<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Slaw&#187; Tamir Israel</title>
	<atom:link href="http://www.slaw.ca/author/israel/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.slaw.ca</link>
	<description>Canada&#039;s online legal magazine</description>
	<lastBuildDate>Wed, 23 May 2012 22:54:38 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Bill C-12: Safeguarding Canadians&#039; Personal Information Act &#8211; Eroding Privacy in the Name of Privacy</title>
		<link>http://www.slaw.ca/2012/03/23/billc12-safeguarding-privacy-by-eroding-it/</link>
		<comments>http://www.slaw.ca/2012/03/23/billc12-safeguarding-privacy-by-eroding-it/#comments</comments>
		<pubDate>Fri, 23 Mar 2012 08:33:59 +0000</pubDate>
		<dc:creator>Tamir Israel</dc:creator>
				<category><![CDATA[Substantive Law: Legislation]]></category>
		<category><![CDATA[Technology: Internet]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[C-12]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[PIPEDA]]></category>
		<category><![CDATA[Privacy Law]]></category>

		<guid isPermaLink="false">http://www.slaw.ca/?p=45355</guid>
		<description><![CDATA[<p>The Government has recently announced its intention to focus on Bill C-12, the <a href="http://www.parl.gc.ca/content/hoc/Bills/411/Government/C-12/C-12_1/C-12_1.PDF"><em>Safeguarding Canadians&#039; Personal Information Act</em></a>, its attempt to update PIPEDA in accordance with the statute&#039;s last 5 year review (which incidentally was conducted over 6 years ago). Bill C-12 is a lackluster piece of privacy protection that, in spite of its name, arguably does far more to erode privacy than it does to enhance it. One commentator even dubbed its last incarnation the &#039;<a href="http://www.michaelgeist.ca/content/view/5059/125/">anti-privacy privacy bill</a>&#039;. As the legislation can be expected to reemerge as early as two weeks hence, a few of its &#8230; <a href="http://www.slaw.ca/2012/03/23/billc12-safeguarding-privacy-by-eroding-it/" class="read_more">[more]</a></p>]]></description>
			<content:encoded><![CDATA[<!-- no icon for 'Substantive Law: Legislation' --><!-- no icon for 'Technology: Internet' --><p>The Government has recently announced its intention to focus on Bill C-12, the <a href="http://www.parl.gc.ca/content/hoc/Bills/411/Government/C-12/C-12_1/C-12_1.PDF"><em>Safeguarding Canadians&#039; Personal Information Act</em></a>, its attempt to update PIPEDA in accordance with the statute&#039;s last 5 year review (which incidentally was conducted over 6 years ago). Bill C-12 is a lackluster piece of privacy protection that, in spite of its name, arguably does far more to erode privacy than it does to enhance it. One commentator even dubbed its last incarnation the &#039;<a href="http://www.michaelgeist.ca/content/view/5059/125/">anti-privacy privacy bill</a>&#039;. As the legislation can be expected to reemerge as early as two weeks hence, a few of its more problematic elements are worth a brief look. I leave out some of the more beneficial elements of the legislation here, such as Clause 5, which will strengthen the consent requirements in PIPEDA. But these are few, far between, and largely outnumbered by the privacy-corrosive elements of the Bill.</p>
<p><strong>a. &#039;voluntary&#039; surveillance of customers<br />
</strong></p>
<p>While it appears that Bill C-30, the latest legislative attempt to update Canada&#039;s state surveillance capacity, is temporarily on hiatus, Bill C-12 touches on a number of the same issues by expanding the conditions under which companies can voluntarily share information with police. Currently, section 7(3)(c.1) of PIPEDA arguably operates as a blocking statute preventing organizations from voluntarily handing over customer information in situations where police have failed to demonstrate their &#039;lawful authority&#039; to request it.</p>
<p>The exact parameters of what &#039;lawful authority&#039; means remain unclear. As one commentator <a href="http://www.slaw.ca/2011/11/23/bill-c-12-and-lawful-authority/">notes</a>:</p>
<blockquote><p><em>&#8230;the term “lawful authority” has been fraught with conflicting interpretations, with some TSPs taking the position that it means a warrant or court order, and with courts struggling to determine its scope.</em></p></blockquote>
<p>Regardless of this ongoing confusion, the provision is important because it obligates telecommunications service providers (ISPs, mobile service providers, Google, Yahoo, YouTube, Blog hosting sites, etc.) to at least assess police demands for customer data with a bit of skepticism. Requests for vast amounts of sensitive data (&#039;we want to be able to copy all of your users&#039; <a href="https://www.eff.org/issues/nsa-spying">emails and web browsing at will</a>, without a warrant&#039;; &#039;we want to know <a href="http://cjlt.dal.ca/vol7_no2/pdf/scassa.pdf">which of your customers</a> were in downtown Ottawa from 5pm to 10pm last Thursday&#039;) are likely to be refused.<div class="toggle"></p>
<p>As matters currently stand, statistics confirm that TSPs tend to be cooperative and will hand over user data in response to <a href="http://www.michaelgeist.ca/content/view/6382/125/">94% of RCMP requests</a>. This &#039;voluntary sharing&#039; regime is troubling because it manages to avoid even the most rudimentary of oversight and tracking typically associated with police surveillance. Reports suggest <a href="http://www.hilltimes.com/news/news/2012/03/05/conservatives%E2%80%99-controversial-internet-surveillance-bill--c-30-could-be-%E2%80%98a-long/29813">tens of thousands of requests</a> for information are voluntarily complied with each year, and there is little information on the scope or parameters of these requests (although the majority of these are currently limited to subscriber identification information). Indeed, the only real oversight of this information sharing regime is the obligation on TSPs to limit disclosures to scenarios where &#039;lawful authority&#039; has been identified.</p>
<p>Bill C-12 erodes this obligation in a few ways. First, it broadens the entities covered by 7(3)(c.1) to include not only law enforcement agencies, but those requesting the information in order to perform &#039;policing services&#039; (Clause 6(6)). While purportedly aimed at facilitating community policing, this broadening is deeply concerning in light of increasing attempts in other jurisdictions to <a href="https://www.jiscmail.ac.uk/cgi-bin/webadmin?A2=surveillance;b1767e66.1203">outsource policing tasks</a> to private security firms, or even to <a href="http://www.guardian.co.uk/uk/2012/mar/02/police-privatisation-security-firms-crime">privatize policing</a> altogether. It also raises concerns in light of the vast amounts of customer surveillance currently envisioned for TSPs by other jurisdictions in the name of <a href="https://www.eff.org/deeplinks/2012/03/dangerously-vague-cybersecurity-legislation">cybersecurity</a>.</p>
<p>Second, it defines &#039;lawful authority&#039; in a rather vague manner as referring to &#039;any lawful authority other than&#039; a subpoena, warrant or court order (Clause 6(12)). This suggests that merely displaying a police badge might be enough to meet the &#039;lawful authority&#039; criteria, and TSPs are free to give away their customers&#039; data at will.</p>
<p>Finally, and perhaps most concerning, Bill C-12 immunizes organizations from any obligation whatsoever to even verify the validity of any lawful authority offered (Clause 6(12)).</p>
<p>Taken together, these provisions set the stage for a dramatic expansion of the TSP voluntary sharing regime currently in place well beyond the limited amount of subscriber identification information that is its current focus. This is in spite of the fact that the constitutionality of this information sharing has been questioned in <em>R. v. Trapp</em>, <a href="http://www.canlii.org/en/sk/skca/doc/2011/2011skca143/2011skca143.html">2011 SKCA 143</a>, where the Saskatchewan Court of Appeal found a reasonable expectation of privacy exists in voluntarily disclosed subscriber data (although see <em>Trapp&#039;s</em> sister case, <em>R. v. Spencer</em>, <a href="http://www.canlii.org/en/sk/skca/doc/2011/2011skca144/2011skca144.html">2011 SKCA 144</a>, which concludes there is no reasonable expectation of privacy in similar contexts &#8212; the ISP contractual terms being the operative difference). The incentives to expand this regime are already operating in other jurisdictions, and are sure to manifest in Canada soon. They may already be operative here. We would not know, as far from imposing even rudimentary reporting obligations, TSPs are prevented from ever disclosing such sharing has occurred without first seeking permission from the requesting agency (section 9(2.1) of PIPEDA).</p>
<p><strong>b. bypassing safeguards in the discovery process </strong></p>
<p>Another concerning element of Bill C-12 is the way in which it removes current PIPEDA provisions that limit the conditions under which TSPs and other organizations can hand over customer information in order to help someone sue one of their customers.</p>
<p>Clause 6(9) puts in place a &#039;litigation exception&#039; that will effectively bypass privacy safeguards carefully built into the discovery process. Currently, in order to obtain information relevant to a lawsuit from a non-party such as an ISP, litigants must convince the Court the information is relevant, that their lawsuit is <em>bona fide</em> and/or that they have a <em>prima facie </em>case, and that the information cannot be obtained from a more readily available source (see: <em>BMG Canada Inc. v. Doe</em>, <a href="http://www.canlii.org/en/ca/fca/doc/2005/2005fca193/2005fca193.html">2005 FCA 193</a>; <em>Warman v. Wilkins-Fournier</em>, <a href="http://canlii.ca/en/on/onscdc/doc/2010/2010onsc2126/2010onsc2126.html">2010 ONSC 2126</a>; and more recently <em>Voltage Pictures LLC v. Doe</em>, <a href="http://canlii.ca/en/ca/fct/doc/2011/2011fc1024/2011fc1024.html">2011 FC 1024</a>).</p>
<p>These safeguards are critical to ensure that the civil litigation system does not impact on rights to privacy and anonymous expression in a disproportionate manner. Prohibitions on voluntary information disclosures in this context are critical. Often, requests addressed to TSPs and similar companies for identification information are accompanied by legal threats (if you don&#039;t comply, we will include you in the lawsuit). There are few incentives in place for TSPs to undertake costly legal fights in these contexts. Absent legal protection, most are likely to simply hand over the data and be rid of the matter.</p>
<p>This is why other jurisdictions (and, until Bill C-12 came along, Canada) have in place legal protections preventing such disclosures. In the U.S., for example, absent a court order, handing over customer information to a civil litigant is a criminal <a href="http://www.law.cornell.edu/uscode/text/18/2702">violation</a> of the Stored Communications Protection Act, 18 U.S.C. 2702(a)(1), which holds that anyone &#034;providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.&#034; No litigation exception <a href="https://ilt.eff.org/index.php/Privacy:_Stored_Communications_Act">exists</a>.</p>
<p><strong>c. illusory breach notification obligations</strong></p>
<p>Finally, where Bill C-12 attempts to add some privacy protective measures by putting in place a desperately needed breach notification regime, it falls flat by severely <a href="http://www.piac.ca/privacy/change_data_breach_bill_to_notify_more_consumers_new_piac_report_1/">undermining the effectiveness of this regime</a>. One study of the regime, conducted by the Public Interest Advocacy Centre, <a href="http://www.piac.ca/privacy/change_data_breach_bill_to_notify_more_consumers_new_piac_report_1/">concludes</a> that the regime is &#034;too weak&#034; to ensure user expectations with respect to notification are met. This is in part because the legislation was drafted a few years back now, and has not kept up with proposals in other jurisdictions, and partly due to apparent efforts to avoid obligations to put in place costly technical safeguards to address breaches.</p>
<p>Breach notification is critical for a number of reasons. To begin with, it allows users of services to take corrective measures to avoid identity theft and related harms in scenarios where their personal data has been exposed. Second, it provides a valuable source of information regarding the scope and nature of cyber security breaches and the effectiveness of data security procedures. Finally, it puts in place important incentives for organizations to take adequate steps to ensure their users&#039; data is secure. The objectives of security breach notification (SBN) are summarized in the White House&#039;s recent <a href="http://www.whitehouse.gov/sites/default/files/privacy-final.pdf">privacy protection framework</a>:</p>
<blockquote><p><em>Notice helps consumers protect themselves against harms such as identity theft. It also provides companies with incentives to establish better data security in the first place. The SBN model is also gaining acceptance internationally as a performance-based requirement that effectively protects consumers.</em></p></blockquote>
<p>Currently, an organization that discovers a breach in safeguards has little incentive to tell anyone it has occurred. The counter incentives to disclosure are high &#8212; great embarrassment for the organization, potential loss of customers, potential regulatory scrutiny of existing safeguards to see if the problem has been adequately addressed, potential added regulatory obligations to adopt <em>further </em>safeguards beyond those adopted at great cost. Under such conditions, the only real incentive to disclose is the risk of getting caught knowingly hiding a breach.</p>
<p>In this sense the idea of implementing a breach notification regime is a good one, as 47 of the 52 U.S. states have found. Indeed, the U.S. has <a href="http://www.whitehouse.gov/sites/default/files/privacy-final.pdf">plans to enact federal breach notification legislation</a> as part of its cybersecurity strategy. The Europeans are similarly <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0010:FIN:EN:PDF">in the process of adopting</a> EU-wide data breach notification obligations.</p>
<p>The problem is that the breach notification regime sketched out in Clause 11 of Bill C-12 is designed in a manner that will impose on subjective organization decision-making so minimally as to be almost counterproductive.</p>
<p>To begin with, the standards employed by Bill C-12 are so high and subjective that they will provide minimal real incentive for companies to disclose specific breaches as they occur. C-12 employs a two-tier reporting structure, where all &#034;material breaches&#034; must be reported to the Privacy Commissioner, while whenever a breach imposes a &#034;real risk of significant harm&#034; onto an individual she must be notified.</p>
<p><strong><em>tier 2: real risk of significant harm</em></strong><em> (disclose to affected individuals)</em></p>
<p>As a starting point, the second &#039;real risk of significant harm&#039; reporting tier is problematic. The standard itself &#039;real risk of significant harm&#039; is significantly higher than that under consideration elsewhere. The US <a href="http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/data-breach-notification.pdf">proposal</a> (which will only apply to organizations with over 10,000 users) obligates user notification whenever it is reasonably believed that sensitive identifiable information has been accessed or acquired unless there is no reasonable risk of harm or fraud whatsoever. The EU proposal goes further, obligating organizations to notify users in any scenario where a data breach &#034;is likely to adversely affect the protection of the personal data or privacy&#034; of an individual (proposed <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0010:FIN:EN:PDF">Article 29</a>).</p>
<p>Second, the standard itself is far too subjective to be effective. Even well-meaning organizations faced with a decision &#8212; disclose that this breach occurred or not &#8212; will find it difficult to err on the side of disclosure given the many counter incentives in place. In this sense, subjectivity is likely to work against disclosure, particularly in scenarios that threaten the reputation of an organization or that may lead to forced regulatory adoption of expensive technical safeguards. Yet this second standard is subjective in the extreme as organizations are given an array of factors to weigh and counter-weigh.</p>
<p>&#039;Significant harm&#039; is defined to include &#034;bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record and damage to or loss of property&#034; (proposed sub-section 10.2(2)). This is a solid definition of significant harm, and should be credited for its inclusion of oft-ignored privacy harms such as humiliation, damage to relationships, and loss of professional opportunities. However, it remains left to organizations to decide which of these factors are implicated and whether the information in question is capable of, say, humiliation, or merely embarrassment.</p>
<p>To further complicate matters, proposed sub-section 10.2(3) of Bill C-12 defines &#039;real risk of significant harm&#039; as a product of two <em>other </em>factors: (a) the sensitivity of the information involved in the breach, and (b) the probability the information will be misused. Of these, the &#039;sensitivity&#039; factor is one that, historically, has proven a workable standard. Indeed, <a href="http://laws-lois.justice.gc.ca/eng/acts/P-8.6/FullText.html">Principle 4.3.4</a> of PIPEDA provides guidance on how to determine &#039;sensitive information&#039;:</p>
<blockquote><p><em>Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.</em></p></blockquote>
<p>This has been supplemented by court decisions as well as many findings by Federal and Provincial Privacy Commissioners. In this particular context, organizations will be able to draw on additional guidance from proposed sub-section 10.2(2).</p>
<p>The second factor &#8212; (b) the probability that the information will be misused &#8212; is not only subjective and difficult to quantify, but will in most cases be more or less impossible to determine. To begin with, the very term &#039;misuse&#039; undermines, to some extent, the list of factors defining &#039;significant harm&#039; and found in sub-section 10.2(2). Is it a <em>misuse</em> of information to reveal true facts that may harm an individual&#039;s reputation? Is it a <em>misuse</em> of information to expose an individual&#039;s true religious beliefs in a way that might humiliate her?</p>
<p>More problematic is the fact that <em>probability</em> of misuse will depend on whether the information falls into the hands of someone who is willing to take advantage of it. Excepting scenarios where it is clear that a specific set of information was purposefully targeted for access by an individual with nefarious intentions, this will by no means be evident. It is a staple of cybersecurity breaches that it is often unclear who breached a system and for what purpose. In other types of breaches, such as the paradigmatic &#039;lost USB key full of data&#039; scenario, it is equally uncertain precisely who ends up with the data and what they might do with it.</p>
<p>The worst impact of this factor, however, will be on cybersecurity. Many cybersecurity vulnerabilities are of a nature that can be exploited <a href="http://www.publicsafety.gc.ca/prg/em/ccirc/2011/in11-003-eng.aspx">without any trace being left behind</a>. When the vulnerability is eventually discovered, by an <a href="http://www.unrest.ca/peerjacking">industrious security researcher</a> or otherwise, there will typically be no indication whether it has been exploited yet or not, even where it involves <a href="http://www.unrest.ca/peerjacking">very sensitive financial information</a> that would be highly useful for fraud and identity theft. Given such ambiguities, this second factor is likely broad enough to <em>potentially </em>defeat many if not <em>any</em> data breach scenarios, particularly in situations where a vulnerability has been discovered, but it is not clear whether it has been exploited yet or not.</p>
<p>Why is this problematic? For one thing, the incentive to audit technical safeguards with a great deal of due diligence or face public outcry is significantly diminished where organizations know they will be able to address breach discovery internally. Second, where one organization discovers a breach, there is no obligation to disclose to the public so as to ensure that others do not <a href="http://www.unrest.ca/peerjacking">repeat the same mistake</a>. If discovered by an external security researcher, there is always the possibility the researcher will make the issue public, but in many cases organizations are more likely to issue legal threats against disclosure than to offer assistance in the reporting process.</p>
<p>The U.S. and E.U. proposals set the &#039;report to affected individuals&#039; bar far lower in an attempt to better capture these types of scenarios. However, there are problems associated with over-reporting to individuals as well &#8212; notification fatigue. Breaches have become frequent enough that individuals are likely to receive numerous notifications over time, and the likelihood of a remedial user response diminishes with each subsequent notification.</p>
<p><strong><em>tier 1: material breach </em></strong><em>(report to OPC)</em></p>
<p>Now, a properly calibrated two-tier breach notification system can alleviate these concerns. The first tier controls disclosure to a third party &#8212; the Privacy Commissioner of Canada, in our case &#8212; and is set at a significantly lower level in order to provide objective oversight over organization decisions to &#039;go public&#039;. Further, more rigorous reporting of breaches to a central body is important so that we can better understand the scope and nature of cybersecurity vulnerabilities. Finally, even low-level breaches can be indicative of security flaws that need to be addressed in order to avoid a more serious breach. This may strain OPC resources, but given the benefits of a reporting regime of this type, it is well worth the added effort.</p>
<p>Bill C-12 adopts a two-tier reporting obligation of this nature. However, the first reporting tier is not designed to meet this objective (seemingly in response to TSP concerns raised by the specter of costly regulator-imposed technical safeguards to remedy vulnerabilities revealed by breaches reported to the Privacy Commissioner). Instead of setting the first tier bar low, so as to catch the majority of breaches that might be of interest in light of the objectives identified above, Bill C-12 is carefully designed to ensure it imposes neither a higher, nor a lower standard than that found in tier two. This means that some breaches may qualify as posing a &#039;real risk of significant harm&#039; (tier 2 disclose to individual) but not a &#039;material breach&#039; (tier 1 report to OPC) or vice versa.</p>
<p>This is achieved by adopting a different, but overlapping set of standards for tier 1 and tier 2 disclosures. A tier 1 disclosure obligates organizations to report &#039;any material breach of security safeguards&#039; to the Commissioner (proposed sub-section 10.1(1)). The set of factors defining &#039;material breach&#039; include: the sensitivity of the information, the number of individuals involved, and &#039;an assessment by the organization that the cause of the breach or a pattern of breaches indicates a systemic problem.&#039;</p>
<p>&#039;Sensitivity of the information&#039; overlaps with the same factor as found in the tier 2 definition of &#039;real risk of significant harm&#039;, however, in this instance, it is not modified by the descriptive factors found in proposed sub-section 10.2(2). This means that, for any given breach, an organization may assess the &#039;sensitivity&#039; factor differently for tier 1 and tier 2 reporting, but whether the outcome favours disclosure to the Privacy Commissioner over disclosure to the individual will depend on the specific scenario. &#039;Number of individuals affected&#039; is fairly straightforward, but is notable in that it is not at all a factor relating to an assessment of &#039;real risk of significant harm&#039;.</p>
<p>The final &#039;systemic&#039; factor is the most problematic element of the &#039;material breach&#039; definition. Where a breach involves sensitive information and affects a large number of individuals, the organization may still avoid disclosure if, <em>in its own assessment</em>, it does not deem the breach to be indicative of a &#039;systemic&#039; problem. As with the &#039;number of individuals&#039; factor, the &#039;systemic&#039; criterion does not in any way overlap with any tier 2 &#039;real risk of significant harm&#039; factors.</p>
<p>This means that in cases where sensitive information relating to one individual alone has been breached, in a scenario where a high likelihood of misuse is evident, the individual might be notified, but not the OPC, or even the general public. This is problematic because there will be no record of the breach and, more importantly, there will be no one to verify objectively whether the organization effectively dealt with the cause of the breach in a manner likely to prevent its repetition. The OPC can only initiate an investigation into a suspected breach of <a href="http://laws-lois.justice.gc.ca/eng/acts/P-8.6/FullText.html">Principle 4.3.7 of PIPEDA</a> (obligation to put in place reasonable technical safeguards) if it is first notified of the breach. The EU proposal, by comparison, would obligate organizations to disclose <em>any </em>personal data breach to a regulator along with information on the <em>cause </em>of the breach as well as on<em> how </em>the organization intends to prevent the breach from recurring (proposed Article 28.4).</p>
<p>Similarly, the Uniform Law Commission of Canada draft Breach Notification Act obligates organizations to &#034;promptly file a report respecting any unauthorized access or disclosure with the Commissioner&#034; (<a href="http://www.ulcc.ca/en/poam2/9%20Interim%20Report%20Protection%20of%20Privacy.pdf">Sub-section 101(3)</a>). As with the E.U. proposal, the ULC draft requires details regarding the nature of the breach and steps taken to remedy it to be included in the report (<a href="http://www.ulcc.ca/en/poam2/9%20Interim%20Report%20Protection%20of%20Privacy.pdf">Section 102</a>).</p>
<p>In conclusion, the great innovation of a two-tier notification system employed by Bill C-12 is entirely undermined by the use of overly high, overly subjective and overlapping standards. Instead of operating as a well-needed oversight mechanism designed , the 1st tier to <a href="http://www.ulcc.ca/en/poam2/9%20Interim%20Report%20Protection%20of%20Privacy.pdf">ensure that</a> &#034;the judgment about the degree of risk is subject to review by the Commissioner, and not left solely to the holder, who may have conflicting interests.&#034;</p>
<p><strong><em>no incentive to comply with the Act</em></strong></p>
<p>Bill C-12 is also lacking in the &#039;teeth&#039; department. To begin with, in those scenarios where an organization decides a breach is &#039;material&#039; but does not raise &#039;risk of significant harm&#039;, the OPC is not granted the power to force the company to disclose. If it wanted to do this, it would need to initiate an investigation (which can take as long as 16 months [<a href="http://www.piac.ca/privacy/change_data_breach_bill_to_notify_more_consumers_new_piac_report_1/">page 72</a>]) and then find the organization in non-compliance.</p>
<p>While the Finding itself may act as a &#039;notification&#039; to the public (assuming the OPC drops its historic aversion to &#039;naming and shaming&#039; mal-doers), the OPC does not at this time have the power to issue fines for non-compliance or penalties for damages caused.</p>
<p>If these were to be sought, the OPC (or a complainant) would need to take the complaint to federal court (a costly process involving a trial <em>de novo</em> under section 14 of PIPEDA). But, even then, no damages-based incentive for non-compliance will be forthcoming. PIPEDA currently allows judges to issue three types of remedies for breaches of the statute: an order to correct its practices (16(a)); an order to publish corrective actions taken (16(b)); and an order for damages including humiliation (16(c)). Unfortunately, while Clause 14 of Bill C-12 expands subsection 16(a) to include remedies for elements of the data breach notification regime, it does not do so for sections 16(b)-(c). One wonders why a complainant would ever bother taking non-compliance to court or, for that matter, why an organization would err on the side of compliance.</p>
<p>Finally, with respect to failures to disclose tier 1 &#039;material breaches&#039; (assuming such failures are ever discovered), Bill C-12 does not even permit the federal court to order an organization to correct its future practices with respect to compliance with this obligation. Subsection 16(a) is only extended to mandate compliance with tier 2 &#039;risk of significant harm&#039; obligations, while violations of the &#039;material breach&#039; reporting obligation are expressly excluded from 16(a) remedies. This means that the OPC and even the Federal Court will be powerless to stop organizational notification policies designed in a way that allows for <em>repeated</em> mis-classifications of &#039;material breaches&#039;.</p>
<p>The penalty for failing to disclose a material breach or a breach leading to a &#039;real risk of significant harm&#039; is&#8230; nothing. The worst possible result of non-compliance is delayed disclosure of a failure to notify. But <em>that </em>incentive is already in place. While the OPC has recently signaled its intention to call for order making and fine imposing powers in general (presumably these would cover the breach notification regime as well as existing PIPEDA obligations), there appears to be little Government will to update PIPEDA or improve privacy protections. Delays over PIPEDA&#039;s mandatory 5 year review (slated to have been <a href="http://www.michaelgeist.ca/content/view/6208/125/">completed last year</a>) and Bill C-12 itself are evidence of that. As currently designed, the worst possible result of non-compliance by an organization is delayed public exposure that the organization failed to notify the public of the breach. But <em>that </em>incentive is already in place.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://www.slaw.ca/2012/03/23/billc12-safeguarding-privacy-by-eroding-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Invasion of Seclusion &amp; Data Protection</title>
		<link>http://www.slaw.ca/2012/02/23/invasion-of-seclusion-data-protection/</link>
		<comments>http://www.slaw.ca/2012/02/23/invasion-of-seclusion-data-protection/#comments</comments>
		<pubDate>Thu, 23 Feb 2012 14:36:20 +0000</pubDate>
		<dc:creator>Tamir Israel</dc:creator>
				<category><![CDATA[Case Comment]]></category>

		<guid isPermaLink="false">http://www.slaw.ca/?p=44292</guid>
		<description><![CDATA[<p>It hasn&#039;t taken long for a court to apply the new tort of invasion of seclusion first recognized by the Ontario Court of Appeal in <a href="http://www.canlii.org/en/on/onca/doc/2012/2012onca32/2012onca32.html"><em>Jones v. Tsige</em></a> in January. While not providing a great deal of added nuance, the Small Claims Court&#039;s decision in <em>Connolly v. Telus Communications Co.</em>, [2012] O.J. No. 464, does provide some new insights. While providing little new insight into the substance of this new tort, the case is somewhat remarkable for its very subject matter.</p>
<p>First, it involves a lawsuit by an aggrieved Telus customer who sued his mobile service provider over its perceived mishandling &#8230; <a href="http://www.slaw.ca/2012/02/23/invasion-of-seclusion-data-protection/" class="read_more">[more]</a></p>]]></description>
			<content:encoded><![CDATA[<!-- no icon for 'Case Comment' --><p>It hasn&#039;t taken long for a court to apply the new tort of invasion of seclusion first recognized by the Ontario Court of Appeal in <a href="http://www.canlii.org/en/on/onca/doc/2012/2012onca32/2012onca32.html"><em>Jones v. Tsige</em></a> in January. While not providing a great deal of added nuance, the Small Claims Court&#039;s decision in <em>Connolly v. Telus Communications Co.</em>, [2012] O.J. No. 464, does provide some new insights. While providing little new insight into the substance of this new tort, the case is somewhat remarkable for its very subject matter.</p>
<p>First, it involves a lawsuit by an aggrieved Telus customer who sued his mobile service provider over its perceived mishandling of the account registration process (the plaintiff had recently moved from Koodo, a Telus subsidiary, to the parent company). The complaint appears to relate to the perceived misuse of the plaintiff&#039;s SIN during the sign up process, seemingly focused on the mandatory collection of SIN as part of the sign up process (paras 10-12; 27-28).</p>
<p>While the plaintiff failed to make out an &#039;invasion of seclusion&#039; in this particular case, there appeared to be no hesitation in applying the tort to Telus&#039; conduct. This is somewhat noteworthy, as this is pure data protection activity and falls squarely within the regulatory scope of PIPEDA.</p>
<p>While in <em>Jones</em> the ONCA did not endorse the lower court&#039;s argument that PIPEDA &#039;occupies the space&#039; of commercial information regulation, the wrong in <em>Jones</em> was far outside the core concern of PIPEDA. The defendant&#039;s misconduct in <em>Jones</em> was clearly of a personal nature and outside the scope of her duties as an employee of Royal Bank. The misconduct likely engaged RBC&#039;s PIPEDA obligation to ensure adequate safeguards are in place protecting the personal information of its customers, but beyond that, there was nothing governing the defendant&#039;s conduct directly, as it fell outside the scope of her RBC duties and PIPEDA does not regulate individual conduct. <em>Connolly</em>, however, represents a direct application of the tort to a core commercial data protection practice.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.slaw.ca/2012/02/23/invasion-of-seclusion-data-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Production Orders: Impending Tools of Mass Investigation?</title>
		<link>http://www.slaw.ca/2012/02/09/production-orders-as-tools-of-mass-investigations/</link>
		<comments>http://www.slaw.ca/2012/02/09/production-orders-as-tools-of-mass-investigations/#comments</comments>
		<pubDate>Thu, 09 Feb 2012 23:01:49 +0000</pubDate>
		<dc:creator>Tamir Israel</dc:creator>
				<category><![CDATA[Substantive Law: Judicial Decisions]]></category>
		<category><![CDATA[Substantive Law: Legislation]]></category>

		<guid isPermaLink="false">http://www.slaw.ca/?p=43751</guid>
		<description><![CDATA[<p>An interesting decision came out in the twilight of 2011. <em>The Vancouver Sun v. British Columbia, </em><a href="http://www.canlii.org/en/bc/bcsc/doc/2011/2011bcsc1736/2011bcsc1736.html">2011 BCSC 1736</a> is worth a look not only because it is the first of what is likely to be many cases adjudicating fallout from last year&#039;s Stanley Cup riot in Vancouver, but also for its utilization of production orders to get useful information from third parties unrelated to the criminal events under investigation. As upcoming <a href="http://www.bccla.org/othercontent/Moving-toward-a-surveillance-society.pdf">lawful access</a> legislation is expected to create a number of new production orders (largely focused on acquiring telecommunications data from third parties), this case may provide a window &#8230; <a href="http://www.slaw.ca/2012/02/09/production-orders-as-tools-of-mass-investigations/" class="read_more">[more]</a></p>]]></description>
			<content:encoded><![CDATA[<!-- no icon for 'Substantive Law: Judicial Decisions' --><!-- no icon for 'Substantive Law: Legislation' --><p>An interesting decision came out in the twilight of 2011. <em>The Vancouver Sun v. British Columbia, </em><a href="http://www.canlii.org/en/bc/bcsc/doc/2011/2011bcsc1736/2011bcsc1736.html">2011 BCSC 1736</a> is worth a look not only because it is the first of what is likely to be many cases adjudicating fallout from last year&#039;s Stanley Cup riot in Vancouver, but also for its utilization of production orders to get useful information from third parties unrelated to the criminal events under investigation. As upcoming <a href="http://www.bccla.org/othercontent/Moving-toward-a-surveillance-society.pdf">lawful access</a> legislation is expected to create a number of new production orders (largely focused on acquiring telecommunications data from third parties), this case may provide a window into what is to come.</p>
<p><em>Vancouver Sun</em> involves an attempt by police to compel various news organizations to produce certain photos believed to be useful in <a href="http://www.theprovince.com/news/Province+will+post+riot+photos/6025436/story.html">ongoing efforts</a> to identify all miscreants involved in the sadly destructive and at times violent riot that followed the Vancouver Canucks&#039; tragic exit from the Stanley Cup finals last summer. A number of news organizations challenged the resulting <em>ex parte</em> production order secured by the police, which would have forced these organizations to hand over any footage taken on the day of the hockey riots and within a designated geographic area.</p>
<p>The media groups challenged the production order on a number of grounds, claiming the order was too broad in scope and threatened the freedom of the press. They sought an exemption from the order or, alternatively, that the order be quashed.<div class="toggle"></p>
<p>It turns out that the existing production orders are difficult to challenge and quite broad in scope. This raises legitimate concerns for the upcoming production orders envisioned in lawful access legislation, which will employ <em>broader</em> standards in more scenarios related to potentially sensitive information.</p>
<p><em>Ex Parte &amp; not subject to strict review</em></p>
<p>The production order provisions currently in the <em>Criminal Code</em> include a provision permitting third parties to apply for an exemption from the scope of the order where production would be &#034;unreasonable&#034; (<a href="http://laws-lois.justice.gc.ca/eng/acts/C-46/FullText.html"><em>Criminal Code</em></a> s. 487.015(b)). The media organizations sought an exemption on the grounds that the orders were &#034;premature, overly broad and capture vast amounts of material not relevant to any crime; that they fail to account for the special position of journalists requiring proof of true necessity and absence of alternate sources&#034; (para 21).</p>
<p>The court rejected these grounds, citing <em>Tele-Mobile Co. v. Ontario</em>, <a href="http://scc.lexum.org/en/2008/2008scc12/2008scc12.html">2008 SCC 12</a> in its conclusion that the &#039;unreasonableness&#039; referred to in the exemption clause is limited to considerations of practical impact, cost of compliance, etc. Substantive factors going to the validity of the order cannot contribute to &#039;unreasonableness&#039; under s. 487.015(b).</p>
<p>This meant the substantive concerns with the <em>ex parte</em> order would be considered under the <em>Garofoli</em> standard of review: based on the record before the authorizing judge, could that justice, acting judiciously, have granted the order.</p>
<p><em>Production Standards are very broad</em></p>
<p>The standard employed in the production orders at issue is one of &#039;reasonable grounds to believe the data sought will afford evidence respecting the commission of an offence&#039;. This is higher than the &#039;reasonable ground to suspect information will assist an investigation&#039; standard that will feature in a number of the new proposed lawful access orders.</p>
<p>The applicants in <em>Vancouver Sun</em> argued the production orders failed to meet this standard because much of the material sought will not disclose evidence of criminal activities. The footage was recorded &#034;within a large area of downtown before and after the riot&#8230;the [production order] does not adequately connect the specific images recorded to the offences committed.&#034; While there are certainly images of offences being committed within the materials at issue, much of the footage relates to innocent activity. So untargeted an order is essentially a fishing expedition.</p>
<p>While the production orders were eventually rejected on a technicality, Justice Harris did not accept the majority of substantive overbreadth arguments. The question is not whether all the material sought will provide evidence of individuals actually committing offences (para. 46). Rather, the test is one of whether there are grounds to believe:</p>
<blockquote><p>&#034;&#8230;the material sought would, not just taken by itself but in relation to other things, afford evidence with respect to the commission of at least some of the specified offences.&#034; (para 48 quoting <em>CBC v. British Columbia</em>, <a href="http://canlii.ca/en/bc/bcsc/doc/1994/1994canlii3342/1994canlii3342.html">[1994] 32 CR (4th) 256</a> (B.C. S.C.))</p></blockquote>
<p>What this means is that photos that are not directly linked to any criminal incident, but rather show people in the general vicinity during the general time window of the riot (give or take), are within scope because they are &#034;relevant to the issue of identification of those involved in committing offences, even where the image&#8230;is captured in a different place from where the offence was committed.&#034; (para. 39)</p>
<p>Presumably, the images collected will feed the VPD&#039;s growing image-fuelled riot investigation apparatus which currently includes a &#039;<a href="https://riot2011.vpd.ca/">tag your friends</a>&#039; website and, apparently, the use of <a href="http://www.huffingtonpost.ca/2011/07/22/vancouver-riot-investigation-facial-recognition_n_907525.html">facial recognition techniques</a> built in to ICBC&#039;s biometric-enabled drivers license database.</p>
<p><em>Charter assistance may be challenging</em></p>
<p>As section 8 of the <em>Charter</em> was not raised, this was a case of statutory interpretation alone. Given that the images were taken in public, one wonders whether a reasonable expectation of privacy could have been effectively asserted by any of those included in the extensive footage covered by the production orders. Canadian laws have always recognized some, albeit potentially reduced, expectations of privacy in easily observable public activities (<em>R. v. Wise</em>, <a href="http://www.canlii.org/en/ca/scc/doc/1992/1992canlii125/1992canlii125.html">1 SCR 257</a>). Recent case law from the U.S. Supreme Court suggests that <em>extensive</em> or <em>pervasive </em>public surveillance might trigger stronger privacy expectations than would otherwise be the case (see <em>US v. Jones, </em><a href="http://www.supremecourt.gov/opinions/11pdf/10-1259.pdf">565 U.S. __, (2012)</a>). Regardless, the need to show no more than a tangential connection between the images (and the people in them) on the one hand, and any actual offences on the other might be a cause of concern.</p>
<p>Justice Harris recognizes this. He states in his judgement that he was initially &#034;concerned by both the geographic and temporal scope of the production orders&#034; (para 52) in light of the time and location of actual offences, and that the request &#034;struck [him] as broad.&#034;</p>
<p>Unfortunately, these concerns were not enough to second guess the Justice of the Peace who initially issued the order. This demonstrates a serious deficiency with <em>ex parte </em>orders in general &#8212; they cannot be challenged in the first instance, and by the time a second instance arises, it is no longer a matter of &#039;correctness&#039;, but whether the initial decision was &#039;reasonable&#039;. As production orders are almost by definition <em>ex parte</em>, these types of deficiencies in breadth of review are likely to recur.</p>
<p>Most troubling is the <a href="http://www.bccla.org/othercontent/Moving-toward-a-surveillance-society.pdf">impending application</a> of these types of production orders to a wide range of Internet and mobile data, including tracking (GPS) data and interaction (transmission) data. Not only do these new types of production orders afford access to vast and potentially very sensitive types of data, but they will be available, via production order, at a significantly lower standard than that employed above. Police need only demonstrate a &#039;reasonable suspicion&#039; that the material sought &#034;will assist&#034; in an investigation. Working backwards &#034;somewhat broad&#034; orders approved on <em>ex parte</em> application in <em>Vancouver Sun</em>. We may be moving closer to those &#039;fishing expeditions&#039; our system of constitutional and legislative safeguards is intended to avoid.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://www.slaw.ca/2012/02/09/production-orders-as-tools-of-mass-investigations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EU Court of Justice Strikes Blow Against Over-Aggressive IPR Enforcement</title>
		<link>http://www.slaw.ca/2011/11/24/eu-court-of-justice-strikes-blow-against-over-aggressive-ipr-enforcement/</link>
		<comments>http://www.slaw.ca/2011/11/24/eu-court-of-justice-strikes-blow-against-over-aggressive-ipr-enforcement/#comments</comments>
		<pubDate>Thu, 24 Nov 2011 16:01:52 +0000</pubDate>
		<dc:creator>Tamir Israel</dc:creator>
				<category><![CDATA[Substantive Law: Foreign Law]]></category>
		<category><![CDATA[Substantive Law: Judicial Decisions]]></category>
		<category><![CDATA[Technology: Internet]]></category>

		<guid isPermaLink="false">http://www.slaw.ca/?p=41401</guid>
		<description><![CDATA[<p>The European Court of Justice issued its breathlessly awaited (at least by some) <a href="http://curia.europa.eu/jurisp/cgi-bin/form.pl?lang=EN&#38;Submit=rechercher&#38;numaff=C-70/10">decision</a> in <em>SABAM v. Scarlet</em> today, striking a serious blow to those imposing <a href="https://www.eff.org/deeplinks/2011/08/website-blocking-table-uk-least-now">intense international pressure</a> with the objective of securing exceptional enforcement for intellectual property rights online. These efforts aim to leverage <a href="//www.oecd.org/dataoecd/49/4/44949023.pdf">Internet intermediaries</a> such as ISPs, hosting sites, domain name registrars and even individual blogging sites in order to stomp out any infringing activity occurring on the platforms they operate.</p>
<p>As these intermediaries process and host vast amounts of online conduct, they are uniquely placed to impose unprecedented levels of monitoring and control onto users &#8230; <a href="http://www.slaw.ca/2011/11/24/eu-court-of-justice-strikes-blow-against-over-aggressive-ipr-enforcement/" class="read_more">[more]</a></p>]]></description>
			<content:encoded><![CDATA[<!-- no icon for 'Substantive Law: Foreign Law' --><!-- no icon for 'Substantive Law: Judicial Decisions' --><!-- no icon for 'Technology: Internet' --><p>The European Court of Justice issued its breathlessly awaited (at least by some) <a href="http://curia.europa.eu/jurisp/cgi-bin/form.pl?lang=EN&amp;Submit=rechercher&amp;numaff=C-70/10">decision</a> in <em>SABAM v. Scarlet</em> today, striking a serious blow to those imposing <a href="https://www.eff.org/deeplinks/2011/08/website-blocking-table-uk-least-now">intense international pressure</a> with the objective of securing exceptional enforcement for intellectual property rights online. These efforts aim to leverage <a href="//www.oecd.org/dataoecd/49/4/44949023.pdf">Internet intermediaries</a> such as ISPs, hosting sites, domain name registrars and even individual blogging sites in order to stomp out any infringing activity occurring on the platforms they operate.</p>
<p>As these intermediaries process and host vast amounts of online conduct, they are uniquely placed to impose unprecedented levels of monitoring and control onto users in order to find and prevent ‘undesirable’ activity. A number of recent endeavours such as the French HADOPI framework and the US proposed ‘Stop Online Piracy Act’ initiative have sought to force various intermediaries to participate more actively in protecting intellectual property rights. Often this involves mechanisms to wipe (allegedly) infringing sites or users from the Internets. Many have argued this poses a threat to online innovation, freedom of expression and privacy.</p>
<p>In SABAM, the EU Court of Justice examined a narrower question that nonetheless touches on many of these same issues and the overall ‘balance’ between the need to protect IPRs while ensuring other rights are not trampled in the attempt to do so. SABAM, a rights holder group, had asked the Belgian court to issue an injunction obligating an ISP, Scarlet, to filter all unauthorized peer-to-peer file-sharing transfers of its works. The EU has an overarching legal framework, set out in a number of Directives, that provides guidance on the appropriate scope of liability for Internet intermediaries. Most salient for this case, the EU intermediaries framework permits a court to issue injunctions as a remedy for IPR infringement. The Belgian court that first heard the matter was willing to issue such an injunction and this ruling constitutes Scarlet’s appeal to the EU Court of that decision.<div class="toggle"></p>
<p>The injunction in question would have required Scarlet, the ISP, to monitor all activity on its network, filtering for hash tags of files identified as within the repertoire of the plaintiff. While the technical feasibility of this filtering exercise has been questioned, the Court rested its decision to overrule the Belgian court’s injunction on firmer, more principled grounds. Specifically, the Court found that an injunction of this character violates the rights to privacy and potentially the right to receive or impart information:</p>
<blockquote><p>51 It is common ground, first, that the injunction requiring installation of the contested filtering system would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data because they allow those users to be precisely identified.</p>
<p>52 Secondly, that injunction could potentially undermine freedom of information since that system might not distinguish adequately between unlawful content and lawful content, with the result that its introduction could lead to the blocking of lawful communications. Indeed, it is not contested that the reply to the question whether a transmission is lawful also depends on the application of statutory exceptions to copyright which vary from one Member State to another. Moreover, in some Member States certain works fall within the public domain or can be posted online free of charge by the authors concerned.</p>
<p>53 Consequently, it must be held that, in adopting the injunction requiring the ISP to install the contested filtering system, the national court concerned would not be respecting the requirement that a fair balance be struck between the right to intellectual property, on the one hand, and the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information, on the other.</p></blockquote>
<p>The Court also issued a friendly reminder that, while protection of Intellectual Property is a right protected by the EU Charter, there is “nothing whatsoever in the wording of that provision or in the Court’s case-law to suggest that that right is inviolable and must for that reason be absolutely protected.”</p>
<p>Notably, the decision equates ‘filtering’ &#8212; where network equipment such as deep packet inspection equipment is calibrated to search for specific files or activities, in this case, <a href="//www.cippic.ca/sites/default/files/OPC-Submission-Rogers_and_DPI-FINAL.pdf">likely hash tags</a> &#8212; with mass monitoring of user activity. Common counter arguments to this are that ‘filtering’ does not involve mass surveillance, because only the specifically sought infringing activity is identified, while little or no information about other activity is collected. The Court appears to accept, however, that mass monitoring for infringing activity is a serious invasion of privacy even where the only results it yields are to identify infringing works.</p>
<p>Second, the decision is notable in that it recognized the threat to freedom of expression posed by a filtering system of this kind, which is likely to capture legal content along with allegedly infringing content. Indeed, as the Canadian experience has proven, identifying specific files or even applications mid-network while avoiding over-inclusiveness is <a href="//www.thestar.com/article/1082195--net-neutrality-enforcement-put-to-the-test">no easy task</a>! It is greatly complicated where user rights such as fair dealing or fair use complicate what is ‘legal’ and what is not.</p>
<p>The decision is not likely to be the last word on the issue. US legislatures are struggling with a law that will permit entire domain names to be wiped from the DNS system on allegation of IP infringement and it is not clear how this decision will impact on France’s HADOPI ‘3 strikes and you’re out’ system, or on the UK Digital Economy Act’s objective of implementing a similar graduated response regime (the UK act is also under court challenge).</p>
<p>The decision could have implications for Canadian copyright enforcement. While Canadian copyright law (inclusive of coming amendments in Bill C-11, the <a href="//www.parl.gc.ca/content/hoc/Bills/411/Government/C-11/C-11_1/C-11_1.PDF">Copyright Modernization Act</a>), does not envision <a href="//canlii.ca/en/ca/scc/doc/2004/2004scc45/2004scc45.html">liability for ISPs</a> for infringing activities of users such as file-sharing, injunctions against ISPs similar to that raised in SABAM are available under Canadian law.</p>
<p>Given our Court’s recent willingness to take into account Charter rights in the development of common law protections in general, there is hope that <a href="//www.slaw.ca/2011/11/02/crookes-v-newton-speculations-on-intermediary-liability/">freedom of expression</a> and <a href="//www.canlii.org/en/on/onca/doc/2004/2004canlii39048/2004canlii39048.html">privacy</a> will guide any application of this injunction power. Further, as intellectual property rights (or even regular property rights) are excluded from our Charter, countervailing rights of expression and privacy should weigh more heavily in the balance than in the EU.</p>
<p>While many of our ISPs already track use of file-sharing applications voluntarily, in order to carry out their traffic management policies, this should not mean privacy expectations are diminished in any way. To begin with, the type of monitoring envisioned in SABAM is more intrusive than that currently carried out by Canadian ISPs. Current ISP practice is to filter for metrics in order to identify specific applications (BitTorrent clients, for example) while SABAM required filtering of specific files. (The middle case &#8212; filtering to block an entire website or service such as Pirate’s Bay or Newzbin2 deemed to be ‘infringing’, has been <a href="//www.eff.org/deeplinks/2011/08/website-blocking-table-uk-least-now">tentatively approved</a> by UK courts.) Second, the CRTC, in carrying out the privacy-protection component of its mandate, has <a href="//www.crtc.gc.ca/eng/archive/2009/2009-657.htm">ordered</a> Canadian ISPs to refrain from using information gained from traffic management practices for any other purpose. These two conditions, taken together, should bolster privacy expectations Canadians can reasonably advance in this context, if the issue were to arise.</p>
<p>Second, our Supreme Court has a solid track record for <a href="//www.slaw.ca/2011/11/02/crookes-v-newton-speculations-on-intermediary-liability/">protecting online innovation and freedom of expression</a> and adopting a balanced approach to copyright enforcement.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://www.slaw.ca/2011/11/24/eu-court-of-justice-strikes-blow-against-over-aggressive-ipr-enforcement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Crookes v. Newton: Speculations on Intermediary Liability&#8230;.</title>
		<link>http://www.slaw.ca/2011/11/02/crookes-v-newton-speculations-on-intermediary-liability/</link>
		<comments>http://www.slaw.ca/2011/11/02/crookes-v-newton-speculations-on-intermediary-liability/#comments</comments>
		<pubDate>Wed, 02 Nov 2011 16:23:12 +0000</pubDate>
		<dc:creator>Tamir Israel</dc:creator>
				<category><![CDATA[Substantive Law: Judicial Decisions]]></category>
		<category><![CDATA[Technology: Internet]]></category>

		<guid isPermaLink="false">http://www.slaw.ca/?p=40435</guid>
		<description><![CDATA[<p>Perhaps the thorniest of emerging Internet legal and policy issues these days is the question of Internet intermediaries. It is a feature of the Internet that all online activity is intermediated through at least one and often several service providers, such as ISPs, social networking sites, blog hosting sites, etc. Standing at the crux of all this activity, <a href="http://www.oecd.org/dataoecd/49/4/44949023.pdf">intermediaries</a> are uniquely placed to exert a great deal of control and surveillance over activities of downstream users, making them a compelling target for policy-makers and aggrieved plaintiffs alike. The Supreme Court of Canada’s recent seminal decision in <em><a href="http://www.canlii.org/en/ca/scc/doc/2011/2011scc47/2011scc47.html">Crookes v. Newton</a></em> offers &#8230; <a href="http://www.slaw.ca/2011/11/02/crookes-v-newton-speculations-on-intermediary-liability/" class="read_more">[more]</a></p>]]></description>
			<content:encoded><![CDATA[<!-- no icon for 'Substantive Law: Judicial Decisions' --><!-- no icon for 'Technology: Internet' --><p>Perhaps the thorniest of emerging Internet legal and policy issues these days is the question of Internet intermediaries. It is a feature of the Internet that all online activity is intermediated through at least one and often several service providers, such as ISPs, social networking sites, blog hosting sites, etc. Standing at the crux of all this activity, <a href="http://www.oecd.org/dataoecd/49/4/44949023.pdf">intermediaries</a> are uniquely placed to exert a great deal of control and surveillance over activities of downstream users, making them a compelling target for policy-makers and aggrieved plaintiffs alike. The Supreme Court of Canada’s recent seminal decision in <em><a href="http://www.canlii.org/en/ca/scc/doc/2011/2011scc47/2011scc47.html">Crookes v. Newton</a></em> offers a general reaffirmation of the Court’s continued commitment to maintaining an open Internet and a vindication for hyperlinkers everywhere. More than that, however, it offers some potential insights into how our Canadian legal system might react if faced with future attempts to leverage Internet intermediaries.<br />
<div class="toggle"></p>
<p>One common mechanism for doing so is to impose liability on them for the activity of others. Secondary liability of this kind is typically different in character from stricter liability regimes applied directly to primary authors, and includes a ‘notice’ element. This means intermediaries are not typically obligated to take pre-emptive steps against downstream infringing content, but must still take specific actions upon being asked to or being made aware of alleged rights infringement or face liability in their own right. Common law obligations arising from such notification may include various categories of takedown requirements: a blogger taking down a ‘flagged’ defamatory (or, perhaps, IP infringing) comment/post after being notified; a blogging platform taking down a blog that has been ‘flagged’; a domain name registrar seizing the domain of a flagged blogging platform; an ISP blocking access to an IP address of a flagged service. Even more aggressive responses have been undertaken by intermediaries voluntarily under threat of liability. Some have <a href="http://www.theregister.co.uk/2009/02/03/eircom_agrees_to_three_strikes_enforcement/">adopted</a> a ‘3 strikes’ policy, where 3 accusations of copyright infringement against a customer leads to disconnection, as settlement in a lawsuit initiated by copyright holders.</p>
<p>What does all this have to do with hyperlinking? While a hyperlinker is not an intermediary, she shares essential characteristics with most intermediaries, in that both play primarily facilitative roles. The intermediary provides access to content created by others, while the hyperlinker merely draws readers’ attention to that content. Crookes squarely raises the question of the extent to which we should be making individuals liable for what others have done. In answering this question within the context of defamatory publication, the SCC adopted an approach that affirms a basic, but critical principle of common law &#8212; that individuals should not easily be made responsible for the actions of others. As secondary responsibility is at the core of intermediary liability issues, <em>Crookes</em> may inform the Court&#039;s ultimate stance on the latter. We are likely to see the question of intermediary liability recur in Canada in the future, so it is worthwhile speculating on ways the <em>Crookes</em> decision may impact on any such future consideration.</p>
<p><strong>a. Freedom of expression and the Internet</strong><br />
In keeping with its recent jurisprudence (see Abella, J., para. 32 for a synopsis of this trend), the majority ruling in <em>Crookes</em> justified its decision on the grounds that existing defamation common law principles conflict with a Charter right, and should adapt to account for this. What is interesting is the manner in which the Court leveraged free expression in this case to “avoid[] a formalistic application of the traditional publication rule” [Abella, J., para. 25].</p>
<p>This ‘leveraging’ is evident in the following majority statement:</p>
<blockquote><p>The Internet cannot, in short, provide access to information without hyperlinks. Limiting their usefulness by subjecting them to the traditional publication rule would have the effect of seriously restricting the flow of information and, as a result, freedom of expression. The potential “chill” in how the Internet functions could be devastating, since primary article authors would unlikely want to risk liability for linking to another article over whose changeable content they have no control. Given the core significance of the role of hyperlinking to the Internet, we risk impairing its whole functioning. Strict application of the publication rule in these circumstances would be like trying to fit a square archaic peg into the hexagonal hole of modernity. (Abella, J., para. 36)</p></blockquote>
<p>The Court appears to be drawing links between the right to free expression on the one hand, and the utility of the hyperlinking mechanism, the free flow of information and, more broadly, the Internet itself. The importance of the Internet as a communicative platform has recently <a href="http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/A.HRC.17.27_en.pdf">been tied</a> to the freedom of expression by the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression:</p>
<blockquote><p>Unlike any other medium, the Internet enables individuals to seek, receive and impart information and ideas of all kinds instantaneously and inexpensively across national borders. By vastly expanding the capacity of individuals to enjoy their right to freedom of opinion and expression, which is an “enabler” of other human rights, the Internet boosts economic, social and political development, and contributes to the progress of humankind as a whole.</p></blockquote>
<p>This is an important development when viewed within a growing international discourse on the interaction between freedom of expression, the proper role of Internet intermediaries and the need to achieve various public policy objectives such as protecting reputation online. This discourse is also gravely concerned with the detrimental impact to freedom of expression that will result from saddling intermediaries with liability for the content of others. Notification-based intermediary liability will, in effect, transform allegations of wrongdoing into restraints on speech quickly, cheaply, and typically before any judicial processing of such allegations has occurred. The reverse onus is then placed on often under-funded users to challenge this claim in court.</p>
<p>In his report, the UN Special Rapporteur unpacked these concerns in greater detail:</p>
<blockquote><p>&#8230;a notice-and-takedown system is&#8230;subject to abuse by both State and private actors. Users who are notified by the service provider that their content has been flagged as unlawful often have little recourse or few resources to challenge the takedown. Moreover, given that intermediaries may still be held financially or in some cases criminally liable if they do not remove content upon receipt of notification by users regarding unlawful content, they are inclined to err on the side of safety by overcensoring potentially illegal content. Lack of transparency in the intermediaries’ decisionmaking process also often obscures discriminatory practices or political pressure affecting the companies’ decisions. Furthermore, intermediaries, as private entities, are not best placed to make the determination of whether a particular content is illegal, which requires careful balancing of competing interests and consideration of defences.</p></blockquote>
<p>Our own Supreme Court flagged similar concerns (albeit in the context of copyright infringement) in its assessment of authorization-based intermediary liability in <em><a href="//www.canlii.org/en/ca/scc/doc/2004/2004scc45/2004scc45.html">SOCAN v. Bell</a></em>:</p>
<blockquote><p>The knowledge that someone might be using neutral technology to violate copyright &#8230;is not necessarily sufficient to constitute authorization, which requires a demonstration that the defendant did “(g)ive approval to; sanction, permit; favour, encourage” (<em>CCH</em>, at para. 38) the infringing conduct. I agree that notice of infringing content, and a failure to respond by “taking it down” may in some circumstances lead to a finding of “authorization”. However, that is not the issue before us. Much would depend on the specific circumstances. An overly quick inference of “authorization” would put the Internet Service Provider in the difficult position of judging whether the copyright objection is well founded, and to choose between contesting a copyright action or potentially breaching its contract with the content provider.</p></blockquote>
<p>The potential impact on expression that motivated the SCC in <em>Crookes</em> is magnified significantly in the context of intermediary liability. Much as with the hyperlinker, intermediaries are chilled from communicating the content of others by the threat of notice-based liability. As with hyperlinker chill, fear of liability causes intermediaries to err on the side of over-inclusion. Most accusations of defamation are treated as legitimate, because the intermediary (or hyperlinker) is not in a good position to assess defences such as justification (or, with respect to copyright, fair dealing).</p>
<p>The impact of intermediary chill, however, is more significant than with hyperlinkers, as it is applied platform-wide and impacts on downstream expression as well. In a notice-takedown regime, it amounts in effect to a restraint on downstream expression. The primary speaker is prevented from making her statement because the intermediary prevents her from doing so. With notice-takedown liability, this occurs before a judicial finding of defamation has been issued, as the intermediary must react quickly to avoid liability in its own right. Such an approach is at odds with the courts’ hesitant approach towards issuing injunctions in defamation cases, an option viewed as an “exceptional remedy” reserved for cases where the statements at issue are “manifestly defamatory” (See <em><a href="//www.canlii.org/en/on/onsc/doc/2010/2010onsc3121/2010onsc3121.html">Canadian National Railway v. Google Inc.</a></em>, 2010 ONSC 3121). Far from applying this rigid standard, notice-takedown regimes are strict liability once the notice has been received, meaning a statement ultimately found defamatory (but still far short of the ‘manifestly’ standard) will lead to liability for the inactive intermediary. Further, as noted above, intermediaries are not remotely well-placed to make such assessments, whether manifest or not.</p>
<p>Where intermediary liability leads to user disconnection, it is a particularly thorny issue, as it can deprive users of access to an entire communications medium on the basis of one minor facet of their use of that medium. Yet intermediaries are <a href="https://www.eff.org/deeplinks/2011/07/graduated-response-deal-what-if-users-had-been">increasingly pushed</a>, under <a href="http://www.edri.org/edrigram/number8.11/uk-ireland-3strikes">threat of liability</a>, towards adopting voluntary disconnection policies. This raises issues of proportionality, as it involves denying users who have committed one form of infringement (copyright, for example) access to an entire platform of expression:</p>
<blockquote><p>The Special Rapporteur is cognizant of the fact that, like all technological inventions, the Internet can be misused to cause harm to others … The Special Rapporteur emphasizes that censorship measures should never be delegated to private entities, and that intermediaries should not be held liable for refusing to take action that infringes individuals’ human rights &#8230; While blocking and filtering measures deny users access to specific content on the Internet, States have also taken measures to cut off access to the Internet entirely. The Special Rapporteur considers cutting off users from Internet access, regardless of the justification provided, including on the grounds of violating intellectual property rights law, to be disproportionate and thus a violation of article 19, paragraph 3, of the International Covenant on Civil and Political Rights.</p></blockquote>
<p>Once in place, these voluntary disconnection programs are difficult to dislodge, even after liability issues are <a href="http://www.zeropaid.com/news/91001/irish-isp-defeats-mandatory-three-strikes/">clarified ex post</a>. As a broader ‘reconsideration’ of the publication rule appears imminent (<em>Crookes</em> para. 42), and in the absence of a <a href="//www.michaelgeist.ca/content/view/6101/125/">legislative response</a> to defamatory intermediary liability, the buffer provided by <em>Crookes</em> against the use of common law liability as a means of chilling free expression may potentially play a role in defining future intermediary liability or lack thereof.</p>
<p><strong>b. Passive instrumentality of Internet intermediaries</strong><br />
Another factor relied upon by the majority in rejecting hyperlink liability is the passivity of the act of hyperlinking. Historically, even the most tangential participation in the publication chain was sufficient to incur liability. The majority in <em>Crookes</em> points, for example, to the printer’s servant found a publisher in his own right for an act no more significant than the ‘clamping down’ of the printing press (Abella, J., para. 18).</p>
<p>However, as the majority points out, this principle has slowly eroded over time. The Court referred in particular to two UK cases, one against an ISP and one against a search engine and a web host, in concluding: “[r]ecently, jurisprudence has emerged suggesting that some acts are so passive that they should not be held to be publication.” (see paras. 21; also 89-90).</p>
<p>In <a href="//www.bailii.org/ew/cases/EWHC/QB/2009/1765.html”"><em>Metropolitan International Schools Ltd. v. Designtechnica Corp.</em></a>, [2009] EWHC 1765, Justice Eady of the U.K. Queen’s Bench held at paras. 63-64, consistently with <em>Crookes</em>, that where intermediary conduct is limited to merely ‘facilitating access’ or is ‘passively instrumental’ with respect to allegedly defamatory content, publication has not occurred irregardless of whether the plaintiff has requested a takedown or not. Liability remains with the primary author, in such scenarios, and it appears that factors such as ‘passivity’ and ‘instrumentality’ will play a factor in defining the scope of liability. Knowledge and control appear to play a significant (but not determinative) role in assessing the level of passivity, with both factors being necessary, if not sufficient. However, some legislative regimes such as Chile’s recent copyright law have recognized that intermediaries can only be deemed to have ‘knowledge of infringement’ after they are provided with <a href="http://www.simenon.cl/new-chilean-copyright-law/">judicial notice</a> of infringing content. If ‘control’ and ‘passivity’ are to be adopted as a new touchstone for publication-based liability, the question of what will qualify as sufficient ‘control’ remains open.</p>
<p><strong>c. Defamatory vindication &amp; control</strong><br />
This focus on primary as opposed to secondary authors as the proper home for vindication also played a significant role in shaping the majority decision. In refusing to apply the traditional publication rule to hyperlinkers, it held:</p>
<blockquote><p>[40] Where a defendant uses a reference in a manner that in itself conveys defamatory meaning about the plaintiff, the plaintiff’s ability to vindicate his or her reputation depends on having access to a remedy against that defendant. In this way, individuals may attract liability for hyperlinking if the manner in which they have referred to content conveys defamatory meaning; not because they have created a reference, but because, understood in context, they have actually expressed something defamatory&#8230;</p>
<p>[41] Preventing plaintiffs from suing those who have merely referred their readers to other sources that may contain defamatory content and not expressed defamatory meaning about the plaintiffs will not leave them unable to vindicate their reputations. As previously noted, when a hyperlinker creates a link, he or she gains no control over the content linked to. If a plaintiff wishes to prevent further publications of the defamatory content, his or her most effective remedy lies with the person who actually created and controls the content.</p>
<p>[42] Making reference to the existence and/or location of content by hyperlink or otherwise, without more, is not publication of that content. Only when a hyperlinker presents content from the hyperlinked material in a way that actually repeats the defamatory content, should that content be considered to be “published” by the hyperlinker. Such an approach promotes expression and respects the realities of the Internet, while creating little or no limitations to a plaintiff’s ability to vindicate his or her reputation.</p></blockquote>
<p>While the majority left to another day the question of what constitutes ‘hyperlinking in a manner that conveys defamatory meaning’ (a concurring opinion by McLachlin, C.J. and Fish, J., suggests an ‘endorsement’ standard while the majority may have opted for something more rigorous), the concept that responsibility rests with the primary author is consistent with the normative underpinnings of defamation, if not its historical tendency to catch all participants in its publication web. A finding of defamation is not solely a compensatory regime. A judicial declaration that the author of a statement was ‘wrong’ offers the plaintiff vindication:</p>
<blockquote><p>This case involves international defendants and activities, suggesting caution and restraint. However, I agree with the motion judge that even if the Ontario judgment is unenforceable in the United States, a judgment would have significant value to Black as a vindication of his Ontario reputation. <a href="//www.canlii.org/en/on/onca/doc/2010/2010onca547/2010onca547.html"><em>Black v. Breeden</em></a>, 2010 ONCA 547, (Ont. C.A.), leave to appeal to S.C.C. <a href="//www.canlii.org/en/ca/scc-l/doc/2010/2010canlii75965/2010canlii75965.html">granted</a>.</p></blockquote>
<p>Normatively speaking, it is difficult to see how refusing to remove a comment made on a blog upon request, or to block access to one of the <a href="//googleblog.blogspot.com/2008/07/we-knew-web-was-big.html">trillions</a> of websites to which an ISP facilitates access is an act that calls for this type of ‘vindication’. Absent liability, many if not most Internet intermediaries premise their takedown decisions on the desire to facilitate interactions on their platform, not necessarily on their approval or disapproval of any single comment. In any case, as pointed out above, intermediaries are not very well placed to assess the defamatory nature of such content (particularly where complex legal concepts such as justification, fair comment or fair dealing must be considered).</p>
<p>There may be practical reasons for maintaining some form of intermediary liability. The Court stresses repeatedly that hyperlinkers have no control over the underlying content &#8212; indeed, once the linked content is removed, the hyperlink is immediately stripped of any defamatory import. This is different for intermediaries, who may exercise control over the originating content and restrict access to it. But, stripped of the need for ‘vindication’, what is left are practical considerations and these may well be outweighed by the detrimental impact on free expression that may ensue from imposing liability.</p>
<p><strong>d. Section 230 of US CDA ‘creation or development’</strong><br />
In reaching its decision on the scope of hyperlinking liability, the Supreme Court also relied in part on section 230 of the U.S. Communications Decency Act, a provision which grants immunity to all Internet intermediaries for any (allegedly) defamatory content where they were not involved in its creation or development (<em>Crookes</em>, paras. 28, 103). The premise underlying s. 230 is that online intermediaries should not be held responsible for the content of others:</p>
<blockquote><p>The purpose of this statutory immunity is not difficult to discern. Congress recognized the threat that tort-based lawsuits pose to freedom of speech in the new and burgeoning Internet medium. The imposition of tort liability on service providers for the communications of others represented, for Congress, simply another form of intrusive government regulation of speech. Section 230 was enacted, in part, to maintain the robust nature of Internet communication and, accordingly, to keep government interference in the medium to a minimum. In specific statutory findings, Congress recognized the Internet and interactive computer services as offering &#034;a forum for a true diversity of political discourse, unique opportunities for cultural development, and myriad avenues for intellectual activity&#034;&#8230;None of this means, of course, that the original culpable party who posts defamatory messages would escape accountability. (<a href="//pacer.ca4.uscourts.gov/opinion.pdf/971523.P.pdf"><em>Zeran v. America Online Inc.</em></a>, 129 F. 3d 327 (4th Circ., 1997))</p></blockquote>
<p>While Canadian common law <a href="//www.michaelgeist.ca/content/view/6101/125/">does not currently reflect</a> CDA s. 230, the Court’s willingness to adapt common law third party liability in order to prevent excessive chill of expression may bode well for those concerned with the broader question of intermediary liability and, more generally, for those concerned with online speech as the Court subjects the “one writer/any act/one reader paradigm” to “further scrutiny” in the future.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://www.slaw.ca/2011/11/02/crookes-v-newton-speculations-on-intermediary-liability/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>
