In a previous post, Evaluating the Industry Canada CASL regulations: why they are needed, I suggested that close scrutiny needs to be given to Industry Canada’s new draft Electronic Commerce Protection Regulations. CASL’s “ban all” structure makes it imperative that generous regulations be adopted to ensure that the goal’s of Canada’s new anti-spam/anti-malware law (CASL) are met. In another post, Evaluating the Industry Canada CASL regulations: how to assess them, I proposed a framework for assessing the regulations.
I then evaluated the proposed family and personal relationships exception in the post, Evaluating the Industry Canada CASL regulations: family relationships and personal relationships, finding them very troubling and concluding that without rectification CASL would adversely and surprisingly impair the ability of ordinary Canadians to communicate with extended family, friends and acquaintances and people who know each other from being members of the same clubs and associations, from going to school or engaging in recreational activities together, or from business, professional or other settings.
In the post, Evaluating the Industry Canada CASL regulations: the B2B exception (Part I-SMEs), I examined the proposed new business to business exception, focusing on its failure to remedy CASL’s impairment on the start-up and growth of small and medium sized enterprises. In my last post, Evaluating the IC CASL regulations: the B2B exception (Part II-Non-business entities), I showed how the regulations fail to address the harsher burdens CASL places on not-for profit organizations like charities, hospitals, and educational institution than on businesses, even though they have the least resources or wherewithal to bear those burdens.
In this post I will focus on the regulations failure to correct CASL’s jurisdictional overreach. I focus on two issues. First, CASL’s extra-territorial reach over foreign organizations and compliance with principles of international comity. Second, that CASL’s territorial reach will threaten high paying service jobs, research, development and technological innovation in Canada.
As explained in other posts, CASL makes it illegal to send any commercial electronic messages without obtaining prior express consent, providing users with prescribed information, and a prescribed unsubscribe mechanism, unless the message falls into one of the few exceptions provided by the statute. CASL and its regulations also makes it illegal, among other things, to install a computer program on any PC, smartphone, tablet, appliance, or other computer without obtaining prior express consent, making disclosures about the functions of the program, and providing information that enables users to withdraw their consent.
CASL’s strictures far exceed those in other countries. Rather than targeting false and misleading e-mails or those sent in violation of an opt-out request such as in the U.S., or limiting the restrictions to direct marketing messages as in the EU, CASL goes much farther. It does the same thing with its “ban all” approach to “malware”. To the extent that other countries have civil laws that regulate distributing computer programs without consent, they target malware, spyware or similar threats, not programs that are also completely innocuous as CASL does.
Unlike the laws of other countries such as those in the U.S., CASL provides a private right of action to anyone with remedies that includes compensation for actual losses plus damages of up to $1 million per day of non-compensatory (essentially punitive) damages. Class actions are not foreclosed and if certified could lead to threats of massive unprecedented awards to a new generation of CASL litigation trolls that are predicted to emerge. Moreover, these claims could be brought even where no person has suffered any actual damage. For example, a person that as part of some commercial activity makes malware free open source software available without charge to hundreds of thousands of Canadians using an ordinary webwrap (browsewrap) or clickwrap agreement or who using an automated system installs a security patch to prevent hacker attacks, could theoretically face threats of damages in the hundreds of million dollars.
The upshot of all of this is that Canada will have unique and more onerous regimes to comply with than those in other countries. Compliance will require development of new databases, modification of computer systems, changes to websites, user interfaces, and contracting processes and disclosures of information. Organizations that do business in countries other than Canada will have no reason to adopt these standards, except to the extent they want to send CEMs or make software or apps available to Canadians.
The caveat for foreign businesses, however, is that CASL has an extremely broad extra-territorial reach. The anti-spam rules apply to any commercial electronic message that is sent from a foreign computer anywhere in the world to a computer in Canada. Similarly, CASL’s “malware” rules apply to any program that is installed on any computer in Canada. The liability is strict; it does not depend on intent or foreseeability.
CASL’s reach is bound to raise questions of international comity among Canada’s trading partners. Its extensive territorial reach raises questions as to whether it departs from public international principles which justify applying laws extra-territorially. This is an issue that is quite complex. (My book Computer, Internet and Electronic Commerce Law has a chapter of over 200 pages just on this topic.) With the risk of over simplification, increasingly countries base legislative and personal jurisdiction related to Internet delicts on factors that take into account intentional targeting of the forum, intentionally causing harm, or some kind of purposeful availment of the privilege of conducting activities within the forum State. See ,J. McIntyre Machinery, Ltd v Nicastro131 S.Ct. 2780 (2011), Football Dataco Ltd. v Sportradar GmbH, Case C‑173/11, 18 October, 2012.[i] Under CASL organizations from around the world could be liable for massive damages claims without ever intentionally targeting Canadians.
The response by foreign organizations to this territorial overreach will likely vary. Many organizations will learn about CASL and comply with its laws. Many multinational organizations with established businesses in Canada will be in this category. Other organizations may want to comply, but consider the costs of developing specialized processes merely for Canada to be too expensive and consider the liability too onerous. Adapting to CASL will be particularly challenging for innovative organizations whose business models would be constrained by CASL’s e-mail focused technology models and which either can’t be complied with or can’t easily be complied with. The result may well be decisions by foreign organizations not to offer their products or services to Canadians, or to introduce them only after launching in other jurisdictions which don’t require significant technological adaptations or modifications of marketing and promotional approaches. This would be a very unfortunate development for Canadian consumers who would ultimately suffer by having access to less information about products, services, organizations and individuals (including fan sites) they are interested in, less choice in offerings, and potentially even higher prices because of reduced competition.
Other organizations, and there will be many of these, would not know, and have no reason for surmising, that following international standards for distributing software and sending CEMs could result in significant liability under Canadian laws. They may become targets of the CASL litigation trolls that will undoubtedly emerge after CASL comes into effect.
Industry Canada recognized the problem faced by organizations whose customers may inadvertently roam into Canda and receive messages intended to reach them while in their own countries. It proposed an exception for a CEM
that is sent or caused or permitted to be sent by a person located outside Canada or that is sent from a computer system located outside Canada and that relates to a product, good, service or organization located or provided outside Canada that is accessed using a computer system located in Canada if the person sending the message did not know and could not reasonably be expected to know that the message would be accessed using a computer system located in Canada;
The exception is justified. However, it has very limited application as it would require every website or organization opertating on the global Internet to put in place a mechanism to collect personal information or geolocational information on every person to whom it sends CEMs in order to satisfy the due diligence standard. For privacy and other reasons many organizations do not want to collect personal information or location data about their site users. The proposed exception also does not provide any relief to websites that make programs available to download to all comers, leaving every organization worldwide subject to CASL’s unique and more burdensome approaches to distributing software and apps and litigation threats.
CASL’s territorial overreach will also have very significant consequences for Canadian based organizations. CASL forces Canadian individuals and organizations to comply with its laws even when they are interacting completely with persons outside of Canada. The anti-spam rules apply to any commercial electronic message that is sent from a computer located in Canada anywhere in the world. Similarly, CASL’s “malware” rules apply to any program that is installed on any PC, smartphone, tablet or other computer that is located anywhere by a person located in Canada.
This startling jurisdictional reach will create huge disincentives on organizations to invest and operate infrastructure from Canada to support foreign operations. The Information Technology Association of Canada (ITAC), a prominent advocate for the expansion of Canada’s innovative capacity and the strategic use of technology, had the following to say about CASL’s territorial overreach in its submission to the last Industry Canada consultation:
“Given that section 6 of CASL will apply when a computer system located in Canada is used to send or access a CEM, CASL will impact a range of business decisions that could have unintended negative effects on the competitiveness of a wide range of Canadian technology companies. At least three scenarios can be contemplated.
First, Canadian multi-national companies sending messages to non-Canadian customers are incented to use vendors located outside Canada to send those messages, because otherwise the messages will have to comply with CASL. This would result in service jobs leaving the country. ITAC understands that some Canadian organisations that are already contemplating moving their foreign market-related messaging operations outside Canada.
Second, foreign companies deciding where to locate server farms and other facilities related to cloud computing that could be used to send messages or provide services on behalf of vendors located anywhere in the world, to customers located anywhere in the world, may choose against Canada because of the extra cost of complying with CASL. That would have significant unintended negative consequences for the growth of cloud computing in Canada.
Third, Canadian providers of outsourced services to non-Canadian businesses will be at a major disadvantage compared to competitors in other countries. By selecting foreign service providers, the foreign entities can avoid the costs and complications of complying with CASL.”
Of course the implications would not be limited to Canadian businesses. Every organization that chooses to support foreign activities from Canada would be forced to compete with organizations in other countries who would not be subject to these burdens.
The issue was a major one raised during the last consultations. Industry Canada recognized the problem, yet decided not to address it saying:
Another issue concerns the ability for businesses in Canada to send commercial electronic messages to recipients outside of the country on behalf of foreign organizations. Some stakeholders argued in their submissions that CASL would put Canadian businesses at a competitive disadvantage sending commercial electronic messages outside of Canada on behalf of foreign businesses. Analysis indicated that an exemption allowing Canadian businesses to send commercial electronic messages to non-business recipients outside of Canada would create the potential for abuse since these commercial communications would be subject only to the other country’s legislation, if any. Given concerns that such an exemption would create a loophole that could be abused by spammers, and the difficulties inherent in determining the lawfulness of activities in foreign jurisdictions, the suggested exemption is not included in these proposed Regulations in order to maintain the intended balance in the Act.
It is surprising that the Government would fail to address a major issue that would undermine its digital strategy for the development of high technology industries including the fast growing cloud computing, outsourcing, computer help desk, and managed services businesses. How can the difficulties of enforcing CASL against a few spammers take policy preference over significantly impairing huge growth industries for Canada that brings with it jobs, taxes, and first mover advantages? Moreover, how can it be justified given that there are many ways to address the theoretical problem of Canadian based spammers who target only foreign jurisdictions?
A simple fix, as Lorne Salzmam and I proposed previously, is to exempt from CASL those activities that comply with the laws of the destination countries. Courts regularly make findings of foreign law. It is surprising that the Government does not have the confidence that the CRTC could do what the courts regularly do and make findings of foreign law where needed to go after any of these international spammers. If this really is a concern, another approach is to define objective criteria that would make using Canada as a base for spamming or distributing malware illegal. For example, sending false or misleading CEMs or distributing real malware or spyware without consent could be enough to make CASL apply.
CASL’s goal is to promote the use of electronic networks to promote economic activity. Yet, the zealous pursuit of stopping spam would visit far greater harm to Canada’s digital economy than the harm from a few spammers who might choose to locate in Canada solely to send harmful emails into other jurisdictions. In any event, these few cases can be addressed with thoughtful regulatory drafting. CASL will discourage service suppliers from locating or maintaining facilities in Canada. As a result Canada will lose the jobs, taxes and spin-off activities from such businesses. Further, Canada’s participation in a core building block of the digital economy would be reduced. There is no good policy reason for not fixing this problem. CASL should not lessen the attractiveness of Canada as a location to participate in the digital economy.
For more information about CASL, see, CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline.
[i] In Canada, the real and substantial connection test is often applied to determine the limits of jurisdiction. In Club Resorts Ltd. v. Van Breda, 2012 SCC 17, the Supreme Court recently held that for “Jurisdiction must … be established primarily on the basis of objective factors that connect the legal situation or the subject matter of the litigation with the forum”. In commenting on purely virtual relationships the court stated that “Active advertising in the jurisdiction or, for example, the fact that a Web site can be accessed from the jurisdiction would not suffice to establish that the defendant is carrying on business there. The notion of carrying on business requires some form of actual, not only virtual, presence in the jurisdiction, such as maintaining an office there or regularly visiting the territory of the particular jurisdiction.”