I got a call this week from a client asking if Canada’s new anti-spam/anti-malware legislation (CASL) applies to non-Canadian organizations. (It was one of the plethora of calls I got this week on CASL.) When I answered that CASL did indeed apply extra-territorially I was confronted with one of the many gasps of frustration I have also been encountering recently with this law (which several years ago I dubbed Canada’s Anti-Speech Legislation (CASL) because of its major chill on legitimate electronic messages).
CASL compliance is a major challenge for Canadian organizations. The new legislation which regulates sending commercial electronic messages and the installation of computer programs is the toughest law of its kind anywhere. The law, however, doesn’t just apply to Canadian organizations.
The anti-spam provisions apply to any commercial electronic message (CEM) where a computer system located “in Canada is used to send or access the electronic message”. This means that CASL’s consent and unsubscribe strictures apply to foreign messages such as those sent by foreign organizations to Canadian customers or proposed customers and to messages that are stored on foreign servers and accessed from Canada. It applies to emails, instant messages, SMS messages and messages sent to “similar accounts”. Regrettably, no one knows for sure what a CEM is. The CRTC which will enforce CASL says in a FAQ that organizations have to examine each message on a case by case basis to make the determination. Industry Canada tried to clarify what is in scope in its Regulatory Impact Analysis Statement (RIAS), but it did little to clear up the confusion.
But it gets even worse for foreign companies. CASL also has broad prohibitions that make it illegal to install a computer program (whether or not it has any malware or spyware feature) including an update or upgrade onto someone else’s computer without making prescribed disclosures and obtaining a prior express consent. The computer program provisions apply, inter alia, if the computer program is installed on any computer system located in Canada. The law is so broad it applies not only to “apps”, but also to programs in embedded systems including those in vehicles and consumer and industrial products. Accordingly, if you sell or service almost any product to Canadians, either directly or through channels, CASL will likely apply to you.
I described some of the problems associated with this structure in a prior blog post Evaluating the Industry Canada CASL regulations: jurisdictional overreach as follows:
CASL’s strictures far exceed those in other countries. Rather than targeting false and misleading e-mails or those sent in violation of an opt-out request such as in the U.S., or limiting the restrictions to direct marketing messages as in the EU, CASL goes much farther. It does the same thing with its “ban all” approach to “malware”. To the extent that other countries have civil laws that regulate distributing computer programs without consent, they target malware, spyware or similar threats, not programs that are also completely innocuous as CASL does.
Unlike the laws of other countries such as those in the U.S., CASL provides a private right of action to anyone with remedies that includes compensation for actual losses plus damages of up to $1 million per day of non-compensatory (essentially punitive) damages. Class actions are not foreclosed and if certified could lead to threats of massive unprecedented awards to a new generation of CASL litigation trolls that are predicted to emerge. Moreover, these claims could be brought even where no person has suffered any actual damage. For example, a person that as part of some commercial activity makes malware free open source software available without charge to hundreds of thousands of Canadians using an ordinary webwrap (browsewrap) or clickwrap agreement or who using an automated system installs a security patch to prevent hacker attacks, could theoretically face threats of damages in the hundreds of million dollars.
The upshot of all of this is that Canada will have unique and more onerous regimes to comply with than those in other countries. Compliance will require development of new databases, modification of computer systems, changes to websites, user interfaces, and contracting processes and disclosures of information. Organizations that do business in countries other than Canada will have no reason to adopt these standards, except to the extent they want to send CEMs or make software or apps available to Canadians.
The caveat for foreign businesses, however, is that CASL has an extremely broad extra-territorial reach. The anti-spam rules apply to any commercial electronic message that is sent from a foreign computer anywhere in the world to a computer in Canada. Similarly, CASL’s “malware” rules apply to any program that is installed on any computer in Canada. The liability is strict; it does not depend on intent or foreseeability.
CASL’s reach is bound to raise questions of international comity among Canada’s trading partners. Its extensive territorial reach raises questions as to whether it departs from public international principles which justify applying laws extra-territorially. This is an issue that is quite complex. (My book Computer, Internet and Electronic Commerce Law has a chapter of over 200 pages just on this topic.) With the risk of over simplification, increasingly countries base legislative and personal jurisdiction related to Internet delicts on factors that take into account intentional targeting of the forum, intentionally causing harm, or some kind of purposeful availment of the privilege of conducting activities within the forum State. See J. McIntyre Machinery, Ltd v Nicastro131 S.Ct. 2780 (2011), Football Dataco Ltd. v Sportradar GmbH, Case C‑173/11, 18 October, 2012. Under CASL organizations from around the world could be liable for massive damages claims without ever intentionally targeting Canadians.
The response by foreign organizations to this territorial overreach will likely vary. Many organizations will learn about CASL and comply with its laws. Many multinational organizations with established businesses in Canada will be in this category. Other organizations may want to comply, but consider the costs of developing specialized processes merely for Canada to be too expensive and consider the liability too onerous. Adapting to CASL will be particularly challenging for innovative organizations whose business models would be constrained by CASL’s e-mail focused technology models and which either can’t be complied with or can’t easily be complied with. The result may well be decisions by foreign organizations not to offer their products or services to Canadians, or to introduce them only after launching in other jurisdictions which don’t require significant technological adaptations or modifications of marketing and promotional approaches. This would be a very unfortunate development for Canadian consumers who would ultimately suffer by having access to less information about products, services, organizations and individuals (including fan sites) they are interested in, less choice in offerings, and potentially even higher prices because of reduced competition.
Other organizations, and there will be many of these, would not know, and have no reason for surmising, that following international standards for distributing software and sending CEMs could result in significant liability under Canadian laws. They may become targets of the CASL litigation trolls that will undoubtedly emerge after CASL comes into effect.
Like it or not, if you do business in Canada you had better get ready for CASL. The anti-spam provisions come into force in July 2014. The computer programs provisions come into force in January 2015.
To help organizations comply, McCarthy Tétrault has created a web page that compiles useful resources to help in developing and implementing compliance programs. It has also updated its very popular CASL Toolkit to take into account recent developments including the Industry Canada regulations and RIAS and the CRTC regulations and guidance documents.
If you need assistance in understanding and complying with CASL you can request a copy by following the directions at the McCarthy Tétrault website.
For more information about CASL, see, CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline.