Canada’s regulations to limit unwanted email messages from businesses have been four years in the making, but if organizations representing the business community get their way, they could unravel much faster than that.
Canada’s Anti-Spam Legislation (CASL) is set to come into effect July 1 and requires businesses to receive consent from consumers before sending them commercial messages via email or any other digital channel. But members of the business community and lawyers critical of the new law say the first organization fined by the enforcement regime will likely challenge it in court on the basis that it violates the Charter’s protection of free speech. In this case, it would be a limitation on commercial speech.
The new regime governing the sending of email and other so-called “commercial electronic messages” (CEMs – covering instant messages and social media too) is too strict, says Scott Smith, director of intellectual property and innovation policy at the Chamber of Commerce. Canada is one of the few countries to require an opt-in by the consumer to receive messages, instead of just allowing them to opt-out.
So what’s to be done?
Asked directly if he knew of any groups organizing a court challenge to CASL, Smith responded: “There’s been some discussion about that at the chamber … we haven’t come to any conclusions yet.”
CASL received Royal Assent to be passed into law in December 2010. But it’s taken years of consultation sessions held by Industry Canada and the Canadian Radio-television and Telecommunications Commission (CRTC), several revisions made to the wording of the regulations, and a lot of waiting to finally come to the point where it will be actively enforced. Three government bodies will coordinate enforcement of the anti-spam bill: the Competition Bureau, the Privacy Commissioner of Canada, and the CRTC.
Anti-spam bill actually anti-free speech?
Should CASL be brought to court on the basis it violates free speech, a judge would have to balance the consumer’s right to privacy against the commercial right to free speech, says Barry Sookman, a partner at Toronto-based McCarthy Tetrault LLP. While it’s clear that CASL does limit freedom of commercial speech in some situations, a judge could deem that those are reasonable limitations because they protect the privacy of would-be message recipients. If the legislation limits speech only to the extent that it needs to in order to meet its goals, it’s a good law. If it goes too far, then it infringes on the Charter.
For Sookman, CASL represents one of the biggest threats to free speech on the Internet in Canada.
“There’s nothing like it that has this much of a lockdown on speech,” Sookman says. “That’s why I say it won’t be able to stand up to a Charter challenge.”
Industry Canada says CASL will come into effect July 1 as planned and that lawmakers took the Charter into consideration when creating the legislation. In a statement emailed to ITBusiness.ca in response to a request for an interview, an Industry Canada spokesperson said that when Parliament passed the bill into law, they agreed that it was consistent with the Charter. (CASL received support from all three major political parties in the House of Commons.)
Other lawyers disagree. Michael Geist holds the Canada Research Chair in Internet and e-commerce law at the University of Ottawa. He points out the bill went through a vetting process that included review by Department of Justice lawyers before being passed into law. Opposition to the new law has been overblown, he says.
“There’s been an awful lot of hyperbole and exaggeration about CASL,” he says. “Rather than actually talking about what the legislation really involves … we get a lot of people up in arms about legislation that is far from the horror story that it’s made out to be.”
If CASL is challenged in court, Geist says it’s a more likely scenario that a judge would make smaller tweaks to areas where the law is overbearing, rather than throw out the entire piece of legislation wholesale. The law could be modified to add another exemption, for example, in addition to the exemptions already built in to the legislation.
CASL legislation a ‘bundle of spaghetti’
What could also be at issue with CASL is whether the law is clear enough. A court could test whether it’s reasonable to expect most businesses to understand exactly what messages they’re allowed to send without consent and when they need to obtain consent before sending a message. Privacy lawyer David Fraser characterizes CASL as convoluted and nonsensical.
“They’ve had to go back to the drawing board a number of times, but they didn’t just scrap it and start from scratch,” he says. “In a way it’s like a big bundle of spaghetti when you have to find out where the threads go.”
CASL is lowering the bar on what proof is required to fine organizations compared to other legislation, Fraser says. There’s terminology in the bill that’s not clearly understood, and other areas where the intent of the sender could make the difference between compliance and a violation.
Sookman agrees the law is too vague. “The legislation is in fact impossible to comply with in a perfect way,” he says. “In some cases it’s just technologically impossible to comply with it.”
He gives the example of sending an SMS message. The limited character length of those messages makes it impractical to notify the recipient of who sent it and how to unsubscribe in each individual message.
But Geist disagrees, saying the law is “perfectly clear” after being through three years of debate and consultation process involving business groups. “You get people that screamed for reforms and now because they get those reforms they asked for, it’s unclear?” he says. “That’s pretty rich.”
A coalition of 15 business associations including the Chamber of Commerce, Canadian Federation of Independent Businesses, Canadian Marketing Association, Information Technology Association of Canada, Canadian Bankers Association, and the Canadian Wireless Telecommunications Association have sent comments and official submissions regarding CASL to Industry Canada. A review of the law is planned for three years from now, thanks to a clause built into the legislation.
For now, businesses should be gathering opt-in consent from customers to send email communications to them, and they should ensure they are in compliance with CASL by Canada Day.
Canada’s business landscape is a relatively stable one and a good place to operate in for 2014, Borden Ladner Gervais says, but there will be growing areas of risk that organizations must be concerned about for the year ahead – including several technology trends.
In BLG’s second risk assessment for 2014, it identifies the push for equity-based crowdfunding as a concern. “Crowdfunding sidesteps the cost and expense of venture capital and private placements, and it also skips due diligence and other investor protections,” BLG states.
The mention of crowdfunding as a major risk before many provinces have finished considering the issue is a curious one. Final regulations around creating exemptions for private equity crowdfunding of startups could contain limits on what a single investor can put into a company, thereby limiting risk as well. While part of the point of allowing equity-based crowdfunding for startups is to avoid the expensive paperwork and audits required to become certified to receive funding on the traditional investment market, that’s not to say there can’t be some sort of basic steps that ensure accountability for each deal.
Saskatchewan became the first Canadian province to allow equity-based crowdfunding earlier this month, when the Financial and Consumer Affairs Authority announced an Equity Crowdfunding Exemption. It comes with regulations that require both the investor and the business to be located in Saskatchewan, and limits individual investments in a business to $1,500. BLG doesn’t make it clear why it thinks crowdfunding is a major risk concern in 2014, or who will be shouldering that risk, but if the most any individual stands to lose is $1,500, it’s hard to see why it’s a major concern.
The seventh top risk of 2014 will be related to Canada’s Anti-Spam Legislation (CASL) that comes into force July 1. BLG rightfully points out that while individual right to legal action won’t take effect until 2017, businesses that send email as part of regular activities could still be fined by the enforcement agencies to the tune of up to $10 million. Since compliance with existing privacy laws won’t be enough to satisfy the new legislation, BLG advises that organizations act now and be ready for a landscape where a consumer complaint about spam could lead to serious monetary penalties.
The eighth top risk is electronic data, BLG states. Data has perhaps never been spread across such a wide spectrum of locations, BLG reasons, with mobile endpoints multiplying as employees bring smartphones and tablets to work, and corporate data residing in the cloud, company servers, and everywhere in between. Companies’ responsibility to protect employee and customer data will turn into a greater risk next year, BLG says. “Reputational risk is a huge concern, but it would pale in comparison to the damage to the organization if client or employee data were actually compromised.”
Finally, social media rounds out the risks for business. Thanks to one-button syndication tools (such as a retweet) in the hands of every online user, any business can be defamed, denigrated, or discriminated against more easily than ever. Businesses must treat social media postings like any other document and consider it a legitimate channel to be served legal notice on, BLG warns.
Canada’s new anti-spam legislation (CASL) marks a huge shift from previous government efforts to deal with spam and that is a good thing, according to industry experts. But while they are optimistic about new powers granted to authorities under CASL, privacy and security analysts believe a spam reporting centre (SRC) dubbed “The Freezer” wouldn’t be much of a threat to spammers.
What began as Bill C-28, CASL covers substantially more ground than this country’s previous anti-spam legislation and is even more comprehensive than the United States’ CAN-SPAM Act of 2003, according to John Lawford, counsel for the Ottawa-based Public Interest Advocacy Group. For instance, CAN-SPAM is business-centric: it allows marketers to e-mail almost anyone at least once unless the recipient unsubscribes. It does not require “express consent” from the recipient. By contrast, CASL compels businesses to obtain express consent from recipients and requires businesses to provide an opt-out mechanism for people who do not want to receive further messages from them.
Both Lawford and Claudiu Popa, principal of security consultancy firm Informatica Corp., however, agree that the spam reporting centre (SRC) or Freezer being planned by the government is mostly about media hype.
The government recently put out an invitation for businesses to bid on a $700,000 project that will enable people to report spam to authorities. The Freezer will be staffed by employees who will evaluate the complaints. The gathered data will also be used as evidence in case of legal proceedings against the alleged offender, according to Stéfanie Power, representative of Industry Canada.
The data will be shared among the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada. These are the three government bodies that will work together to enforce CASL. The Competition Bureau is a law enforcement agency under Industry Canada.
“This is just window dressing, a total distraction from the main issue,” Lawford said of The Freezer.
Lawford doubts if much of the data received by the SRC will be used for prosecution purposes. “At best, if the SRC is implemented properly, the data can be used for research purposes.”
For example, he said, information collected by the SRC can be used to establish spam trends, such as which vectors spammers are gravitating towards. “Let’s hope this is what they do with the SRC and that it doesn’t end up as a boondoggle,” said Lawford.
Popa of Informatica says the SRC is a useless duplication of anti-spam efforts. “The browsers are already doing a good job of filtering spam. The spam we receive on our inbox represents a small number that get past the filter.”
Asking people to transmit this spam message one more time to the SRC only adds to Internet traffic and becomes a burden that will tie down researchers in the facility from accomplishing anything substantial, he said. “This simply adds another step to the process and ironically enables spam to be transmitted over the Internet one more time.”
“A better way of dealing with spam is to educate marketers about what consent means and to make it compelling for them to follow Internet rules and respect people’s rights,” said Popa.
“Most of the servers generating spam are outside the government’s jurisdiction, how can this bill be effective against companies based outside Canada?” asked Popa.
Bradley Freedman, technology law specialist at the Toronto-based law firm Borden Ladner Gervais LLP, said the bill has two provisions that make it exceptional. “One is that Bill C-28 allows individuals who have appropriate intent to commence a civil lawsuit against a party for breach of the law. This could include class action lawsuits.”
On the other hand, the bill also has a self-reporting component. This provision, modelled after a similar one contained in the U.S. CAN-SPAM Act, allows individuals or businesses that have inadvertently breached the anti-spam law to report their actions to the appropriate enforcement authority, said Freedman. “If they confess they have breached the law and correct their practices there will be no issuance of violation and this will preclude civil action.”
Lawford said the CASL might best be looked at as something similar to the do-not-call list. The registry of people who did not want to receive marketing calls had been called ineffective and costly in the beginning but years later has managed to curb unwanted marketing calls and has made people happy.
ITBusiness.ca contacted three government bodies involved in the SRC to get their view on the argument that “The Freezer” would just be duplicating security measures already conducted by browsers and ISPs.
The CRTC was not able to provide an interview as of press time. Industry Canada sent an email response explaining that the SRC was not meant as an enforcement tool.
The SRC’s primary role is data collection and analysis, Industry Canada explains. When operational, the SRC will accept various types of unsolicited electronic messages forwarded by individuals and organizations in Canada. These will include, but not be limited to, spam, malware, spyware, SMS and false and misleading representations involving the use of any means of telecommunications.
“The SRC will not have any role in enforcement of the legislation other than collecting information and making it available to the three enforcement agencies as required for their own enforcement activities,” a spokesperson writes. “The centre will be responsible for identifying and analyzing trends in spam and other related threats to electronic commerce.”
Basically, he said, all three bodies have access to the SRC’s database and will use the information they obtain to pursue their distinct mandate.
In the case of the OPC, it has assembled a team comprised of investigators, technologists, policy analysts and in-house legal counsel, said Hutchinson. The commission will focus on two types of violations:
* The collection of personal information through illicit access to other people’s computer systems; and
* Electronic address harvesting, where bulk e-mail lists are compiled through mechanisms that include the use of computer programs to automatically mine the Internet for addresses.
The CRTC will be responsible for investigations regarding the sending of unsolicited commercial electronic messages, the alteration of transmission data and the installation of software without consent.
The Competition Bureau will address false or misleading representations and deceptive marketing practices in the electronic marketplace.
“We are reviewing our existing investigative process in light of potential complaints under CASL, and collaborating closely with our colleagues at the CRTC, the Competition Bureau and Industry Canada to ensure everything from public education to enforcement will be handled in a coordinated manner,” he said.
The Privacy Commissioner of Canada wants to beef up privacy laws to keep up with the pace of the digital age and its endless thirst for acquiring personal information, the office announced today.
Commissioner Jennifer Stoddart has charted a roadmap to what a modern privacy protection framework might look like with a position paper made available online. In it, she calls for reforms strengthening the Personal Information Protection and Electronic Documents Act (PIPEDA) that governs commercial activities across the country, save for Quebec, Alberta, and British Columbia, which have provincial privacy laws in place. Stoddart calls for the power to impose fines when needed, a requirement of organizations that suffer personal information breaches to notify affected individuals, increase in law enforcement transparency, and a way to hold organizations to account when they violate privacy laws.
The Federal Court could also order statutory damages to be paid for breaking privacy laws, Stoddart writes, without the requirement that an affected party prove a direct loss as a result of the violation. A minimum and a maximum amount for the fines would be set as guidelines for the court. Stoddart points to Canada’s Anti-Spam Legislation (CASL) as an example of legislation that uses fines in this way – legislation that is soon to be implemented and is meant to deter unwanted e-mail correspondence between businesses and consumers.
Mandatory reporting of privacy breaches by organizations is needed because “over the past few years, there have been a number of high-profile data breaches both in Canada and abroad that compromised the personal information of Canadians,” Stoddart writes. This can result in harms such as identity theft, financial loss, damage to credit ratings, or even physical harm. Stoddart is concerned Canadian organizations aren’t doing enough to ensure protection of customer data under their protection.
The Privacy Commissioner’s office has been no stranger to the challenges posed to guarding personal privacy in a connected world. Since the last PIPEDA review in 2006, it has conducted several investigations against major web brands that deal with the personal details of Canadians.
A 2009 investigation into Facebook resulted in the social network making changes such as a clearer distinction between deleting and deactivating an account and further controls over what third-party applications are able to do.
Stoddart also oversaw a 2010 investigation into Google’s collection of Wi-Fi data using Street View cars, which collected personal information from Canadians with unprotected networks. Stoddart expressed concern with Google’s “careless” approach with personal information and made recommendations for a governance model that would prevent such occurrences in the future.
Last year, the Privacy Commissioner investigated 25 websites visited regularly by Canadians and found six had unsafe privacy practices. It didn’t disclose the websites, but followed up with the offenders to get the privacy leaks plugged.
Stoddart says the complexity of these cases and the follow-up efforts made by her office are taking a lot of resources. She’s looking for the law to hold companies legally accountable to changes requested by her office.
Parliament is required to review PIPEDA and the aspects dealing with data protection every five years. The last review was started in 2006 and a final report on that review was issued by a committee in May 2007.