Indeed, there was much satisfaction when Canada’s anti-SPAM law, also known as FISA[2], was given royal assent on December 15, 2011.  After a lengthy and thorough review process, including consultations and Parliamentary reviews, Canadians could look forward to the toughest anti-SPAM law in the world just as soon as the regulations were finalized, which is expected this summer.

With FISA passed into law, and expected to come into force by the end of 2011, Canadian businesses started preparing for a new SPAM-reduced world. They began to scrutinize their use of emails, SMS and social network communication with existing and prospective customers. They looked at the language for obtaining consent from these customers, and for allowing them to unsubscribe. They reviewed the conditions for those customers that may have given implied consent. All of this scrutiny was expected.

Businesses also began to look closely at regulatory aspects of FISA. They began to appreciate the severe penalties for violating FISA, and thus the risks of failing to fully comply with the new requirements. Their interest in compliance increased further. And this too was expected.

But a funny thing happened on the way to the SPAM-free utopia.  It began to dawn on some that FISA imposes very significant costs, not just on individual Canadian businesses, but also on the Canadian economy as a whole. These are costs that Canadians will uniquely bear because FISA is the toughest anti-SPAM law in the world.  And while everyone understood that implementing FISA would not be cost-free, questions began to be asked about the balance of costs and benefits from complying with FISA.

During the past months, as we have helped numerous Canadian businesses understand FISA and its impact on their operations.  In doing so, we have come to recognize that stakeholders did not fully appreciate just how costly this law would become for Canada or the dangers it poses to the Canadian economy.  We acknowledge that FISA was thoroughly reviewed before it was passed into law.  However, we have also come to recognize that rather than promoting the “efficiency and adaptability of the Canadian economy”, as formally stated in FISA’s official title, it may well achieve the opposite result.

In this commentary we will describe some of the challenges presented by FISA.  We will focus on the anti-SPAM provisions, and leave for another day the anti-spyware and other provisions of FISA.

In summary, we have identified the following problems that need to be addressed before FISA’s regulations are finalized and the law is proclaimed into force:

1)      FISA will impede start-up businesses from launching in Canada.

2)      FISA will impede Canadian businesses from developing new marketing models over the Internet.

3)      FISA will deter suppliers of service providers, including outsourcing and cloud service providers, from operating with or maintaining facilities in Canada.

4)      FISA will deter foreign businesses from offering their products to Canadians via the Internet, mobile and other communications networks.

5)      FISA will impose costs and restrictions on Canadian businesses that their competitors outside Canada will not have to bear.

6)      FISA contains very strong incentives for Canadian businesses to confess wrong-doing, even in cases of questionable or trivial conduct, thereby tarnishing the reputation of legitimate businesses in circumstances where the offending conduct is not significant.

7)      FISA will chill legitimate commercial speech and thereby undermine fundamental values protected by the Charter of Rights and Freedoms.

Our analysis starts with a brief background introduction to FISA.  We then move on to discuss the problems we have observed.

Overview of FISA’s anti-SPAM provisions

The anti-SPAM and related provisions of FISA have their genesis in a 2005 federal government Task Force report: Stopping Spam: Creating a Stronger, Safer Internet.[3] The report included a range of recommendations to fight SPAM including more rigorous law enforcement, public education, policy development and legislation. Importantly, the Task Force made recommendations that formed the structure that eventually became FISA including:

• Commercial email sent without prior consent — or that is deceptive, fraudulent or malicious — is SPAM and should be prohibited.
• Failure to abide by an opt-in regime for sending unsolicited commercial email should be made an offence in a stand-alone, technology-neutral SPAM statute.
• The use of false or misleading headers or subject lines designed to disguise the origins, purpose or contents of an email should be made an offence. This should be the case whether the objective is to mislead recipients or to evade technological filters.
• The new offences created should be civil and strict-liability offences, with criminal liability open for more egregious or repeated offences. There should be meaningful statutory penalties for all offences outlined above.
• There should be an appropriate private right of action available to persons, both individuals and corporations. There should be meaningful statutory damages available to persons who successfully bring civil action.

The Task Force recommendations, which by and large were carried over into FISA, were not just ambitious. They cast a wider net than legislation anywhere else in the world. For example, the U.S. CAN-SPAM Act of 2003[4] prohibits e-mails that are sent in violation of an individual’s opt-out request, or that are fraudulent, false or misleading. The EU Directive 2002/58/EC on privacy and electronic communications targets sending e-mail for the purposes of direct marketing to individuals. The Australia Spam Act 2003[5] and the New Zealand Unsolicited Electronic Messages Act 2007[6], after which FISA’s provisions are most closely modelled (but with significant changes which make FISA more encompassing and more difficult to comply with), prohibit sending certain commercial electronic messages without the express or inferred consent of the recipient.

In contrast to the narrower approach of these other countries, FISA prohibits sending (or causing or permitting to be sent) any commercial electronic message to any electronic address unless express consent is given by the recipient, or certain specific exclusions apply.[7]

The exclusions are limited, and encompass the following: (1) some categories of electronic message are excluded completely; (2) some categories are excluded from the consent requirements, but they must still comply with certain formalities (for example, contain an unsubscribe mechanism); and (3) very similar to (2), some categories are deemed to have implied consent, although they must also comply with the formalities.

The totally excluded categories are: commercial electronic messages to an individual with whom the person stands in a personal or family relationship as defined in regulations; an inquiry or application to a person engaged in commercial activity; or messages of a class defined in regulations.[8] There is a further exception for telecommunications service providers (TSPs) in their role as carriers.[9] Messages related to law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada are excluded because they are deemed not to be part of a commercial activity.[10]

Then, there are categories of commercial electronic messages which do not require consent, but for which the prescribed formalities still apply, namely commercial electronic messages that solely involve the following: (a) provide a quote in response to a request; (b) are in furtherance of previously agreed to transactions; (c) provide warranty, safety, security, product recall information; (d) provide factual information about a purchase; (e) provide information about an employment or benefits plan; (f) deliver a product, service or upgrade; or (g) other exceptions specified in a regulation.[11]

The categories of commercial electronic messages for which there is deemed to be implied consent (and to which the prescribed formalities still apply) are limited to the following exclusive circumstances:

• There is “an existing business relationship” as this term is defined. In summary, this is a relationship arising from a purchase or barter within 2 years; acceptance of a business, investment or gaming opportunity with last 2 years; or is related to a contract until 2 years after expiry; or any inquiry or application within 6 months.[12]
• There is an “existing non-business relationship” as this term is defined. In summary, this is a relationship arising from a donation or gift; volunteer work performed for a registered charity; or membership, within a 2 year window.[13]
• The person to whom the message is sent has “conspicuously published”, or has caused to have published, an electronic address without a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address and the message is relevant to the person’s business, role, functions or duties in a business or official capacity.[14]
• The person to whom the message is sent has disclosed, to the person who sends the message, an electronic address without indicating a wish not to receive unsolicited commercial electronic messages, and the message is relevant to the person’s business, role, functions or duties in a business or official capacity.[15]
• The message is sent in the circumstances set out in the regulations.[16]

Commercial electronic messages that do not fall into one or more of the above exclusions cannot be sent except with the express consent of the recipient. Obtaining consent has its own requirements. When requesting consent, the sender must set out clearly and simply: (a) the purpose or purposes for which the consent is being sought; (b) information prescribed in regulations that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, information prescribed in regulations that identifies that other person; and (c) any other prescribed information.[17] Sending a message to obtain consent is deemed to be a commercial electronic message.[18] As such, contacting a recipient to ask if the sender can send a commercial electronic message is itself SPAM (unless some exclusion applies).

Moreover, each commercial electronic message that is transmitted by a sender must abide by certain formalities which require the sender to: (a) set out prescribed information that identifies the person who sent the message and, if different, on whose behalf it is sent; (b) set out information enabling the person to whom the message is sent to readily contact the sender (the contact information must be valid for 60 days); and (c) set out the prescribed unsubscribe mechanism.[19]

The unsubscribe mechanism must (a) enable the recipient to indicate, at no cost to them, the wish to no longer receive any messages, or any specified class of such messages, from the sender, using (i) the same electronic means by which the message was sent, or (ii) if using those means is not practicable, any other electronic means that will enable the person to indicate the wish; and (b) specify an electronic address, or link to a page on the World Wide Web that can be accessed through a web browser, to which the indication may be sent.[20]

Having described the key elements of FISA, we will now describe some of the problems that we have encountered as Canadian businesses grapple with its implementation.

FISA Impedes Start-up Companies

Unlike established companies, start-up companies do not have a ready list of electronic contacts they can approach to market their products. Rather, they will develop emailing lists from a variety of sources and use them to launch their products. For example, a newly graduated financial advisor may look up the lawyers and doctors in his/her neighbourhood using a published professional or business directory or other publication such as a magazine, book, or newspaper and invite them to an educational event. A newly established orthodontist may send an announcement to dentists in her town, with the electronic addresses derived from a conference attendance list. A university student wanting to earn some money as a contract programmer may contact professors and lecturers using their electronic addresses found in the university catalogue or telephone directory. A new real estate agent in search of listings may want to contact owners of properties using information recorded in publically available registries.

Although few would find these activities offensive, they will all likely be illegal under FISA.[21] Rather than using electronic communications, business start-ups will therefore be forced to send their messages using the post or other more expensive and less convenient and efficient mechanisms, or limit the persons to whom they can send messages to the limited exception that permits use of conspicuously published e-mail addresses.[22] The new start-ups could also not rely on the alternative route of using software that is design to assist them in searching for relevant business or other connections because it will also be illegal to use such software or electronic addresses gathered using such software under the amendments to PIPEDA included in FISA.[23]

Although it is easy to say that the FISA impositions on small businesses are not that important, most countries, Canada included, actively promote small business formation and expansion. Policy-makers understand that small business is a vital part of the economy in its own right and, as well, that all big businesses were small start-ups at one point.  As such, Canada should not want to impede start-up businesses from making effective use of digital communications to launch and sustain their businesses.

FISA Impedes Use of New Forms of Communications and Business Models

FISA is supposed to be technologically neutral, applying broadly to practically all electronic means of sending electronic messages. However, the FISA regulatory regime (which prescribes specific formalities for each message) is modelled on regulating electronic messages that are sent as emails. This focus on emails means that other forms of electronic messaging, such as those through social networks, do not easily fit within the FISA framework. As a result, Canadian businesses that wish to exploit new and developing alternative electronic messaging systems will be impeded by FISA.

As an example, consider an enterprise that wishes to send its commercial electronic messages, with express consent, by SMS.[24] Because SMS only allows for 140 characters, it will be very difficult if not impossible in the allotted number of characters to include all of the formalities required for commercial electronic messages. The SMS message would have to include (a) prescribed information that (1) identifies the sender and (2) any person on whose behalf the message is sent, (b) information that enables the recipient to (1) contact the sender or (2) the person on whose behalf the message was sent, and (c) an unsubscribe mechanism that (1) enables the recipient to indicate, at no cost to him/her a wish to no longer receive messages (which could be at a separate web location), and (2) specifies an electronic address or link to the web which can be used to unsubscribe from receiving further messages.[25] Consider the following difficulties when trying to utilize SMS for a commercial electronic message:

• Can conditions (a)(2), (b)(2), and (c)(2) be met in a message that is only 140 characters?  Some URLs could be as long as the message itself.  The same problem will arise in other messaging services where short messages are the rule, such as Instant Messaging (IM) services.
• Where the recipient uses a regular cell phone, not a smart phone, an unsubscribe URL is likely not accessible by the phone to effect an unsubscribe instruction.  Is it still a compliant message?  If not, how can the sender ever know if its messages are compliant given that the sender will not know what sort of device the recipient is using?
• Where the sender wants to permit recipients to unsubscribe using a text message at no cost to the recipient[26], this will require negotiations with all mobile operators to ensure that the recipient is not charged for the unsubscribe message – a very cumbersome approach.
• Further, it may be challenging for a person using any of these messaging services to seek express consents from recipients using 140 characters given the request for the consent must “clearly and simply” provide information setting out the purpose or purposes for which consent is being requested, information that identifies the requester and another person on whose behalf the request is made, and other prescribed information.[27]

The result is that unless accommodation is made by means of the regulations or amendment to the legislation, FISA could make using new and innovative short messaging platforms effectively impractical to use in Canada for whole categories of commercial speech.[28]

As another example, consider the situation of a social network that allows a recruiter to search the profiles of members looking for suitable employee prospects, who the recruiter then contacts using the social network built-in communications tools. Many members would welcome such communications, and therefore they would likely consent to such recruitment messages, presumably at sign-up time. However, FISA’s design does not easily accommodate such a situation. The recruiter cannot directly request consent to send a message to a member of the social network because that message would be deemed to be a commercial electronic message.[29] The social network could try and obtain the member’s consent for the recruiter to send such messages. However, FISA contemplates that the consent request must include identification information about the person on whose behalf the consent is being obtained, in this case the recruiter’s identity.[30] But is this workable when the identity of the recruiter(s) will only be known much after the consent is granted? Faced with this complexity and uncertainty, recruiters and their social network partners may well ponder if they should avoid offering these services in Canada.

Consider another business model where a virtual gaming site allows members to offer to buy and sell virtual objects amongst themselves. Does each member have to obtain consent from the other members before the messages are sent? Can the social network site request consent in advance for all such messages among members? Bear in mind that the members only disclose game-playing aliases and not their real identities. How then can the identification requirements of FISA be satisfied? How practical is it for each game-player to include an unsubscribe mechanism in every buy-sell offer? If members fail to comply with these identification or unsubscribe mechanisms, will be social network operator have to enforce these requirements in order to avoid liability for aiding in a contravention of FISA? Will the operators of such sites be concerned that they could face accessorial liability for not designing mechanisms to enable  their players to comply with FISA? Will they make necessary changes to their games or simply exclude Canadians from being able to join their networks?

Consider next a business model where a social network operator offers business coupons to members and encourages the members to pass the coupons on to friends and social media contacts.[31] As an incentive, the operator grants a modest incentive to the member for every person that uses such a passed-on coupon. The passing on of the coupon with an express or implied suggestion as its use is likely the sending of a commercial electronic message. While some recipients in these models may fit into the personal or family relationship exemption in FISA,[32] others won’t necessarily fall within these so far undefined categories. And how many members are likely to include unsubscribe mechanisms when sending such messages to their contacts? Although one might be tempted to say that no-one will pursue the members for such trivial transgressions of FISA, the operator that knowingly permits such conduct might well worry if it will be at risk of being accused of aiding, inducing, procuring or causing to be procured the doing of any act contrary to the anti-SPAM provisions of FISA.[33]

Faced with the risks of offending FISA, Canadian businesses will be wary of developing (or continuing to offer) these innovative business models or implementing similar models that are legal in other countries such as the United States. Or if they do wish to develop them, they will feel a strong incentive to develop and launch them outside of Canada. The logical port of call for any such developers will be the United States, with its familiarity to Canadians, vast market, openness to innovation, and ample sources of funding. Canada, which already faces a tough time in fostering innovation inside our borders, will now be adding one more reason for Canadians to take their digital economy initiatives south of the border.

FISA Will Deter Service Providers from Locating in Canada

In the foregoing, we have explained impediments that will be faced by start-ups and developers of new e-commerce models as a result of FISA. But the potential harm to the Canadian economy goes further. FISA will deter many suppliers from providing innovative services globally using Canadian facilities.

Consider the case of a data centre operator that is deciding where to locate a new server farm.  If the operator decides to locate it in Canada, the customers that send electronic commercial messages from those servers will be subject to FISA for all of those communications – even those where the company is non-Canadian and the recipients are all non-Canadian. This consequence arises because FISA applies if a computer system in Canada is used to send or receive the electronic message.[34] The data centre operator will realize that its customer base will be immediately narrowed if the server farm is located in Canada and knowledgeable customers will ask the operator that servers in Canada not be used for their commercial electronic communication purposes.

For the same reasons, FISA will also deter businesses from operating or using cloud services that have facilities in Canada. In an era of ever-increasing reliance on “cloud computing”, where operators organize servers in the most efficient manner, operators and their customers would avoid locating cloud services with facilities in Canada to avoid burdening their foreign customers with onerous obligations they would not have, and their foreign competitors will not have, if their facilities were located outside of Canada.

Likewise, operators of messaging systems such as e-mail services, social networks, and e-commerce platforms that serve North American or global enterprises will have a strong reason to avoid locating their facilities in Canada to ensure that their global users are not regulated by FISA. They would likely relocate existing Canadian facilities outside of Canada to avoid requiring their non-Canadian customers having to bear costs and expenses of complying with laws that their competitors do not face.

Even established Canadian businesses, especially global ones, might decide that it is in their interest to locate their servers, whether in-house or outsourced, outside the country. Many of them will send commercial electronic communications to non-Canadians. They will not want to take on the FISA-derived extra costs and restrictions associated with communicating with those non-Canadians from a Canadian server. Faced with the choice of two servers, one in Canada for FISA-complaint Canadian messages, and one outside Canada for everything else, many Canadian companies will decide that the most efficient approach is to ensure that all their  servers are located outside Canada.

By discouraging service suppliers from locating or maintaining facilities in Canada, not only does Canada lose the jobs, taxes and spin-off activities from such businesses, but Canada’s participation in a core building block of the digital economy is reduced. This in turn lessens the attractiveness of Canada as a location for other participants in the digital economy.

FISA Will Deprive Canadians of Products and Services From Foreign Businesses

In the foregoing discussion, we have concentrated on the impact of FISA on Canadian businesses and suppliers to those businesses. But there is another constituency that will be impacted by FISA, namely consumers.

FISA will of course benefit consumers by hopefully reducing the flow of SPAM. That is the key purpose behind FISA. But consumers will be negatively impacted by FISA if they cannot benefit from worthwhile commercial electronic messages simply because foreign companies are unwilling to comply with FISA and thus decide simply to exclude Canadians from their electronic communication databases. We have been told by some businesses that the costs of developing specific marketing campaigns for Canadians could influence whether foreign businesses make the same offers to Canadians that they make to their customers in other countries.

The point to realize is that not all commercial electronic messaging is bad and unwanted (although some is undoubtedly both). Some is benign, and some may be quite useful. Indeed, in the example above of a recruiter using social media platforms to contact prospective employees, some may be very welcome.

FISA however risks walling off Canada from the good as well as the bad. And foreign companies, especially international companies that market and promote products and services on a global basis from outside Canada, may well decide that Canada is simply not worth the effort and hazards that come with FISA.

FISA Imposes Costs on Canadian Businesses that Foreign Competitors will not Bear

Canadian businesses are coming to grips with the costs of FISA compliance, and it is not a happy realization. Businesses that have large contact lists must assess which contacts fit into particular categories: exempt, express consent, implied consent, no consent. The exempt category will be small for most businesses. Where express consent has been given, businesses have to figure out if the consent is sufficient for FISA purposes, now and in the future. Absent express consent, businesses will have to determine if one of the listed categories of an implied consent can apply.  This will be difficult to assess in many cases.[35] For example, where an individual was entered onto a contact list 5 years ago, how will a business determine if that person voluntarily disclosed his/her email address, or whether it was “conspicuously published” or if there exists an existing business relationship that is less than 2 years old? If the existing business relationship heading is relied on, what sort of routines are in place to determine customer-by-customer when the 2-year window expires? The answer to each of these question can be determined, but at a cost – a cost that can be significant for a company with thousands or even millions of contacts.

It may be simple to suggest that businesses should just communicate with everyone on their contact lists and ask for express consent. But the response rate from such campaigns is often not large, and Canadian businesses risk a large contraction of their contact lists, with a consequential impact on their business models. In some cases, such as the social network recruiter described earlier, it is questionable if a consent approach is even workable. And, of course, once FISA comes into force, communicating with a contact to ask for consent will itself be prohibited unless some exemption or implied consent applies.

Further, as noted above, Canadian businesses with substantial numbers of non-Canadian contacts will face costs of moving their servers outside of Canada in order to service these non-Canadians, and likely Canadians as well. In the same vein, those Canadian businesses will have to give up any use of cloud computing that involves Canada-based servers if there is a chance that some commercial electronic messaging could originate on servers in Canada.

Canadian businesses will also face extra costs as ongoing customers unsubscribe from commercial electronic messages.  The FISA-mandated  unsubscribe mechanism must permit the recipient to not receive any commercial electronic messages, or any specified class of messages.  If even a handful of customers choose the broad unsubscribe option, companies will have to either change their systems to ensure that innocuous commercial electronic messages are not included in ordinary correspondence such as billing statements (consider, for example, a mention that mortgage rates are being reduced which appears in a bank account statement with an offer to extend the mortgage term), or ensure that such correspondence is sent to those customers by the post or other non-electronic means. All of this can be done, but clearly at a cost.  The problem would be compounded for businesses that contract with their customers only to communicate electronically.  Customers including B2B business partners could arguably use FISA’s unsubscribe right to require communications in a different format and to thereby trump contractually agreed to terms.  This could undermine purely electronic means of doing business (including data interchange arrangements) and force companies to cease doing business with any person insisting on an unsubscribe right or to incur substantial costs to do business in less modern and inefficient way.

In addition to costs of these proactive activities, Canadian businesses will face potentially large costs of after-the fact compliance by way of substantial fines and class action damages, and associated legal costs, as further discussed below.

In contrast, most non-Canadian competitors do not face equivalent costs. Although some may elect to comply with FISA for their Canadian contacts, others may simply abandon services to Canadians. Others will likely just ignore FISA, expecting that the Canadian regulators will have neither the inclination nor resources nor the jurisdiction to pursue these offenders.

FISA’s Enforcement Model is Biased Towards Excessive Fault-Finding, which will Tarnish Legitimate Businesses

The penalties for violating FISA are severe. Companies can be subject to fines[36] of up to $10 million per violation. The regulations may specify that violations are a day-by-day determination.[37] Officers and directors can be liable, whether or not the corporation is prosecuted.[38] If the CRTC does not initiate proceedings, companies can be liable to private action by SPAM recipients, including (most worryingly) class action claims, for actual damages (which will likely be insignificant), but also an additional private fine of up to $1 million per day (which is not so insignificant).[39]

The fear of class action claims, which can be very expensive to defend against, will act as a strong incentive for companies to self-report potential contraventions to the CRTC and submit to voluntary undertakings and fines. Entering into such an undertaking with the CRTC will exempt the contravention from private action liability.[40] Although this incentive will help ensure FISA compliance, its undoubted goal, it will also encourage companies to confess wrong-doing in situations where the impugned conduct may be questionable or trivial. This will lead to a parade of Canadian businesses being punished under FISA, with the regulators extolling their enforcement proficiency against these wrong-doers.[41] As such, the public image of many Canadian businesses will be unfairly tarnished in circumstances where the offending conduct may not be significant.

Is It Right To Extensively Chill Commercial Electronic Communications?

In the proceeding pages, we have explained the negative impact that FISA will have on Canadian businesses and consumers. But there is a larger question that should also be asked. Is it right to so extensively curtail Canadian businesses from engaging in commercial electronic communication, which is, after all, a form of commercial free speech? This is a big question, with clear constitutional overtones. But it is a question that should be asked.

FISA’s regulatory approach to SPAM is to broadly ban all commercial electronic messages unless the messages are sent with prior express consent or fall into an excluded category. The regulatory regime does not focus, as do most laws that restrict the free speech of Canadians, on prohibiting actions that are necessarily unwanted, false, fraudulent, misleading or otherwise harmful. It is therefore inevitable that sending some legitimate, wanted, and economically and socially useful commercial speech will be rendered illegal.

FISA’s curtailment of commercial speech is apparent in a number of ways.

• The prohibitions on commercial speech are not narrowly tailored to a limited class of electronic communications that are more likely than not to be unwanted or harmful such as direct marketing, pornography, messages sent to consumers that misuse personal information, or messages that are false, fraudulent, or misleading.
• Because FISA extends to “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit”, it will extend to activities of not-for-profit entities, educational institutions, charities, private clubs, and political fundraising activities, subject the specific exceptions that only partially exclude some of their commercial electronic messages.
• A message that is, on balance, benign or useful, will nonetheless be caught by FISA if only one of the message’s many purposes would encourage participation in a commercial activity.
• FISA’s anti-SPAM provisions provide for extensive accessorial and vicarious liability Under FISA, liability extends to any person who aids, induces or procures a prohibited act.[42] Businesses are liable for acts of their employees within the scope of their authority.[43] The liability also extends to officers, directors, agents, and mandataries if they “directed, authorized, assented to, acquiesced, or participated in the prohibited act”.[44]
• A direct result of the “ban-all” approach taken in FISA will be to shift the onus onto individuals and businesses to find an exception that would permit their sending electronic messages. However as described above, FISA also has extremely tough sanctions that can be levied against individuals or businesses that violate its prohibitions. These sanctions will undoubtedly deter individuals and businesses from sending messages in circumstances where it is unclear they are entitled to do so.

The Canadian Charter of Rights and Freedoms protects free speech as one of our highest legal and societal imperatives.[45] The courts have recognized that Canadian businesses benefit from this protection and that commercial speech benefits Canadian consumers.[46] While limits on free speech are clearly permitted, these limits should be reasonable and justified, with minimal impairment of the free speech right and with the limit on free speech being in proportion to the harm that is being targeted.  As we have come to better understand how companies will be required to operate under FISA, questions indeed arise as to whether this important principle has been given appropriate regard.

Where Should We Go From Here?

Recognizing that it may be too late to revise the FISA legislation, developing sensible regulations will be of paramount importance as many of the deficiencies that we have discussed can be remedied in the regulations. For example, FISA provides significant flexibility to for the regulations to exclude classes of commercial electronic messages from its scope.[47] FISA also enables the government to create, by regulation, new broad categories of implied consent.[48] Employing the regulation process in this remedial manner should not be seen as undermining the basic thrust of FISA, which is to reduce the volume of SPAM, but rather as properly aligning FISA’s benefits with its costs.

To conclude, we believe that it is time to re-examine FISA – and to do so before the regulations are finalized and FISA is proclaimed into law. Failing to undertake such a review, and to make appropriate changes through regulation or otherwise, risks imposing significant burdens on Canadian businesses and depriving Canadians of beneficial services, thereby undermining the promotion of “the efficiency and adaptability of the Canadian economy” that FISA calls for. Other countries have managed to discover a different and more proportionate balance between thwarting SPAM and not impeding legitimate electronic messaging. Canada should seek to do likewise.

[1] Lorne Salzman and Barry Sookman are lawyers with McCarthy Tétrault LLP.

[2] FISA is the acronym for “Fighting Internet and Wireless Spam Act”, a title bestowed in an early version of the legislation that was eventually passed by the Canadian Parliament. Unfortunately (and unusually), the final version did not include any such short-form title. Accordingly, some commentators refer to FISA, while others refer to “CASL”, which is the acronym for Canadian Anti-Spam Legislation, while others employ yet other titles and abbreviations. For ease of understanding, we will use the term “FISA” in this commentary.

[3] Available at www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00317.html

[4] www.ftc.gov/bcp/edu/microsites/spam/rules.htm

[5] www.austlii.edu.au/au/legis/cth/consol_act/sa200366/

[6] www.legislation.govt.nz/act/public/2007/0007/latest/DLM405134.html

[7] The breadth of FISA’s prohibitions can be seen from looking at the definitions:

• An “electronic message” is an open ended list of message types: a “message sent by any means of telecommunication, including a text, sound, voice or image message”.

• An “electronic address” is an open ended list of types of addresses to which messages may be sent; it is “an address used in connection with the transmission of an electronic message to (a) an electronic mail account; (b) an instant messaging account; (c) a telephone account; or (d) any similar account”.

• A “commercial electronic message” is an open ended list of electronic messages “that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that (a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; (b) offers to provide a business, investment or gaming opportunity; (c) advertises or promotes anything referred to in paragraph (a) or (b); or (d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.” An electronic message that contains a request to send a prohibited message is also deemed to be a prohibited commercial electronic message.

• A “commercial activity” is also broadly defined to mean “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit”. It excludes “any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada”.

[8] s. 6(5)

[9] s. 6(7)

[10] s. 1(1)

[11] s. 6(6)

[12] ss. 10(9) and 10(10)

[13] ss. 10(9) and 10(13)

[14] s. 10(9)(b)

[15] s. 10(9)(c)

[16] s. 10(9)(d)

[17] s. 10(1)

[18] s. 1(3)

[19] ss. 6(2) and 6(3)

[20] ss. 11(1) and 11(2)

[21] Despite problems under FISA, collecting personal information from some of the sources described above would likely be permissible under PIPEDA (Canada’s federal privacy law) pursuant to regulations which permit the collection, use and disclosure of personal information that is publically available. See, Regulations Specifying Publicly Available Information, P.C. 2000-1777 13 December, 2000, http://www.gazette.gc.ca/archives/p2/2001/2001-01-03/html/sor-dors7-eng.html

[22] s. 10(9)(b). This section has some overlap with the PIPEDA publically available exception. However, the FISA exception is limited to where the recipient “has conspicuously published, or caused to be conspicuously published”, the electronic address. It would seem to clearly apply where an individual publishes his/her email address on a web site. It is much less clear that it applies where an individual gives his/her email address to an organization and the organization publishes the email address in a directory or other publication. To fall within the exception one would have to conclude that by giving an organization an email address, the person who provides the email address “causes” the organization to publish it – which may be somewhat of a stretch.

[23] s. 82 (adding new s. 7.1(2) to PIPEDA)

[24] Short Message Service (SMS) is a text-based data communications service typically used in connection with cell phones and smart phones.

[25] ss. 6(2) and 11(1)

[26] s. 11(1).

[27] s. 10(1).

[28] For a real life example of an entrepreneur who recently used Twitter service as a pivotal aid in launching a new business, see: www.thestar.com/business/smallbusiness/article/985678–twitter-marketing-word-of-mouth-on-steroids

[29] s. 1(3). It does not appear that this approach would fall within any of the existing exceptions including the exception for inquiries (s. 6(5)(b)). The message would be an inquiry, but would not necessarily be an inquiry related to the commercial activity of the recipient. It would not fall into the employment benefits exception either. (s. 6(6)(e)).

[30] s. 10(1). The upcoming regulations are expected to address the identification information that will be required.

[31] Other innovative businesses also use variations on the “refer a friend” business model.

[32] s. 6(5)(a)

[33] s. 9

[34] s. 12(1)

[35] Consents obtained under PIPEDA cannot be relied upon given PIPEDA recognizes opt-out consents in many circumstances.

[36] Technically, the fines are referred to as “administrative monetary penalties”. Quaintly, FISA states that these penalties are “to promote compliance” but not “to punish”. See s. 20.

[37] s. 20(5)(a)

[38] s. 52. Note that there is a “due diligence” defence that may be available in some cases to companies and their staff. See s.54(1)

[39] s. 51(1)

[40] s. 48(1)

[41] As an example of the CRTC’s press releases when it punishes offenders of the do-not-call regime, see www.crtc.gc.ca/eng/com100/2010/r101217.htm

[42] s. 9

[43] ss. 32 and 53

[44] ss. 31 and 52

[45] See s. 2(b) of the Charter.

[46] See RJR-MacDonald Inc. v. Canada (Attorney General), [1995] 3 S.C.R. 199; Rocket v. Royal College of Dental Surgeons of Ontario, [1990] 2 S.C.R. 23.

[47] s. 6(5)(c)

[48] s. 10(9)(d)

The documents in the possession of the PMO and offices of Ministers were held not to be in the control of a government institution and were therefore not subject to the Act. The Court held that the agenda of former Prime Minister Jean Chrétien in the possession of the RCMP and the PCO were under the control of a “government institution”. However, they were not subject to disclosure because 19(1) of the Access to Information Act prohibits the head of a government institution from releasing any record that contains personal information as defined in s. 3 of the Privacy Act. Section 3(j) of the Privacy Act creates an exception by allowing for the disclosure of personal information where such information pertains to an individual who is or was an officer or employee of a government institution and where the information relates to the position or function of the individual.  The Supreme Court agreed with the Federal Court of Appeal that this exception did not apply as the Prime Minister could not be viewed as an officer of a government institution.

In rendering its decision the Supreme Court did not express any opinion as to whether the Prime Minister’s agenda, or parts thereof, were “personal information” as defined in s. 3 of the Privacy Act. It didn’t deal with the issue as the parties agree that the Prime Minister’s agenda fell within the general definition of personal information in the Privacy Act. That Act defines the term as meaning “information about an identifiable individual that is recorded in any form” and goes on to include a non-exclusive list of examples.

It is too bad that the issue of whether the Prime Minister’s agenda, or portions thereof, were personal information was conceded and not argued before the Court. The issue of what is personal information is one in which lower appellant courts have recently been focusing on.

For example, the Ontario Court of Appeal in Citi Cards Canada Inc. v. Pleasance, 2011 ONCA 3 recently held that financial information pertaining to a debtor, collected and used by a financial institution in the course of a mortgage transaction was personal information under PIPEDA. In its reasons for decision the Court stressed that the term was to be given “a very elastic definition”. According to the Court:

I also agree with the application judge that the information Citi Cards seeks from the Banks is “personal information” of the debtor.  “Personal information” is defined in s. 2(1) of the Act.  It “means information about an identifiable individual.”

This is a very elastic definition, and should be interpreted in that fashion to give effect to the purpose of the Act.  There can be no doubt that financial information pertaining to a debtor, collected and used by a financial institution in the course of a mortgage transaction – including the particulars of, and the balance owing on the debtor’s mortgage – is “information about an identifiable individual.”  Current mortgage balances are not information that is publicly available.

This information is collected and used by the Banks for purposes of administering the mortgage; it is not collected or used for purposes of facilitating another judgment creditor’s execution on its judgment.  As the purpose of the Act – expressed in s. 3 cited above – indicates, what is balanced is the individual’s right to privacy in his or her personal information, on the one hand, and the organization’s need to collect or use the information, on the other hand.  The Act does not contemplate a balancing between the privacy rights of the individual and the interests of a third-party organization that may by happenstance have commercial dealings with the individual that make the targeted information attractive to it.

The Alberta Court of Appeal recently also canvassed the scope of the term personal information in Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner), 2011 ABCA 94. Under the Alberta Personal Information Protection Act “personal information” is defined to mean “information about an identifiable individual”. In interpreting this definition the Court ruled that driver’s licence numbers were personal information but that vehicle licence numbers were not. The Court reached this conclusion reasoning that to fall within the definition information must directly identify the individual and have a precise connection to the individual and must relate to the individual and not to some object or property.

The “identifiable individual” term has two components. Firstly, the individual must be “identifiable”. Generic and statistical information is thereby excluded, and the personal information (here the relevant number) must have some precise connection to one individual. Secondly, the information must relate to an individual. Information that relates to objects or property is, on the face of the definition, not included. The key to the definition is the word “identifiable”. The Act is designed to regulate and protect information that is uniquely connected to one person. An important (although not the only) purpose of the Act is to control the use of information that would enable “identity theft”, that is, information that is used to distinguish one individual from another in financial and commercial transactions. This can be seen by reviewing the type of information that is dealt within the more specific provisions and exceptions in the Act. The definition is not primarily aimed at information about that individual’s opinions, choices and status in life.

Further, to be “personal” in any reasonable sense the information must be directly related to the individual; the definition does not cover indirect or collateral information. Information that relates to an object or property does not become information “about” an individual, just because some individual may own or use that property. Since virtually every object or property is connected in some way with an individual, that approach would make all identifiers “personal” identifiers. In the context of the statute, and given the purposes of the statute set out in s. 3, it is not reasonable to expand the meaning of “about an individual” to include references to objects that might indirectly be affiliated or associated with individuals. Some identification numbers on objects may effectively identify individuals. Many, however, are not “about the individual” who owns or uses the object, they are “about the object”.

The adjudicator’s conclusion that the driver’s licence number is “personal information” is reasonable, because it (like a social insurance number or a passport number) is uniquely related to an individual. With access to the proper database, the unique driver’s licence number can be used to identify a particular person: Gordon v. Canada (Minister of Health), 2008 FC 258 (CanLII), 2008 FC 258, 324 F.T.R. 94, 79 Admin. L.R. (4th) 258 at paras. 32-4. But a vehicle licence is a different thing. It is linked to a vehicle, not a person. The fact that the vehicle is owned by somebody does not make the licence plate number information about that individual. It is “about” the vehicle. The same reasoning would apply to vehicle information (serial or VIN) numbers of vehicles. Likewise a street address identifies a property, not a person, even though someone may well live in the property. The licence plate number may well be connected to a database that contains other personal information, but that is not determinative. The appellant had no access to that database, and did not insist that the customer provide access to it.

It is also contrary to common sense to hold that a vehicle licence number is in any respect private. All vehicles operated on highways in Alberta must be registered, and must display their licence plates in a visible location: Traffic Safety Act, R.S.A. 2000, c. T-6, ss. 52(1)(a) and 53(1)(a). The requirement that a licence plate be displayed is obviously so that anyone who is interested in the operation of that vehicle can record the licence plate. The fact that the licence plate number might be connected back to personal information about the registered owner is obvious, but the Traffic Safety Act nevertheless requires display of the licence plate. Control of that information is provided by controlling access to the database. It makes no sense to effectively order, as did the adjudicator, that everyone in the world can write down the customer’s licence plate number, except the appellant.

In summary, the adjudicator’s conclusion that a driver’s licence number is “personal information” is reasonable. The conclusion that a licence plate number is also “personal information” is not reasonable, and the adjudicator’s ruling must be set aside insofar as it dealt with licence plate numbers.

Had the Supreme Court addressed the personal information status of the various elements of the Prime Minister’s agenda, it might have used the occasion to expound upon the meaning of that term. But, given the procedural posture of the case, the Court was not required to do so.

The privacy issues raised by online tracking, profiling and targeting and cloud computing raise many questions with important public policy and economic implications. The report, by and large, raises and does a good job of explaining the issues and challenges. Beyond explaining general principles, it does not purport to provide any real guidelines. After discussing the issues and generally applicable principles, the OPC asked for further comments and input on most of the intriguing questions.

The report did contain a few notable observations about how PIPEDA applies to certain online activities. These were mostly in areas that the OPC has already provided guidance. For example, the OPC repeated its views on its interpretation of the term personal information saying:

The OPC has generally taken a broad and contextual approach in determining whether certain information is or is not personal information. Of note is a finding from 2003, in which it was concluded that the information stored by temporary and permanent cookies was personal information. The Office has also determined that an IP address is personal information if it can be associated with an identifiable individual.

Other noteworthy examples include an investigation into the collection and use of Global Positioning System information placed in a company’s vehicles, in which it was concluded that such information is personal information since it could be linked to specific employees driving the vehicles. It was noted that the employees were identifiable even if they are not identified at all times to all users of the system. Information collected through radio frequency identification tags (RFID) to track and locate baggage, retail products and individual purchases may constitute the personal information of any identifiable individual associated with those items.

The OPC also summarized its guidelines for the use of opt-out consents:

The OPC has had opportunity to consider the use of opt-out in a number of different contexts. A common use of opt-out is in the context of using or disclosing personal information for secondary purposes of marketing. Secondary purposes are additional to those for which the information needed to be collected in the first place. The Office considers that an organization must satisfy the following requirements when using opt-out, for example, to obtain consent for secondary marketing purposes:

The personal information must be demonstrably non-sensitive in nature and context.

The information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure.

The organization’s purposes must be limited and well-defined, and stated in a clear and understandable manner.

As a general rule, organizations should obtain consent for the use or disclosure at the time of collection.

The organization must establish a convenient procedure for opting out of, or withdrawing consent to, secondary purposes. The opt-out should take effect immediately and prior to any use or disclosure of personal information for the proposed new purposes.

A very difficult issue in cloud environments is to determine who is responsible for obtaining consents for the collection, use and disclosure of personal information that is handled in such environments. The OPC continues to draw a distinction, between “consumer services” and “business services.” Where the cloud service is offered directly to consumers, the provider, according to the OPC, is the “data controller”. However, where the services are offered to enterprise customers, the provider is the “data processor”.

Generally speaking, in Louise’s case, when she uses her social networking site or e-mail for fun, the social networking site or e-mail provider is the data controller. When she wishes to use a cloud service to help her handle her jewellery customer data, the provider is a data processor and Louise is the data controller. This distinction is important because it means that when Louise is the data controller, she has certain obligations to her customers in terms of privacy protection.

Unfortunately, the report does not provide any statutory basis for this distinction. Nor does the report explain how the EU concepts of “processor” and “controller” conceptually  fit within the structure of PIPEDA.

Bill C-28, Fighting Internet and Wireless Spam Act, is the re-introduction of the Electronic Commerce Protection Act (ECPA). It is essentially the Bill as passed by the House of Commons just before the olympics with a few changes. Most of the changes are to harmonize the language to drafting conventions or to clarify the legislative intent.

The Bill is a major improvement over the initial version of the ECPA which was significantly improved during the Industry Committee review.

The Bill would do the following:

• Prohibit the sending of commercial electronic messages without prior consent.

• Prohibit alteration of transmission data to route the message to an unintended destination.

• Prohibit installation or use of spyware in the course of commercial activities (there are exceptions for cookies, html code, java scripts and operating systems).

• Amend the Competition Act to prohibit false or misleading commercial representations made electronically.

• Amend PIPEDA to prohibit the collection of personal information by means of unauthorized access to computer systems in violation of federal laws, and the unauthorized automated compiling of lists of electronic addresses.

Bill C-29 is a new piece of legislation that will amend PIPEDA. It would do the following:

• Exclude business contact information from being personal information.

.• Specify the elements of valid consent (“the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting”).

• Require organizations to report material data breaches of personal information to the Privacy Commissioner of Canada, and to notify affected individuals when the breach poses a real risk of significant harm, such as identity theft or fraud, or damage to reputation.

• Create exceptions for prospective and completed business transactions such as the purchase of an organization or assets, M&A transactions, financings and loans, taking security, lease or license transactions, other arrangements to conduct a business activity.

• Permit organizations to collaborate with government institutions, such as law enforcement and security agencies that have requested personal information, in the absence of a warrant, subpoena, or order.