Industry Canada has now published its revised draft Electronic Commerce Protection Regulations. These regulations to Canada’s new anti-spam/anti-malware/spyware law (CASL) are open for comment for a period of 30 days from the date of their publication, January 5, 2013. The regulations are helpful and a major improvement over the last draft regulations. They address some key problems with CASL. However, they don’t address all of the problems and only partially address others.
I have written extensively about CASL’s shortcomings and the problems with the CRTC regulations and the previous Industry Canada regulations. See, Rethinking CASL (Canada’s Anti-SPAM law), Will it be illegal to recommend a dentist under Canada’s new anti-spam law (CASL)?, Electronic Commerce Protection Regulations – Much Work Remains, Fixing CASL: comments on the draft CRTC and Industry Canada regulations, Reflections on the new CRTC CASL regulations, and CRTC Issues CASL (Canada’s Anti-Spam Law) Guidelines, background and commentary. Many of the issues that have been raised by me and others before, during and following the consultations on the regulations still need to be addressed to ensure that CASL meets its overall objectives. The proposed regulations need substantial amendments to avoid CASL creating huge and unnecessary compliance problems as well as high penalties and class action risks for ordinary Canadians including individuals, small, medium and large business and other organizations that want to communicate electronically.
Many commentators have provided summaries of the draft Industry Canada regulations, in some cases with suggestions for improvements. See for example, here, here, here, here, here, here, here, and here.
In this and in a series of future blog posts, I intend to go further to elucidate the challenges with CASL and the draft regulations to make suggestions for amendments. I hope they will generate public discussion and understanding so that through the regulatory process key flaws in CASL can be fixed before it becomes law.
In this blog post i want to outline why the Industry Canada regulations are so important.
CASL tackles several problems including among them problems with spam and malware/spyware. There is a broad consensus that legislation is necessary to combat the most serious problems with them. Other countries recognized this when passing legislation to tackle serious identifiable types of harmful threats from them. For example, the U.S. passed the CAN-SPAM Act of 2003. It prohibits e-mails that are sent in violation of an individual’s opt-out request, or that are fraudulent, false or misleading. The European Union passed the EU Directive 2002/58/EC on privacy and electronic communications. It targets e-mails sent for the purposes of direct marketing to individuals. Australia and New Zealand also passed anti-spam laws. These laws prohibit sending certain commercial electronic messages without the express or inferred consent of the recipient.
In contrast to the targeted approach to addressing harmful forms of spam, CASL took the unprecedented approach of making it illegal to send any commercial electronic message without express consent unless the message falls into a closed set of categories.
The type of messages covered are very broad. They extend to a wide range of electronic messages “that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity”. Commercial activity is defined broadly as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit”.
The closed categories for which consent is not required are CEMs to an individual with whom the sender stands in a personal or family relationship as defined in regulations; an inquiry or application to a person engaged in commercial activity; CEMs transmitted by telecommunications service providers (TSPs) in their role as carriers; and messages related to law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada. There is also deemed implied consent where there is “an existing business relationship” or “existing non-business relationship” as those terms are defined in CASL, if the recipient voluntarily discloses his/her email address, or has “conspicuously published” it. CEMs that do not fall into one or more of the pre-defined categories cannot be sent except with the express consent of the recipient. CASL and the CRTC regulations also impose formalities related to the contents of each CEM and the mandated unsubscribe process.
Unlike the anti-spam laws of all of our trading partners, CASL’s regulatory approach does not target only messages that are false, fraudulent, misleading, or otherwise harmful or unwanted. It also bans sending economically and socially useful and desirable commercial messages unless there is prior express consent to sending them. The “ban all” approach to regulating CEMs will inevitably result in individuals, businesses, not-for-profit entities, educational institutions, charities, private clubs, and political parties finding themselves barred from communicating with others where they cannot fit into a pre-defined category and because even sending an electronic message to ask for consent will be illegal.
The approach CASL takes to regulating commercial speech is, as I have pointed out before, akin to trying to prevent crime by making it an offense for citizens to leave their homes except for purposes that are listed as exemptions in the Criminal Code or in regulations – regulations that incrementally grow in number as new non-criminal activities are identified. It would be easy to name obvious initially exempt purposes such as work, school, and sports. But, with the myriad of diverse human activities, an unforeseeable plethora of legitimate activities that individuals expect can be legally engaged in in a free and democratic society would be criminalized. For example, if going camping, bird watching, or attending the annual Santa Claus parade were not in the class of exempted activities, it would be illegal to do them until the Government enacts new regulations to exempt them. The same is true with CASL.
CASL’s closed categories of permitted commercial speech has the potential to chill legitimate and desirable commercial speech that benefits consumers and others by, among other things, reducing the dissemination of information that is essential to making informed choices and to undermine fundamental freedoms protected by the Charter of Rights and Freedoms. While limits on free speech are clearly permitted by the Charter, these limits must be reasonable and justified, with minimal impairment of the free speech right, and with the limit on free speech being in proportion to the harm that is being targeted. See, RJR-MacDonald Inc. v. Canada (Attorney General),  3 S.C.R. 199; Rocket v. Royal College of Dental Surgeons of Ontario,  2 S.C.R. 23.
Industry Canada has proposed new exceptions for CASL. These are not “loopholes”. They are clearly needed to ensure the overall goals of CASL are met. In proposing the new exceptions Industry Canada made the following statement:
Since it [CASL] applies broadly to commercial electronic messages, the Act captures regular business to business communications that are not the types of threats that were intended to be captured within the scope of the Act. To ensure these business communications are not regulated under the Act, the proposed Regulations include exemptions for commercial electronic messages that are
- sent within a business; or
- sent between businesses that are already in a business relationship, where the messages are sent by an employee, representative, contractor or franchisee and are relevant to the business, role, function or duties of the recipients.
Exemptions are also proposed for messages that are solicited or sent in response to complaints and requests. Additional exemptions are proposed for messages sent due to a legal obligation or to enforce a legal right.
Finally, an exemption is proposed for messages relating to an organization located or provided outside of Canada and accessed while the recipient was visiting Canada. The proposed exemption would limit the application of CASL so it does not apply when the sender could not reasonably have been expected to know their messages would be accessed in Canada.
What is telling about these proposals is that in the short time since CASL was passed the Government recognized that CASL’s “ban all structure” would have inadvertent consequences that need to be fixed. What has not been expressly acknowledged is that these and many more problems are not merely not intended by the Government; they are a necessary consequence of CASL’s “ban all” structure.
CASL takes the same approach to malware. Rather than focusing on computer programs that cause harm – and there are lots of those – it bans the installation of any computer program on any computer, smartphone, or other computer system without prior express consent. When the legislation was first introduced as Bill C-27 – the Electronic Commerce Protection Act, it would have made the use of Internet websites illegal in Canada because it would have been impossible for websites to get express consent to load html and other programs into a browser before getting users’ consent. After I raised this issue with CASL’s “ban all” approach including to the Standing Committee on Industry, Science and Technology studying the bill, changes to fix this “unintended consequence” were adopted by Parliament (now in s10(8) of CASL).
The proposed regulations contain new and very much needed exceptions to the anti-malware provisions. They are described by Industry Canada as follows:
Telecommunication service providers and other network service providers had argued for exemptions from the requirement for consent to install software to prevent unauthorized or fraudulent use of a service or system, or to update or upgrade systems on their networks. The exemptions proposed are more limited, allowing installation of computer programs without prior consent where illegal activities pose a threat to the TSP’s networks, or where required for network-wide updates or upgrades. TSPs will continue to need consent to install software to prevent legal activities that are merely unauthorized or suspicious, or where an installation is not required for a system-wide upgrade or update.
What is apparent is that without this regulation it would be illegal for telecommunication service providers to prevent fraudulent and other illegal uses of their systems. This could have severely affected the security and privacy which Canadians expect and which TSPs are required by law to protect. As will be detailed in another post, this most recently acknowledged problem is just the tip of the unintended iceberg of consequences of CASL’s flawed structure.
The penalties for contravening CASL are severe. A person who contravenes any of anti-spam provisions can be liable for a fine of up to $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person. A person who merely aids in the violation can be liable for a fine of up to the same $1 million dollar maximum per violation. CASL also subjects individuals to damages and penalties under private right of action provisions which are widely expected to result in class action suits.
CASL’s “ban all” structure makes it imperative that regulations be adopted to ensure that CASL’s objectives are met. It is possible to deter the most damaging and deceptive forms of spam and malware in Canada without creating a raft of damaging unintended consequences. However, regulations that merely add carefully crafted narrow new exceptions will not solve CASL’s structural flaws. Nor will they meet the Government’s stated objectives for this legislation.
In the next post, I will address the appropriate framework for evaluating Industry Canada’s proposed regulations.
For more information about CASL, see, CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline.