I finally had a chance to start working on this transcription. This is still a work in progress. Please note I do not own the copyrights and the contents of this interview. This was a fun way for me to educate myself on the professional insights Mr. Martin Kratz provides in the IP legal industry. Hope this can be of use to those who are interested in the topic. I will be adding timestamps after the entire interview has been transcribed.
Interview Time Index (MM:SS) and Topic
Can you describe up to five major challenges you have faced and your solutions to these challenges that would be of value to businesses today?
I’ll try to do that and my comments aren’t in any specific order. A fundamental challenge or perhaps a series of challenges are change itself, with the economy and the technical environment and the drivers behind them continue to change at an amazing pace that creates a variety of challenges to maintain relevance.
Early on, my solution was to adopt and embrace change. Not fear or seek to avoid it. Some of the tactical approaches I used were to seek to think ahead of the changes and to try to be well prepared for them. So for me, teaching and writing and being involved in law report has helped me to see a bigger picture to therefore be better prepared for it. The current change that was occurring and to anticipate what might be the issues in the near future. The lesson for businesses assuming that you think that that’s a good idea is if you think that’s a good idea: not to fear change in the world but rather seek to understand what is driving the change, seek how it can be turned into an advantage, what might be the next opportunity, what might be the missing step or the balling step to a phenomena that’s occurring.
Another challenge that occurred is that I can sometimes see things or find connections that others don’t see. I don’t mean ESP (extra sensory perception) or anything like that, but sometimes see nuances or connections that others don’t seem to miss. It can be a challenge because that can set you apart from others. I had a summer job as an engineering student where I managed institutional research projects at several major universities and research institutes. I had to find a way to identify the problem that the researcher was having to find a solution to the problem and then find a way for the researcher to discover that solution.
And the lesson for business for me is to think about your audience what they need and how they need to be informed and to communicate in a way that is meaningful to them. Another challenge is that I can think very quickly, and often can’t find an answer very quickly. In primary school, that became a problem. In math exams as I had an answer but I had to actually slow down and show the steps by which I got the answer.
And I think to translate that challenge into a lesson for business is to let the customer know what you’re doing for them and why, not merely the result. And it’s a great way to avoid into being offside or to avoid making a mistake.
Another challenge is to seek to find balance in life and I’ve sought in my life to try to give with passion a third of my time to my family, a third to my work and a third to my community. And I guess assuming that that is something that people think is a good idea, the lesson for business is to seek to find balance as an individual so you can have the endurance for stable and committed long-term effort in business.
Martin, those are some very good lessons that you are sharing with the audience and thank you for that. Now let’s dive deeper here, you have so many deep insights as an ICP – Information Communication Technology Pioneer, also as an Intellectual Property Legal Pioneer. So from your viewpoint, what are the top five future challenges for business executives today and what are the solutions?
I think there is a number of learning that I can share and hopefully be of benefit. The first is, Intellectual Property rights provide the framework on which most of the ICT world operates. As a result of an understanding of that framework is important to executives in the ICP field so some basic education is going to help them deal with the amount of information and the kind of issues they confront.
A challenge for ICP-executives is how to manage the tension between the efforts of some current industries to seek even higher degrees of protection for ICT innovation. The tradeoff for providing such innovative protection is that we enrich the current generation at the expense of future generations which are less able to build on what came before. In the past innovation has always been based on using what was built before. If we make the barrier to the next stage to innovation too high, then the ultimate result may be that the pace of innovation slows and the barriers to the next generation of innovation are increased. The impact may only be appreciated across decades, we may need to endure the effective and intense self-interested lobbying resulting in much higher protection leading to a generation of enforcement litigation and transactional burdens which may require the pendulum to swing slowly back. The question will be whether North America can maintain long-term international leadership innovation by creating such barriers to the next generation of innovators.
Another key challenge for ICT executives is how they address the issue of Internet privacy. We build an Internet culture that is used to the pervasion of free services such as Google Search and Gmail and a wide range of services, all of which really can only be sustained through advertising. There is an inherent tensional desire of individuals not to be embarrassed or to have their personal details manipulated or used in harmful ways. Yet users have this expectation of privacy that want free services. And in Canada and Europe users have fairly strong tools to exercise if they feel their personal information has been improperly disclosed. Internet businesses need to be very clear what they will do with user personal information and make real efforts to educate users about those uses. Transparency about information handling practices is a cornerstone of getting informed consent from users. As well a focus on provision of adequate security is a growing focus for online business.
Another current challenge is the migration of ICT services to the cloud. I suggest ICT executives, CIOs, CPOs, need to avoid fearing loss of their empires but rather look at how they can harness aspects of this trend and continue to add value to their businesses. Cloud-based solutions often offer dramatic cost savings but require careful consideration of addressing compliance requirements, such as performance, privacy, security and the like. I think the solution includes looking at cloud services that meet the business compliance requirements and offer transparency, security, control around the business’s data and related issues while providing cost-saving over the alternatives.
Another challenge for ICT executives is the challenge of risks of the bring your own device policies while still providing flex-build elements of the solution are to continue to concentrate on the business’s business security requirements and ensure any solutions that meet those needs are implemented. User training is also an important and essential element in seeking to minimize security risks. Social media has moved into the mainstream and as a result executives need to have meaningful and thoughtful policies around what if anything employees may use social media for in the workplace. How and what services might be permitted. There is a generational challenge looming for executives as younger workers expect to be free to express themselves using social media even in the workplace. Thoughtless expression poses serious liability for the employer. The executive will be seeking to manage an option and enforcement around those policies.
Those are some very important issues and let’s take time to explore them a little later in the interview. Really thought-provoking areas. What do you see as the next five disruptive that business executives should be watching for, from a legal perspective?
As already discussed, some disruptive innovations that create new legal challenges include the start-cloud computing. Security and privacy protocols and issues leading at cloud service providers service are important issues. Mobile computing raises evolving security risks for mobile apps access from mobile devices. And the challenge of bringing your own device policies, all of these issues have rapidly evolved in the workplace. And in the way which works work to engage with competing resources. Social media again, having transformative impact on our society. Threshold issues for executives determine the degree to which they include social media in their communication strategy and correspondingly educating employees about thoughtful uses of social media. Locational technology provide businesses unique promotional opportunities, but if used, can pose security, privacy, personal risks to user and reputational and direct liability for business. Businesses using those technologies need to think through how they protect users from misuse of such tools. There is growing use of interest in using 3D printers that are claimed to increase the risk of IP infringement.
Having that said, these tools are no different than existing digital copy and dissemination tools in terms of IP infringement risks. I think merely the types of rights which can be infringed have changed. Another innovation is the use of IP rights themselves, and especially patent rights as a tool to seek to extract value from successful businesses. An example substantial value realized from the sale of Nortel’s patent portfolio or the recently announced purchase by Microsoft Nokia, which includes two billion payment for a license to Nokia’s patent rights. The focus on strong value produced by patent rights has driven a focus for ICT businesses to seek patent protection for their innovation combined with a strong change in the sector there is a minefield of patent rights businesses need to be aware of. This requires companies that are relying on creating innovative new technologies to ensure they are not at risk of infringing third-party rights. This has always been the case. But the institutionalization claimed patent organizations has increased the importance of addressing these risks early in the innovation process. The corollary is that for investors in an ICT company, the existence of a strong, active patenting program is even more attractive as I discussed with the Nortel and Nokia examples, there are main patent portfolio for a business on the downside may be an enduring value, as a result has become very attractive for them.
Now your breakups are very interesting issues and I have a question I’m going to ask later on about the controversies in the marketplace. I guess what strikes me is because I do research as well and colleagues do some research at all. And I work with colleagues in some research sometimes there is a kind of feeling, that patent sometimes reduce innovation in a sense. You see a lot of litigation occurring in the news or you hear a lot of litigation in the news companies suing other companies and so on for patent infringement but then you know there are some researchers feel that this sort of innovation would be interesting to hear your thoughts on this later on.
Let’s dive deeper into some of the topics you already mentioned. And this question is about what are some privacy client’s obligation, user’s need to consider before they adopt a cloud-based solution and I’m talking about the private sector and public sector.
Thank you Steven, in my view a key factor in each customer’s decision whether to adopt cloud-based solutions is understanding if the solution meets the client’s compliance requirements. And in Canada, key compliance issues are privacy and security because we have mandatory privacy and security obligations and those are applicable both for the private sector and the public sector. And I will differentiate between those two while there is a lot of similarities, the rules are generally the same. The initial point is that the law requires that an organization is responsible for personal information that is in its custody or under its control. Organization engages the services of another person by contractor or otherwise, that organization remains responsible for those services and for that person’s compliance efforts. Similarly, the organization is responsible for personal information in its possession and control, including information transferred to third party for processing. And the organization has an obligation to use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
In Canada, a private sector entity is free to use cloud-based solutions, but in each case, they have to be satisfied that each business has adequate control of the security arrangements in place. And where other regulatory rules and industry standards are applicable, those rudiments also have to be addressed. Where the cloud-based service provider is not located in Canada, the security and privacy concerns do not change. The business remains primarily responsible for compliance for the federal privacy commissioner has ruled businesses using a foreign service provider must inform users of that fact and unique risks of any in that respect. Similarly, the Federal Privacy Commissioner has repeatedly ruled that use of US-based cloud-service providers or other outsource providers is lawful for Canadian private sector entities.
As an example in the PIPEDA case 313, the bank CIBC was amending its cardholder agreement and notified all Visa customers that it was using a US service provider and advised a possibility of the US law enforcement agencies may be able to access personal information under lawful process. There was no opt out available, a complaint was filed. The Federal Privacy Commissioner found that the PIPEDA does not prohibit use of foreign-based service providers. Canadian organizations must have provisions in place when using a third-party service provider to ensure a desirable level of protection. And in this case, the contract CIBC provided had security and confidentiality guarantees, oversight monitoring and provision for an audit of services, and that throughout CIBC maintain custody and control of the information. The privacy commissioner in these facts said that personal information in the hands of a foreign third-party service provider is subject to the laws of that country and no contractual provisions can override those laws. But in the privacy commissioner’s view, it is clear as a comparable legal risk that the personal information of Canadians held by any organization and any service provider whether in Canada or US can be obtained by government agencies through the provisions of Canadian or US law and at the very least a company in Canada that outsources information processing to the US should notify its customers that the information may be available to US agents under lawful order in that country. CIBC had done so, so the complaint was not well founded. In Canada, a private sector entity is also free to use Canadian-based cloud service providers and as for private sector entities the public sector entity must be satisfied that adequate control and security arrangements in place. In Canada other than in British Columbia and Nova Scotia a public sector entity also create foreign-based cloud-based solution.
British Columbia and Nova Scotia have limited ability of a public entity to host data outside of Canada and there are some exceptions but this does make it difficult for public sector entities in those provinces to benefit from competitive cloud-based services. Where the cloud-based service provider is not located in Canada, the security and privacy concerns don’t change. Public sector entity remains primarily responsible for compliance with those obligations. And privacy commissioners have ruled that use of US-based service providers are lawful for Canadian public sector entities.
If you have a global organization let’s say based in Canada, let’s say the data resides in the US in the cloud but the global organization which means that there is personal records held in Asia and Europe and throughout Africa and so on. What are the implications of that?
First let’s start by saying that generally privacy laws apply to activities not to locations. And so the activities of collecting, of using, of storing, of disclosing that will trigger the possible applicability of privacy law. In the global example you are talking about, I think what you’re talking about is Asian, European, and North Americans that are being collected and stored in the United States, processed whether in Canada or in the United States, so that means the laws of each of those jurisdictions is likely to be engaged. What global organization therefore do is to assess all of the legal regimes that could be applicable to their information handling practices and seek to develop a synthesized set of privacy policies and practices that allow them to be compliant in all jurisdictions and their privacy policies typically reflect that kind of integrated approach. In other words they typically will adopt unless it’s conceptual or particularly unusual sort of the minimum or most restrictive practices as most applicable to the entire organization.
Now that is interesting, increasingly with the cloud you get a smaller, in fact nonprofit organizations who have been able at a very cost establish a global footprint but I can see all of these legal implications of that and requiring actually the considerable legal advice as to what the legal implications are. How is that managed if you have all these smaller organizations including non-profits worldwide, perhaps they don’t have that ability or the resources to do this. Are there any sort of resources they can make use of at lowering cost or to help in this endeavor?
A principal point, a business has the responsibility to comply with the laws and jurisdictions to which it is subject regardless of size or its capability. And if you think from the perspective of the individual who if we use privacy as an example, whose personal information is being protected, they should expect equal levels of compliance by the global multi-national and by the small innovative startup. Both of which have to address the same compliance obligations. So there is an advantage for the global party because they have more resources, more reputation. Their infrastructure allows them to have built information-handling practices that are more likely to be compliant with the many regimes in which they iterate. So the tools available to smaller companies are to consider hiring people that have that kind of global experience as part of the workforce for the smaller companies, because there is a business case that smaller companies making about, seeking to provide international solutions. The second approach they seek to use is in their agreements limit their liability to certain practices where they have a high level of confidence that they might be compliant. We see some cloud-based vendors for example – provide assurances these are their privacy compliance for the United States or for Canada, but being resistant about assuming unlimited liability for jurisdictions where they haven’t done the work yet to ensure they satisfy the local law requirements.
The third approach that could be used is to look to industry associations, professional associations as sources of best practices in terms of compliance, these are problems faced by everyone in the industry and so often industry associations or conferences or professional organizations will be a source for information and best practice sharing.
Now you are a quite an active blogger, you’ve written articles in this area and also one or more books in this area. Do you have any recommendation for resources for audience?
I think that a starting point of excellent materials are the website of the Office of Information and Privacy Commissioner of the provinces and the Federal Privacy Commissioner. Those privacy commissioners work very closely and proactively at seeking to identify issues.
For example, recently, the Federal Privacy Commissioner in conjunction with several provincial counterparts has issued guidelines on behavioural advertising. They address issues of protection of personal information of minors, they address issues surrounding cloud computing. They have specific checklists and guidelines around cloud computing agreements and the kind of issues we consider in those types of transactions. So there is a wealth of work that has already been done in this area. Those are resources that are really available and generally well thought through. The decisions of the Privacy Commissioners are really influential but they don’t override the decisions of the courts which do look ultimately at the overriding constitutional legal framework in which they operate. There are some cases people might also look at. For those who are interested at a more professional deeper level, there are a number of textbooks in this area that will give you a deeper analysis of those privacy obligations and requirements.
Now earlier and actually throughout this discussion you talked about cloud computing that kind of brings to mind this question. What are some contractual issues in cloud computing?
Well, the starting point is to look at what the cases and the decisions of Privacy Commissioners have suggested. What I’m speaking to now are what has been specifically commented on litigation and those cases suggest that core provisions are around establishment and control over the information, confidentiality and provision of adequate security. So contracts with cloud computing service providers should ideally include or address some of the following kinds of issues. There should be covenants addressing disclosure of information other than for purposes for which the cloud service provider is expressly retained. There should be covenants requiring the service provider to maintain specific privacy, security and backup standards for the personal information.