Big Data: Legal Aspects under Canadian Law

Nov. 3, 2015, 2:35 PM UTC

“Big Data” refers to datasets whose size is beyond the ability of typical database software tools to capture, store, and analyze.1 In an October 2014 speech delivered at the Canadian Institute for the Administration of Justice, Patricia Kosseim, Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch at the Office of the Privacy Commissioner of Canada, remarked that, while Big Data is not a new technology, it is a new technological trend that allows for the “[processing] of huge volumes of data across varying sources, using much more powerful algorithms, to identify underlying patterns and correlations that can predict future outcomes.”2 It comes as no surprise, therefore, that businesses, advertisers, policy-makers, and researchers are increasingly using Big Data to spot and exploit trends.

This rise in the collection and use of Big Data has led many to question whether current Canadian law can meet the need to regulate an industry where private information can be exposed and capitalized upon. Companies and technology professionals are also keen to learn how and to what extent they can protect and use this increasingly valuable economic asset.

This Special Report addresses three of the areas where the law and Big Data intersect: intellectual property law, regulatory law, and contract law.

Intellectual Property Ownership and Big Data

Copyright in Databases

It is an established principle of Canadian copyright law that copyright cannot exist in ideas or data alone.3 However, it can apply to certain forms that data takes, such as tables, graphs, or databases.

The Copyright Act4 is the governing statute for copyright law in Canada. Under the Copyright Act, copyright exists “in every original literary, dramatic, musical and artistic work”. Following the 1993 North American Free Trade Agreement Implementation Act,5 the Copyright Act was amended to expressly protect “compilations”. The definition of “compilation” includes works that “[result] from the selection or arrangement of data.”6 Therefore, assessing the originality of the selection or arrangement of the data is key to determining whether or not copyright exists in a database.

This question was addressed at the Federal Court of Appeal in the 1997 case Tele-Direct (Publications) Inc. v. American Business Information, Inc.7 Tele-Direct claimed copyright in respect of the organization of subscriber information and the collection of additional data contained in “Yellow Pages” directories published by Tele-Direct. Two of the main issues before the Court were: 1) what was the correct approach for assessing the originality of a compilation, and 2) whether the compilation involved a sufficient degree of skill, judgment, or labour to qualify for copyright protection.8

The Court held that the selection or arrangement of data results in a protected compilation only if the end result qualifies as an original intellectual creation. For a compilation of data to be original, it must be a work that was independently created by the author, and display at least a minimal degree of skill, judgment and labour in its overall selection or arrangement.9

In 2004, the issue of originality in the context of copyright reached the Supreme Court in the landmark case CCH Canadian Ltd. v. Law Society of Upper Canada.10 While the case was not directly about databases, it dealt with the threshold for “originality”. In the case, the Court rejected both the “sweat of the brow” test for originality, as well as the U.S. favoured test that originality requires a work to be independently created and possess some minimal degree of creativity.11 Instead, the Court held that, for a work to be considered “original,” it must be the product of an author’s exercise of skill and judgment.12 Furthermore, the skill and judgment required to produce the work must not be so trivial that it could be characterized as a purely mechanical exercise.13

The Copyright Act entitles the copyright owner to “the sole right to produce or reproduce the work or any substantial part thereof in any material form whatever.”14 If a copyright is infringed, the owner of the copyright is also entitled to all remedies by way of injunction, damages, accounts, delivery up and otherwise that are or may be conferred by law for the infringement of a right.15

While certain protections for database owners exist under the Canadian copyright regime, claims for copyright infringement of databases raise practical problems. Because infringement occurs only when the whole or a “substantial” part of the work is reproduced (as outlined in the Copyright Act), copying a small selection of records from a large database may not infringe at all, and the individual facts themselves are never protected. Furthermore, merely accessing or querying a database, without reproducing a substantial part of it, is unlikely to engage the Copyright Act, either.

Copyright in Software

While information in a database cannot be copyrighted, data integration software, database management systems, and data analytics software can be copyrighted as “computer programs” under the Copyright Act.

A “computer program” is considered a “literary work” for purposes of the Copyright Act, and is defined as “a set of instructions or statements, expressed, fixed, embodied or stored in any manner, that is to be used directly or indirectly in a computer in order to bring about a specific result”.16 Therefore, infringement would occur where a computer program is copied without authorization from the owner of the copyright.

The Copyright Act provides some exceptions for use of computer programs that would otherwise be infringement under the Copyright Act. This includes copying for purposes of a backup,17 as well as copying a program once for the purposes of making it compatible with a computer that is solely for personal use.18 The term “software” has also been given a broad meaning to include data files.19

It is important to note that the same standards of originality apply when determining whether a computer program is subject to copyright protection. For example, in Delrina Corp. v. Triolet Systems Inc., the Ontario Court of Appeal held that computer programming that is dictated by the operating system or reflects common programming practices is not original expression and will not receive copyright protection.20 The Federal Court has also held that, as a general principle, the owner of the copyright in a computer program does not have copyright in the user’s data, unless there is an agreement stating otherwise.21

No Database Right in Canada

There is no stand-alone database right in Canada — meaning the creator of a database is afforded no protection beyond what copyright provides for an original selection or arrangement. This is a marked difference from the European Union, where the EU Database Directive22 provides two tiers of protection. First, databases which, “by reason of the selection or arrangement of their contents constitute the author’s own intellectual creation”, are protected by copyright, and the author holds the exclusive right to authorize any temporary or permanent reproduction.23 Second, and independently of originality, a sui generis database right protects the maker of a database who has made a substantial investment in obtaining, verifying or presenting its contents against the extraction or re-utilization of all or a substantial part of those contents.

While some lobbying efforts have occurred to institute a similar policy in Canada,24 the strongest statutory intellectual property protections for databases continue to flow from the Copyright Act and surrounding case law.

Patentability of Software

Canada’s Patent Act25 does not specifically mention “software”, which is generally considered by the Patent Office to be an “abstract scheme” and consequently not an invention that can be patented.26 However, if software does more than just calculations, it may be patentable. Specifically, computer programs integrated with hardware could receive patent protection, as could programs that produce an outcome based on recovered data.27

Regulating Big Data

Federal Personal Information Protection and Electronic Documents Act

In Canada, data protection is the principal area of regulation when it comes to capturing and storing personal information. Data protection is governed by both federal and provincial legislation. The federal Personal Information Protection and Electronic Documents Act28 (“PIPEDA”) came into full force in 2004 and regulates how organizations and businesses collect, use, and disclose personal information in the course of commercial activities.29

PIPEDA’s stated purpose is to:

establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.30

Under PIPEDA, organizations must obtain an individual’s consent when they collect, use, or disclose an individual’s personal information.31 “Personal Information” is defined broadly and includes any information about an identifiable individual, other than basic information about employees of an organization.32 Personal information can be used only for the purpose for which it was collected, and individuals also have a right to access personal information held by an organization.

Of particular note in terms of Big Data is that PIPEDA allows for implied consent, depending on the sensitivity of the information being collected.33 As such, a key question is whether notices are clear enough such that Big Data processes can be reasonably anticipated by users based on that notice.34

The federal government can also exempt certain organizations from PIPEDA if provinces in which they operate have adopted substantially similar privacy legislation — to date, this includes Quebec, British Columbia, and Alberta, and, in matters relating to health care, Ontario, New Brunswick, and Newfoundland and Labrador.35 As a result, PIPEDA does not apply to certain entities in these provinces, but it will still apply to all interprovincial and international activities.

PIPEDA also sets out a code for the protection of personal information and lists 10 principles that businesses must abide by:

  • accountability;
  • identifying purposes;
  • consent;
  • limiting collection;
  • limiting use, disclosure, and retention;
  • accuracy;
  • safeguards;
  • openness;
  • individual access; and
  • challenging compliance.36

Amendments to PIPEDA

There is no question the world has changed since PIPEDA was enacted. While PIPEDA brought about a broad, national regulatory framework, it is questionable whether it is up to the task of handling the challenges of changing technology and Big Data. In the roughly 10 years since PIPEDA came into full force, huge technological developments have occurred. The explosion of social media, as well as the ability to track Internet usage and collect personal information, has created new data at a staggering rate. According to a 2013 report by IBM, 2.5 quintillion bytes of data are created daily and 90 percent of the world’s data that exists today was created in the last two years.37 Canadians have done their part — averaging approximately 40 hours a month online (twice the world average).38

With the changes and growth of Big Data, some have questioned whether the compliance and enforcement provisions in PIPEDA are strong enough to ensure compliance as the value of tapping into personal information grows. The Office of the Privacy Commissioner of Canada released a position paper calling for substantial changes to PIPEDA to address the challenges of Big Data and the growing number of Internet companies looking to cash in on the “treasure trove” of personal information they have amassed.39 Jennifer Stoddart, the Privacy Commissioner at the time of the report, stated in announcing the position paper that “the purpose of our privacy law … is no longer being met … [it] lacks mechanisms strong enough to ensure organizations invest appropriately in privacy”.40

On June 18, 2015, Bill S-4, better known as the Digital Privacy Act,41 received Royal Assent and is now law, although several sections have yet to come into force. The Digital Privacy Act makes significant changes to PIPEDA, including requiring mandatory breach reporting to both the Privacy Commissioner and the affected individuals, and instituting additional fines of up to C$100,000 (U.S.$77,234).

Key amendments to PIPEDA that organizations should be aware of include the following:

The Definition of ‘Consent’ Has Changed

While PIPEDA specified that knowledge and consent were required, the Digital Privacy Act adds the additional requirement that it must be reasonable to expect that the individual understands what he or she is consenting to, i.e., that he or she understands the nature, purpose and consequences of the collection, use or disclosure. Clear, simple language should be used when requesting consent, particularly when dealing with vulnerable populations such as children.

Breach Reporting to the Commissioner Will Become Mandatory

The Digital Privacy Act introduces, for the first time, mandatory reporting at the federal level in Canada. The Commissioner must be notified of any breach that creates a real risk of significant harm to an individual. The definition of significant harm is broad, and includes bodily harm, humiliation and damage to reputation, as well as identity theft and financial loss, among others. The breach must be reported “as soon as feasible”, although how the Commissioner evaluates what constitutes an appropriate timeframe has yet to be determined. This requirement will come into force by Order in Council, at an unspecified date.

Organizations Will Be Required to Report Breaches to the Impacted Individuals (not yet in force)

All individuals who may reasonably face a real risk of significant harm from the breach must also be notified directly and “as soon as feasible” following the breach. This notification must allow the individual to understand how the breach may impact him or her and what steps he or she can take to reduce or mitigate the risk, as the case may be. This requirement will come into force by Order in Council, at an unspecified date.

The Commissioner May Report Breaches to the Public

Prior to the Digital Privacy Act, the Commissioner had a narrow power to make any information relating to personal information management practices public if it was in the public interest. The Digital Privacy Act significantly broadens this power to include any information that comes to the Commissioner’s knowledge during the exercise of his or her powers or duties.

Failure to Report a Breach or a Lack of Record-Keeping May Result in Significant Fines

The Digital Privacy Act introduces fines of up to C$100,000 (U.S.$77,234) for failing to report any breach to both the Commissioner and the impacted individual as soon as feasible after the breach. Organizations may also be fined up to C$100,000 (U.S.$77,234) for failing to maintain records of any breach. It is not yet clear how these provisions will be interpreted — whether the C$100,000 (U.S.$77,234) limit will apply per organization, per breach event, per individual affected, or in some other way. For example, if 10 subscribers’ personal information was taken from an organization on two different days, and the breaches were not reported, the maximum fine might be C$100,000 (U.S.$77,234), C$200,000 (U.S.$154,469), C$1 million (U.S.$772,344) or possibly some other number.

Cross-Border Transfer of Big Data

The transfer of personal information outside Canada is often undertaken by sending physical files, sending digital copies, or storing information on remote servers. Increasingly, Big Data is transferred and stored on remote servers outside Canada, or “in the cloud”. Organizations need to be cautious of the implications that transferring Big Data (in particular, data containing personal information) outside Canada creates. Most importantly, the legislative matrix that regulates the data will likely change and notification obligations may be imposed.

The federal Privacy Commissioner has noted that, where personal information is transferred to a foreign third party, that information is subject to the laws of the foreign country, and no contract or contractual provision can override those laws. Thus, the Commissioner has stated that, while consent is not required, at the very least, an organization in Canada that transfers personal information to a foreign third party should notify affected individuals, depending on the sensitivity of the personal information, that their information may be stored or accessed outside Canada and of the potential impact this may have on their privacy rights.

Unlike PIPEDA, Alberta’s Personal Information Protection Act42 makes it mandatory for organizations to notify individuals before transferring their personal information to a service provider outside Canada. One issue that this could create in business transactions is that notifying individuals of the collection, use or disclosure of their personal information during a business transaction may breach non-disclosure or confidentiality agreements between the transacting parties. Weighing notification requirements under any applicable privacy legislation alongside confidentiality obligations requires a thorough risk analysis.

The Future of Regulation

While PIPEDA will likely continue to be the chief source of regulation for Big Data in the near term, changes may be on the way through both domestic and international regulatory efforts.

For example, at the October 2014 International Conference of Data Protection and Privacy Commissioners, the Office of the Privacy Commissioner of Canada, along with a host of other national data protection authorities, endorsed the Global Cross Border Enforcement Cooperation Arrangement, which aims to foster data protection compliance by organizations processing personal data across borders.43 The Arrangement encourages cooperation between enforcement authorities by facilitating the sharing of information about enforcement-related activity and investigations and, where appropriate, the coordination of enforcement efforts.44 At the same conference, a resolution on Big Data was also adopted which outlined the ramifications that Big Data can have on privacy, and called upon all parties making use of Big Data to, among other things, obtain valid consent, support transparency, and provide individuals access to information collected about them.45

Aside from these international efforts, on the domestic front, more provinces could enact PIPEDA-like legislation, and other legislation may have indirect impacts on the regulation of Big Data. For example, the highly controversial Bill C-51 (enacted as the Anti-terrorism Act, 2015, which received Royal Assent in June 2015) expands the ability of Canadian government agencies to share personal information with one another, as well as the mandate of the Canadian Security Intelligence Service, in order to combat terrorism.46

Contracting and Big Data

In addition to intellectual property rights and regulatory processes, an important part of the legal landscape when it comes to Big Data is contract law.

When entering into a contract dealing with data — whether it be licensing, ownership, or risk allocation — parties can add both flexibility and certainty to their data management processes that go beyond the confines of legislation such as the Copyright Act and PIPEDA. This includes the ability to determine who owns the data, who it can be shared with, and to what extent it can be used.

However, contracts are limited in that they provide rights that are enforceable only against the other parties to the contract, not third parties. So, while contracts can play an important role in managing risk and ensuring compliance with various regulatory regimes, parties cannot simply contract away obligations in jurisdictions where they fall under the application of data and privacy laws.

For example, where personal information is transferred to a foreign third party, that information is subject to the laws of the foreign country, and no contract or contractual provision can override those laws. Of particular concern has been the USA PATRIOT Act,47 under which U.S. authorities can compel access to data held by organizations subject to U.S. jurisdiction, including data stored on servers in the U.S.

For this reason, the Privacy Commissioner of Canada issued the following guidelines:

  • Canadian-based organizations are obliged to ensure a comparable level of protection when storing or transferring data outside Canada. This means generally having a contract or contractual provision in place to protect, to the extent possible, the confidentiality and security of the personal information while in the hands of the foreign service provider;
  • Depending on the sensitivity of the personal information, organizations should notify individuals that their information may be stored or accessed outside Canada and of the potential impact this may have on privacy rights; and
  • Organizations should be transparent about their handling and security policies and practices involving personal information stored or transferred outside Canada.

Ensuring adequate contractual provisions are in place to protect both the information and the organization should play an important part in any business transaction that involves personal information and privacy legislation.

In light of the above, some of the things to consider when drafting an agreement include the following:

  • Covenants should comply with applicable data privacy legislation, regulations, and related policies;
  • The agreement should contain comprehensive records management provisions in respect of retaining, storing, and disposing of particular records;
  • The agreement should include express, positive obligations to promptly provide the other party with incident notifications — including for data security breaches and privacy breaches — so that the receiving party can in turn meet its own statutory reporting deadlines;
  • Background checks ought to be considered for personnel who will, or are reasonably anticipated to, have access (including remote access) to any sensitive information;
  • The agreement’s governance framework must contain a very clear accountability framework for the management and escalation of data integrity and security concerns and incidents. Building in preventative and anticipatory response mechanisms will be paramount;
  • Although privacy obligations are, to an extent, mandated by legislation, the agreement can and should impose comparatively greater obligations, and should be quite prescriptive;
  • The agreement should consider cyber insurance, if appropriate, that includes privacy liability coverage and cyber liability coverage; and
  • Risk allocation provisions will be very important. The interplay of representations, warranties, indemnities and limitations of liability is generally hotly contested in the area of cybersecurity because the jurisprudence is still emerging.

The consequences for failure to comply with data privacy legislation can impact all aspects of a business, and can lead to regulatory fines and penalties, class actions, and shareholder actions. Ensuring contracts limit exposure to these types of consequences should be a priority when it comes to transactions that include personal information.

Conclusion

As the authors of an oft-cited article in Foreign Affairs put it:

Big data is poised to reshape the way we live, work, and think. A worldview built on the importance of causation is being challenged by a preponderance of correlations. The possession of knowledge, which once meant an understanding of the past, is coming to mean an ability to predict the future. The challenges posed by big data will not be easy to resolve.48

From understanding their customers to targeting advertisements, opportunistic companies are seeking out ways to monetize the vast amounts of data being generated today. This will have major ramifications not only for privacy and the information that exists about individuals in databases, but also for the legal mechanisms that must protect and regulate an entire industry some have called the “oil” of the next generation.
