71
McCarthy Tétrault Advance™ Building Capabilities for Growth McCarthy Tétrault LLP / mccarthy.ca 12921930 Montreal Bar (Committee of In- House Counsel of the Montreal Bar) Canada’s Anti-spam Law – An FAQ Barry B. Sookman Direct Line: (416) 601-7949 E-Mail: [email protected] November 7, 2013

Sookman montreal bar_casl_talk

Embed Size (px)

DESCRIPTION

Canada's anti-spam law an FAQ

Citation preview

Page 1: Sookman montreal bar_casl_talk

McCarthy Tétrault Advance™Building Capabilities for Growth

McCarthy Tétrault LLP / mccarthy.ca 12921930

Montreal Bar (Committee of In-House Counsel of the Montreal Bar)

Canada’s Anti-spam Law – An FAQ

Barry B. SookmanDirect Line: (416) 601-7949E-Mail: [email protected] November 7, 2013

Page 2: Sookman montreal bar_casl_talk

PART 1: ANTI-SPAM

McCarthy Tétrault LLP / mccarthy.ca 12921930 2

Page 3: Sookman montreal bar_casl_talk

Question:

Do businesses support CASL in its current form?

McCarthy Tétrault LLP / mccarthy.ca 12921930 3

Page 4: Sookman montreal bar_casl_talk

Coalition of Business and Technology Associations submission to Industry Canada:¬“We have now been working with CASL for over two years and have a better appreciation of the compliance challenges and the potential for unintended consequences resulting from CASL‟s regulatory approach much more than we did when CASL was passed by Parliament. The inclusion in CASL of both open ended prohibitions and prescriptive requirements makes it very difficult to anticipate all of the impacts that CASL will have. We are now more concerned than ever that CASL will actually result in more harm than benefit to the Canadian economy and to digital commerce. We are also concerned that the harm will be exacerbated by the potential for litigation under the private rights of action.”

What do businesses think about CASL?

McCarthy Tétrault LLP / mccarthy.ca 12847414McCarthy Tétrault LLP / mccarthy.ca 12921930 4

Page 5: Sookman montreal bar_casl_talk

What do businesses think about CASL?

What does the Canadian Chamber of Commerce think about CASL:

¬ “Without significant modifications to the regulations, this legislation will impede commercial speech, an essential ingredient of market competitiveness. Canadian companies will be at a distinct disadvantage when communicating outside our borders in countries that do not have the same stringent requirements, since the legislation and compliance costs will apply to Canadian companies even when operating outside our borders but will not apply to companies operating in the country where the message is received.”

McCarthy Tétrault LLP / mccarthy.ca 12921930 5

Page 6: Sookman montreal bar_casl_talk

Question:Do charities support CASL in its current form?

McCarthy Tétrault LLP / mccarthy.ca 12921930 6

Page 7: Sookman montreal bar_casl_talk

Imagine Canada submission to Industry Canada:“Legislation and regulations aimed at controlling spam in Canada should not be so overly broad in scope that they impede and make more costly the electronic communications of registered charities, including universities, for purposes such as fundraising.”

What do charities think about CASL?

McCarthy Tétrault LLP / mccarthy.ca 12921930 7

Page 8: Sookman montreal bar_casl_talk

Question:Do not-for profits support CASL in its current form?

McCarthy Tétrault LLP / mccarthy.ca 12921930 8

Page 9: Sookman montreal bar_casl_talk

Ontario Nonprofit Network submission to Industry Canada:

“Small and mid-size charitable and nonprofit organizations cannot comply with CASL and its regulations and undertake their day-to-day work. There is a fundamental conflict that will either impede their work in communities or, as noncompliant, leave them vulnerable to potentially prohibitive fines and private actions.

The legislation and regulation will place undue financial and administrative burden on those nonprofit organizations which attempt to comply.

The prohibitive costs and risks associated with requiring that charities and nonprofit organizations manage and maintain express and implied consent records across their complex databases and ever-changing community connections and relationships is not justified given their negligible participation in the generation of spam.”

What do not-for profits think about CASL?

McCarthy Tétrault LLP / mccarthy.ca 12921930 9

Page 10: Sookman montreal bar_casl_talk

Question:

Are the anti-spam prohibitions based on international standards?

McCarthy Tétrault LLP / mccarthy.ca 12921930 10

Page 11: Sookman montreal bar_casl_talk

CASL is unique and unprecedentedCountry Applies To Notes

Canada(CASL)

“any electronic message that, having regard to the content of the message, … it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity”

Consent to receive the message can generally only be implied where there is an existing relationship type (within the last 2 years)

U.S.(CAN-SPAM Act of 2003)

“any electronic message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service”

Prohibitions on unsolicited messages are limited to messages that are fraudulent or misleading (s.4), those that do not contain prescribed information (s.5) or those sent in violation of an opt out request.

Australia(Spam Act 2003)

“a commercial electronic message is an electronic message, where … it would be concluded that the purpose, or one of the purposes, of the message is [among an exclusive list of purposes related to advertising and offering goods and services]”

Consent can be inferred from the conduct, business and relationships of the persons concerned.

New Zealand(Unsolicited Electronic Messages Act 2007)

“commercial electronic message means an electronic message that markets or promotes [goods or services], or assists or enables a person to obtain dishonestly a financial advantage or gain from another person…”

Consent can be inferred from the conduct, business and relationships of the persons concerned.

Singapore (Spam Control Act 2007)

“a commercial electronic message is an electronic message, where … it would be concluded that the primary purpose of the message is [among an exclusive list of purposes related to advertising and offering goods and services]”

Prohibitions on unsolicited messages are limited to messages that are “sent in bulk” (s.6 & 11)

Hong Kong(Unsolicited Commercial Messages Ordinance)

“commercial electronic message means an electronic message the purpose, or one of the purposes, of which is [among an exclusive list of purposes related to advertising and offering goods and services]”

Prohibitions on unsolicited messages are limited to those that are sent using “automated means” (s.18 & 19) or “with the intent to deceive or mislead” (s.20)

McCarthy Tétrault LLP / mccarthy.ca 12921930 11

Page 12: Sookman montreal bar_casl_talk

Question:Is CASL’s enforcement regime like PIPEDA’s?

McCarthy Tétrault LLP / mccarthy.ca 12921930 12

Page 13: Sookman montreal bar_casl_talk

Very High Liability

¬ Administrative monetary penalties (AMPS) with caps up $10 million for a corporation. (s.20(4))

¬ Private rights of action by anyone affected by a prohibited act (s.47(1)) with liability that consists of:¬ compensation for loss, damages and expenses; and ¬ extensive awards that are capped at:

¬ $1 million per day for breach of SPAM, malware, spyware, message routing, address and personal information harvesting, and Competition Act provisions;

¬ $1 million for each act of aiding, inducing, or procuring a breach of the SPAM, malware and spyware, and message routing provisions, plus liability up to $1 million per day for breach of SPAM, malware, spyware, and message routing provisions.

¬ Risk of class actions.

McCarthy Tétrault LLP / mccarthy.ca 12921930 13

Page 14: Sookman montreal bar_casl_talk

Extensive Accessorial and Vicarious Liability

¬ Liability extends to any person who aids, induces or procures a prohibited act. (s.9)

¬ Senders of CEMs are liable for acts of their employees within the scope of their authority. (s.32, s.53)

¬ Liability extends to officers, directors, and agents if they directed, authorized, assented to, acquiesced, or participated in the prohibited act. (s.31, s.52)

¬ Does the risk make sense?

McCarthy Tétrault LLP / mccarthy.ca 12921930 14

Page 15: Sookman montreal bar_casl_talk

Question:Will CASL impede Canada’s development of cloud computing, Canadian data centre operations and multi-national outsourcing?

McCarthy Tétrault LLP / mccarthy.ca 12921930 15

Page 16: Sookman montreal bar_casl_talk

Territorial reach¬ The anti-spam provisions apply to any message where a computer

system located “in Canada is used to send or access the electronic message”. (s.12(1))

¬ ITAC: “CASL will impact a range of business decisions that could have unintended negative effects on the competitiveness of a wide range of Canadian technology companies...

¬ “First, Canadian multi-national companies sending messages to non-Canadian customers are incented to use vendors located outside Canada to send those messages....

¬ Second, foreign companies deciding where to locate...facilities related to cloud computing... may choose against Canada because of the extra cost of complying with CASL...

¬ Third, Canadian providers of outsourced services to non-Canadian businesses will be at a major disadvantage compared to competitors in other countries.”

16McCarthy Tétrault LLP / mccarthy.ca 12921930 16

Page 17: Sookman montreal bar_casl_talk

Question: Do the anti-spam prohibitions apply only to email, SMS, and IM accounts?

McCarthy Tétrault LLP / mccarthy.ca 12921930 17

Page 18: Sookman montreal bar_casl_talk

What messaging systems are covered?

¬ “electronic address” means an address used in connection with the transmission of an electronic message to (a) an electronic mail account; (b) an instant messaging account; (c) a telephone account; or (d) any similar account. (s.1(1))

¬ Which of these are included in whole or in part?

¬ Opt-in closed messaging systems

¬ Social networks

¬ Online portals

¬ Behavioral advertising messages that are triggered by the use of an account

¬ IP addresses

McCarthy Tétrault LLP / mccarthy.ca 12921930 18

Page 19: Sookman montreal bar_casl_talk

Question:

Are the message content types limited to text or do they include books and video games?

McCarthy Tétrault LLP / mccarthy.ca 12921930 19

Page 20: Sookman montreal bar_casl_talk

What messages are covered?

¬ “electronic message” means a message sent by any means of telecommunication, including a text, sound, voice or image message. (s1(1)) (But, excludes interactive two-way voice communication between individuals, fax messages to a telephone account, voice recordings to a telephone account. (s.6(8))

¬ “Message: “a piece of information that is sent or given to someone: an important idea that someone is trying to express in a book, movie, speech, etc.” Webster Online Dictionary

¬ Anything sent to an electronic address that contains content such as text, sound, voice or image including in attachments or in a link from content?

McCarthy Tétrault LLP / mccarthy.ca 12921930 20

Page 21: Sookman montreal bar_casl_talk

Question:Is the definition of CEM limited to a closed category of advertising or promotional messages?

McCarthy Tétrault LLP / mccarthy.ca 12921930 21

Page 22: Sookman montreal bar_casl_talk

What is a CEM?¬ A “commercial electronic message” is an electronic message

that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that (a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; (b) offers to provide a business, investment or gaming opportunity; (c) advertises or promotes anything referred to in paragraph (a) or (b); or (d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so. (s.1(2))

¬ How does one evaluate the effects of including hyperlinks, corporate logos, contact information?

¬ Does “one of its purposes” have to be a material purpose?

McCarthy Tétrault LLP / mccarthy.ca 12921930 22

Page 23: Sookman montreal bar_casl_talk

What is a commercial activity?¬ A “commercial activity” is any particular transaction, act or conduct or any

regular course of conduct that is of a commercial character whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs of the defence of Canada” (s.1(1)).

¬ How clear is the term? See, Decision P2013-d-01, 2013 CanLII 6291 (AB OIPC)

¬ “A commercial activity is any transaction, act, conduct, or regular course of conduct that is of a commercial character. While admittedly somewhat circular, the definition does not say that a commercial activity is an activity that is “commercial”. Rather, an activity must have a commercial “character”. To me, the definition is meant to capture activities that are more or less commercial, or appear to be commercial by most accounts. To adapt a colloquial phrase, if it looks like a commercial activity, and walks like a commercial activity, then it is a commercial activity.”

McCarthy Tétrault LLP / mccarthy.ca 12921930 23

Page 24: Sookman montreal bar_casl_talk

Question:

Will it be illegal to send a person a message asking for consent to send a CEM?

McCarthy Tétrault LLP / mccarthy.ca 12921930 24

Page 25: Sookman montreal bar_casl_talk

What is a CEM?

¬ An electronic message that contains a request for consent to send a CEM is also considered to be a commercial electronic message. s1(3).

McCarthy Tétrault LLP / mccarthy.ca 12921930 25

Page 26: Sookman montreal bar_casl_talk

Question: Will CASL make it illegal to send safety, security, or product recall information to a consumer that had unsubscribed from receiving advertising or promotional messages?

McCarthy Tétrault LLP / mccarthy.ca 12921930 26

Page 27: Sookman montreal bar_casl_talk

The consent requirement does not apply to a CEM that solely (s.6(6)):

¬provides a quote or estimate... if the quote or estimate was requested;

¬facilitates, completes or confirms a commercial transaction;

¬provides warranty information, product recall information or safety or security information about a product, goods or a service;

¬provides notification of factual information about (i) the ongoing subscription or use or ongoing purchase by the person to whom the message is sent of a product, goods or a service offered under a subscription, membership, account, loan or similar relationship;

¬provides information directly related to an employment relationship or related benefit plan;

¬delivers a product, goods or a service, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction...

Are transactional/information messages CEMs?

McCarthy Tétrault LLP / mccarthy.ca 12921930 27

Page 28: Sookman montreal bar_casl_talk

Question:Will CASL make it illegal•for a child to send out emails to invite neighbors to buy a glass of lemonade at his/her lemonade stand? •for a child to email the parent of a friend asking to baby sit, or to shovel snow, or mow a lawn for some extra school money or to buy Girl Guide cookies or to sponsor her in a school event?

McCarthy Tétrault LLP / mccarthy.ca 12921930 28

Page 29: Sookman montreal bar_casl_talk

Personal relationships (draft regulation)

¬ “personal relationship” means the relationship between an individual who sends the message and the individual to whom the message is sent, if

¬ (i) those individuals have had direct, voluntary, two-way communications and it would be reasonable to conclude that the relationship is personal taking into consideration all relevant factors such as the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated and if the parties have met in person, and

¬ (ii) the person to whom the message is sent has not indicated that they no longer wish to receive any commercial electronic messages, or any specified class of such messages, from the person who sent the message.

McCarthy Tétrault LLP / mccarthy.ca 12921930 29

Page 30: Sookman montreal bar_casl_talk

Question:Will CASL make it illegal for an ex-wife to ask her ex-husband for a loan to pay medical bills or to send children to university?

McCarthy Tétrault LLP / mccarthy.ca 12921930 30

Page 31: Sookman montreal bar_casl_talk

Family relationships (draft regulation)

¬ “family relationship” means the relationship between individuals who are connected by

¬ (i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or is of collateral descent from the other individual’s grandparent,

¬ (ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,

¬ (iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual, or

¬ (iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual; 

McCarthy Tétrault LLP / mccarthy.ca 12921930 31

Page 32: Sookman montreal bar_casl_talk

Question:

Will CASL make it illegal to send messages within a business without complying with the CASL consent, message content, and unsubscribe requirements?

McCarthy Tétrault LLP / mccarthy.ca 12921930 32

Page 33: Sookman montreal bar_casl_talk

B2B (draft regulation)

(a) that is sent by an employee, representative, contractor or franchisee of an organization

(i) to another employee, representative, contractor or franchisee of the organization and that concerns the affairs of the organisation, or

(ii) to an employee, representative, contractor or franchisee of another organization if the organizations have a business relationship at the time the message was sent and the message concerns the affairs of the organization or that person’s role, functions or duties within or on behalf of the organization;

McCarthy Tétrault LLP / mccarthy.ca 12921930 33

Page 34: Sookman montreal bar_casl_talk

Question:Will CASL make it illegal to send messages based on a referral?

McCarthy Tétrault LLP / mccarthy.ca 12921930 34

Page 35: Sookman montreal bar_casl_talk

Referrals (draft regulation)4. (1) Paragraph 6(1)(a) of the Act does not apply to the first commercial electronic message that is sent by an individual for the purpose of contacting the individual to whom the message is sent following any referral by one or more individuals who have an existing business relationship, an existing non-business relationship, a personal relationship or a family relationship with the individual who sends the message as well as any of those relationships with the individual to whom the message is sent and that discloses the full name of the individual or individuals who made the referral and states that the message is sent as a result of the referral.

referrer message sender recipient

McCarthy Tétrault LLP / mccarthy.ca 12921930 35

Page 36: Sookman montreal bar_casl_talk

Question:Can organizations rely on implied PIPEDA consents (existing or in the future)?

McCarthy Tétrault LLP / mccarthy.ca 12921930 36

Page 37: Sookman montreal bar_casl_talk

Implied consents to send CEMs

Implied Consents¬ Consents to collect, use or disclose information under PIPEDA or

provincial privacy laws are not necessarily valid for the purposes of CASL.

¬ CASL will create a conflicting consent regime with the consent regime in PIPEDA and provincial privacy laws since “implied consents” are a list of closed categories.

¬ Consents cannot be inferred by conduct as in Australia or New Zealand.

¬ PIPEDA consents are not “grandfathered”.

McCarthy Tétrault LLP / mccarthy.ca 12921930 37

Page 38: Sookman montreal bar_casl_talk

Question:Will organizations be able to rely on the “existing business relationship” implied consent exception?

McCarthy Tétrault LLP / mccarthy.ca 12921930 38

Page 39: Sookman montreal bar_casl_talk

Implied consents to send CEMs

s10(10)(a) the purchase or lease of a product, goods, a service, land or an interest or right in land, within the 2-year period immediately before the day on which the message was sent;

¬ Businesses may not have existing databases which can be immediately used to determine whether there has been a purchase within the two year period.

¬ A significant effort would be entailed to determine whether any given customer falls within the two year window.

¬ The existing business relationship is entity specific – the relationship must be between the entity sending the CEM and the recipient e.g., a person with an account with one company has an EBR with that entity, but an affiliate cannot rely upon that consent.

McCarthy Tétrault LLP / mccarthy.ca 12921930 39

Page 40: Sookman montreal bar_casl_talk

Question:Will organizations be able to obtain express consents to send CEMs in Terms of Use or EULAs?

McCarthy Tétrault LLP / mccarthy.ca 12921930 40

Page 41: Sookman montreal bar_casl_talk

Requests for consent

CRTC Guidelines

6. The Commission considers that requests for consent contemplated above must not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale. The underlying objective is that the specific requests for consent in question must be clearly identified to the persons from whom the consent is being sought. For example, persons must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs.

McCarthy Tétrault LLP / mccarthy.ca 12921930 41

Page 42: Sookman montreal bar_casl_talk

Question:

Will organizations be able to obtain express consents by using pre-checked boxes in click-wrap agreements?

McCarthy Tétrault LLP / mccarthy.ca 12921930 42

Page 43: Sookman montreal bar_casl_talk

McCarthy Tétrault LLP / mccarthy.ca 12921930 43

Page 44: Sookman montreal bar_casl_talk

Question:Will organizations be able to rely on the transitional provisions?

McCarthy Tétrault LLP / mccarthy.ca 12921930 44

Page 45: Sookman montreal bar_casl_talk

Transitional provisions Commercial electronic messages:

¬ A person’s consent to receiving commercial electronic messages from another person is implied until the person gives notification that they no longer consent to receiving such messages from that other person or until 3 years after the day on which section 6 comes into force, whichever is earlier, if, when that section comes into force,

¬ (a) those persons have an existing business relationship or an existing non-business relationship, as defined in subsection 10(10) or (13), respectively, without regard to the period mentioned in that subsection; and

¬ (b) the relationship includes the communication between them of commercial electronic messages. (s. 66)

¬ Problems: ¬ PIPEDA consents are not necessarily grandfathered.¬ How can an entity know if the EBR or Non-EBR exceptions apply?

McCarthy Tétrault LLP / mccarthy.ca 12921930 45

Page 46: Sookman montreal bar_casl_talk

PART 2 : COMPUTER PROGRAMS

McCarthy Tétrault LLP / mccarthy.ca 12921930 46

Page 47: Sookman montreal bar_casl_talk

Question:What countries have anti-malware/spyware laws that are similar to those in CASL?

McCarthy Tétrault LLP / mccarthy.ca 12921930 47

Page 48: Sookman montreal bar_casl_talk

McCarthy Tétrault LLP / mccarthy.ca 12921930 48

Page 49: Sookman montreal bar_casl_talk

The prohibition

8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless:

(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with [the disclosure requirements of] subsection 11(5); or

(b) the person is acting in accordance with a court order.

McCarthy Tétrault LLP / mccarthy.ca 12921930 49

Page 50: Sookman montreal bar_casl_talk

Question:

Must organizations disclose the functions and features of computer programs when getting consent to install them?

McCarthy Tétrault LLP / mccarthy.ca 12921930 50

Page 51: Sookman montreal bar_casl_talk

Disclosure requirements to comply with “malware” and “spyware” provisions

Two levels of disclosure required when obtaining consent.

1. Minimum Disclosure: A person who seeks express consent, must when requesting consent, also, in addition to setting out any other prescribed information, must clearly and simply describe, in general terms the function and purpose of the computer program that is to be installed if the consent is given. (s.10(3))

McCarthy Tétrault LLP / mccarthy.ca 12921930 51

Page 52: Sookman montreal bar_casl_talk

2. Enhanced Disclosure: If the computer program meets one of the specified “malware” or “spyware” criteria in s.10(5), “the person who seeks express consent must, when requesting consent, clearly and prominently, and separately and apart from the licence agreement, (a) describe the program’s material elements that perform the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and (b) bring those elements to the attention of the person from whom consent is being sought in the prescribed manner”.

Disclosure requirements to comply with “malware” and “spyware” provisions

McCarthy Tétrault LLP / mccarthy.ca 12921930 52

Page 53: Sookman montreal bar_casl_talk

¬ Enhanced Disclosure: The enhanced disclosure standard applies where

¬ the program performs functions that the person knows and intends will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or authorized user of the computer

¬ collects personal information;

¬ interferes with control of the computer;

¬ changes or interferes with settings preferences or commands;

¬ obstructs, interrupts, or interferes with access to data;

¬ causes the computer to communicate with another computer without authorization,:

¬ installing a computer program that can be activated by a third party:

¬ installing a bot, or something set out in the regulations;

¬ but not merely transmission data. (s.10(5) &(6)).

Disclosure requirements to comply with “malware” and “spyware” provisions

McCarthy Tétrault LLP / mccarthy.ca 12921930 53

Page 54: Sookman montreal bar_casl_talk

Question:Will organizations be able to make the required disclosures in their EULAs?

McCarthy Tétrault LLP / mccarthy.ca 12921930 54

Page 55: Sookman montreal bar_casl_talk

CRTC Regulations, s.5

5.    A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought separately from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.

Enhanced disclosure in regulations

McCarthy Tétrault LLP / mccarthy.ca 12921930 55

Page 56: Sookman montreal bar_casl_talk

Question:

Will every organization that makes computer programs available (whether on a standalone basis or embedded in a product or device) have to develop functionality or processes to uninstall or disable a program in the field?

McCarthy Tétrault LLP / mccarthy.ca 12921930 56

Page 57: Sookman montreal bar_casl_talk

Withdrawal of consent: If the computer program installed meets one of the specified “malware” or “spyware” criteria in s.10(5), the person who installs the program with consent must for 1 year provide an electronic address to which a request can be sent to remove or disable the computer program if the requestor believes that the function, purpose or impact of the computer program installed under the consent was not accurately described when consent was requested; and if the consent was based on an inaccurate description of the material elements of the enumerated function or functions, must, without cost to the person who gave consent, assist that person in removing or disabling the computer program as soon as feasible. (s.11(5))

Withdrawal of consent for “spyware” functionality

McCarthy Tétrault LLP / mccarthy.ca 12921930 57

Page 58: Sookman montreal bar_casl_talk

Getting express consents to send CEMSCRTC reg s.4. For the purposes of subsections 10(1) and (3) of the Act, a request for consent may be obtained orally or in writing and must be sought separately for each act described in sections 6 to 8 of the Act and must include

(a) the name by which the person seeking consent carries on business, if different from their name, if not, the name of the person seeking consent;

(b) if the consent is sought on behalf of another person, the name by which the person on whose behalf consent is sought carries on business, if different from their name, if not, the name of the person on whose behalf consent is sought;

(c) if consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought; and

(d) the mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought; and

(e) a statement indicating that the person whose consent is sought can withdraw their consent.

McCarthy Tétrault LLP / mccarthy.ca 12921930 58

Page 59: Sookman montreal bar_casl_talk

Question:Do the requirements to make disclosures and to obtain express consents apply only where the device has a UI and interactive capabilities that will support these processes?

McCarthy Tétrault LLP / mccarthy.ca 12921930 59

Page 60: Sookman montreal bar_casl_talk

What systems does CASL apply to?

¬ “computer system” (defined in subsection 342.1(2) of the Criminal Code) means “a device that, or a group of interconnected or related devices one or more of which, (a) contains computer programs or other data, and (b) pursuant to computer programs, (i) performs logic and control, and (ii) may perform any other function”.

McCarthy Tétrault LLP / mccarthy.ca 12921930 60

Page 61: Sookman montreal bar_casl_talk

Question:

Does the consent to install a program permit the installation of updates or upgrades?

McCarthy Tétrault LLP / mccarthy.ca 12921930 61

Page 62: Sookman montreal bar_casl_talk

Exceptions for Software Updates, Upgrades and Patches

The formalities for obtaining express consent (ss10(1) and (3)) are not required for the installation of an update or upgrade so long as the installation or use of the computer program being updated was expressly consented to and the person who gave the consent is entitled to, and does receive the update under the terms of the express consent. (s.10(7))

Problem:¬ There is no express exception that permits installation of an

update or upgrade without consent.

¬ Must the original consent to install a program include a consent to install updates or upgrades?

McCarthy Tétrault LLP / mccarthy.ca 12921930 62

Page 63: Sookman montreal bar_casl_talk

Question:

Will CASL’s computer program provisions impede the development of computer and telecom support from Canada to other countries?

McCarthy Tétrault LLP / mccarthy.ca 12921930 63

Page 64: Sookman montreal bar_casl_talk

Territorial application of the program provisions

The provisions apply “if the computer system is located in Canada at the relevant time or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions.” s8(2).

McCarthy Tétrault LLP / mccarthy.ca 12921930 64

Page 65: Sookman montreal bar_casl_talk

Question:Will CASL impede network management and the security of networks?

McCarthy Tétrault LLP / mccarthy.ca 12921930 65

Page 66: Sookman montreal bar_casl_talk

New exceptions (draft regulation)

¬ 6. The following computer programs are specified for the purposes of subparagraph 10(8)(a)(vi) of the Act:

¬ (a) a program that is installed by or on behalf of a telecommunications service provider solely to prevent activities that the telecommunications service provider reasonably believes are in contravention of an Act of Parliament and which present an imminent risk to the security of its network; or

(b) a program that is installed, for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network.

¬ Note: exemptions are subject to condition that “the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation”. (s.10(8))

McCarthy Tétrault LLP / mccarthy.ca 12921930 66

Page 67: Sookman montreal bar_casl_talk

Question:

Is CASL constitutional?

McCarthy Tétrault LLP / mccarthy.ca 12921930 67

Page 68: Sookman montreal bar_casl_talk

Is CASL constitutional?

¬ Do the restrictions on speech associated with the anti-spam and computer program provisions minimally impair freedom of expression?

¬ Is the definition of CEM “vague”?

¬ Is the enforcement regime and especially AMPs really a criminal law?

¬ Does CASL impinge on Provincial powers respecting property and civil rights?

McCarthy Tétrault LLP / mccarthy.ca 12921930 68

Page 69: Sookman montreal bar_casl_talk

¬ Canada’s anti-spam law, too much of a good thing ¬ Evaluating the Industry Canada CASL regulations: my

submission to the consultation ¬ CASL flaws not Festivus grievances¬ CRTC Issues CASL (Canada’s Anti-Spam Law)¬ Reflections on the new CRTC CASL regulations¬ McCarthy Tetrault CASL Toolkit

Some readings

McCarthy Tétrault LLP / mccarthy.ca 12921930 69

Page 70: Sookman montreal bar_casl_talk

¬ Available @ www.mccarthy.ca and www.barrysookman.com

McCarthy Tétrault LLP / mccarthy.ca 12921930 70

Want the slides?

Page 71: Sookman montreal bar_casl_talk

VANCOUVERSuite 1300, 777 Dunsmuir StreetP.O. Box 10424, Pacific CentreVancouver BC V7Y 1K2Tel: 604-643-7100 Fax: 604-643-7900 Toll-Free: 1-877-244-7711

CALGARYSuite 3300, 421 7th Avenue SWCalgary AB T2P 4K9Tel: 403-260-3500 Fax: 403-260-3501 Toll-Free: 1-877-244-7711

TORONTOBox 48, Suite 5300Toronto Dominion Bank TowerToronto ON M5K 1E6Tel: 416-362-1812 Fax: 416-868-0673 Toll-Free: 1-877-244-7711

MONTRÉALSuite 25001000 De La Gauchetière Street WestMontréal QC H3B 0A2Tel: 514-397-4100 Fax: 514-875-6246 Toll-Free: 1-877-244-7711

QUÉBECLe Complexe St-Amable1150, rue de Claire-Fontaine, 7e étageQuébec QC G1R 5G4Tel: 418-521-3000 Fax: 418-521-3099 Toll-Free: 1-877-244-7711

UNITED KINGDOM & EUROPE125 Old Broad Street, 26th FloorLondon EC2N 1ARUNITED KINGDOMTel: +44 (0)20 7489 5700 Fax: +44 (0)20 7489 5777

McCarthy Tétrault LLP / mccarthy.ca 12921930 71