David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.




January 4, 2012

Anti-spam law musings

David Canton @ 9:56 am

That’s the title of my Slaw post for today.  It reads as follows:

Pending legislation always makes good fodder for lawyers to comment on in annual predictions articles. The pending anti-spam legislation has resulted in several such comments.

In my predictions article scheduled for publication next week, I comment that:

The Federal anti-spam legislation that was expected to be in force in 2011 is still waiting for regulations to be passed before coming into force. The draft regulations received a lot of criticism, and may be revised prior to the Act coming into force. The Act will be a compliance headache for many organizations, unless the regulations effectively narrow the broad definition of Spam. The Act is intended to provide tools to stop what we all understand to be spam. But the Act defines spam to include e-mails that many businesses or charities routinely send that the recipients probably would not consider to be spam.

Michael Geist predicts that in July:

Nearly one year after proposing anti-spam regulations, the government unveils modified regulations and seeks further public comment before the law takes effect. The new regulations establish a series of new exceptions to the law consistent with the demands of several marketing groups.

Barry Sookman has written a detailed analysis entitled Will it be illegal to recommend a dentist under Canada’s new anti-spam law (CASL)? in which he suggests that the legislation may indeed be that overreaching. It is worth a read to get a flavour for how complex this can get, and what the unintended consequences may be.

This legislation and its pending regulations merit a close watch this year. While its intentions are good, I believe it has the potential to waste far more time, money and effort for businesses and charities attempting to comply, than it will save by the amount of real spam it might reduce. And I’m not sure whether appropriate regulations can temper it sufficiently.

Another wrinkle is that the Supreme Court of Canada’s December decision that said the proposed Canadian Securities Act was not within the legislative authority of Parliament has some wondering if the same fate might be in store for parts of the anti-spam legislation.

September 21, 2011

Anti-spam regulations draw critical comment

David Canton @ 12:34 pm

That’s the title of my Slaw post for today.  It reads as follows.

The draft regulations under the anti-spam legislation have attracted a lot of comments, most of them negative. See this article by Lorne Salzman and Barry Sookman for a detailed summary.

In essence, the common theme is that the legislation and draft regs will be a compliance burden on business and charities, and the regulations don’t do anything to temper that.

From the article:

Unless the proposed regulations are reformulated, many worry that CASL will impede rather than facilitate e-commerce. It will hurt small and large businesses, cause significant economic harm and stifle innovation in the use of electronic messaging systems. It will hinder investment and job creation and drive new and emerging businesses to locate outside of Canada. Its red tape will be costly and inefficient to comply with.

I agree with that sentiment. The fundamental problem is the approach taken by the very lengthy and detailed legislation. Instead of focusing its effect on what most of us would call spammers, it focuses on a very broad definition of spam. That definition includes email and other electronic communication that most of us would not consider to be spam. Which means that every business and organization in Canada has to pay attention to this legislation and take efforts to comply with the detailed requirements, or face the possibility of massive fines.

There is not, for example, a volume threshold. So 1 email sent to 1 person can be considered spam.

It would have been much less invasive, for example, if it allowed an opt-out process, and made it an offense to not follow that request. If the sender is a legitimate business or organization, it would follow that request. And most people would be satisfied to know that business X was not able to contact them again.

In my view the regulations need to somehow make the law less intrusive, and less of a burden.

March 21, 2011

Anti-spam bill far reaching: The Act applies to all software installed on someone’s computer

David Canton @ 7:49 am

For the London Free Press.  March 21, 2011


The anti-spam bill — Bill C-28 — was passed in December and is expected to be in force later this year. The main goal of the Act is the prevention of spam, but it also contains anti-spyware provisions.

Canadian software creators — indeed any entity selling software to Canadians — will need to review the Act, given the significant potential fines and consequences to directors and officers if there is a violation.

The goal is to eliminate the spyware, malware, and other malicious software which has essentially gone unregulated.

You might recall the Sony copy protection rootkit scandal which occurred in 2005 where Sony music CDs automatically installed digital rights management software on users’ computers without their knowledge or consent. This software made operating systems more vulnerable to third-party attacks and could be used to collect and transmit information about computer use back to Sony. Under the act, such practices will be prohibited.

The Act applies to all software — good or bad — installed on someone’s computer. The definitions include any electronic instructions that execute to perform a function on any device capable of executing them.

That is extremely broad. It will include software installed on things such as smart phones, tablets, e-book readers and – since almost everything includes some kind of computing power these days — even things such as PVRs and cars.

The Act prohibits the installation of computer programs and the transmission of electronic messages from a computer program unless the creator of the software has the express consent of the owner or authorized user of the computer system.

Express consent may only be obtained if there is a notice to the user that contains prescribed information about the software and clearly and simply describes the function and purpose of the program or program update to be installed.

In addition, if a program performs certain undesirable functions then more prominent and explicit disclosure is required. The Act contains a list of undesirable functions often found in spyware, malware, and other types of malicious software, including:

Collecting personal information stored on the computer;

Interfering with the authorized user’s control of the computer; 

Unknowingly changing or interfering with data; 

Unknowingly changing or interfering with settings, preferences or commands;

Causing the computer system to communicate with another computer system; and  

Installing a program that may be activated by a third party without the user’s knowledge.

If software contains one of these functions, the program distributor must clearly and prominently bring to the attention of the user the reasonably foreseeable impacts of these functions.

Software vendors will have to consider how their software works, how the Act might come into play, and what permissions are required. They may need to amend their end user license agreements (EULAs) to comply. Some circumstances will require specific permission with full disclosure before the change can be made, regardless of the contents of a EULA.

Software vendors may want to consider whether changing from a traditional installed software model to a hosted SAAS or cloud model will avoid some of these issues.

March 7, 2011

Anti-spam move totes defences: Unfortunately it’s so broadly defined it will affect how many organizations conduct business

David Canton @ 9:43 am

For the London Free Press – March 7, 2011


The anti-spam bill — Bill C-28 — was recently passed, and will be in force this year. It gives new tools to fight spam, but unfortunately defines spam so broadly that it will affect how most organizations conduct business.

Businesses can’t just ignore the legislation. Remedies include fines of up to $1 million for individuals, $10 million for others, and private rights of action. Directors and officers can be liable if they authorized or acquiesced in the offence. Employers are liable for the actions of their employees acting within the scope of their authority.

The Act applies to the sending of commercial electronic messages that many of us would not consider spam. An e-mail to just one person you met at an event who you consider a potential customer may be considered spam.

The legislation starts with a broad definition of “commercial electronic message,” and says you cannot send such a message unless it fits within a specific exemption. It will be important to figure out the boundaries of “commercial activity.”

“Electronic message” is broadly defined to include a message sent via e-mail, instant message, phone, or “any similar account.” This encompasses forms of social media, depending on how the message is directed.

In some circumstances you can send the message, but must include accurate information about the sender, and a way to opt out of future messages.

Messages will not be considered spam if the recipient has consented to receiving the message. But it is up to the sender to show the recipient has consented if there is a complaint.

The Act has extensive provisions defining what amounts to explicit or implicit consent. It includes things we might expect, such as on-going business, personal or family relationships. There is also an exemption for “existing non-business relationships” which include donations, volunteer work, or memberships that have occurred within the last two years. Charities will need to review these provisions carefully, as they will affect how they approach prospective patrons, donors and volunteers. Also exempted are messages to those who publish their address or have provided you with their address — so long as the message is relevant. That means since my e-mail address is published on my firm’s website and other places, you may be able to e-mail me with anything relevant to the practice of law — but you won’t be able to e-mail me trying to sell me a trip. If I hand you my business card, the same applies.

So while the intention of the Act is to control what we all understand as spam, it has the potential to affect many things we may not consider spam. Similar to privacy legislation, this Act will no doubt lead to situations where we will consider it spam if we receive it, but not consider the same thing spam if we send it. Until we see drafted regulations, we aren’t sure what a typical organization must do to comply with the legislation. We will need to sort that out over the next few months.

January 26, 2011

More on the Anti-Spam Act

David Canton @ 1:25 pm

That’s the title of my Slaw post for today.  It reads as follows.

I just finished listening to another IT-Can teleconference on the anti-spam act, this one presented by Barry Sookman and Lorne Salzman of McCarthy Tetrault.  For those wanting more detail, slides will be posted soon on the IT-Can website, the McCarthy Tetrault website, and Barry’s blog.

It reinforced my earlier concerns that this legislation is going to affect almost every business or organization.  Many of its provisions strike me as a sledgehammer to kill a fly approach.  Some of the highlights from the teleseminar are as follows:

Why be concerned?

There are large penalties for violations.  They include extensive awards for private actions, including class actions.

There is broad vicarious liability – which extends to mere acquiescence, including officer and director liability.

It will be important to have policies and processes to mitigate, and to look at D&O insurance to see if it is covered.

The act applies where there is any connection to Canada – even just routing through Canada or accessing from Canada brings conduct under the act.

The act is a significant departure from other spam legislation in other countries, so foreign entities can’t rely on processes they have developed to comply with other spam legislation.

Various definitions, eg “electronic message”, are open ended non-exclusive lists.

It is thus crucial to think about various forms of electronic messaging, such as social networking, text messaging, etc.  Different solutions may be required for different platforms.

Where consent is required or obtained  – need to express both the purpose and yet to be prescribed information.  But sending a message to get consent is itself considered spam.

Consents obtained for PIPEDA may not be good enough for this.  “Implied” means something different here than in PIPEDA.

The spyware sections deal with any software – good or bad – installed on someone’s computer.  Applies to computer programs and computer systems as defined in Criminal Code – which is very broad.  Would include smartphones, e-book readers, cars, etc.

There is a minimum disclosure required for normal programs.  If it crosses the spyware threshold – more prominent and explicit disclosure is required.  There is an exception for non-harmful things that would automatically load – like Javascript.

The e-mail collection (harvesting) sections alter PIPEDA.  These sections are not tied to spam related activity.  Need to look at to what extent email addresses are collected for any reason.  Damages are attached  to this – which is not otherwise the case in PIPEDA.

It amends Competition Act to add specific provisions for electronic communications to deceptive marketing practices regime that already exists. 

Adds 4 new deceptive marketing practices:

  1. if make false or misleading misrepresentation in electronic message in a material respect
  2. if make false or misleading  misrepresentation in sender portion
  3. if include false or misleading information in subject area
  4. if there is false or misleading  misrepresentation in locator (eg url).

It is noteworthy that only # 1 says “in a material respect”.  Also that there is no notion of these needing to go to the public – so numbers sent and the type of recipient doesn’t matter.  There is no notion of consent or pre-existing relationship here.

Consider e.g. an email that says “fly from X to Y for $200”, with a body that goes on to set limits on time, taxes, extras, etc.  Is that a contravention?  Or “lose 20 pounds in 4 weeks” –  or “our best sale of the year”.

CRTC will deal with spam and spyware aspects of the Act.  It will designate enforcement officers (aka “spam police”).  They have broad powers to investigate and enforce.

Undertakings  (a negotiated settlement) may be common.

Due diligence defenses are available – but unclear what would be required to meet that.

The penalties are “per violation”.  Not clear what a violation is – eg. If send the same email more than once, are they separate violations?

The Act includes language that could replace the do not call phone regime with this.  The feeling is that this is there in case this is desired in the future, but that there are no current plans to do that.

Private right of action can apply to any misconduct under the Act, including the amended provisions in PIPEDA or the Competition Act.  Remedies include compensation for loss and expenses, “private fines” (statutory damages) really as a bonus for pursuing the action.  Up to $1,000,000 per day, or $1,000,000 per event for some things.

January 19, 2011

CRTC role in the new anti-spam act

David Canton @ 1:10 pm

That’s the title of my Slaw post for today.  It reads as follows.

I just listened to a teleseminar by the Canadian IT-Law Association on the Anti-spam act, primarily discussing the CRTC’s role.  Here are a few points that were raised.

The act is expected to come into force in September.  Regulations may be published for comment as early as late February or March.

The regulations will be crucial.  It will be important to look at them during draft stage and comment where necessary.

There will be an overlap in jurisdiction between the CRTC, Privacy Commissioner, and Competition Bureau, though CRTC is primary.

The CRTC role as enforcer is fairly new.  The do not call list was its first real enforcement mandate, as opposed to a supervisory and licensing role.

CRTC has power to issue preservation demands to telecommunication service providers, to issue production orders, and warrants for entry and inspection.

Penalties are AMPs, or Administrative Monetary Penalties.  They can be imposed by the CRTC without going to court.  The Act says they are not intended to punish, but to deter.  AMPs have in the past been described as unconstitutional.

CRTC can apply to court for an injunction, can issue a restraining order, and can enter into undertakings (i.e. a form of settlement).  Are also some offences under act, e.g. if fail to comply with an order.

A private right of action is included in the Act.  For actual damages – or for statutory damages.  Class actions are possible.

Once an undertaking is entered into, it restricts all other actions, including the private right of action.  (It will be interesting to see if a defendant in a class action would immediately go to the CRTC and try to enter into an undertaking.)

The CRTC will have a significant budget for enforcement.

January 12, 2011

Anti-spam Act – bill C-28 – how it might affect you

David Canton @ 9:47 am

That’s the title of my Slaw post for today.  It reads as follows:

The anti-spam bill – Bill C-28 – was recently passed, and is expected to be in force sometime later this year.

If you think it won’t affect you because you don’t send mass emails trying to sell random products, and don’t infest other people’s computers with spyware, you would be wrong.

It applies to the sending of commercial electronic messages that many of us would not consider to be spam.  An email to just one person that you consider a potential customer or client who you met at an event may fall into the prohibitions.  And it applies to other forms of electronic communications, such as instant messages, and various kinds of social media.

It can also apply to software updates in certain circumstances.

So while the intention is to control what we all understand as spam and spyware, it has the potential to affect many things that we may not intuitively consider spam or spyware.  Similar to privacy legislation, this Act will no doubt lead to situations where our first reaction is to label it spam or spyware if we receive it, but not consider the same thing spam or spyware if we send it.

There are details that will be covered in yet to be drafted regulations.  Personally, I would like to see some kind of volume threshold where it is deemed not to be spam if it’s a targeted message sent to a small number of individuals.

Until we see the regulations, it is going to be hard to give specific advice to a typical business or organization as to what they must do to comply.  Many things that could potentially affect a typical business fit threshold situations that might result in a different answer depending on the regulations.  The penalties are significant, so it’s not legislation to be taken lightly.  Remedies include fines of up to $1,000,000 for individuals, $10,000,000 for others, and private rights of action.

Some things are “reviewable conduct”, meaning that it is subject to the investigatory and order making powers of the Privacy or Competition Commissioners.

The act is long and complex, and includes amendments to four existing acts – the CRTC Act, Competition Act, PIPEDA, and Telecommunications Act.

Directors and officers can be personally liable if they authorized or acquiesced in the offence.  Employers are vicariously liable for the actions of their employees acting within the scope of their authority.

While we await the regulations, here are some things to ponder for those who don’t consider themselves spammers.

The act starts with a broad definition of “commercial electronic message”, and says that you can’t send them unless it fits within a specific exemption.  One of the keys will be to figure out what the boundaries are of “commercial activity”.

“Electronic message” is broadly defined to include a message to email, instant message, phone, or “any similar account”.  That could include things like a twitter direct message – but I would think not a general tweet to people who choose to follow you.

In some circumstances you can send the message, but must include accurate information about the sender, and a way to opt out of future messages.

It is not spam if the recipient consented to receive the message.  The Act has extensive provisions defining what amounts to explicit or implicit consent.  It includes things we might expect, such as an ongoing business, personal or family relationship – some of which have two year windows.  Also exempted are messages to those who publish their address or have provided you with their address – so long as the message is relevant.  I suspect that means that since my email address is published on our firm web site and other places, you will be able to email me with anything relevant to the practice of law – but you won’t be able to email me trying to sell me a trip.

Or if I hand you my business card, the same applies.

It is up to the sender to show that they have consent if there is a complaint.  So will we need to track that to be safe, i.e. somehow track that you got my address from our web site, or the card I handed you?

Directors’ and officers’ personal liability will be tempered if they can show diligence.  Since almost everyone in an organization routinely sends email, tweets, etc., organizations may want to set up policies and training programs to educate employees and reduce potential corporate, director and officer liability.

Exemptions for an “existing non-business relationship” include donations, volunteer work, or memberships – with a two year window.  Charities will need to review these provisions carefully, as they will affect how they approach prospective donors and volunteers.

One example to think about is a press release.  Those sending a press release will need to think about the purpose of the release, and who is on the email list.  Is it being sent beyond traditional news services?  Does the fact that a recipient has published their email address on their firm’s website mean that they can or cannot get the release depending on the content of the release?  Does the fact, for example, that my email address is listed on my newspaper column mean I can be sent emails that could not be sent if my address was only on our firm web site?  Does it make a difference that I may be listed somewhere on a list of journalists because I write a newspaper column?  Are bloggers considered the same as journalists?  Does it make a difference if my address is disclosed on various social media platforms, such as Facebook, LinkedIn, Twitter, or .tel?  

Am I restricted from sending personalized individual emails to a handful of influential people active on social media who I hope will spread whatever message I want to get out?  Am I going to have to analyse each recipient to see how close or distant a connection they have under the exemptions, or how their email address has been published?

Will the answer be different if I send it to them as direct message on twitter, rather than by email?

How will senders possibly track all this, or find the time to do so?

Those creating and selling software will need to consider how this affects them.  The Act adopts the broad definitions of “computer program” and “computer system” from the Criminal Code.  It thus applies to any electronic instructions that execute to perform a function, on any device capable of executing them.  That would include phones and tablets.  And since almost everything includes some kind of computing power these days – might some of these provisions affect things such as PVRs or cars?

The Act has provisions that affect software that collects personal information.  Certain functions will require specific permission, such as anything that changes or interferes with settings, interferes with a user’s control, or causes it to communicate with another computer.  Consider, for example, how that might apply to software that is licensed for a specific term that automatically stops working at the end, or allows the vendor to cripple it for non-payment.

Software vendors may have to amend their EULAs to comply.  And some circumstances will require specific permission with full disclosure before the change can be made, regardless of the contents of a EULA.  So software vendors will have to think through how their software works, how the Act might come into play, and what permissions are required.

Another thought for software vendors is whether changing from a traditional installed software model to a hosted SAAS or cloud model will avoid some of these issues.

Stay tuned for more as the regulations are drafted and we come to grips with the ramifications.  There will no doubt be a lot written about this over the next few months, as well as educational opportunities.

December 13, 2010

From spam to copyright, lots of new laws on the way

David Canton @ 8:13 am

For the London Free Press – December 13, 2010


Proposed legislation could have major implications for businesses, consumers

Development and innovation of technology inevitably breeds new laws to regulate that technology. For lawyers practising Information Technology law, there is a considerable amount of potential new law to digest.

For example, Bill C-28, the Fighting Internet and Wireless Spam Act, brings in several anti-spam measures. While this is welcome by most people, the language may take in things we may not consider to be spam and affect how typical businesses communicate. Since the penalties are significant, we need to take a close look at this act before it takes effect to understand what it will mean for a typical business or organization.

Bill C-29 would make several changes to the Personal Information Protection and Electronic Documents Act. Most of these were expected – and welcome – because they address issues arising from the current law.

But there are new parts that could use clarification. Language that tries to clarify what constitutes “lawful authority” to release information to law enforcement when requested doesn’t make clear what proof or threshold of proof is required. It also contains language requiring that the privacy commissioner and affected individuals be notified of breaches in some circumstances. The language has threshold tests, which on the surface are not as clear as they might be. If this language stays, it may take a decision by the privacy commissioner and/or a court to clarify the threshold.

Bill C-32, the Copyright Modernization Act, is the latest of several attempts to amend the Copyright Act. Controversial elements include digital lock provisions that would let publishers trump user rights. Much has been written about this, including a book entitled From Radical Extremism to Balanced Copyright: Canadian Copyright and the Digital Agenda, written by several copyright experts.

Bill C-51, which would amend the Criminal Code, Competition Act and Mutual Legal Assistance in Criminal Matters Act a.k.a. Investigative Powers for the 21st Century Act, is the latest effort to give law enforcement more access to electronic communications.

But what proponents call “lawful access” bills, critics deride as “awful access” bills. They question whether making things easier for law enforcement is worth the significant erosion in privacy and extra costs to Internet service providers.

These bills may have far-reaching practical implications, not only for many businesses and organizations, but also for consumers.

October 21, 2010

Symantec Halloween spam warnings

David Canton @ 8:48 am

Take a look at this post entitled Don’t Let Halloween Haunt You for examples of spam messages to avoid in case they get through your filters.

As I’ve said before, be skeptical about communications that carry either really good news, really bad news, or that require some immediate action to avoid a dire consequence.

May 26, 2010

FISA – new anti-spam bill introduced

David Canton @ 9:14 am

That’s the title of my Slaw post for today.  It reads as follows.

The Canadian government introduced two important new bills yesterday. Bill C-29 amends PIPEDA – I’ll leave commentary on that to David Fraser.

Bill C-28 is the “Fighting Internet and Wireless Spam Act” or FISA.  It is essentially the same as the “Electronic Commerce Protection Act” that was proposed previously. Here is Industry Canada’s news release, and the bill itself.

It targets the sending of what we would typically call spam, or unwanted commercial email, as well as spyware and phishing.

From the news release:

The proposed FISA is intended to deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help drive spammers out of Canada.

The proposed FISA legislation provides a comprehensive regulatory regime that uses economic disincentives to protect electronic commerce and is modelled on international best practices. To enforce the legislation, the bill would use the expertise, and expand the mandates, of the three enforcement agencies: the Canadian Radio-television and Telecommunications Commission, Competition Bureau Canada and the Office of the Privacy Commissioner of Canada.

Industry Canada will act as a national coordinating body to increase consumer and business awareness and education, to further coordinate work with the private sector and to conduct research and intelligence gathering.

The bill is quite long and detailed. Monetary penalties are significant ($1 million for individuals, $10 million for businesses). A private right of action will allow anyone to take civil action against violators.

The bill essentially defines spam as a commercial message sent via email, IM, phone, or similar method. Sending spam is prohibited unless the recipient has consented, and the message contains certain prescribed information identifying the sender and how to unsubscribe.

That definition is extremely broad, and would capture things no one would consider spam  – so it goes on to describe several exceptions, such as providing requested information, or warranty or product recall information, or where there is a specifically defined “existing business relationship”.

One thing I find interesting is that the volume of the messages does not seem to be important. In other words, 1 email or text message to 1 recipient can be considered spam.

One of the exceptions is a message “that is sent by or on behalf of an individual to another individual with whom they have a personal or family relationship, as defined in the regulations.”

The bill clearly applies to what we all call spam. Hopefully it will be an effective tool to help reduce spam that comes from Canada.

We can’t, though, simply think that the bill only applies to spammers, and that we don’t have to pay attention to it.

We will have to consider carefully how it applies to what we as lawyers and our clients do that will be caught by this. To some extent, the regulations will be important. For example, will a “personal relationship” include a situation where I meet someone at a social or networking event or meeting who might be a potential client, and then follow up later with an email to that person?

When the bill gets passed (from what I’ve seen there is a good chance it will be), and the regulations get drafted, we will have to take some time to figure out in more detail how this affects things that well intentioned businesses (and lawyers) do that they don’t consider to be spam.
