E-LAW… What is the Law?
Electronic Signatures, Clickwrap Terms and Conditions, and Privacy on the Internet

David T. Ullmann
Minden Gross Grafstein & Greenstein LLP

Introduction

This presentation will cover the following topics:
Electronic signatures
Canadian legislation related to same
Creation and Enforceability of Electronic Contracts
Privacy and legislation
Current privacy cases

What is a Signature?

• the essential function of a signature is to link a person with a document or as the Lords say:

“The essential requirement of signing is the affixing, either by writing by a pen or pencil or by otherwise impressing on the document one’s name or signature so as to personally authenticate the document.”
Lord Evershed, English Court of Appeal, 1954

Why are agreements signed?
• specific legislative or common law requirements
• evidence of assent to the terms and conditions of an agreement
• form of identity that ensures the parties know who they are contracting with

None of these factors change because the contract is now online.

Barry Sookman summarized the essentials of a signature at common law:
• It authenticates a document
• Can be accomplished through the use of some mechanical means such as a rubber stamp, printing, typewriting, or fax

Any mark adopted by a person with an attempt to authenticate the document may constitute a signature.

Use of a PIN number, or even a number, has been recognized as a signature.

A symbol such as a printed name in the body of a document will not constitute a signature unless it is executed or adopted by a party with the intention to authenticate the document.

Legibility is not a condition precedent.
The name of the signatory may be placed in the document by a third party, acting under authority from the signatory, unless the signature is one which requires the personal signature of the person.

Therefore, a signature is more than just a written “John Hancock” signed in person by the person bound by the document.

Types of Electronic Signatures

How Does this Apply On-Line?

“An electronic signature is a generic, technology neutral term and refers to the universe of all the various methods by which one can “sign” an electronic record.”

Examples of electronic signatures:
• a name typed at the end of an email message
• a PIN number
• a uniquely configured physical device such as a chip intended to be used with card readers
• a password
• a digitized form of manual signature
• biometric identifiers such as a fingerprint, voiceprint, retinal scan, iris scan, etc.
• clicking on an “I Agree” button or check box
• digital signatures using encryption and certification authorities

Secure Electronic Signatures (aka Advanced Electronic Signatures)

Public key encryption (PKI)

Each party has a mathematically-related pair of public and private “keys” for encrypting and decrypting messages.
The sender encrypts a message “fingerprint” using his private key.
The recipient then decrypts it using the sender’s public key.
The recipient then sends confirmation using his private key, which the sender decrypts using the recipient’s public key.
It’s supposedly impossible to deduce a private key from its public counterpart.

Legislation: Personal Information Protection and Electronic Documents Act (“PIPEDA”)

Takes opt-in approach.
Minister is responsible for passing regulations permitting e-signatures.
500 ministries will set their own rules and forms.

Canadian Legislation

All of the provinces, the federal government and one territory have enacted legislation regarding electronic commerce and contracting.
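The public key signing step described under Secure Electronic Signatures above, as an added example that is not part of the original presentation: a toy textbook-RSA signature over a SHA-256 fingerprint, showing that verification fails when the document is altered or when a different key signed it. The key pairs, party names, sample contract text and function names are constructed for illustration; production systems use randomly generated keys and a padded signature scheme.

```python
import hashlib

# Toy key pairs built from Mersenne primes so the block runs with the
# standard library alone. Constructed for illustration: real keys use
# random primes and a padded scheme such as RSA-PSS.
def make_key(p: int, q: int, e: int = 65537) -> dict:
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return {"public": (e, n), "private": (d, n)}

SIGNER = make_key(2**521 - 1, 2**607 - 1)        # hypothetical signing party
OTHER_PARTY = make_key(2**127 - 1, 2**1279 - 1)  # hypothetical second key holder

def fingerprint(document: bytes) -> int:
    """The message "fingerprint": its SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, private_key: tuple) -> int:
    """Sender: transform the fingerprint with the private key."""
    d, n = private_key
    return pow(fingerprint(document), d, n)

def verify(document: bytes, signature: int, public_key: tuple) -> bool:
    """Recipient: undo the transform with the public key and compare."""
    e, n = public_key
    return pow(signature, e, n) == fingerprint(document)

# Constructed sample documents.
CONTRACT = b"I agree to the Member Agreement. Signed, A. Signer"
ALTERED = b"I agree to the Member Agreement, as amended. Signed, A. Signer"

def demo() -> dict:
    sig = sign(CONTRACT, SIGNER["private"])
    other_sig = sign(CONTRACT, OTHER_PARTY["private"])
    return {
        "genuine": verify(CONTRACT, sig, SIGNER["public"]),
        "altered_document": verify(ALTERED, sig, SIGNER["public"]),
        "signed_with_other_key": verify(CONTRACT, other_sig, SIGNER["public"]),
    }

if __name__ == "__main__":
    print(demo())
```

The check links a document to a key, not to a person; tying the key to an identity is the role of the certification authorities listed among the examples of electronic signatures.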
The provincial and territorial Acts are based largely on the Uniform Electronic Commerce Act, which endorses the use and acceptance of electronic contracts.

Law has to adapt to technological realities. Consider Public Documents Act, R.S.C. 1985:

“Unless some act relating thereto expressly so provides, no commission or other public document…is required to be on parchment, but, when written or printed wholly or in part on paper, is as valid in all respects as if written or printed on parchment.”

- consider the example of an indenture

Province | Statute | Date Enacted
Alberta | Electronic Transactions Act | April 1, 2003
British Columbia | Electronic Transactions Act | April 19, 2001
Manitoba | Electronic Commerce and Information Act | Royal Assent (partly in force – part on using electronic means under designated laws has yet to be proclaimed).
New Brunswick | Electronic Transactions Act | March 31, 2002
Newfoundland & Labrador | Electronic Commerce Act | December 13, 2001
Nova Scotia | Electronic Commerce Act | November 30, 2000
Ontario | Electronic Commerce Act | October 16, 2000
PEI | Electronic Commerce Act | May 15, 2001
Québec | An Act to establish a legal framework for information technology. | November 1, 2001
Saskatchewan | Electronic Information and Documents Act | November 1, 2000 (amended 2002 c.18)
Yukon | Electronic Commerce Act | March 27, 2001

Ontario’s Electronic Commerce Act

What does it do?
• establish rules by which government bodies and organizations may communicate and transact with the public
• applies generally to legal requirements and transactions governed by Ontario law

Legislation: Electronic Commerce Act

Works on an opt-out basis.
Excludes some classes of documents.
Some statutes require writing, like Copyright Act.
Evidentiary issues unresolved.

Non est factum

Handwritten signatures are also subject to fraud.
“One of the characteristics of an ink-on-paper signature is that the person who relies on it takes the risk that it is not genuine.”

Legislation: Ontario ECA

Key Sections

Section 6: requirement that someone provide a document in writing is satisfied where it is:
• accessible so as to be usable for subsequent reference; and
• capable of being retained

Section 5: A legal requirement that a document be in writing is satisfied where the electronic document is “accessible so as to be usable for subsequent reference”.

Section 11: “a legal requirement that a document be signed is satisfied by an electronic signature”.

“electronic signature” means electronic information that a person creates or adopts in order to sign a document that is in, attached to, or associated with the document.

Section 19: “An offer, the acceptance of an offer, or any other matter that is material to the formation or operation of a contract may be expressed,
• by means of electronic information or an electronic document; or
• by an act that is intended to result in electronic communication, such as,
    • touching or clicking on an appropriate icon or other place on, a computer screen, or
    • speaking.”

In other words: electronic contracts are real and will be enforceable.

Other Legislation

Consumer Protection Act
Competition Act

Click – Shrink - Browse

Website or license pop-up terms.
Just what are you “I agree”ing to?

Shrink-Wrap

What is Shrink Wrap?
Acceptable provided terms are reasonable.

Enforceability: Click-Wrap

Click-Wrap the Web equivalent

In Rudder v. Microsoft (1999), 2 C.P.R. (4th) 474, the plaintiffs were presented with a Member Agreement upon loading the software from disk onto their computers and again when going online to access the MSN website.
Both presentations of the Member Agreement allowed the terms to be viewed by scrolling through the text and required the user to click on an “I Agree” button before proceeding.

The Ontario court enforced the choice of law and forum selection clause (requiring that claims be brought in Washington) in the Member Agreement.

Enforceability: Browse Wrap

Do you have to actually click on the license and have it pop up? This is the concept of Browse Wrap.

In Specht v. Netscape Communications Corp., the software in question could be downloaded from Netscape’s website simply by clicking a button labeled “download”.

The download page contained an invitation to view the software license and a link to the license that was visible only if the user scrolled to the bottom of the page; users were not required to specifically assent to the agreement (or even read it) before downloading the software.

Not sufficient evidence of either notice or assent to create a contract that included the terms of the license agreement. The Second Circuit Court of Appeals affirmed.

See also Ticketmaster Corp. vs. Tickets.Com, Inc.

Amendments to Electronic Contracts

Canadian Case: Kanitz v. Rogers Cable Inc.
Canadian Court upheld the Browse Wrap and, by inference, the Click Wrap.
See also Comb et al v. Paypal Inc. in US.

Whether onerous terms, including power to amend contract unilaterally and practical effect of arbitration clause is still an issue.

Electronic Signatures and Contracts

Conclusion

Signatures will move online.
The law will enforce contracts made online where those contracts aren’t unconscionable and there is true assent.
Questions of authenticity remain unresolved.
Don’t be distracted by evidentiary issues.
Recommend paper backup to anything important.
Remember paper is not always perfect either.
Technology shouldn’t replace human due diligence.
Every commercial enterprise will be subject to the Act in 4 months.

For Now:
Federally regulated private sector and out of province exchange of personal information
Health Information

JANUARY 1, 2004 – P-Day
Commercial use of personal information within individual provinces
Or provinces will have “substantially similar” Acts.

The Act in Brief

“Personal Information”
“Commercial Activity”
Consent
Access
Challenge accuracy
Safeguards

Ten Privacy Principles

1. Accountability
An organization is responsible for personal information under its control and should designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

2. Identify The Purpose
An organization must identify the purposes for collecting personal information at or before the time the information is collected.

3. Obtain Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except when inappropriate.

4. Limit Collection
The collection of personal information should be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

5. Limit Use, Disclosure, And Retention
Personal information should not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. Personal information shall be retained only as long as necessary for fulfillment of those purposes.

6. Be Accurate
Personal information should be as accurate, complete, and up-to-date as is necessary for the purpose for which it is to be used.

7. Use Appropriate Safeguards
Personal information should be protected by security safeguards appropriate to the sensitivity of the information.

8.
Be Open
An organization should make readily available to individuals specific information about its policies and practices relating to the management of personal information.

9. Give Individuals Access
Upon request, an individual should be informed of the existence, use and disclosure of his or her personal information and shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance
An individual should be able to address a challenge concerning compliance with the above principles to the designated individual or individuals for the organization’s compliance.

Exceptions to the consent and access principles

Specific circumstances - consent
Mandatory refusal of access - access
Permissive refusal of access - access

Why Comply?

Statutory Reasons
Practical Reasons

Statutory Reasons

Power of individual
- file complaint
- Federal Court
- injunction
- damages
Statutory watchdog
Statutory review process

Statutory Reasons: Current Events

176 findings

Examples:
• Automated VISA information
• Employee objects to use of Bank account number on pay statement
• Broadcaster Website
• Bank failed to respond to inquiry
• Airline vacation incident
• Improper collection and use of SIN

Examples of Findings

Finding Number 94 - Individual Objects to Request for Information as Condition of Supply of Service
Summary: Collection of Credit Card information can be reasonable if you are extending credit to the individual (such as renting a car or providing a service like a phone)

Finding Number 71 – Collection Use of Electronic Signatures by Courier Company
Summary: A procedure that may be good for marketing and may be requested by some customers can still be in violation of PIPEDA if there is a lack of informed consent at the time the information is collected.
Finding Number 56 – Telephone Company Demands Identification From New Subscribers
Summary: Consent is needed even when the use of information appears obvious.

Finding Number 48 – Applicant for Services Objects to Providing Credit Card or Bank Account Information
Summary: Credit Card information can be requested for the purpose of processing payment

Finding Number 46 – Bank Accused of Inappropriately Demanding Birth Dates from Account Applicants
Summary: Limit collection to necessary data only.

Finding Number 42 – Air Canada Allows 1% of Aeroplan Members to “Opt Out” of Information Sharing Practices
Summary: Saving money by sending out information to only a small sample of the total number of customers affected by your privacy policy will not be acceptable. People should have to opt in to their information being shared, rather than having to opt out to prevent the sharing of their information.

Practical Consequences

DoubleClick

Scenario:
• Internet based advertising services
• Cookies
• Merged with Abacus Direct Corporation

Plan/Strategy:
• Abacus Alliance.

Result:
• Unfavorable media coverage
• 3 state and federal investigations and several class-action lawsuits
• Abacus Alliance plan put on hold in March, 2000

RealNetworks

Scenario:
• RealJukeBox
• RealJukeBox software transmitting data to database (i.e. User I.D. and list of songs)
• No consent

Plan/Strategy:
• Monitoring system to help market new CDs

Result:
• Unfavorable media coverage
• Statement of Chairman and C.E.O.: “We made a mistake in not being clear enough to our users about what kind of data was being generated and transmitted by the use of RealJukeBox”
Program cancelled

Practical Consequences

Toysmart.com

E-Privacy = E-Commerce

Border Skirmishes
• Canada vs.
Int’l Community

Strategic Alliance Inhibitor

Depresses the Sticker Price

“Privacy compliance is going to be for e-businesses what environmental compliance is for industrial businesses.”

Recommendations

Privacy Policy

Address the 10 principles and tailor to your organization
• Not boilerplate and not U.S. based

Identify Purpose
• Be clear

Obtain Consent
• Provide “opt-in” control or at least an “opt-out” option

Limit Collection
• Be consistent with identified purpose

Limit Use, Disclosure and Retention
• No other use unless consent obtained

Be Accurate
• Standards; Chief Privacy Officer

Use Appropriate Safeguards
• Indicate level of security in place for greater credibility

Be Open
• Invite comments from users

Access and Compliance
• Have mechanism to permit individuals to check and correct their information; Chief Privacy Officer

Easy to find

General Suggestions

Easy to understand
Statement re minors
Statement re sale of information
Update as necessary
Not just a privacy policy
Internal Security/Employee Awareness
Consider Privacy Seals (independent audit)
Consider external privacy advisory board

Privacy & Terrorism

Security vs. Privacy

“Strong public support for security raises the risk of abridging civil liberties.”
National – Dec. 2001

“I’d rather have a bill with some imperfections than no bill at all.”
Irwin Cotler - MP Liberal, Nov. 21, 2001

“Privacy is not an absolute right.”
Privacy Commissioner Ontario – Ann Cavoukian – Jan. 25, 2002

Anti-Terrorism Act

Passed in 12 weeks
Allows Privacy Act over-ride in certain circumstances

Workplace Consequences?

Background checks on employees
Surveillance in the workplace

Conclusion

Privacy past its zenith?
Provincial laws.