Friday, October 20, 2017

CRTC finds CASL to be constitutional in CompuFinder challenge

On October 19, 2017, the CRTC issued its decision in a constitutional challenge to CASL brought by CompuFinder. You may recall that in 2015, the CRTC levied the largest penalty to date -- $1.1 million -- against CompuFinder. (My previous blog post.) The company challenged the constitutionality of the legislation, primarily on the grounds that it is ultra vires federal jurisdiction (outside of powers granted to the federal parliament under the constitution) and that it violated s. 2(b) of the Charter and could not be saved by s. 1.

For the non-lawyers out there, a law can violate Charter rights but can still be upheld if the infringement is justifiable using s. 1:

1. The Canadian Charter of Rights and Freedoms guarantees the rights and freedoms set out in it subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.

The framework for s. 1 analysis set by the Supreme Court requires all of the following to be met for a limitation on a constitutionally-guaranteed right to be upheld:

1. The limit must be prescribed by law

2. There must be a pressing and substantial objective

3. The means must be proportional
a. The means must be rationally connected to the objective

b. There must be minimal impairment of rights

c. There must be proportionality between the infringement and objective

In my personal view, the decision is incorrect in a number of ways. I think the Commission suffered the same issue that plagues much of the discussion of CASL: the use of the word "spam" in its colloquial sense when the focus really needs to be on what the law really regulates: commercial electronic messages. It is comparing apples to oranges, and statistics like "spam is down in Canada" is only slightly useful in the discussion.

I think the Commission was dramatically wrong in finding that there was a minimal impairment of constitutional rights. This generally asks whether the restriction unduly limits speech or expression that is outside of the scope of the "pressing and substantial objective."

In its decision (Compliance and Enforcement Decision CRTC 2017-367 | CRTC), the CRTC agreed with the government regarding the law's objective:

108. The government’s objective in enacting CASL is revealed within the title of the Act: “to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities….”

109. The Act is clearly focused on e-commerce in Canada as a whole. This is expanded on in the objective clause of the Act (section 3).

110. In the Commission’s view, it is clear that the government’s objective is pressing and substantial. The factual evidence put forward by the Attorney General is detailed and convincingly supports this conclusion. There is an abundance of literature, analyses, reports, and statistical evidence that demonstrate the existence of spam and other electronic threats, the impact that they have on Canadian businesses and consumers, and how countries around the world have been compelled to introduce legislation to address these threats.

Note again the use of the word "spam". The law regulates and generally prohibits "commercial electronic message" and its main defect -- in my view -- is that it goes after "spam" by limiting legitimate expression that is not "spam" and that has little if anything to do with harming confidence in electronic commerce.

However, the Commission did not follow CompuFinder's argument that the law is not minimally impairing.

152. CompuFinder’s argument at this stage is essentially that CASL’s CEM prohibition regime is overbroad, capturing more forms of expression than are necessary to achieve the statute’s purpose.

153. The Attorney General did not directly respond to each specific allegation of the law’s overreach. Instead, its main response to the overbreadth arguments raised by CompuFinder is that the Act does not impose a total ban on the sending of CEMs. Persons wishing to send commercial messages are not barred from using the Internet or email to advertise. In addition, the exceptions and exemptions to the general prohibition contained in section 6 of CASL act as levers that further limit the infringement of freedom of expression.

154. The Commission notes that, as indicated by the Supreme Court in JTI-Macdonald Corp., when interpreting these exceptions and exemptions, specific words should not be considered in isolation; rather, the interpretation must be guided by Parliament’s objective and its global intention sought.

155. In the case of CASL, Parliament’s concern was to combat a multitude of electronic threats that could have deleterious effects on Canada’s e-economy, Canadian businesses, and Canadian Internet users. In pursuing its objectives, Parliament has deliberately narrowed, and empowered the Governor in Council to make regulations narrowing, the applicability of the Act to certain commercial activities (as defined in subsection 1(1) of the Act), and enacted a long series of exceptions, exclusions, and limitations to the application of prohibitions on the sending of CEMs.

156. Examples of these exceptions can be found in subsections 6(5) and 6(6) of CASL and in the provisions regarding excluded messages in section 3 of the Governor in Council regulations. As a result of these and other exceptions and exemptions, the prohibition in section 6 of CASL does not apply to numerous types of CEMs, including those sent by or on behalf of an individual who has a personal or family relationship with the recipient, those consisting of an inquiry relating to a commercial activity engaged in by the recipient, certain notice-giving or transactional messages, and certain intra-organizational and inter-organizational messages.

157. Further, given that, in cases of ambiguity, claims of overbreadth may be resolved by appropriate interpretation, where the application of these exceptions and exclusions are potentially ambiguous, and such ambiguity could potentially lead to overbreadth of the provisions in question, they must be interpreted in the manner that would result in the least possible intrusion upon protected expression, while also respecting the intention of Parliament.

158. Accordingly, the Commission agrees with the Attorney General that the expression limited by CASL is substantially lessened as a result of its exceptions and exemptions. These exceptions, when taken as a whole, significantly narrow the application of section 6 and, as a result, on a balance of probabilities, the impugned provisions do not impair free expression more than necessary to achieve the objectives of CASL. In these circumstances, the limitations on the sending of CEMs, are not unreasonable in light of their legislative purpose.

I disagree with this overall, but I am particularly concerned with what the Commission said in paragraph 157. It essentially said that the law can be made constitutional in some cases by erring on the side of a constitutional interpretation in the event of any ambiguity. That essentially says that the law can remain constitutional because the CRTC enforcement folks can interpret in a manner that scales back its overbreadth. I don't think I know anyone who practices in this area who thinks that the CRTC enforcement folks can be counted on to do that.

I remain of the view that CASL is overbroad and unduly limits protected expression that has nothing to do with protecting consumer confidence in e-commerce. The Commission's decision doesn't change my mind on that at all, and it will be interesting to see if this particular case goes any further.

Thursday, October 19, 2017

My comments on Nova Scotia's Intimate Images and Cyber-protection Act

Note: Because of very short notice, I will not be able to appear at the Nova Scotia Legislature's Law Amendments Committee to provide my views on Nova Scotia's new cyberbullying law. Here are my written comments that will be sent to the Committee for their consideration.

Thank you for the opportunity to provide my views on Bill 27, the Intimate Images and Cyber-protection Act.

I am a lawyer with McInnes Cooper whose practice is focused on internet and privacy law matters. I need to emphasise from the outset that these are my own personal and professional comments, and do not necessarily represent the views of my firm, its clients or any other organizations with which I am associated. I have been practicing in this area of law for over fifteen years. In this context, I am perhaps best known as being a vocal critic of the Cyber-Safety Act and being the lawyer who argued in Court that the old Act was unconstitutional.

If I could first comment on a matter of process, I am disappointed that I am not able to appear before the committee and answer any questions you may have. When this bill was first considered on October 16, 2017, I had less than one business day’s notice of the hearing and was out of town. I was advised on Thursday, October 19 that it would be before the committee on Monday, October 23. That’s one and a half day’s notice and I will be out of town on Monday. If the government were serious about getting this right, surely it would make it easier for experts to appear on the Bill. I am sure the Committee would benefit from testimony from Canadian Civil Liberties Association or the Canadian Bar Association, but these organizations can’t just drop tools, consult with their stakeholders and develop a coherent and helpful position with that kind of notice. I can name  at least five people who have immense expertise in the field of civil rights, cyberbullying, restorative justice and youth suicide who this Committee and Nova Scotians should hear from, but none will have a chance to provide their well-informed and expert views. I do not know if this is peculiar to this bill, but it certainly was the case with the original Cyber-Safety Act and Nova Scotians have suffered as a result.

In the meantime, the government has had a number of targeted consultations. I did meet with Justice officials twice to provide my views, with the final meeting commenting on a draft of the bill. I had some misgivings then which I’ll share with you today.

As I mentioned, I was the lawyer in the case that resulted in the Cyber-Safety Act being declared unconstitutional. I was previously very critical of the law and the former Premier said he “could not disagree with me more”. When that quote was posted by the CBC on their website, that cyberbullied me according to the law’s definition.

While the law was declared unconstitutional on December 10, 2015, it was unconstitutional on the day it was introduced on April 25, 2013, fewer than three weeks after the tragic death of Rehtaeh Parsons.

I stood up in court and called the Cyber-Safety Act a “dumpster fire”. Justice McDougall called it, much more politely, a “colossal failure” as far as the Charter is concerned.  

I argued, and the Court agreed, that the law had two principal failures. The first was that the definition of “cyberbullying” was far, far too broad and would include anything that could hurt someone’s feelings (including legitimate, political speech). The second failure was that a complainant could get a protection order without the alleged cyberbullying ever having an opportunity to defend themselves. The justice of the peace would make a decision on the basis of only hearing one side of the case. And the first that the respondent would hear of it would be when a police officer would show up at their house -- usually at night -- and serve them with the order.

I think both of these issues have been addressed in the new Bill. The definition of “cyberbullying” raises the bar much, much higher. It may be too high, by requiring “malice”, but it does capture communications that are intended to harm the victim. The issue of procedural fairness has certainly been addressed, but I am afraid the pendulum may have swung too far the other way.

The way the Bill sets it out, a victim of cyberbullying has only one option: to commence an application in the Supreme Court of Nova Scotia following the Nova Scotia Civil Procedure Rules. I have 100% confidence in the fairness of a judge of the Supreme Court. But forcing a victim of cyberbullying to start a conventional lawsuit will represent a huge barrier to access to justice.

What I am saying is completely contrary to my own pecuniary self interests. I am a lawyer who practices law in this area. My law partners much prefer that I charge clients for my time and for my services. We have a great pro bono program -- I think it’s one of the best in the country of any law firm that I am familiar with -- but I am not able to take the cases of all victims of cyberbullying. Going to the Supreme Court requires that a victim understand and follow Civil Procedure Rules. They’ll have to read and understand Rules 5, 4, 5, and 6. They have to prepare a notice of application in court and an affidavit, all according to the rules. They’ll have to hire a process server to serve the documents on the respondent. They likely have to be in court across from their tormentor to schedule the next steps and the court hearing. They get a written affidavit from the respondent. They can then maybe file another response affidavit. They can maybe cross-examine the respondent outside of Court, assuming they are in a position to pay a court reporting service to transcribe the cross-examination on an expedited basis. Then they have to file their brief. And then they have their day in Court, except they never get to directly tell a judge their story. They don’t get to testify on their own behalf, since their testimony is only in their affidavit.

I would expect it would cost at least $10,000 for me to represent an applicant in this process. That is daunting. But what’s equally daunting is the prospect of a traumatized cyberbullying victim having to find, let alone understand and precisely follow, the civil procedure rules. That greatly troubles me and I think it should trouble you.

The legislature should seriously consider a different approach. I do not think I have all the answers, but I would suggest that the legislature should consider a less formal approach that still preserves the procedural fairness that was lacking in the old Cyber-safety Act. While the procedure for a peace bond is not without its shortcomings, there should be a procedure through which an applicant can go to court and tell their story. The respondent has the same right to know what is being alleged, to appear, to present their story and possible justification. If neither adduced evidence about some of the essential factors to be considered under the Act, the judge can ask them questions. And a decision follows. This can be before the Supreme Court of Nova Scotia or a judge of the Provincial Court.
I do agree with sidelining the CyberSCAN unit from enforcement of the law. In my experience and in my opinion, they were the wrong tool for the job. While perhaps not representative of all the people with whom they interacted, I consistently heard from and about people whose political or legitimate Charter-protected speech was removed from the internet because they bullied the people into removing it under threat of unspecified “legal action” that could include removing their internet access. It may have been a matter of who they hired for the role or how they were led, but the CyberSCAN unit was part and parcel of the speech suppression that the law represented. When I asked Roger Merrick how the CyberSCAN unit took the Charter into account in doing their jobs, I was told that the legislature took it into account when the bill was passed by this House. That was clearly incorrect.

I do think the CyberSCAN unit or some replacement of it could go good things. Education and awareness is important. Providing support to victims is important. I am sure that victims will need a lot of help in figuring out how to have their day in court, and they can be a resource for that.

One final concern that I have is that the legislation says that if the victim is a minor, their parent or guardian has to commence the application on their behalf. There should be a mechanism by which a minor can do this on their own. First of all, there may be a case where the case relates to intimate images and the minor does not want to tell their parents. Secondly, I can imagine a scenario where the parent is either the perpetrator or is unwilling to help the child. Some safeguard needs to be in place to give a child direct access to the courts.

I do want to take the opportunity to praise the manner in which the non-consensual distribution of intimate images is treated in the statute. By separating this from the definition of cyberbullying, it will effectively shield this from being struck down if the conventional cyberbullying aspect is found to be unconstitutional.

Again, I regret that there was not enough notice for me to appear in person and answer any questions by the Committee. However, I am easy to find and I would be pleased to discuss this important matter with any Committee members or their staffers.

Wednesday, October 11, 2017

Nova Scotia introduces new "secure" ID and licenses; fails to mention use of biometrics

The Government of Nova Scotia just announced that it is introducing new "secure" provincial ID cards and drivers licenses.

What they failed to mention in any of their press releases or in any of the media coverage is that the new system will incorporate facial recognition technology. How this will be used or controlled is still unclear.

I contacted the province, which confirmed the use of facial recognition, but was unable to provide me with any information about the incidence of forgery and fraud that they use to justify the new licenses.

Privacy geeks will recall that the provincial authority in British Columbia offered police the use of their massive biometric database to identify people involved in the Vancouver Stanley Cup riot. (Canadian Privacy Law Blog: ICBC offers up its drivers' license database (with facial recognition) to ID Vancouver rioters) Who controls the database and how it will be used is very important, and very unclear at the moment.

Added later: See below for some follow-up questions and answers.

Here's their media release:

New Secure Driver’s Licence and Photo ID Cards

Transportation and Infrastructure Renewal/Service Nova Scotia

October 10, 2017 12:44 PM

Nova Scotia driver’s licence and photo ID cards will soon be better protected against identity theft, fraud and forgery.

Nova Scotia and the three other Atlantic provinces, are introducing a new, highly secure driver’s licence and photo ID card. Starting in November, the cards will be printed at a central facility shared by all four provinces and mailed to clients within 14 days.

“The main reason for this change is to protect Nova Scotians against identity theft and fraud,” said Lloyd Hines, Minister of Transportation and Infrastructure Renewal. “These changes will help us keep pace with the latest security and technology advances, and bring us in line with the rest of the country.”

Nova Scotians do not need to get a new licence or photo ID card until their current one is up for renewal. Since the cards will no longer be printed at Access Nova Scotia Centres and Registry of Motor Vehicles offices, clients renewing their licence will be given a 30-day temporary document to use until their new licence arrives.

There will be a strict review process before cards are issued to help prevent fraud and identify theft. Highly advanced, anti-counterfeiting security features will also help ensure they cannot be copied using new printing technologies.

"As Nova Scotia's provincial police, the RCMP is pleased to see any initiative that decreases opportunities for fraudulent activity," says Chief Superintendent Marlene Snowman, Nova Scotia RCMP Criminal Operations Officer. "Police officers often rely on the validity of licence information for a variety of reasons so these changes will make a positive difference for frontline officers across the province."

Access Nova Scotia will start to move to the new process for driver’s licences and photo ID cards next month with full implementation expected to be in place by the end of December.

In December 2016, the four Atlantic provinces awarded Gemalto, a world leader in digital security, a five-year contract to produce and mail the driver's licences and photo ID cards.

There is no fee increase for the new driver’s licence and photo ID card. The new cards will be implemented over the next five years as driver’s licences expire.

Edit: I asked the government some follow-up questions and the Q/A is below ...

For more information, visit .

Edit: I had some follow-up questions for the government's spokesperson. Here are my questions and the answers:

The new IDs will bring NS in line with the cutting edge of security features. That being said, protecting the privacy of citizens remains a top priority. The sole purpose of the facial recognition is to help identify individuals attempting to obtain fraudulent duplicate IDs. The province has no authority to share it for any other purpose, with any other entity, unless ordered by the courts. To your specific questions:

1. Will the biometric database be managed by the contractor or by the government? Government

2. If by the government, which department? Transportation and Infrastructure Renewal and Service Nova Scotia.

3. Will the database for NS be combined with those of the other provinces? No

4. Was a privacy impact assessment carried out? If so, by whom? Was it reviewed by the Information and Privacy Commissioner? Yes, the PIA was conducted by Nicom IT and IAP Services (at the department of Internal Services) has participated in the process, reviewed and recommended for approval, also as per their usual practice. It will be provided to the Commissioner for their records.

5. Are there any policies in place or being developed for access to or use of the database, other than administration of the license/ID card system? No.

6. Will any contents of the database be provided to any other government and under what circumstances? No.

7. Will faces in the database be matched to any other database? No.

Friday, October 06, 2017

Nova Scotia introduces new anti-cyberbullying bill

On October 5, 2017, the Nova Scotia Liberal government introduced a new bill to replace the former Cyber-safety Act, which was struck down as unconstitutional (a "colossal failure", said the judge). The Intimate Images and Cyber-protection Act is the result of a serious re-think of all the defects found in the Cyber-safety Act.

Some important differences:

1. The bill has a much more narrow definition of "cyberbullying". The previous law would have considered anything done online that could hurt your feelings to be cyberbullying. In this version, the alleged cyberbully has to maliciously intend to cause harm or has to be reckless with regard to the risk.

(c) "cyber-bullying" means an electronic communication, direct or indirect, that causes or is likely to cause harm to another individual's health or well-being where the person responsible for the communication maliciously intended to cause harm to another individual's health or well-being or was reckless with regard to the risk of harm to another individual's health or well-being, and may include

(i) creating a web page, blog or profile in which the creator assumes the identity of another person,

(ii) impersonating another person as the author of content or a message,

(iii) disclosure of sensitive personal facts or breach of confidence,

(iv) threats, intimidation or menacing conduct,

(v) communications that are grossly offensive, indecent, or obscene,

(vi) communications that are harassment,

(vii) making a false allegation,

(viii) communications that incite or encourage another person to commit suicide,

(ix) communications that denigrate another person because of any prohibited ground of discrimination listed in Section 5 of the Human Rights Act, or

(x) communications that incite or encourage another person to do any of the foregoing;

2. Applications are no longer ex parte. The accused cyberbully has to be given notice of the application and is given an opportunity to appear and respond to the allegations. This fixes the Charter s. 7 defect in the old law.

3. There are a range of defences available. One defect identified in the old Cyber-safety Act was that there were no defences available to an allegation of cyberbullying. In the new bill, there are a few that are intended to protect freedom of expression:

7(2) In an application for an order respecting cyber-bullying under this Act, it is a defence for the respondent to show that

(a) the victim of the cyber-bullying expressly or by implication consented to the making of the communication;

(b) the publication of a communication was, in accordance with the rules of law relating to defamation,

(i) fair comment on a matter of public interest,

(ii) done in a manner consistent with principles of responsible journalism, or

(iii) privileged;

(c) where the respondent is a peace officer acting in the course of the peace officer's duties, that the communication was necessary to prevent a crime or discover, investigate or prosecute the perpetrators of a crime and did not extend beyond what was necessary;

(d) where the respondent is a public officer acting in the course of the duties of the public officer's office, that the communication was necessary to fulfil the duties of that office and did not extend beyond what was necessary.

4. The bill addresses the non-consensual distribution of intimate images separately, which is a good thing. The language for this is essentially drawn from Criminal Code offence of distributing an intimate image without consent, but this bill provides civil remedies including an order for removal.

5. The CyberSCAN unit has no role in enforcement. I heard about a number of instances where the CyberSCAN unit itself bullied people to remove political content, so taking away their ability to do that is a good thing. The downside is that individuals don't have a publicly-funded organization that they can look to for legal remedies.

6. The remedies are all self-help. Applications for orders and damages go only to the Supreme Court of Nova Scotia, using the usual processes for applications under the complicated civil procedure rules. This will lead to self-represented litigants getting lost in the civil justice system or having to hire lawyers. I think I would have preferred a simplified process, similar to a peace bond, in the Nova Scotia Provincial Court.

7. Orders to prevent the identification of victims are virtually automatic. A publication ban to protect the identity of the complainant is automatic if the applicant is a minor and will automatically be granted on request to an applicant related to an intimate images proceeding. This is a good thing, as putting discretion in the hands of the court would discourage applicants from coming forward. They can proceed knowing their identity is protected and they will not be re-victimized by the court process.

8. The bill seems to anticipate possible diversion to restorative justice. How this will play out is anyone's guess, but it makes sense to encourage diversion where appropriate.

I expect I'll have more comments on it as I fully digest it, but these are the principal differences between the old and the new.

The government appears to be planning to spend the next few months consulting publicly, with the bill slated to pass in the spring of 2018.