Canada’s Anti-Spam Law (CASL): Apps, Software, and other Computer Programs
Margot Patterson
Jawaid Panjwani
December 2014
Dentons Canada LLP
Canada’s Anti-Spam Law (CASL)
• CASL was enacted in December 2010
• CASL is intended to promote e-commerce by deterring spam, identity
theft, phishing, spyware, viruses, botnets, and misleading commercial
representations online
• CASL creates new offences, enforcement mechanisms and
penalties
• The “commercial electronic message” (email, text) requirements entered
into force on July 1, 2014
• The “computer program installation” provisions enter into force on
January 15, 2015
Canada’s Anti-Spam Law (CASL) – Overview
• Scope: Who, Where, What
• Exclusions
• Updates and Upgrades
• Obtaining Consent
• Enforcement
• Next Steps: Transition Period, Compliance Program
Scope: Who
• A person who installs or causes to be installed a computer program on
any other person’s computer system or, having so installed or caused to
be installed a computer program, causes an electronic message to be
sent from that computer system.
• The person who installs the program or causes it to be installed may be:
Software Developer / Software Vendor
Scope: Who
Software Developer / Software Vendor
Either or both could be liable.
Was their action:
• a necessary cause leading to the installation?
• reasonably proximate to the installation?
• sufficiently important toward the end result of causing the installation?
[CRTC Staff policy interpretation, November 2014]
Scope: Who
Also…
Potential vicarious liability. CASL expressly includes:
• directors, officers, agents or mandataries of a corporation
• employers of employees acting within the scope of employment
Therefore consider:
• necessary training, policies (see CRTC Guidelines to help businesses
develop corporate compliance programs); and
• the “due diligence defence” available under CASL
[Compliance and Enforcement Information Bulletin CRTC 2014-326]
Scope: Where
Activities outside Canada may be caught
Computer system receiving the program in Canada
OR
Installer is in Canada
OR
Installer is operating under direction of person in Canada
[CASL section 8(2)]
CASL Section 8
Scope: What
The “computer program” provision
CASL Section 8
8. (1) A person must not, in the course of a commercial activity,
install or cause to be installed a computer program on any
other person’s computer system or, having so installed or caused
to be installed a computer program, cause an electronic message
to be sent from that computer system, unless
• (a) the person has obtained the express consent of the owner
or an authorized user of the computer system and complies
with subsection 11(5); or
• (b) the person is acting in accordance with a court order.
CASL Section 8 – Commercial Activity
8. (1) A person must not, in the course of a commercial activity, install or cause to
be installed a computer program on any other person’s computer system or, having
so installed or caused to be installed a computer program, cause an electronic
message to be sent from that computer system, unless […]
“commercial activity” means any particular transaction, act or conduct or
any regular course of conduct that is of a commercial character, whether or
not the person who carries it out does so in the expectation of profit, other
than any transaction, act or conduct that is carried out for the purposes of
law enforcement, public safety, the protection of Canada, the conduct of
international affairs or the defence of Canada.
[CASL section 1(1)]
CASL Section 8 – Computer Program / System
8. (1) A person must not, in the course of a commercial activity, install or cause to
be installed a computer program on any other person’s computer system or,
having so installed or caused to be installed a computer program, cause an
electronic message to be sent from that computer system, unless […]
• “computer program” means data representing instructions or
statements that, when executed in a computer system, causes the
computer system to perform a function;
• “computer system” means a device that, or a group of interconnected
or related devices one or more of which, (a) contains computer programs
or other data, and (b) pursuant to computer programs, (i) performs logic
and control, and (ii) may perform any other function
[subsection 342.1(2) of the Criminal Code]
CASL Section 8 – Install or Cause to be Installed
8. (1) A person must not, in the course of a commercial activity, install or cause to
be installed a computer program on any other person’s computer system or,
having so installed or caused to be installed a computer program, cause an
electronic message to be sent from that computer system, unless […]
“install or cause to be installed” is not defined
(However, the CRTC has taken the position that concealed or undisclosed
secondary software is an example of “cause to be installed”. See slide 17)
CASL Section 8 – Owner or Authorized User
A person must not install …unless the person has obtained the express consent
of the owner or an authorized user of the computer system.
An owner or authorized user includes anyone that has permission to use
a particular device or computer system. For example:
Owner | Authorized User
Employer | Employee
Device/computer owner | Child, spouse or other relative for their sole use
Lessor | Lessee
Owner | Repair company / employee doing repair requested by owner
[CRTC: CASL Requirements for Installing Computer Programs]
CASL Section 8 – Self-Installed Programs
8. (1) A person must not, in the course of a commercial activity, install or cause to
be installed a computer program on any other person’s computer system or,
having so installed or caused to be installed a computer program, cause an
electronic message to be sent from that computer system, unless […]
• The CRTC has taken the position that CASL does not apply where
owners or authorized users install software on their own computer
devices or systems
[Source: CASL Requirements for Installing Computer Programs]
CASL Section 8 – Self-Installed Programs
Examples – when you own the system / device
CASL does not apply where you yourself:
• Buy an app from an app store and download it on your own device
• Buy software on a CD and install it on your computer
• Download software from a website and install it on your device
• Install an update on a previously installed app
CASL does not apply where:
• A business installs software on business devices used by its employees
[Source: CASL Requirements for Installing Computer Programs]
CASL Section 8 – Self-Installed Programs
Example – firmware
CASL does not apply where:
• The manufacturer “self-installs” software on the system or device during
the manufacturing process
Note:
• If you will be installing updates or upgrades to that firmware, you will still
need express consent for those.
[Based on CRTC Staff policy interpretation November 2014]
CASL Section 8 – Undisclosed Programs
However:
• The CRTC has taken the position that concealed or undisclosed
secondary software is not “self-installed”. Instead, you “caused that
software to be installed”. CASL applies to that software.
[Source: CASL Requirements for Installing Computer Programs]
CASL does not apply to self-installation | CASL DOES apply to software that a person has “caused to be installed”
Free game app | …with concealed malware
CD | …with concealed software that executes when CD is inserted into device
Software | …that later installs update “in the background” without prompting or informing user
CASL Section 8 – Electronic Message
8. (1) A person must not, in the course of a commercial activity, install or cause to
be installed a computer program on any other person’s computer system or, having
so installed or caused to be installed a computer program, cause an electronic
message to be sent from that computer system, unless […]
“electronic message” means a message sent by any means of
telecommunication, including a text, sound, voice or image message.
[CASL section 1(1)]
CASL Section 10
Exclusions
CASL Section 10 – Excluded Computer Programs
Where the person’s conduct is such that it is reasonable to believe that
they consent to the program’s installation, you can install the following
programs without seeking consent:
• Cookies
• HTML
• JavaScript
• Operating system
• Program that is executable through another program that the user
previously expressly consented to
[CASL section 10(8)(a) and (b)]
[CASL Requirements for Installing Computer Programs]
CASL Section 10 – Excluded Computer Programs
…and also:
Where the user’s conduct is such that it is reasonable to believe that they
consent to the program’s installation,
• software can be installed solely to correct a failure (e.g. bug) in a
computer system; and
• a TSP* can install software without consent to protect network security
from a current and identifiable threat, or to update or upgrade the network.
*telecommunications service provider: business or person who, independently or as part
of a group or association, provides “telecommunications services”. TSP may either own or
lease its equipment or software. [CASL section 1(1)]
[CASL section 10(8)(a) and (b); Electronic Commerce Protection Regulations, s. 6]
[CASL Requirements for Installing Computer Programs]
CASL Section 10 – Excluded Computer Programs: Cookies
Cookies
• For CASL purposes, cookies are non-executable computer programs that
cannot carry viruses or install malware.
• A person is considered to consent to the installation of a cookie if the
person's conduct is such that it is reasonable to believe that they
consent.
[CASL section 10(8)(a)(i) and (b)]
[CASL Requirements for Installing Computer Programs]
CASL Section 10 – Excluded Programs: Operating System
Operating System
• For CASL purposes, operating systems are “a type of computer program
that have special access to the hardware of a computer system, and act
as a platform to allow other computer programs to make use of the
hardware”.
• Examples: “Microsoft Windows, Mac OS/iOS, Linux, Android, Unix and
Blackberry OS, among others.”
• A person is considered to consent to the installation of an OS if the
person's conduct is such that it is reasonable to believe that they
consent.
[CASL section 10(8)(a)(iv) and (b)]
[Source: CASL Requirements for Installing Computer Programs]
CASL Section 10
Updates and Upgrades
CASL Section 10 – Updates / Upgrades
Updates and Upgrades:
• change or replace previously installed software;
• usually with newer or better version, new features;
• to bring the computer system up to date or improve it.
Examples: “changing the version of an operating system, an office suite,
an anti-virus program, or various other tools”
[Source: CASL Requirements for Installing Computer Programs]
CASL Section 67 – Updates / Upgrades: Transition
If a computer program was installed on a person’s computer system
before January 15, 2015 you have implied consent to install updates or
upgrades to the program until:
• the user withdraws consent, or
• January 15, 2018
…whichever comes first.
[CASL section 67]
CASL Section 10 – Updates / Upgrades
Scenario: You install the software before January 15, 2015
User’s consent to the update or upgrade is implied until January 15,
2018, or until the user withdraws consent to receive future updates/upgrades.
Scenario: You install the software January 15, 2015 or later
Get express consent to install the software, and for any updates and
upgrades to it.
Scenario: You want to install an update or upgrade, the software was
installed January 15, 2015 or later, and you did not obtain express
consent to install updates or upgrades
Get express consent to install the update or upgrade.
CASL Section 10 – Updates / Upgrades
Scenario: User self-installs the update or upgrade
No consent required.
Scenario: New program is executable through another program that the
user previously expressly consented to, and user’s conduct is such that it
is reasonable to believe that user consents to the program’s installation.
No consent required.
[CASL section 10(8)(a)(v)]
CASL Section 10
Obtaining Consent
CASL Section 10 – Basic Consent
Image source: Compliance and Enforcement Information Bulletin CRTC 2012-548
Requirement
• The reason you are seeking consent
• Who is seeking consent (e.g., name of the company; or if consent is sought on behalf of another person, that person's name)
• If consent is sought on behalf of another person, a statement indicating which person is seeking consent and the person on whose behalf consent is being sought
• The mailing address and one other piece of contact information (phone number, email address, or URL)
• A statement indicating that the person whose consent is sought can withdraw their consent
• A description in general terms of the functions and purpose of the computer program to be installed
CASL Section 10 – Enhanced Consent
If the program has an “intrusive” function (see below), contrary to the
user’s reasonable expectations:
• collects personal information
• interferes with user control of the system
• changes or interferes with:
• settings / preferences / commands without user knowledge
• data in a manner that obstructs / interrupts / interferes with user access
• causes the system to communicate with another system or device, without
user consent
• installs a program that can be activated by a third party without user
knowledge
…you will need enhanced consent
CASL Section 10 – Enhanced Consent
If the program has an “intrusive” function, that is contrary to the user’s
reasonable expectations, you will need enhanced consent.
In addition to obtaining Basic Consent, you must also, clearly and prominently,
and separate and apart from the license agreement:
• Describe to the user what the program does in relation to the “intrusive”
functions and why it does it.
• Describe to the user the impact of those functions on the operation of the
computer system.
CASL Section 11 – Removing a Program
If the program performs an “intrusive” function and the user believes
that when you installed it, you did not accurately describe that function, or
its impact:
For a period of 1 year after installation:
• The owner or authorized user can ask you to assist in disabling or
removing the program. You must do this “as soon as feasible”, at no cost.
• You must provide the person who consented to the installation with an
electronic address where they can send their request.
[CASL section 11(5)]
Enforcement
Enforcement – CRTC
Canadian Radio-television and Telecommunications Commission (CRTC):
primary enforcement agency
Has authority to impose administrative monetary penalties (AMPs)
Maximum penalty is $10 million for an organization, per violation
Relevant factors include purpose of penalty, nature & scope of violation,
history, financial benefit, ability to pay
Enforcement tools include:
• Preservation Demands
• Notices to Produce
• Search Warrants
• Compliance Undertakings with CRTC
See: http://www.crtc.gc.ca/eng/casl-lcap.htm
Enforcement – Liability, Due Diligence
• Onus is on you to show consent to install, not on the complainant
• Directors and officers’ liability / Employers’ liability
• Importance of “due diligence”:
• No liability where due diligence taken to prevent the violation
See: Compliance and Enforcement Information Bulletin CRTC 2014-326
Enforcement – Private Right of Action
• Private Right of Action (in effect July 1, 2017)
• For individual or organization affected by a contravention: can obtain court
order for compensation
• Acts or omissions
• Remedies include compensation for loss or damage suffered or expenses
incurred, and a maximum penalty of $1 million per day
• for contravening the software provisions (CASL section 8); or
• for aiding, inducing, procuring a violation
• Class Actions?
[CASL sections 47, 51]
Next Steps: Transition Period, Compliance Program
Next Steps – Transition Period
Three-Year Transition Period
• Until January 15, 2018:
• Implied consent for updates and upgrades to software installed before
January 15, 2015
• In all cases, recipient can still withdraw consent at any time
• You must obtain CASL-compliant express consent during the three-year
transition period, to continue to install updates and upgrades after
January 15, 2018
[CASL section 67]
Next Steps – Audit and Checklist
CASL Audit
• Conduct an audit of online communications with clients, prospects,
and third parties, including:
• processes for installation of software updates/upgrades
CASL Checklist
• Review against CASL requirements:
• available exceptions
• disclosure, consent
See: Compliance and Enforcement Information Bulletin CRTC 2014-326
Next Steps – Review and Update
Review and update:
• Update forms and procedures that document consent
• Update existing customer service processes
• Include information/training for employees, management, Board of
Directors
• Address third-party contract requirements (limitation of liability,
representations & warranties)
• Consider insurance (traditional policies may not cover)
See: Compliance and Enforcement Information Bulletin CRTC 2014-326
Next Steps: Compliance Program
CRTC Information Bulletin “to provide general guidance and best practices
for businesses on the development of corporate compliance programs”:
Components of a corporate compliance program:
• Senior management involvement
• Risk assessment
• Written corporate compliance policy
• Record keeping
• Training program
• Auditing and monitoring
• Complaint-handling system
• Corrective (disciplinary) action
See: Compliance and Enforcement Information Bulletin CRTC 2014-326
More Information
More Information on CASL:
http://www.dentons.com/en/issues-and-opportunities/anti-spam-legislation.aspx
Questions?
Margot Patterson: (613) 783-9693
Jawaid Panjwani: (613) 783-9632
The preceding presentation contains
examples of the kinds of issues companies
dealing with Canada’s Anti-Spam Law
(CASL) could face.
If you are faced with one of these issues,
please retain professional assistance as
each situation is unique.