned (at para. 58) that the Internet "is not a tool that can be used to expand qualified privilege so as to justify the broad publication of a defamatory statement, but rather it exacerbates the libel". The court also held that it was irrelevant that the plaintiff did not prove that the website publication had been accessed by a member of the public. The court of appeal awarded the plaintiff $100,000 general damages.

4. Anonymous Internet Defamation

Manson v. John Doe No. 1, 2013 ONSC 628, involved defamation claims by the plaintiff lawyer against an unknown defendant relating to a series of shocking, disgusting, outrageous, racist and provocative statements posted anonymously to various websites and sent to the plaintiff's employer. The plaintiff was unable to identify the defendant, and the defendant refused to comply with a court order requiring the defendant to identify himself. The defendant did not file a statement of defence. The court observed (at para. 20) that "[t]here are few things more cowardly and insidious than an anonymous blogger who posts spiteful and defamatory comments about reputable members of the public and then hides behind the electronic curtain provided by the Internet". The court noted that the defendant did not apologize, retract or attempt to justify the defamatory statements, continued to post defamatory statements after the lawsuit was commenced, sought to victimize the plaintiff, acted maliciously and in an oppressive manner, malevolently refused to comply with a court order, and engaged in conduct that deliberately and maliciously increased the plaintiff's legal costs. The court awarded $100,000 general damages, $50,000 aggravated damages, $50,000 punitive damages and costs on a substantial indemnity basis.

5. Email Distribution Increases Harm

McDonald v. Keo, 2013 NWTSC 81, involved defamation claims regarding disparaging comments about the plaintiff in a letter that was distributed in both electronic and paper formats. The letter was obtained by print and broadcast media outlets, and stories repeating the allegations were published in newspapers, on radio and on media websites. An independent investigation established that the disparaging comments about the plaintiff were unsubstantiated. The plaintiff sued for defamation. The defendants did not file a defence or appear at the hearing. The court held that the letter was defamatory, and awarded the plaintiff $162,000 general and special damages and costs. In assessing damages, the court noted that by choosing to distribute the letter by email, the defendants "created a significant risk of further publication beyond the intended recipients" (at para. 33), and the fact that the media obtained the letter and repeated the defamatory statements added to the plaintiff's humiliation.

6. Application for Pre-trial Injunction to Remove YouTube Video

Asselin v. McDougall, 2013 ONSC 1716, involved defamation claims regarding disparaging comments about the plaintiff made in two videos posted by the defendants to their YouTube channel and disparaging comments in relation to the videos posted on the YouTube channel by other users. The videos related to dealings between the defendants and the plaintiff municipal official in connection with construction work at the defendants' business premises. The plaintiff claimed that the defendants' critical commentary in the videos and offensive comments posted by viewers of the videos were defamatory, and argued that the defendants were liable for viewers' posted comments. The defendants defended the comments based on qualified privilege, fair comment and free expression, and disputed that they were liable for comments posted by YouTube users. The plaintiff applied for a pre-trial injunction requiring the defendants to remove the videos and comments. The court dismissed the injunction application, reasoning that an injunction in a defamation case is "an extraordinary remedy, granted sparingly, in the clearest of cases and only to the extent necessary", and that the Internet should not be less free for expression than other media. The court held that the plaintiff had not established that the defendants' statements were manifestly defamatory or that irreparable harm would result if the injunction were not granted. The court held that it was for a jury to determine whether the defendants had deliberately adopted and endorsed defamatory comments posted by other YouTube users and were therefore liable for those comments. On the issue of irreparable harm, the court noted that the videos had been viewed less than 5,000 times and the defendants had exigible assets.

I. MISCELLANEOUS

1. Cyber Security Guidance from OSFI

On October 23, 2013, the Office of the Superintendent of Financial Institutions of Canada (OSFI) issued a memorandum entitled "Cyber Security Self-Assessment Guidance" (www.osfi-bsif.gc.ca/app/DocRepository/1/eng/notices/osfi/cbrsk_e.pdf) to assist federally regulated financial institutions (FRFIs) in the self-assessment of their preparedness for cyber-attacks. The memorandum explains that OSFI expects a FRFI's senior management to review their institution's cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks. The memorandum also indicates that a FRFI's board of directors, or committee of the board, should regularly review and discuss the institution's cyber risk management practices. The memorandum includes a detailed self-assessment template that covers the following broad areas: (1) organization and resources; (2) cyber risk and control assessment; (3) situational awareness; (4) threat and vulnerability risk management; (5) cyber security incident management; and (6) cyber security governance. The template explains that the self-assessment should focus on the institution's current state of cyber security practices on an enterprise-wide basis, and should include the institution's material outsourcing arrangements (as defined by OSFI's Guideline B-10) and critical IT service providers (including related subcontracting arrangements). The memorandum encourages FRFIs to use the self-assessment template to assess their current level or preparedness for cyber-attacks and to develop and maintain effective cyber security practices. The memorandum also notes that OSFI might request FRFIs complete the template during future supervisory assessments.

2. Cyber Security Guidance from CSA

On September 26, 2013, the Canadian Securities Administrators (CSA) issued Staff Notice 11-326 Cyber Security (www.bcsc.bc.ca/uploadedFiles/securitieslaw/policy1/11-326%20%5BCSA%20Staff%20Notice%5D.pdf) to remind issuers, registrants and regulated entities of the importance of cyber security risk management. The Staff Notice identifies two major types of increasingly frequent and sophisticated cyber threats - denial of service (DoS) attacks and advanced persistent threats (APTs). The Staff Notice advises issuers, registrants and regulated entities to consider how to manage cyber security risk, regularly review their cyber security control measures, consider the need for cyber security risk disclosures in prospectuses or continuous disclosure filings, and consider whether they are managing the cyber security risk in accordance with prudent business practices. The Staff Notice notes that the CSA will consider those issues in its review of issue disclosure and in its oversight of registrants and regulated entities.

3. Online Behavioural Advertising Principles

In September 2013 the Digital Advertising Alliance of Canada, a consortium of Canadian advertising and marketing associations, launched the Your Ad Choices program and issued a guidance document entitled "Canadian Self- Regulatory Principles for Online Behavioural Advertising" (www.youradchoices.ca/the-principles), all with the stated purpose of establishing a consumer-friendly, voluntary framework for the collection of online data to facilitate the delivery of online behavioural advertising (OBA) in a manner consistent with Canadian privacy laws and the Self-Regulatory Principles for Online Behavioural Advertising issued by the Digital Advertising Alliance in the United States. The Your Ad Choices program and the Principles are a direct response to the Privacy and Online Behavioural Advertising guidelines issued by the Office of the Privacy Commissioner of Canada (www.priv.gc.ca/information/guide/2011/gl_ba_1112_e.pdf). The Principles focus on education, notice and transparency, consumer control, data security, sensitive data and accountability. Companies that participate in the program can use the AdChoices icon to clearly inform consumers about data collection and use practices. Companies can also register to be listed on the Ad Choices online consumer opt-out tool to opt out from receiving behavioural advertising from any or all of the participating companies listed on the tool. Advertising Standards Canada is responsible for monitoring compliance with the Principles and handling consumer complaints concerning possible non-compliance with the Principles.

4. Securities Regulation of Internet Roadshows

Effective August 18, 2013, Canadian Securities Administrators (CSA) amended National Policy 47-201 to specify recommended procedures for road shows held on the Internet or by other electronic means. The recommended procedures include: (a) making a copy of a filed prospectus available to each viewer before the road show transmission; (b) including appropriate visual disclaimers that the roadshow information is not complete; (c) sending an electronic copy of the prospectus to each roadshow viewer in accordance with the guidelines contained in National Policy 11-201; and (d) controlling access to a roadshow, by using password protection or a similar mechanism, in order to ensure that all viewers are identified and have been offered a prospectus.

This paper is an abridged version of a chapter in Annual Review of Law & Practice, 2014, Continuing Legal Education Society of British Columbia.

About BLG

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.