E-LAW… What is the Law?
Electronic Signatures,
Clickwrap Terms and
Conditions, and Privacy on
the Internet
David T. Ullmann
Minden Gross Grafstein & Greenstein LLP
Introduction
This presentation will cover the following
topics:
 Electronic signatures
 Canadian legislation related to same
 Creation and Enforceability of Electronic
Contracts
 Privacy and legislation
 Current privacy cases
What is a Signature?
 What is a signature?
• the essential function of a signature is to link a
person with a document
or as the Lords say:
“The essential requirement of signing is the
affixing, either by writing by a pen or pencil
or by otherwise impressing on the document
one’s name or signature so as to personally
authenticate the document.”
Lord Evershed English Court of Appeal 1954
What is a Signature?................
 Why are agreements signed?
• specific legislative or common law
requirements
• evidence of assent to the terms and conditions
of an agreement
• form of identity that ensures the parties know
who they are contracting with
 None of these factors change because the
contract is now online
What is a Signature?................
 Barry Sookman summarized the essentials
of a signature at common law:
• It authenticates a document
• Can be accomplished through the use of some
mechanical means such as a rubber stamp,
printing, typewriting, or fax
What is a Signature?................
 Any mark adopted by a person with an
attempt to authenticate the document may
constitute a signature.
What is a Signature?................
 Use of a PIN number, as even a number has
been recognized as a signature.
 A symbol such as a printed name in the
body of a document will not constitute a
signature unless it is executed or adopted by
a party with the intention to authenticate the
document.
What is a Signature?................
 Legibility is not a condition precedent.
 The name of the signatory may be placed in
the document by a third party, acting under
authority from the signatory, unless the
signature is one which requires the personal
signature of the person.
 Therefore, a signature is more than just a
written “John Hancock” signed in person
by the person bound by the document
Types of
Electronic Signatures
How Does this Apply On-Line?
“An electronic signature is a generic,
technology neutral term and refers to the
universe of all the various methods by
which one can “sign” an electronic record.”
Electronic Signatures...............
 Examples of electronic signatures:
• a name typed at the end of an email message
• a PIN number
• a uniquely configured physical device such as a chip
intended to be used with card readers
• a password
• a digitized form of manual signature
• biometric identifiers such as a fingerprint, voiceprint,
retinal scan, iris scan, etc.
• clicking on an “I Agree” button or check box
• digital signatures using encryption and certification
authorities
Secure Electronic Signatures
(aka Advanced Electronic Signatures)
 Public key encryption (PKI)
 Each party has a mathematically-related pair of
public and private “keys” for encrypting and
decrypting messages.
 The sender encrypts a message “fingerprint” using
his private key. The recipient then decrypts it
using the sender’s public key.
 The recipient then sends confirmation using his
private key which the sender decrypts using the
recipient’s public key.
 It’s supposedly impossible to deduce a private key
from its public counterpart.
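The sign-and-confirm exchange on this slide, worked through as an added Python example (not part of the original presentation). The key pairs are constructed from known Mersenne primes and use unpadded textbook RSA purely for illustration; the names `make_key`, `sign`, `verify` and `exchange` are assumptions of this example.

```python
import hashlib

E = 65537  # common public exponent

def make_key(p: int, q: int) -> dict:
    """Build a textbook RSA key pair from two primes (illustration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return {"public": (E, n), "private": (d, n)}

# Constructed demonstration keys from known Mersenne primes: NOT secure keys.
SENDER = make_key(2**127 - 1, 2**521 - 1)
RECIPIENT = make_key(2**89 - 1, 2**607 - 1)

def fingerprint(message: bytes) -> int:
    """The message 'fingerprint' from the slide: a SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key: tuple) -> int:
    """'Encrypt' the fingerprint with the signer's private key."""
    d, n = private_key
    return pow(fingerprint(message), d, n)

def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """'Decrypt' with the signer's public key and compare to a fresh fingerprint."""
    e, n = public_key
    return pow(signature, e, n) == fingerprint(message)

def exchange(contract: bytes) -> dict:
    """Sender signs, recipient verifies, recipient signs a confirmation."""
    sig = sign(contract, SENDER["private"])
    receipt = b"received:" + hashlib.sha256(contract).hexdigest().encode()
    receipt_sig = sign(receipt, RECIPIENT["private"])
    return {
        "contract_ok": verify(contract, sig, SENDER["public"]),
        "receipt_ok": verify(receipt, receipt_sig, RECIPIENT["public"]),
        # Any change to the signed text invalidates the signature.
        "tampered_ok": verify(contract + b" (amended)", sig, SENDER["public"]),
        # A signature only verifies under the signer's own public key.
        "wrong_key_ok": verify(contract, sig, RECIPIENT["public"]),
    }

if __name__ == "__main__":
    print(exchange(b"I agree to the Member Agreement."))
```

Production systems use a padded scheme such as RSA-PSS or ECDSA from a vetted cryptographic library, with keys bound to identities by a certification authority.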
Legislation:
Personal Information Protection
Electronic Documents Act (“PIPEDA”)
 Takes opt-in approach.
 Minister is responsible for passing
regulations permitting e-signatures.
 500 ministries will set their own rules and
forms
Canadian Legislation
 All of the provinces, the federal government
and one territory have enacted legislation
regarding electronic commerce and
contracting.
 The provincial and territorial Acts are based
largely on the Uniform Electronic
Commerce Act which endorses the use and
acceptance of electronic contracts
Canadian Legislation………...
 Law has to adapt to technological realities.
 Consider Public Documents Act, R.S.C.
1985.
“Unless some act relating thereto expressly
so provides, no commission or other public
document…is required to be on parchment,
but, when written or printed wholly or in
part on paper, is as valid in all respects as if
written or printed on parchment.”
-consider the example of an indenture
Canadian Legislation……..
| Province | Statute | Date Enacted |
| --- | --- | --- |
| Alberta | Electronic Transactions Act | April 1, 2003 |
| British Columbia | Electronic Transactions Act | April 19, 2001 |
| Manitoba | Electronic Commerce and Information Act | Royal Assent (partly in force – part on using electronic means under designated laws has yet to be proclaimed). |
| New Brunswick | Electronic Transactions Act | March 31, 2002 |
| Newfoundland & Labrador | Electronic Commerce Act | December 13, 2001 |
| Nova Scotia | Electronic Commerce Act | November 30, 2000 |
| Ontario | Electronic Commerce Act | October 16, 2000 |
| PEI | Electronic Commerce Act | May 15, 2001 |
| Québec | An Act to establish a legal framework for information technology. | November 1, 2001 |
| Saskatchewan | Electronic Information and Documents Act | November 1, 2000, (amended 2002 c.18) |
| Yukon | Electronic Commerce Act | March 27, 2001 |
Ontario’s
Electronic Commerce Act
 What does it do?
• establish rules by which government bodies and
organizations may communicate and transact
with the public
• applies generally to legal requirements and
transactions governed by Ontario law
Legislation:
Electronic Commerce Act
 Works on an opt-out basis.
 Excludes some classes of documents.
 Some statutes require writing, like the Copyright Act
 Evidentiary issues unresolved.
 Non est factum
 Handwritten signatures are also subject to fraud.
“One of the characteristics of an ink-on-paper
signature is that the person who relies on it takes
the risk that it is not genuine.”
Legislation Ontario
Key Sections
 Section 6: requirement that someone
provide a document in writing is satisfied
where it is:
• accessible so as to be usable for subsequent
reference; and
• capable of being retained
Key Sections…………………………..
 Section 5: A legal requirement that a document be
in writing is satisfied where the electronic
document is “accessible so as to be usable for
subsequent reference”.
 Section 11: “a legal requirement that a document
be signed is satisfied by an electronic signature”.
 “electronic signature” means electronic
information that a person creates or adopts in
order to sign a document that is in, attached to, or
associated with the document.
Key Sections…………………………..
 Section 19: “An offer, the acceptance of an offer,
or any other matter that is material to the
formation or operation of a contract may be
expressed,
• by means of electronic information or an electronic
document; or
• by an act that is intended to result in electronic
communication, such as,
• touching or clicking on an appropriate icon or other place on, a
computer screen, or
• speaking.”
 In other words: electronic contracts are real and
will be enforceable.
Other Legislation
 Consumer Protection Act
 Competition Act
Click – Shrink - Browse
 Website or license pop-up terms.
 Just what are you “I agree”ing to?
Shrink-Wrap
 What is Shrink Wrap?
 Acceptable provided terms are reasonable.
Enforceability: Click-Wrap
 Click-Wrap the Web equivalent
 In Rudder v. Microsoft (1999), 2 C.P.R.
(4th) 474, the plaintiffs were presented with
a Member Agreement upon loading the
software from disk onto their computers and
again when going online to access the MSN
website.
Click-Wrap…………………….
 Rudder, continued…
 Both presentations of the Member
Agreement allowed the terms to be viewed
by scrolling through the text and required
the user to click on an “I Agree” button
before proceeding.
 The Ontario court enforced the choice of
law and forum selection clause (requiring
that claims be brought in Washington) in the
Member Agreement.
Enforceability: Browse Wrap
 Do you have to actually click on the license
and have it pop up?
 This is the concept of Browse Wrap.
Browse Wrap...………………..
 In Specht v. Netscape Communications Corp., the software
in question could be downloaded from Netscape’s website
simply by clicking a button labeled “download”.
 The download page contained an invitation to view the
software license and a link to the license that was visible
only if the user scrolled to the bottom of the page; users
were not required to specifically assent to the agreement
(or even read it) before downloading the software.
 Not sufficient evidence of either notice or assent to create a
contract that included the terms of the license agreement.
 The Second Circuit Court of Appeals affirmed.
 See also Ticketmaster Corp. vs. Tickets.Com, Inc.
Amendments to
Electronic Contracts
 Canadian Case: Kanitz v. Rogers Cable Inc.
 Canadian Court upheld the Browse Wrap
and, by inference, the Click Wrap.
 See also Comb et al v. Paypal Inc. in US.
Amendments to Electronic Contracts…...
 Whether onerous terms, including power to
amend contract unilaterally and practical
effect of arbitration clause is still an issue.
Electronic Signatures
and Contracts
Conclusion
 Signatures will move online.
 The law will enforce contracts made online
where those contracts aren’t unconscionable
and there is true assent.
 Questions of authenticity remain
unresolved.
 Don’t be distracted by evidentiary issues.
Conclusion…………………………….
 Recommend paper backup to anything
important.
 Remember paper is not always perfect
either.
 Technology shouldn’t replace human due
diligence.
Every commercial enterprise
will be subject to the Act in 4
months.
For Now:
 Federally regulated private sector and out of
province exchange of personal information
 Health Information
JANUARY 1, 2004 – P-Day
 Commercial use of personal information
within individual provinces
 Or provinces will have “substantially similar”
Acts.
The Act in Brief
 “Personal Information”
 “Commercial Activity”
 Consent
 Access
 Challenge accuracy
 Safeguards
Ten Privacy Principles
1. Accountability
An organization is responsible for personal
information under its control and should
designate an individual or individuals who
are accountable for the organization’s
compliance with the following principles.
2. Identify The Purpose
An organization must identify the purposes
for collecting personal information at or
before the time the information is collected.
Ten Privacy Principles………..
3. Obtain Consent
The knowledge and consent of the
individual are required for the collection,
use or disclosure of personal information,
except when inappropriate.
4. Limit Collection
The collection of personal information
should be limited to that which is necessary
for the purposes identified by the
organization. Information shall be collected
by fair and lawful means.
Ten Privacy Principles………..
5. Limit Use, Disclosure, And Retention
Personal information should not be used or
disclosed for purposes other than those for
which it was collected, except with the
consent of the individual or as required by
the law. Personal information shall be
retained only as long as necessary for
fulfillment of those purposes.
Ten Privacy Principles………..
6. Be Accurate
Personal information should be as accurate,
complete, and up-to-date as is necessary for
the purpose for which it is to be used.
7. Use Appropriate Safeguards
Personal information should be protected
by security safeguards appropriate to the
sensitivity of the information.
Ten Privacy Principles………..
8. Be Open
An organization should make readily available
to individuals specific information about its
policies and practices relating to the
management of personal information.
9. Give Individuals Access
Upon request, an individual should be informed
of the existence, use and disclosure of his or her
personal information and shall be able to
challenge the accuracy and completeness of the
information and have it amended as appropriate.
Ten Privacy Principles………..
10. Challenging Compliance
An individual should be able to address a
challenge concerning compliance with the above
principles to the designated individual or
individuals for the organization’s compliance.
Exceptions to the consent and
access principles
 Specific circumstances - consent
 Mandatory refusal of access - access
 Permissive refusal of access - access
Why Comply?
 Statutory Reasons
 Practical Reasons
Statutory Reasons
 Power of individual - file complaint
- Federal Court
- injunction
- damages
 Statutory watchdog
 Statutory review process
Statutory Reasons:
Current Events
 176 findings
Examples:
• Automated VISA information
• Employee objects to use of Bank account
number on pay statement
• Broadcaster Website
• Bank failed to respond to inquiry
• Airline vacation incident
• Improper collection and use of SIN
Examples of Findings
 Finding Number 94 - Individual Objects to
Request for Information as Condition of
Supply of Service
 Summary: Collection of Credit Card
information can be reasonable if you are
extending credit to the individual (such as
renting a car or providing a service like a
phone)
Examples of Findings....................
 Finding Number 71 – Collection Use of
Electronic Signatures by Courier
Company
 Summary: A procedure that may be good
for marketing and may be requested by
some customers can still be in violation of
PIPEDA if there is a lack of informed
consent at the time the information is
collected.
Examples of Findings....................
 Finding Number 56 – Telephone Company
Demands Identification From New
Subscribers
 Summary: Consent is needed even when
the use of information appears obvious.
Examples of Findings....................
 Finding Number 48 – Applicant for
Services Objects to Providing Credit Card
or Bank Account Information
 Summary: Credit Card information can
be requested for the purpose of
processing payment
Examples of Findings....................
 Finding Number 46 – Bank Accused of
Inappropriately Demanding Birth Dates
from Account Applicants
 Summary: Limit collection to necessary
data only.
Examples of Findings....................
 Finding Number 42 – Air Canada Allows
1% of Aeroplan Members to “Opt Out” of
Information Sharing Practices
 Summary: Saving money by sending out
information to only a small sample of the
total number of customers affected by
your privacy policy will not be
acceptable. People should have to opt in
to their information being shared, rather
than having to opt out to prevent the
sharing of their information.
Practical Consequences
DoubleClick
 Scenario:
• Internet based advertising services
• Cookies
• Merged with Abacus Direct Corporation
 Plan/Strategy:
• Abacus Alliance.
DoubleClick
 Result:
• Unfavorable media coverage
• 3 state and federal investigations and several
class-action lawsuits
• Abacus Alliance plan put on hold in March,
2000
RealNetworks
 Scenario:
• RealJukeBox
• RealJukeBox software transmitting data to
database (i.e. User I.D. and list of songs)
• No consent
 Plan/Strategy:
• Monitoring system to help market new CDs
RealNetworks…………………
 Result:
• Unfavorable media coverage
• Statement of Chairman and C.E.O.:
“We made a mistake in not being clear enough
to our users about what kind of data was
being generated and transmitted by the use
of RealJukeBox”
 Program cancelled
Practical Consequences
 Toysmart.com
 E-Privacy = E-Commerce
 Border Skirmishes
• Canada vs. Int’l Community
 Strategic Alliance Inhibitor
 Depresses the Sticker Price
“Privacy compliance is going to be for e-businesses
what environmental compliance is for industrial
businesses.”
Recommendations
 Privacy Policy
 Address the 10 principles and tailor to your
organization
• Not boilerplate and not U.S. based
Privacy Policy…………………
 Identify Purpose
• Be clear
 Obtain Consent
• Provide “opt-in” control or at least an “opt-out”
option
 Limit Collection
• Be consistent with identified purpose
 Limit Use, Disclosure and Retention
• No other use unless consent obtained
Privacy Policy…………………
 Be Accurate
• Standards; Chief Privacy Officer
 Use Appropriate Safeguards
• Indicate level of security in place for greater
credibility
 Be Open
• Invite comments from users
Privacy Policy…………………
 Access and Compliance
• Have mechanism to permit individuals to check
and correct their information; Chief Privacy
Officer
 Easy to find
Privacy Policy…………………
General Suggestions
 Easy to understand
 Statement re minors
 Statement re sale of information
 Update as necessary
Not just a privacy policy
 Internal Security/Employee Awareness
 Consider Privacy Seals (independent audit)
 Consider external privacy advisory board
Privacy & Terrorism
Security vs. Privacy
 “Strong public support for security raises
the risk of abridging civil liberties.”
National – Dec. 2001
 “I’d rather have a bill with some
imperfections than no bill at all.”
Irwin Cotler - MP Liberal Nov. 21, 2001
 “Privacy is not an absolute right.”
Privacy Commissioner Ontario –
Ann Cavoukian – Jan. 25, 2002
Anti-Terrorism Act
 Passed in 12 weeks
 Allows Privacy Act over-ride in certain
circumstances
Workplace Consequences?
 Background checks on employees
 Surveillance in the workplace
Conclusion
 Privacy past its zenith?
 Provincial laws.