Andy Kaplan-Myrth of Industry Canada spoke last week at a well-attended joint meeting of the Toronto Computer Lawyer’s Group and the CBA on Canada’s new anti-spam/spyware law (CASL). Specifically he talked about the upcoming revised Industry Canada regulations. Andy is a policy analyst with IC and is one of the people in charge of producing these regulations.
Here is a short summary of what was discussed from notes taken by James Gannon. One caveat, any questions that Andy answered related to interpretation of the statute were his personal opinion and not those of Industry Canada or the CRTC.
Timing:
The second draft of the Industry Canada regulations have been prepared. They still must be approved by the Minister and Treasury Board before being published for comment. Treasury Board will only meet once more before summer recess and it is quite busy. If the Treasury Board does get to the CASL regs, they will be published mid-June. If the Treasury Board does not get to the regulations this session, it will consider them at its next meeting in October. Andy is hopeful that the Treasury Board will get to them in June, but it is not certain.
Once the draft regs are published, there will be a 30-day consultation period before final regs are prepared. According to Andy, IC has already taken into account the feedback from the previous consultation, so it will be more interested in hearing comments about the changes that were made to the new regs rather than other problems with CASL.
CASL will come into force some time in 2013. There will be a 3-6 month grace period before CASL comes into force. It is not clear when that period would begin to run.
IC Regulations:
The new draft regulations have tweaked the definition of “personal relationship” so that it is more expansive and covers personal relationships that are purely virtual where the people have never met. The original regs required an in person meeting.
IC has created 4 new exceptions. These exceptions will apply to all of s.6 of CASL, not just the consent requirements. Accordingly. commercial electronic messages (CEMs) fitting into these categories will be exempt from the consent, form and unsubscribe requirements. They are:
- CEMs sent within an organization such as to employees.
- CEMs between organizations that are related to the businesses of those organizations. This is being called a “B2B” exception, but it appears that the exception might be limited to non-solicitation emails related to businesses in the same industry. Unfortunately, he did not elaborate on the scope of this exception. He gave as an example employees of two banks emailing each other to discuss “banking matters”.
- CEMS required to be sent by law (i.e. in furtherance of requirements under the Consumer Protection Act or e-commerce statutes).
- Responses to an inquiry.
Questions:
Somebody asked about service/transactional emails (for instance, those confirming an online purchase). These types of emails do not currently seem to be included in CASL’s definition of CEM, yet they are exempted from the consent requirements in s.6(6), potentially implying that the other requirements in CASL (form and unsubscribe) would apply. Andy responded that the definition of CEM should stand on its own and s.6(6) should not be used to interpret what would or would not be considered a CEM. Many in the audience asked that the CRTC publish an interpretive bulletin confirming this point.
Many questions focused on referrals and 3rd party consents. The audience was worried that many “tell a friend” campaigns would induce violations of CASL. Andy said campaigns that say “send this to your friends” should be not be considered to induce CASL violations, but ones that reward forwarding or signing up “as many emails as you can” may be inducing violation of CASL. As this is only Andy’s personal opinion, businesses will want to think carefully about how these campaigns are structured.
PIPEDA consents will not be grandfathered.
Many questions were asked about what constitutes an “express consent” under CASL. Andy responded that the government does not want to prescribe exactly what the requirements might be, although pre-checked boxes should be okay.
Many questions were asked about the proper evidence that would be required to demonstrate consent. Andy said that proving consent based on a database entry should suffice if the organization has consistent policies and practices that employees are aware of and adhere to, and are periodically audited.
Requests for consent that have already been obtained do not have to comply with the form requirements to be valid once CASL is in effect. Accordingly, existing express consents can be grandfathered even if the requests for such consents did not comply with the form requirements in the CRTC regulations.
Jurisdiction: CASL will continue to apply to all messages sent from Canada, even if no intended recipients are in Canada. When challenged that this requirement will drive service providers and jobs away from Canada, Andy replied that it would be impossible to create an exception that doesn’t allow spamming foreign countries.
Warranties: When asked if CASL will allow warranty update emails, Andy responded that a warranty is a form of contract, so a warranty-related email sender can rely on the existing business relationship exception.
Spyware: The regs will contain an exception for telecommunication service providers to allow remote software installs and updates.
Margot Patterson has a few additional comments on Andy’s talk which you can access here.
Comments:
The new exemptions from CASL’s strictures and are much needed. It is good to hear that the Government has listened, in part, to the very extensive feedback received during the consultations on the regulations.
It appears that the new proposed regulations will far short in several key areas. In particular:
- Grandfathering PIPEDA Consents: The failure to grandfather existing PIPEDA compliant consents will cause Canadian businesses to make huge and largely wasted investments to obtain new CASL compliant consents. It is very difficult to obtain express consents from all existing customers as most people fail to respond to solicitations and such solicitations will become illegal under CASL. During the transition period existing business relationships will be recognized. However, the EBR exception is no panacea as most institutions have not tracked which of their customers fall within the relatively narrow strictures of this definition. To use it, businesses would have to spend countless resources to try and determine which of its real connections fall within the EBR definition. For new start-ups the transitional provisions are of little value. On a go forward basis there is also no good reason for not recognizing PIPEDA compliant consents or inferred consents which are considered valid in other countries including Australia.
- Jurisdiction: It is unfathomable that the Government would put cloud computing models at risk in Canada because of some theoretical enforcement problem of spammers using a Canadian facility to spam into another country. There are many viable solutions to this supposed problem. For example, an exemption to send CEMs into another country could be legal if the CEMs complied with the recipient country’s own spam laws. Another possibility would be to exempt CEMs only if they either meet the laws of the foreign country or if they meet some minimum requirements that truly prevent Canada from becoming a spam haven e.g. the CEMs are not false or misleading, are not sent without express or implied consent or in violation of an opt-out request.
- Referrals: The problem with referrals will hit many industries including real estate agents, financial planners and brokers. Here again, there are many potential solutions that can balance CASL’s objectives of stemming unwanted CEMs while not undermining legitimate and desirable referrals.
- Short Messaging Systems: Andy did not mention any relief for Canadians who want to use short messaging systems like SMS or IM messaging systems. Even with the amended CRTC regulations, it will be next to impossible for Canadians to legally use these messaging systems to send CEMs. It is surprising that legislation that is intended to promote the use of new messaging systems would place Canada at a competitive disadvantage when it comes to their use.
- Obtaining Consents on Behalf for Third Parties: It also appears that there will be no new exception that will pragmatically enable organisations like social networks and e-commerce sites to obtain consents to allow their users to send messages to other site users. The draft existing regulations are so exacting and punitive that new and innovative services may well have to be disabled or not launched for the Canadian marketplace.
It is good to see that some progress is being made to revamp the challenges imposed by CASL. However, unless IC addresses the other key problems that were ubiquitously raised during the consultations, CASL will actually make it more difficult for Canadians to use electronic networks for ecommerce. CASL will stifle innovation in key technologies including cloud computing and modern means of telecommunications, and will burden Canadian businesses with hefty compliance costs and red tape. All of these things will hurt Canada’s competitive position in the digital economy and some of the restrcitions will likely impinge on Canadians’ rights of freedom of expression under the Charter.
The Government also needs to consider lengthening the grace period, at least as it relates to proclaiming the anti-spam parts of CASL into force. Many businesses have been waiting to see exactly what will be needed to comply. Until the regulations are finalized it is impossible to know what the rules will be.
CASL needs fixing. Let’s get on with it. There is a lot at stake for Canada’s digital economy and the fundamental freedoms of Canadians.