
2019 Year in Review: Technology, Cybersecurity, Privacy, and IP

2019 proved to be another eventful year for technology, privacy, cybersecurity, and intellectual property law. For the first time in several years, significant changes were made to our intellectual property statutes. We also saw an increase in dialogue around artificial intelligence (AI) legal frameworks to govern the ethical and responsible use of AI technologies.

As we look back, the following is a summary of some of the key highlights from 2019:


  • Canadian Government Directive on Automated Decision-Making: On April 1, 2019, the Government of Canada’s Directive on Automated Decision-Making (the “ADM Directive”) came into effect, which imposes several requirements on the federal government’s use of automated decision-making systems (“ADM Systems”). The ADM Directive’s goal is to ensure ADM Systems are implemented with the least risk possible, through procedural fairness and due process. Under the ADM Directive, any ADM System that the federal government plans to use must: (a) undergo an algorithmic impact assessment which results in a publicly-released classification of the ADM System in one of four impact levels, and (b) meet a set of requirements based on the assessed impact level (such as a peer review of the ADM System, allowance for human intervention when necessary, and contingency systems). The ADM Directive also imposes additional requirements on all ADM Systems, such as access, diligence, testing, and auditability requirements for licensed software, validating quality of data used in the ADM System, security safeguards, availability of recourse against decisions of ADM Systems for clients, and reporting information on its effectiveness and efficiency.
  • Developments in US AI Regulations: In December of 2018, President Trump signed an executive order prioritizing AI regulation across multiple technologies and industries. In line with the executive order, several developments in AI regulation have since been made:
    • In April 2019, the U.S. House of Representatives and the U.S. Senate introduced the Algorithmic Accountability Act (the “AA Act”), which is intended to regulate AI and machine learning systems to: (a) emphasize the ethical, non-discriminatory use of those systems; and (b) address their impact on data security and privacy of users generally. The AA Act applies to companies with over $50 million in average annual gross receipts, companies which hold personal information of at least 1 million users, or which act primarily as data brokers (and therefore applies to the largest US tech companies). The AA Act would also grant new powers to the Federal Trade Commission to require companies to audit their machine learning systems for bias and discrimination.
    • Some U.S. government agencies have also begun implementing their own regulations. For example, the U.S. Defense Advanced Research Projects Agency has identified the replacement of “black box systems” with “explainable AI” as one of its goals, and the US Food and Drug Administration has released a discussion paper requesting feedback on its draft guidance on the regulation of AI-based medical devices.
  • The EU’s Framework for Trustworthy AI: On April 8, 2019, the European Commission’s High-Level Expert Group on Artificial Intelligence released its voluntary Ethics Guidelines for Trustworthy AI (the “EU Ethics Guidelines”). The EU Ethics Guidelines state that AI systems must be lawful, ethical, and robust to achieve trust in AI, and outline seven practical requirements for trustworthy AI systems: (i) human agency and oversight; (ii) technical robustness and safety; (iii) privacy and data governance; (iv) transparency; (v) diversity, non-discrimination and fairness; (vi) societal and environmental well-being; and (vii) accountability. The EU Ethics Guidelines also provide methods to help realize trustworthy AI, both technical (e.g. testing and validation should be performed by a diverse group of people using multiple metrics) and not (e.g. AI development teams should be diverse in thought, skill, gender and age).
  • OECD Releases Principles on Artificial Intelligence: The Organization for Economic Cooperation and Development (“OECD”) approved the OECD Recommendation on Artificial Intelligence, which intends to foster innovation and trust in AI, while ensuring respect for human rights and democratic values. It presented five principles intended to serve as the basis for policy development: (i) inclusive growth, sustainable development and well-being; (ii) human-centred values and fairness; (iii) transparency and explainability; (iv) robustness, security and safety; and (v) accountability. The OECD encourages governments to further these principles by facilitating public and private investment in research and development of trustworthy AI, investing in the underlying digital infrastructure, empowering people with the skills for AI and supporting workers for a fair transition, and cooperating across borders to share knowledge and develop global technical standards.
  • A Responsible AI Policy Framework: On May 23, 2019, the International Technology Law Association released its Responsible AI: A Global Policy Framework. The framework outlines eight policy principles to encourage development, deployment, and use of AI: (i) ethical purpose and societal benefit; (ii) accountability; (iii) transparency and explainability; (iv) fairness and non-discrimination; (v) safety and reliability; (vi) open data and fair competition; (vii) privacy; (viii) AI and intellectual property (rights protection). The publication also provides commentary from thought leaders on each of the framework’s policy principles and invites stakeholders to continue the dialogue on responsible AI.


  • OPC’s Observations on the Mandatory Data Breach Reporting: On October 31, 2019, the Office of the Privacy Commissioner of Canada (the “OPC”) released an update on the mandatory breach reporting regulations, which came into force under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) on November 1, 2018. During the year following the regulations coming into force, the OPC received 680 breach reports, which was six times the volume of reports that the OPC received during the year prior, when breach reporting to the OPC was voluntary. The OPC highlighted that data breaches remain an ongoing threat for all organizations, and businesses need to be aware of the myriad potential risks and what they should do to tackle them.
  • Canadian Government Announces New Digital Charter: On May 21, 2019, the Honourable Navdeep Bains, Minister of Innovation, Science and Economic Development, announced the launch of Canada’s new Digital Charter. The Digital Charter includes 10 principles (which may evolve over time) to guide how data, trust, and privacy fit into the Canadian government’s plan to grow the Canadian economy through innovation and to build sustainable growth by leveraging digital and data transformation. As a part of that plan, the Canadian government proposed reforms to modernize PIPEDA.
  • The OPC’s Transborder Transfer of Data Consultation: In 2019, the OPC launched, reframed, and dropped a consultation on a proposed reversal of its longstanding guidelines for the cross-border transfers of personal information to third parties for processing. In dropping its consultation, the OPC referenced the Federal Court of Appeal’s (the “FCA”) Erlanger v. Telus Communications Inc. decision, in which the Court held that “Schedule 1 (of PIPEDA) does not lend itself to typical rigorous construction. In these circumstances, flexibility, common sense and pragmatism will best guide the Court.” In relation to its proposed reinterpretation of its guidelines, the OPC expressed that it would be “applying this pragmatic approach in determining that it will maintain the status quo until the law is changed”.
  • Québec Guidelines on Video Surveillance: On February 22, 2019, the Québec Commission d’accès à l’information released its guidelines on video surveillance, which require Québécois businesses to demonstrate a legitimate, important, urgent, and real objective to use image capturing technology and to consider whether the use of such technology is a proportional means to achieve such objective.
  • GDPR Updates: 2019 also marked the first full year that the European Union’s General Data Protection Regulation (“GDPR”) had been in force. Each of the UK’s Information Commissioner’s Office and Ireland’s Data Protection Commission published an update report to provide their insights on the GDPR one year in. Both reports highlighted the increase in the number of data protection complaints and data breach reports, which suggests that: (a) individuals are interested in controlling and protecting their personal information, and will exercise their user rights under the GDPR to do so; and (b) data controllers and processors are respecting individual privacy rights and working towards implementing internal controls to detect and report significant data breaches in order to comply with the GDPR.


  • OSFI and IIROC Release New Mandatory Reporting for Cybersecurity Incidents: On January 24, 2019, the Canadian Office of the Superintendent of Financial Institutions[1] (“OSFI”) published new technology and cybersecurity incident reporting requirements under its Technology and Cyber Security Incident Reporting Advisory (the “OSFI Advisory”). As of March 31, 2019, all Canadian federally regulated financial institutions, including all banks, insurance companies, and pension companies, are required to report technology or cybersecurity incidents that they assess to be of a high or critical severity level, such as cyber attacks, extortion threats, and third party breaches.

Near the end of the year, the Investment Industry Regulatory Organization of Canada[2] (“IIROC”) followed suit and released new mandatory reporting requirements for cybersecurity incidents under IIROC Notice 19-0194 for IIROC Dealer Members, who are now required to submit one report within three days of any cybersecurity incident, and follow up with an investigation report within 30 days. IIROC Dealer Members should keep in mind that IIROC’s cybersecurity incident reporting obligations are broader than the requirements under privacy law or the OSFI Advisory.


  • Effect of Amendments to Bankruptcy and Insolvency Legislation on IP Licenses: Amendments to the Bankruptcy and Insolvency Act (“BIA”) and the Companies’ Creditors and Arrangement Act (“CCAA”), made under the federal government’s omnibus Bill C-86, came into force on November 1, 2019. The amendments to the BIA and CCAA cover circumstances where IP license rights are preserved in the face of the bankruptcy or insolvency of an IP licensor, including preserving an applicable IP licensee’s use rights in the context of disclaimers, sales or dispositions by trustees in bankruptcy, or through the sale or disposition of the IP assets of an insolvent IP licensor. Gaps still remain in both the BIA and CCAA, such as the lack of definition for “intellectual property” and lack of clear scope for the “right to use” licensed IP concept.
  • College of Patent Agents and Trade-mark Agents Act: Bill C-86 enacted the College of Patent Agents and Trade-mark Agents Act, which established a regulatory college by the same name to provide for licensure, investigations, discipline, and offences for falsely holding oneself out as a patent or trademark agent. To date, the legislation is not fully in force. The Canadian government anticipates that the regulatory college will not be operating at full capacity until late 2020 (at the earliest).


  • Amendments to the Trademarks Act Under Bill C-86: Bill C-86 amended the scope of registrable marks under the Trademarks Act to include non-traditional “signs” or “combination of signs” if they are distinctive in Canada, such as colours, textures, scents, holograms, and moving images. The amendment, which came into force on June 17, 2019, aligns Canadian trademark law with the Singapore Treaty, Madrid Protocol and the Nice Agreement that Canada acceded to on March 17, 2019. Other notable amendments to the Trademarks Act include:
    • adding “bad faith” as a ground to invalidate and oppose the registration of a trade-mark, with the aim of hindering the registration of a trade-mark for the sole purpose of extracting value by preventing others from using it;
    • adding a provision (not yet in force) whereby evidence of use within the first three years of registration will be required to enforce trademark registration, which is intended to address criticisms that other revisions to the “use” requirements under the Trademarks Act would give rise to squatting and over-claiming of rights;
    • granting the Registrar of Trademarks the power to strike official mark[3] rights (not yet in force); and
    • a series of changes to the trademarks regime (not yet in force) to modernize the conduct of proceedings before the Registrar of Trademarks and to prevent parties from abusing such proceedings. Changes include granting the Registrar of Trademarks powers to: (a) make confidentiality orders, cost awards, and case management orders; and (b) deem an objection or opposition to be in default and withdrawn, if the default is not remedied after notice.


  • Amendments to the Patent Act Under Bill C-86: Bill C-86 amended the Patent Act to:
    • allow regulations setting basic requirements for written demands sent with respect to patent rights, which aims to stifle perceived abuse by non-practicing entities (so-called patent trolls);
    • codify the file wrapper estoppel principle, which permits a patent’s Canadian prosecution history (i.e. the file wrapper) to be admitted into evidence to rebut a patentee’s representations about patent claim construction;
    • add an experimental purpose exception, where non-commercial or commercial experimentation relating to the subject-matter of a patent is not deemed to be infringement of such patent;
    • provide transferors of standard-essential patents (patents claiming inventions necessary to comply with technical standards) with rights to impose binding licensing obligations on to the transferee of a standard-essential patent; and
    • broaden the exception to infringement for prior users, such that prior use (which includes otherwise infringing acts and preparations for infringing acts) must have been in good faith, without having arisen only because of knowledge obtained from the patent applicant.
  • Trade Agreements Effect on Canadian Patent Law: As part of the Canada-European Union Comprehensive Economic and Trade Agreement, Canada agreed to partially restore the term of patent rights on medicinal ingredients when drugs are delayed from coming to market by regulatory reviews. This year, an innovator brought an application for judicial review from a decision to deny this certificate of supplementary protection for its patent.
  • Canadian Courts Rule on Patent Obviousness: Several court decisions in 2019 hinged on the test for patent obviousness, including:
  • The Courts Outlined the PMPRB’s Jurisdiction: On June 28, 2019, in its decision in Attorney General of Canada v. Galderma Canada Inc., the FCA set aside a determination by the Patented Medicine Prices Review Board (the “PMPRB”). The FCA’s decision provides important guidance for the determination of whether an invention pertains to a medicine, which is a key factor in subsequently determining whether the PMPRB has jurisdiction over a medicine under the Patent Act. In particular, the FCA confirmed that: (a) in determining what is the “invention” for the purposes of section 79 of the Patent Act, the PMPRB must consider the patent as a whole, including the claims, but without construing the patent as the Court would; and (b) the PMPRB must follow the test set out at section 79(2) of the Patent Act, which provides that “an invention pertains to a medicine if the invention is intended or capable of being used for medicine or for the preparation or production of medicine”. Further, the Court also cautioned that, when determining whether an invention “pertains to” a medicine, the PMPRB should not substitute the test set out in section 79(2) of the Patent Act with a “rational connection” or “merest slender thread” test.
  • Health Canada Published Amendments to Patented Medicines Pricing Regime: In August, the Government of Canada published amendments to the Patented Medicines Regulations (the “Amended Patented Medicines Regulations”), including the framework applicable to price regulation of patented medicines. The Amended Regulations are intended to come into effect July 1, 2020, but two legal challenges that have been launched in the FC and Quebec Superior Court may cause delay.

Four key changes in the Amended Regulations include: (i) new factors for the PMPRB to determine whether a drug price is “excessive” under section 85(1) of the Patent Act; (ii) new disclosure requirements related to the amendments; (iii) new requirements for patentees to report to the PMPRB the actual price or revenue obtained by the patentee for any adjustments made by any party that directly or indirectly purchases or reimburses the medicines; and (iv) an amendment to the schedule of countries that the PMPRB is required to use to compare the price of a drug sold internationally.

  • PMPRB Released Draft Guidelines to Operationalize the Amended Patented Medicines Regulations: The PMPRB released draft guidelines for public consultation, which are intended to operationalize the Amended Patented Medicines Regulations and are set to come into force on July 1, 2020. Key aspects of the PMPRB’s draft guidelines include the following:
    • The new factors under section 85(1) of the Amended Patented Medicines Regulations to determine whether a price is “excessive” would not apply to patented medicines that received a drug identification number prior to August 21, 2019.
    • Patented medicines that received a drug identification number on or after August 21, 2019 would be divided into two categories: (a) Category I, which is intended to cover medicines the PMPRB regards as likely to be at highest risk of excessive pricing and therefore more stringently regulated; and (b) Category II, which is intended to cover all other patented medicines.
    • Notably, the PMPRB’s draft guidelines do not directly address the specific logistics for filing the new information required under the Amended Patented Medicines Regulations, but instead refer to the Patentee’s Guide to Reporting (which has not yet been substantively updated to reflect the new requirements).


  • Amendments to the Copyright Act Under Bill C-86: Bill C-86 amended the notice-and-notice regime[4] under the Copyright Act, such that notices for claimed infringement are now expressly prohibited from including (a) an offer to settle; (b) a request or demand for payment or for personal information; (c) any reference to any such offer, request or demand; or (d) any other information that may be prescribed by regulation.
  • Site Blocking Orders Come to Canada: biz: In November, the FC granted Canada’s first site blocking order, in which it ordered certain ISPs in Canada to block access to pirate subscription streaming sites that were infringing the copyrights of the plaintiffs. In deciding whether to grant the injunctive order, the FC applied the standard test set out in Metropolitan Store Ltd.[5] and RJR-MacDonald[6]. When considering whether the balance of convenience weighed in favour of the plaintiffs (in its application of the standard test for injunctive orders), the Court relied on factors used in a UK site-blocking case to determine whether the blocking order was proportional: necessity, effectiveness, dissuasiveness, complexity and cost, barriers to legitimate use or trade, fairness, substitution and safeguards.[7]
  • When Copyright in a Work Transfers to the Crown: Keatley v. Teranet: In Keatley Surveying Ltd. v. Teranet Inc., the Supreme Court of Canada (the “SCC”) unanimously agreed that the opening words of section 12 of the Copyright Act preserve the Crown prerogative,[8] which confers a “property right” on the Crown that grants the Crown a monopoly on printing certain works in perpetuity. The issue in the case was when copyright passes to the Crown under the remaining words of section 12: “prepared or published by or under the direction or control of Her Majesty”. The SCC unanimously recognized that the disjunctive wording could result in the Crown becoming the owner of a copyright under either the “prepared” or “published” prongs. Justice Abella, for the majority, interpreted that:
    • under the “prepared” prong, copyright could vest in the Crown pursuant to section 12 when: (1) an agent or servant of the Crown brings the work into existence for and on behalf of the Crown in the course of his or her employment; and (2) “when the Crown essentially determines whether and how a work will be made”; and
    • under the “published” prong, “a work will only be published by or under the direction or control of the Crown when it can be said that the Crown exercises direction or control over the publication process, including both the person publishing the work and the nature, form and content of the final, published version of a work”.

Applying the interpretation above to the facts of the case, the majority of the SCC decided that when surveyors register or deposit plans of survey in a public registry system (including land titles) and those plans are made available to the public by the Ontario Government (or Teranet, its service provider) the copyright of the survey passes to the Crown.

If you are interested, please also see our Fintech Regulatory Developments: 2019 Year in Review. For more information about our firm’s expertise, please see our Technology, Cybersecurity, Privacy & Data Management, Intellectual Property and IP Litigation pages.


[1] OSFI is an independent federal government agency that regulates and supervises federally regulated financial institutions and pension plans, including banks in Canada, and all federally incorporated or registered trust and loan companies, insurance companies, cooperative credit associations, fraternal benefits societies and private pension plans.

[2] IIROC is a national self-regulatory organization which oversees all investment dealers and trading activity on debt and equity marketplaces in Canada.

[3] Official marks are those badges, crests, emblems, or marks adopted or used by public authorities. Other Amendments to the Trademarks Act clarify that prohibitions against using or registering official marks will not apply in respect of an entity that is not a public authority or no longer exists.

[4] The notice-and-notice regime under the Copyright Act allows copyright owners to give notice of alleged copyright infringement via Internet service providers without needing the infringer’s identity.

[5] [1987] 1 SCR 110.

[6] [1994] 1 SCR 311.

[7] Cartier International AG v. British Sky Broadcasting Ltd., [2016] EWCA Civ 658.

[8] The types of works which the Crown traditionally had the sole right to originally publish included works of religion, statutes and public documents and law reports. Justifications for the continued existence of the Crown prerogative over publishing “include ensuring the preservation, authenticity, accuracy and reliability of certain documents, while simultaneously retaining the discretion of the executive.” The continued subsistence of the Crown prerogative is a derogation from the general rule that copyright is wholly a “creature of statute”.


