Law and technology

The Law Commission has released its fourth and final report on privacy law. One of its key recommendations is data breach notification, or as the Commission puts it:

… notification should be mandatory in cases where notification will enable people to take steps to mitigate a risk of significant harm, or where the breach is a serious one (for example, because the information is particularly sensitive).

Notification should be made to the individual whose information has been compromised, and also to the Office of the Privacy Commissioner.

This would be a major – and welcome – change from the status quo, which is that agencies (e.g. companies holding personal information) are generally under no legal obligation (unless such obligation is assumed) to report data breaches. Sir Geoffrey Palmer commented on the situation last year:

Another subject on which we are contemplating some changes is data breach notification… Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

(The Law Commission’s issues paper discussing data loss is here). The recommendation comes at the same time as the EU is grappling with imposing a uniform notification regime across member states.

A data breach notification regime, while imposing some compliance cost on organisations, is a necessary thing in today’s world.

Recently I had my own example of when such a regime might have been useful, when my bank informed me that I had “suspicious activity” on my credit card – a large transaction from Portugal. What was curious was that I had only had that card for a few months, and had not used it much at all (and not online at all). The card could have been physically copied somehow, but if one of the few merchants who I had used it with had lost the data via hacking, there is no obligation for them to advise me of the loss – nor any other information that may have been lost with it.

The example of credit cards was specifically mentioned by Law Commissioner Professor John Burrows in announcing the recommendation:

“People have a right to know if their information has been compromised in a serious way”, said Law Commissioner Professor John Burrows. “Then they can take measures to protect themselves (such as cancelling credit cards), or can at least prepare themselves for any consequences of the breach.”

It will be interesting to see how the details of such a regime are eventually formulated.

IPONZ has published a draft explanatory note on the patentability of computer programs based on the Patents Bill (as currently drafted). Fortunately, the good people at IPONZ have not had the same difficulty in understanding the clear exclusion of computer programs that a small number of patent attorneys seem to have had.

They also appear to have sifted through several submissions from patent attorneys that sought to relitigate the Bill itself in amusingly emotive terms, rather than just comment on the guidelines as requested.

IPONZ has provided a clear, concise note. Some extracts:

31. Many of the interested parties who made submissions on the draft guidelines argued that the Commerce Select Committee intended that so-called “embedded” computer programs should remain patentable, with other “non-embedded” computer programs being excluded from patent protection. However, it is clear from the Committee’s report that the Committee rejected the idea of making a distinction between “embedded” and “non-embedded” computer programs in this way.

32. Instead, the Committee decided to recommend a simple exclusion, as this would exclude computer programs from patent protection, but would not prevent the grant of patents for inventions involving “embedded”computer programs. It seems clear from these comments that the Committee did not intend that the mere fact that an invention involves a computer program should be sufficient, in itself, to make an invention unpatentable.

That is exactly right. For whatever reason, some patent attorneys seemed to have great difficulty with that simple proposition, and much of the FUD being put out by those looking to overturn the software patent exclusion focused on the apparent “confusion” surrounding embedded software. The explanatory note succinctly summarises the Committee’s clear recommendation.

33. On this basis, computer programs are not patentable under clause 15(3A), whether or not they are “embedded” programs. However, inventions that involve a computer program (as opposed to inventions which are a computer program) are likely to fall outside the scope of clause 15(3A) and be patentable.

Which is how other patentable inventions, containing non-patentable constituent parts, are treated.

34. … The exclusion cannot be avoided by claiming the program in combination with conventional computing hardware. Such claims are effectively claims to the computer program and allowing them would circumvent the purpose of the exclusion.

35. For example, claims to the computer program when running on a suitable computer, or claims to the program recorded on a carrier such as a disk or memory card would not be allowable. On this basis claims of the form “a computer program product comprising computer program code adapted, when loaded on a computer, to do X” (so-called Beauregard claims) will be rejected.

This is good. There can be a lot of nonsense to try to avoid exclusions. By definition, all software runs on a computer, so a claim that the invention is the program “when running” should hardly be expected to avoid a computer program exclusion.

One thorny issue on the periphery of the software patent debate is business method patents. They are really a separate issue (controversy). The note makes a only few comments on them, including:

41. Where the contribution is assessed as a method or process that falls outside the computer program exclusion, claims to a computer program that would cause a suitable computer to carry out the method may be allowable.

The progress of the Bill remains understandably low priority, and its future is also somewhat uncertain given that a new Minister will take over the Bill from Simon Power. However MPs at last month’s NetHui said that Simon Power had that week advised that the software exclusion would remain (confirming earlier statements).

The Rules Committee of the High Court has released its final draft of new rules on civil discovery. This is the final stage of a long-running process to update the often troublesome rules relating to discovery, in particular electronic discovery. The latest rules are available here (pdf).

Background

For those who are lucky enough not to have been involved in civil litigation, discovery is a legal process that requires each side in the case to “discover” all relevant documents to the other side – the legal equivalent of laying your cards on the table. That doesn’t just mean documents that support your case – parties are also obliged to produce damaging documents. There are only limited grounds for refusing to disclose documents, such as legal privilege, and even then certain steps must be followed.

Unfortunately, discovery has become often a very difficult and time-consuming (and therefore expensive) part of modern commercial litigation. The general rules of discovery were laid down in the nineteenth century, when most documents could only be produced by hand or at significant cost. It was also a lot more obvious what a “document” was back then – usually ink on paper.

In recent years there has been an explosion in the amount, and type, of documents in business. The most obvious are computer documents (Word docs, spreadsheets, etc) and email. Most significant businesses are now heavily reliant on electronic communications. Documents still include paper files, faxes, and accounts, but also include modern documents such as databases, text messages, and even tweets, and huge amounts of documents can be created during the course of an ordinary day. As a result, parties to litigation are often required to handle huge volumes of documents. In large litigations I am involved in, it is common to have tens of thousands of emails and other electronic documents in play.

Reform

The discovery reform aims to modernise the rules to improve the discovery process for the benefit of litigants, and better reflect the modern realities of business and society. I have submitted on the first draft rules, and note a few highlights and changes in the proposed final draft:

• Parties must co-operate on discovery (oh, were it always that way!) and ensure “technology is used efficiently and effectively”. (8.2)
• Parties “must take all reasonable steps to preserve [relevant documents]”, including ensuring that “documents in electronic form which are potentially discoverable [be] preserved in readily retreivable form even if they would otherwise be deleted in the ordinary course of business” (8.3). This is a significant and powerful rule that imposes an express duty to preserve electronic records (see below for more details). When a dispute arises, it may be a prudent strategy to put the other party on express notice of this duty.
• The rules introduce two types of discovery – standard and tailored (8.6). Thankfully, the proposed threshhold of 200 documents for tailored discovery (previously called non-standard discovery) has been dropped. Even small commercial litigations tend to have far more than 200 documents these days!
• Parties must undertake a “reasonable search” for electronic documents, which includes some room for negotiation over whether it is or isn’t unduly costly to do so in certain cases (8.14).
• Original native files (that are discoverable) are to be provided on request (8.27(4)). While I had proposed clearer language here, the rule is still to that effect.
• Documents are to be exchanged by way of PDF where possible (sched 9, clause 1).
• The proposed requirement of chronological ordering is not mandatory – a different order may be applied if more convenient (sched 9, clause 2).
• Exchanged documents should be DRM free (well, it’s not quite as explicit as I had proposed but it’s a start) (sched 9, clause 6.8).

Duty to preserve documents

The most notable change for non-lawyers is the duty to preserve evidence, in particular electronic records. Unlike in the US, there is no tort of “spoilation of evidence” in New Zealand. There can still be serious consequences for destroying evidence, but the threshhold is unclear and there has not generally been a positive duty to preserve documents for the purposes of potential litigation.

The proposed rule 8.3 will change that. It requires a person who knows that a document is “reasonably likely” to be relevant to a legal dispute (whether or not any dispute has arisen) to take “all reasonable steps to preserve that document”. The term “knows” here is likely to be taken as meaning “ought reasonably to know”.

In particular, the rule will require that potentially relevant electronic documents “must be preserved in readily retrievable form even if they would otherwise be deleted in the ordinary course of business”.

The most obvious type of document here is email. Many businesses let their users fully manage their own emails. If a user deletes an email from their inbox, it may be impossible to recover. This new rule will require prudent businesses to ensure there are proper processes in place for retaining important emails. Under the new Limitation Act, it may be necessary to ensure retention of some records for up to 15 years, which is the duration of the new law’s “longstop” limitation period.

The proposed rules do not set out a penalty for failing to preserve documents, but a Court may make adverse findings, or even impose more serious sanctions such as contempt of court, against a party who fails to preserve documents.

While it is far from Sarbanes-Oxley, this change is welcome and good for the interests of justice.

The rules are expected to be implemented by early 2012.

The Government has confirmed that online peer-to-peer will be made possible in New Zealand as part of the long-awaited overhaul of securities laws. A recently released Cabinet paper says:

Peer-to-peer lenders are effectively precluded from operating in New Zealand given the regulatory regime. Licensing is intended to introduce a regulatory regime proportionate to the risks that they pose. The licensing criteria will look at the character and background of the key individuals involved, and also a limited assessment of organisational processes.

This is welcome news for what could be a niche fledgling market in New Zealand. However, as tends to be the nature with securities law, the devil may lie in the yet-to-be-determined detail.

Submissions on the Copyright (Infringing File Sharing) Regulations are due this week (27 May 2011). The key part of my submission as follows:

Response to Question 4: (“Should the suggested requirements be included in regulations? Should there be any other information requirements and why?”)

One of the most critical issues in determining whether IP infringement has occurred is proving the complainant’s rights to the IP in question. The suggested requirements do not adequately address this critical issue.

Sections 122D(2)(a) and 122E(2)(a) simply require a notice to “identify the rights owner”. Paragraph 13(e) simply proposes that a notice include “name of copyright work and name of owner of that work”. This is inadequate. Because there is no “register of copyright works”, and because of complex international IP rights management, it is generally impossible for an account holder or IPAP to confirm whether a complainant is in fact the rights owner of the relevant work.

For the complaint to have a desirable level of integrity, the complainant should be required to provide more than a mere “identification” or “description” of the work allegedly infringed. The complainant should be required to provide an affidavit confirming they are the owner of the identified work, or the duly authorised agent of the owner of the work, at the date of the alleged infringment.

This is a simple requirement, and would allow the IPAP, the account holder, and (if necessary) the Tribunal to proceed on the basis that the ostensible rights owner does in fact own (or have the necessary rights in) the work at the centre of the alleged infringing activity (in the absence of evidence to the contrary).

I therefore propose amending paragraph 13(h) of the Discussion Document requirements to read:

h. an affidavit from the rights owner that they are the owner of that work, or the duly authorised agent of the owner of the work, at the date of the alleged infringment, and to the best of their knowledge, the information provided to the IPAP is true and correct.

The row in Britain over the naming of footballer Ryan Giggs online (and subsequently in Parliament),  in contravention of a “super-injunction”, raises the same issues as New Zealand has experienced recently: can injunctions and other forms of name suppression work in the age of social networking?

British PM David Cameron appears to have accepted the reality of the situation:

“It’s not fair on the newspapers if all the social media can report this and the newspapers can’t,” he said. “So the law and the practice has got to catch up with how people consume media today.”

This is a strong indication that the UK will change its law (or least its policy) on injunctions. In New Zealand, the Government and officials have not yet grasped the nettle. In 2009, the New Zealand Law Commission published a detailed report on name suppression in this country. It noted:

Where information as to the identity of someone appearing before a court is already in the public domain, it will not generally be appropriate to grant name suppression. The law will not undertake an exercise in futility, which would bring its own authority and processes into disrepute. [3.65]

However, the Commission did not really address the issue of internet publication. As I wrote at the time:

Yet in many recent cases involving name suppression, that is precisely what has occurred. Twitter, Facebook and other local and international web sites are routinely used to blithely report (or more often, speculate on) the identity of the individual… There is every reason to think this phenomenon will become more and more common… If the law is not to permit exercises in futility, this issue may need to be revisited again before long.

There can be very good reasons for name suppression and other forms of injunctions. But it is not a question of right or wrong anymore. The fact is that such orders can (and therefore will) be made a mockery of, with relative impunity online. An English judge’s issuing of an injunction against Twitter users, and Ryan Gigg’s now-futile attempt to sue anonymous Twitter users, seem distinctly King Canute-esque.

The Government is set to update the Companies Act 1993 to allow the use of electronic communications for certain formal notices and procedures.

Currently, the law permits shareholder meetings to be held via the following methods (Schedule 1, section 3 of the Companies Act 1993):

(a) by a number of shareholders, who constitute a quorum, being assembled together at the place, date, and time appointed for the meeting; or

(b) subject to the constitution of the company, by means of audio, or audio and visual, communication by which all shareholders participating and constituting a quorum, can simultaneously hear each other throughout the meeting.

There is no formal provision for electronic communication (although certain electronic means do meet the existing requirements). The Regulatory Reform Bill, which received its first reading recently, will improve that by allowing meetings by shareholders to be held by:

(a) being assembled together at the time and place appointed for the meeting; or

(b) participating in the meeting by means of audio, audio and visual, or electronic communication; or

(c) by [sic] a combination of both of the methods described in paragraphs (a) and (b).

Currently, notices to individual shareholders may be sent via the following means:

(a) delivered to that person; or

(b) posted to that person’s address or delivered to a box at a document exchange which that person is using at the time; or

(c) sent by facsimile machine to a telephone number used by that person for the transmission of documents by facsimile.

Again, there is no express provision for modern electronic communication such as email. It is reasonably arguable (and in practice does happen) that delivery by email falls under (a), however companies (especially those with large shareholder bases) may be reluctant to take such chances.

The option to receive notices electronically is not so much for the company’s benefit, but for the shareholders’. Accordingly, the new law does not force shareholders to accept electronic communications, but gives them the option (binding on the company):

(3A) … a shareholder or creditor may notify the company—

(a) that the shareholder or creditor wishes to receive the document by electronic means; and

(b) of the electronic address to which the document is to be delivered.

(3B) Notification in accordance with subsection (3A) may be made in respect of a particular document or documents, or in respect of all documents to be served.

(3C) The company must comply with a notification made under subsection (3A).

Note that the company must comply with the shareholder’s specified mode of electronic communication. The new law does not limit what the modes are, so in theory a shareholder could request to be sent documents via Facebook or Twitter.

This is a sensible reform, as many modern business people are far more likely to have ready access to their electronic communications, than to a document posted to a physical address.

The Electronic Transactions Act 2002 will apply to any questions over the time of dispatch and receipt.

Law firm Chapman Tripp has published an article criticising the Government’s decision to exclude software from patentability. While the article makes some valid points, it does not deal with some points fairly.

The article claims:

The [software patent] exclusion was the product of intense and successful lobbying by members of the “free and open source” software movement… In its April 2010 report to Parliament on the Patents Bill, the Commerce Select Committee acknowledged that the free software movement had convinced it that computer programs should be excluded from patentability.

I’m sure this assertion of mighty lobbying power (the ability to sway an all-party, unanimous recommendation no less) would be flattering to any professional lobbyist, let alone FOSS supporters – if only it were true (it is not evidenced in the Commerce Committee report). A range of entities made submissions against software patents, including the statutorily independent University of Otago, InternetNZ, a number of small businesses (and my independent self, I modestly add). There were also submissions the other way, though interestingly the most submissions in favour of retaining software patents were from patent attorney law firms. It is also notable that other organisations including NZICT, which is a strong supporter of software patents and engaged in heavy after-the-event lobbying, did not make any submissions on the issue.

The article adds the comment:

The Committee said that “software patents can stifle innovation and competition, and can be granted for trivial or existing techniques”. The Committee provided no analysis or data to support that proposition.

The fact that a Committee “provided no analysis or data” to support its recommendations is hardly noteworthy – that is not it’s job. Submitters provide analysis and data to the Committee, not the other way around. The material in support of the proposition is in the submissions.

The article sets up an unfair straw-man argument:

Free software proponents reckon that software should be free and, as a result, they generally oppose intellectual property rights. They say that IP rights lock away creativity and technology behind pay-walls which smother innovation. Most authors, inventors and entrepreneurs take the opposite view.

I don’t claim to know what “free software proponents’” views on all manner of IP rights are, but when it comes to software patents in New Zealand, the evidence strongly suggests that the “authors, inventors and entrepreneurs” of software (FOSS or not) are opposed to software patents (see my posts here and here). This includes major companies, including NZ’s biggest software exporter Orion Health (see Orion Health backs moves to block patents).

While the New Zealand Computer Society poll showing 81% member support for the exclusion is not scientific, it is at least indicative. In any case, opponents of the new law (mainly law firms) have consistently asserted a high level of opposition to the exclusion without any evidence to support that view.

The article leads to the warning:

If New Zealand enacted an outright ban on computer-implemented inventions we would be breaking international law. … Article 27(1) of TRIPs says that WTO members must make patents available for inventions “without discrimination as to… the field of technology…”.

The authors rightly point out that breaching TRIPs could result in legal action against the Government by another country. However, that conclusion is premised on the basis that software is an “invention”. A number of processes and outcomes are not recognised as inventions for the purpose of patent law in different countries, including mathematical algorithms and business methods. The question of whether software is (or should be) an invention was commented on by a Comptroller-General of the UK Patent Office:

Some have argued that the TRIPS agreement requires us to grant patents for software because it says “patents shall be available for any inventions … in all fields of technology, provided they are…..capable of industrial application”. However, it depends on how you interpret these words.

Is a piece of pure software an invention? European law says it isn’t.

The New Zealand Bill does not say that a computer program is an invention that is not patentable. It says, quite differently, that a computer program is “not a patentable invention”, along with human beings, surgical methods, etc.

Article 27 has reportedly rarely been tested (twice in 17 years), and never in relation to software. The risk of possibly receiving a complaint under a provision (untested) of a multilateral agreement is not new. The New Zealand Law Society notes this in its submission on the Patents Bill (which does not address software patents):

The proposal to exclude plant varieties under [the new Act] is because New Zealand has been in technical breach of the 1978 Union for the Protection of New Varieties of Plants (UPOV) treaty since it acceded to it in November 1981.

What’s 30 years of technical breach between friends? Therefore, in fairness I would add a “third way” of dealing with the software patent exclusion: leave it as it is, and see how it goes (which is, after all, what the local industry appears to want). As I wrote last year, “Pressure to conform with international norms (if one emerges) and trading partner requirements may force a change down the track, but the New Zealand decision was born of widely supported policy …”

If the ban on software patents as it currently stands does not make it into law (which is a possibility, despite clear statements from the Minister of Commerce that it will), it won’t be the end of the world. In fact, it will be the status quo. There are pro’s and con’s to software patents, and the authors are quite right that New Zealand will be going out on a limb by excluding them. The law can be changed again if need be. In the meantime, I refer again (unashamed self-cite) to my article covering the other, and much more popular, ways of protecting and commercialising software.

The Minister of Justice, Simon Power, has announced a review into the “wild west” of the internet:

It’s a bit of a Wild West out there in cyberspace at the moment, because bloggers and online publishers are not subject to any form of regulation or professional or ethical standards.

The idea of some sort of a review of how our laws “intersect” with the internet has been kicking around for a while now, but the above statement by the Minister sets a rather draconian and disconcerting tone for the review. Regulation of bloggers? Bloggers and ethics?! As for the suggestion (via the term “Wild West”) that law doesn’t apply to the internet, well that is simply incorrect.

Fortunately, the Minister curbs his enthusiasm by saying that due to the “enormous scope of this whole issue”, the review will focus on:

• How to define ‘news media’ for the purposes of the law.
• Whether and to what extent the jurisdiction of the Broadcasting Standards Authority and/or the Press Council should be extended to cover currently unregulated news media, and if so what legislative changes would be required to achieve this.
• Whether existing criminal and civil remedies for wrongs such as defamation, harassment, breach of confidence, and privacy are effective in the new media environment, and if not whether alternative remedies are available.

Of these, it is really only the third issue that is likely to have any substance. The first two points may address relatively small issues (such as extending BSA jurisdiction to online transmission of broadcast content). Beyond that, it will show how difficult – and, hopefully, undesirable – it is to “regulate” the internet much beyond where it is now. There is no prospect of any “regulation” of bloggers beyond existing laws, or of subjecting private comment to professional bodies such as the Press Council (which is not even a statutory organisation, and has no official powers).

The third issue will be where the most interest lies. There is no question that criminal and civil remedies do extend to the internet, as recent incidents such as the prosecution of a blogger for breaching a name suppression order demonstrate. But there is scope for further consideration of some of these issues.

Take harassment for example. I recently heard from two separate individuals who are the targets (allegedly) of vicious online smearing and bullying, mainly on Facebook. One of them told me that it was a deliberate campaign to wreck her marriage, and was causing enormous personal distress. Now what can be done about that? In many cases, the answer is very little. The review may be an opportunity to brainstorm and see if some solution or framework can be arrived at to allow genuine victims to get some assistance. Draconian regulation is not the answer, nor is possible, but there may be some sensible steps that can be taken.

Preference vs protectionism

Labour MP Clare Curran has entered the Kiwi Jobs Bill into the private members’ ballot. The bill aims to “determine whether the NZ Government can have a policy that gives preference to local procurement without breaching our international trade obligations”. The bill would apply to IT procurement, which has prompted some differences of opinion from the industry. For something as universal as IT, anything that is simply protectionist would be irrational and detrimental. But an increase in transparency and the promotion of open standards (if the Bill does that) would be welcomed.

IT & the new Limitations Act

Under the Limitation Act 1950, the general rule is that a person cannot bring a claim in contract or tort more than 6 years after the cause of action arose. As a result, business records (including electronic data) should generally be kept for at least 6 years (although other acts impose specific rules, for example 7 years for certain accounting information under the Tax Administration Act). However, over the years many quirks and wrinkles have been introduced into the picture, resulting in some uncertainty.

A replacement Limitation Bill received its first reading earlier this month. The bill tidies up and simplifies limitation periods. Importantly, it proposes to introduce (for most matters) a “longstop” limitation period of 15 years. As a result, prudent businesses will want to keep some records for 15 years. This sounds like a very long time and, of course, raises some practical issues, but expanding storage capabilities mean disk/cloud space should not be burdensome for most businesses. However, there can be a downside to keeping records – in that they may be discoverable in litigation – so this rather dry subject does require some thought in each case.

Record keeping risk?

On a related note, a new survey shows that most Kiwi businesses do not have documented procedures for recovering from an IT disaster. Besides the business interruption risk, there could be significant third-party legal risks from a catastrophic data loss. For example, a firm that has assumed responsibility for holding records for clients (e.g. accountants, architects, engineers, lawyers, etc) could be liable in negligence for their clients’ business interruption following the record-holder’s data loss, in certain circumstances.

ISP search concerns

Is the Copyright (Infringing File Sharing) Bill a wolf in sheep’s clothing when it comes to secret surveillance? Civil liberties lawyer Michael Bott thinks so, and wants better notification requirements for electronic searches.