Andre Leduc of Industry Canada gave a talk yesterday to the Council of Chief Privacy Officers at a Webinar organized by the Conference Board of Canada on the status of Canada’s anti-spam law, CASL. Andre Leduc is a Senior Policy Advisor (Spam, Cryptography and Cybercrime) with Industry Canada and was one of the architects of CASL. He has also been integrally involved in developing the Industry Canada regulations.
Andre Leduc said that CASL is likely to come into force in late 2013 at the earliest and June or July 2014, at the latest. It is most likely to be proclaimed into force early in 2014. Ultimately, this will be a decision of the Minister.
The revised draft Industry Canada CASL Regulations will be published in the Canada Gazette on January 5, 2013 for a 30 day comment period. The original Industry Canada regulations were published for comments in July 2011. Fifty-seven organizations and individuals filed comments. As I reported earlier, the message from those commentators was clear: while all support the goal of reducing unwanted commercial electronic messages (CEMs) and malware, CASL was very problematic and the original draft regulations did not do enough to fix or clarify significant shortcomings that would have negatively impacted consumers and other individuals, not for profit organizations, sole proprietorships, start-ups, small, medium, and large sized businesses, and the investment and use of innovative new communications and cloud computing technologies.
In May 2012, Andy Kaplan-Myrth of Industry Canada provided an outline of what was likely going to be included in the revised Industry Canada regulations. Andre Leduc provided further information. The full details of the regulations will not be known until they are published. Here is a summary of what is expected.
Exemptions for Specific Classes of CEMs
The revised regulations will completely exempt five business practices which were not intended to be targeted by CASL.
Business to Business Exemption: There will be two new exceptions falling within a new business to business exemption.
The first is an exemption for a CEM that is sent by an employee, representative, contractor or franchisee of an organisation to another employee, representative, contractor or franchisee of that organization and that concerns the business affairs of that organization.
The second is an exemption for a CEM sent by an employee, representative, franchisee or contractor of another organization if the organizations have an ongoing business relationship at the time the message was sent and the message is relevant to that person’s business, role, functions or duties in a business or official capacity. The concept of an ongoing business relationship is not dependant on a fixed period like the implied consent existing business relationship definition. It can be longer or shorter depending on whether there is a relationship of a business nature that is “ongoing”.
Messages sent in response to a request: This exemption fixed an unintended problem in s.6(5) which would have made it illegal to send consumers CEMs in response to a request for information. The new regulation will provide an exemption for messages that are sent in response to requests, inquiries or complaints allowing businesses to respond to requests without requiring additional consent.
Messages sent to enforce a legal right: The regulations provide exemptions for messages sent due to a legal obligation or to enforce a legal right including a pending legal right. Examples include messages sent for debt collection, licensing, enforcing contractual obligations, enforcing court orders, and enforcement of foreign legal rights.
Messages sent by a foreign business to a foreign recipient, but accessed while roaming in Canada: There will be an exemption for CEMs sent by a foreign business to a foreign recipient that is accessed while roaming in Canada, provided that the sender could not reasonably know that the message would be received in Canada.
Third Party Referrals: A new exemption for a single CEM sent as a result of a referral if: (i) the individual who sends the message discloses in the message the ordinary or full name of the person who made the referral, and (ii) the individual who made the referral has a family relationship, personal relationship or an existing business relationship with both the person who sends the message and the person to whom the message is sent.
Exemptions for TSPs
The regulations will include two new exemptions for telecommunications service providers to permit the installation of computer programs without consent. The first is to permit the installation of a computer program on another computer to prevent illegal activities that presents risks to the security of the TSP’s network. The second is for the installation of a computer program across an entire network for the purpose of preventing illegal activities that present a risk to network security or to permit network wide updates or upgrades.
The definition of “personal relationship” will be broadened so as to include virtual as well as in person personal relationships. It will be expanded to mean the relationship, other than in relation to a commercial activity, between an individual who sends the message and the individual to whom the message is sent, that is direct and the individuals have had voluntary, two-way communications; and it would be reasonable to conclude taking into consideration factors including the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated and whether the parties have met in person that the relationship is personal; unless the person to whom the message is sent has clearly indicated the wish to no longer no longer receive any commercial electronic messages or any specified class of such messages, from the person who sent the message.
The definition of family relationship will also be expanded. Essentially, it will exempt links back to common grandparents to permit CEMS to be sent to first cousins, nieces and nephews. However, second cousins are out. The criteria for being exempt for memberships, clubs, and associations will also be expanded.
There will also be a new exemption from the consent requirement for the purpose of obtaining consents on behalf of unknown third parties.
The new regulations will help address some of the major problems with CASL that were identified during the consultations on the regulations. The proposed regulations underscore, however, the architectural problems with CASL’s ban all approach to commercial speech. They address some of the glaring problems with that approach, but necessarily cannot include the plethora of other identified and heretofore unknown restrictions on legitimate speech. CASL still remains highly problematic.
It appears that the new proposed regulations will not address the following problems:
Jurisdiction and cloud computing: The Government will not fix CASL to prevent putting cloud computing models and providing hosting or outsourcing services in support of foreign business operations at risk. CASL’s overbroad territorial reach will result in computer data centers, and the important high tech jobs that go with them, locating outside of Canada in more innovation friendly jurisdictions.
Grandfathering PIPEDA consents: The failure to grandfather existing PIPEDA compliant consents will cause Canadian businesses to make wasted investments to obtain new CASL compliant consents.
Short messaging systems and social networks: Andre Leduc indicated that the regulations will remain “mute” with respect to rectifying challenges with CASL that will impede the use of short messaging systems and social networks, some of the most innovative mediums of communications.
Clarifying what are CEMs s.6.6 of CASL potentially deems ordinary service messages to be CEMs, creating the possibility that individuals can unsubscribe from receiving them electronically. Romy Ochmann St-Jean, Legal Counsel at CRTC, clarified at a meeting that this was not intended. However, the ambiguity in the wording has created widespread fears about the ability of Canadian organizations to carry on business electronically without fears of class action lawsuits.
The proposed regulations also do not fix the new problems with CASL resulting from the CRTC’s regulations and new Guidelines.