Gregory Hong is an IPilogue Writer and a 1L JD candidate at Osgoode Hall Law School

BetterHelp is a mental health platform that provides online mental health services, “the largest therapy platform in the world. We change the way people approach their mental health and help them tackle life’s challenges by providing accessible and affordable care. With BetterHelp, you can message a professional therapist anytime, anywhere”. reads: “Making professional therapy accessible, affordable, and convenient — so anyone who struggles with life's challenges can get help, anytime and anywhere”. Their primary business is online counseling and therapy provided online through web-based interaction and phone/text communication with professional counselors.

Privacy Misrepresentation

According to the , BetterHelp requires a questionnaire that asks for sensitive mental health information – “such as whether they have experienced depression or suicidal thoughts and are on any medications” – along with personal information. details BetterHelp’s dubious privacy practices, many of which display an egregious lack of concern for privacy interests. The complaint also details the privacy representations made by BetterHelp, some of which have been altered over time. An example of these changes was seen in the intake questionnaire, where a question asking “Are you currently taking any medication?” included a privacy statement that went through a few iterations (emphasis on alteration added in the complaint):

Up to Dec 2020: “Rest assured—any information provided in this questionnaire will stay private between you and your counselor.”

Dec 2020: “Rest assured—this information will stay private between you and your counselor”

Jan 2021: “Rest assured—your health information will stay private between you and your counselor”

Oct 2021: The statement was removed altogether

Revealing Private Information to Advertisers

The FTC release indicates that BetterHelp “did not obtain consumers’ affirmative express consent before disclosing their health data” and “failed to place any limits on how third parties could use consumers’ health information—allowing Facebook and other third parties to use that information for their own internal purposes, including for research and development or to improve advertising”. According to the complaint, BetterHelp used and revealed consumers’ email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes”, including “identify[ing] similar consumers and target[ing] them with advertisements for BetterHelp’s counseling service.”

The Punishment

The FTC has issued a (a legal document that outlines the terms and conditions for resolving a complaint or an investigation related to unfair or deceptive business practices) requiring that BetterHelp return funds – amounting to $7.8 million – to customers whose health data was compromised. ��The proposed order also bans BetterHelp from disclosing health information for advertising, prohibits misrepresenting its sharing practices and requires several changes to company practices regarding health and personal data. BetterHelp writes in that this settlement is “no admission of wrongdoing” and that their “industry-standard practice is routinely used by some of the largest health providers, health systems, and healthcare brands”. The says that this enforcement action is not the first of its kind, as it follows the , and that “the FTC has made it clear of its intent to crack down on the trafficking in sensitive health data by businesses not strictly classified as health care providers and thus not covered by HIPAA, the federal privacy rules that govern the health care industry”. Hopefully, this sets a precedent for more stringent enforcement of good privacy practices, particularly regarding the sale of personal and health information.

The post FTC Punishes BetterHelp for Sharing Mental Health Information with Advertisers appeared first on IPOsgoode.

Ivana Peloza is a 3L JD Candidate at Osgoode Hall Law School. This article was written as a requirement for Prof. Pina D’Agostino’s IP Intensive Program.

The Globe and Mail is Canada’s foremost news media company, a nationally-distributed newspaper with one of the largest circulations in Canada. The newspaper’s print and digital formats reach over 6 million readers every week, with Report on Business magazine reaching over 2.5 million readers every issue in print and digital. When I was placed with The Globe and Mail as part of Osgoode’s IP Intensive program, however, I certainly did not expect the extent to which I would be intertwined in the world of tech. Publishing is, of course, one of the core copyright industries – if not the core industry historically associated with copyright. IP law in publishing, especially at The Globe –�� who is known for being an early provider of digital media and device-agnostic content delivery – goes far beyond copyright infringement and litigation. There are significant overlaps and considerations to think of with the roll-out of a privacy policy, consumer protection laws, and a range of different agreements including those related to advertising, purchase and sale, events, and content production freelancer rights.

Over the course of my time at The Globe, I gained vast and multidisciplinary experience, but three major themes emerged within my practical and research work: privacy, contracts, and data protection. On my very first day, my supervisor (thankfully) lent me a copy of The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT Contracts for Lawyers and Businesspeople by David Tollen to start familiarizing myself with these themes. Complying with privacy regulations, especially in IT contracts, is as important as it can be misunderstood. Especially in an era of rapidly developing regulation and technology surrounding privacy, corporate organizations have a strict duty to continually follow the developments in Canadian privacy and data protection law as it relates to different jurisdictions.

My internship also allowed me to reflect on and speak with my supervisor about the differences – between working in-house versus private practice. For instance, private practice may have an entire staff dedicated to accomplishing just one specific aspect of a privacy or contracts matter whereas in-house lawyers might deal collaboratively with the whole breadth of a legal process. In-house has the potential to, therefore, offer a much greater variety and scope of practice and expertise. If my experience at the Globe has taught me anything, it's that this type of legal work makes the days more interesting, in my opinion!

An in-house legal department is also intimately intertwined with the organization’s commercial decision-making. Learning how to navigate the specific challenges of interdisciplinary brainstorming, drafting, and decision-making was a significant takeaway as well. Often, legal professionals or a corporation’s legal team will be coming late compared to the business process and left out of major contractual decisions. Sometimes, however, as was the case with the incredibly accomplished lawyers who I was lucky enough to learn from at The Globe, just by virtue of experience, the legal professionals have beneficial insight into the commercial deal process. Sometimes this is helpful, sometimes it leads to “spinning of wheels” but the point is there is deal structure expertise that isn’t always brought until after the deal is “set.” One of the jobs is to try to get further upstream – even if you’re not necessarily trying to be involved in the day-to-day happenings – but you need to find a way to have some perspective and plan more effectively.

To this point, I often reflected on a piece of advice I was given on the very first day of the IP Intensive Seminars. When I asked the alumni speakers their advice for someone who has never had a summer legal placement before, Denver Bandstra, Associate at Bereskin & Parr LLP, reminded me that I would get used to it “just like any other job.” Like any job, there will always be work-place procedure and workflow that requires orientation and practice. Learning the workflow of a contract renewal and negotiations, or the day-to-day contrast for an in-house lawyer compared to a private practice lawyer, only comes from experience. The experience given in the IP Intensive program, for that reason, is the most worthwhile part of my legal education so far. And particularly, as all things in IP and technology law are proving to be, developing knowledge and familiarity with data and privacy, the Internet and disruptive technology is worthwhile – not just for a career in IP law, but also for any person using social media in the digital age.

The post The Digital Age of Journalism: My Placement at "The Globe and Mail” appeared first on IPOsgoode.

Disingenuous and Deceptive Behaviour

Prior to the whistleblower revelation of Facebook's involvement in Cambridge Analytica influencing , it had been popularising various quizzes and games on its platform. This was ��to engage users in order to conduct����to check if�� instigation of "emotional contagion” was possible through social media. Succeeding in such attempts, it gave multiple third parties��access to its users’ data (e.g., content posted on Facebook and messages exchanged through Messenger). Thus, it is imperative to regulate such social media platforms. Facebook superficially handles its privacy policies through��, which hampers the meaningful and����from users. Accordingly, the Canadian regulators are making painstaking efforts to protect citizens from such undue influences by penalizing such activities. The Bureau explicitly confirms that����do not in their entirety protect the users to control their respective messenger chats and other private activities. Rather, there are loopholes (such as, installation of third-party apps) by which third parties can access such information rendering enormous profits to Facebook. Though Facebook had contended to refrain from such activities in 2015, that such practice continued until 2018.

Intertwined Relationship of the Regulators in the Privacy Dispute

Due to complexity of the cases and inadequacy of laws in the field of data privacy, the OPC and Competition Commission have gone to great lengths to achieve a comprehensive settlement and enforcement in this case. As both had different approaches and interests, being regulated under different laws, including PIPEDA and the respectively, achieving consistency with regards to regulations can be a challenge. Intertwining both regulators helped in bridging the gap between the “” of federal and provincial privacy laws, while Competition Bureau sought an administrative penalty helping in the enforcement proceedings. Though the OPC has been criticized in the past for lack of enforcement powers, coalition of both regulators has demonstrated benefit to the Canadian privacy regime.

In conclusion, considering the��current scenario, it is foreseeable that more regulators may��interpret privacy issues differently and as per their mandates. This is because the privacy law framework in Canada, and elsewhere, has not entirely addressed online infringement issues and it will take a considerable period of time to develop comprehensive statutes to regulate these novel and often nefarious online activities.

Written by Aishwerya Kansal, IPilogue Contributor. Aishwerya is pursuing Master’s in Law in International Business Laws at Osgoode Hall Law School, and she is also an IP Innovation Clinic Fellow.

��

The post THE ONGOING SAGA: FACEBOOK HEMORRHAGING ITS USERS PRIVACY appeared first on IPOsgoode.

Although any form of digital model that relies on data collection is going to have privacy drawbacks, it is important for app developers to understand the extent to which users are willing to compromise their privacy for the sake of safety and security. Contact-tracing apps have been in slowing the spread of COVID-19 in numerous East Asian countries. The to the implementation of contact-tracing models is the fact that they rely on voluntary participation of individuals who have tested positive for the virus. Examples of successful implementation of smartphone apps for the purposes of containment of COVID-19 outbreaks in Singapore and South Korea show that for these models to be effective, must be willing to participate. With ever-increasing skepticism of the public towards any form of mass data collection following recent scandals such as , convincing the public to opt in to a database where their daily contacts may be stored by private or public entities is undoubtedly going to be difficult.

To help address existing concerns regarding the anonymity of participants, a is attempting to strike a balance between efficacy and privacy-preservation in a newly proposed contact-tracing app. To gather data, the app is mainly going to use the on participants’ smartphones. When two participants come in contact with each other, the Bluetooth signals from their phones will perform a . The app will then keep an individualized record of the participants’ encounters under an anonymous ID and in a case where a user voluntarily discloses that they have tested positive for the virus, the app will inform all of the individuals whom the user had encountered . By using Bluetooth and not revealing the identity of participants, this joint innovation is attempting to move away from the invasive approach of and provides more privacy for its users. Additionally, the Apple-Google digital tool information gathering by passing stored data from one personal device to another as opposed to sending data to local or federal authorities.

Although widespread testing and public cooperation are going to be crucial in preventing future outbreaks, skepticism towards any form of data collection from a privacy standpoint is reasonable. The efficacy of a contact-tracing model is ultimately going to depend on the public’s trust in the program and the joint proposal by Google and Apple is a good attempt at addressing privacy concerns regarding identity disclosure and data collection by the government.

Written by Bonnie Hassanzadeh, IPilogue editor and Clinic Fellow at Osgoode Innovation Clinic.

The post Contact-Tracing Apps in a Post-Lockdown World: Tech Giants Attempt to Address Privacy Concerns in New Proposal appeared first on IPOsgoode.

Far less attention has been paid to how retailers are using the same technology to improve customer loyalty and increase sales.�� For example, has been using facial recognition technology to identify VIPs in its Toronto store.

For brick and mortar retailers, facial recognition technology holds tremendous value. Marketing analysts have described how shoppers interact and behave within the actual retail environment as a Facial recognition technology could potentially provide marketers with the insights they’ve been missing.��

From an IP commercialization perspective, patents represent only a fraction of facial recognition technology’s value. The data extracted by the algorithm is extremely lucrative. However, who can claim ownership rights over this data is not entirely clear cut.��

Who Owns the Data?

Under Canadian law, . Instead, is protected by a number of different privacy laws at the federal and provincial levels. , the federal Personal Information Protection and Electronic Documents Act (PIPEDA) would apply to most retailers.

The economic importance of data has led to increased discussion around the need to create . However, that may not be necessary in this case. It’s uncertain if individuals could claim ownership over the personal information collected by a facial recognition technology program by virtue of their personality rights.����

What are Personality Rights?

Personality rights recognize that individuals have the right to protect their image, name, and voice from commercial exploitation. Several jurisdictions () protect the right through their provincial privacy legislation. provides statutory protection through its Civil Code. In , the right is entirely governed by the common law.��

that are owned by individuals. Like other forms of property, they can be licensed and even inherited upon death.

The limited cases on wrongful appropriation of personality in Canada have involved celebrities or well-known figures, though celebrity is not a requirement. This raises the question of whether individuals could license their personality rights to companies. Licensing personality rights could potentially provide a new revenue stream for individuals and even data brokerages that already buy and sell personal data. For companies, it can create a burdensome problem of ensuring that appropriate permissions have been obtained.

Using someone’s personality for commercial purposes, without their consent is considered a . If successful, a plaintiff may be entitled to an injunction and damages.�� Case law suggests that a successful cause of action will require that (i) the plaintiff can be identified; and (ii) that their image was used for the purpose of commercial gain.

In , the court narrowed the scope of the tort to “endorsement-type situations.” This does not necessarily limit the cause of actions to celebrities endorsing products. The flexible language leaves the door open for courts to consider whether tracking and analyzing a customer’s shopping preferences to customize how they are marketed to would be considered an “endorsement-like situation.”������

While some companies may be able to anonymize the data so that individuals aren’t identified, this may prove more difficult for retailers relying on facial recognition technology to identify customers within their loyalty programs.

Moreover, using someone’s facial identity to increase sales is a primary objective behind the retail sector’s use of the technology.�� For example, in New York, athletic footwear giant uses an algorithm to snap photos of shoppers in-store and rapidly build a profile that can track their emotional cues, for example, how interested they are in a particular product.�� Reebok has expressed hope that ��these insights could be used to customers see while they’re in store.

Remaining Competitive Post-COVID-19 ����
������ ������
The value of facial recognition technology to retailers may be even more important in the aftermath of COVID-19. Although the true financial ramifications of COVID-19 on the global economy are not yet fully known, competition among retailers has always been tough.
In light of this, the pressure to lower customer acquisition costs and keep existing customers is higher. (what a business must spend on marketing to obtain and keep a new customer), is a critical metric that can shine light on a company’s performance and future success. Anything companies can do to lower their marketing costs, while increasing their precision to enhance loyalty, will likely be helpful in

Facial recognition technology offers retailers a promise of improved customer service, lowered costs, and more efficient marketing. While tempting, the technology comes with strings attached and requires ongoing maintenance and vigilance on the retailer’s part to ensure they are compliant with privacy laws and larger public policy goals. Even if personality rights are not engaged, retailers must still be aware of their legal responsibility to safeguard individuals’ personal information under privacy legislation like PIPEDA.��

In a , Kay Firth-Butterfield, Head of AI and Machine Learning at the World Economic Forum (WEF) cautioned companies to be aware of potential problems that AI can introduce, noting that substantial brand value can be lost if the wrong decisions are made about the use of AI. Firth-Butterfield stressed that the fast pace of change surrounding the technology requires companies start thinking about regulatory and governance mechanisms now not later.

The around the use of artificial intelligence by companies. As more jurisdictions are enacting privacy legislation to respond to the growing use of artificial intelligence in commercial settings, businesses may face additional barriers before they can fully implement the technology. Companies could see new compliance requirements that either reflect or closely align with the legislation that is already in force in other jurisdictions, like the General Data Protection Regulation (GDPR) in Europe.

The added expense required to safeguard the information and ensure that staff are trained to use it may not be enough to justify taking on the risk, particularly for small- to mid-size businesses who cannot shield the costs and administrative burdens as easily.��

If there is a silver lining for companies, it may be that that PIPEDA serves a distinct purpose that can be distinguished from other federal and provincial privacy legislation. Namely, PIPEDA must balance protecting individuals’ privacy with the need for commercial organizations to collect and use personal information.��

So while it is unlikely that the OPC will issue recommendations that stifle commercial activity, it would be reasonable for retailers to expect that they will need to take extra precautions to ensure highly sensitive personal information is protected.

Ultimately, it will be for retailers to decide if the benefits outweigh the costs.������

Maggie Vourakes is a JD candidate at Osgoode Hall Law School.

The post Facial Recognition Technology and the Retail Sector: Opportunity or Liability? appeared first on IPOsgoode.

In today’s digital age, the “right to be forgotten” – essentially, the right to withdraw consent over the processing of one’s personal information – is being hotly debated around the world, and it is now gaining momentum in Canada.

The Spanish case

The test case for this ground-breaking ruling originated in Spanish jurisdiction after the Spanish lawyer in question failed in his attempts to get Google to remove links to two old local newspaper publications related to his prior bankruptcy.�� Published at the order of the Spanish Ministry of Labour and Social Affairs, the webpages in question referenced two notices announcing that a real estate property he owned was to be put up for sale at auction so that he could pay off his outstanding social security debts. Given that he had since paid off these debts, the Spanish lawyer wanted that information altered or cast into oblivion.

To accomplish his goal, he filed a complaint with the Spanish Data Protection Agency (AEPD) against the newspaper (namely, its website), Google Spain, and Google Inc. arguing that the information of the legal proceedings contained in the newspaper’s publications was no longer relevant. He contended that those items concerned matters that had already been fully resolved and that their ongoing online presence was infringing his right to privacy and harming his reputation. As it turned out, the AEPD dismissed his claim against the newspaper publication, reasoning that the original information therein had been lawfully published, but it granted the action against Google. Unhappy with the AEPD’s decision, Google Inc. and its subsidiary, Google Spain, filed two separate appeals before the National High Court in Spain to have it annulled.

The Spanish court, in turn, referred a specific set of applicability questions concerning this matter to the CJEU. And, as we now know, the top European court ultimately ruled in favor of the Spanish lawyer. Accordingly, the Luxembourg-based CJEU held that, under existing European data protection laws, Google had to remove links to webpages referring to his outdated and no longer relevant bankruptcy record. The newspaper, however, could leave information about the auction on its website (under European data protection law, news websites, considered as part of the media, enjoy various protections and exemptions). The court’s ruling also made it clear that Internet search engines such as Google function as “data controllers,” and, as such, they must take responsibility for the links they make accessible online.

In brief, the CJEU concluded that, as a rule, an EU citizen’s right to privacy outweighs Google’s economic interest as well as the “interest of internet users” to access old and irrelevant information.

Parallel movement

In ironic parallel to the right to be forgotten movement, thousands of people, also in Spanish jurisdiction, are fighting to “remember” the truths of their country’s uncomfortable past. They are seeking to overturn an amnesty law that pardons crimes – including mass killings, disappearances, torture, and arbitrary detentions – committed during the 36-year dictatorship of General Francisco Franco. Stories about some of the victims of those crimes are featured in the award-winning documentary "The Silence of Others,"��which was screened at the 2018 Hot Docs International Documentary Film Festival.�� To read more about the documentary and an interview with the film's directors, click .

To offer some historical context: in 1977, Spain passed the controversial amnesty law, which formalized an unwritten “pacto del olvido” (“pact of forgetting”). This was reached by the nation's left and right parties following Franco's death, to ease transition into democracy. In line with that pact, Spain’s political leaders effectively agreed to leave memories of those crimes in the distant past.

It is not known whether Google has received takedown requests from anyone accused of having committed crimes in Spain during the Franco era. Google did not respond to several queries about this matter.

Traditionally in Europe, the protection of privacy has been emphasized over that of freedom of speech. In the United States, by contrast, regulators have strongly favored the protection of freedom of speech.

As for implications, the right-to-be-forgotten ruling has implications beyond Spain. Indeed, it has global reach.

Now in Canada

In Canada, the right to be forgotten has attracted similar attention and controversy. Unlike the US originalist constitutional framework, Section 1 of the Canadian Charter of Rights and Freedoms already anticipates that in certain circumstances it will be reasonably necessary to limit the rights and freedoms guaranteed by the Charter. Thus, the recognition of a new right, like the right to be forgotten, which may abridge the constitutionally guaranteed right to free expression, is not very far-fetched in Canada.

Indeed, in January 2018, the Office of the Privacy Commissioner of Canada (OPC) released its draft position paper on online reputation, suggesting that current federal privacy legislation already provides an avenue for the adoption of a similar law in Canada. The Personal Information Protection and Electronic Documents Act (PIPEDA), according to the OPC’s position paper, provides a right to de-index search results and a similar right to source takedown.

Privacy Commissioner Daniel Therrien voiced his support for his office’s position at a recent symposium on the right to be forgotten called, “” in Toronto.��The event was sponsored by Google and organized by the Canadian Journalism Foundation (CJF) and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC). An audio recording of the symposium can be accessed and .

(Photo of Daniel Therrien © Canadian Journalism Foundation)

Therrien's basis for this position is a belief that the Internet has fundamentally changed the ways in which we interact with and process information.�� In particular, information about others is easier to find, easily taken out of context and easily reproduced. At the same time, serious consequences emerge from privacy violations that pose a threat to a person’s reputation. Indeed, Therrien expressed concerns for the potentially detrimental consequences that reputational damage can have in terms of employment and housing, as well as personal and professional relationships.

Enter the elephant in the room

Peter Fleischer, Google’s global privacy lawyer, also speaking at the Toronto symposium, introduced the elephant in the room. Fleischer did not hide his disdain with the right to be forgotten decision.

Fleischer argued that the right to be forgotten is not only incompatible with the right to freedom of expression but is a total breach to this right. Freedom of expression is considered one of the cornerstone features of any modern democratic society. Indeed, freedom of expression is widely held as a means of furthering three core values: (1) acquiring the truth; (2) fostering individual autonomy and self-determination; and (3) strengthening democratic self-governance. It is on these fundamentals that Peter Fleischer rests his case against the recognition of the right to be forgotten.

Constitutional arguments aside, one of the most interesting pieces of information that came out of this symposium was finally getting a window into how the right to be forgotten is implemented, something�� the general public had limited information on up until this point. As the European mandate currently stands, it is search engine operators themselves who are tasked with creating a governance framework for the right to be forgotten. So, while many may have expected, or at least hoped, that it would be the courts or some other privacy-related administrative body that would be tasked with making decisions regarding what content would be de-indexed at the request of an individual, this is not the case.

Indeed, Fleischer explains the responsibility for overseeing the administration of the right falls exclusively on the shoulders of the search engines.

An individual seeking to exercise their right to be forgotten must complete an online web form, after which the form will go to a team at Google specifically established to deal with this matter. The team of legal professionals at Google are essentially tasked with weighing the competing interests implicated in each case. Fleischer explains this is no easy task as the nature of the balancing exercise makes automation highly unlikely. While some cases can be assigned an easy “yes” or “no”, others fall into a grey zone where the answer is not immediately apparent. For such ambiguous cases, Google has an internal process that allows for escalation to more senior professionals who will make the final decision.

(Photo of Olivia Mackenzie and Peter Fleischer © Canadian Journalism Foundation)

Food for thought

Over the next coming months, it is expected that, with the support of Daniel Therrien, we will see considerable movement towards a Canadian version of the right to be forgotten. At the same time, we should ask ourselves whether the search engines themselves are in the best position to oversee implementation. Besides the obvious self-interest concern, this task is also very resource intensive. According to Fleischer, there have been 650, 000 requests pertaining to 2.5 million URLs across the EU to date. So, by outsourcing oversight, do we risk putting smaller search engines with fewer resources out of business? This is one of many questions to consider during this time in limbo.

Roxana Olivera is a Journalist in Residence at Osgoode Hall Law School. Olivia Mackenzie is a JD Candidate at Osgoode Hall Law School.��The authors would like to thank Osgoode students��Natasha Jerome, Ankita Nayar and Carolyn Young for their assistance.

The post The Right to Be Forgotten and the Canadian Landscape appeared first on IPOsgoode.

Karima is also a and the former general counsel and chief legal officer for Research In Motion (now BlackBerry); she was involved in overseeing the development of the company's valuable IP portfolio (with over 44,000 patents) as well as managing its IP litigation.

Karima Bawa

Q1 Do you believe that it is important to have more women involved in the IP system?

There is a growing body of which suggests that increased diversity in the workforce can result in stronger performance. I believe this holds true for the IP system as well. I think women can bring a different perspective to evaluating ideas and can help better support women inventors, particularly those that are designing products that are targeted to women. I think female representation needs to be stronger in all of the different areas that contribute to IP - everything from coming up with the ideas and their expression, to protecting the ideas and their expression (through filing and enforcing IP), to leveraging IP in a commercial context.

Q2 Have you noticed a gender gap in your industry? Is the situation changing?

My own experiences as well as studies in the area point to a gender gap in the IP legal sector.��There are fewer women who are patent agents, patent attorneys and IP litigators (likely because many of them do not have the technical background that is either a real or perceived prerequisite to practicing in these areas of law).��For example, while there are no formal education requirements to become a patent agent in Canada obtaining a position as a patent agent trainee is almost impossible without having a science or engineering degree and because there are still fewer women who are pursuing fields like mathematics or physics or engineering there is an even smaller funnel for the number of women who can become patent agents.��However, the landscape is slowly changing as more women pursue a STEM education and explore fields like biotech and clean tech. Also, women are increasingly becoming experts in other areas of IP law like copyright, trade marks, data privacy and protection (which are increasingly being recognized as valuable).

Q3 Do you think it is more difficult for female innovators and entrepreneurs to secure funding (and, therefore, be able to afford IP costs)?

Recent suggests that the percentage of female founded companies that are venture-backed has not increased since 2012. These studies suggest that it is more challenging for women to secure funding from VCs because they are still predominantly represented by men who tend to pick which businesses they back largely based on “who’s running the ship.”�� Also, according to these studies, because men don’t use the products that many women innovators come up with and they don’t understand the need for these products or have a passion for them. I would agree with these observations, but I would also add from that from my personal experience, it is more challenging for women to secure funding because, it is often more difficult for them to ask for help and women don’t typically have the same extensive network as men do in the financial and VC space.

Q4 Are there unique challenges that female inventors and entrepreneurs face?

In my opinion, one of the most significant challenges for female inventors and entrepreneurs, is the lack of female mentors who hold leadership positions.�� For example, in the IP legal sector, there are still fewer women in leadership positions and therefore young women don’t have leaders and mentors that they can turn to who can support them through issues like maternity leave or how to balance work life and family life.�� Also, there is still an unconscious bias on a number of levels. For example, in a law firm, it is quite often a male partner that owns the client relationship and he may unconsciously disproportionately provide opportunities for his male colleagues with whom he may feel a closer connection. In addition, as alluded to above, women tend not to have the same influential networks that they can call upon.�� Also, a very real challenge which exists for women in all sectors is the fact that women are still the primary care givers in most family situations, and as such they simply can’t dedicate the same amount of time and energy for their professional endeavors because there are only so many hours in the day. As such, we need to have meaningful discussions about the structure of modern-day work, especially in time-intensive professions such as law, and what can be done about helping women who want to have a career and raise a family and actually be successful in both domains.

Q5 How can the innovation and IP ecosystem become more inclusive for under-represented groups, such as female entrepreneurs?

The innovation and IP ecosystem can become more inclusive for women by, as a starting point, encouraging women’s interest and engagement in technical fields (for example STEM). Also, women who are in leadership positions have to take it upon themselves to mentor other young women and to encourage flexible working arrangements and the adoption of programs that support issues tending to affect women like transitions to and from maternity leave.

Men too can play a very powerful role in bringing women along. I for example, had the benefit of working with men who supported my desire to have a family and be actively involved in raising a child because they understood that I needed to be able to have flexibility to remain committed to and passionate about what I was doing in the workplace.

Q6 What type of assistance will benefit female entrepreneurs?

I believe that women should be encouraged to network and that workplaces should find ways to facilitate this recognizing that traditional networking opportunities are sometimes more limited for women who are often already struggling to manage their familial commitments alongside their professional commitments. Also, women should be encouraged (through coaching if needed) to feel comfortable talking about themselves and their achievements and get over the fact that doing so is not boastful (if done appropriately).�� VCs need to have more female representation so that women entrepreneurs and their products aren’t as easily dismissed. And finally, it is important to implement working arrangements that are flexible and that recognize that many women have competing demands, like raising their children or supporting their aging parents, that many men simply don’t.

The post #WorldIPDay Spotlight on Karima Bawa: Securing and Tracking the Exchange of Data Files with 3D Bridge Solutions appeared first on IPOsgoode.

Companies like Facebook, Google (Alphabet), Amazon, and Uber have long presented themselves as creative pioneers who collect and analyze massive amounts of user data to improve the human condition. Savvy marketing and personal acts of altruism have combined to create a calculated image of these companies as rebels and outsiders, doing no evil, working to leverage data analytics to disrupt tired and unimaginative incumbents in order to connect and empower the world. The tech community’s first major crisis occurred via the unbridled economic hype and enthusiasm presaging the , and current big tech companies may be similarly humbled by ongoing pricks to the veneer covering the structural deficiencies of their data-driven business practices. Recently, French President Emmanuel Macron has about the need to “dismantle […] these big giants” as a competition issue, and, here in Canada, there is a growing call for a that prioritizes domestic interests.

Facebook’s current time in the spotlight is just the most recent instance of big tech’s proclivity for moving fast and, unintentionally, breaking the wrong things. Zuckerberg may have inadvertently said as much himself in the immediate wake of the Cambridge Analytica revelations. In an interview with the New York Times, he , “If you had asked me, when I got started with Facebook, if one of the central things I’d need to work on now is preventing governments from interfering in each other’s elections, there’s no way I thought that’s what I’d be doing, if we talked in 2004 in my dorm room.”

Such a revelation may be an instructive lesson for a fresh-faced undergraduate student thinking through the implications of disruptive technologies for the first time. However, they are worrisome when the head of a global technology behemoth who has run the company for over a decade and has utters them.

But they’re not terribly shocking. Since the early 1990s, lawmakers and technologists have advanced the idea of increased connectivity through information and communication technologies (ICTs) as, what then-Secretary of State Hillary Clinton would call them some 20 years later, the . In with the New York Times, Zuckerberg echoed a similar sentiment to defend Facebook’s revenue model: “The thing about the ad model that is really important that aligns with our mission is that — our mission is to build a community for everyone in the world and to bring the world closer together. And a really important part of that is making a service that people can afford. […]Therefore, having it be free and have a business model that is ad-supported ends up being really important and aligned.” However, a from Facebook Vice President Andrew Bosworth that seemingly downplays “the ugly” side of Facebook’s activities effectively punctures this grandiose narrative. Today’s big tech firms have come of light-touch regulation from lawmakers and responded by giving normative and ethical concerns a back seat to connectivity and disruption.

More recently, though, legislators on both sides of the Atlantic have begun to rethink this arrangement. In the European Union (EU), next month’s enforcement date for the new will introduce heavy fines for companies that do not comply with harmonized data privacy regulations. And at a into Russian online disinformation activities during the 2016 Presidential election campaign, Senator Dianne Feinstein from Facebook, Twitter, and Google that “You created these platforms, and now they’re being misused. And you have to be the ones who do something about it—or we will.” Depending on the outcome of Zuckerberg’s appearances this week, the US Congress may begin to make good on Sen. Feinstein’s threat.

Regulating or, in the words of Macron, dismantling big tech will be no easy task. These companies have amassed large stores of data about our innermost feelings and have developed technologies that . These companies have also entranced governments with the promise of jobs and economic prosperity . It is imperative that any attempts to harness big tech for the public good are not done in a knee-jerk or . The challenges these companies and new emerging technologies pose require long-term and strategic thinking around the social, economic, ethical, and democratic impacts of our increasingly data-driven society.

Joseph F. Turcotte is a Senior Editor with the IPilogue and the����Coordinator. He��holds a PhD from the Joint Graduate Program in Communication & Culture (Politics & Policy) at �첥��Ƶ and Ryerson University (Toronto, Canada).

The post Breaking Up With Big Tech? appeared first on IPOsgoode.

Introduction

By means of an innovative and modern directive (Directive 95/46/EC – the “Data Protection Directive”), in 1995, the European Community adopted its first data protection legislation aimed at providing common legal principles (to be implemented by European Union (“EU”) Member States by means of national legislation) to protect personal data and to align the bases of Member States’ provisions in respect to privacy and data protection.

However, the Data Protection Directive was adopted when the Internet was not widely used. The Internet technology has advanced in recent years and has posed new challenges to the protection of individuals’ data. The accelerating take-up of social networking, user-generated content platforms, mobile apps, cloud computing, location-based services, the “Internet of Things” (i.e. the ability of everyday objects to connect to the Internet and to send and receive data, e.g. wearables devices, home automation, etc.) and the growing globalization of data flows have significantly increased the risk for individuals to lose control on their own personal data.

Further, one of the main recurrent complaints about the Data Protection Directive is the lack of actual harmonization, which led to a certain fragmentation in the way personal data protection has been implemented across EU Member States. This resulted in additional costs and administrative burdens for operators as well as widespread uncertainty. This is particularly true for data controllers established in several Member States, who should comply with the requirements and practices in each of the countries where they are established. Guidance provided by the Article 29 Data Protection Working Party, an independent advisory body to the EU Commission set up under Article 29 of the Data Protection Directive (the “Working Party 29”), on several data protection issues certainly contributed to harmonization of data protection principles at EU level, although the Working Party 29’s opinions are not binding.

A uniform and coherent application of the data protection rules among the European countries is fundamental, in light of the proposed creation of the .

Seventeen years after, on January 25, 2012, the EU Commission proposed a new uniform legislation on privacy and data protection in Europe, by means of a General Data Protection Regulation (the “Regulation”) which, once adopted, would be directly applicable in all Member States without the need for national legislation. The Regulation comes together with a proposed directive 5833/12 on the processing of personal data with the purpose to prevent, investigate or prosecute crimes or to adopt criminal sanctions, intended to replace the 2008 Data Protection Framework Decision (see Article 29 Data Protection Working Party’s no. 1/2013, of February 26, 2013, providing further input into the discussions on the draft Police and Criminal Justice Data Protection Directive).

Henceforth, the European legislators have been discussing on the new proposals and on March 12, 2014 the European Parliament adopted its on the Regulation, proposing amendments aimed at enhancing the guarantees on data protection, in respect to the text approved by the EU Commission.

On June 11, 2015, the EU Council (the “Council”) approved its and the discussion among the three organisms (the so-called ‘trilogue’) has officially , with the purpose to reach an agreement and to finalize the approval of the Regulation and the attached directive before the end of 2015.

This article focuses on some of the most groundbreaking provisions of the proposed Regulation which are expected to be a major concerns for in-house counsel, in particular those advising businesses with multi-jurisdictional operations. The Regulation also introduces new provisions that, amongst others, would: (i) make international data transfers easier; (ii) decrease the requirements and the costs of dealing with more than one Privacy Authority with differing rules (so-called “one-stop shop”); (iii) implement specific provisions on the so-called “right to be forgotten,” as interpreted by the European Court of Justice in the Google Spain case (European Court of Justice, decision of May 13, 2014, case C-131/12); (iv) provide for more effective sanctions and penalties to data controllers and data processors.

Territorial Scope of the Regulation

One of the major changes to be brought by the Regulation concerns the territorial scope of the EU data protection laws.

Today, Article 4 of the Data Protection Directive contains the rules governing its territorial scope and jurisdictional reach. According to this provision, the EU rules apply to personal data processing:

• where the processing is carried out in the context of the activities of an “establishment” of the data controller in the territory of the Member State. If the same controller is established in more than one Member State (e.g., by means of subsidiaries), the controller must take the necessary steps to ensure that each of these establishments complies with the obligations laid out by the applicable national law. Security measures depend on the location of a possible processor, as provided in Article 17, paragraph 3 of the Directive; and
• where a controller not established in the EU, for purposes of processing personal data, makes use of “equipment,” automated or otherwise, located on the territory of that Member State, unless such equipment is used only for purposes of transit through the territory of the EU.

Article 3, paragraph 1, of the Regulation, as recently amended by the Council based on the Parliament’s position, would still keep the “establishment criterion” mentioned above for the applicability of its provisions to controllers or processors established in the European Union. In addition to that, however, the Regulation would expand the “use of equipment” criterion currently provided by the European data protection law by making data controllers established outside the EU, but “targeting” EU residents, subject to EU data protection obligations.

Indeed, the Regulation would be applicable whether the processing of personal data concerns:

• the offer of goods or the provision of services to residents in the EU, even where no payment is required (e.g. “free” services, where individuals in fact pay for the service by providing their personal data);
• the monitoring of data subjects’ behavior within the EU. In order to determine whether a processing activity can be considered to ‘monitor the behavior’ of data subjects, it should be ascertained whether individuals are tracked on the Internet with data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes (see Recital 21 of the Regulation, in the text approved by the Council on June 11, 2015).

Because of its potential broad reach, the new criterion poses challenges for businesses directing their activity to the EU and also gives rise to questions on how the Regulation’s requirements can be readily enforced outside the EU.

It is worth mentioning that the Council uses different wording from the position adopted by the Parliament: in fact, the latter proposed that controllers, and even processors not residing in the EU, would be subject to the provisions of the Regulation. In its regarding the proposed regulation, the Working Party 29 stressed the fact that the Regulation should also cover non-EU processors, in order to provide for a legal liability for these subjects.

Automated Data Processing and Profiling

Generally speaking, “profiling” enables an individual personality or aspects of his or her personality – especially behavior, interests and habits – to be determined, analyzed and predicted. “Profiling” of individuals is increasingly used by companies to offer personalized and targeted services (e.g., discounts, special offers and targeted advertisements based on the customer’s profile).

The Data Protection Directive does not contain any specific provision on “profiling”, but it includes a general provision concerning “automated individual decisions” in Article 15, which grants to data subjects the right not to be subject to a decision which “produces legal effects” concerning him or “significantly affects” him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. An automated decision by a bank not to grant credit may fall within the aforementioned provision.
Automated decisions can, however be made in certain cases, notably in the course of entering into or performance of a contract, provided that data subject’s legitimate interests are protected, e.g. by taking arrangements allowing him to express his point of view, or as otherwise provided by the law.

This provision has sometimes been implemented across EU Member States in different ways. It is worth mentioning Italy, where the prohibition to make decisions involving the assessment of a person’s conduct based solely on the automated processing of personal data aimed at defining the data subject’s profile or personality is limited to measures or act taken by judicial or administrative authorities (see article 14 of Legislative Decree of June 30, 2003, no. 196 – the Italian Data Protection Code).

The Regulation builds on Article 15 of the Data Protection Directive and on the Council of Europe’s Recommendation on profiling of November 23, 2010 and it specifically addresses “profiling” of data subjects.

Article 4 of the Regulation defines “profiling” as “any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behavior, location or movements”.

The main provision on profiling is Article 20 of the Regulation (“Automated individual decision making”), which, similar to the Data Protection Directive, grants to the data subject the right not to be subject to a decision based solely on automated processing (like automatic refusal of an online credit application or e-recruiting practices without any human intervention – see Recital 58 of the Regulation), including profiling, which produces legal effects concerning him or her or significantly affects him or her. The Regulations expands the cases in which decision-making based on such processing, including profiling, is allowed, introducing the possibility to carry it out with the data subject’s explicit consent.

Different from the various national provisions adopted in each Member State, profiling would be treated by the new EU rules as a processing alone and, as a consequence, it would require, amongst others, that controllers:

• inform data subjects about the existence of profiling, and the consequences of such profiling;
• obtain a specific and explicit consent for it (unless one of the exceptions provided by the Regulation applies).

This course of action would not be a new one for Italy, where, for example, profiling is traditionally considered as an autonomous processing, which requires a specific consent, separate from the consent for other purposes (such as, marketing purposes). In other European countries, profiling is usually treated as a modality of processing personal data and not as an autonomous processing, therefore it is generally deemed that no specific consent is required for profiling once the controller has obtained consent for marketing purposes.

Conclusion

In conclusion to this brief overview of the most groundbreaking provisions of the proposed Regulation, it is worth reminding that the latter is currently subject to discussions between the Parliament and the Council. Even though it is likely that the proposal will be amendment before the enactment, the general structure would probably remain the same, especially in the parts described above, which represent momentous innovations and will surely ensure effectiveness and confidence in the processing of people’s personal data

The post Compliance with EU Data Protection Regulation appeared first on IPOsgoode.

The latest of international trade deals, the TPP, signed October 5^th, 2015, produced about seven pages of patent provisions that, under Canadian law, leave little impact. The Federal government’s is that Canadian law is already in compliance with these provisions. While this might be true, a more objective analysis of the text could support the argument that the TPP does in fact require some legal reform. However, legal reform would not create new legal obligations, as Canada has already committed to that reform under the newly minted Comprehensive Economic and Trade Agreement ()

Of all the TPP’s patent provisions, three concerning pharmaceutical drug patents are most notable. The first is patent term restoration, which extends patent terms in response to administrative delays. And the third is extended data protection specifically for biologics, a new form of prescription drug.

The first of the TPP’s notable provisions, concerning patent term restoration, can be found in articles and . Both provisions offer patent extensions in response to administrative delays. Article 18.46 grants extensions for patent office delays, and extends pharmaceutical patent terms by a time equal to any “unreasonable” delay in a drug's regulatory approval. Article 18.48 is not currently found in Canadian law, nor under .

The purpose of the provision is to recognize that patent enabled drug monopolies are of little value when drugs cannot be legally sold. This is welcome news for those who believe current patent terms successfully , as lost monopoly time would hinder pharmaceutical development. Also, everyone can appreciate how the provision detaches patent terms from flexible regulatory approval processes, adding certainty to IP investments and assurances against regulatory favouritism. Yet some argue term restoration is a tool for IP owners, used to extend an already sufficient monopoly.

The second notable provision is article , patent linkage. of patent linkage argue that tying marketing approval to previous patents creates space for tactical litigation, which can be used to delay generic competition and, in effect, extend patent terms. Although this was a debated topic during and after TPP negotiations, Canada has already employed for some time, and has also committed to linkage rules similar to the TPP since signing CETA.

The last of the TPP’s notable provisions can be found in articles and , which offer . This type of research is necessary for marketing approval and is an expensive cost of drug development. Supporters of data protection argue these provisions shield drug developers from free-riders, thus incentivizing invention. Though opponents might take issue with adding protecting of information on top of invention.

However, these provisions do not create monopolies on information, the way patents create monopolies on invention. Generic companies are free to rely on the same safety and efficacy data as the patent owners, so long as it is reproduced at their own expense.

The TPP grants a five-year protection on drug efficacy and safety data, and an additional three-year protection on research concerning biologic drugs, so-called large molecule drugs. Biologics are an emerging field of pharmaceuticals, and the extended protection is meant to recognize the often high risk and cost associated with exploratory research.

However, some suggests that a longer term of twelve years would be ideal, even considering this advantage. The TPP's compromise is eight years, which reflects Canada's current .

It is difficult to determine whether the provisions presented in the TPP’s patent chapter will help or harm Canadian interests. This determination will depend in no small part on which perspective the analysis is based. The TPP’s patent provisions are likely not immediately useful for consumers of patented drugs. Patent term restoration, patent linkage, and data protection all serve to strengthen patents.

However, these are welcome provisions from the perspective of drug developers, as they increase the value of existing and new patents. In this sense, perhaps the rules are also good for Canada. For example, biologics were given special protection to encourage investment. Canada’s pharmaceutical research and development sector, one of its largest, would likely benefit from this improvement in market conditions, especially since investment in that sector has recently suffered steady .

Matt Wallace is an IPilogue Editor, JD Candidate at University of New Brunswick, and writes on technology law.

The post Pharmaceuticals Main Attraction in TPP IP Chapter appeared first on IPOsgoode.