The Industry Canada CASL regulations and RIAS: a lost opportunity

December 16th, 2013 by Barry Sookman

If it was not clear enough before that there are many problems with CASL, it became evident when Industry Canada released the final regulations and the Regulatory Impact Analysis Statement (the RIAS). CASL takes an extremely broad “ban all” approach to regulating commercial messages and the installation of computer programs. This structure makes the exceptions particularly important because every CEM sent without consent (and following the prescribed rules) and every computer program installed on any computer (machine or device) without consent (and making the required disclosures) as part of a commercial activity will be illegal. The regulations purport to address some of the major necessarily inadvertent consequences of CASL’s breadth and structure. See, CASL Industry Canada regulations: summary and comments. However, they fall short in many very important respects.

In this post I will focus on the problems with the computer program provisions Industry Canada identified in the RIAS as being potentially problematic. I will show how the approaches taken to address these problems do not rectify them and will hurt all stakeholders, including consumers, who will have to pay higher prices and have fewer or delayed product and service choices as a result.

The usefulness of the RIAS

Industry Canada tried to allay some fears about CASL through statements in the RIAS. According to the RIAS, Industry Canada and the CRTC also plan to issue new Frequently Asked Questions and Responses on the CRTC and Fightspam.gc.ca websites. These are in addition to the existing CRTC interpretational guidelines. According to Industry Canada, these are more appropriate ways of clarifying the intended scope of the Act than further regulations.

The RIAS, guidelines and FAQs are and will be very important documents. CASL is a very complex piece of legislation. Its provisions are so far reaching and ambiguous that, in many instances, compliance is impossible, virtually impossible, or commercially unreasonable. In many cases, organizations do not know what must be done to comply. The RIAS and the other documents thus play an important role in helping to clarify what the CRTC and Industry Canada are saying must be done to comply with CASL. However, these documents do not have the force of law and are not a substitute for fixing flaws that need more than “clarifications”.

While not having the force of law, the RIAS like debates in Parliament and the proceedings of parliamentary committees can be used as an aid in construing ambiguous legal enactments. See, Astral Media Radio Inc. v. Society of Composers, Authors and Music Publishers of Canada, 2008 FC 1198. In this respect, the RIAS may be useful in proceedings as an aid in clarifying CASL’s intended scope.

Following the guidance in the RIAS, the various guidelines and FAQs may be taken into consideration when the CRTC or a court determines the appropriate remedy for violating CASL. They may possibly also help in establishing the due diligence defenses. However, this is subject to the significant caveat that a mistake of law, that is, a mistake as to what the law is, has been rejected as a defence to regulatory offenses. Therefore, organizations cannot merely rely on statements in the RIAS or other guidance documents without making their own assessments that the guidance provided is right.

There is an exception to the rule that mistake of law is not a defense to a regulatory offense. It is known as “officially induced mistake”. The defence is available where an accused has reasonably relied upon the mistaken legal opinion or advice of an official who is responsible for the administration or enforcement of the particular law. In order for an organization to successfully raise this defence, it would have to show (1) that an error of law or of mixed law and fact was made; (2) that the person who committed the act considered the legal consequences of his or her actions; (3) that the advice obtained came from an appropriate official; (4) that the advice was reasonable; (5) that the advice was erroneous; and (6) that the person relied on the advice in committing the act.

The officially induced mistake doctrine is separate from that of due diligence in that due diligence is a complete defence to a prosecution, while the defence of officially induced mistake acts as an excuse for an accused whose guilt has been established by the prosecution.

The “officially induced mistake” defense is a narrow one and, although it is still evolving, there are questions as to whether it would apply to advice provided in a RIAS, guidance document or FAQ. Further, there are also questions as to whether it would apply in the circumstances of a prosecution by the CRTC as well as to a civil claim under the private right of action. See, La Souveraine, Compagnie d’assurance générale v. Autorité des marchés financiers, 2013 SCC 63, R. v. Jorgensen, [1995] 4 S.C.R. 55, Corporation de l’École Polytechnique v. Canada, 2004 FCA 127.

Based on the foregoing, while the efforts made by Industry Canada and the CRTC to clarify the intended scope of CASL are laudable, these efforts fall well short of what was required in the circumstances.

Understanding the program provisions

To understand the shortcomings of the regulations and RIAS in respect of the computer program provisions, a basic understanding of how they work is essential.

CASL’s provisions apply to all computer programs that are installed on any type of computer, system, machine, appliance or device as part of a commercial activity. This follows from the broad definitions of the terms “computer program” and “system” which take their meanings from the Criminal Code.

There are hundreds of thousands, if not millions, of computer programs made available to Canadians every day. The programs range from applications on personal computers, tablets and mobile devices to programs that are embedded in consumer products such as automobiles, TV sets, PVRs, home audio systems, household appliances and devices used in homes such as thermostats, security systems, lighting controls, and home networking systems, and an endless variety of other devices including watches, toys, learning systems, hearing aids and other medical devices and so forth. They are also ubiquitous in industrial and business applications.

The programs are distributed in multiple ways. Some are pre-installed; some are downloaded. There are probably also hundreds of thousands if not millions of programs that are embedded in machines, devices, equipment and consumer products. A vast number of programs will not have any user interface that will permit the transmission of messages to users or that will permit users to respond to messages using the devices.

Many products with embedded programs are distributed through one or more distribution and reseller channels. The product manufacturer or software publisher will often have no direct contact with the person installing or supporting the programs or the ultimate users of the programs. Nor, in many cases, will they know how the devices or programs are used.

The programs and the devices in which they are embedded are used by Canadians in every walk of life including individuals such as senior citizens and the disabled. In many instances, the users are heavily reliant on a supplier, manufacturer, or other person to update or upgrade the program including to make available updates to help protect against security and privacy threats or to maintain compatibility with some other device or software.

Despite all of this complexity, CASL’s prescriptive rules apply to all of these situations. Under CASL:

  • It will be illegal to install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with the disclosure requirements of subsection 11(5); or (b) the person is acting in accordance with a court order. s8(1).
  • When seeking consent, the purpose of the consent must be disclosed clearly and simply. This includes in general terms the function and purpose of the computer program that is to be installed if the consent is given. s10(1), (3).
  • If the program performs one of the malware or spyware functions listed in s10(5), the person seeking express consent must, when requesting consent, clearly and prominently, and separately and apart from the licence agreement, (a) describe the program’s material elements that perform the function including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and (b) bring those elements to the attention of the person from whom consent is being sought in the prescribed manner. s10(4). The CRTC says an acknowledgement from the user is required.
  • The basic consent and disclosure requirements do not apply to an update or upgrade if (a) there was an original express consent to the program installation or use, (b) the person who gave the consent is entitled to receive the update or upgrade under the terms of the express consent, and (c) the update or upgrade is installed in accordance with those terms. s10(7).
  • The update or upgrade cannot be installed without obtaining a new express consent if the update or upgrade has one of the malware or spyware features listed in s10(5).
  • A person is considered to expressly consent to the installation of a computer program if (a) the program falls into one of the listed categories in s10(8) e.g., it is a cookie, HTML code, Java Scripts, an operating system, or is any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, but only if (b) the user’s conduct is such that it is reasonable to believe that they consent to the program’s installation. s10(8).
  • The list of programs for which express consent is deemed to exist can be expanded through regulations, but any addition to the list is still subject to the caveat that the user’s conduct is such that it is reasonable to believe that they consent to the program’s installation. s10(8).
  • The prohibitions apply to programs installed from Canada in another country or vice versa. s8(2).

With this background, one can easily see why the regulations were needed and the challenges Industry Canada was trying to deal with in the RIAS.

What computer programs do the prohibitions apply to

Submissions had been made to Industry Canada in the consultation describing the difficulties, and in some cases the impossibility, of obtaining express consents and making required disclosures in all cases where programs are installed. At least four scenarios were identified to Industry Canada as being potentially problematic.

  • A consumer buys a program on a physical media and installs the program on a home computer.
  • A manufacturer pre-installs a program on a computer, machine, device or appliance and directly, or through a channel, sells the product to consumers.
  • A retailer offers computer services such as to install software purchased by a customer or to repair computers, which includes installing updates or upgrades to programs or installing and configuring new hardware which includes pre-installed software. Other service providers, such as auto repair shops, configure and/or repair other products that include software or components that include programs. While new hardware or software is installed by the service provider, the program may automatically go to a web site to look for and download an upgrade.
  • A person goes to a website to download a program. It could be a new application. It could also be an update such as a newer printer driver, updated software for a memory card, router, or other peripheral, or a utility program. It could also be an update for some older device that will no longer work after a person upgraded a device for use with a new operating system. The site may be the manufacturer’s or publisher’s site or it may be one of the many aggregator sites that make these kinds of often hard-to-find programs available. In many cases the site operators have no pre-existing connection with users. Often, and especially in the case of the program aggregator sites, they don’t have any information about the characteristics of the programs that are made available. These sites often do not have any processes in place to obtain express consents or to make special disclosures about the programs being made available. To the extent they obtain consent, they invariably would not obtain it separate and apart from a license agreement, something the CRTC says is required to comply with CASL. Many also do not have any mechanisms in place to collect personal information from each downloader to be able to prove that express consent was obtained in a CASL compliant manner, nor for privacy or other reasons do they want to establish these systems and to have to collect and retain personal information indefinitely merely to demonstrate compliance with CASL.

Industry Canada was aware of these scenarios, but decided not to address them in the regulations. The RIAS contained the following statement which purported to suggest that CASL would not be a problem in those cases where the program is installed by the consumer:

Finally, note that the requirements under CASL for the installation of computer programs only apply to the installation of computer programs on another person’s computer system. CASL will not apply to installations carried out by persons on their own computing devices.

The RIAS does not expressly identify which of the four situations it is dealing with in the above clarification. In example 1, it is clear the consumer is the person doing the installation. The publisher does not need consumers’ consent for the original installation, but would have to put a mechanism in place to obtain an express consent to install an update or upgrade.

In example 2, the installation is done before the system is sold to a consumer so the prohibition is not immediately triggered. It would be triggered later if an update or upgrade is installed by someone other than the user.

In example 3, the installation of the new software or the software update is most likely covered by CASL as the computer programs are not installed by the user. However, the retailer or repair shop would ordinarily not have the required information necessary to provide the disclosures under CASL. If the installation and configuration of the new hardware is also covered by CASL, again the service provider would not be in a position to comply with CASL. In the case of the hardware or software that would ordinarily be updated on installation, it is unclear whether the service provider or the person making the update available on installation, or both, would be the program installer. In either case it would not appear there is any practical way to make the required disclosures to the consumer or to obtain the consumer’s consent, unless perhaps if the consumer is required to wait while the installation work is being done. In all of these cases, one might expect that at least some retailers and other service providers will cease to offer these types of services to customers to avoid liability they cannot avoid. The providers that put in place processes to try and comply will have to pass on the extra compliance costs to consumers. Competition will suffer because of the fewer suppliers that will be prepared to assume the risks associated with CASL and consumers will pay higher prices to those that do. Ultimately, consumers will be hurt by these impractical CASL rules.

In example 4, where a user initiates the act of downloading, there will be a question as to who is installing the program, the user or the person who operates the download site, or both of them acting in concert. If the user initiates the download and is considered the person who installed the program, the problems identified in example 4 would not apply. However, if the person who operates the download site is the person who is considered to be the person who installs the program, then CASL will be virtually impossible to comply with using present well established and accepted business practices. Many of the sites that make programs available do so on a worldwide basis from locations outside of Canada. Many would be well advised to geo-block Canada to avoid CASL’s impractical restrictions. If this happens, consumers will also be hurt by these impractical CASL rules.

Operating systems and cookies

As noted above, a person is considered to expressly consent to the installation of a computer program if (a) the program falls into one of the listed categories in s10(8) e.g., it is a cookie, HTML code, Java Scripts, an operating system, or is any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, but only if (b) the user’s conduct is such that it is reasonable to believe that they consent to the program’s installation.

The vehicle manufacturers were concerned that they would not be able to provide consumers with updates or upgrades to vehicle subsystems. CASL did not define the term operating system. Rather than solve the problem through the regulations, Industry Canada proposed an interpretation of the term “operating system” suggesting it might include programs that are used to operate something. Using the case of software in automobiles, Industry Canada stated:

In addition, the software on some computer dedicated systems in automobiles may be “operating systems”, such as computers that operate specific functions like braking. There is deemed consent to update that as operating systems under the Act.

The line between an application program and an operating system program may be a difficult one to apply. The braking system example is a good one. Perhaps a court would agree that a system that operates multiple resources in a braking system is an operating system. But, even if it is, surely not all of the resources it manages that contain programs would be. The response therefore does not address the real problem the vehicle manufacturers were worried about.

As noted from the above statement, Industry Canada also provided guidance that s10(7) does not apply to updates or upgrades to software of the type listed in s10(8). This guidance is welcome as it confirms that the express consent deemed to exist for a program also applies to an update to that program, as long as the user’s conduct is such that it is reasonable to believe that they consent to the program’s installation.

Industry Canada also suggested that notwithstanding that s10(8) deems an express consent to install “cookies”, they are likely not programs covered by the Act.

Some stakeholders have also highlighted concerns that “cookies” might be interpreted as computer programs for the purposes of CASL. As section 10(8) of CASL states, a person is considered to expressly consent to the installation of a computer program if the program is “a cookie” and the conduct of the person indicates their consent to its use. Insofar as cookies are not executable computer programs, and they cannot carry viruses and cannot install malware, and are simply lines of text or data that are read from a web browser, they are not computer programs for the purposes of CASL.

Network security and TSPs

Industry Canada noted in the RIAS that stakeholders expressed concern that CASL would impair their ability to take action to address threats to the security of their networks, which would be counter to the purposes of the Act. To address this concern, using the regulatory making power in para. 10(8)(a)(vi) of the Act, the regulations amended the previous draft language to provide for deemed consent for a Telecommunications Service Provider (TSP) to install computer programs to protect the security of the network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network.

The new exception specifies the following programs:

(a) a program that is installed by or on behalf of a telecommunications service provider solely to protect the security of all or part of its network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network;

The submissions to Industry Canada had urged the Government to recognize that many organizations besides telecommunications service providers and Internet Service Providers (ISPs) like Bell and Rogers operate networks that need to be protected, including networks operated by banks, vehicle manufacturers, retailers and others.

The concern originated from the definition of TSP, which is defined to be a person who, independently or as part of a group or association, provides telecommunications services. The term “telecommunications service” is defined to mean a service, or a feature of a service, that is provided by means of telecommunications facilities, whether the telecommunications service provider owns, leases or has any other interest in or right respecting the telecommunications facilities and any related equipment used to provide the service.

It was considered possible to interpret these terms as either being limited to entities that provide telecom services like Bell or Rogers or more broadly to entities that provide any kind of services such as a banking service if they use telecommunications facilities in doing so.

Rather than clarifying the definition of TSP or that the exception applies broadly to network providers, Industry Canada used the RIAS to clarify that the latter broader interpretation of TSP is the right one. It stated the following in this regard:

Note that CASL provides a broad definition of a Telecommunications Service Provider (TSP), which includes any persons who together or independently provides a telecommunications service. These services include features of services delivered by means of telecommunications facilities including network routers and servers, regardless whether the provider owns, leases or has any interest in or right to the equipment and software used to provide the telecommunications service….

The Regulations provide deemed consent for any companies or individuals who together or independently provide a telecommunications service, defined in the Act as a Telecommunications Service Provider (TSP), to install a computer program for the limited purposes of protecting the security of all or part of its network from a current and identifiable threat to its availability, reliability, efficiency, or optimal use…

It should also be noted, that auto manufacturers may be TSPs for the purposes of CASL when they run computing networks such as GM’s OnStar or Ford’s Sync…

It is unfortunate that Industry Canada did not use the regulations to clarify the meaning of the term TSP so as to ensure that operators of all networks used by consumers could be protected from threats to the availability, reliability, efficiency or optimal use of their networks without running afoul of the law.

Submissions to the Industry Canada consultation also asked for the regulations to be broad enough to enable network providers to also provide security updates and upgrades to devices connected to networks in order to protect consumers. The draft regulation does not delineate where the end nodes of a network end. Does it extend only to components of the network under the TSP’s control or would it extend to devices that connect to the networks such as to components of mobile devices or braking systems in automobiles? The RIAS hints that it may extend to connected devices, but did not clarify the extent to which applications on connected devices would be covered. This is unfortunate because consumers rely on TSPs to secure connected devices from network attacks. If the regulation is read narrowly it could limit TSPs’ abilities to protect consumers.

CASL’s current structure makes it impossible to specify any programs as exceptions which are not subject to the limitation that the deemed consent applies only as long as the user’s conduct is such that it is reasonable to believe that they consent to the program’s installation. In the case of network security, however, the TSP may not always be able to conclude that all users of its network were consenting to the installation of the program. What was required was a complete exception to section 8 to ensure that network operators could take proactive steps to protect consumers. The limitation as drafted may also prevent TSPs from taking steps necessary to secure their networks and protect customers.

Network updates

As noted by Industry Canada, stakeholders expressed concern that CASL would impair their ability to update or upgrade their networks. To address this concern, the regulations also provide deemed consent for TSPs to install software on devices across all or part of a network for update and upgrade purposes.

The new exception specifies the following programs:

(b) a program that is installed, for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network;

As with the security exception, the network update exception raises questions not fully answered by the RIAS such as:

  • Will the definition of TSP be broad enough to include all networks such as those operated by vehicle manufacturers, appliance manufacturers and others who provide products and services to consumers?
  • Where is the end node of the network such as the network of a vehicle manufacturer?
  • How will TSPs be able to conclude that all users of its network are consenting to the installation of the program?

The lack of clarity of the scope of the exception might well result in network operators refusing to provide consumers with updates and upgrades they make available in other countries, or to delay making them available here, to avoid the punitive liability regime imposed by CASL.

Correcting program failures

Stakeholders had expressed concern in the consultation that CASL would hamper their ability to install software updates or upgrades to computer programs and systems. Some stakeholders argued that they should not be required to get consent every time they install an update or upgrade. Multiple reasons were given for this such as the following:

  • Obtaining consent and making required disclosures is often impossible or impractical. The problems with the retailers and download sites described above are two examples.
  • In some circumstances, there are technical limitations that make compliance impossible or very difficult. For example, a thermostat may be installed in a home by a local contractor. The thermostat device has no UI to ask for consent, to transmit disclosures to users, or to enable users to reply to any requests for consents or to provide an acknowledgement. Devices are often updated over the Internet with transmissions of updates sent to an IP address of the device (in this case the thermostat) making the request. The manufacturer or other supplier of the update may not have another way to obtain the required consent or make the required disclosure. Sales channels often do not require ultimate resellers to collect personal information from consumers to be passed all the way up the distribution channel to the manufacturer or distributor of the update. In fact, there would be challenges under PIPEDA to establish this new network for the collection and disclosure of personal information to multiple third parties.
  • Updates and upgrades are required to enhance security, privacy, or safety, to maintain compatibility with third party products or services, and to correct bugs or other deficiencies.
  • International practices in the applicable vertical sector e.g. applications software, household appliances, vehicle manufacturing and other sectors do not have these unique CASL requirements and manufacturers, suppliers, distributors and resellers sought to avoid the significant cost and expense (which would have to be passed onto Canadian consumers) of developing unique update and upgrade processes just for Canada.

Industry Canada rejected most of these submissions, even the request that it not be illegal to install updates and upgrades to programs to enhance the security or privacy of consumers’ programs without first obtaining an express consent (except where it is done by TSPs to protect their networks or there is a program failure, or it can be argued that the update is needed for public safety reasons). Industry Canada responded to stakeholder submissions stating:

Some stakeholders argued that they should not be required to get consent every time they install an update or upgrade. CASL provides a three year transitional period to continue updates and upgrades to existing computer programs, after which they will be required to get express consent to continue updates in the future, if they don’t fall under one of the exemptions.

Instead, Industry Canada adopted a more limited exception than what had been asked for, specifying:

(c) a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose.

The implicit policy choice made by Industry Canada is that while TSPs can act to protect consumers from security threats as long as the threats are to their networks, publishers of software or manufacturers of products including products used by senior citizens and the disabled cannot. Apparently, consumer protection is more important for users of networks than for other consumer products.

Public Safety

The RIAS points out that even if programs are installed as part of a commercial activity, they will be excluded from the Act if required for reasons of public safety. According to the RIAS:

Note that the Act only applies to computer programs installed in the course of commercial activity, a defined term that excludes public safety and other purposes, so issues of public safety. However, for software issues that are not matters of public safety, the Regulations provide for deemed consent for the installation of computer programs that are necessary to correct a failure in the operation of a computer system or program that is already installed.

Form of consent for updates and upgrades

The RIAS also provides guidance on the form of consent required to install an update or upgrade. According to the RIAS:

For updates and upgrades to computer programs installed after CASL comes into force, the Act allows companies to get the consent of the owner or authorized user for future updates or upgrades to the computer program at the same time they obtain consent for the original installation, or when the user is downloading. That is, when a computer program is installed, consent must in general be requested in accordance with the Act, but there are no requirements for the form of a request for consent to install updates and upgrades, whether that consent is requested in advance or when the update or upgrade is installed.

Although not specifically referenced, the statement appears to reflect the provisions of s10(7)(b), which states that an update or upgrade can be installed if there is an express consent, the person who gave the consent is entitled to receive the update or upgrade under the terms of the express consent, and the update or upgrade is installed in accordance with those terms.

When the “malware” and “spyware” features of a program must be disclosed

Under s.10(4), if the program performs one of the malware or spyware functions listed in s10(5), the person seeking express consent must, when requesting consent, describe the program’s material elements that perform the function, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system.

The section 10(5) functions are described as follows:

(5) A function referred to in subsection (4) is any of the following functions that the person who seeks express consent knows and intends will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or an authorized user of the computer system:

(a) collecting personal information stored on the computer system;

(b) interfering with the owner’s or an authorized user’s control of the computer system;

(c) changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;

(d) changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;

(e) causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system;

(f) installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system; and

(g) performing any other function specified in the regulations.

The combined wording of ss.10(4) and 10(5) strongly suggested that disclosure was required only when both conditions were met: one of the listed items in paragraphs (a) to (g) existed, and the person seeking express consent knows and intends to cause the computer system to operate in that manner contrary to the reasonable expectations of the owner. This was confirmed in the RIAS, which stated the following.

Note that the reasonability test that is built in to the deemed consent provision of CASL also applies as a mechanism to reduce the risk of abuse of deemed consent in these Regulations. In addition, the requirements of section 10(4) of the Act to describe functions in section 10(5) only come into play when consent has to be requested. Furthermore, the notice requirements in section 10(4) only apply when the person seeking consent knows and intends for the function listed in section 10(5) to cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or authorized user of the computer system.

Existing programs

There are hundreds of thousands, if not millions, of computer programs already installed on systems throughout Canada. CASL applies to all of these programs for at least two reasons. First, it will be illegal to install updates or upgrades to them unless there was an original express consent to install the programs that included a consent to install the update or upgrade or unless a new express consent is obtained. Secondly, it will be illegal for a person that installed a program to have that program transmit information to the person without having obtained an express consent to do so. Many existing programs are regularly updated automatically (as desired by consumers) or require the transmission of information to a person for the program to continue to operate. All this will become illegal starting in January 2015 for previously installed programs.

For the vast majority of programs currently in use the users would not have provided express consents to receive updates or upgrades. Moreover, the original suppliers of the programs often would not have any records including contact information such as email addresses of the persons receiving the updates or upgrades. Nor could emails even be sent out to many users asking for consent if this is done as part of a commercial activity without violating the anti-spam portions of CASL.

The transitional provisions were designed to temporarily alleviate these problems. The wording of s.67 reads as follows:

If a computer program was installed on a person’s computer system before section 8 comes into force, the person’s consent to the installation of an update or upgrade to the program is implied until the person gives notification that they no longer consent to receiving such an installation or until three years after the day on which section 8 comes into force, whichever is earlier.

Under CASL there appeared to be only two ways in which a new update or upgrade could be installed for an existing program. If the update or upgrade is treated as a new program, then express consent would be required. If reliance was going to be placed on a prior consent associated with the first installation, then there would need to be (a) an original express consent to the program installation or use, (b) an entitlement to receive the update or upgrade under the terms of the express consent, and (c) installation of the update or upgrade in accordance with those terms.

On its face, s67 did not appear to meet the standards required to permit updates or upgrades to be installed for legacy programs because only implied and not express consent is deemed to be given. Industry Canada had been aware that the efficacy of s.67 was in doubt. The best approach would have been to amend s.67 or to have enacted a regulation that would have provided a mechanism to make the transition work, or better still to have completely grandfathered all existing programs given the impossibility of obtaining consents for the ubiquity of all legacy programs even during the 3 year period.

Instead, Industry Canada tried to alleviate the anxiety over the introduction of the program provisions by noting in the RIAS that there is a three year transitional period allowing updates and upgrades to programs installed prior to the coming-into-force of CASL. However, this repetition of the existence of the transition period does not explain how it can apply, unless it is agreed by everyone including the CRTC and the class action bar that the word implied in section 67 really means express so that the section can achieve its intended function.

Vehicle manufacturers were concerned that they would be unable to meet consumer expectations because CASL did not completely grandfather the right to provide updates and upgrades to previously installed programs. Industry Canada did not suggest that the transitional provisions would solve their problems. Instead, it suggested that their problems would be solved by the exceptions in the regulations to permit installation of updates or upgrades to networks and to correct failures in computer programs:

Auto manufacturers were also concerned that the three year transitional period in section 67 would limit their ability to continue to install updates or upgrades to computer programs on automobiles. To address this concern, these Regulations specify that express consent of an individual is deemed for updates and upgrades to computer programs that are installed across all or part of the auto manufacturer’s network, and the installation of computer programs to correct failures in the operation of the computer system or an existing program.

As explained above, however, those two exceptions have limitations that do not fully address the requirements the vehicle manufacturers claimed were needed to provide the functionality their consumers want and need.

Conclusions

The computer program provisions in CASL are very problematic. The final regulations do not solve many of the key problems. The RIAS provides some helpful guidance, but the guidance does not have the force of law, or solve the key problems. No other country has taken such a broad approach to regulating the installation of programs, including programs that do not remotely resemble “malware” or “spyware”. Perhaps the regulatory approach adopted in CASL would have had fewer inadvertent consequences a decade ago when it was being formulated. In 2014, computer programs are ubiquitous and the over-the-top “ban all” approach makes little sense. The spam provisions are also extremely problematic and were also only partially fixed.

CASL’s goals were to facilitate the use of the Internet and eCommerce. Yet, its final rules will have the opposite effects.

The final Industry Canada regulations were delayed for years while the Government deliberated about how to address the fundamental structural flaws in CASL. In the end, the approach taken was to correct some problems and to leave the rest to be clarified in the RIAS and guidance documents. This was the wrong public policy choice. Unfortunately, it will result in rules that continue to be impractical or impossible to comply with. Ultimately, all stakeholders including consumers will be hurt by this decision.

For more information about CASL, see, CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline.
