<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Barry Sookman &#187; ECPA</title>
	<atom:link href="http://www.barrysookman.com/tag/ecpa/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.barrysookman.com</link>
	<description>Copyright, Intellectual Property, Computer, Internet, e-Commerce Law.</description>
	<lastBuildDate>Sat, 04 Feb 2012 13:30:00 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Draft FISA (Anti-SPAM) regulations published by CRTC and Industry Canada (updated)</title>
		<link>http://www.barrysookman.com/2011/07/18/draft-fisa-regulations-published-by-crtc/</link>
		<comments>http://www.barrysookman.com/2011/07/18/draft-fisa-regulations-published-by-crtc/#comments</comments>
		<pubDate>Mon, 18 Jul 2011 15:30:21 +0000</pubDate>
		<dc:creator>Barry Sookman</dc:creator>
				<category><![CDATA[E-commerce]]></category>
		<category><![CDATA[FISA]]></category>
		<category><![CDATA[CASL]]></category>
		<category><![CDATA[crtc regulations]]></category>
		<category><![CDATA[ECPA]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam regulations]]></category>

		<guid isPermaLink="false">http://www.barrysookman.com/?p=3282</guid>
		<description><![CDATA[The Canadian Anti-SPAM law (CASL or FISA) contemplated that regulations would need to be promulgated before the Act is proclaimed into force. CASL contemplated two sets of regulations: one from Industry Canada and the other from the CRTC.  The CRTC published draft regulations for comment purposes on June 30, 2011. The Commission will accept comments [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://laws-lois.justice.gc.ca/eng/acts/E-1.6/page-1.html">Canadian Anti-SPAM law </a>(CASL or FISA) contemplated that regulations would need to be promulgated before the Act is proclaimed into force. CASL contemplated two sets of regulations: one from Industry Canada and the other from the CRTC.  The CRTC published <a href="http://crtc.gc.ca/eng/archive/2011/2011-400.htm" target="_blank">draft regulations</a> for comment purposes on June 30, 2011. The Commission will accept comments from interested persons that it receives on or before September 7, 2011, a date <a href="http://www.crtc.gc.ca/eng/archive/2011/2011-400-1.htm">extended by the CRTC</a> from the original date of 29 August 2011.</p>
<p>The CRTC draft regulations are as follows:</p>
<blockquote><p><strong>1. </strong> In these Regulations, “Act” means <em>An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act</em>.</p>
<p>INFORMATION TO BE INCLUDED IN COMMERCIAL ELECTRONIC MESSAGES</p>
<p><strong>2. </strong> (1)   For the purposes of subsection 6(2) of the Act, the following information must be set out in any commercial electronic message:</p>
<p>(<em>a</em>)   the name of the person sending the message and the person, if different, on whose behalf it is sent;</p>
<p>(<em>b</em>)   if the message is sent on behalf of another person, a statement indicating which person is sending the message and which person on whose behalf the message is sent;</p>
<p>(<em>c</em>)   if the person who sends the message and the person, if different, on behalf of whom it is sent carry on business by different names, the name by which those persons carry on business; and</p>
<p>(<em>d</em>)   the physical and mailing address, a telephone number providing access to an agent or a voice messaging system, an email address and a web address of the person sending the message and, if different, the person on whose behalf the message is sent and any other electronic address used by those persons.</p>
<p>(2)   If it is not practicable to include the information referred to in subsection (1) and the unsubscribe mechanism referred to in paragraph 6(2)(<em>c</em>) of the Act in a commercial electronic message, that information may be provided by a link to a web page on the World Wide Web that is clearly and prominently set out and that can be accessed by a single click or another method of equivalent efficiency at no cost to the person to whom the message is sent.</p>
<p>FORM OF COMMERCIAL ELECTRONIC MESSAGES</p>
<p><strong>3.</strong> (1)   The information referred to in section 2 and the unsubscribe mechanism referred to in paragraph 6(2)(<em>c</em>) of the Act must be set out clearly and prominently.</p>
<p>(2)   The unsubscribe mechanism referred to in paragraph 6(2)(<em>c</em>) of the Act must be able to be performed in no more than two clicks or another method of equivalent efficiency.</p>
<p>INFORMATION TO BE INCLUDED IN A REQUEST FOR CONSENT</p>
<p><strong>4. </strong> For the purposes of subsections 10(1) and (3) of the Act, a request for consent must be in writing and must be sought separately for each act described in sections 6 to 8 of the Act and must include</p>
<p>(<em>a</em>)   the name of the person seeking consent and the person, if different, on whose behalf consent is sought;</p>
<p>(<em>b</em>)   if the consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought;</p>
<p>(<em>c</em>)   if the person seeking consent and the person, if different, on whose behalf consent is sought carry on business by different names, the name by which those persons carry on business;</p>
<p>(<em>d</em>)   the physical and mailing address, a telephone number providing access to an agent or a voice messaging system, an email address and a web address of the person seeking consent and, if different, the person on whose behalf consent is sought and any other electronic address used by those persons; and</p>
<p>(<em>e</em>)   a statement indicating that the person whose consent is sought can withdraw their consent by using any contact information referred to in paragraph (<em>d</em>).</p>
<p>SPECIFIED FUNCTIONS OF COMPUTER PROGRAMS</p>
<p><strong>5. </strong> A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought separately from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.</p></blockquote>
<p>Industry Canada published additional <a href="http://canadagazette.gc.ca/rp-pr/p1/2011/2011-07-09/html/reg1-eng.html">draft regulations</a> on July 8, 2011. There is also a 60-day period for commenting on these regulations. These draft regulations read as follows:</p>
<blockquote><p>PERSONAL RELATIONSHIP AND FAMILY RELATIONSHIP</p>
<p><strong>2.</strong> For the purposes of paragraph 6(5)(<em>a</em>) of the Act</p>
<ol>
<li>(<em>a</em>) “family relationship” means the relationship between individuals who are connected by
<ol>
<li>(i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or of collateral descent from the other individual’s grandparent,</li>
<li>(ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,</li>
<li>(iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual; and</li>
<li>(iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual; and</li>
</ol>
</li>
<li>(<em>b</em>) “personal relationship” means the relationship, other than in relation to a commercial activity, between an individual who sends the message and the individual to whom the message is sent, if they have had an in-person meeting and, within the previous two years, a two-way communication.</li>
</ol>
<p>CONDITIONS FOR USE OF CONSENT</p>
<p><strong>3.</strong> (1) For the purposes of paragraph 10(2)(<em>b</em>) of the Act, a person who obtained express consent on behalf of a person whose identity was unknown may authorize any person to use the consent on the condition that the person who obtained consent ensures that, in any commercial electronic message sent to the person from whom consent was obtained,</p>
<ol>
<li>(<em>a</em>) the person who obtained consent is identified; and</li>
</ol>
<ol>
<li>(<em>b</em>) the authorized person provides an unsubscribe mechanism that, in addition to meeting the requirements set out in section 11 of the Act, allows the person from whom consent was obtained to withdraw their consent from the person who obtained consent or any other person who is authorized to use the consent.</li>
</ol>
<p>(2) The person who obtained consent must ensure that, on receipt of an indication of withdrawal of consent by the authorized person who sent the commercial electronic message, that authorized person notifies the person who obtained consent that consent has been withdrawn from, as the case may be,</p>
<ol>
<li>(<em>a</em>) the person who obtained consent;</li>
<li>(<em>b</em>) the authorized person who sent the commercial electronic message; or</li>
<li>(<em>c</em>) any other person who is authorized to use the consent.</li>
</ol>
<p>(3) The person who obtained consent must inform, without delay, a person referred to in paragraph 2(<em>c</em>) of the withdrawal of consent on receipt of notification of withdrawal of consent from that person.</p>
<p>(4) The person who obtained consent must give effect to a withdrawal of consent and, if applicable, ensure that a person referred to in paragraph 2(<em>c</em>) gives effect to the withdrawal of consent, in accordance with subsection 11(3) of the Act.</p>
<p>MEMBERSHIP, CLUB, ASSOCIATION AND VOLUNTARY ORGANIZATION</p>
<p><strong>4.</strong> (1) For the purposes of paragraph 10(13)(<em>c</em>) of the Act, membership is the status of having been accepted as a member of a club, association or voluntary organization in accordance with the membership requirements of the club, association or organization.</p>
<p>(2) For the purposes of paragraph 10(13)(<em>c</em>) of the Act, a club, association or voluntary organization is a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than profit, if no part of its income is payable to, or otherwise available for the personal benefit of any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization the primary purpose of which is the promotion of amateur athletics in Canada.</p></blockquote>
<p>*Updated after the Industry Canada draft regulations were published.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barrysookman.com/2011/07/18/draft-fisa-regulations-published-by-crtc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rethinking FISA</title>
		<link>http://www.barrysookman.com/2011/05/25/rethinking-fisa/</link>
		<comments>http://www.barrysookman.com/2011/05/25/rethinking-fisa/#comments</comments>
		<pubDate>Wed, 25 May 2011 12:45:05 +0000</pubDate>
		<dc:creator>Lorne Salzman and Barry Sookman</dc:creator>
				<category><![CDATA[Bill C-28]]></category>
		<category><![CDATA[CASL]]></category>
		<category><![CDATA[ECPA]]></category>
		<category><![CDATA[Electronic Commerce Protection Act (ECPA)]]></category>
		<category><![CDATA[FISA]]></category>
		<category><![CDATA[FIWSA]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[wppt]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[PIPEDA]]></category>
		<category><![CDATA[SPAM law]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.barrysookman.com/?p=3134</guid>
		<description><![CDATA[SPAM is awful.&#160; It wastes our time. It clogs the Internet. It is full of scams, malware and fraudulent, false and misleading messages. Who wouldn’t cheer when Canada finally decided late in 2010 to outlaw SPAM and related afflictions of malware, spyware, address harvesting and sending false and misleading commercial electronic messages?
Indeed, there was much [...]]]></description>
			<content:encoded><![CDATA[<p>SPAM is awful.&nbsp; It wastes our time. It clogs the Internet. It is full of scams, malware and fraudulent, false and misleading messages. Who wouldn’t cheer when Canada finally decided late in 2010 to outlaw SPAM and related afflictions of malware, spyware, address harvesting and sending false and misleading commercial electronic messages?</p>
<p>Indeed, there was much satisfaction when Canada’s anti-SPAM law, also known as FISA<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn2">[2]</a>, was given royal assent on December 15, 2011. After a lengthy and thorough review process, including consultations and Parliamentary reviews, Canadians could look forward to the toughest anti-SPAM law in the world just as soon as the regulations were finalized, which is expected this summer.</p>
<p>With FISA passed into law, and expected to come into force by the end of 2011, Canadian businesses started preparing for a new SPAM-reduced world. They began to scrutinize their use of emails, SMS and social network communication with existing and prospective customers. They looked at the language for obtaining consent from these customers, and for allowing them to unsubscribe. They reviewed the conditions for those customers that may have given implied consent. All of this scrutiny was expected.</p>
<p>Businesses also began to look closely at regulatory aspects of FISA. They began to appreciate the severe penalties for violating FISA, and thus the risks of failing to fully comply with the new requirements. Their interest in compliance increased further. And this too was expected.</p>
<p>But a funny thing happened on the way to the SPAM-free utopia.&nbsp; It began to dawn on some that FISA imposes very significant costs, not just on individual Canadian businesses, but also on the Canadian economy as a whole. These are costs that Canadians will uniquely bear because FISA is the toughest anti-SPAM law in the world.&nbsp; And while everyone understood that implementing FISA would not be cost-free, questions began to be asked about the balance of costs and benefits from complying with FISA.</p>
<p>During the past months, we have helped numerous Canadian businesses understand FISA and its impact on their operations. In doing so, we have come to recognize that stakeholders did not fully appreciate just how costly this law would become for Canada or the dangers it poses to the Canadian economy. We acknowledge that FISA was thoroughly reviewed before it was passed into law. However, we have also come to recognize that rather than promoting the “efficiency and adaptability of the Canadian economy”, as formally stated in FISA’s official title, it may well achieve the opposite result.</p>
<p>In this commentary we will describe some of the challenges presented by FISA.&nbsp; We will focus on the anti-SPAM provisions, and leave for another day the anti-spyware and other provisions of FISA.</p>
<p>In summary, we have identified the following problems that need to be addressed before FISA’s regulations are finalized and the law is proclaimed into force:</p>
<blockquote><p>1) FISA will impede start-up businesses from launching in Canada.</p>
<p>2) FISA will impede Canadian businesses from developing new marketing models over the Internet.</p>
<p>3) FISA will deter suppliers of service providers, including outsourcing and cloud service providers, from operating with or maintaining facilities in Canada.</p>
<p>4) FISA will deter foreign businesses from offering their products to Canadians via the Internet, mobile and other communications networks.</p>
<p>5) FISA will impose costs and restrictions on Canadian businesses that their competitors outside Canada will not have to bear.</p>
<p>6) FISA contains very strong incentives for Canadian businesses to confess wrong-doing, even in cases of questionable or trivial conduct, thereby tarnishing the reputation of legitimate businesses in circumstances where the offending conduct is not significant.</p>
<p>7) FISA will chill legitimate commercial speech and thereby undermine fundamental values protected by the <em>Charter of Rights and Freedoms</em>.</p>
</blockquote>
<p>Our analysis starts with a brief background introduction to FISA.&nbsp; We then move on to discuss the problems we have observed.</p>
<p><strong>Overview of FISA’s anti-SPAM provisions</strong></p>
<p>The anti-SPAM and related provisions of FISA have their genesis in a 2005 federal government Task Force report: <em>Stopping Spam: Creating a Stronger, Safer Internet</em>.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn3">[3]</a> The report included a range of recommendations to fight SPAM including more rigorous law enforcement, public education, policy development and legislation. Importantly, the Task Force made recommendations that formed the structure that eventually became FISA including:</p>
<ul>
<li>Commercial email sent without prior consent — or that is deceptive, fraudulent or malicious — is SPAM and should be prohibited.</li>
<li>Failure to abide by an opt-in regime for sending unsolicited commercial email should be made an offence in a stand-alone, technology-neutral SPAM statute.</li>
<li>The use of false or misleading headers or subject lines designed to disguise the origins, purpose or contents of an email should be made an offence. This should be the case whether the objective is to mislead recipients or to evade technological filters.</li>
<li>The new offences created should be civil and strict-liability offences, with criminal liability open for more egregious or repeated offences. There should be meaningful statutory penalties for all offences outlined above.</li>
<li>There should be an appropriate private right of action available to persons, both individuals and corporations. There should be meaningful statutory damages available to persons who successfully bring civil action.</li>
</ul>
<p>The Task Force recommendations, which by and large were carried over into FISA, were not just ambitious. They cast a wider net than legislation anywhere else in the world. For example, the U.S. CAN-SPAM Act of 2003<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn4">[4]</a> prohibits e-mails that are sent in violation of an individual’s opt-out request, or that are fraudulent, false or misleading. The EU Directive 2002/58/EC on privacy and electronic communications targets sending e-mail for the purposes of direct marketing to individuals. The Australia Spam Act 2003<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn5">[5]</a> and the New Zealand Unsolicited Electronic Messages Act 2007<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn6">[6]</a>, after which FISA’s provisions are most closely modelled (but with significant changes which make FISA more encompassing and more difficult to comply with), prohibit sending certain commercial electronic messages without the express or inferred consent of the recipient.</p>
<p>In contrast to the narrower approach of these other countries, FISA prohibits sending (or causing or permitting to be sent) any commercial electronic message to any electronic address unless express consent is given by the recipient, or certain specific exclusions apply.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn7">[7]</a></p>
<p>The exclusions are limited, and encompass the following: (1) some categories of electronic message are excluded completely; (2) some categories are excluded from the consent requirements, but they must still comply with certain formalities (for example, contain an unsubscribe mechanism); and (3) very similar to (2), some categories are deemed to have implied consent, although they must also comply with the formalities.</p>
<p>The totally excluded categories are: commercial electronic messages to an individual with whom the person stands in a personal or family relationship as defined in regulations; an inquiry or application to a person engaged in commercial activity; or messages of a class defined in regulations.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn8">[8]</a> There is a further exception for telecommunications service providers (TSPs) in their role as carriers.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn9">[9]</a> Messages related to law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada are excluded because they are deemed not to be part of a commercial activity.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn10">[10]</a></p>
<p>Then, there are categories of commercial electronic messages which do not require consent, but for which the prescribed formalities still apply, namely commercial electronic messages that solely involve the following: (a) provide a quote in response to a request; (b) are in furtherance of previously agreed to transactions; (c) provide warranty, safety, security, product recall information; (d) provide factual information about a purchase; (e) provide information about an employment or benefits plan; (f) deliver a product, service or upgrade; or (g) other exceptions specified in a regulation.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn11">[11]</a></p>
<p>The categories of commercial electronic messages for which there is deemed to be implied consent (and to which the prescribed formalities still apply) are limited to the following exclusive circumstances:</p>
<ul>
<li>There is “an existing business relationship” as this term is defined. In summary, this is a relationship arising from a purchase or barter within 2 years; acceptance of a business, investment or gaming opportunity within the last 2 years; or is related to a contract until 2 years after expiry; or any inquiry or application within 6 months.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn12">[12]</a></li>
<li>There is an “existing non-business relationship” as this term is defined. In summary, this is a relationship arising from a donation or gift; volunteer work performed for a registered charity; or membership, within a 2 year window.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn13">[13]</a></li>
<li>The person to whom the message is sent has “conspicuously published”, or has caused to have published, an electronic address without a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address and the message is relevant to the person’s business, role, functions or duties in a business or official capacity.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn14">[14]</a></li>
<li>The person to whom the message is sent has disclosed, to the person who sends the message, an electronic address without indicating a wish not to receive unsolicited commercial electronic messages, and the message is relevant to the person’s business, role, functions or duties in a business or official capacity.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn15">[15]</a></li>
<li>The message is sent in the circumstances set out in the regulations.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn16">[16]</a></li>
</ul>
<p>Commercial electronic messages that do not fall into one or more of the above exclusions cannot be sent except with the express consent of the recipient. Obtaining consent has its own requirements. When requesting consent, the sender must set out clearly and simply: (a) the purpose or purposes for which the consent is being sought; (b) information prescribed in regulations that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, information prescribed in regulations that identifies that other person; and (c) any other prescribed information.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn17">[17]</a> Sending a message to obtain consent is deemed to be a commercial electronic message.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn18">[18]</a> As such, contacting a recipient to ask if the sender can send a commercial electronic message is itself SPAM (unless some exclusion applies).</p>
<p>Moreover, each commercial electronic message that is transmitted by a sender must abide by certain formalities which require the sender to: (a) set out prescribed information that identifies the person who sent the message and, if different, on whose behalf it is sent; (b) set out information enabling the person to whom the message is sent to readily contact the sender (the contact information must be valid for 60 days); and (c) set out the prescribed unsubscribe mechanism.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn19">[19]</a></p>
<p>The unsubscribe mechanism must (a) enable the recipient to indicate, at no cost to them, the wish to no longer receive any messages, or any specified class of such messages, from the sender, using (i) the same electronic means by which the message was sent, or (ii) if using those means is not practicable, any other electronic means that will enable the person to indicate the wish; and (b) specify an electronic address, or link to a page on the World Wide Web that can be accessed through a web browser, to which the indication may be sent.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn20">[20]</a></p>
<p>Having described the key elements of FISA, we will now describe some of the problems that we have encountered as Canadian businesses grapple with its implementation.</p>
<p><strong>FISA Impedes Start-up Companies</strong></p>
<p>Unlike established companies, start-up companies do not have a ready list of electronic contacts they can approach to market their products. Rather, they will develop emailing lists from a variety of sources and use them to launch their products. For example, a newly graduated financial advisor may look up the lawyers and doctors in his/her neighbourhood using a published professional or business directory or other publication such as a magazine, book, or newspaper and invite them to an educational event. A newly established orthodontist may send an announcement to dentists in her town, with the electronic addresses derived from a conference attendance list. A university student wanting to earn some money as a contract programmer may contact professors and lecturers using their electronic addresses found in the university catalogue or telephone directory. A new real estate agent in search of listings may want to contact owners of properties using information recorded in publicly available registries.</p>
<p>Although few would find these activities offensive, they will all likely be illegal under FISA.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn21">[21]</a> Rather than using electronic communications, business start-ups will therefore be forced to send their messages using the post or other more expensive and less convenient and efficient mechanisms, or limit the persons to whom they can send messages to the limited exception that permits use of conspicuously published e-mail addresses.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn22">[22]</a> The new start-ups could also not rely on the alternative route of using software that is designed to assist them in searching for relevant business or other connections because it will also be illegal to use such software or electronic addresses gathered using such software under the amendments to PIPEDA included in FISA.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn23">[23]</a></p>
<p>Although it is easy to say that the FISA impositions on small businesses are not that important, most countries, Canada included, actively promote small business formation and expansion. Policy-makers understand that small business is a vital part of the economy in its own right and, as well, that all big businesses were small start-ups at one point.&nbsp; As such, Canada should not want to impede start-up businesses from making effective use of digital communications to launch and sustain their businesses.</p>
<p><span mce_name="strong" mce_style="font-weight: bold;" style="font-weight: bold;" class="Apple-style-span">FISA Impedes Use of New Forms of Communications and Business Models</span></p>
<p>FISA is supposed to be technologically neutral, applying broadly to practically all electronic means of sending electronic messages. However, the FISA regulatory regime (which prescribes specific formalities for each message) is modelled on regulating electronic messages that are sent as emails. This focus on emails means that other forms of electronic messaging, such as those through social networks, do not easily fit within the FISA framework. As a result, Canadian businesses that wish to exploit new and developing alternative electronic messaging systems will be impeded by FISA.</p>
<p>As an example, consider an enterprise that wishes to send its commercial electronic messages, with express consent, by SMS.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn24" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn24">[24]</a> Because SMS only allows for 140 characters, it will be very difficult if not impossible in the allotted number of characters to include all of the formalities required for commercial electronic messages. The SMS message would have to include (a) prescribed information that (1) identifies the sender and (2) any person on whose behalf the message is sent, (b) information that enables the recipient to (1) contact the sender or (2) the person on whose behalf the message was sent, and (c) an unsubscribe mechanism that (1) enables the recipient to indicate, at no cost to him/her, a wish to no longer receive messages (which could be at a separate web location), and (2) specifies an electronic address or link to the web which can be used to unsubscribe from receiving further messages.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn25" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn25">[25]</a> Consider the following difficulties when trying to utilize SMS for a commercial electronic message:</p>
<ul>
<li>Can conditions (a)(2), (b)(2), and (c)(2) be met in a message that is only 140 characters?&nbsp; Some URLs could be as long as the message itself.&nbsp; The same problem will arise in other messaging services where short messages are the rule, such as <span mce_name="em" mce_style="font-style: italic;" style="font-style: italic;" class="Apple-style-span">Instant Messaging</span> (IM) services.</li>
<li>Where the recipient uses a regular cell phone, not a smart phone, an unsubscribe URL is likely not accessible by the phone to effect an unsubscribe instruction.&nbsp; Is it still a compliant message?&nbsp; If not, how can the sender ever know if its messages are compliant given that the sender will not know what sort of device the recipient is using?</li>
<li>Where the sender wants to permit recipients to unsubscribe using a text message at no cost to the recipient<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn26" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn26">[26]</a>, this will require negotiations with all mobile operators to ensure that the recipient is not charged for the unsubscribe message – a very cumbersome approach.</li>
<li>Further, it may be challenging for a person using any of these messaging services to seek express consents from recipients using 140 characters given the request for the consent must “clearly and simply” provide information setting out the purpose or purposes for which consent is being requested, information that identifies the requester and another person on whose behalf the request is made, and other prescribed information.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn27" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn27">[27]</a></li>
</ul>
<p>The result is that unless accommodation is made by means of the regulations or amendment to the legislation, FISA could make new and innovative short messaging platforms effectively impractical to use in Canada for whole categories of commercial speech.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn28" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn28">[28]</a></p>
<p>As another example, consider the situation of a social network that allows a recruiter to search the profiles of members looking for suitable employee prospects, whom the recruiter then contacts using the social network’s built-in communications tools. Many members would welcome such communications, and therefore they would likely consent to such recruitment messages, presumably at sign-up time. However, FISA’s design does not easily accommodate such a situation. The recruiter cannot directly request consent to send a message to a member of the social network because that message would be deemed to be a commercial electronic message.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn29" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn29">[29]</a> The social network could try to obtain the member’s consent for the recruiter to send such messages. However, FISA contemplates that the consent request must include identification information about the person on whose behalf the consent is being obtained, in this case the recruiter’s identity.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn30" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn30">[30]</a> But is this workable when the identity of the recruiter(s) will only be known much after the consent is granted? Faced with this complexity and uncertainty, recruiters and their social network partners may well ponder if they should avoid offering these services in Canada.</p>
<p>Consider another business model where a virtual gaming site allows members to offer to buy and sell virtual objects amongst themselves. Does each member have to obtain consent from the other members before the messages are sent? Can the social network site request consent in advance for all such messages among members? Bear in mind that the members only disclose game-playing aliases and not their real identities. How then can the identification requirements of FISA be satisfied? How practical is it for each game-player to include an unsubscribe mechanism in every buy-sell offer? If members fail to comply with these identification or unsubscribe mechanisms, will the social network operator have to enforce these requirements in order to avoid liability for aiding in a contravention of FISA? Will the operators of such sites be concerned that they could face accessorial liability for not designing mechanisms to enable their players to comply with FISA? Will they make necessary changes to their games or simply exclude Canadians from being able to join their networks?</p>
<p>Consider next a business model where a social network operator offers business coupons to members and encourages the members to pass the coupons on to friends and social media contacts.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn31" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn31">[31]</a> As an incentive, the operator grants a modest incentive to the member for every person that uses such a passed-on coupon. The passing on of the coupon with an express or implied suggestion as to its use is likely the sending of a commercial electronic message. While some recipients in these models may fit into the personal or family relationship exemption in FISA,<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn32" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn32">[32]</a> others won’t necessarily fall within these so far undefined categories. And how many members are likely to include unsubscribe mechanisms when sending such messages to their contacts? Although one might be tempted to say that no-one will pursue the members for such trivial transgressions of FISA, the operator that knowingly permits such conduct might well worry if it will be at risk of being accused of aiding, inducing, procuring or causing to be procured the doing of any act contrary to the anti-SPAM provisions of FISA.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn33" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn33">[33]</a></p>
<p>Faced with the risks of offending FISA, Canadian businesses will be wary of developing (or continuing to offer) these innovative business models or implementing similar models that are legal in other countries such as the United States. Or if they do wish to develop them, they will feel a strong incentive to develop and launch them outside of Canada. The logical port of call for any such developers will be the United States, with its familiarity to Canadians, vast market, openness to innovation, and ample sources of funding. Canada, which already faces a tough time in fostering innovation inside our borders, will now be adding one more reason for Canadians to take their digital economy initiatives south of the border.</p>
<p><span mce_name="strong" mce_style="font-weight: bold;" style="font-weight: bold;" class="Apple-style-span">FISA Will Deter Service Providers from Locating in Canada </span></p>
<p>In the foregoing, we have explained impediments that will be faced by start-ups and developers of new e-commerce models as a result of FISA. But the potential harm to the Canadian economy goes further. FISA will deter many suppliers from providing innovative services globally using Canadian facilities.</p>
<p>Consider the case of a data centre operator that is deciding where to locate a new server farm.&nbsp; If the operator decides to locate it in Canada, the customers that send electronic commercial messages from those servers will be subject to FISA for all of those communications – even those where the company is non-Canadian and the recipients are all non-Canadian. This consequence arises because FISA applies if a computer system in Canada is used to <u style="">send or receive</u> the electronic message.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn34" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn34">[34]</a> The data centre operator will realize that its customer base will be immediately narrowed if the server farm is located in Canada and knowledgeable customers will ask the operator that servers in Canada not be used for their commercial electronic communication purposes.</p>
<p>For the same reasons, FISA will also deter businesses from operating or using cloud services that have facilities in Canada. In an era of ever-increasing reliance on “cloud computing”, where operators organize servers in the most efficient manner, operators and their customers would avoid locating cloud services with facilities in Canada to avoid burdening their foreign customers with onerous obligations they would not have, and their foreign competitors will not have, if their facilities were located outside of Canada.</p>
<p>Likewise, operators of messaging systems such as e-mail services, social networks, and e-commerce platforms that serve North American or global enterprises will have a strong reason to avoid locating their facilities in Canada to ensure that their global users are not regulated by FISA. They would likely relocate existing Canadian facilities outside of Canada to avoid requiring their non-Canadian customers to bear the costs and expenses of complying with laws that their competitors do not face.</p>
<p>Even established Canadian businesses, especially global ones, might decide that it is in their interest to locate their servers, whether in-house or outsourced, outside the country. Many of them will send commercial electronic communications to non-Canadians. They will not want to take on the FISA-derived extra costs and restrictions associated with communicating with those non-Canadians from a Canadian server. Faced with the choice of two servers, one in Canada for FISA-compliant Canadian messages, and one outside Canada for everything else, many Canadian companies will decide that the most efficient approach is to ensure that all their servers are located outside Canada.</p>
<p>By discouraging service suppliers from locating or maintaining facilities in Canada, not only does Canada lose the jobs, taxes and spin-off activities from such businesses, but Canada’s participation in a core building block of the digital economy is reduced. This in turn lessens the attractiveness of Canada as a location for other participants in the digital economy.</p>
<p><span mce_name="strong" mce_style="font-weight: bold;" style="font-weight: bold;" class="Apple-style-span">FISA Will Deprive Canadians of Products and Services From Foreign Businesses </span></p>
<p>In the foregoing discussion, we have concentrated on the impact of FISA on Canadian businesses and suppliers to those businesses. But there is another constituency that will be impacted by FISA, namely consumers.</p>
<p>FISA will of course benefit consumers by hopefully reducing the flow of SPAM. That is the key purpose behind FISA. But consumers will be negatively impacted by FISA if they cannot benefit from worthwhile commercial electronic messages simply because foreign companies are unwilling to comply with FISA and thus decide simply to exclude Canadians from their electronic communication databases. We have been told by some businesses that the costs of developing specific marketing campaigns for Canadians could influence whether foreign businesses make the same offers to Canadians that they make to their customers in other countries.</p>
<p>The point to realize is that not all commercial electronic messaging is bad and unwanted (although some is undoubtedly both). Some is benign, and some may be quite useful. Indeed, in the example above of a recruiter using social media platforms to contact prospective employees, some may be very welcome.</p>
<p>FISA however risks walling off Canada from the good as well as the bad. And foreign companies, especially international companies that market and promote products and services on a global basis from outside Canada, may well decide that Canada is simply not worth the effort and hazards that come with FISA.</p>
<p><span mce_name="strong" mce_style="font-weight: bold;" style="font-weight: bold;" class="Apple-style-span">FISA Imposes Costs on Canadian Businesses that Foreign Competitors will not Bear </span></p>
<p>Canadian businesses are coming to grips with the costs of FISA compliance, and it is not a happy realization. Businesses that have large contact lists must assess which contacts fit into particular categories: exempt, express consent, implied consent, no consent. The exempt category will be small for most businesses. Where express consent has been given, businesses have to figure out if the consent is sufficient for FISA purposes, now and in the future. Absent express consent, businesses will have to determine if one of the listed categories of an implied consent can apply.&nbsp; This will be difficult to assess in many cases.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn35" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn35">[35]</a> For example, where an individual was entered onto a contact list 5 years ago, how will a business determine if that person voluntarily disclosed his/her email address, or whether it was “conspicuously published” or if there exists an existing business relationship that is less than 2 years old? If the existing business relationship heading is relied on, what sort of routines are in place to determine customer-by-customer when the 2-year window expires? The answer to each of these questions can be determined, but at a cost – a cost that can be significant for a company with thousands or even millions of contacts.</p>
<p>It may be simple to suggest that businesses should just communicate with everyone on their contact lists and ask for express consent. But the response rate from such campaigns is often not large, and Canadian businesses risk a large contraction of their contact lists, with a consequential impact on their business models. In some cases, such as the social network recruiter described earlier, it is questionable if a consent approach is even workable. And, of course, once FISA comes into force, communicating with a contact to ask for consent will itself be prohibited unless some exemption or implied consent applies.</p>
<p>Further, as noted above, Canadian businesses with substantial numbers of non-Canadian contacts will face costs of moving their servers outside of Canada in order to service these non-Canadians, and likely Canadians as well. In the same vein, those Canadian businesses will have to give up any use of cloud computing that involves Canada-based servers if there is a chance that some commercial electronic messaging could originate on servers in Canada.</p>
<p>Canadian businesses will also face extra costs as ongoing customers unsubscribe from commercial electronic messages.&nbsp; The FISA-mandated unsubscribe mechanism must permit the recipient to not receive <u style="">any</u> commercial electronic messages, or any specified class of messages.&nbsp; If even a handful of customers choose the broad unsubscribe option, companies will have to either change their systems to ensure that innocuous commercial electronic messages are not included in ordinary correspondence such as billing statements (consider, for example, a mention that mortgage rates are being reduced which appears in a bank account statement with an offer to extend the mortgage term), or ensure that such correspondence is sent to those customers by the post or other non-electronic means. All of this can be done, but clearly at a cost.&nbsp; The problem would be compounded for businesses that contract with their customers only to communicate electronically.&nbsp; Customers including B2B business partners could arguably use FISA’s unsubscribe right to require communications in a different format and to thereby trump contractually agreed to terms.&nbsp; This could undermine purely electronic means of doing business (including data interchange arrangements) and force companies to cease doing business with any person insisting on an unsubscribe right or to incur substantial costs to do business in a less modern and inefficient way.</p>
<p>In addition to costs of these proactive activities, Canadian businesses will face potentially large costs of after-the-fact compliance by way of substantial fines and class action damages, and associated legal costs, as further discussed below.</p>
<p>In contrast, most non-Canadian competitors do not face equivalent costs. Although some may elect to comply with FISA for their Canadian contacts, others may simply abandon services to Canadians. Others will likely just ignore FISA, expecting that the Canadian regulators will have neither the inclination nor resources nor the jurisdiction to pursue these offenders.</p>
<p><span mce_name="strong" mce_style="font-weight: bold;" style="font-weight: bold;" class="Apple-style-span">FISA’s Enforcement Model is Biased Towards Excessive Fault-Finding, which will Tarnish Legitimate Businesses</span></p>
<p>The penalties for violating FISA are severe. Companies can be subject to fines<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn36" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn36">[36]</a> of up to $10 million per violation. The regulations may specify that violations are a day-by-day determination.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn37" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn37">[37]</a> Officers and directors can be liable, whether or not the corporation is prosecuted.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn38" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn38">[38]</a> If the CRTC does not initiate proceedings, companies can be liable to private action by SPAM recipients, including (most worryingly) class action claims, for actual damages (which will likely be insignificant), but also an additional private fine of up to $1 million per day (which is not so insignificant).<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn39" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn39">[39]</a></p>
<p>The fear of class action claims, which can be very expensive to defend against, will act as a strong incentive for companies to self-report potential contraventions to the CRTC and submit to voluntary undertakings and fines. Entering into such an undertaking with the CRTC will exempt the contravention from private action liability.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn40" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn40">[40]</a> Although this incentive will help ensure FISA compliance, its undoubted goal, it will also encourage companies to confess wrong-doing in situations where the impugned conduct may be questionable or trivial. This will lead to a parade of Canadian businesses being punished under FISA, with the regulators extolling their enforcement proficiency against these wrong-doers.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn41" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn41">[41]</a> As such, the public image of many Canadian businesses will be unfairly tarnished in circumstances where the offending conduct may not be significant.</p>
<p><span mce_name="strong" mce_style="font-weight: bold;" style="font-weight: bold;" class="Apple-style-span">Is It Right To Extensively Chill Commercial Electronic Communications?</span></p>
<p>In the preceding pages, we have explained the negative impact that FISA will have on Canadian businesses and consumers. But there is a larger question that should also be asked. Is it right to so extensively curtail Canadian businesses from engaging in commercial electronic communication, which is, after all, a form of commercial free speech? This is a big question, with clear constitutional overtones. But it is a question that should be asked.</p>
<p>FISA’s regulatory approach to SPAM is to broadly ban all commercial electronic messages unless the messages are sent with prior express consent or fall into an excluded category. The regulatory regime does not focus, as do most laws that restrict the free speech of Canadians, on prohibiting actions that are necessarily unwanted, false, fraudulent, misleading or otherwise harmful. It is therefore inevitable that sending some legitimate, wanted, and economically and socially useful commercial speech will be rendered illegal.</p>
<p>FISA’s curtailment of commercial speech is apparent in a number of ways.</p>
<ul>
<li>The prohibitions on commercial speech are not narrowly tailored to a limited class of electronic communications that are more likely than not to be unwanted or harmful such as direct marketing, pornography, messages sent to consumers that misuse personal information, or messages that are false, fraudulent, or misleading.</li>
<li>Because FISA extends to “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit”, it will extend to activities of not-for-profit entities, educational institutions, charities, private clubs, and political fundraising activities, subject to the specific exceptions that only partially exclude some of their commercial electronic messages.</li>
<li>A message that is, on balance, benign or useful, will nonetheless be caught by FISA if only one of the message’s many purposes would encourage participation in a commercial activity.</li>
<li>FISA’s anti-SPAM provisions provide for extensive accessorial and vicarious liability. Under FISA, liability extends to any person who aids, induces or procures a prohibited act.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn42" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn42">[42]</a> Businesses are liable for acts of their employees within the scope of their authority.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn43" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn43">[43]</a> The liability also extends to officers, directors, agents, and mandataries if they “directed, authorized, assented to, acquiesced, or participated in the prohibited act”.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn44" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn44">[44]</a></li>
<li>A direct result of the “ban-all” approach taken in FISA will be to shift the onus onto individuals and businesses to find an exception that would permit their sending electronic messages. However, as described above, FISA also has extremely tough sanctions that can be levied against individuals or businesses that violate its prohibitions. These sanctions will undoubtedly deter individuals and businesses from sending messages in circumstances where it is unclear they are entitled to do so.</li>
</ul>
<p>The Canadian <span mce_name="em" mce_style="font-style: italic;" style="font-style: italic;" class="Apple-style-span">Charter of Rights and Freedoms</span> protects free speech as one of our highest legal and societal imperatives.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn45" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn45">[45]</a> The courts have recognized that Canadian businesses benefit from this protection and that commercial speech benefits Canadian consumers.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn46" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn46">[46]</a> While limits on free speech are clearly permitted, these limits should be reasonable and justified, with minimal impairment of the free speech right and with the limit on free speech being in proportion to the harm that is being targeted.&nbsp; As we have come to better understand how companies will be required to operate under FISA, questions indeed arise as to whether this important principle has been given appropriate regard.</p>
<p><span mce_name="strong" mce_style="font-weight: bold;" style="font-weight: bold;" class="Apple-style-span">Where Should We Go From Here?</span></p>
<p>Recognizing that it may be too late to revise the FISA legislation, developing sensible regulations will be of paramount importance as many of the deficiencies that we have discussed can be remedied in the regulations. For example, FISA provides significant flexibility for the regulations to exclude classes of commercial electronic messages from its scope.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn47" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn47">[47]</a> FISA also enables the government to create, by regulation, new broad categories of implied consent.<a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn48" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftn48">[48]</a> Employing the regulation process in this remedial manner should not be seen as undermining the basic thrust of FISA, which is to reduce the volume of SPAM, but rather as properly aligning FISA’s benefits with its costs.</p>
<p>To conclude, we believe that it is time to re-examine FISA – and to do so before the regulations are finalized and FISA is proclaimed into law. Failing to undertake such a review, and to make appropriate changes through regulation or otherwise, risks imposing significant burdens on Canadian businesses and depriving Canadians of beneficial services, thereby undermining the promotion of “the efficiency and adaptability of the Canadian economy” that FISA calls for. Other countries have managed to discover a different and more proportionate balance between thwarting SPAM and not impeding legitimate electronic messaging. Canada should seek to do likewise.</p>
<hr size="1">
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref1" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref1">[1]</a> Lorne Salzman and Barry Sookman are lawyers with McCarthy Tétrault LLP.</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref2" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref2">[2]</a> FISA is the acronym for “Fighting Internet and Wireless Spam Act”, a title bestowed in an early version of the legislation that was eventually passed by the Canadian Parliament. Unfortunately (and unusually), the final version did not include any such short-form title. Accordingly, some commentators refer to FISA, while others refer to “CASL”, which is the acronym for Canadian Anti-Spam Legislation, while others employ yet other titles and abbreviations. For ease of understanding, we will use the term “FISA” in this commentary.</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref3" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref3">[3]</a> Available at www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00317.html</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref4" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref4">[4]</a> www.ftc.gov/bcp/edu/microsites/spam/rules.htm</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref5" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref5">[5]</a> www.austlii.edu.au/au/legis/cth/consol_act/sa200366/</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref6" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref6">[6]</a> www.legislation.govt.nz/act/public/2007/0007/latest/DLM405134.html</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref7" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref7">[7]</a> The breadth of FISA’s prohibitions can be seen from looking at the definitions:</p>
<p>• An “electronic message” is an open ended list of message types: a “message sent by any means of telecommunication, including a text, sound, voice or image message”.</p>
<p>• An “electronic address” is an open ended list of types of addresses to which messages may be sent; it is “an address used in connection with the transmission of an electronic message to (a) an electronic mail account; (b) an instant messaging account; (c) a telephone account; or (d) any similar account”.</p>
<p>• A “commercial electronic message” is an open ended list of electronic messages “that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that (a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; (b) offers to provide a business, investment or gaming opportunity; (c) advertises or promotes anything referred to in paragraph (a) or (b); or (d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.” An electronic message that contains a request to send a prohibited message is also deemed to be a prohibited commercial electronic message.</p>
<p>• A “commercial activity” is also broadly defined to mean “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit”. It excludes “any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada”.</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref8" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref8">[8]</a> s. 6(5)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref9" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref9">[9]</a> s. 6(7)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref10" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref10">[10]</a> s. 1(1)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref11" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref11">[11]</a> s. 6(6)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref12" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref12">[12]</a> ss. 10(9) and 10(10)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref13" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref13">[13]</a> ss. 10(9) and 10(13)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref14" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref14">[14]</a> s. 10(9)(b)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref15" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref15">[15]</a> s. 10(9)(c)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref16" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref16">[16]</a> s. 10(9)(d)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref17" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref17">[17]</a> s. 10(1)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref18" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref18">[18]</a> s. 1(3)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref19" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref19">[19]</a> ss. 6(2) and 6(3)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref20" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref20">[20]</a> ss. 11(1) and 11(2)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref21" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref21">[21]</a> Despite problems under FISA, collecting personal information from some of the sources described above would likely be permissible under PIPEDA (Canada’s federal privacy law) pursuant to regulations which permit the collection, use and disclosure of personal information that is publicly available. See Regulations Specifying Publicly Available Information, P.C. 2000-1777 13 December, 2000, <a href="http://www.gazette.gc.ca/archives/p2/2001/2001-01-03/html/sor-dors7-eng.html" mce_href="http://www.gazette.gc.ca/archives/p2/2001/2001-01-03/html/sor-dors7-eng.html">http://www.gazette.gc.ca/archives/p2/2001/2001-01-03/html/sor-dors7-eng.html</a></p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref22" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref22">[22]</a> s. 10(9)(b). This section has some overlap with the PIPEDA publicly available exception. However, the FISA exception is limited to where the recipient “has conspicuously published, or caused to be conspicuously published”, the electronic address. It would seem to clearly apply where an individual publishes his/her email address on a web site. It is much less clear that it applies where an individual gives his/her email address to an organization and the organization publishes the email address in a directory or other publication. To fall within the exception one would have to conclude that by giving an organization an email address, the person who provides the email address “causes” the organization to publish it – which may be somewhat of a stretch.</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref23" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref23">[23]</a> s. 82 (adding new s. 7.1(2) to PIPEDA)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref24" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref24">[24]</a> Short Message Service (SMS) is a text-based data communications service typically used in connection with cell phones and smart phones.</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref25" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref25">[25]</a> ss. 6(2) and 11(1)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref26" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref26">[26]</a> s. 11(1).</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref27" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref27">[27]</a> s. 10(1).</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref28" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref28">[28]</a> For a real life example of an entrepreneur who recently used Twitter service as a pivotal aid in launching a new business, see: www.thestar.com/business/smallbusiness/article/985678&#8211;twitter-marketing-word-of-mouth-on-steroids</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref29" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref29">[29]</a> s. 1(3). It does not appear that this approach would fall within any of the existing exceptions including the exception for inquiries (s. 6(5)(b)). The message would be an inquiry, but would not necessarily be an inquiry related to the commercial activity of the recipient. It would not fall into the employment benefits exception either. (s. 6(6)(e)).</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref30" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref30">[30]</a> s. 10(1). The upcoming regulations are expected to address the identification information that will be required.</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref31" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref31">[31]</a> Other innovative businesses also use variations on the “refer a friend” business model.</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref32" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref32">[32]</a> s. 6(5)(a)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref33" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref33">[33]</a> s. 9</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref34" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref34">[34]</a> s. 12(1)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref35" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref35">[35]</a> Consents obtained under PIPEDA cannot be relied upon given PIPEDA recognizes opt-out consents in many circumstances.</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref36" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref36">[36]</a> Technically, the fines are referred to as “administrative monetary penalties”. Quaintly, FISA states that these penalties are “to promote compliance” but not “to punish”. See s. 20.</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref37" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref37">[37]</a> s. 20(5)(a)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref38" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref38">[38]</a> s. 52. Note that there is a “due diligence” defence that may be available in some cases to companies and their staff. See s. 54(1).</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref39" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref39">[39]</a> s. 51(1)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref40" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref40">[40]</a> s. 48(1)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref41" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref41">[41]</a> As an example of the CRTC’s press releases when it punishes offenders of the do-not-call regime, see www.crtc.gc.ca/eng/com100/2010/r101217.htm</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref42" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref42">[42]</a> s. 9</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref43" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref43">[43]</a> ss. 32 and 53</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref44" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref44">[44]</a> ss. 31 and 52</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref45" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref45">[45]</a> See s. 2(b) of the Charter.</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref46" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref46">[46]</a> See <span mce_name="em" mce_style="font-style: italic;" style="font-style: italic;" class="Apple-style-span">RJR-MacDonald Inc. v. Canada (Attorney General)</span>, [1995] 3 S.C.R. 199; <span mce_name="em" mce_style="font-style: italic;" style="font-style: italic;" class="Apple-style-span">Rocket v. Royal College of Dental Surgeons of Ontario</span>, [1990] 2 S.C.R. 23.</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref47" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref47">[47]</a> s. 6(5)(c)</p>
<p><a href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref48" mce_href="http://www.barrysookman.com/wp-includes/js/tinymce/plugins/paste/pasteword.htm?ver=327-1235#_ftnref48">[48]</a> s. 10(9)(d)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barrysookman.com/2011/05/25/rethinking-fisa/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Name Canada’s Anti-Spam/Anti-Spyware Law</title>
		<link>http://www.barrysookman.com/2011/02/06/name-canada%e2%80%99s-anti-spamanti-spyware-law/</link>
		<comments>http://www.barrysookman.com/2011/02/06/name-canada%e2%80%99s-anti-spamanti-spyware-law/#comments</comments>
		<pubDate>Mon, 07 Feb 2011 01:35:01 +0000</pubDate>
		<dc:creator>Barry Sookman</dc:creator>
				<category><![CDATA[Bill C-28]]></category>
		<category><![CDATA[Bill C-58]]></category>
		<category><![CDATA[E-commerce]]></category>
		<category><![CDATA[Electronic Commerce Protection Act (ECPA)]]></category>
		<category><![CDATA[FISA]]></category>
		<category><![CDATA[FIWSA]]></category>
		<category><![CDATA[misleading advertising]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[ECPA]]></category>
		<category><![CDATA[Electronic Commerce Protection Act]]></category>
		<category><![CDATA[spam bill]]></category>

		<guid isPermaLink="false">http://www.barrysookman.com/?p=2644</guid>
		<description><![CDATA[Canada has a new anti-SPAM and anti-spyware law, Bill C-28. It is a law with an inordinately long name: “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-size: 13.3333px;">Canada has a new anti-SPAM and anti-spyware law, <a href="http://www2.parl.gc.ca/HousePublications/Publication.aspx?Language=E&amp;Parl=40&amp;Ses=3&amp;Mode=1&amp;Pub=Bill&amp;Doc=C-28_4">Bill C-28</a>. It is a law with an inordinately long name: “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act”.</span></p>
<p>The Bill has no short title. As a result, different terms and acronyms are being used to refer to it, including the ECPA, FISA, FIWSA, the SPAM Bill, the Anti-SPAM Legislation, and the Anti-SPAM and Anti-Spyware Bill.</p>
<p>The Bill needs a short title we can all agree on. I am asking you to help decide what we call it.</p>
<p><strong>Some Background</strong></p>
<p>On April 24, 2009, the Government introduced <a href="http://www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=3832885&amp;Language=e&amp;Mode=1">Bill C-27</a>. Its short title was the <em>Electronic Commerce Protection Act</em>, abbreviated ECPA. It received second reading in the House of Commons. However, the ECPA died on the Order Paper when it reached the stage of second reading in the Senate, due to the prorogation of Parliament on December 30, 2009.</p>
<p>On 25 May 2010, the Government introduced Bill C-28. This bill was based substantially on Bill C-27. At <a href="http://www2.parl.gc.ca/HousePublications/Publication.aspx?Language=E&amp;Parl=40&amp;Ses=3&amp;Mode=1&amp;Pub=Bill&amp;Doc=C-28_1&amp;File=32%22%20%5Cl%20%221">first reading</a> in the House of Commons, the short title of the Bill was <em>Fighting Internet and Wireless Spam Act</em>. It was also known by the acronyms <a href="http://www.canadiantechnologyiplaw.com/2010/06/articles/privacy/canadian-government-reintroduces-antispam-legislation/">FIWSA</a> or <a href="http://www2.parl.gc.ca/Sites/LOP/LegislativeSummaries/Bills_ls.asp?lang=E&amp;ls=c28&amp;source=library_prb&amp;Parl=40&amp;Ses=3">FISA</a>.<span style="font-size: 13.3333px;"> </span></p>
<p>Bill C-28 was reviewed by the <a href="http://www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=4754401&amp;Language=E&amp;Mode=1&amp;Parl=40&amp;Ses=3">Standing Committee on Industry, Science and Technology</a>. On Tuesday, November 2, 2010, the Committee voted to amend the Bill to remove the short title. The amendment was initiated by NDP MP Brian Masse during the following exchange in the Committee hearings over the short title:</p>
<blockquote><p><span style="text-decoration: underline;">Mr. Brian Masse</span>:</p>
<p>I have just one last quick question. I noticed that the short title of the bill has been amended. We&#8217;ve had some things around that. Who suggested that the short title be changed?</p>
<p><span style="text-decoration: underline;">Mrs. Janet DiFrancesco: </span></p>
<p><span style="font-size: 13.3333px;">The short title of the bill was provided to us.</span></p>
<p>I also can&#8217;t tell you why they dropped a letter out of it. I don&#8217;t know what happened to the “W” to go with the initials FISA, but that was the acronym they also gave us when it was tabled.</p>
<p><span style="text-decoration: underline;">Mr. Brian Masse:</span></p>
<p>I suspected as much.</p>
<p>Thank you very much for your answers. I appreciate them.</p>
<p>Thank you, Mr. Chair. I&#8217;m all done.</p>
<p><span style="text-decoration: underline;">The Chair:</span></p>
<p>There are 92 clauses, so we&#8217;ll postpone the short title, as is the practice per Standing Order 75(1).</p>
<p>(Clauses 2 to 92 inclusive agreed to)</p>
<p>(On clause 1—Short title)…</p>
<p><span style="text-decoration: underline;">The Chair:</span></p>
<p>Shall the short title carry?</p>
<p><span style="text-decoration: underline;">Mr. Brian Masse:</span></p>
<p>No, I&#8217;m not going to agree to the short title. First of all, it wasn&#8217;t from the department. We got into these silly games of naming bills with these little titles here and there. I&#8217;m not going to give them this; it&#8217;s just ridiculous to do this type of stuff. I haven&#8217;t seen this in the years I&#8217;ve been here, so I&#8217;m not supporting this nonsense.</p>
<p><span style="text-decoration: underline;">The Chair:</span></p>
<p>Okay.</p>
<p><span style="text-decoration: underline;">Mr. Anthony Rota:</span></p>
<p>Mr. Chair, just for clarification, if we vote in favour of the title, then it has a title. If we vote against the short title, then it has no title. Am I correct?</p>
<p><span style="text-decoration: underline;">The Chair:</span></p>
<p><span style="font-size: 13.1944px;">That&#8217;s right. We&#8217;ll report it back that way. We&#8217;ll still have the long title.</span></p>
<p><span style="text-decoration: underline;">Mr. Anthony Rota:</span></p>
<p>I just wanted to clarify that. Thank you.</p>
<p><span style="text-decoration: underline;">The Chair:</span></p>
<p>Shall the short title carry? Can I see a show of hands?</p>
<p>(Clause 1 negatived)</p>
<p><span style="text-decoration: underline;">The Chair</span>: It&#8217;s defeated.</p>
<p>Shall the title carry?</p>
<p>Some hon. members: Agreed.</p>
<p><span style="text-decoration: underline;">The Chair:</span> Shall the bill as amended carry?</p>
<p>Some hon. members: Agreed.</p>
<p><span style="text-decoration: underline;">The Chair:</span> Shall I report the bill, as amended to the House?</p>
<p>Some hon. members: Agreed.</p>
<p><span style="text-decoration: underline;">The Chair</span>: Shall the committee order a reprint of the bill?</p>
<p>Some hon. members: Agreed.</p>
<p>The Chair: Gentlemen, that&#8217;s very good work. We have no meeting on Thursday.</p>
<p>The meeting&#8217;s adjourned.</p></blockquote>
<p>The Bill eventually passed the House of Commons and the Senate before being given <a href="http://www2.parl.gc.ca/sites/lop/legisinfo/index.asp?Language=E&amp;Chamber=N&amp;StartList=A&amp;EndList=Z&amp;Session=23&amp;Type=0&amp;Scope=I&amp;query=7019&amp;List=stat">Royal Assent</a> on December 15, 2010. It awaits publication of the regulations and then proclamation, which is expected to occur in the fall of this year.<span style="font-size: 13.1944px;"> </span></p>
<p><strong>You Name the Bill</strong></p>
<p>Bill C-28 is going to be with us for a long time. It is legislation that is very complex and will undoubtedly result in considerable study, litigation (including class action proceedings) and enforcement proceedings before the CRTC. (The Bill is summarized <a href="http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00568.html">here</a>, <a href="http://www.barrysookman.com/2011/01/26/impacts-of-bill-c-28-the-new-anti-spam-and-anti-spyware-legislation/">here</a>, <a href="http://www.barrysookman.com/2011/01/06/canada-passes-anti-spam-and-anti-spyware-law/">here</a>, and <a href="http://www.lexology.com/library/detail.aspx?g=f5266525-0a55-47c5-803a-abdf4bad5a22">here</a>.)</p>
<p>We need a common way of referring to it. We need a short title. What do you think it should be?</p>
<p>I encourage you to email me (bsookman@mccarthy.ca) or post comments on my blog with your recommended short name (and/or acronym) and the reasons for choosing it. I will list the top few suggested names along with some of the main reasons for suggesting them and ask people to let me know their preferences.*</p>
<p>What do you recommend we call the Bill and why?</p>
<p>One of the people to recommend the winning name will be given a McCarthy Tétrault branded gift as a reward for his/her skill.</p>
<p>* By participating, you confirm you are okay with me attributing (or not attributing) suggestions to you, unless you let me know otherwise.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barrysookman.com/2011/02/06/name-canada%e2%80%99s-anti-spamanti-spyware-law/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Impacts of Bill C-28 (the new anti-SPAM and anti-spyware legislation)</title>
		<link>http://www.barrysookman.com/2011/01/26/impacts-of-bill-c-28-the-new-anti-spam-and-anti-spyware-legislation/</link>
		<comments>http://www.barrysookman.com/2011/01/26/impacts-of-bill-c-28-the-new-anti-spam-and-anti-spyware-legislation/#comments</comments>
		<pubDate>Wed, 26 Jan 2011 20:11:31 +0000</pubDate>
		<dc:creator>Barry Sookman</dc:creator>
				<category><![CDATA[Bill C-28]]></category>
		<category><![CDATA[E-commerce]]></category>
		<category><![CDATA[Electronic Commerce Protection Act (ECPA)]]></category>
		<category><![CDATA[Presentations]]></category>
		<category><![CDATA[address harvesting]]></category>
		<category><![CDATA[ECPA]]></category>
		<category><![CDATA[FIWSA]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.barrysookman.com/?p=2588</guid>
		<description><![CDATA[The new anti-SPAM and anti-spyware legislation (Bill C-28) will have significant implications for entities carrying on business in Canada and for entities doing business with Canadians. Its scope is very broad. Its approach to tackling the challenges posed by SPAM, malware, spyware, false and misleading representations associated with electronic messages, and harvesting of electronic addresses and personal information, is comprehensive.
The legislation creates [...]]]></description>
			<content:encoded><![CDATA[<p>The new anti-SPAM and anti-spyware legislation (Bill C-28) will have significant implications for entities carrying on business in Canada and for entities doing business with Canadians. Its scope is very broad. Its approach to tackling the challenges posed by SPAM, malware, spyware, false and misleading representations associated with electronic messages, and harvesting of electronic addresses and personal information, is comprehensive.</p>
<p>The legislation creates significant vicarious and accessorial liability for companies and for their officers and directors with the potential for administrative penalties of up to $10 million and damages awards which can reach $1 million per day or per breach.</p>
<p>Accordingly, you will want to learn about this new legislation and how to comply with its many provisions. To help you do so, I am posting slides prepared by Lorne Salzman and me for the IT Can Roundtable presentation we gave earlier today on the impacts of Bill C-28.</p>
<p><a title="View Sookman Salzman ITCAN Spam Slides on Scribd" href="http://www.scribd.com/doc/47617311/Sookman-Salzman-ITCAN-Spam-Slides">Sookman Salzman ITCAN Spam Slides</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.barrysookman.com/2011/01/26/impacts-of-bill-c-28-the-new-anti-spam-and-anti-spyware-legislation/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Canada Passes Anti-Spam and Anti-Spyware Law</title>
		<link>http://www.barrysookman.com/2011/01/06/canada-passes-anti-spam-and-anti-spyware-law/</link>
		<comments>http://www.barrysookman.com/2011/01/06/canada-passes-anti-spam-and-anti-spyware-law/#comments</comments>
		<pubDate>Thu, 06 Jan 2011 17:16:46 +0000</pubDate>
		<dc:creator>James Gannon Charles S. Morgan Lorne P. Salzman</dc:creator>
				<category><![CDATA[E-commerce]]></category>
		<category><![CDATA[Electronic Commerce Protection Act (ECPA)]]></category>
		<category><![CDATA[anti-spam]]></category>
		<category><![CDATA[ECPA]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam bill]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.barrysookman.com/?p=2484</guid>
		<description><![CDATA[Organizations that conduct business online should start preparing for Canada’s new anti-spam and anti-spyware legislation, which was passed in mid-December and is expected to come into force later this year.1 As the Act is complex and the penalties for violating the new law can be severe, organizations should review and modify their online practices, where [...]]]></description>
			<content:encoded><![CDATA[<p>Organizations that conduct business online should start preparing for Canada’s new anti-spam and anti-spyware legislation, which was passed in mid-December and is expected to come into force later this year.<sup>1</sup> As the Act is complex and the penalties for violating the new law can be severe, organizations should review and modify their online practices, where necessary, at an early opportunity.</p>
<div><strong>Anti-Spam Provisions</strong></div>
<p>The Act prohibits organizations from sending commercial electronic messages unless the recipient has given express or implied consent. A &#8220;commercial&#8221; electronic message is an electronic message where one of its purposes is to encourage participation in commercial activity. An &#8220;electronic message&#8221; is defined broadly to include any &#8220;message sent by any means of telecommunication, including a text, sound, voice or image message.&#8221; This covers e-mails, text messages, instant messages, &#8220;tweets&#8221; or Facebook® postings, but excludes two-way voice communication, faxing to a telephone account or accessing a voice mailbox.</p>
<p>When requesting express consent to send a commercial electronic message, an organization must &#8220;clearly and simply&#8221; set out the purpose(s) for which consent is being sought and identify the organization seeking the consent. However, consent is not required to send a commercial electronic message where the purpose is to:</p>
<ul>
<li>provide a quote or estimate in response to a request;</li>
<li>facilitate, complete or confirm a pre-agreed commercial transaction;</li>
<li>provide warranty, product recall or safety information to a purchaser of goods;</li>
<li>provide information related to an ongoing subscription, membership, account or loan;</li>
<li>provide information related to an employment relationship; or</li>
<li>deliver a pre-authorized product, goods or service, including product updates and upgrades.</li>
</ul>
<p>Consent to receive messages can also be implied, most notably where:</p>
<ul>
<li>the sender and the recipient have an existing business relationship or non-business relationship (<em>e.g.</em>, membership in a club), where the relationship arose within the past two years or is pursuant to a contract in effect in the past two years;</li>
<li>the recipient has &#8220;conspicuously published&#8221; its electronic address and has not indicated a desire to not receive unsolicited commercial electronic messages, <em>and</em> the message is relevant to the recipient’s business role; or</li>
<li>the recipient has provided its electronic address to the sender without indicating a wish not to receive unsolicited commercial electronic messages, <em>and</em> the message is relevant to the recipient’s business role.</li>
</ul>
<p>The Act also requires that all commercial electronic messages identify the sender, include the sender’s contact information, and provide an &#8220;unsubscribe&#8221; mechanism so that the recipient can opt out of receiving future communications.</p>
<div><strong>Anti-Spyware Provisions</strong></div>
<div>To combat spyware, malware and other malicious software, the Act prohibits the installation of computer programs without the consent of the computer’s user or owner. When consent to install the program is requested, it must &#8220;describe clearly and simply the function and purpose of every computer program that is to be installed.&#8221;</div>
<p>In addition, if a program performs certain potentially undesirable functions, it must bring its &#8220;foreseeable impacts&#8221; to the attention of the user. The prescribed list of undesirable functions includes:</p>
<ul>
<li>collecting personal information stored on the computer system;</li>
<li>interfering with the user’s control of the computer system;</li>
<li>changing or interfering with settings or preferences on the computer system without the user’s knowledge;</li>
<li>interfering with access to or use of data on the computer system;</li>
<li>causing the computer system to communicate with another computer system without the authorization of the user; or</li>
<li>installing a computer program that may be activated by a third party without the knowledge of the user.</li>
</ul>
<p>These requirements apply not only to personal computers and computer servers, but also to any electronic device that allows for the installation of third-party programs — such as smartphones and tablets. Programs are exempted from these requirements only if it is reasonable to conclude from the recipient’s conduct that the recipient consented to the installation of the programs (<em>e.g.</em>, HTML code, Web cookies, JavaScript code, operating systems, patches and add-ons). Program upgrades and updates are also exempt if the recipient consented to the initial installation and is entitled to receive upgrades or updates.</p>
<p><strong>Amendments to the <em>Competition Act </em>and <em>PIPEDA</em><sup>2</sup></strong></p>
<p>The Act amends the <em>Competition Act</em> to prohibit false or misleading representations in the sender description, subject matter field or message field of an electronic message, or in the URL or other locator on a webpage. Senders will have to be particularly wary of making overly boastful statements in subject matter lines in an attempt to catch readers’ attention.</p>
<p>The Act also amends <em>PIPEDA</em> to prohibit the collection of personal information by means of unauthorized access to computer systems, and the unauthorized compiling of lists of electronic addresses (sometimes called &#8220;address harvesting&#8221;).</p>
<div><strong>Enforcement and Penalties</strong></div>
<div>Violators of the anti-spam and anti-spyware provisions of the Act could face fines of up to $1 million for individuals and $10 million for organizations per violation. Officers and directors can also be penalized if they directed, authorized, acquiesced in or participated in the offending conduct. The Act is enforced by the Canadian Radio-television and Telecommunications Commission.</div>
<p>The Act also creates a private right of action that allows any business or consumer to take civil action directly against anyone who violates the Act, or the new false or misleading representations provisions of the <em>Competition Act</em>. The Act contemplates that a litigant will be able to recover its actual damages <em>and </em>additional amounts that could amount to as much as $1 million per day. These latter provisions will undoubtedly excite the plaintiff class action bar.</p>
<div><strong>McCarthy Tétrault Notes</strong></div>
<div>While aimed at preventing spam and spyware, the Act imposes strict requirements on all businesses that use electronic communication. Any company conducting business online (including through e-mails) should be aware of these new requirements and may need to adapt their business practices. In order to prepare for the Act coming into force, which is expected in the next six to nine months, organizations should consider taking the following steps:</div>
<ul>
<li>review and update website privacy policies and terms and conditions to ensure proper consents for the collection of personal information and/or the installation of computer programs on dynamic websites;</li>
<li>review and update their forms for obtaining express consent to send commercial electronic messages (including e-mail or newsletters) or to install software programs, to ensure that the forms satisfy the prescribed requirements;</li>
<li>re-examine their procedures for documenting the receipt of consent, as the onus will rest on senders and software developers to prove they obtained consent;</li>
<li>ensure that any commercial electronic message contains the prescribed information and an unsubscribe mechanism that is operational for the specified period;</li>
<li>deal with unsubscribe requests within the requisite time frame;</li>
<li>ensure that any process that involves online collection of e-mail addresses or other personal information complies with the amendments to the <em>PIPEDA</em>;</li>
<li>generally review and revise marketing, advertising and external communication practices to comply with the requirements of the Act and the new provision of the <em>Competition Act</em>; and</li>
<li>in the case of software developers:
<ul>
<li>examine their program-installation procedures to ensure that information about the function and purpose of the program is provided prior to installation;</li>
<li>if the program performs one of the prescribed undesirable functions, the disclosure mechanism will also need to describe the foreseeable impacts of these functions; and</li>
<li>revise end-user licence agreements (EULAs) to ensure that consent to install patches and upgrades is expressly obtained before installation of computer programs.</li>
</ul>
</li>
</ul>
<hr />
<p><sup><strong>1</strong></sup> The full name of the Act is long, and quite unmemorable: &#8220;An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the <em>Canadian Radio-television and Telecommunications Commission Act</em>, the <em>Competition Act</em>, the <em>Personal Information Protection and Electronic Documents Act</em> and the <em>Telecommunications Act</em>.&#8221; The Act will come into force upon proclamation.</p>
<p><sup>2</sup> <em>Personal Information Protection and Electronic Documents Act</em>, which is the primary federal statute that addresses privacy matters.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barrysookman.com/2011/01/06/canada-passes-anti-spam-and-anti-spyware-law/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Industry Committee Amends Anti-Spam Bill (ECPA)</title>
		<link>http://www.barrysookman.com/2009/10/27/industry-committee-amends-anti-spam-bill-ecpa/</link>
		<comments>http://www.barrysookman.com/2009/10/27/industry-committee-amends-anti-spam-bill-ecpa/#comments</comments>
		<pubDate>Wed, 28 Oct 2009 03:03:37 +0000</pubDate>
		<dc:creator>Barry Sookman</dc:creator>
				<category><![CDATA[Electronic Commerce Protection Act (ECPA)]]></category>
		<category><![CDATA[address harvesting]]></category>
		<category><![CDATA[ECPA]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.barrysookman.com/?p=135</guid>
		<description><![CDATA[By Barry Sookman and James Gannon
In May of this year, we sent an e-Alert that reviewed the concerns many Canadian businesses had expressed with the first draft of Bill C-27 – the Electronic Commerce Protection Act (ECPA). The Bill was criticized for containing overly broad anti-spam and anti-spyware provisions that would have rendered illegal many [...]]]></description>
			<content:encoded><![CDATA[<p>By Barry Sookman and James Gannon</p>
<p>In May of this year, we sent an e-Alert that reviewed the concerns many Canadian businesses had expressed with the first draft of Bill C-27 – the Electronic Commerce Protection Act (ECPA). The Bill was criticized for containing overly broad anti-spam and anti-spyware provisions that would have rendered illegal many common legitimate commercial practices. It would have potentially exposed businesses to millions of dollars in fines and liabilities for activities that were unrelated to sending spam emails or installing spyware programs.</p>
<p>Since then, officials at Industry Canada and MPs on the Standing Committee on Industry, Science and Technology (INDU) have made substantial amendments to the Bill to address the concerns raised by Canadian businesses.  However, some problems remain.</p>
<p><strong>Amendments to the ECPA</strong></p>
<p>The INDU Committee completed its clause-by-clause review of the ECPA on Monday, October 26. Among the amendments recommended by the committee:</p>
<ul>
<li>The spam provisions will not extend to electronic messages that (a) provide a quote or estimate; (b) facilitate, complete or confirm an existing commercial transaction; (c) provide warranty information; (d) provide information related to an ongoing subscription, membership, account or loan; (e) provide information related to an employment relationship; or (f) deliver a product, goods or a service, including product updates and upgrades.</li>
<li>The spam provisions will also not extend to messages sent to a published e-mail address where the message is relevant to the person’s type of business; such a message is not considered spam.</li>
<li>The anti-spam laws will now only apply to messages that are sent or accessed from within Canada. Messages that are merely routed through a Canadian server will not be subject to the Bill.</li>
<li>The disclosure requirements for the installation of computer programs were changed from describing the “function, purpose and impact” of the program to simply the “function and purpose.” However, if a program performs certain undesirable functions, it must bring their foreseeable impacts to the attention of the user. The prescribed list of undesirable functions is similar to those found in international anti-spyware law precedents.</li>
<li>The anti-spyware law was also amended to create exceptions for software updates, upgrades and patches.</li>
<li>Certain programs were excluded from the consent requirements of the anti-spyware law, including web cookies, HTML code, JavaScript and operating systems.</li>
<li>The maximum damage award for a contravention of the anti-spyware provision was changed from $200 per contravention to $1 million for each day on which a contravention occurred.</li>
<li>Transitional provisions were included so that businesses have up to three years to obtain consent to send messages from existing business contacts. Similarly, if a computer program was already installed before the ECPA comes into force, the user’s consent to updates and upgrades can be implied for up to three years.</li>
</ul>
<p>While these amendments would alleviate a number of concerns that were expressed with respect to the ECPA, a key amendment to Section 78 that had sought to preserve the ability to collect personal information to investigate breaches of law was not adopted by the Committee.</p>
<p><strong>PIPEDA Provisions</strong></p>
<p>Under the original draft of the Bill, PIPEDA would have been amended to make it illegal to collect “personal information, through any means of telecommunication, if the collection is made by accessing a computer system or causing a computer system to be accessed without authorization.” There were no exceptions to this prohibition.</p>
<p>Business groups such as the Canadian Chamber of Commerce, ITAC and others were concerned that the new prohibition was not subject to the usual PIPEDA exceptions, including the exception that permits the collection of personal information for the purposes of investigating breaches of an agreement or the contravention of a federal or provincial law.</p>
<p>The business community was worried that s.78 could have been construed to prevent the collection of personal information over the Internet to investigate contraventions of law including: fraud such as bank, insurance, and credit card fraud; money laundering, securities violations, theft, misappropriation, or unauthorized use of confidential information/personal information; violations of business practices legislation; defamation; workplace-related sexual harassment; computer hacking, including committing the criminal offences associated with theft of telecommunications services, making unauthorized use of a computer, or mischief in relation to data; identity theft or impersonation; and violations of copyright by peer-to-peer networks and other infringers.</p>
<p>The government had tabled amendments to fix this potentially serious flaw in the Bill; however, during the final day of Committee hearings, the government withdrew its proposed amendment and the flawed bill is being sent to Parliament for Third Reading. If the proposed amendments are not made before the Bill becomes law, there could be serious implications for private and public law enforcement in Canada.</p>
<p><strong>Conclusion</strong></p>
<p>Bill C-27 will now go to the Senate before becoming law. It will have major implications for software licensing practices as well as for how businesses collect and use personal information in their electronic communications. Since the Bill will become law soon, it is essential that businesses review their practices concerning sending electronic messages, their privacy policies, and software licence and maintenance agreements to ensure compliance with the ECPA.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barrysookman.com/2009/10/27/industry-committee-amends-anti-spam-bill-ecpa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anti-Spam Bill Raises Concerns</title>
		<link>http://www.barrysookman.com/2009/05/12/anti-spam-bill-raises-concerns-2/</link>
		<comments>http://www.barrysookman.com/2009/05/12/anti-spam-bill-raises-concerns-2/#comments</comments>
		<pubDate>Tue, 12 May 2009 21:44:48 +0000</pubDate>
		<dc:creator>Barry Sookman</dc:creator>
				<category><![CDATA[E-commerce]]></category>
		<category><![CDATA[Electronic Commerce Protection Act (ECPA)]]></category>
		<category><![CDATA[bill c-27]]></category>
		<category><![CDATA[ECPA]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.barrysookman.com/?p=68</guid>
		<description><![CDATA[ On May 8, 2009, the Electronic Commerce Protection Act (ECPA) received a second reading in the House of Commons. The Government of Canada had introduced the bill on April 24th. The intention of the ECPA is &#8220;to deter the most dangerous forms of spam, such as identity theft, phishing and spyware, from occurring in [...]]]></description>
			<content:encoded><![CDATA[<p>On May 8, 2009, the <em>Electronic Commerce Protection Act</em> (<em>ECPA</em>) received a second reading in the House of Commons. The Government of Canada had introduced the bill on April 24<sup>th</sup>. The intention of the <em>ECPA</em> is &#8220;to deter the most dangerous forms of spam, such as identity theft, phishing and spyware, from occurring in Canada&#8221; and to &#8220;help drive spammers out of Canada.&#8221; The bill also contains provisions intended to combat spyware by prohibiting the installation of computer programs without the consent of the computer’s owner. While the objective of the legislation is laudable, the bill&#8217;s overly broad language could circumscribe legitimate business-to-business marketing and impact software companies&#8217; ability to deliver upgrades and patches to customers.</p>
<p><strong><em>Restrictions on Commercial Electronic Messages</em></strong></p>
<p>Section 6(1) of the <em>ECPA</em> states that &#8220;No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and (b) the message complies [with specified formalities].&#8221; Unlike other international anti-spam legislation, the prohibition against unsolicited commercial messages in the <em>ECPA</em> is not limited to messages sent with some element of fraud or misleading information, sent with an &#8220;intent to deceive or mislead,&#8221; sent to addresses that were gathered using &#8220;automated means,&#8221; or sent in bulk.</p>
<p>Technologies affected by this provision include commercial electronic messages sent by e-mail, instant messaging and mobile phones ― and probably also messages sent using social networks, chat groups, Internet forums, business networks, and websites where users have accounts. The <em>ECPA</em> would prohibit sending &#8220;an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity.&#8221; The types of communication technologies that are subject to the prohibition are open-ended, and the messages that are sent must include prescribed content and be in a prescribed form.</p>
<p>The requirements for obtaining express consent are stringent and the circumstances in which an implied consent can be relied upon are limited. It is not possible to seek consent electronically, because such a request itself would be a prohibited electronic message. Consent is implied only where the sender has an existing relationship with the recipient.</p>
<p><strong><em>Restrictions on Software Installation</em></strong></p>
<p>Although the government’s stated intent in introducing this bill is to stop the spread of unlawful programs engaged in &#8220;the collection of personal information through illicit access to computer systems,&#8221; the <em>ECPA</em> would actually prohibit a business from installing any computer program on any person’s computer without obtaining express consent. As currently drafted, this provision would outlaw any program, patch, upgrade or add-on installed without express consent.</p>
<p>The <em>ECPA</em> would also require, before any software is installed on a computer, that the person requesting consent &#8220;describe clearly and simply the function, purpose and impact of every computer program that is to be installed.&#8221; The provisions in the <em>ECPA</em> would apply not only to personal computers but to a whole host of devices, from iPhones and BlackBerry® devices to mainframe computers, even though many do not have the capability of displaying consent forms and relaying consent.</p>
<p><strong><em>Administrative Penalties</em></strong></p>
<p>The <em>ECPA</em> would make the violation of the above provisions subject to &#8220;administrative monetary&#8221; penalties of up to $1 million in the case of an individual, or $10 million in the case of a non-individual. These high penalties can be exacted without any right to a trial, and a conviction can be entered on proof of only a &#8220;balance of probabilities.&#8221; This liability would also extend to employers, officers, directors or agents of a company. It also appears to include a statutory damages regime that could result in an order to pay &#8220;a maximum of $200 for each contravention of the provision, not exceeding $1,000,000 for each day on which one or more of those contraventions occurred.&#8221; This liability would also extend to employers, officers and directors of a company.</p>
<p>The bill also contains a new private right of action for any person who alleges that they are affected by an act or omission that constitutes a contravention of Section 5 of the <em>Personal Information Protection and Electronic Documents Act</em>, which relates to a collection or use of information described in subsection 7.1(2) or (3) of that act. This would appear to now expose Canadian business to extensive new liabilities for the use or disclosure of personal information without the knowledge or consent of individuals. Officers, directors, and employers would also be potentially liable for their employees’ actions.</p>
<p>Over the last decade, the Internet has become an essential tool for conducting commercial activity. If passed, this bill would prohibit the formation of new business relationships over the Internet or through e-mail. It would stultify the use of the Internet for the distribution of software and software upgrades. It also contains very high penalties for breach, penalties that are particularly disconcerting given the wide and ambiguous nature of the bill.</p>
<p>If your business will be impacted by the <em>ECPA</em>, we recommend that you make submissions to the House of Commons Standing Committee on Industry, Science and Technology, setting out your concerns.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barrysookman.com/2009/05/12/anti-spam-bill-raises-concerns-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

