Doc # 10027070
1
Why businesses need to be
concerned about the Bill C-28
2
Scope and Approach
- SPAM - transmitting any commercial electronic message is illegal unless there is consent, it is an excluded category, and the message is in a prescribed form. (s.6)
- Malware - it is illegal as part of a commercial activity to install any computer program, good or bad, onto someone’s computer unless there is express consent and the prescribed disclosures are made. (s.8)
- Spyware - it is illegal as part of a commercial activity to install any computer program onto someone’s computer that transmits data of any kind from that computer unless there is consent and the prescribed disclosures are made. (s.8)
- Message routing - it is illegal to alter transmission data to route a message to an unintended destination. (s.7)
- Broad protection against false and misleading representations extending to header information, subject matter lines, URLs, and the message itself. (s.75 and 77)
- Broad protection against collecting individuals’ electronic addresses using automated tools primarily designed for this purpose and collecting personal information over the internet by accessing a computer in violation of federal laws. (s.82)
- Burden of proof for consents is on the person alleging they have it. (s.13)
- The regulations will significantly affect the interpretation of the Act and are not yet published. Scope will be significantly impacted by the regulations.
3
Very high liability
- Administrative monetary penalties (AMPS) with caps up to $1 million for an individual and $10 million for anyone else. (s.20(4))
- Private rights of action by anyone affected by a prohibited act (s.47(1)) with liability that consists of:
  - compensation for loss, damages and expenses; and
  - extensive awards that are capped at:
    - $1 million per day for breach of SPAM, malware, spyware, message routing, address and personal information harvesting, and Competition Act provisions;
    - $1 million for each act of aiding, inducing, or procuring a breach of the SPAM, malware and spyware, and message routing provisions, plus liability up to $1 million per day for breach of SPAM, malware, spyware, and message routing provisions.
- Risks of class actions.
4
Extensive accessorial and vicarious liability
- Liability extends to any person who aids, induces or procures a prohibited act. (s.9) Scope?
- Businesses are liable for acts of their employees within the scope of their authority. (s.32, s.53)
- Liability extends to officers, directors, agents, mandataries if they directed, authorized, assented to, acquiesced, or participated in the prohibited act. (s.31, s.52) Scope - acquiesced?
- → Businesses liable for employees → businesses liable for “aiding” → businesses liable for massive AMPS and damages → class actions → officers and directors ultimately liable.
- → Businesses need to put policies and processes in place to reduce risk.
- → Insurance?
5
Extensive extra-territorial effects
- The provisions of Bill C-28 could impact activities undertaken outside Canada.
- The anti-spam provisions apply to any message where a computer system located “in Canada is used to send or access the electronic message”. (s.13(1))
- The message altering provisions also apply to messages if a “computer system located in Canada is used to send, route or access the electronic message”. (s.13(2))
- Other prohibitions – real and substantial connection test?
- → Legislation has worldwide impacts that foreign entities will not expect.
- → Bill C-28 is significantly more onerous than any international counterpart.
- → This will mandate Canada-specific processes for doing business in Canada or with Canadians using facilities located outside of Canada.
6
Anti-SPAM Provisions
7
Background: on SPAM provisions
- In its 2005 Report, the Task Force recommended “new legislation as required to fill any gaps identified in existing laws” (“Task Force”). The Bill purports to implement the recommendations of the Task Force.
- Internationally there are many precedents for dealing with SPAM including:
  - U.S. CAN-SPAM Act 2003 (US CAN SPAM);
  - EU Directive 2002/58/EC on privacy and electronic communications (EU Directive);
  - Australia Spam Act 2003 (Australia Spam Act);
  - Singapore Spam Control Act 2007 (Singapore Spam Act); and
  - UK Privacy and Electronic Communications Regulations 2003 (UK Spam Act).
8
Background: on SPAM provisions
- The anti-SPAM provisions depart significantly from other international anti-spam legislation which:
  - applies to e-mails that are sent in violation of an individual’s opt-out request, or are fraudulent, false or misleading (US CAN SPAM);
  - applies to e-mail for the purposes of direct marketing to individuals (EU Directive, UK Act);
  - applies to a defined list of commercial electronic messages that relate to direct marketing (Australia Spam Act; NZ Spam Act); and
  - applies to a defined list of commercial electronic messages that relate to direct marketing and are sent in bulk (Singapore Spam Act).
- “Commercial electronic message” in Bill C-28 by contrast is defined in an open-ended way.
- → International entities need to understand the broad scope of the SPAM provisions and adapt their business processes to the extent they carry on business in Canada or deal with Canadians.
9
The Anti-SPAM Prohibition
10
What messages and messaging systems
are included
- “electronic message” means a message sent by any means of telecommunication, including a text, sound, voice or image message. (s.1(1)) (But it excludes voice messages covered by the “Do Not Call List”, fax messages and voice recordings. (s.6(8)))
- “electronic address” means an address used in connection with the transmission of an electronic message to (a) an electronic mail account; (b) an instant messaging account; (c) a telephone account; or (d) any similar account. (s.1(1))
- A “commercial electronic message” is “an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that (a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; (b) offers to provide a business, investment or gaming opportunity; (c) advertises or promotes anything referred to in paragraph (a) or (b); or (d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.”
11
What messages and messaging systems
are included
- “commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.
- Applies as well to an electronic message that contains a request to send a prohibited message. (s.1(3))
- → Note how open-ended this is → electronic messages can be “sent by any means of telecommunication” → electronic addresses include “any similar account”, which will continually change → commercial electronic messages fall into a non-exclusive list of electronic messages.
12
What messages and messaging systems
are included
- Do the provisions apply to accounts with:
  - E-mail e.g. Gmail, Hotmail, Exchange;
  - IM (BBM, Google Talk);
  - Social networks e.g., LinkedIn, Facebook, Twitter tweets and direct messages;
  - Geo-location services;
  - E-commerce portals where there are accounts; and
  - Message boards.
- → Businesses and their employees communicate for commercial purposes using multiple sources.
- → Policies are needed for obtaining consents and complying with format requirements for each platform used to send commercial electronic messages.
13
General exceptions to anti-SPAM
provisions
- Messages to an individual with whom the person has a personal or family relationship as defined in regulations. (s.6(5))
- An inquiry of or application related to a commercial activity. (s.6(5))
- A class defined in regulations. (s.6(5)). Don’t know what they are.
- To telecom service providers when they enable transmissions of messages. (s.6(7))
- Messages related to law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada. (s.(1), s.6(4))
- The consent requirement in para. 1(a) does not apply to certain commercial electronic messages e.g., providing a quote in response to a request, furtherance of previously agreed to transactions, warranty, safety, security, product recall information, factual information about a purchase, information about an employment or benefits plan, delivering a product, service or upgrade, or another exception specified in a regulation. (s.6(6))
- → Will businesses develop policies that rely on specific exceptions for consent, even when the formality requirements are not also exempted?
14
Getting consents to send commercial
electronic messages
- Express consents
  - A person who seeks express consent must, when requesting consent, set out clearly and simply the following information: (a) the purpose or purposes for which the consent is being sought; (b) prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, prescribed information that identifies that other person; and (c) any other prescribed information. (s.10(1)). See also (2).
  - How do businesses obtain express consent to send a commercial electronic message when sending an electronic message to request consent is itself a commercial electronic message for which consent is required? (s.1(3))
- Implied consents
  - Consents to collect, use or disclose information under PIPEDA are not necessarily valid for the purposes of Bill C-28.
  - Bill C-28 will create a consent regime that conflicts with the consent regime in PIPEDA since “implied consents” are a closed list of categories.
  - → Businesses cannot rely on PIPEDA consents to use personal information since the regimes are different e.g., disclosure standards, standards for determining implied consents, and exceptions are not the same.
15
Implied consents to send commercial
electronic messages
- A consent is implied for the purpose of the anti-SPAM provisions only if:
  a) there is “an existing business relationship” or an “existing non-business relationship”, as those terms are defined. (s.10(9))
    - “Existing business relationship” is a relationship arising from a purchase or barter within the last 2 years; acceptance of a business, investment or gaming opportunity within the last 2 years; a contract, until 2 years after expiry; or any inquiry or application within the last 6 months. (s.10(10))
    - “Existing non-business relationship” is a non-business relationship arising from a donation or gift, volunteering for a charity, or membership, within a 2 year window. (s.10(13))
  b) the person to whom the message is sent has “conspicuously published” the electronic address without a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address and the message is relevant to the person’s business, role, functions or duties in a business or official capacity;
  c) the person to whom the message is sent has disclosed, to the person who sends the message, his/her electronic address without indicating a wish not to receive SPAM, and the message is relevant to the person’s business, role, functions or duties in a business or official capacity; or
  d) the message is sent in the circumstances set out in the regulations.
16
Format requirements for electronic
messages
- The electronic messages must be in a form that conforms to the prescribed requirements and must:
  a) set out prescribed information that identifies the person who sent the message;
  b) set out information enabling the person to whom the message is sent to readily contact the sender (the contact information must be valid for 60 days); and
  c) set out the prescribed unsubscribe mechanism. (s.6(2) & (3))
- The unsubscribe mechanism must (a) enable the recipient to indicate, at no cost to them, the wish to no longer receive any messages, or any specified class of such messages, from the sender, using (i) the same electronic means by which the message was sent, or (ii) if using those means is not practicable, any other electronic means that will enable the person to indicate the wish; and (b) specify an electronic address, or link to a page on the World Wide Web that can be accessed through a web browser, to which the indication may be sent. (s.11(1) & (2))
- → Is it possible to comply with these rules for all media? Can regulations solve the problem?
- → Businesses need to develop policies and processes for how to comply with format requirements for every category of message formats for all included media. These will need continual review.
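The three format requirements above (sender identification, contact information, unsubscribe mechanism) are the kind of thing an outbound-mail pipeline can check before a message leaves. The following is an added example, not part of the deck: it parses an e-mail with Python's standard library and tests for each requirement. Because the "prescribed" information is not yet published, every check is a stated assumption (sender identification is taken to mean a From address with a domain; contact information a Canadian postal code or phone number in the body; the unsubscribe mechanism a List-Unsubscribe header per RFC 2369, or unsubscribe wording in the body beside a mailto: link or a web page URL). The sample messages, names and domains are constructed placeholders.

```python
"""Heuristic check of a commercial e-mail against the s.6(2) format
requirements and the s.11(1) unsubscribe rule. Added example; all
thresholds and proxies are assumptions, not the prescribed rules."""
import email
import re
from email import policy

POSTAL_CODE = re.compile(r"\b[A-Z]\d[A-Z] ?\d[A-Z]\d\b")   # Canadian postal code
PHONE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
MAILTO = re.compile(r"mailto:[^\s<>\"']+", re.I)          # same electronic means
WEB_URL = re.compile(r"https?://[^\s<>\"']+", re.I)       # web page alternative
UNSUB_WORDS = re.compile(r"unsubscribe|opt[- ]?out|stop receiving", re.I)

# Constructed sample messages; names and domains are placeholders.
COMPLIANT = """From: ABC Hotels Offers <offers@abc-hotels.example.com>
To: guest@example.net
Subject: Spring rates at ABC Hotels
List-Unsubscribe: <mailto:unsubscribe@abc-hotels.example.com>, <https://abc-hotels.example.com/unsubscribe>

Spring rates are now available.

ABC Hotels Inc., 100 Example Street, Ottawa ON K1A 0A1, Tel: 613-555-0100
To stop receiving these offers, visit https://abc-hotels.example.com/unsubscribe
"""

NO_UNSUBSCRIBE = """From: offers@abc-hotels.example.com
To: guest@example.net
Subject: Spring rates at ABC Hotels

Spring rates are now available.
ABC Hotels Inc., 100 Example Street, Ottawa ON K1A 0A1
"""


def parse(raw):
    """Parse an RFC 5322 message string into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def body_text(msg):
    """Return the text of the preferred body part, or an empty string."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def identifies_sender(msg):
    """s.6(2)(a) proxy: the From header carries an address with a domain."""
    header = msg["From"]
    return header is not None and any(a.domain for a in header.addresses)


def has_contact_information(msg):
    """s.6(2)(b) proxy: a postal code or phone number appears in the body."""
    text = body_text(msg)
    return bool(POSTAL_CODE.search(text) or PHONE.search(text))


def has_unsubscribe_mechanism(msg):
    """s.11(1) proxy: a List-Unsubscribe header, or unsubscribe wording in
    the body together with a mailto: link or a web page URL."""
    header = str(msg.get("List-Unsubscribe", ""))
    if MAILTO.search(header) or WEB_URL.search(header):
        return True
    text = body_text(msg)
    return bool(UNSUB_WORDS.search(text) and (MAILTO.search(text) or WEB_URL.search(text)))


def check_message(raw):
    """Run all checks; return one boolean per requirement plus an overall verdict."""
    msg = parse(raw)
    results = {
        "identifies_sender": identifies_sender(msg),
        "contact_information": has_contact_information(msg),
        "unsubscribe_mechanism": has_unsubscribe_mechanism(msg),
    }
    results["compliant"] = all(results.values())
    return results


if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT), ("no-unsubscribe", NO_UNSUBSCRIBE)):
        print(label, check_message(raw))
```

The checks deliberately return a per-requirement breakdown rather than a single pass/fail, since the deck's point is that each medium (e-mail, IM, social messaging) will need its own version of each check; the "at no cost" and 60-day validity conditions cannot be tested from the message alone and remain a process control.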
17
Malware and Spyware Provisions
18
The prohibition
→ Implied consents cannot be relied upon. Only express consents are valid, assuming compliance with the disclosure requirements.
→ Written agreements or click-wraps will comply. Web wrap agreements will likely not comply.
19
Scope of prohibition
20
Scope of prohibition
21
Getting express consents to comply with
“malware” and “spyware” provisions
- Obtaining consent: “A person who seeks express consent must, when requesting consent, set out clearly and simply the following information: (a) the purpose or purposes for which the consent is being sought; (b) prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, prescribed information that identifies that other person; and (c) any other prescribed information.” (s.10(1))
- Withdrawal of consent: If the computer program installed meets one of the specified “malware” or “spyware” criteria in s.10(5), the person who installs the program with consent must for 1 year provide an electronic address to which a request can be sent to remove or disable the computer program if the requestor believes that the function, purpose or impact of the computer program installed under the consent was not accurately described when consent was requested; and if the consent was based on an inaccurate description of the material elements of the enumerated function or functions, must, without cost to the person who gave consent, assist that person in removing or disabling the computer program as soon as feasible. (s.11(5))
22
Disclosure requirements to comply with
“malware” and “spyware” provisions
Two levels of disclosure are required when obtaining consent.
- Minimum Disclosure: A person who seeks express consent must, when requesting consent, in addition to setting out any other prescribed information, clearly and simply describe, in general terms, the function and purpose of the computer program that is to be installed if the consent is given. (s.10(3))
- Enhanced Disclosure: If the computer program meets one of the specified “malware” or “spyware” criteria in s.10(5), “the person who seeks express consent must, when requesting consent, clearly and prominently, and separately and apart from the licence agreement, (a) describe the program’s material elements that perform the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and (b) bring those elements to the attention of the person from whom consent is being sought in the prescribed manner”.
- The enhanced disclosure standard applies where the program collects personal information; interferes with control of the computer; changes or interferes with settings, preferences or commands; obstructs, interrupts, or interferes with access to data; causes the computer to communicate with another computer without authorization, installing a bot; or something set out in the regulations, but not merely transmission data. (s.10(5) & (6))
- → How to determine the appropriate disclosure to meet the specific type of computer program?
23
Exceptions for Software Updates,
Upgrades and Patches
- Express consent and the minimum disclosure are not required for the installation of an update or upgrade so long as the installation or use of the computer program being updated was expressly consented to and the person who gave the consent is entitled to, and does receive, the update under the terms of the express consent. (s.10(7))
- → This exception does not extend to the enhanced disclosure requirement.
24
Exclusions from the consent and
disclosure requirements
- A person is considered to expressly consent to the installation of a computer program if:
  a) the program is:
    i. a cookie,
    ii. HTML code,
    iii. Java Scripts,
    iv. an operating system,
    v. any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or
    vi. any other program specified in the regulations; and
  b) the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation. (s.11(8))
- → What type of programs are referred to in para. (v)?
- → Note, there is no express waiver of the disclosure requirement, but disclosure is only required where express consent is being sought.
25
Altering Transmission Data
provisions
26
The prohibition
27
Getting express consents to comply with
“altering transmission data” provision
- Obtaining consent: “A person who seeks express consent must, when requesting consent, set out clearly and simply the following information: (a) the purpose or purposes for which the consent is being sought; (b) prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, prescribed information that identifies that other person; and (c) any other prescribed information.” (s.10(1))
28
Address and personal information
harvesting provisions
29
Address harvesting amendments to
PIPEDA – s. 82 of Bill C-28
- 7.1(2) Paragraphs 7(1)(a), (c) and (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of (a) the collection of an individual’s electronic address, if the address is collected by the use of a computer program that is designed or marketed primarily for use in generating or searching for, and collecting, electronic addresses; or (b) the use of an individual’s electronic address, if the address is collected by the use of a computer program described in paragraph (a).
- “electronic address” is defined to mean “an address used in connection with (a) an electronic mail account; (b) an instant messaging account; or (c) any similar account”.
- → Note: the prohibition on collecting electronic addresses is not tied to any SPAM-related activity.
- → The effect of this is to remove certain exceptions related to the collection and use of personal information in PIPEDA.
30
Address harvesting amendments to
PIPEDA
- PIPEDA s.7(1) An organization may collect personal information without the knowledge or consent of the individual only if:
  a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
  b) the collection is solely for journalistic, artistic or literary purposes;
  c) the information is publicly available and is specified by the regulations.
- PIPEDA s.7(2) An organization may, without the knowledge or consent of the individual, use personal information only if:
  a) in the course of its activities, the organization becomes aware of information that it has reasonable grounds to believe could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, and the information is used for the purpose of investigating that contravention;
  b) it is used for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual;
  c) it is used for statistical, or scholarly study or research, purposes that cannot be achieved without using the information, the information is used in a manner that will ensure its confidentiality, it is impracticable to obtain consent and the organization informs the Commissioner of the use before the information is used;
  (c.1) it is publicly available and is specified by the regulations.
- Exception set out in clause 4.3 of Schedule 1: consent is required for the collection, use, or disclosure of personal information, except where inappropriate.
31
Personal information harvesting
amendments to PIPEDA
- 7.1(3) Paragraphs 7(1)(a) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of (a) the collection of personal information, through any means of telecommunication, if the collection is made by accessing a computer system or causing a computer system to be accessed in contravention of an Act of Parliament; or (b) the use of personal information that is collected in a manner described in paragraph (a).
- “access” is defined to mean “to program, to execute programs on, to communicate with, to store data in, to retrieve data from, or to otherwise make use of any resources, including data or programs on a computer system or a computer network”.
- “computer program” and “computer system” are broadly defined as in the SPAM provisions.
- → The collection of personal information does not have to be SPAM-related.
- → Note, the access to a computer system must be “in contravention of an Act of Parliament”. Compare to the wording in s.7(1)(b), which applies to “a breach of an agreement or a contravention of the laws of Canada or a province.”
- → The effect of this is also to remove certain exceptions related to the collection and use of personal information.
- → Note also the removal of the exception in s.7(1)(b): “it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province”.
32
Competition Act Provisions
33
Competition Act
34
Competition Act new s. 74.011 and s.
52.01
- prohibits a representation that is false or misleading in a material respect in an electronic message
- prohibits a false or misleading representation in:
  - sender information in an electronic message
  - subject matter information in an electronic message
  - a locator
- look at general impression and literal meaning
- → only the first prohibition states “in a material respect”
- → no “to the public” concept
- → no concept of an exception for consent or existing business relationship
35
Definitions (s. 70(2))
36
Competition Act – Discussion
Examples
- Sender Information
  - VISA <security@onlineupdate.com>
- Locator
  - www.bmosecuritylink.com
- Subject Matter Information
  - Fly Ottawa to Calgary for $299 return
  - Lose 20 Pounds in 3 Weeks
  - Our best sale of the year
  - Exclusive upgrade offer from ABC Hotels
- → Aggressive e-mail subject matter language poses substantial risk to senders
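The sender-information and locator examples above share one pattern: a brand cue (a display name such as "VISA", or "bmo" inside a hostname) that does not match the domain actually used. That mismatch can be screened for mechanically before a message is sent, or when triaging inbound mail. The following is an added example, not part of the deck: BRAND_DOMAINS is an assumed, illustrative mapping from a brand name to the domains it legitimately uses (the .example domains are constructed placeholders), and the functions return a review flag rather than a determination that a representation is false or misleading. The deck's own two examples are used as inputs.

```python
"""Screen sender information and locators for brand cues that do not match
the domain actually used. Added example; BRAND_DOMAINS is an assumed,
illustrative mapping and the substring matching is a heuristic."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed brand-to-domain map (constructed placeholders, not real registrations).
BRAND_DOMAINS = {
    "visa": {"visa.example"},
    "bmo": {"bmo.example"},
    "abc hotels": {"abc-hotels.example"},
}


def _matches(host, domains):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _brand_cues(text):
    """Brand names whose letters appear in text once spaces, dots, hyphens
    and underscores are removed (so 'bmo-security' and 'bmosecurity' match)."""
    flat = "".join(ch for ch in text.lower() if ch not in " .-_")
    return [b for b in BRAND_DOMAINS if b.replace(" ", "") in flat]


def sender_mismatch(from_header):
    """Return the brand invoked by the display name or local part when the
    address domain is not one of that brand's domains, else None."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    for brand in _brand_cues(name + " " + local):
        if not _matches(domain, BRAND_DOMAINS[brand]):
            return brand
    return None


def locator_mismatch(url):
    """Return the brand suggested by the hostname when the host is not one of
    that brand's domains, else None. Bare hostnames are accepted."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    for brand in _brand_cues(host):
        if not _matches(host, BRAND_DOMAINS[brand]):
            return brand
    return None


def review(from_header, locators):
    """Collect human-readable review flags for one message."""
    flags = []
    brand = sender_mismatch(from_header)
    if brand:
        flags.append(f"sender information invokes '{brand}' but uses {parseaddr(from_header)[1]}")
    for url in locators:
        brand = locator_mismatch(url)
        if brand:
            flags.append(f"locator {url} invokes '{brand}' but is not a '{brand}' domain")
    return flags


if __name__ == "__main__":
    # The deck's two examples, plus a constructed clean case for contrast.
    for flag in review("VISA <security@onlineupdate.com>", ["www.bmosecuritylink.com"]):
        print("FLAG:", flag)
    print("clean:", review("Visa Canada <news@visa.example>", ["https://www.bmo.example/offers"]))
```

The substring match is intentionally loose (a short brand token such as "bmo" will also fire on unrelated words that happen to contain it), which is acceptable for a review queue but not for automatic blocking; the point is that the general impression a display name or hostname creates, which the deck says regulators will look at, is something a sender can test for in its own outbound mail before the message goes out.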
37
Enforcement Measures
38
Bill C-28 Enforcement
39
Enforcement Routes
40
CRTC
41
CRTC
42
Competition Act
43
PIPEDA
44
Private Right of Action (ss. 47-51)
45
Private Right of Action
CALGARY
Suite 3300, 421 7th Avenue SW
Calgary AB T2P 4K9
Tel: 403-260-3500
Fax: 403-260-3501
Toll-Free: 1-877-244-7711

QUÉBEC
Le Complexe St-Amable
1150, rue de Claire-Fontaine, 7e étage
Québec QC G1R 5G4
Tel: 418-521-3000
Fax: 418-521-3099
Toll-Free: 1-877-244-7711

TORONTO
Box 48, Suite 5300
Toronto Dominion Bank Tower
Toronto ON M5K 1E6
Tel: 416-362-1812
Fax: 416-868-0673
Toll-Free: 1-877-244-7711

UNITED KINGDOM & EUROPE
125 Old Broad Street, 26th Floor
London EC2N 1AR
UNITED KINGDOM
Tel: +44 (0)20 7489 5700
Fax: +44 (0)20 7489 5777

OTTAWA
Suite 200, 440 Laurier Avenue West
Ottawa ON K1R 7X6
Tel: 613-238-2000
Fax: 613-563-9386
Toll-Free: 1-877-244-7711
47