The legality of recommending a dental surgeon to someone with a toothache should be a no-brainer. But under CASL sending anyone an email, IM, or other electronic message that encourages participation in a commercial activity may be illegal. Even recommending a dentist to a person with a toothache could be illegal under CASL. In fact, in many instances it would be impossible for the average Canadian to comply with all of CASL’s strictures even if all they wanted to do was recommend a dentist to someone with a toothache.

To determine whether a person will be able to legally email a recommendation for a dentist to someone asking for one without worrying about violating CASL, the average Canadian will have to make a number of legal determinations.

The first is whether the email or other electronic message is a “commercial electronic message” (a “CEM”).  An email would be an electronic message. To be a CEM the message including any links in the message need only encourage participation in a commercial activity. It is not limited to encouraging participation in a commercial activity with the sender of the message.

My email to my relative may well have been a CEM because it contained a recommendation and encouragement to purchase services from a dental surgeon and because the link to the clinic would display the clinic’s website which contains a description of clinic’s services, hours of operation, contact details, and other information about the clinic designed to solicit patients and new business. The referral to another dentist to recommend a dental surgeon would not likely have been enough to make the email a CEM on its own. However, since an email is a CEM if any part of it encourages participation in a commercial activity, the email as a whole would still likely be a CEM.

The next question is whether CASL contains any exceptions that make its internationally unprecedented onerous requirements inapplicable. There is an exception that permits a CEM to be sent to a person who has a personal or family relationship with the sender, as defined in the regulations. Since only draft regulations are available, we don’t know for sure whether sending a CEM to one’s relatives, friends or others will be illegal or not if CASL is not complied with. However, if we assume that the regulations that are ultimately finalized will be at least as broad as the draft CRTC and Industry Canada regulations, we can make some preliminary conclusions.

Under the draft Industry Canada regulations family relationship and personal relationship are defined as follows:

(a) “family relationship” means the relationship between individuals who are connected by

(i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or of collateral descent from the other individual’s grandparent,

(ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,

(iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual; and

(iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual; and

(b) “personal relationship” means the relationship, other than in relation to a commercial activity, between an individual who sends the message and the individual to whom the message is sent, if they have had an in-person meeting and, within the previous two years, a two-way communication.

Under these definitions some of my relatives and I would have a “family relationship”. For example, CASL exempts sending CEMs to parents, siblings, children, and other lineal descendants. I could also respond to an email with an email recommending a dentist to my aunts and uncles and first and second cousins as they are of “collateral descent” to my grandparents without violating CASL.[1]

Once you get past the obvious close “family” relationships, however, the average Canadian would need to have the knowledge of an estates, family, tax or immigration lawyer to know whether their family member is someone to whom they can recommend a dentist without being subject to CASL’s strictures.[2] Recommending a dentist would likely be illegal if sent by email, for example, to a great uncle or aunt or someone more removed than a second cousin, or members of their immediate families, unless CASL’s strictures are complied with.

CASL exempts certain friends where they fit into the “personal relationship” class, as defined in the regulations. However, CASL and its prohibitions against sending emails and other electronic messages that are CEMs would apply to a variety of other situations the average Canadian would never expect. It would apply to sending a recommendation to a friend you went to high school or university with, played a sport or went to camp with, were members of the same club, or simply had lost touch with, and hadn’t spoken or “had a two-way communication” within the last two years. It would apply to a friend who had moved away for a few years and was moving back and needed a dentist. You couldn’t email a friend of a friend to recommend a dentist, without violating CASL. You couldn’t recommend one to your brother or sister’s friend, or the parents of your child’s friend. You couldn’t reply to an email to recommend a dentist by email to a person you met at a party from out of town, but that you didn’t have a chance to directly speak to.

You also couldn’t send an instant message to someone recommending a dentist you had been conversing with over Facebook, even though you may have shared family pictures and videos with the person as well as had real time live video chats with the person continuously over the course of years. CASL does not recognize virtual friends as “friends”, even though many people would, at least in some circumstances.

Trying to help others by recommending a dentist to remedy a toothache could also be illegal in many other circumstances. If the person asking for help is not within the definition of “family relationship” or “personal relationship”, making a recommendation using email could be illegal. For example, if you are a lawyer negotiating a deal with out of town lawyers and are asked by email for a recommendation to a dentist to address a sudden toothache, none of the CASL exceptions would apply. They would also not apply to helping out a person you had just met related to a commercial activity e.g. a sales meeting with an out of town potential customer or supplier.

Unless the person asking for help is totally excluded from CASL by virtue of being in the “family relationship” or “personal relationship” classes, the next question the average Canadian will need to know before responding to a request for help is whether the person has the consent of the recipient to respond to the email. Again, one would have thought that it was a no-brainer that a person could reply to an email asking for a dental recommendation since one could easily imply or infer consent from the request. However, unlike New Zealand and Australia, Canada has chosen not to recognize inferred consents as valid under CASL. CASL also excludes all implied consents unless the relationship between the parties falls into the tightly defined categories of “existing business relationship” or “existing non-business relationship”, or several other limited classes in Section 10(9). In the case of a request for a dental referral, none of them are necessarily going to be applicable. Neither would any of the exceptions in Section 6(6) which sets out specific circumstances in which the requirement for an express consent is waived.

In these circumstances, a person could only respond to the email request if the request itself can be construed as an “express consent” to respond with a recommendation. CASL does not define the term “express consent”. It likely means an affirmative consent – something more than the type of consent that can be implied under paragraph 4.3.7 of Schedule 1 to PIPEDA,[3] or inferred from the circumstances. From a form perspective, it may also require that the consent be in a verifiable form including in writing or in an electronic format.[4] If so construed, an oral consent would not be recognized as a valid consent.

It is unclear whether a person asking for a recommendation gives an express consent (as contrasted with an implied or inferred consent) to reply with a recommendation. It is even more unclear whether a request for help includes an express consent for a third party, such as in my case, my wife, to give her recommendations. In the circumstances, there would be little doubt that my wife would have had implied or inferred consent. But, that would not have been enough to make her reply legal under CASL. CASL even makes it illegal to ask someone for consent to send him or her a CEM. Calling to ask permission wouldn’t help either since CASL’s draft regulations require all requests for consent to be in writing. So as absurd as it seems, it would not be clear that my wife or I would have had consent under CASL needed to make recommendations to the person in need of dental services –  even in reply to the person’s own email asking for help. Even more incredibly, there would be no legally recognized way to even ask for the consent.

Even assuming my wife and I had express consent to send the email replies, the emails would still need to comply with CASL (and its regulations’) formalities. In particular, our emails, to be legal, would need to

(a) set out prescribed information that identifies the person who sent the message;

(b) set out information enabling the person to whom the message is sent to readily contact the sender (the contact information must be valid for 60 days; and

(c) set out the prescribed unsubscribe mechanism.

Under the draft CRTC regulations, our email replies would have been illegal unless they contained our names and our “physical and mailing address, a telephone number providing access to an agent or a voice messaging system, an email address and a web address”.

It seems absurd that my wife and I would be forced to disclose our personal information – information protected by PIPEDA – simply to reply to an email requesting a recommendation for a dental surgeon. However, CASL compels every individual who sends a CEM on their own account to disclose this personal information. In fact, CASL makes all anonymous commercial speech in the form of CEMs illegal in Canada, regardless of the circumstances.

Moreover, it would be illegal to send the recommendations unless the other CASL requirements including having a web address and a voice mail system are met. My wife doesn’t have a web site. While I have this blog, it is not set up to receive communications under CASL. Accordingly, when CASL is proclaimed into force, we would not be able to reply to requests for recommendations in a manner that meets CASL’s identification requirements.

It doesn’t end there. CASL also sets out extremely onerous requirements for an unsubscribe mechanism which must be included with all CEMs. Under CASL, the unsubscribe mechanism must

(a) enable the recipient to indicate, at no cost to them, the wish to no longer receive any CEMs, or any specified class of such messages, from the sender, using (i) the same electronic means by which the message was sent, or (ii) if using those means is not practicable, any other electronic means that will enable the person to indicate the wish; and

(b) specify an electronic address, or link to a page on the World Wide Web that can be accessed through a web browser, to which the indication may be sent.

Under the draft CRTC regulations, the unsubscribe mechanism must also be able to be performed in no more than two clicks or another method of equivalent efficiency.

So, incredibly, under CASL, unless one of the “family” or “personal” relationship exemptions applies, neither my wife nor I could legally respond to a request for a recommendation for a dentist unless we also included in our emails the above unsubscribe options to the hapless requestor. CASL would require the average Canadian to license the same kind of “unsubscribe” tools that have become common place with commercial newsletters and mailouts – just to be able to recommend a dentist to a person with a toothache.

It is also interesting to consider the position of the dentists who were asked for email recommendations for dental surgeons. Their recommendations would likely also be CEMs. If they responded directly to my wife or me, they may, depending on our relationship with them, have an existing business relationship which would permit them to reply to us without an express consent. However, they would likely not have had express consent to send recommendations directly to my relative, nor would any consent to send these CEMs be implied under CASL. The dentists wouldn’t even have been able to pick up a phone to call to get permission to send recommendations electronically or send an email asking for permission. Accordingly, it would likely be illegal for the dentists to reach out electronically to my relative with recommendations for an oral surgeon. It also seems unlikely they would even think to comply with CASL’s identification and unsubscribe requirements. Their best legal course of action would be to refuse to help – and leave my relative without important information needed to assess what dental surgeon to retain. Ironically, they could communicate with my relative through conventional mail or by phone, methods usually seen as more intrusive forms of communications.

The strictures of CASL will also apply to other electronic formats including messages sent using instant messaging systems like BlackBerry Messenger (BBM) and other social networks, and SMS messages. They would also likely apply to recommendations forwarded using services such as Groupon or Livingsocial. However, it is virtually impossible to practically comply with all of CASL’s formalities using these messaging types – even assuming it is desirable to have these formalities apply in the circumstances.[5]

Consider for example if the request for the recommendation for the dental surgeon had been received via an SMS message. It would likely be impossible for the average Canadian to respond to the message via an SMS message. As noted above, CASL requires each CEM to include detailed identification information as well as an unsubscribe mechanism. It is impossible to include all of this information in the 140 character space limits that this messaging format permits.

The draft CRTC regulations provide an alternative that is equally unworkable. They provide that:

If it is not practicable to include the information referred to in subsection (1) and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act in a commercial electronic message, that information may be provided by a link to a web page on the World Wide Web that is clearly and prominently set out and that can be accessed by a single click or another method of equivalent efficiency at no cost to the person to whom the message is sent.

The CRTC draft regulations would require individual Canadians, young and old, to do the following merely to reply to a request for a dental recommendation using SMS:

• Have or establish a web site.
• Publically post on the web site the individual’s PIPEDA protected personal information including physical and mailing address, telephone number and email address.
• Establish a mechanism to receive unsubscribe requests and disclose this on the individual’s web site.
• Include in the reply SMS message the dental recommendation and in the same 140 character space limit “clearly and prominently set out” the web link. Some links can be more than 140 characters. So this would force individuals to find link shortening tools that work on the person’s mobile phone and to copy the results into the SMS message. Even then, it is hard to see how the recommendation and the links could be included in only 140 characters.
• Find a way to make the individual’s web site accessible in a single click from the SMS message. (On my phone it takes at least two clicks. One to select the link, the other to engage it.)

Consider next if the request for the recommendation for the dental surgeon had been received via an instant message from a BBM user. Again, it would likely be impossible for the average Canadian to respond to the message via BBM. Since it would not be practical to include all of the identification and unsubscribe information in a BBM message, individual Canadians would need to do the same things as a person replying using SMS. This is as unworkable for BBM and other IM messaging systems as it is for SMS messaging.

CASL is touted as being technologically neutral. But only part of it is. A CEM is defined, essentially, to include email, IM, telephone and similar messaging systems. However, the message form, prescribed requirements, and unsubscribe mechanisms are firmly rooted in a PC based email architecture, with work around add-ons that permit, without necessarily enabling, compliance using another specific technology – the web.  This asymmetrical approach to technological neutrality makes it a problem today – even before CASL is proclaimed into force. One can well imagine that as the technologies of communication evolve, CASL will increasingly hinder the innovation and deployment of new technologies and business models in Canada. This will undoubtedly disadvantage Canadians, who alone will be subject to laws as stringent and prescriptive as CASL.

It is obvious that the strictures of CASL are not limited to requests for dental surgeons. They would apply to requests that ordinary Canadians routinely get. They would apply ubiquitously to recommendations for any product or service including recommendations for doctors, lawyers and other professionals, restaurants, financial planners, stockbrokers, bankers, real estate agents, car dealers, bakers, plumbers, electricians and other contractors, retail stores, movers, babysitters, school tutors, and so forth – you name it. They would also apply to prevent individuals whose business life blood relies on third party recommendations from reaching out electronically to prospective new clients. For example, a real estate agent could not email a friend of a satisfied customer for a potential listing at the suggestion of the customer. Nor could a stockbroker make a “cold email call” to a friend of a customer at the suggestion of the customer.

It is also obvious that CASL could apply also to a myriad of other situations in which email or other electronic means are used in relation to a commercial activity. For example it could apply to a kid trying to buy or sell a baseball or hockey card; a student trying to buy or sell high school, college or university used textbooks; a mother trying to hire a new babysitter; or a kid soliciting a parent of a friend to shovel snow or mow a lawn for some extra cash. It goes on and on – you can only imagine.

CASL also makes it illegal for anyone to “aid, induce, procure or cause to be procured” breaching the anti-spam and its other provisions. Accordingly, it would also be illegal for a parent to help his or her child buy or sell the baseball or hockey card or the school textbooks or to solicit customers for snow shoveling by electronic means. Conceivably, providing access to a home computer with permission to use it for these purposes could be enough to create liability.

CASL and its strictures could apply to an unlimited and unpredictable set of activities engaged in by individuals, professionals, and large and small businesses including start-up businesses. Yet, its list of exceptions is narrow and can only change through a slow reactive regulatory process. Meanwhile, kids selling baseball cards or trying to make some needed money cutting grass, students trying to buy a used textbook to save money, mothers trying to hire babysitters for a needed night out, and others would have to set up websites, establish unsubscribe mechanisms and publically disclose their personal information on the web to try and comply with CASL just to do those basic things.

While on vacation I also thought about the occasional emails I get from my local cottage street association asking for a financial donation to help fund issues of importance to our neighborhood (my cottage is close to the riding of Minister Clement, who was originally the Minister responsible for CASL). Sending these emails will become illegal under CASL. No one has expressly consented to receiving them. But, it is implied, or at least inferred, by most everyone that such emails are wanted. In some cases the individuals receiving the emails would have “personal relationships” (as defined in the draft Industry Canada regulations) with the street volunteer who sends out the emails. In some cases they would not. None of the other exceptions in CASL would apply to dispense with obtaining express consents to send out the  emails. The local street volunteer is also unlikely to want to disclose his or her PIPEDA protected personal information merely to send emails to members of the street “association”. The street volunteer is also unlikely to be able to comply with CASL’s formality requirements which include having a web address and a formal unsubscribe mechanism.  (So will many unregistered charities which will also be very significantly impacted by the restrictions in CASL.) So, when CASL comes into force, the street volunteer will either likely continue as before illegally, or stop because CASL stifles using electronic means of communication.

The volunteer may need think long and hard before violating CASL, however, because the penalties for violation can be severe. Every person who contravenes any of anti-spam provisions can be liable for a fine (an administrative monetary penalty or AMP). The maximum penalty per violation is a $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person. A person who merely aids in the violation – for example, the parent who helps a child get a snow shoveling job – can be liable for a fine of up to the same $1 million dollar maximum per violation. CASL also subjects individuals to damages and penalties under the private right of action provisions. The penalties can reach a maximum of $200 for each contravention not to exceed $1,000,000 for each day on which it occurred.

It is highly unlikely that the CRTC would seek the maximum penalties against individuals for some of the activities described here, assuming it even decided to prosecute individuals for some of these kinds of transgressions. However, individuals who know about these potential fines – such as the dentist who is asked for a recommendation or the street volunteer- might well decide that the risks associated with CASL to them outweigh the socially beneficial activities they were inclined to engage in.

It is ironic that under the Bill-C-11 (The Copyright Modernization Act) , the Government plans to lower the current cap on statutory damages from a maximum of $20,000 for each work infringed in the proceeding to a maximum $5,000 for all works infringed where the infringement is for a non-commercial purpose. Yet, when it comes to CEMs, CASL would make individuals liable for up to $1 million dollars per violation.

It is hard to imagine that Parliament could have intended to make electronic communications responding to requests for recommendations for needed information illegal. Nor is it conceivable that Parliament intended to make it illegal for local neighborhood associations to communicate electronically. Nor is it likely that many of the other problems described here could have been intended by Parliament. I very much doubt, for example, that Parliament intended to make kids buying or selling baseball cards or mothers trying to hire babysitters, or people trying to help them with these things, worry about CASL. But, CASL potentially affects everyone.

My colleague Lorne Salzman and I have pointed out elsewhere, that CASL will have many more unintended consequences including:

1)      FISA will impede start-up businesses from launching in Canada.

2)      FISA will impede Canadian businesses from developing new marketing models over the Internet.

3)      FISA will deter suppliers of service providers, including outsourcing and cloud service providers, from operating with or maintaining facilities in Canada.

4)      FISA will deter foreign businesses from offering their products to Canadians via the Internet, mobile and other communications networks.

5)      FISA will impose costs and restrictions on Canadian businesses that their competitors outside Canada will not have to bear.

6)      FISA contains very strong incentives for Canadian businesses to confess wrong-doing, even in cases of questionable or trivial conduct, thereby tarnishing the reputation of legitimate businesses in circumstances where the offending conduct is not significant.[6]

Numerous organizations filed detailed submissions with Industry Canada and the CRTC in response to the draft regulations. They pointed out a multitude of unintended consequences with CASL that would make doing business in Canada electronically difficult, expensive, and in some cases impossible. The submissions pointed out how CASL could stifle innovation and put Canada at a competitive disadvantage relative to our trading partners, none of which have taken such an onerous or prescriptive approach to regulating electronic commerce. A summary of the comments can be found here. The Government is currently reviewing these submissions to determine if changes to the regulations, or additional regulations, are required to address these problems.

The problems identified above can be somewhat alleviated by adding new exceptions to CASL by regulation. However, regulations which merely incrementally add more narrow exceptions to address newly identified problems will not solve the fundamental structural problem with CASL. CASL bans all commercial speech in the form of commercial electronic messages – whether wanted or unwanted – unless the specific class of the message falls into an identified exception, and unless its strictures are also met. This approach inevitably will ban some – probably a lot of – desirable and constitutionally protected speech. Incrementally creating new exemptions to address newly recognized impingements on commercial speech will not solve the structural problems with CASL. It would be playing wac-a-mole with basic freedoms of Canadians. (CASL takes the same “ban-all” approach to computer programs, making illegal the installation of any program –good or bad- without express consent and compliance with other requirements.)

The approach CASL takes to commercial speech is akin to trying to prevent crime by making it an offense for citizens to leave their homes except for purposes that are listed as exemptions in the Criminal Code or in regulations – regulations that incrementally grow in number as new non-criminal activities are identified. It would be easy to name obvious initially exempt purposes such as work, school, and sports. But, with the myriad of diverse human activities, an unforeseeable plethora of legitimate activities that individuals expect can be legally engaged in in a free and democratic society would be criminalized. For example, if going camping, bird watching, or attending the annual Santa Claus parade were not in the class of exempted activities, it would be illegal to do them until the Government enacts new regulations to exempt them. The same is true with CASL.

One of the greatest problems with CASL is that it will chill and make legitimate commercial speech illegal. It will undermine fundamental freedoms protected by the Charter of Rights and Freedoms. My colleague Lorne Salzman and I raised this issue previously. So did a number of entities who made submissions to Industry Canada and the CRTC on the draft regulations.[7]

Following the Supreme Court of Canada’s decision in the Reference re Securities Act, 2011 SCC 66 case, questions might also be asked about the Federal Parliament’s constitutional jurisdiction to enact major portions of CASL including the anti-spam, anti-spyware, and address harvesting provisions. It may be that CASL would do better than the proposed national security regulator proposal as it does not interfere with property and establishes rules to address threats to commerce. However, it does regulate matters of a contractual nature such as consents and disclosures related to contractual activities and has similarities to provincial consumer protection legislation.

In light of the very substantial questions about, and problems with, CASL, once its regulations are finalized, the Government should consider referring the constitutionality of CASL including its compliance with the Charter of Rights and Freedoms to the Supreme Court of Canada.

Of course, steps could be taken to fix CASL before it is proclaimed into force. These measures could also help CASL survive the inevitable Charter challenge once it becomes law. But, merely tinkering with CASL through the regulatory process will not be enough. And it certainly won’t help you if you need a dentist when out of town.

[2] See Wikipedia “Cousins” http://en.wikipedia.org/wiki/Cousin

[3] Individuals can give express consent under PIPEDA in several ways. For example:

(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;

(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;

[4] See, Collection and Debt Repayment Practices Regulation, Alta Reg 194/1999, (Fair Trading Act) Consolidated Regulations of Alberta; Regulation respecting the Taxation Act, RRQ, c I-3, r 1; Income Tax Regulations, CRC, c 945, (Income Tax Act) Consolidated Regulations of Canada

[5] See, Fixing CASL: comments on the draft CRTC and Industry Canada regulations; Electronic Commerce Protection Regulations – Much Work Remains; Rethinking FISA

[6] See, Fixing CASL: comments on the draft CRTC and Industry Canada regulations; Electronic Commerce Protection Regulations – Much Work Remains; Rethinking FISA

[7] Rethinking FISA

The CRTC draft regulations are as follows:

1. In these Regulations, “Act” means An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.

INFORMATION TO BE INCLUDED IN COMMERCIAL ELECTRONIC MESSAGES

2. (1)   For the purposes of subsection 6(2) of the Act, the following information must be set out in any commercial electronic message:

(a)   the name of the person sending the message and the person, if different, on whose behalf it is sent;

(b)   if the message is sent on behalf of another person, a statement indicating which person is sending the message and which person on whose behalf the message is sent;

(c)   if the person who sends the message and the person, if different, on behalf of whom it is sent carry on business by different names, the name by which those persons carry on business; and

(d)   the physical and mailing address, a telephone number providing access to an agent or a voice messaging system, an email address and a web address of the person sending the message and, if different, the person on whose behalf the message is sent and any other electronic address used by those persons.

(2)   If it is not practicable to include the information referred to in subsection (1) and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act in a commercial electronic message, that information may be provided by a link to a web page on the World Wide Web that is clearly and prominently set out and that can be accessed by a single click or another method of equivalent efficiency at no cost to the person to whom the message is sent.

FORM OF COMMERCIAL ELECTRONIC MESSAGES

3. (1)   The information referred to in section 2 and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be set out clearly and prominently.

(2)   The unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be able to be performed in no more than two clicks or another method of equivalent efficiency.

INFORMATION TO BE INCLUDED IN A REQUEST FOR CONSENT

4. For the purposes of subsections 10(1) and (3) of the Act, a request for consent must be in writing and must be sought separately for each act described in sections 6 to 8 of the Act and must include

(a)   the name of the person seeking consent and the person, if different, on whose behalf consent is sought;

(b)   if the consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought;

(c)   if the person seeking consent and the person, if different, on whose behalf consent is sought carry on business by different names, the name by which those persons carry on business;

(d)   the physical and mailing address, a telephone number providing access to an agent or a voice messaging system, an email address and a web address of the person seeking consent and, if different, the person on whose behalf consent is sought and any other electronic address used by those persons; and

(e)   a statement indicating that the person whose consent is sought can withdraw their consent by using any contact information referred to in paragraph (d).

SPECIFIED FUNCTIONS OF COMPUTER PROGRAMS

5. A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought separately from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.

Industry Canada published additional draft regulations on July 8, 2011. There is also a 60 day period for commenting on these regulations. These draft regulatons read as follows:

PERSONAL RELATIONSHIP AND FAMILY RELATIONSHIP

2. For the purposes of paragraph 6(5)(a) of the Act

1. (a) “family relationship” means the relationship between individuals who are connected by
   1. (i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or of collateral descent from the other individual’s grandparent,
   2. (ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,
   3. (iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual; and
   4. (iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual; and
2. (b) “personal relationship” means the relationship, other than in relation to a commercial activity, between an individual who sends the message and the individual to whom the message is sent, if they have had an in-person meeting and, within the previous two years, a two-way communication.

CONDITIONS FOR USE OF CONSENT

3. (1) For the purposes of paragraph 10(2)(b) of the Act, a person who obtained express consent on behalf of a person whose identity was unknown may authorize any person to use the consent on the condition that the person who obtained consent ensures that, in any commercial electronic message sent to the person from whom consent was obtained,

1. (a) the person who obtained consent is identified; and

1. (b) the authorized person provides an unsubscribe mechanism that, in addition to meeting the requirements set out in section 11 of the Act, allows the person from whom consent was obtained to withdraw their consent from the person who obtained consent or any other person who is authorized to use the consent.

(2) The person who obtained consent must ensure that, on receipt of an indication of withdrawal of consent by the authorized person who sent the commercial electronic message, that authorized person notifies the person who obtained consent that consent has been withdrawn from, as the case may be,

1. (a) the person who obtained consent;
2. (b) the authorized person who sent the commercial electronic message; or
3. (c) any other person who is authorized to use the consent.

(3) The person who obtained consent must inform, without delay, a person referred to in paragraph 2(c) of the withdrawal of consent on receipt of notification of withdrawal of consent from that person.

(4) The person who obtained consent must give effect to a withdrawal of consent and, if applicable, ensure that a person referred to in paragraph 2(c) gives effect to the withdrawal of consent, in accordance with subsection 11(3) of the Act.

MEMBERSHIP, CLUB, ASSOCIATION AND VOLUNTARY ORGANIZATION

4. (1) For the purposes of paragraph 10(13)(c) of the Act, membership is the status of having been accepted as a member of a club, association or voluntary organization in accordance with the membership requirements of the club, association or organization.

(2) For the purposes of paragraph 10(13)(c) of the Act, a club, association or voluntary organization is a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than profit, if no part of its income is payable to, or otherwise available for the personal benefit of any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization the primary purpose of which is the promotion of amateur athletics in Canada.

*Updated after the Industry Canada draft regulations were published.

Eric Goldman’s blog has a post that summarizes two recent US cases which deal this issue under US law. The first case is Experi-Metal v. Comerica Bank, 09-14890 (E.D. Mich.Jun. 13, 2011). The plaintiff was a victim of a phishing attack which resulted in unauthorized wire transfers from its accounts of more than $1.9 million. The bank was found liable for the unrecovered portion because, according to the court, it should have detected and/or stopped the fraudulent wire activity earlier.

The second case is Patco Construction Co. v. People’s United Bank, d/b/a Ocean Bank, 09-cv-005003 (D. Me. May 27, 2011). Here an unknown third party made a series of unauthorized withdrawals of more than $500,000 over several days using Patco’s user credentials and passwords. The magistrate judge ruled that the bank’s security processes were commercially reasonable, even though not perfect. As a result, the loss was allocated to the bank’s customer.

If the attacks on networked connected systems keep occurring, which appears very likely given the escalating problem with cyber-crime, we can expect many more cases like Exeri-Metal and Patco to address who bears the risks of losses in these cases.

The slides include a summary of the following cases and statutory materials:

Privacy:

Cite Cards Canada Inc. v. Pleasance, 2011 ONCA 3

Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner), 2011 ABCA 94

State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada, 2010 FC 736

Nammo v. TransUnion of Canada Inc., 2010 FC 1284

Randall v. Nubodys Fitness Centres, 2010 FC 681

Stevens v. SNF Maritime Metal Inc., 2010 FC 1137

Vancouver (City) v Ward, 2010 SCC 27

Hannaford Bros. Co. Customer Data Security Breach Litigation 4 A.3d 492 (Sup, Ct. Me. 2010)

Paul v Providence Health System 240 P.3d 1110 (2010)

Doe 1 v. AOL LLC 719 F.Supp.2d 1102 (N.D.Cal. 2010)

LaCourt v. Specific Media, Inc. 2011 WL 1661532 (C.D.Cal. Apr. 28, 2011)

Claridge v. RockYou, Inc.  2011 WL 1361588 (N.D.cal. Apr. 11, 2011)

Jones v. Tsige, 2011 ONSC 1475

CTB v. News Group Newspapers Ltd & Anor [2011] EWHC 1326 (QB)

City of Ontario, Cal. v. Quon, 130 S. Ct. 2619

R. v. Cole, 2011 ONCA 218

U.S. v. Warshak 631 F.3d 266 (6th Cir. 2010)

FCC v. AT&T INC., 562 US__ (2011)

Holmes v. Petrovich Development Co. 191 Cal. App. 4th 1047

Bigstone v. St. Pierre, 2011 SKCA 34

Mosley v. UK (EU Ct. Human Rights) (10 May 2011)

Sparks v. Dubé, 2011 NBQB 40

Warman v. Wilkins-Fournier, 2011 ONSC 3023

Contracts and Electronic Agreements:

Seidel v. TELUS Communications Inc., 2011 SCC 15

AT&T Mobility LLC v. Conception, 2011 WL 1561956 (U.S. Sup. Ct. 2011)

Evans v. Linden Research, Inc., 2011 WL 339212 (E.D.Pa. 2011)

St-Arnaud v. Facebook Inc., 2011 QCCS 1506

Grosvenor v. Qwest Communications Intern., Inc., 2010 WL 3906253 (D. Colo. 2010)

Hoffman v. Supplements Togo Management, LLC, 2011 WL 1885675 (N.J.Super.A.D. 2011)

Roling v. E*Trade Securities, LLC, 756 F. Supp. 2d 1179 (N.D. Cal. 2010)

Patco Const. Co., Inc. v. People’s United Bank, 2011 WL 2174507 (D.Me. May 27, 2011)

Harold H. Huggins Realty, Inc. v. FNC, Inc., 575 F.Supp. 2d 696, 708 (D.Md. 2008) 

U.S. v. Nosal 2011 WL 1585600 (9th. Cir. Apr 28, 2011)

United Stats v. Rodriguez, 628 F. 3d 1258, (11th Cir. 2010)

Facebook, Inc. v. Power Ventures, Inc. 2010 WL 3291750 (N.D.cal.2010)

Naldi v. Grunberg, 908 N.Y.S.2d 639 (N.Y.A.D. 2010)

Golden Ocean Group Ltd. v Salgaocar Mining Industries PVT Ltd. & Anor [2011] EWHC 56 (Comm) (21 January 2011) 

Barwick v. Government Employee Ins. Co., Inc. 2011 Ark. 128 (Sup. Ct. Ark. 2011)

Distinct Fortune Ltd. v. Hyndland Investment Co. Ltd. [2010] HKEC 2013

Yazdani v. Canada (Citizenship and Immigration), 2010 FC 885

Contract and License Issues:

De Beers UK Ltd. v. Atos Origin It Services UK Ltd. [2010] EWHC 3276 (16 December 2010) 

Vernor v. Autodesk, Inc. 621 F.3d 1102 (9th Cir. 2010)

MDY Industries, LLC v Blizzard Entertainment, Inc. 2010 WL 5141269 (9th.Cir. 2010)

London Borough of Southwark v. IBM UK Ltd. [2011] EWHC 549 (17 March 2011) 

Agence France Presse v. Morel, 2011 WL 147718 (S.D.N.Y.2011)

Baidu, Inc. v. Register.com, Inc., 2010 WL 2900313 (S.D.N.Y.2010)

Facebook, Inc. v. Pacific NorthWest Software, Inc., 2011 WL 1843509 (9th Cir. 2011)

Patents and Trade-marks

Amazon.com, Inc. v. Attonrey General of Canada, 2010 FC 1011

Microsoft Crop. V I4I Limited Partnership 564 U.S. __ (2011)

Global-Tech Appliances, Inc. v. SEB S.A., 563 U.S. __ (2011)

Board of Trustees of Leland Stanford Junior University v. Roche Molecular Systems, Inc., 563 U.S. ___(2011)

Rosetta Stone Ltd. v. Google Inc., 730 F. Supp. 2d 531 (E.D. Vir. 2010)

Jurin v Google Inc., 2011 WL 572300 (E.D.Cal.2011)

Private Career Training Institutions Agency v. Vancouver Career College (Burnaby) Inc., 2010 BCSC 765 

Network Automation Inc. v Advanced Systems Concepts Inc, 638 F.3d 1137 (9th.Cir.2011)

Microsoft Corp. v. Shah, 2011 WL 108954 (W.D.Wash. 2011)

Masterpiece Inc. v. Alavida Lifestyles Inc., 2011 SCC 27

Copyright:

Sirius Canada Inc. v. CMRRA/SODRAC, 2010 FCA 348

Harmony Consulting Ltd. v. G.A. Foss Transport Ltd., 2011 FC 340

Telstra Corporation Limited v. Phone Directories Company Pty Ltd. [2010] FCAFC 149 (15 December 2010)

Acohs Pty Ltd. v. Ucorp Pty Ltd. [2010] FCA 577 (10 June 2010)

Roadshow Films Pty Ltd. v  iiNet Limited, [2011] FCAFC 23

REFERENCE for a preliminary ruling from the Nejvyšší správní soud (Czech Republic) ECJ 22 December, 2010

SAS Institute Inc. v. World Programming Ltd. [2010] EWHC 1829 (Ch) (23 July 2010) 

SAS Institute Inc v World Programming Ltd [2010] EWHC 3012 (Ch) (22 November 2010) 

The Newspaper Licensing Agency Ltd. v. Meltwater Holding BV [2010] EWHC 3099 (Ch) (26 November 2010) 

La société Des Auteurs des Arts Visuels et de L’image Fixe Visual Auteurs (SAIF) v. Google France  S.A.R.L. and Google Inc., Paris Court of Appeal, Jan. 26, 2011

Google v Copiepresse et al, Brussels Court of Appeal (9th Chamber) May 5, 2011

Media C.A.T. Ltd. v. A [2010] EWPCC 17 (01 December 2010) 

The Authors Guild et al v. Google Inc.  2011 WL 986049 (S.D.N.Y. 2011)

US v. ASCAP, 2010 WL 3749292 (2nd. Cir. Sept. 28, 2010)

Kernal Records Oy v. Mosley,  2011 WL 2223422 (S.D.Fla. Jun. 7, 2011)

Seng-Tiong Ho v. Taflove, 2011 WL 2175878 (7th.Cir, 2011)

The declaration on the Internet made the link between the Internet and innovation as follows:

For business, the Internet has become an essential and irreplaceable tool for the conduct of commerce and development of relations with consumers. The Internet is a driver of innovation, improves efficiency, and thus contributes to growth and employment…

The Internet has become a major driver for the global economy, its growth and innovation…

Their implementation must be included in a broader framework: that of respect for the rule of law, human rights and fundamental freedoms, the protection of intellectual property rights, which inspire life in every democratic society for the benefit of all citizens. We strongly believe that freedom and security, transparency and respect for confidentiality, as well as the exercise of individual rights and responsibility have to be achieved simultaneously. Both the framework and principles must receive the same protection, with the same guarantees, on the Internet as everywhere else…

The Internet and its future development, fostered by private sector initiatives and investments, require a favourable, transparent, stable and predictable environment, based on the framework and principles referred to above. In this respect, action from all governments is needed through national policies, but also through the promotion of international cooperation…

The leaders recognized the importance of framework laws and means for enforcing intellectual property laws on the Internet.

With regard to the protection of intellectual property, in particular copyright, trademarks, trade secrets and patents, we recognize the need to have national laws and frameworks for improved enforcement. We are thus renewing our commitment to ensuring effective action against violations of intellectual property rights in the digital arena, including action that addresses present and future infringements. We recognize that the effective implementation of intellectual property rules requires suitable international cooperation of relevant stakeholders, including with the private sector. We are committed to identifying ways of facilitating greater access and openness to knowledge, education and culture, including by encouraging continued innovation in legal on line trade in goods and content, that are respectful of intellectual property rights.

The leaders also gave special recognition of the need for protecting privacy in the Internet context using common approaches.

The effective protection of personal data and individual privacy on the Internet is essential to earn users’ trust. It is a matter for all stakeholders: the users who need to be better aware of their responsibility when placing personal data on the Internet, the service providers who store and process this data, and governments and regulators who must ensure the effectiveness of this protection. We encourage the development of common approaches taking into account national legal frameworks, based on fundamental rights and that protect personal data, whilst allowing the legal transfer of data.

The leaders acknowledged the importance of addressing key concerns of all G8 nations for protecting the security of networks against the ever growing criminal and terrorist threats.

The security of networks and services on the Internet is a multi-stakeholder issue. It requires coordination between governments, regional and international organizations, the private sector, civil society and the G8’s own work in the Roma-Lyon group, to prevent, deter and punish the use of ICTs for terrorist and criminal purposes. Special attention must be paid to all forms of attacks against the integrity of infrastructure, networks and services, including attacks caused by the proliferation of malware and the activities of botnets through the Internet. In this regard, we recognize that promoting users’ awareness is of crucial importance and that enhanced international cooperation is needed in order to protect critical resources, ICTs and other related infrastructure. The fact that the Internet can potentially be used for purposes that are inconsistent with the objectives of peace and security, and may adversely affect the integrity of critical systems, remains a matter of concern. Governments have a role to play, informed by a full range of stakeholders, in helping to develop norms of behaviour and common approaches in the use of cyberspace. On all these issues, we are determined to provide the appropriate follow-up in all relevant fora.

The leaders also focused on the importance of innovation in the knowledge economy. The declaration highlighted the importance of having strong and robust intellectual property systems as a catalyst to innovation.

We agree on the necessity of a level playing field in the innovation area, including a strong and robust intellectual property system as an incentive to innovation and a catalyst for growth. We acknowledge the important role of the World Intellectual Property Organization (WIPO) in developing a broad approach to intellectual property in support of business friendly, robust and efficient national intellectual property systems. Renewing our support to the principles of the patent system, we attach great importance to its promotion and development. We encourage increased international action to strengthen patent quality, and call for improved diffusion of patent information, particularly critical for SMEs and research centres. We support transparency in technology markets and call for the improvement of market places for trading rights. We invite WIPO, in close cooperation with Member States and other relevant entities, to intensify its work in these three areas. In addition we note the importance of enforcement in order to incentivise innovation and protect innovation once developed.

You clearly had fun trying to come up with a name. Some of you suggested a few names. Some suggestions were serious (more or less). Others were hysterical, many reflecting your thoughts about the Bill, or about SPAM. Here are your proposals to name the Bill.

Please read them and let me know which ones you like or would choose. You can email me (bsookman@mccarthy.ca) or post comments on my blog with your recommended name and short name, if applicable. My partner Lorne Salzman and I will select the winning name (and the winner of the McCarthy’s gift) after getting your input.

Eyjafjallajökull – the name of the volcano in Iceland that disrupted so much flight travel in Europe last year. No one (outside of Iceland) could pronounce the name and like this Bill, no one will be able to remember the full name so let’s give it a label we will at least remember – to see, if not say. (John Leblanc)

Canada Risible Anti-spam Propoundment or CRAP for short. (Richard Owens)

Spam²⁴ Act. Surely relying on the Wisdom of The Hitchhikers Guide to the Universe, the name then should be:  Spam⁴² Act. BUT since spam is transmitted over the Internet and Google is a very important term in relation to the Internet and the number Googol sounds very close to Google, we could call it: Spam^googol Act (David Bilinsky)

One is reminded of that Python bit profiling an otherwise forgotten composer, Johann Gambolputty de von Ausfern- schplenden- schlitter- crasscrenbon- fried- digger- dingle- dangle- dongle- dungle- burstein- von- knacker- thrasher- apple- banger- horowitz- ticolensic- grander- knotty- spelltinkle- grandlich- grumblemeyer- spelterwasser- kurstlich- himbleeisen- bahnwagen- gutenabend- bitte- ein- nürnburger- bratwustle- gerspurten- mitz- weimache- luber- hundsfut- gumberaber- shönedanker- kalbsfleisch- mittler- aucher von Hautkopft of Ulm.Given the Pythonic origin of the term “Spam”, the best short name for the new Act would have to be similarly surreal, irrelevant and disrespectful. Hence my vote for the “Fish-Slapping Dance Act, 2011“. (David Basskin)

Given some of the potential concerns Barry identifies due to overbreadth or sloppy drafting, how about the Law of Unintended Consequences? (Richard Pfohl)

How about:  “An Act to Amend other Acts and do some other things.” The government could use the same name for all future legislation. And they could advertise it as the A++ Act. Very efficient and no less informative… (Michael Erdle)

I’m fond of the Spam Spam Spam Spam Spam Spam Spam Spam Spam Spam Spam Spam  Spam Spam Spam Spam Spam Spam Spam Spam Spam Spam Spam Spam Act.(It’s even shorter the current name.) (Eric Boehm)

P.P.P.S. At least no one has (yet) suggested naming the Act for someone, especially a child, who has died in painful circumstances. (Wallace Mclean)

The eCommerce Holy Grail Act. (Get it? Spam – Monty Python- Holy Grail)  (Peter Ruby)

Green Eggs and Spam? (Bernice Karn)

I call dibs on the “Canada Spam-a-Lot Act”. (Bernice Karn)

ASS Law (Anti Spam and Spyware Law)? (Bradley Freedman)

Oh heck let’s mix French and English. Sans-Spam Act (David Bilinsky)

Spam-a-Little (Mary Hemmings)

Internet Wish Act – as in I wish that the anti-spam provisions by the government in this act could actually be enforced without bankrupting the public service. By the way, my Visa has limited internet purchase capacity…an email from germany told me so! WISH could stand for Wise Interneters Suspect Havoc (so they read the screen to delete spam) ((Shaunna Mireau)

How about Anti-Malware Act? Short and bilingual… (Michel Racicot)

Since the statute deals with spam and spyware, and various other nasty practices, perhaps the generic “Anti-malware Act” would be appropriate. I expect that most people who do not live and breathe computers may not recognize the term, but it’s still a good one, and a title can be educational as well as convenient. I learn that the recognized Canadian French equivalent is ‘maliciel’, a formation from the very elegant ‘logiciel’ for software (in France that tends to be called ‘le soft’, but we should prefer the elegance of the Canadian formation). So: “Loi contre le maliciel”.  The ‘original’ title was, I believe, the ‘Electronic Commerce Protection Act’, which is fine except that it gives no hint as to the contents. The ‘Fight Internet Spam Act’ is OK, though a little tendentious – better than a lot of political titles. (John Gregory)

Canadian Anti-Spam Act, which can be further shortened to CASPA. (Lorne Salzman)

Can-Can Spam Act since I’ve been telling people it is sort of the Canadian version of the US Can-Spam Act! (Joel Guralnick)

Using the logic of the DaVinci’s Code (or the “USA PATRIOT ACT”), we should refer to the law as the PEACE Act (or perhaps the e-PEACE Act). “An Act to Promote the Efficiency and Adaptability of the Canadian Economy [...] (Charles Morgan)

I’d like to suggest “The CORE Discourse Act” . I am most certainly not a lawyer, but what I understand of C-28 suggests to me an attempt to describe and moderate Corporate Responsibility in Electronic Discourse.  (Scott Elcomb)

And don’t forget “Canada’s Anti-Spam Legislation” (CASL) which is how the legislation is now described (without the acronym) on the Industry Canada site. CASL gets my vote, but the ultimate decision might be made by Justice Laws.  (Bruce Tattrie)

Canadian Legislation Against Spam & Spyware Act (or CLASS Act, because it’s a CLASS Act that invites a lot of CLASS Action…)  (James Gannon)

Canadian Anti-Spam, Anti-Spyware Act (CASASA, pronounced “Que c’est ça?” in French) (James Gannon)

The Bill has no short title. As a result different terms and acronyms are being used to refer to it including the ECPA, FISA, FIWSA, the SPAM Bill, the Anti-SPAM Legislation, and the Anti-SPAM and Anti-Spyware Bill.

The Bill needs a short title we can all agree on. I am asking you to help decide what we call it.

Some Background

On April 24, 2009, the Government introduced Bill C-27. It had a short title called the Electronic Commerce Protection Act. Its acronym was the ECPA. It received second reading in the House of Commons. The ECPA died on the Order Paper, however, when it reached the stage of second reading in the Senate, due to the prorogation of Parliament on December 30, 2009.

On 25 May 2010, the Government introduced Bill C-28. This bill was based substantially on Bill C-27. At first reading in the House of Commons, the short title of the Bill was Fighting Internet and Wireless Spam Act. It was also known by the acronyms FIWSA or FISA.

Bill C-28 was reviewed by the Standing Committee on Industry, Science and Technology. On Tuesday, November 2, 2010, the Committee voted to amend the Bill to remove the short title. The amendment was initiated by NDP MP Brian Masse during the following exchange in the Committee hearings over the short title:

Mr. Brian Masse:

I have just one last quick question. I noticed that the short title of the bill has been amended. We’ve had some things around that. Who suggested that the short title be changed?

Mrs. Janet DiFrancesco:

The short title of the bill was provided to us.

I also can’t tell you why they dropped a letter out of it. I don’t what happened to the “W” to go with the initials FISA, but that was the acronym they also gave us when it was tabled.

Mr. Brian Masse:

I suspected as much.

Thank you very much for your answers. I appreciate them.

Thank you, Mr. Chair. I’m all done.

The Chair:

There are 92 clauses, so we’ll postpone the short title, as is the practice per Standing Order 75(1).

(Clauses 2 to 92 inclusive agreed to)

(On clause 1—Short title)…

The Chair:

Shall the short title carry?

Mr. Brian Masse:

No, I’m not going to agree to the short title. First of all, it wasn’t from the department. We got into these silly games of naming bills with these little titles here and there. I’m not going to give them this; it’s just ridiculous to do this type of stuff. I haven’t seen this in the years I’ve been here, so I’m not supporting this nonsense.

The Chair:

Okay.

Mr. Anthony Rota:

Mr. Chair, just for clarification, if we vote in favour of the title, then it has a title. If we vote against the short title, then it has no title. Am I correct?

The Chair:

That’s right. We’ll report it back that way. We’ll still have the long title.

Mr. Anthony Rota:

I just wanted to clarify that. Thank you.

The Chair:

Shall the short title carry? Can I see a show of hands?

(Clause 1 negatived)

The Chair: It’s defeated.

Shall the title carry?

Some hon. members: Agreed.

The Chair: Shall the bill as amended carry?

Some hon. members: Agreed.

The Chair: Shall I report the bill, as amended to the House?

Some hon. members: Agreed.

The Chair: Shall the committee order a reprint of the bill?

Some hon. members: Agreed.

The Chair: Gentlemen, that’s very good work. We have no meeting on Thursday.

The meeting’s adjourned.

The Bill eventually passed the House of Commons and the Senate before being given Royal Assent on December 15, 2010. It awaits publication of the regulations and then proclamation, which is expected to occur in the fall of this year.

You Name the Bill

Bill C-28 is going to be with us for a long time. It is legislation that is very complex and will undoubtedly result in considerable study, litigation (including class action proceedings) and enforcement proceedings before the CRTC. (The Bill is summarized here, here, here, and here.)

We need a common way of referring to it. We need a short title. What do you think it should be?

I encourage you to email me (bsookman@mccarthy.ca) or post comments on my blog with your recommended short name (and/or acronym) and the reasons for choosing it. I will list the top few suggested names along with some of the main reasons for suggesting it and ask people to let me know their preferences.*

What do you recommend we call the Bill and why?

One of the people to recommend the winning name will be given a McCarthy Tétrault branded gift as a reward for his/her skill.

* By participating, you confirm you are okay with me attributing (or not attributing) suggestions to you, unless you let me know otherwise.

The legislation creates significant vicarious and accessorial liability for companies and for their officers and directors with the potential for administrative penalties of up to $10 million and damages awards which can reach $1 million per day or per breach.

Accordingly, you will want to learn about this new legislation and how to comply with its many provisions. To help you do so, I am posting slides prepared by Lorne Salzman and I for the  IT Can Roundtable presentation we gave earlier today on the impacts of Bill C-28.

Sookman Salzman ITCAN Spam Slides

The Act prohibits organizations from sending commercial electronic messages unless the recipient has given express or implied consent. A “commercial” electronic message is an electronic message where one of its purposes is to encourage participation in commercial activity. An “electronic message” is defined broadly to include any “message sent by any means of telecommunication, including a text, sound, voice or image message.” This covers e-mails, text messages, instant messages, “tweets” or Facebook® postings, but excludes two-way voice communication, faxing to a telephone account or accessing a voice mailbox.

When requesting express consent to send a commercial electronic message, an organization must “clearly and simply” set out the purpose(s) for which consent is being sought and identify the organization seeking the consent. However, consent is not required to send a commercial electronic message where the purpose is to:

• provide a quote or estimate in response to a request;
• facilitate, complete or confirm a pre-agreed commercial transaction;
• provide warranty, product recall or safety information to a purchaser of goods;
• provide information related to an ongoing subscription, membership, account or loan;
• provide information related to an employment relationship; or
• deliver a pre-authorized product, goods or service, including product updates and upgrades.

Consent to receive messages can also be implied, most notably where:

• the sender and the recipient have an existing business relationship or non-business relationship (e.g., membership in a club), where the relationship arose within the past two years or is pursuant to a contract in effect in the past two years;
• the recipient has “conspicuously published” its electronic address and has not indicated a desire to not receive unsolicited commercial electronic messages, and the message is relevant to the recipient’s business role; or
• the recipient has provided its electronic address to the sender without indicating a wish not to receive unsolicited commercial electronic messages, and the message is relevant to the recipient’s business role.

The Act also requires that all commercial electronic messages must identify the sender, include the sender’s contact information, and provide an “unsubscribe” mechanism so that recipient can opt out of receiving future communications.

In addition, if a program performs certain potentially undesirable functions, it must bring its “foreseeable impacts” to the attention of the user. The prescribed list of undesirable functions includes:

• collecting personal information stored on the computer system;
• interfering with the user’s control of the computer system;
• changing or interfering with settings or preferences on the computer system without the user’s knowledge;
• interfering with access to or use of that data on the computer system;
• causing the computer system to communicate with another computer system without the authorization of the user; or
• installing a computer program that may be activated by a third party without the knowledge of the user.

These requirements apply not only to personal computers and computer servers, but also to any electronic device that allows for the installation of third-party programs — such as smartphones and tablets. Programs are exempted from these requirements only if it is reasonable to conclude from the recipient’s conduct that the recipient consented to the installation of the programs (e.g., HTML code, Web cookies, javascript code, operating systems, patches and add-ons). Program upgrades and updates are also exempt if the recipient consented to the initial installation and is entitled to receive upgrades or updates.

Amendments to the Competition Act and PIPEDA²

The Act amends the Competition Act to prohibit false or misleading representations in the sender description, subject matter field or message field of an electronic message, or in the URL or other locater on a webpage. Senders will have to be particularly wary of making overly boastful statements in subject matter lines in an attempt to catch readers’ attention.

The Act also amends PIPEDA, to prohibit the collection of personal information by means of unauthorized access to computer systems, and the unauthorized compiling of lists of electronic addresses (sometimes called “address harvesting”).

The Act also creates a private right of action that allows any business or consumer to take civil action directly against anyone who violates the Act, or the new false or misleading representations provisions of the Competition Act. The Act contemplates that a litigant will be able to recover its actual damages and additional amounts that could amount to as much as $1 million per day. These latter provisions will undoubtedly excite the plaintiff class action bar.

• review and update website privacy policies and terms and conditions to ensure proper consents for the collection of personal information and/or the installation of computer programs on dynamic websites;
• review and update their forms for obtaining express consent to send commercial electronic messages (including e-mail or newsletters), or install software programs to ensure that the forms satisfy the prescribed requirements;
• re-examine their procedures for documenting the receipt of consent, as the onus will rest on senders and software developers to prove they obtained consent;
• ensure that any commercial electronic message contains the prescribed information and an unsubscribe mechanism that is operational for the specified period;
• deal with unsubscribe requests within the requisite time frame;
• ensure that any process that involves online collection of e-mail addresses or other personal information complies with the amendments to the PIPEDA;
• generally review and revise marketing, advertising and external communication practices to comply with the requirements of the Act and the new provision of the Competition Act; and
• in the case of software developers:
  • examine their program-installation procedures to ensure that information about the function and purpose of the program is provided prior to installation;
  • if the program performs one of the prescribed undesirable functions, the disclosure mechanism will also need to describe the foreseeable impacts of these functions; and
  • revise end-user licence agreements (EULAs) to ensure that consent to install patches and upgrades is expressly obtained before installation of computer programs.

² Personal Information Protection and Electronic Documents Act, which is the primary federal statute that addresses privacy matters.

As noted in our last update, Canadian Government Launches Consultations on Encryption Controls, Canadian authorities have been consulting with the business community on how the mass market exemption for encryption items is interpreted and administered in jurisdictions outside Canada. This appears to be part of an effort to address concerns that, because of the burdens imposed by the permit regime, Canadian companies are not on a level playing field with their competitors in the United States and other countries when it comes to the sale of their products and technology in international markets.

Ancillary Encryption

Recently, another encryption control issue has arisen, this time regarding the liberalization of international controls over “ancillary encryption” items. These are items that contain or are designed to work with encryption, but encryption is not their primary function. These goods, software and related technology still require permits in order to be exported or transferred from Canada.

In December of 2009, the Wassenaar Arrangement Participating States, including Canada, agreed to exempt from export control items incorporating information security cryptography that is ancillary to and not the primary function of those items. The exemption has been implemented in the form of a Note to the Wassenaar Arrangement Category 5 — Part 2 (“Information Security”) as follows:

Note 4: Category 5 — Part 2 does not apply to items incorporating or using “cryptography” and meeting all of the following:

Provided these conditions are met, exporters of these items should no longer be required to undertake the process of applying for and obtaining an export permit prior to supplying their customers outside of Canada. However, the Canadian government does not anticipate incorporating these provisions into law until the end of 2010 or early 2011.

Broadbase Permit Pending Implementation

In an attempt to address concerns that Canadian companies will be put at a competitive disadvantage by this implementation delay, the Export Controls Division of Foreign Affairs and International Trade Canada has developed a new broadbase permit that may be applied for, and that, under certain conditions, will permit these shipments or transfers to proceed. Once the broadbase permit has been negotiated and obtained, the exporter is free to ship or transfer such items without any reporting requirements, although recordkeeping requirements still apply.

A procedure has been established to allow ancillary cryptography exporters to apply for these permits under certain terms and conditions, including the following:

1. The exporter provides full technical specifications with sufficient detail to disclose the true nature of the goods, their country of manufacture, their intended application, and the justification for qualifying for the ancillary exemption.
2. The permit will not authorize exports to any end-user directly or indirectly involved in research, development or production of chemical, biological and nuclear weapons, or any missile program; or to any country on Canada’s Area Control List (currently Burma and Belarus, and soon North Korea will be added) or any other country subject to existing Canadian economic sanctions.
3. The exporter must maintain all records necessary to determine compliance with Canadian legal requirements for a period of six years after the date of export from Canada.

Until the Wassenaar Arrangement exemption for ancillary encryption is fully implemented into Canadian law, exporters will have to apply for and obtain an individual broadbase permit before exporting these items or transferring related technology. After implementation of this new exemption, exporters will be able to self-classify exports and transfers without having to notify the Export Controls Division.

Continuing Challenge of Canadian Encryption Controls

Many Canadian companies continue to struggle with the burden imposed by Canada’s broad system of encryption controls.

Vendors are often surprised to learn that the export or transfer of their encryption goods and technology requires a permit before shipment to their foreign customers. Often, they first discover this when the Canada Border Services Agency detains these goods just prior to export. Others fail to realize that transfers of related technology that do not involve physical shipments also require a permit – these technology transfers can occur as a result of communications by fax or e-mail, during teleconferences or training sessions, or by remote server download or upload.

Because failure to obtain a permit prior to exporting or transferring controlled goods or technology can attract heavy penalties — and, often more significantly, can lead to long delays in order fulfillment and lost business — it is important that any organization dealing in encryption or items designed to work with encryption carefully address these issues to minimize risk exposure and administrative burden.

McCarthy Tétrault’s International Trade and Investment Law Group has significant expertise in encryption controls, and regularly assists clients in developing solutions to compliance and enforcement issues in this area. We are available to advise on these or any other export control, economic sanctions or trade matters.