Post on 23-Dec-2015


E-LAW… What is the Law?

Electronic Signatures, Clickwrap Terms and Conditions, and Privacy on the Internet

David T. Ullmann
Minden Gross Grafstein & Greenstein LLP

Introduction

This presentation will cover the following topics:

• Electronic signatures
• Canadian legislation related to same
• Creation and Enforceability of Electronic Contracts
• Privacy and legislation
• Current privacy cases

What is a Signature?

What is a signature?
• the essential function of a signature is to link a person with a document

or as the Lords say:

“The essential requirement of signing is the affixing, either by writing by a pen or pencil or by otherwise impressing on the document one’s name or signature so as to personally authenticate the document.”

Lord Evershed English Court of Appeal 1954

What is a Signature?

Why are agreements signed?
• specific legislative or common law requirements
• evidence of assent to the terms and conditions of an agreement
• form of identity that ensures the parties know who they are contracting with

None of these factors change because the contract is now online

What is a Signature?

Barry Sookman summarized the essentials of a signature at common law:
• It authenticates a document
• Can be accomplished through the use of some mechanical means such as a rubber stamp, printing, typewriting, or fax

What is a Signature?

Any mark adopted by a person with an attempt to authenticate the document may constitute a signature.

What is a Signature?

Even a number, such as a PIN number, has been recognized as a signature.

A symbol such as a printed name in the body of a document will not constitute a signature unless it is executed or adopted by a party with the intention to authenticate the document.

What is a Signature?

• Legibility is not a condition precedent.
• The name of the signatory may be placed in the document by a third party, acting under authority from the signatory, unless the signature is one which requires the personal signature of the person.

Therefore, a signature is more than just a written “John Hancock” signed in person by the person bound by the document

Types of Electronic Signatures

How Does this Apply On-Line?

“An electronic signature is a generic, technology neutral term and refers to the universe of all the various methods by which one can “sign” an electronic record.”

Electronic Signatures

Examples of electronic signatures:

• a name typed at the end of an email message

• a PIN number

• a uniquely configured physical device such as a chip intended to be used with card readers

• a password

• a digitized form of manual signature

• biometric identifiers such as a fingerprint, voiceprint, retinal scan, iris scan, etc.

• clicking on an “I Agree” button or check box

• digital signatures using encryption and certification authorities

Secure Electronic Signatures (aka Advanced Electronic Signatures)

Public key encryption (PKI)

Each party has a mathematically-related pair of public and private “keys” for encrypting and decrypting messages.

The sender encrypts a message “fingerprint” using his private key. The recipient then decrypts it using the sender’s public key.

The recipient then sends confirmation using his private key, which the sender decrypts using the recipient’s public key.

It’s supposedly impossible to deduce a private key from its public counterpart.
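The signing step described on this slide, as an added example in Go that is not part of the original presentation: the signer signs a SHA-256 fingerprint of the document with the private key, and anyone holding the matching public key can check that the document is unaltered and came from that key. The contract text, the names Sign, Verify, Demo, alice and mallory, and the choice of RSA-PSS are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the document (the "fingerprint" on the slide) and signs the
// hash with the signer's private key, using RSA-PSS padding.
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the fingerprint from the document as received and checks
// the signature against the signer's public key.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Demo signs a constructed contract and reports three checks: the unaltered
// document, an altered copy, and a check against another person's public key.
func Demo() (genuine, altered, wrongSigner bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048) // hypothetical signer
	if err != nil {
		return
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048) // unrelated key pair
	if err != nil {
		return
	}
	contract := []byte("Buyer agrees to pay $1,000 on delivery.") // constructed sample
	sig, err := Sign(alice, contract)
	if err != nil {
		return
	}
	tampered := []byte("Buyer agrees to pay $9,000 on delivery.")
	genuine = Verify(&alice.PublicKey, contract, sig)
	altered = Verify(&alice.PublicKey, tampered, sig)
	wrongSigner = Verify(&mallory.PublicKey, contract, sig)
	return
}

func main() {
	g, a, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v altered=%v wrongSigner=%v\n", g, a, w)
}
```

Only the first check succeeds: changing a single character of the contract, or checking against a different person's public key, makes verification fail, which is the property that lets such a signature link a person with a document.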

Legislation: Personal Information Protection and Electronic Documents Act (“PIPEDA”)

• Takes opt-in approach.
• Minister is responsible for passing regulations permitting e-signatures.
• 500 ministries will set their own rules and forms

Canadian Legislation

All of the provinces, the federal government and one territory have enacted legislation regarding electronic commerce and contracting.

The provincial and territorial Acts are based largely on the Uniform Electronic Commerce Act which endorses the use and acceptance of electronic contracts

Canadian Legislation

• Law has to adapt to technological realities.
• Consider Public Documents Act, R.S.C. 1985.

“Unless some act relating thereto expressly so provides, no commission or other public document…is required to be on parchment, but, when written or printed wholly or in part on paper, is as valid in all respects as if written or printed on parchment.”

- consider the example of an indenture

Canadian Legislation

Province | Statute | Date Enacted
Alberta | Electronic Transactions Act | April 1, 2003
British Columbia | Electronic Transactions Act | April 19, 2001
Manitoba | Electronic Commerce and Information Act | Royal Assent (partly in force – part on using electronic means under designated laws has yet to be proclaimed).
New Brunswick | Electronic Transactions Act | March 31, 2002
Newfoundland & Labrador | Electronic Commerce Act | December 13, 2001
Nova Scotia | Electronic Commerce Act | November 30, 2000
Ontario | Electronic Commerce Act | October 16, 2000
PEI | Electronic Commerce Act | May 15, 2001
Québec | An Act to establish a legal framework for information technology. | November 1, 2001
Saskatchewan | Electronic Information and Documents Act | November 1, 2000, (amended 2002 c.18)
Yukon | Electronic Commerce Act | March 27, 2001

Ontario’s Electronic Commerce Act

What does it do?
• establish rules by which government bodies and organizations may communicate and transact with the public
• applies generally to legal requirements and transactions governed by Ontario law

Legislation: Electronic Commerce Act

• Works on an opt-out basis.
• Excludes some classes of documents.
• Some statutes require writing, like the Copyright Act
• Evidentiary issues unresolved.
• Non est factum
• Handwritten signatures are also subject to fraud.

“One of the characteristics of an ink-on-paper signature is that the person who relies on it takes the risk that it is not genuine.”

Legislation: Ontario ECA Key Sections

Section 6: requirement that someone provide a document in writing is satisfied where it is:
• accessible so as to be usable for subsequent reference; and
• capable of being retained

Key Sections

Section 5: A legal requirement that a document be in writing is satisfied where the electronic document is “accessible so as to be usable for subsequent reference”.

Section 11: “a legal requirement that a document be signed is satisfied by an electronic signature”.

“electronic signature” means electronic information that a person creates or adopts in order to sign a document that is in, attached to, or associated with the document.

Key Sections

Section 19: “An offer, the acceptance of an offer, or any other matter that is material to the formation or operation of a contract may be expressed,
• by means of electronic information or an electronic document; or
• by an act that is intended to result in electronic communication, such as,
  • touching or clicking on an appropriate icon or other place on, a computer screen, or
  • speaking.”

In other words: electronic contracts are real and will be enforceable.

Other Legislation

• Consumer Protection Act
• Competition Act

Click – Shrink - Browse

Website or license pop-up terms. Just what are you “I agree”ing to?

Shrink-Wrap

What is Shrink Wrap? Acceptable provided terms are reasonable.

Enforceability: Click-Wrap

• Click-Wrap the Web equivalent
• In Rudder v. Microsoft (1999), 2 C.P.R. (4th) 474, the plaintiffs were presented with a Member Agreement upon loading the software from disk onto their computers and again when going online to access the MSN website.

Click-Wrap

Rudder, continued…
• Both presentations of the Member Agreement allowed the terms to be viewed by scrolling through the text and required the user to click on an “I Agree” button before proceeding.
• The Ontario court enforced the choice of law and forum selection clause (requiring that claims be brought in Washington) in the Member Agreement.

Enforceability: Browse Wrap

Do you have to actually click on the license and have it pop up?

This is the concept of Browse Wrap.

Browse Wrap

• In Specht v. Netscape Communications Corp., the software in question could be downloaded from Netscape’s website simply by clicking a button labeled “download”.
• The download page contained an invitation to view the software license and a link to the license that was visible only if the user scrolled to the bottom of the page; users were not required to specifically assent to the agreement (or even read it) before downloading the software.
• Not sufficient evidence of either notice or assent to create a contract that included the terms of the license agreement.
• The Second Circuit Court of Appeals affirmed.
• See also Ticketmaster Corp. vs. Tickets.Com, Inc.

Amendments to Electronic Contracts

• Canadian Case: Kanitz v. Rogers Cable Inc.
• Canadian Court upheld the Browse Wrap and, by inference, the Click Wrap.
• See also Comb et al v. Paypal Inc. in US.

Amendments to Electronic Contracts

Whether onerous terms, including power to amend contract unilaterally and practical effect of arbitration clause is still an issue.

Electronic Signatures and Contracts

Conclusion

• Signatures will move online.
• The law will enforce contracts made online where those contracts aren’t unconscionable and there is true assent.

Questions of authenticity remain unresolved.

Don’t be distracted by evidentiary issues.

Conclusion

Recommend paper backup to anything important.

Remember paper is not always perfect either.

Technology shouldn’t replace human due diligence.

Every commercial enterprise will be subject to the Act in 4 months.

For Now:
• Federally regulated private sector and out of province exchange of personal information
• Health Information

JANUARY 1, 2004 – P-Day
• Commercial use of personal information within individual provinces
• Or provinces will have “substantially similar” Acts.

The Act in Brief

• “Personal Information”
• “Commercial Activity”
• Consent
• Access
• Challenge accuracy
• Safeguards

Ten Privacy Principles

1. Accountability
An organization is responsible for personal information under its control and should designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

2. Identify The Purpose
An organization must identify the purposes for collecting personal information at or before the time the information is collected.

Ten Privacy Principles

3. Obtain Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except when inappropriate.

4. Limit Collection
The collection of personal information should be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Ten Privacy Principles

5. Limit Use, Disclosure, And Retention
Personal information should not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. Personal information shall be retained only as long as necessary for fulfillment of those purposes.

Ten Privacy Principles

6. Be Accurate
Personal information should be as accurate, complete, and up-to-date as is necessary for the purpose for which it is to be used.

7. Use Appropriate Safeguards
Personal information should be protected by security safeguards appropriate to the sensitivity of the information.

Ten Privacy Principles

8. Be Open
An organization should make readily available to individuals specific information about its policies and practices relating to the management of personal information.

9. Give Individuals Access
Upon request, an individual should be informed of the existence, use and disclosure of his or her personal information and shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Ten Privacy Principles

10. Challenging Compliance
An individual should be able to address a challenge concerning compliance with the above principles to the designated individual or individuals for the organization’s compliance.

Exceptions to the consent and access principles

• Specific circumstances - consent
• Mandatory refusal of access - access
• Permissive refusal of access - access

Why Comply?

• Statutory Reasons
• Practical Reasons

Statutory Reasons

• Power of individual - file complaint
  - Federal Court
  - injunction
  - damages
• Statutory watchdog
• Statutory review process

Statutory Reasons: Current Events

176 findings

Examples:
• Automated VISA information
• Employee objects to use of Bank account number on pay statement
• Broadcaster Website
• Bank failed to respond to inquiry
• Airline vacation incident
• Improper collection and use of SIN

Examples of Findings

Finding Number 94 - Individual Objects to Request for Information as Condition of Supply of Service

Summary: Collection of Credit Card information can be reasonable if you are extending credit to the individual (such as renting a car or providing a service like a phone)

Examples of Findings

Finding Number 71 – Collection Use of Electronic Signatures by Courier Company

Summary: A procedure that may be good for marketing and may be requested by some customers can still be in violation of PIPEDA if there is a lack of informed consent at the time the information is collected.

Examples of Findings

Finding Number 56 – Telephone Company Demands Identification From New Subscribers

Summary: Consent is needed even when the use of information appears obvious.

Examples of Findings

Finding Number 48 – Applicant for Services Object to Providing Credit Card or Bank Account Information

Summary: Credit Card information can be requested for the purpose of processing payment

Examples of Findings

Finding Number 46 – Bank Accused of Inappropriately Demanding Birth Dates from Account Applicants

Summary: Limit collection to necessary data only.

Examples of Findings

Finding Number 42 – Air Canada Allows 1% of Aeroplan Members to “Opt Out” of Information Sharing Practices

Summary: Saving money by sending out information to only a small sample of the total number of customers affected by your privacy policy will not be acceptable. People should have to opt in to their information being shared, rather than having to opt out to prevent the sharing of their information.

Practical Consequences

DoubleClick

Scenario:
• Internet based advertising services
• Cookies
• Merged with Abacus Direct Corporation

Plan/Strategy:
• Abacus Alliance.

DoubleClick

Result:
• Unfavorable media coverage
• 3 state and federal investigations and several class-action lawsuits
• Abacus Alliance plan put on hold in March, 2000

RealNetworks

Scenario:
• RealJukeBox
• RealJukeBox software transmitting data to database (i.e. User I.D. and list of songs)
• No consent

Plan/Strategy:
• Monitoring system to help market new CDs

RealNetworks

Result:
• Unfavorable media coverage
• Statement of Chairman and C.E.O.:

“We made a mistake in not being clear enough to our users about what kind of data was being generated and transmitted by the use of RealJukeBox”

• Program cancelled

Practical Consequences

• Toysmart.com
• E-Privacy = E-Commerce
• Border Skirmishes
  • Canada vs. Int’l Community
• Strategic Alliance Inhibitor
• Depresses the Sticker Price

“Privacy compliance is going to be for e-businesses what environmental compliance is for industrial businesses.”

Recommendations

Privacy Policy

• Address the 10 principles and tailor to your organization
  • Not boilerplate and not U.S. based

Privacy Policy

• Identify Purpose
  • Be clear
• Obtain Consent
  • Provide “opt-in” control or at least an “opt-out” option
• Limit Collection
  • Be consistent with identified purpose
• Limit Use, Disclosure and Retention
  • No other use unless consent obtained

Privacy Policy

• Be Accurate
  • Standards; Chief Privacy Officer
• Use Appropriate Safeguards
  • Indicate level of security in place for greater credibility
• Be Open
  • Invite comments from users

Privacy Policy

• Access and Compliance
  • Have mechanism to permit individuals to check and correct their information; Chief Privacy Officer
• Easy to find

Privacy Policy: General Suggestions

• Easy to understand
• Statement re minors
• Statement re sale of information
• Update as necessary

Not just a privacy policy

• Internal Security/Employee Awareness
• Consider Privacy Seals (independent audit)
• Consider external privacy advisory board

Privacy & Terrorism

• Security vs. Privacy

• “Strong public support for security raises the risk of abridging civil liberties.”
National – Dec. 2001

• “I’d rather have a bill with some imperfections than no bill at all.”
Irwin Cotler - MP Liberal Nov. 21, 2001

• “Privacy is not an absolute right.”
Privacy Commissioner Ontario – Ann Cavoukian – Jan. 25, 2002

Anti-Terrorism Act

• Passed in 12 weeks
• Allows Privacy Act over-ride in certain circumstances

Workplace Consequences?

• Background checks on employees
• Surveillance in the workplace

Conclusion

• Privacy past its zenith?
• Provincial laws.