The new anti-spam and anti-spyware legislation has such a broad reach and is so complex that organizations that conduct business online will need to reassess their business practices for sending commercial electronic messages or face stiff new penalties that can go up to $1 million for individuals and $10 million for corporations for each violation, according to experts.
Expected to come into force by September at the latest, Bill C-28 received royal assent just before the Christmas holidays, giving Canada the legislation against spam and spyware that privacy advocates say is long overdue. Bill C-28, whose name is so long that it is commonly referred to as the Fighting Internet and Wireless Spam Act, will prohibit sending unsolicited commercial electronic messages, including e-mails, text, sound, voice or image messages, unless recipients give consent, either express or implied. Its scope appears to be so broad that its reach likely extends to popular social media platforms such as Facebook, LinkedIn, Twitter and the like, though that will likely be the subject of court interpretation, say legal observers.
“It’s a very broad statute,” remarked Michael Fekete, a partner with Osler, Hoskin & Harcourt LLP who practices in information technology, e-commerce and privacy. “It just doesn’t cover what we would normally refer to as spam but any commercial electronic message, with very few exceptions. It also covers a lot of things including spyware but even there the provisions just don’t deal with malicious software code that might be installed surreptitiously. It covers the installation of any computer program on another person’s computing device,” including smart phones.
The new act also marks a “real shift” in the way that personal information is regulated, added Fekete. Unlike the Personal Information Protection and Electronic Documents Act (PIPEDA), which uses a principle-based approach to consent, Bill C-28 adopts a rules-based approach which will compel organizations to “consider how the rules impact on their activities in each and every case when sending out a commercial electronic message,” he said.
Under the new regime, the notion of consent is key. Organizations must “clearly and simply” set out the purpose for which consent is being sought and identify the organization seeking the consent. But as Montreal lawyer Charles Morgan points out, there is a “long list of exceptions, and the exceptions will be supplemented by regulations.” The regulations, though they have yet to be drafted, are expected to come out by this March, following which there will likely be a 60-day comment period.
“What makes it complex is that there’s an overall general prohibition that applies with respect to spam and spyware,” noted Morgan, leader of McCarthy Tétrault LLP’s technology group practice in Montreal. “Everything is prohibited unless it falls within exceptions.”
Making matters even more complicated for organizations is that, the way the new Act was drafted, the rules are spread out across many different sections of different laws. The new Act, an updated version of Bill C-27 which died on the order paper in December 2009, amends four existing acts including PIPEDA, the Competition Act, the Telecommunications Act and the Canadian Radio-television and Telecommunications Act. Organizations doing business online will therefore have to carefully scrutinize the new Act as well as examine “all of the different pieces” of different existing acts in order to ensure compliance, said Fekete.
“It creates real challenges for companies in terms of compliance,” said Fekete. “It will require a lot of diligence on behalf of lawyers and clients to make sure they set up their processes and systems appropriately.”
Otherwise, the penalties they face can be steep. Under the Act, directors and officers can be held personally liable if they authorized or acquiesced in the offence, while employers can be held vicariously liable for the actions of employees acting within the scope of their authority. Though the Office of the Privacy Commissioner can take measures against the collection of personal information via access to a computer and the unauthorized compiling or supplying of lists of electronic addresses, it is the Competition Tribunal and, surprisingly, the Canadian Radio-television and Telecommunications Commission (CRTC) that have the powers to impose administrative monetary penalties.
“It’s surprising that the CRTC has been given such power,” said an information technology lawyer. “The federal government did not want to create a new tribunal, presumably just from a cost standpoint. And for whatever reason, they were not too crazy about just giving the Privacy Commissioner a lot of power.”
That’s not something that seems to bother consumer activist organizations such as the Public Interest Advocacy Centre (PIAC) so long as the CRTC, the Competition Bureau, and Privacy Commissioner conduct “intense enforcement efforts,” particularly during the initial phases of the new law.
“We’re supportive of the approach,” said John Lawford, counsel and research analyst with PIAC, a non-profit organization. “I hope that the anti-spam bill will help reduce spam but also phishing and other fraudulent emails that cost Canadians millions every year.”
In the meantime, organizations doing business online will have their work cut out for them, and should begin reviewing their operations now, before the new law kicks in.
“Frankly most organizations will have to change their current business practice in some way or another in order to be compliant,” said Morgan, author of “Halsbury’s Laws of Canada — Communications.” “It’s not that it’s impossible to comply, it’s that compliance will require change – and non-compliance is subject to steep penalties.”