As previously discussed in this blog, the Digital Privacy Act makes a number of substantive and house-keeping amendments to PIPEDA, and is the end result of multiple legislative attempts over the past several years to make a number of updates to PIPEDA which, for the most part, were without serious controversy.

The major changes now in force are:

1. Confirmation that employers of federally-regulated businesses have implicit consent to deal with their employee information in the context of the employment relationship;  this mirrors similar provisions contained in the Personal Information Protection Act (“PIPA”) of British Columbia and of Alberta.

2. Introduction of a “business transaction” exemption into PIPEDA, similar to the exemption currently set out in PIPA;  PIPEDA-regulated enterprises will now be able to utilize this exemption when buying or selling a business.

3. Addition of an exemption permitting disclosure between organizations for the purpose of investigating a breach of agreement.

4. A requirement that the effectiveness of a consent given to the organization must be considered subjectively in the context of the relevant audience.

5. Clarification of the rules surrounding witness statements, business contact information and employee work product.

The most significant change being made by the Digital Privacy Act is not yet in effect, and will be brought into force by regulation at a future date.  PIPEDA-regulated organizations will now be subject to a compulsory privacy breach reporting system, and a system of fines and penalties will be put in place for failure to comply.  The relevant threshold will be the “real risk of significant harm” test currently used in Alberta’s compulsory  breach reporting regime, which has been in place for several years.  The reporting system will involve both a report to the federal Privacy Commissioner, and a report to the affected individuals.   Regulations will need to be developed and finalized to support this system.

For assistance in assessing the Digital Privacy Act or other privacy law matters, please contact Robert Pakrul of our Information and Privacy Law Group at bpakrul@ahbl.ca or 604-484-1720.

Under CASL, the regulator can impose fines of up to CDN$ 10,000,000.00 per organization and up to CDN$ 1,000,000 per individual for violation of the CASL rules.   Also, commencing in 2017, private lawsuits may be brought against entities in violation of CASL.

This is the first reported fine imposed under the CASL rules.   Previously, the CRTC has worked with organizations which were the subject of complaints to educate and assist them in arranging for appropriate CASL compliance.  The announcement indicated that approximately one quarter of all spam complaints received to date relating to Compu-Finder’s industry sector have involved this particular organization.

More information on Canada’s Anti-spam Legislation can be found in our previous blog post here.

According to the OIPC, while video surveillance systems do not violate PIPA, video cameras are inherently intrusive. Before installing video equipment or activating a surveillance system that was installed by the original developer, a strata corporation must be in a position to justify using the surveillance on the basis of verifiable, specific concerns about residents’ personal safety or the protection of personal and common property that other measures have failed to address (Shoal Point Strata Council, [2009] B.C.I.P.D. 34). Video surveillance cameras must also be strategically placed to capture the security breaches it aims to address. For example, a strata corporation that has experienced a series of vehicle break-ins may be able to justify using video surveillance in the parkade, but may not be able to justify using the same system in the social room. Areas where owners, tenants, occupants, visitors and/or employees would have a reasonable expectation of privacy (e.g. change-rooms and washrooms) are not permitted to be monitored.

Last but certainly not least, the OIPC requires strata corporations to have a bylaw, or alternatively, obtain every owner’s written consent, before installing or activating a video surveillance system.  Since owners, tenants and residents of strata corporations are subject to frequent turnover, maintaining these individual consents can be quite problematic.  As a result, assuming that video surveillance is supported by a ¾ vote resolution of the owners at a General Meeting, it is much easier to pass and register video surveillance bylaws in the Land Title Office. In addition to these bylaws, strata corporations must have a comprehensive written privacy policy in place that governs the video surveillance system as well as all the personal information the strata corporations collects. This policy should be made available to residents upon their request, and when it comes to video surveillance systems, should include the following information: confirmation that the surveillance system is for security reasons; the names of individuals who are authorized to view the surveillance footage and in what circumstances; the number and location of video cameras; the operation time of the video surveillance system; the length of time video footage is retained and how it is securely stored; procedures for how access requests will be made and answered; and procedures for notifying owners, tenants, guests and visitors that the video surveillance system is in operation.

Does your strata corporation need video surveillance bylaws or a privacy policy?  For more information, please contact associate, Lisa Mackie, at 604-484-1759 or lmackie@ahbl.ca.

The legislation, passed in 2010 and fully entitled “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act”, is designed to deter the most dangerous forms of spam in Canada.  However, CASL will impact all organizations due to the broad scope of the regulatory program it introduces.

The full text of CASL and its regulations can be found here on the Industry Canada website.

WHAT’S COVERED?

Commercial electronic messages (CEM), essentially, email. All email. The scope of CASL is far-reaching with significant implications for entities carrying on business in Canada and foreign entities that send CEMs into Canada. Malware, spyware, pretexting and the harvesting of electronic address and personal information will also be regulated under CASL.

THE GENERAL PROHIBITION – DON’T SEND UNSOLICITED CEMS

Under CASL, it is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and (b) the message complies with prescribed form and content requirements.

GENERAL REQUIREMENT – CONTENT OF MESSAGES

CASL requires a CEM to be in a form that must: (a) set out prescribed information that identifies the person who sent the message and the person — if different — on whose behalf it is sent; (b) set out information enabling the recipient to readily contact one of the persons referred to in paragraph (a); and (c) set out an unsubscribe mechanism complying with CASL standards. Organizations will want to undertake a review of the content of all their CEMs to ensure they comply with these provisions.  Existing unsubscribe mechanisms may not meet the new standards set out in the CASL. In addition, there is a duty to ensure that the contact information about the sender remains valid for at least 60 days.

EXCEPTIONS

Having cast a broad net of prohibition, CASL provides some relief by designating certain exceptions. Firstly, the consent requirement does not apply to a CEM sent in a personal or family relationship or sent as an inquiry relating to the recipient’s own commercial activity. In addition, the consent requirement does not apply to CEMs that solely:

a) provide requested product/service quotes;

b) further or complete an ongoing commercial transaction previously agreed to;

c) provide product warranty, recall, upgrade or similar information;

d) deal with ongoing subscriptions, memberships or similar relationships; or

e) concern an existing employment relationship.

The Regulations under CASL also exclude CEMs from all provisions of CASL if:

• they are sent within an organization;

• they are sent between organizations that already have a relationship, if the message concerns the activities of the organization to which the message was sent;

• they are sent on platforms where identification and unsubscribe information is conspicuously published and readily available to users, and where duplication of an unsubscribe or identification message would be repetitious;

• they are sent and received within limited access secure and confidential accounts (such as messages which a bank might send to an account holder);

• they are sent in response to a complaint, inquiry or request;

• they are sent on behalf of registered charities or political parties for fundraising purposes.

CASL also prescribes rules permitting certain first-time contact by email to referral prospects, but only if the detailed CASL rules are followed.

OTHER PROHIBITIONS

CASL also regulates the alteration of certain transmission data relating to a CEM, and prohibits the installation of computer programs such as cookies on recipient computers. Again, a prescribed form of consent would be needed, and certain exceptions are prescribed.

CONSENT

As noted above, with consent, CEMs can be sent. CASL sets out guidelines for obtaining consent, either express or implied. Consent can be oral, but a record of the consent needs to be retained. A person seeking consent must provide to the recipient certain information regarding the purpose for which consent is sought.

Further, prescribed information identifying the person seeking consent must be disclosed to recipients. Therefore, consents previously obtained and relied on to populate existing email databases might not continue to be valid.

Organizations will have to ensure on an ongoing basis that the purposes for which consent was originally obtained continue to apply to the substance of all the CEMs subsequently sent. This may limit the ability to use database lists in the future for a secondary use, and when subsequently modifying CEMs a check-back may be required to the scope of the initial consent obtained. CASL also contains some fairly complex rules if the intent is to have consent be available to future unknown third parties who may conduct co-marketing or similar arrangements.

Consent will be implied in certain circumstances,  for:

a) “existing business relationships”, as defined;

b) “existing non-business relationships”, as defined;

c) certain circumstances where the email address of the recipient was made publicly available or voluntarily provided.

Commercial organizations will need to focus on the definition of “existing business relationship” set out in CASL. That definition relies on relationships which are “current”, defined as being within the past two years (or an inquiry or application made in the last six months). As a result, “stale” entries on customer mailing lists may need to be purged unless another exemption or consent provision can be relied on. The definition of “existing non-business relationship” deals with memberships, volunteers, and donations. It establishes a similar two-year purge rule.

TRANSITION PERIOD

For existing relationships involving CEMs, CASL will provide for a three-year transition period under which consent can continue to be implied (unless expressly revoked).

WHY SHOULD I CARE? – PENALTIES

Violators of CASL can be liable to onerous administrative monetary penalties of up to $10 million per organization and up to $1 million per individual. Directors and officers of organizations will want to inform themselves of the potential risks for vicarious liability. Certain conduct also constitutes a statutory offence and, commencing in 2017, private rights of action and potential class actions will be  possible. 

Enforcement of CASL and its administrative monetary penalties has been delegated to the Canadian Radio- Telecommunication Commission (“CRTC”), the Competition Bureau, and the federal Privacy Commissioner. In light of its expanded authority and mandate, the CRTC has published regulations and guidance outlining the form and content to be included in messages and setting out other requirements on the alteration of transmission data in electronic messages, and the installation of computer programs on recipient computers. These regulations will come into force together with the CASL.

START PLANNING NOW

It is important to understand the CASL rules and verify that email practices are harmonized with those rules. Many organizations in Canada are now considering whether to use the CASL transition period for a campaign of seeking express opt-in consent from existing entries on distribution lists in order to confidently maintain them on email distribution lists into the future.  The act of requesting consent is itself potentially a “spam” event, so the exemptions and the transition period take on added importance.

Organizations that purchase email lists may not be able to ensure that the vendor has been in compliance. This will be a new area of risk analysis to be considered on a case by case basis. It may be necessary to start including CASL compliance as a representation and warranty of the vendor in certain transactions.

CASL provides that on the sale of a business, previously obtained consents can pass to the new owner of the business.

FOREIGN ORGANIZATIONS – YOU TOO…

Once in force, the CASL will regulate anyone sending CEMs to Canadian recipients. Entities outside of Canada, such as U.S. businesses, could be susceptible to penalties under this legislation. There is nothing in the CASL which limits its effect to domestic senders of CEMs. Many American companies may be unaware that compliance with Canadian “Do Not Call” rules and existing US anti-spam rules does not necessarily make them automatically compliant with the new CASL rules. While Canada is following other OECD countries by finally implementing its own anti-spam regulation, CASL goes further than many other OECD initiatives by generally requiring a separate and express “opt-in” consent, rather than an “opt-out” regime.

These materials are provided for general information only and do not constitute legal advice. Readers are encouraged to seek legal advice for any particular situation. Please contact Bob Pakrul, a member of the Alexander Holburn Information and Privacy Practice Group listed below for assistance:

Robert Pakrul      rpakrul@ahbl.ca  604.484.1720

In December, 2013 Alberta’s Information and Privacy Commissioner publicly commented on her assessment of what needs to be done to amend PIPA in response to this case.  In a   letter  addressed to the Alberta government, she suggests that only very limited changes are appropriate or necessary.  

Varying degrees of scope of amendment could possibly be advanced to deal with the constitutional issues arising from PIPA’s structure, which establishes a broad prohibition against any information collection, use or disclosure absent consent, providing only selected and specified statutory exemptions.  These potential degrees of scope of amendment included:

a) narrow amendments exempting information collection in a picket line scenario to the extent related to union expressive rights in that narrow context [the particular facts of the United Food case];

b) broader amendments exempting information collection in any context of labour dispute, to the extent related to union expressive rights, even if not in the context of a picket line;

c) even broader amendments exempting information collection in the labour relations sector generally, to the extent related to any party’s expressive rights, even if there is no labour dispute;

d) very broad amendments exempting information collection generally, both within and outside the labour relations context, in any situation where there are legitimate rights of expression which are considered to be protected by the Charter.

In her letter, Alberta’s commissioner advocates that the most appropriate scope of change is the narrowest one, set out in paragraph (a) above.  She believes that this would preserve the delicate balance between freedom of expression rights, and leigitmate privacy expectations of individuals, which PIPA is designed to protect.  She also suggests that given the imposed timeline for rectification, this specific and narrow amendment can be made without waiting for the context of a more comprehensive and general review of the PIPA  legislation.

In January, 2014 the Alberta government announced that it would be bringing forward only selective amendments to PIPA in the fall legislative session, which would focus on and be restricted to unions and picketing.  A more comprehensive review of the PIPA legislation would no doubt occur at a later date.  This effectively defers any debate on the extent to which PIPA should accomodate other and broader rights of expression beyond the narrow facts of the United Food case.

The Alberta amendments will also be observed with interest by other governments.  British Columbia has its own version of PIPA which is very similar in structure to the Alberta legislation.  Although not strictly bound by the November, 2014 deadline, British Columbia would be expected to implement changes to its own PIPA law closely tracking the process which occurs in Alberta.  The federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is not modelled on the PIPA structure, but does contain privacy restrictions which are substantially similar.   Some remedial amendments to the PIPEDA law might be expected as well.  It is not known how that federal process, if it occurs, would harmonize with current efforts to make more comprehensive changes to PIPEDA, which efforts have become stalled in the Canadian Parliament over the past few years.

Finally, the status of all personal information protection laws enacted in Canada has now been somewhat overshadowed by an initiative in the European Union to re-examine Canadian legislation in this area to assess how closely it meets evolving privacy standards in the European Union.   Stay tuned.

Canada’s new anti-spam legislation (“CASL”) goes further than many prior initiatives in this area, by:

a) generally requiring a separate and express “opt-in” consent, rather than an “opt-out” regime;

b) prescribing required content for a request for such consent;

c) building significant limitations and complexity into the many exemptions under CASL and circumstances where CASL permits consent to be inferred; and

d) in some circumstances, even if a consent exemption is available, requiring the email to still meet prescribed requirements of form and content.

CASL impacts US-based organizations by providing that foreign senders of email into Canada are potentially violating CASL where a computer system located in Canada is used to send or access the message, if the message doesn’t comply with CASL rules.  While any nation’s attempt to extend the effect of its laws beyond its own borders may have some practical and legal limitations, US-based organizations which engage in email traffic into Canada should assess the extent to which their existing forms of email messages and CRM database practices are harmonized with CASL.  Significant fines can potentially be assessed under CASL (up to $10,000,000 per organization), and starting in 2017 there will be the potential for private suits and class actions.

As an illustration of how CASL’s prescriptive rules may differ from current practice, consider the issue of a “stale” entry in a CRM database – the prior customer who has not transacted business with the organization for a few years, or the sales prospect who obtained a product quote last year, but has had no contact since.  Many organization will maintain that CRM database entry and continue to send promotional email “blasts”.  What CASL does is legislate prescriptive purge rules for this type of situation.  CASL creates a definition of “existing business relationship”, permits consent to be inferred for an initial period (2 years for a prior customer, 6 months for a sales prospect), but the consent expires after that period of inactivity.  The email sender would then need to either purge the stale entry off the distribution list for email “blasts”, find a different CASL exemption that might apply, or obtain express opt-in consent in prescribed form from the intended recipient.

CASL also prescribes rules permitting certain first-time contact by email to referral prospects, but only if the detailed CASL rules are followed.

Many commentators have predicted that compliance with CASL will not usually require major adjustments by organizations – but it is important to understand the CASL rules and verify that  email practices are harmonized with those rules.  While most CASL provisions come into force July 1, 2014, there is a three year transition period during which there is a presumption of implied consent.  Many organizations in Canada are now considering whether to use this transition period for a campaign of seeking express opt-in consent from existing entries on distribution lists in order to confidently maintain them on email distribution lists into the future.

CASL also regulates certain other technology-related conduct such as cookies, pretexting, and address harvesting.

More information on CASL can be found at the Canadian government website here, or on our firm’s privacy blog.

About the author:  Bob Pakrul is a partner at Alexander Holburn Beaudin + Lang LLP and practices in the privacy and business law fields. He regularly advises organizations in both the public sector and private sector on privacy compliance.

About Alexander Holburn:  Alexander Holburn is a full-service law firm based in downtown Vancouver, British Columbia, Canada. We have recently been ranked by Canadian Lawyer magazine as one of Western Canada’s Top 10 regional law firms.   Our 70+ lawyers operate across 22 practice areas, offering our clients an integrated service and the knowledge that we have the expertise to advise on any issue that may arise for them. We have developed a number of strategic alliances which  broaden our international reach, allowing us to offer our clients the integrated, global service they would expect from a multinational firm – but without the associated fees. Our clients also benefit from the access to superior technical and educational resources that our full-service status brings. For further information, please visit our website at www.ahbl.ca.

As part of the announcement, the Government also published the final version of the Electronic Commerce Protection Regulations (link at:  http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00211.html ).  Readers of this blog will recall Bob Pakrul’s blog post  in January of this year advising that those Regulations had been published for comment.   Numerous comments were received and many were incorporated into the revised Regulations which were published today.   Some of the most important revisions to the Regulations are as follows:

 Expansion of Exclusions for Consent Requirements

The Regulations exclude commercial electronic messages from all provisions of CASL if:

• they are sent within an organization;
• they are sent between organizations that already have a relationship, if the message concerns the activities of the organization to which the message was sent;
• they are sent on platforms where identification and unsubscribe information is conspicuously published and readily available to users, and where duplication of an unsubscribe or identification message would be repetitious;
• they are sent and received within limited access secure and confidential accounts (such as messages which a bank might send to an account holder);
• they are sent in response to a complaint, inquiry or request;
• they are sent on behalf of registered charities for fundraising purposes; or
• they are sent on behalf of a political party or candidate and have as their main purpose the solicitation of donations.

Delayed Implementation

In an attempt to alleviate some of the impact on business  that might occur if all of CASL come into effect at once, the Government has also delayed the implementation of two important elements of the legislation.  First, the provisions of CASL which govern the installation of computer programs on a person’s computer system in the course of a commercial activity without consent, are delayed until January 15, 2015.  Second, the coming into force of the provisions which give individuals a right to sue an organization for a breach of CASL, are delayed until July 1, 2017.

Next Steps

Organizations who have been putting off seeking consents which would allow them to continue to send legitimate commercial electronic messages to, for example, potential customers or industry contacts, should be developing and implementing a consent campaign in earnest, so that consents have been obtained prior to July 1^st of next year.

In at least one case it appears that the health researcher had only requested the information in anonymized form, as that was all that was needed for the research project.  When the researcher discovered that it had received the data in “raw” or personalized form, the researcher notified the Ministry and returned or destroyed the data.

There is an ongoing controversy over how much of what is in the government’s databanks should be made available, in the public interest,  to researchers and others, or denied to them in the interests of protecting the privacy of those using the provincial health system.  This debate, enhanced by the sensitivity of health information itself, has resulted in the Commissioner implementing some very high standards for public bodies  dealing with health information and health research.   

The Commissioner recently hosted an informal roundtable amongst stakeholders in the health research field, concerning their ability to access necessary data.  The results of that session were published by the Commissioner in August, 2012 here.

The high privacy standards applied in this area have led the Commissioner to issue a number of recommendations to the Ministry on how to improve its privacy practices and procedures.  These are:

 RECOMMENDATION 1

The Ministry should develop and implement additions to the BC Government policy on the use of portable storage devices to require the use of other, more secure, forms of information transfer. Portable storage devices should only be used as a last resort and must always be encrypted.

RECOMMENDATION 2

The Ministry should ensure user privileges are granted and managed based on the need to know and least privilege [least access] principles, ensuring that employees have access only to the minimum amount of personal information they require to perform their employment duties. Access permissions should be assigned consistently and kept up to date.

RECOMMENDATION 3

The Ministry should implement technical security measures to prevent unauthorized transfer of personal information from databases.

RECOMMENDATION 4

The Ministry executive should implement an effective program for monitoring and auditing compliance by employees with privacy controls, and by contracted researchers and academic researchers with privacy provisions in agreements, to enable proactive detection of unauthorized use and disclosure of Ministry information.

RECOMMENDATION 5

The Ministry should ensure that all contracts with contracted researchers and research agreements with academic researchers involving the disclosure of personal health information provide for an appropriate level of security, including privacy protection schedules. These requirements should include limiting the use and disclosure of personal information to specified contractual purposes; taking reasonable security measures to protect personal information; requiring compliance with privacy policies and controls with respect to storage, retention and secure disposal; and requiring notice to the Ministry in the event of a privacy related contractual breach. The Ministry also should use information sharing agreements wherever the substance of an agreement is about information sharing, rather than the provision of services to the Ministry.

RECOMMENDATION 6

The Ministry should develop a comprehensive inventory of all databases containing personal health information. The inventory should be updated regularly and should set out associated information flows relating to collection and disclosure for research purposes.

RECOMMENDATION 7

The roles and responsibilities for privacy belonging to the OCIO and branches throughout the Ministry should be documented and effective overall leadership for the Ministry’s privacy management program clarified. There is a particular need to enhance the Ministry’s internal privacy resources.

RECOMMENDATION 8

The Ministry should develop a Ministry privacy policy that establishes the basic principles of privacy for Ministry employees.

RECOMMENDATION 9

The Ministry should ensure that the Ministry privacy policy specifically incorporates the collection, use and disclosure of health information for research, including addressing when it may be appropriate to release personal information for health research under s. 35 of FIPPA. It should indicate the kind of information that the Ministry can provide to researchers and the security requirements that need to be met.

RECOMMENDATION 10

The Ministry should continue to streamline its information access request approval and delivery processes to reduce time delays in access to information for health research.

RECOMMENDATION 11

The Ministry should ensure that employees with access to databases containing personal health information participate in mandatory privacy training sessions and that their participation is documented.

Other public bodies in this field, in British Columbia and elsewhere, may wish to take note of these recommendations.  In addition, the Commissioner has released some general guidance for all public bodies on implementing better privacy management.  These can be found on the Commissioner’s website here.

In June 2012 hackers infiltrated LinkedIn’s computer system and posted approximately 6.5 million user passwords on the Internet.  Following the breach, LinkedIn increased the security of its password encryption method from a “hashed” format, in which the passwords were converted into an unreadable encrypted format, by adding the additional step of “salting”, in which random values were added to the passwords before they were “hashed”. A class action was filed in November 2012 on behalf of LinkedIn’s Premium Account holders, on the grounds that they had paid a fee for LinkedIn services which included a promise by LinkedIn that their information would be secured in accordance with industry standard protocols and technology. The Plaintiffs based their claim in contract and in negligence.LinkedIn  filed a preliminary motion to dismiss the class action on the grounds that the Complaint filed by the Plaintiffs did not allege sufficient injury to establish the Plaintiffs’ standing to advance the claim in U.S. Federal Court. The Court granted LinkedIn’s motion and identified a number of deficiencies in the proposed class action.

First, the Plaintiffs did not allege in the Complaint that they actually paid for the security services  they alleged were not provided. The LinkedIn User agreement and Privacy Policy for the Premium Account holders was the same as for the non-paying basic membership. The Plaintiffs had not demonstrated that the alleged promise of a particular level of security was part of the contract and therefore could not establish a breach of contract.  As the Plaintiffs based their claim in negligence on an alleged duty of care arising from the contractual duty to provide a certain level of security, the claim of negligence also failed.

Second, the Plaintiffs did not allege that they actually read the Privacy Policy that included the alleged misrepresentation with respect to the level of security provided and therefore could not have relied on the alleged misrepresentation in contracting with LinkedIn.

Finally, the Plaintiffs’ Complaint did not include sufficient facts to establish that they suffered damages resulting from the system breach.  The  Plaintiffs  alleged that they did not receive the security they contracted for and therefore  suffered economic loss as a result of the system breach. However, the alleged economic  loss occurred prior to the system breach and therefore could not be considered “resulting damage” from the breach.  The Plaintiffs did not allege that they had suffered any actual harm as a result of the system breach, for example, theft of their personally identifiable information, nor did they allege that they were exposed to an increased risk of future harm in the form of identity theft or theft of personally identifiable information. Consequently,  the Complaint did not allege the necessary element of resulting damage from the system breach and did not  meet the threshold to maintain an action in U.S. Federal Court.

The dismissal of the Plaintiffs’ Complaint was on terms allowing the Plaintiffs to amend the complaint and, if possible,  correct some or all of the deficiencies such that the Complaint could proceed in U.S. Federal Court.