Upload
barry-sookman
View
1.069
Download
2
Embed Size (px)
DESCRIPTION
Submission of Barry Sookman to Industry Canada Notice in the Canada Gazette, Part I Dated January 5, 2013, the Electronic Commerce Protection Regulations
Citation preview
1
Barry B. Sookman
c/o McCarthy Tétrault LLP PO Box 48, Suite 5300 Toronto-Dominion Bank Tower Toronto ON M5K 1E6 Canada Direct Line: (416) 601-7949
Direct Fax: (416) 868-0673 Email: [email protected]
February 4, 2013
Bruce Wallace Director, Security and Privacy Policy Digital Policy Branch Department of Industry Jean Edmonds Tower North 18th Floor, Room 1891D 300 Slater Street Ottawa, ON K1A 0C8
Dear Mr. Wallace:
RE: Industry Canada Notice in the Canada Gazette, Part I Dated January 5, 2013, the Electronic Commerce Protection Regulations
I appreciate the opportunity to provide comments on the above-noted consultations.
I make these comments in my personal capacity and not on behalf of my firm or any of its clients. I write as one of the leading technology lawyers in Canada and the author of a six volume book on Computer, Internet and e-Commerce Law, the most authoritative book on these subjects in Canada. I am also an adjunct Professor of intellectual property law at Osgoode Hall Law School.
I am writing because I am deeply concerned about CASL. The draft regulations partially address some of the major inadvertent consequences with CASL. I support the use of regulations to help CASL achieve its objectives. However, while very useful, the draft regulations do not go far enough. CASL’s structure and many of its implementing provisions are problematic. Without substantial changes CASL, even with the draft regulations, will cause inordinately more harm than good.
Its negative impacts will likely affect all segments of Canadian society. For example some of the likely impacts are the following:
Consumers will be deprived of valuable information they want and need including many transactional and service messages such as notification messages that they will incur roaming charges or that a mortgage or other financial product is coming to term, and the consumers' options in each case. When popular foreign based fan sites stop sending updates to Canadians about their favorite sports celebrity or artist, or about developments in a subject in which they are interested, they will be deprived of information they really want. They will find it harder to get computers, appliances or other electronic devices repaired or serviced by retailers and independent service organizations because of the new rules related to computer programs. They will also
2
pay more for products and services and have less variety because of CASL's effects on competition, especially from foreign countries.
Charities, non-profit and educational organizations, and the health sector, will have new roadblocks that make it more difficult for them to raise money or disseminate important information to their constituencies. Many members of the public will find themselves being removed from mailing lists of charities and not for profit organizations including those catering to medical diseases and health problems because these organizations no longer have consent to send them the newsletter or other information they want and need and are prevented from even seeking consent to ask if they can continue to send the publications.
The telecommunications sector and other organizations that operate networks will be less able to secure their computer systems and networks and consumers’ personal information and to defend themselves against cybercriminals.
Sole proprietorships and other small businesses will be handicapped in building new businesses.
Managed messaging systems and closed messaging systems like social networks and instant messaging services will be burdened by regulations that make no sense in these contexts. There will be impediments to deploying and using them in Canada. Refer a friend based services will be significantly affected.
The high tech industries will be placed in positions where they cannot compete with foreign competitors. Cloud computing, computer outsourcing, and software distribution, maintenance and support businesses that support foreign enterprises will be hurt.
Every organization will have to invest in expensive processes to comply with the new across the board requirements for express consents, disclosures, and unsubscribe formalities. It sounds easy, but it is not. Organizations will be unable to rely on consents they already have such as those obtained under Canada's privacy legislation, PIPEDA. They will have to develop a duplicate and overlapping system for obtaining consents. The types of messages caught are potentially so wide ranging, organizations cannot reasonably know what messages they need to be concerned about. The core definition of commercial electronic message is vague and unworkable. The transitional provisions intended to ease the transition to CASL are ineffective thus forcing organizations to make substantial immediate investments or face class action law suits from the expected CASL litigation trolls under the new private right of action.
All segments of the public will be affected by the restrictions on the use of the Internet to deliver digital products. Digital products including ebooks, newsletters, magazines, music, videos, video games, and software that are delivered using electronic messaging systems like email or instant messaging can be considered commercial electronic messages to which CASL applies, especially if they contain a hyperlink to the vendor's website, the vendor's logos or some information that tells consumers how to get an upgrade, update, warranty service or similar types of products. A new layer of regulation will thus inadvertently be added to digital distribution of products.
3
Individual citizens will have to have express consent before they can send their friends (except perhaps their closest friends), neighbors, schoolmates, acquaintances, colleagues, and certain extended family members emails or other messages that have to do with buying or selling a product or service or encouraging them to engage in any act of a commercial character including trivial things like buying a baby crib, mowing a lawn, or promoting corner lemonade stands.
The public's right to freedom of expression guaranteed by the Charter of Rights and Freedoms will be significantly impinged. It is hard to imagine how CASL’s impingements on the Charter rights of ordinary Canadians and organizations could be considered proportionate, reasonable, and to minimally impair the right to freedom of speech.
CASL and the current draft regulations, taken together, are completely at odds with the Government's policies of reducing red tape, augmenting cyber security, helping small business, fostering digital commerce, and creating rewarding jobs for Canadians.
You may think the above litany of problems is overstated. However, it is CASL’s across the board prohibitions and prescriptive requirements to regulating electronic messages and computer programs, and especially messages that no one would consider to be harmful and programs that are completely innocuous, that causes these significant problems. I am not alone in raising these problems. Many organizations described these problems in commenting on the previous draft regulations. I understand that many organizations still share these views and intend to communicate these concerns in commenting on the latest draft regulations.
I am attaching a series of blog posts that set out my reasons why CASL and its implementing provisions are problematic and why the regulations fall short and do not redress the problems with CASL.
Evaluating the Industry Canada CASL regulations: why they are needed http://www.barrysookman.com/2013/01/14/evaluating-the-industry-canada-casl-regulations-why-they-are-needed/
Evaluating the Industry Canada CASL regulations: how to assess them http://www.barrysookman.com/2013/01/16/evaluating-the-industry-canada-casl-regulations-how-to-assess-them/
Evaluating the Industry Canada CASL regulations: family relationships and personal relationships http://www.barrysookman.com/2013/01/18/evaluating-the-industry-canada-casl-regulations-family-relationships-and-personal-relationships/
Evaluating the Industry Canada CASL regulations: the B2B exception (Part I-SMEs) http://www.barrysookman.com/2013/01/21/evaluating-the-industry-canada-casl-regulations-the-business-to-business-exception-part-i/
Evaluating the IC CASL regulations: the B2B exception (Part II-Non-business entities) http://www.barrysookman.com/2013/01/22/evaluating-the-ic-casl-regulations-the-b2b-exception-part-ii-non-business-entities/
Evaluating the Industry Canada CASL regulations: jurisdictional overreach http://www.barrysookman.com/2013/01/25/evaluating-the-industry-canada-casl-regulations-jurisdictional-overreach/
4
Evaluating the Industry Canada CASL regulations: defining commercial electronic message http://www.barrysookman.com/2013/01/30/evaluating-the-industry-canada-casl-regulations-defining-commercial-electronic-message/
Evaluating the Industry Canada CASL regulations: countering cyber-security threats http://www.barrysookman.com/2013/02/01/evaluating-the-industry-canada-casl-regulations-countering-cyber-security-threats/
Will CASL Hurt Charities? Let Us Count The Ways http://www.barrysookman.com/2013/02/04/will-casl-hurt-charities-let-us-count-the-ways/
Rethinking CASL (Canada’s Anti-SPAM law) http://www.barrysookman.com/2011/05/25/rethinking-fisa/
Electronic Commerce Protection Regulations – Much Work Remains http://www.barrysookman.com/2011/09/20/electronic-commerce-protection-regulations-%e2%80%93-much-work-remains/
The content of those blog posts are attached to this letter for ease of reference and should be considered part of my submission.
In my view, CASL and the current regulations should be subject to independent reviews to determine whether they will do more harm than good. It may be that when CASL was passed all of the inadvertent consequences were not easily forseen. After many years of study, they can now be seen more clearly. It is time to take a sober second look before the serious harms described above are visited on Canadians by CASL. The review should examine the overall economic costs and benefits of CASL and the regulations, taking into account everything that is now known about its likely impacts. It should consider whether the benefits and detrimental impacts of CASL and the draft regulations warrant Canada having the most onerous rules in the world to regulate the dissemination of electronic messages and the installation of computer programs. The reviews should also include an examination of whether the impingements on speech and commerce violate the Charter of Rights and Freedoms and whether the prohibitions are so broad and ambiguous as to be constitutionally too vague to be valid.
I thank you for taking the time to consult with Canadians about the draft regulations. I trust this submission will be helpful in your important deliberations.
Yours truly,
Barry B. Sookman BBS/mb
5
Evaluating the Industry Canada CASL regulations: why they are needed
http://www.barrysookman.com/2013/01/14/evaluating-the-industry-canada-casl-regulations-why-they-are-needed/
January 14th, 2013 by Barry Sookman
Industry Canada has now published its revised draft Electronic Commerce Protection Regulations. These
regulations to Canada’s new anti-spam/anti-malware/spyware law (CASL) are open for comment for a
period of 30 days from the date of their publication, January 5, 2013. The regulations are helpful and a
major improvement over the last draft regulations. They address some key problems with CASL.
However, they don’t address all of the problems and only partially address others.
I have written extensively about CASL’s shortcomings and the problems with the CRTC regulations and
the previous Industry Canada regulations. See, Rethinking CASL (Canada’s Anti-SPAM law), Will it be
illegal to recommend a dentist under Canada’s new anti-spam law (CASL)?, Electronic Commerce
Protection Regulations – Much Work Remains, Fixing CASL: comments on the draft CRTC and Industry
Canada regulations, Reflections on the new CRTC CASL regulations, and CRTC Issues CASL (Canada’s
Anti-Spam Law) Guidelines, background and commentary. Many of the issues that have been raised by
me and others before, during and following the consultations on the regulations still need to be addressed
to ensure that CASL meets its overall objectives. The proposed regulations need substantial amendments
to avoid CASL creating huge and unnecessary compliance problems as well as high penalties and class
action risks for ordinary Canadians including individuals, small, medium and large business and other
organizations that want to communicate electronically.
Many commentators have provided summaries of the draft Industry Canada regulations, in some cases
with suggestions for improvements. See for example, here, here, here, here, here, here, here, and here.
In this and in a series of future blog posts, I intend to go further to elucidate the challenges with CASL and
the draft regulations to make suggestions for amendments. I hope they will generate public discussion
and understanding so that through the regulatory process key flaws in CASL can be fixed before it
becomes law.
In this blog post I want to outline why the Industry Canada regulations are so important.
CASL tackles several problems including among them problems with spam and malware/spyware. There
is a broad consensus that legislation is necessary to combat the most serious problems with them. Other
countries recognized this when passing legislation to tackle serious identifiable types of harmful threats
from them. For example, the U.S. passed the CAN-SPAM Act of 2003. It prohibits e-mails that are sent in
violation of an individual’s opt-out request, or that are fraudulent, false or misleading. The European
Union passed the EU Directive 2002/58/EC on privacy and electronic communications. It targets e-mails
sent for the purposes of direct marketing to individuals. Australia and New Zealand also passed anti-
spam laws. These laws prohibit sending certain commercial electronic messages without the express or
inferred consent of the recipient.
In contrast to the targeted approach to addressing harmful forms of spam, CASL took the unprecedented
approach of making it illegal to send any commercial electronic message without express consent unless
the message falls into a closed set of categories.
6
The types of messages covered are very broad. They extend to a wide range of electronic messages
“that, having regard to the content of the message, the hyperlinks in the message to content on a website
or other database, or the contact information contained in the message, it would be reasonable to
conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity”.
Commercial activity is defined broadly as “any particular transaction, act or conduct or any regular course
of conduct that is of a commercial character, whether or not the person who carries it out does so in the
expectation of profit”.
The closed categories for which consent is not required are CEMs to an individual with whom the sender
stands in a personal or family relationship as defined in regulations; an inquiry or application to a person
engaged in commercial activity; CEMs transmitted by telecommunications service providers (TSPs) in
their role as carriers; and messages related to law enforcement, public safety, the protection of Canada,
the conduct of international affairs or the defence of Canada. There is also deemed implied consent
where there is “an existing business relationship” or “existing non-business relationship” as those terms
are defined in CASL, if the recipient voluntarily discloses his/her email address, or has “conspicuously
published” it. CEMs that do not fall into one or more of the pre-defined categories cannot be sent except
with the express consent of the recipient. CASL and the CRTC regulations also impose formalities related
to the contents of each CEM and the mandated unsubscribe process.
Unlike the anti-spam laws of all of our trading partners, CASL’s regulatory approach does not target only
messages that are false, fraudulent, misleading, or otherwise harmful or unwanted. It also bans sending
economically and socially useful and desirable commercial messages unless there is prior express
consent to sending them. The “ban all” approach to regulating CEMs will inevitably result in individuals,
businesses, not-for-profit entities, educational institutions, charities, private clubs, and political parties
finding themselves barred from communicating with others where they cannot fit into a pre-defined
category and because even sending an electronic message to ask for consent will be illegal.
The approach CASL takes to regulating commercial speech is, as I have pointed out before, akin to trying
to prevent crime by making it an offense for citizens to leave their homes except for purposes that are
listed as exemptions in the Criminal Code or in regulations – regulations that incrementally grow in
number as new non-criminal activities are identified. It would be easy to name obvious initially exempt
purposes such as work, school, and sports. But, with the myriad of diverse human activities, an
unforeseeable plethora of legitimate activities that individuals expect can be legally engaged in in a free
and democratic society would be criminalized. For example, if going camping, bird watching, or attending
the annual Santa Claus parade were not in the class of exempted activities, it would be illegal to do them
until the Government enacts new regulations to exempt them. The same is true with CASL.
CASL’s closed categories of permitted commercial speech has the potential to chill legitimate and
desirable commercial speech that benefits consumers and others by, among other things, reducing the
dissemination of information that is essential to making informed choices and to undermine fundamental
freedoms protected by the Charter of Rights and Freedoms. While limits on free speech are clearly
permitted by the Charter, these limits must be reasonable and justified, with minimal impairment of the
free speech right, and with the limit on free speech being in proportion to the harm that is being targeted.
See, RJR-MacDonald Inc. v. Canada (Attorney General), [1995] 3 S.C.R. 199; Rocket v. Royal College of
Dental Surgeons of Ontario, [1990] 2 S.C.R. 23.
7
Industry Canada has proposed new exceptions for CASL. These are not “loopholes”. They are clearly
needed to ensure the overall goals of CASL are met. In proposing the new exceptions Industry Canada
made the following statement:
Since it [CASL] applies broadly to commercial electronic messages, the Act captures regular business to business communications that are not the types of threats that were intended to be captured within the scope of the Act. To ensure these business communications are not regulated under the Act, the proposed Regulations include exemptions for commercial electronic messages that are
sent within a business; or
sent between businesses that are already in a business relationship, where the messages are sent by an employee, representative, contractor or franchisee and are relevant to the business, role, function or duties of the recipients
Exemptions are also proposed for messages that are solicited or sent in response to complaints and requests. Additional exemptions are proposed for messages sent due to a legal obligation or to enforce a legal right.
Finally, an exemption is proposed for messages relating to an organization located or provided outside of Canada and accessed while the recipient was visiting Canada. The proposed exemption would limit the application of CASL so it does not apply when the sender could not reasonably have been expected to know their messages would be accessed in Canada.
What is telling about these proposals is that in the short time since CASL was passed the Government
recognized that CASL’s “ban all structure” would have inadvertent consequences that need to be fixed.
What has not been expressly acknowledged is that these and many more problems are not merely not
intended by the Government; they are a necessary consequence of CASL’s “ban all” structure.
CASL takes the same approach to malware. Rather than focusing on computer programs that cause
harm – and there are lots of those – it bans the installation of any computer program on any computer,
smartphone, or other computer system without prior express consent. When the legislation was first
introduced as Bill C-27 – the Electronic Commerce Protection Act, it would have made the use of Internet
websites illegal in Canada because it would have been impossible for websites to get express consent to
load html and other programs into a browser before getting users’ consent. After I raised this issue with
CASL’s “ban all” approach including to the Standing Committee on Industry, Science and Technology
studying the bill, changes to fix this “unintended consequence” were adopted by Parliament (now in
s10(8) of CASL).
The proposed regulations contain new and very much needed exceptions to the anti-malware provisions.
They are described by Industry Canada as follows:
Telecommunication service providers and other network service providers had argued for exemptions from the requirement for consent to install software to prevent unauthorized or fraudulent use of a service or system, or to update or upgrade systems on their networks. The exemptions proposed are more limited, allowing installation of computer programs without prior consent where illegal activities pose a threat to the TSP’s networks, or where required for network-wide updates or upgrades. TSPs will continue to need consent to install software to prevent legal activities that are merely unauthorized or suspicious, or where an installation is not required for a system-wide upgrade or update
What is apparent is that without this regulation it would be illegal for telecommunication service providers
to prevent fraudulent and other illegal uses of their systems. This could have severely affected the
8
security and privacy which Canadians expect and which TSPs are required by law to protect. As will be
detailed in another post, this most recently acknowledged problem is just the tip of the unintended iceberg
of consequences of CASL’s flawed structure.
The penalties for contravening CASL are severe. A person who contravenes any of anti-spam provisions
can be liable for a fine of up to $1,000,000 in the case of an individual, and $10,000,000 in the case of
any other person. A person who merely aids in the violation can be liable for a fine of up to the same $1
million dollar maximum per violation. CASL also subjects individuals to damages and penalties under
private right of action provisions which are widely expected to result in class action suits.
CASL’s “ban all” structure makes it imperative that regulations be adopted to ensure that CASL’s
objectives are met. It is possible to deter the most damaging and deceptive forms of spam and malware
in Canada without creating a raft of damaging unintended consequences. However, regulations that
merely add carefully crafted narrow new exceptions will not solve CASL’s structural flaws. Nor will they
meet the Government’s stated objectives for this legislation.
In the next post, I will address the appropriate framework for evaluating Industry Canada’s proposed
regulations.
9
Evaluating the Industry Canada CASL regulations: how to assess them
http://www.barrysookman.com/2013/01/16/evaluating-the-industry-canada-casl-regulations-how-to-assess-them/
January 16th, 2013 by Barry Sookman
In a previous post, Evaluating the Industry Canada CASL regulations: why they are needed, I suggested
that close scrutiny needs to be given to Industry Canada’s new draft Electronic Commerce Protection
Regulations. CASL’s “ban all” structure makes it imperative that regulations be adopted to ensure that the
goals of Canada’s new anti-spam/anti-malware/spyware law (CASL) are met. Their adequacy and
appropriateness should be measured against these and other generally recognized objectives. In this
post I propose to lay out the framework for assessing the regulations.
CASL’s formal title starts off with the words “An Act to promote the efficiency and adaptability of the
Canadian economy by regulating certain activities that discourage reliance on electronic means of
carrying out commercial activities”. The Bill’s summary re-iterates this purpose as does Section 3 which
describes CASL’s purposes as follows:
The purpose of this Act is to promote the efficiency and adaptability of the Canadian economy by
regulating commercial conduct that discourages the use of electronic means to carry out
commercial activities, because that conduct
(a) impairs the availability, reliability, efficiency and optimal use of electronic means to
carry out commercial activities;
(b) imposes additional costs on businesses and consumers;
(c) compromises privacy and the security of confidential information; and
(d) undermines the confidence of Canadians in the use of electronic means of
communication to carry out their commercial activities in Canada and abroad.
The Government has also stated that the key goals of CASL are to “deter the most damaging and
deceptive forms of spam from occurring in Canada and help drive spammers out of Canada” and to
encourage the use of electronic means to carry out commercial activities. The goal is to accomplish these
objectives without negatively impacting legitimate businesses that use electronic means to market their
products and services to Canadians. See Government of Canada, Backgrounder, Questions and
Answers, and Online Threats, Government of Canada Moves to Enhance Safety and Security in the
Online Marketplace. In introducing CASL at second reading, Minister Clement stated that CASL’s
purpose “is not to limit legitimate online business. It is to promote electronic commerce by increasing
confidence in the use of the Internet to carry out business transactions”. Thus the goals of CASL imply
trade-offs: discourage the most damaging a deceptive forms of spam and malware, encourage the use of
electronic communications, and do not negatively impact Canadians or Canadian organizations.
The Charter of Rights and Freedoms also imposes limitations on the permitted encroachments on free
speech including commercial speech. These limits must be reasonable and justified, minimally impair the
free speech right, and be in proportion to the harm that is being targeted. See, RJR-MacDonald Inc. v.
Canada (Attorney General), [1995] 3 S.C.R. 199; Rocket v. Royal College of Dental Surgeons of Ontario,
[1990] 2 S.C.R. 23.
10
In response to the consultations, virtually all commentators focused on CASL’s overreach and imbalance.
They pointed out that the costs and inefficiencies of complying with CASL’s “ban all” approach and
formalities would be significant and were not needed to accomplish the goals of the legislation. They
warned that CASL would unduly impede the use of electronic means of communicating by Canadians.
They said it would put Canadian businesses at competitive disadvantages to their foreign competitors and
result in the loss of jobs, retard the growth of small and start-up businesses, limit the innovation and use
by Canadian organizations of modern messaging platforms, and introduce needless and costly red tape .
See, Electronic Commerce Protection Regulations – Much Work Remains.
In a previous post on the submissions made to the consultations, Lorne Salzman and I summarized
shortcomings identified by numerous Canadians that they asked Industry Canada to address during the
regulatory process:
1. Although all parties support the goal of reducing SPAM and malware, most considered that the
draft regulations fail to address the overreach inherent in CASL. Consequently, CASL plus its
regulations are a disproportionate response to the acknowledged problems of SPAM and
malware.
2. Although many commentators had expected that the proposed regulations would target truly
offensive conduct under CASL and, as well, clarify ambiguities, thereby enabling the law to better
meet the Government’s objectives, this has not occurred. The proposed regulations fail to set out
worthwhile classes of exempt conduct, and they impose extra compliance costs that many
businesses found troubling.
3. Under CASL and the proposed regulations, some inoffensive communications will become
illegal, an overreach that will invite challenges under the freedom of speech provisions of the
Canadian Charter of Rights and Freedom, with unpredictable results.
4. The proposed regulations do not remedy the concerns that CASL will hinder the start-up and
growth of small business.
5. The proposed regulations do not look beyond CASL’s “email-focused” model and consequently
they fail to fit well with other messaging systems. As a result, CASL is not technologically neutral
in its regulatory approach.
6. The proposed regulations fail to address messaging systems where SPAM is not a problem,
such as Common Short Code Messaging, Opt-in Instant Messaging and similar systems, and
where the additional regulation would impose costs, be impractical or impossible to comply with.
7. The proposed regulations fail to address CASL’s territorial overreach, and the consequent risk
to investment and innovation in cloud computing and outsourcing in Canada.
8. The proposed regulations fail to properly clarify what is included under the definition of a CEM,
thereby subjecting non-CEMs to CASL’s unsubscribe and formality requirements.
9. The proposed regulations fail to recognize the value of other, reasonable, approaches to
obtaining consent to send CEMs, such as under existing PIPEDA rules.
10. The proposed regulations fail to clear the confusion in CASL between holders of message
accounts and recipients of messages.
11
The new Electronic Commerce Protection Regulations are helpful and a major improvement over the first
draft regulations. They address some key problems with CASL. However, they don’t address all of the
problems and only partially address others.
According to Industry Canada the new regulations are intended to do the following:
These Regulations address the need to provide clarity and legal certainty to some key terms used
in Canada’s Anti-spam Legislation in order to effectively combat spam and other related
electronic threats in Canada, and to provide relief to businesses through targeted exemptions
where the broad application of the Act would otherwise impede business activities that are not
within the intended scope of the legislation. These Regulations also address the concerns raised
during the last prepublication of proposed Regulations under CASL.
In my view, this suggested framework falls short of what is required for assessing the Industry Canada
regulations. While no complete set of principles can be exhaustive, the assessment of new regulatory
exceptions to CASL should take into account and balance whether with or without a particular exception:
1. CASL would deter and protect consumers and businesses from the most damaging and
deceptive forms of spam and malware from occurring in Canada and help drive spammers out of
Canada.
2. CASL would promote the efficiency and adaptability of the Canadian economy and discourage or
encourage reliance on electronic means of carrying out commercial activities.
3. CASL would impair or enhance the availability, reliability, efficiency and optimal use of electronic
means to carry out commercial activities.
4. CASL would impose additional costs on businesses and consumers.
5. CASL would compromise or protect privacy and the security of confidential information.
6. CASL would undermine or foster the confidence of Canadians in the use of electronic means of
communication to carry out their commercial activities in Canada and abroad.
7. CASL would be technologically neutral.
8. CASL would disadvantage or make Canadian businesses uncompetitive in domestic or foreign
markets.
9. CASL’s prohibitions would comply with the values and constitutionally protected rights of
commercial speech under the Charter of Rights and Freedoms and, in particular, whether the
limits on commercial speech would be reasonable and justified, minimally impair the free speech
right, and be proportionate to the harm that is being targeted by CASL’s prohibitions.
Regulatory changes identified by members of the public that meet these criteria are necessary. They are
not loopholes. In fact, given CASL’s “ban all” impeachments on commercial speech, the Government
should bear the burden of demonstrating that proposed changes to the regulations cannot be justified in
light of the above criteria.
In the next blog posts, I will examine regulations proposed by Industry Canada starting with the definition
of family and personal relationships.
12
Evaluating the Industry Canada CASL regulations: family relationships and personal relationships
http://www.barrysookman.com/2013/01/18/evaluating-the-industry-canada-casl-regulations-family-relationships-and-personal-relationships/
January 18th, 2013 by Barry Sookman
In a previous post, Evaluating the Industry Canada CASL regulations: why they are needed, I suggested
that close scrutiny needs to be given to Industry Canada’s new draft Electronic Commerce Protection
Regulations. CASL’s “ban all” structure makes it imperative that generous regulations be adopted to
ensure that the goals of Canada’s new anti-spam/anti-malware law (CASL) are met. In another post,
Evaluating the Industry Canada CASL regulations: how to assess them, I proposed a framework for
assessing the regulations.
In this post I review the proposed regulations which define “family relationship” and “personal
relationship”. They are important because without them, no person could legally send a family member or
friend a CEM without first receiving express consent and without complying with CASL’s other
requirements, formalities which are completely impractical and unnecessary in these settings.
Family relationships
The proposed regulations would define “family relationship” as follows:
“family relationship” means the relationship between individuals who are connected by
(i) a blood relationship, if one individual is the child or other descendant of the other individual, the
parent or grandparent of the other individual, the brother or sister of the other individual or is of
collateral descent from the other individual’s grandparent,
(ii) marriage, if one individual is married to the other individual or to an individual connected by a
blood relationship to that other individual,
(iii) a common-law partnership, if one individual is in a common-law partnership with the other
individual or with an individual who is connected by a blood relationship to that other individual, or
(iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other
individual or as the child of an individual who is connected by a blood relationship to that other
individual; and
Industry Canada provided the following background to this regulation.
The Act requires that the meaning of “personal relationship” and “family relationship” be set out in
regulations to provide legal certainty as to which relationships will be excepted from the anti-spam
provisions of the Act. The terms are clearly defined in order to establish limits and avoid legal
uncertainty and to prevent potential spammers from exploiting these concepts in order to send
electronic messages without consent.
The proposed Regulations define “family relationship” for the purposes of CASL in a manner that
is in keeping with definitions in the Income Tax Act. They also specify that it is intended to refer to
persons descending from a common grandparent, including aunts, uncles, cousins, nieces, and
nephews.
13
Industry Canada suggests that the appropriate benchmark for defining “family relationship” should be “in
keeping with definitions in the Income Tax Act.” However, the Income Tax Act’s rules related to families
and family members are intended to foster the goals of that Act. For that purpose, a definition that
intentionally narrowly restricts who is family may be justified. However, CASL’s goals are far different from
those of the Income Tax Act. A statute that limits speech, especially between family members, should be
generous in what is excluded in scope.
The average Canadian would consider family relationships that extend beyond first cousins to be part of
their extended families. Yet, CASL treats these relatives as if they were strangers.
Individual Canadians could not imagine a law which makes it illegal to send messages to a second
cousin, great uncle, or other relatives who are not lineal descendants without first obtaining an express
consent. [i] Nor could they envision having to insert in every CEM sent to any such close family member
their address and other contact information, offer an unsubscribe mechanism, and if the message is an
SMS or similar message have a website, merely to send the message.
Under the proposed regulation, sending an email to your second cousin offering to sell a snow blower or
a used baby crib would become illegal. (CASL has no de minimis exception.) It would be illegal to send
an email to a retired great uncle asking for an investment or business advice to help start-up a business.
It would also be illegal for a divorced spouse to email her/his ex-spouse asking for a loan to cover
unexpected expenses or medical bills. The ex-spouse could also insist on unsubscribing from receiving
emails asking for such financial help. A child that e-mails his/her step-parent asking for a loan to cover
tuition would also violate CASL.
Messages sent to relatives who are more distant than lineal descendants are unlikely to be the most
damaging and deceptive forms of spam. There is no need to impair the optimal use of electronic
messaging for messages between family members. In fact, it is hard to see how this narrow definition of
family relationship could be characterized as reasonable, justified and proportionate so as to pass a
Charter of Rights and Freedoms challenge.
One might have suggested that the extremely narrow definition of family relationship would be remedied
by the definition of personal relationship. However that definition is so narrow, it would often not include
extended family members.
Personal relationships
The proposed regulations would define “personal relationship” as follows:
“personal relationship” means the relationship between an individual who sends the message and
the individual to whom the message is sent, if
(i) those individuals have had direct, voluntary, two-way communications and it would be
reasonable to conclude that the relationship is personal taking into consideration all relevant
factors such as the sharing of interests, experiences, opinions and information evidenced in the
communications, the frequency of communication, the length of time since the parties
communicated and if the parties have met in person, and
(ii) the person to whom the message is sent has not indicated that they no longer wish to receive
any commercial electronic messages, or any specified class of such messages, from the person
who sent the message.
14
Industry Canada provided the following background to this regulation.
The proposed Regulations address stakeholder concerns about the definition of “personal
relationship” in the previous version of the proposed Regulations. That previous definition
required certain characteristics of the relationship, including that the people have communicated
within the past two years and have met in person at some point in time. In the consultation, some
stakeholders argued that the two-year time period was arbitrary, and the definition should extend
to virtual relationships where the individuals have never met in person. The challenge in
addressing both of these concerns is to ensure the definition remains limited to close personal
relationships, as intended under the Act. These proposed Regulations eliminate the arbitrary time
period and include virtual relationships by replacing some of the previously mandatory
characteristics of “personal relationships” with factors to be considered in determining if a
relationship is a “personal relationship” for the purposes of the Act. To maintain the balance and
limit the risk that the personal relationship exemption will be abused, the Regulations allow
individuals to express the wish not to receive commercial electronic messages from the sender,
even if the people otherwise choose to remain friends.
The draft regulation artificially defines “personal relationship” with limiting factors that appear intended to
restrict personal relationships to only “best friends” or “close friends”. Yet, the ordinary meaning of the
term is much broader. Under CASL, many friends, colleagues, and acquaintances will not fit within the
definition. This will result in situations ordinary Canadians would find surprising. For example, the
definition might well exclude personal relationships
where individuals know each other from working together closely in a business or
professional setting
where individuals know each other from interacting in other settings including being
members of the same club or association, or from sporting activities, or taking classes
together
where a relationship is an old one but the friends have not stayed in constant touch
where a relationship is new;
where individuals are neighbors; or
where the predominant communications are not in person
While CASL is intended to be technologically neutral, the factor that examines if the parties have met in
person still favours traditional relationships over virtual relationships.
Surprisingly, the following would all likely be illegal under CASL:
E-mailing or sending a BBM message to your child’s teacher to ask him/her to tutor your
child. A child emailing his/her teacher for the same purpose would also be illegal.
A student e-mailing a student a year ahead to buy a textbook or a student trying to sell
used textbooks to students in another grade.
A mother sending out an e-mail to her daughter’s friend to ask her to baby sit.
A child soliciting a parent of a friend to shovel snow or mow a lawn for some extra cash.
15
A child sending out emails to invite neighbors to buy a glass of lemonade at his/her
lemonade stand.
A person e-mailing neighbors on the street asking for a donation to fight a planned
development or environmental threat.
A parent teachers group e-mailing a school principal encouraging him or her to purchase
new equipment or learning materials or to do a renovation that would enhance their
children’s learning or learning environment.
A child e-mailing her parents friends to buy Girl Guide cookies or to sponsor her in a
school event.
Neighbors or acquaintances e-mailing each other to set up a carpool and to share the
costs.
E-mails sent out to acquaintances, colleagues, and business contacts asking them for
sponsorship in a charitable event such as to raise money for cancer research or many
other worthy causes.
E-mailing an old friend who moved away and asking him/her to buy you hockey tickets so
that both of you could see your home team when your visit.
E-mailing an old friend you haven’t spoken to in a while to help find a job or to ask for a
referral or to tell the friend about your new job (and the products and services it sells).
E-mailing an old classmate to ask if he/she would be interested in investing in a new
venture you are starting.
In fact, every e-mail to an acquaintance, colleague, or neighbor that is sent from an office email address
could be found to be an illegal CEM if it merely provides a hyperlink to the sender’s employer’s Internet
home page, if the guidance provided by the CRTC at a recent public meeting accurately interprets CASL.
Of course, it is possible that the sender of these messages might call each of these intended recipients to
ask if they can send them these sorts of messages and provide all of the information prescribed by the
regulations when doing so and also comply with the unsubscribe requirements. But it borders on the
ludicrous to think this should be required.
It would also even be illegal to use an email address already in the sender’s address book to send a
message to an old friend, classmate, or sports buddy asking for consent to send the intended message.
Further, friends could not rely on the “conspicuous publication” or “business card exemption” in s.10(9)(b)
or (c) unless they want to email their friend in their “business or official capacity”.
Since it is impossible, or virtually impossible, to send an SMS message without having a website to
comply with the CRTC regulations, it would also be illegal for the sender to text (SMS) his or her
acquaintance without setting up a website to include the information that the CRTC regulations require be
included in CEMs. The senders, which would include children and other individuals would, shockingly, be
forced to disclose their personal information to the public– information protected by PIPEDA – simply to
send one of these types of messages.
A broader definition of personal relationship would not undermine CASL’s goal of deterring and protecting
individuals from the most damaging and deceptive forms of spam. A restrictive definition is more likely to
16
discourage and impair reliance on electronic means of communicating between individuals. Assuming
individuals would even think to comply, it would impose additional and unnecessary restraints on ordinary
individuals. It is also hard to see how this restrictive definition could be considered reasonable, justified,
and proportionate so as to pass a Charter of Rights and Freedoms challenge.
As explained previously, CASL’s “ban all” approach to regulating CEMs, a term which is incredibly broad
and open ended, will inevitably result in individuals, businesses, not-for-profit entities, educational
institutions, charities, private clubs, and political parties and others finding themselves barred from
communicating with others electronically. These inadvertent consequences need to be fixed. These fixes
are not “loopholes”. However, for every fix that is recognized there are bound to be many others that are
not, especially if the approach to the regulations is to make them narrow. The prudent course is to ensure
that the regulations are generous enough to avoid more of these “inadvertent consequences”.
CASL’s CEM prohibitions are primarily intended to prohibit damaging and deceptive spam. They should
not be targeted at extended families or at children promoting their lemonade stands.
[i] Descent are of two sorts, lineal and collateral. Lineal descent is descent in a direct or right line, as from
father to grandfather to son or grandson. Collateral descent is descent in a collateral or oblique line, that
is, up to the common ancestor and then down from him, as from brother to brother, or between cousins.
Num v. Canada (Citizenship and Immigration), 2005 CanLII 62936, Burnaby Lake Greenhouses v. Her
Majesty The Queen In Right Of The Province Of British Columbia, 2005 BCSC 1682.
17
Evaluating the Industry Canada CASL regulations: the B2B exception (Part I-SMEs)
http://www.barrysookman.com/2013/01/21/evaluating-the-industry-canada-casl-regulations-the-
business-to-business-exception-part-i/
January 21st, 2013 by Barry Sookman
In a previous post, Evaluating the Industry Canada CASL regulations: why they are needed, I suggested
that close scrutiny needs to be given to Industry Canada’s new draft Electronic Commerce Protection
Regulations. CASL’s “ban all” structure makes it imperative that generous regulations be adopted to
ensure that the goals of Canada’s new anti-spam/anti-malware law (CASL) are met. In another post,
Evaluating the Industry Canada CASL regulations: how to assess them, I proposed a framework for
assessing the regulations. I then evaluated the proposed family and personal relationships exception in
the post, Evaluating the Industry Canada CASL regulations: family relationships and personal
relationships, finding them very troubling and materially failing to meet CASL’s objectives.
In this post I will examine the proposed new business to business regulation.
The proposed regulation would create the following new complete exceptions from CASL:
Section 6 of the Act does not apply to a commercial electronic message that is sent by an
employee, representative, contractor or franchisee of an organization
(i) to another employee, representative, contractor or franchisee of the organization and that
concerns the affairs of the organization, or
(ii) to an employee, representative, contractor or franchisee of another organization if the
organizations have a business relationship at the time the message was sent and the message
concerns the affairs of the organization or that person’s role, functions or duties within or on
behalf of the organization;
These new regulations are justified and necessary. They should be retained. However, they only partially
solve the need for business to business exceptions created by CASL. They do nothing, for example, to
remedy that CASL will hinder the start-up and growth of small and medium sized businesses (SMEs)
who, in many cases, do not have and cannot get express consents and need to send out CEMs to
develop business relationships.
Last week, the Honourable Maxime Bernier, Minister of State (Small Business and Tourism), met with
entrepreneurs in Montréal to discuss how to improve Canada’s business environment for SMEs. He
pointed out that “entrepreneurs are key to Canada’s success”. In Canada, SMEs are very important to our
economy, accounting for 99 percent of companies, employing 60 percent of working Canadians, and
contributing to about 40 percent of the GDP. He stressed that the Canadian Government is attempting to
“cut-red tape”, find ways for SMEs to access needed investment capital and to create “a business
environment driven by entrepreneurs that encourages jobs, growth and long-term prosperity for
Canadians.” See, Montréal’s Entrepreneurs Key to Long-Term Growth and Prosperity.
Ironically, CASL will create enormous red tape. It will also hit SMEs very hard and create exactly the
obstacles Minister Bernier seeks to eliminate. The Canadian Federation of Independent Business (CFIB)
warned the Government about this in its submission to the original Industry Canada regulatory
consultations saying:
18
“The proposed regulatory regime “may make it more difficult for smaller businesses to start up
and grow and may even hinder some small-and medium-sized enterprise (SME) members from
providing better and more customized products for their clients”
Unlike established companies, start-up companies do not have existing business relationships or ongoing
business relationships to leverage to give them implied consents to send CEMs. They have to rely on
family and personal relationships, referrals, or on compiling or acquiring lists of contacts to solicit new
business, make new business relationships, and to seek capital investments and customers. CASL will
impede them at every turn, however.
As I previously pointed out, SMEs won’t be able to send CEMs to extended family because of how narrow
the family relationship definition is. The “personal relationship” exception might have helped if it included
relationships between individuals such as friends and acquaintances and people who know each other
from being members of the same clubs and associations, from going to school or engaging in recreational
activities together, or from business, professional or other settings. However, the personal relationship
definition appears to be limited to only “best friends” or close friends”, thus preventing SMEs from
reaching out to these important connections.
SMEs will not be able to rely on the existing business relationship exception because that is only a dream
for most often. An established business can introduce a new product or service to customers including
business and consumer customers. But, an SME doesn’t have that option while it is in startup or growth
mode. CASL favors established businesses over SMEs in respect of the existing business relationship
exception, something the proposed new exception for ongoing business relationships perpetuates and
does not rectify.
It will also be illegal under CASL for an SME to send an introductory CEM to any potential customer or
business partner that seeks consent to send those potential connections a CEM.
The new proposed regulation provides a once in a life time referral exception, but it is also quite narrow,
in part because the referrer has to be connected to both the sender and the recipient by other exceptions.
However, as the family and personal relationship exceptions are narrow and as connections between
persons who have ongoing business relationships (as defined in the new proposed regulation) cannot be
considered, SMEs cannot leverage their important relationships to help start and grow their businesses.
It will also be next to impossible for SMEs to buy lists of contacts to send CEMs because the regulations
related to obtaining consents on behalf of third parties is so onerous and creates such high levels of red
tape and vicarious liability that these important sources of contacts is likely also to dry up. An SME will be
able to access and use existing trade and professional directories to send letters to potential business
partners, investors, customers, and others. They could also use these sources to send electronic
messages legally under PIPEDA. However, this will become illegal under CASL which will impede the
most useful and efficient means for SMEs to start and grow their businesses. SMEs also will not be able
to use the “conspicuously published” or “business card” implied consent exceptions if they are seeking
new connections with non-business organizations such as hospitals or educational institutions. More on
that later.
The new business to business exemption will not help many SMEs who do not have “a business
relationship at the time the message was sent”. They hope to develop one after the message is sent.
Broadening the exception to include this purpose would soften the impacts of CASL on SMEs and would
have not result in consumers receiving unsolicited messages.
19
CASL’s impacts on SMEs is directly contrary to the Government’s policy of reducing red tape and
improving Canada’s business environment for SMEs. Enabling SMEs to use electronic messaging
systems would also not undermine CASL’s goals of deterring and protecting consumers and businesses
from the most damaging and deceptive forms of spam and to drive spammers out of Canada.
To the contrary, rather than focusing on those threats, which CASL may do little to affect in any event,
CASL will impair and discourage the optimal use of electronic means to carry out commercial activities by
SMEs (and others), impediments which they would not have in foreign markets.
The Government’s efforts to combat SPAM will end up hurting legitimate organizations like SMEs who are
really not the problem. In a recent blog post, Is Canada’s Anti-Spam Law a joke?, Allen Mendelsohn
summarised the problem as follows:
The only people or organizations who will work hard to comply with the CASL are legitimate
companies. Sure, the Bells and Krafts of this country have the resources to make sure they
comply. But that small start-up company that could be the next Facebook which uses email as
their only marketing tool? They’re fucked. And that’s fucked. The stated purpose of the CASL is to
“promote the efficiency and adaptability of the Canadian economy”. It will have the opposite effect
on that start-up. The real spammers, the guys running bots and banks of computers from their
basements, have no interest in complying. Sure, put a law on the books that targets these guys
with large penalties. But the onerous nature of the CASL on legitimate businesses is a joke.
And here’s the thing about legitimate Canadian businesses who send CEMs – virtually all of them
already have some opt-out mechanism. I’ve used them, and they work just fine thank you very
much. It’s good business practice to do so. Legitimate businesses don’t want to piss of their
customers or potential customers by spamming them. Legitimate businesses aren’t the ones
sending the spam that’s the problem (such as it is), but they’re the ones who will bear the burden
of the CASL. That’s a joke.
The particular impacts of CASL on SMEs also raises the question as to whether the restraints on SME’s
commercial freedom of speech rights would be found to be reasonable and justified, to minimally impair
the right, and be proportionate to the harm that is being targeted by CASL’s prohibitions so as to
withstand a Charter of Rights and Freedoms challenge.
CASL’s “ban all” approach to regulating CEMs will inevitably have overreach “inadvertent consequences”;
SMEs is one of them. Fixing CASL to prevent this is not a “loophole”. It is good for SMEs, our economy,
jobs, taxes, consumers who benefit from innovative products and services and market competition, and
other members of the public.
In the next post, I will focus on the failure of the new business to business exception to correct the flaws
in CASL that make it even more burdensome for educational institutions, libraries, archives, museums,
hospitals, the health professions, charities, associations, clubs and other non-business organizations to
comply with.
20
Evaluating the IC CASL regulations: the B2B exception (Part II-Non-business entities)
http://www.barrysookman.com/2013/01/22/evaluating-the-ic-casl-regulations-the-b2b-exception-part-ii-non-business-entities/
January 22nd, 2013 by Barry Sookman
In a previous post, Evaluating the Industry Canada CASL regulations: why they are needed, I suggested
that close scrutiny needs to be given to Industry Canada’s new draft Electronic Commerce Protection
Regulations. CASL’s “ban all” structure makes it imperative that generous regulations be adopted to
ensure that the goals of Canada’s new anti-spam/anti-malware law (CASL) are met. In another post,
Evaluating the Industry Canada CASL regulations: how to assess them, I proposed a framework for
assessing the regulations.
I then evaluated the proposed family and personal relationships exception in the post, Evaluating the
Industry Canada CASL regulations: family relationships and personal relationships, finding them very
troubling and concluding that without rectification CASL would adversely and surprisingly impair the ability
of ordinary Canadians to communicate with extended family, friends and acquaintances and people who
know each other from being members of the same clubs and associations, from going to school or
engaging in recreational activities together, or from business, professional or other settings. In my last
post, Evaluating the Industry Canada CASL regulations: the B2B exception (Part I-SMEs), I examined the
proposed new business to business exception, focusing on its failure to remedy CASL’s impairment on
the start-up and growth of small and medium sized enterprises.
In this post I will focus on the regulations` failure to correct the flaws in CASL that make it even more
burdensome for educational institutions, libraries, archives, museums, hospitals, the health professions,
charities, associations, clubs and other non-business organizations to comply with than the compliance
burdens imposed on businesses.
The proposed business to business regulation would create a new complete exception from CASL for a
commercial electronic message like an email (CEM) that is sent by an employee, representative,
contractor or franchisee of an organization “to an employee, representative, contractor or franchisee of
another organization if the organizations have a business relationship at the time the message was sent
and the message concerns the affairs of the organization or that person’s role, functions or duties within
or on behalf of the organization”.
Industry Canada provided the following background to this regulation:
Since it applies broadly to commercial electronic messages, the Act captures regular business to
business communications that are not the types of threats that were intended to be captured
within the scope of the Act. To ensure these business communications are not regulated under
the Act, the proposed Regulations include exemptions for commercial electronic messages that
are.
Since it applies broadly to commercial electronic messages, the Act captures some regular
business communications that are not the types of threats that were intended to be captured
within the scope of the Act. To ensure these business communications are not regulated under
the Act, the Regulations include business to business exemptions for commercial electronic
messages that are sent within a business, or sent between businesses that are already in a
21
business relationship, where the messages are sent by an employee, representative, contractor
or franchisee and are relevant to the business, role, function or duties of the recipients. These
proposed exemptions address many of the most serious concerns raised in the consultations
about the unintended application of CASL to ordinary, transactional business communications.
These new regulations are justified for the reasons given by Industry Canada. They should be retained.
The new regulations, however, only partially solve the “ban all” structural flaws in CASL that results in
having to recognize and appropriately define exceptions rather than directly targeting truly harmful
behavior. This approach to legislation inevitably results in overreach because of the impossibility of
identifying all required exemptions. In this case, it is manifested in CASL’s approach to the “business
relationship” and non-business relationship implied consent exceptions. CASL gives some business
organizations implied consents to send CEMs, while inexplicably denying the same exception to other
organizations such educational institutions, libraries, archives, museums, hospitals, charities,
associations, clubs and other non-business organizations which do not have business relationships with
other persons in many circumstances.
This discriminatory treatment can be seen by examining s.10(9). Pursuant to this provision consent is
implied for the purpose of the spam portion of the Act in the following situations:
(a) the person who sends the message, the person who causes it to be sent or the person who
permits it to be sent has an existing business relationship (an EBR) or an existing non-
business relationship (a non-EBR) with the person to whom it is sent;
(b) the person to whom the message is sent has conspicuously published, or has caused to be
conspicuously published, the electronic address to which the message is sent, the publication is
not accompanied by a statement that the person does not wish to receive unsolicited commercial
electronic messages at the electronic address and the message is relevant to the person’s
business, role, functions or duties in a business or official capacity;
(c) the person to whom the message is sent has disclosed, to the person who sends the
message, the person who causes it to be sent or the person who permits it to be sent, the
electronic address to which the message is sent without indicating a wish not to receive
unsolicited commercial electronic messages at the electronic address, and the message is
relevant to the person’s business, role, functions or duties in a business or official capacity;
(emphasis added)
Business organizations can rely on an “existing business relationship” to avoid obtaining an express
consent. The term “existing business relationship” is defined to require “a business relationship between
the person to whom the message is sent” and the sender which arises from several prescribed conditions
including the purchase of a product, good, or service within a two-year period before the message is sent.
The EBR exemption does not deem a business relationship to exist merely because an organization
engages in a transaction or other activity that meets one of the listed conditions. Accordingly, when
educational institutions, hospitals, medical providers, charities, clubs, and other non-business
organizations provide goods or services to the public they cannot automatically claim the EBR exemption.
For example, when a college or university provides educational services to students, when a hospital or
physician provides medical services to patients, when a charity provides services to the community, or
when organizations such as hospitals and universities collaborate on research, and in the course of those
22
activities send CEMs, none of them will be able to rely on the implied consent EBR exception, unless
serendipitously a business relationship happens to arise from these or other interactions.
One might have surmised that organizations with non-business relationships such as educational
institutions, hospitals, medical professionals, charities, associations, and clubs would be able to benefit
from the same implied consent exception under the “existing non-business relationship” exemption.
However, that exception only applies where there is a non-business relationship between the person to
whom the message is sent and the sender of the message that arises from certain gifts and donations,
volunteer work, and memberships in clubs, associations, or voluntary organizations. It does not include
any other type of relationships, presumably under the false assumption that these organizations only
send CEMs to donors and volunteers or to persons with whom they contract to buy goods or services.
This completely overlooks the plethora of non-business relationships these organizations have with the
community.
The structure of the EBR and non-EBR exceptions also fails to take into account the extremely wide
definition of CEMs which makes virtually all electronic messages which encourage participation in a
commercial activity with the organization or with another organization to be caught by CASL. Yet, the
EBR exception is based on a much narrower notion of the existence of a business relationship. For
example, when a charity sends out a newsletter by email to a list of subscribers which contains
advertisements or which promotes a product or service with a hyperlink to the seller’s website, that
newsletter is likely a CEM. A newsletter from the CNIB with such ads or which otherwise encourage
subscribers to purchase large print calendars, talking watches, easy-view playing cards, or other
accessible products and technologies from third parties that make life with vision loss easier, is an
illustration. Yet, the recipients may have no EBR or non-EBR with the charity. This gap inexplicably
leaves charities and many other non-business organizations without either implied consent exemption in
many cases.
Persons wanting to send to CEMs to non-business organizations without express consent may also not
be able to do so, even though the recipient’s name is conspicuously published on the organization’s
website. The conspicuously published exception does not extend to all messages sent to an organization
that is not a business organization. It applies only where a message is sent to an “electronic address and
the message is relevant to the person’s business, role, functions or duties in a business or official
capacity”. This hinders communications between businesses and non-business organizations,
impediments that do not exist for CEMs sent to a business.
Persons wanting to send to CEMs to non-business organizations without express consent may also not
be able to do so, even though the recipient has disclosed the person’s electronic address without
indicating a wish not to receive unsolicited messages. The “business card” exception would also likely not
extend to all messages sent to an organization that is not a business organization because it applies only
where a message is sent to an “electronic address and the message is relevant to the person’s business,
role, functions or duties in a business or official capacity”. This also hinders communications between
businesses and non-business organizations, impediments that also do not exist for CEMs sent to a
business.
CASL also has a three year transitional provision that recognizes implied consents where there is an
existing business relationship or an existing non-business relationship. If non-business organizations do
not fit into either category for some CEMs for the reasons set out above, then these organizations will be
deprived of the same transitional provisions as businesses. They will thus be required to spend more of
23
their scare resources faster to attempt to comply with a law that businesses are given three years to
transition to.
The draft regulations continue and do not rectify this discriminatory treatment. They would provide
businesses with a complete exemption for a CEM “that is sent by an employee, representative, contractor
or franchisee of an organization” to an employee, representative, contractor or franchisee of another
organization if the organizations have a business relationship at the time the message was sent and the
message concerns the affairs of the organization or that person’s role, functions or duties within or on
behalf of the organization”. Non-business organizations may have a variety of relationships with other
organizations that would not be characterized as business relationships such as, for example,
relationships that focus on education, medical care, charitable services, research, collaboration, and
public affairs, but they could not claim the new exemption. Both business and non-business organizations
should have the exemption for the reasons given by Industry Canada.
CASL’s “ban all” approach to regulating CEMs will inevitably result in not-for-profit entities, educational,
charities, and other organizations finding themselves barred from communicating with others
electronically. They can’t send CEMs without express consent and it will be illegal to send an email or
other electronic message to even ask for consent. These inadvertent consequences flow from CASL’s
flawed “ban all” structure. When all commercial speech is “banned” subject to certain conditions, it is
impossible to enumerate or properly craft or fairly develop all of the needed exceptions to prevent truly
undesirable consequences; in this case, treating non-business organizations more harshly than business
organizations.
There is no good policy reason for treating educational institutions, hospitals, medical providers, charities,
and other non-business organizations more onerously than businesses. In fact, there are good policy
reasons for giving one or more of these groups complete exemptions from the statute. There are also
good reasons for exempting them entirely from the threat of class actions under the private right of action
provisions, in the same way that Parliament exempts or limits the award of statutory damages for
copyright infringement against educational institutions, libraries, museums and archives.
Ensuring that non-business organizations have at least the same implied consent exception as business
organizations would not undermine CASL’s goal of deterring and protecting individuals from the most
damaging and deceptive forms of spam. Not according them the same treatment would adversely impact
their ability to utilize the most modern and efficient messaging systems to accomplish the important public
duties they provide. This is certainly contrary to the goals of CASL. These problems need to be fixed.
These fixes are also not “loopholes”.
24
Evaluating the Industry Canada CASL regulations: jurisdictional overreach
http://www.barrysookman.com/2013/01/25/evaluating-the-industry-canada-casl-regulations-
jurisdictional-overreach/
January 25th, 2013 by Barry Sookman
In a previous post, Evaluating the Industry Canada CASL regulations: why they are needed, I suggested
that close scrutiny needs to be given to Industry Canada’s new draft Electronic Commerce Protection
Regulations. CASL’s “ban all” structure makes it imperative that generous regulations be adopted to
ensure that the goals of Canada’s new anti-spam/anti-malware law (CASL) are met. In another post,
Evaluating the Industry Canada CASL regulations: how to assess them, I proposed a framework for
assessing the regulations.
I then evaluated the proposed family and personal relationships exception in the post, Evaluating the
Industry Canada CASL regulations: family relationships and personal relationships, finding them very
troubling and concluding that without rectification CASL would adversely and surprisingly impair the ability
of ordinary Canadians to communicate with extended family, friends and acquaintances and people who
know each other from being members of the same clubs and associations, from going to school or
engaging in recreational activities together, or from business, professional or other settings.
In the post, Evaluating the Industry Canada CASL regulations: the B2B exception (Part I-SMEs), I
examined the proposed new business to business exception, focusing on its failure to remedy CASL’s
impairment on the start-up and growth of small and medium sized enterprises. In my last post, Evaluating
the IC CASL regulations: the B2B exception (Part II-Non-business entities), I showed how the regulations
fail to address the harsher burdens CASL places on not-for profit organizations like charities, hospitals,
and educational institution than on businesses, even though they have the least resources or wherewithal
to bear those burdens.
In this post I will focus on the regulations failure to correct CASL’s jurisdictional overreach. I focus on two
issues. First, CASL’s extra-territorial reach over foreign organizations and compliance with principles of
international comity. Second, that CASL’s territorial reach will threaten high paying service jobs, research,
development and technological innovation in Canada.
As explained in other posts, CASL makes it illegal to send any commercial electronic messages without
obtaining prior express consent, providing users with prescribed information, and a prescribed
unsubscribe mechanism, unless the message falls into one of the few exceptions provided by the statute.
CASL and its regulations also makes it illegal, among other things, to install a computer program on any
PC, smartphone, tablet, appliance, or other computer without obtaining prior express consent, making
disclosures about the functions of the program, and providing information that enables users to withdraw
their consent.
CASL’s strictures far exceed those in other countries. Rather than targeting false and misleading e-mails
or those sent in violation of an opt-out request such as in the U.S., or limiting the restrictions to direct
marketing messages as in the EU, CASL goes much farther. It does the same thing with its “ban all”
approach to “malware”. To the extent that other countries have civil laws that regulate distributing
computer programs without consent, they target malware, spyware or similar threats, not programs that
are also completely innocuous as CASL does.
25
Unlike the laws of other countries such as those in the U.S., CASL provides a private right of action to
anyone with remedies that includes compensation for actual losses plus damages of up to $1 million per
day of non-compensatory (essentially punitive) damages. Class actions are not foreclosed and if certified
could lead to threats of massive unprecedented awards to a new generation of CASL litigation trolls that
are predicted to emerge. Moreover, these claims could be brought even where no person has suffered
any actual damage. For example, a person that as part of some commercial activity makes malware free
open source software available without charge to hundreds of thousands of Canadians using an ordinary
webwrap (browsewrap) or clickwrap agreement or who using an automated system installs a security
patch to prevent hacker attacks, could theoretically face threats of damages in the hundreds of million
dollars.
The upshot of all of this is that Canada will have unique and more onerous regimes to comply with than
those in other countries. Compliance will require development of new databases, modification of
computer systems, changes to websites, user interfaces, and contracting processes and disclosures of
information. Organizations that do business in countries other than Canada will have no reason to adopt
these standards, except to the extent they want to send CEMs or make software or apps available to
Canadians.
The caveat for foreign businesses, however, is that CASL has an extremely broad extra-territorial reach.
The anti-spam rules apply to any commercial electronic message that is sent from a foreign computer
anywhere in the world to a computer in Canada. Similarly, CASL’s “malware” rules apply to any program
that is installed on any computer in Canada. The liability is strict; it does not depend on intent or
foreseeability.
CASL’s reach is bound to raise questions of international comity among Canada’s trading partners. Its
extensive territorial reach raises questions as to whether it departs from public international principles
which justify applying laws extra-territorially. This is an issue that is quite complex. (My book Computer,
Internet and Electronic Commerce Law has a chapter of over 200 pages just on this topic.) With the risk
of over simplification, increasingly countries base legislative and personal jurisdiction related to Internet
delicts on factors that take into account intentional targeting of the forum, intentionally causing harm, or
some kind of purposeful availment of the privilege of conducting activities within the forum State. See ,J.
McIntyre Machinery, Ltd v Nicastro131 S.Ct. 2780 (2011), Football Dataco Ltd. v Sportradar GmbH, Case
C-173/11, 18 October, 2012.[i] Under CASL organizations from around the world could be liable for
massive damages claims without ever intentionally targeting Canadians.
The response by foreign organizations to this territorial overreach will likely vary. Many organizations will
learn about CASL and comply with its laws. Many multinational organizations with established businesses
in Canada will be in this category. Other organizations may want to comply, but consider the costs of
developing specialized processes merely for Canada to be too expensive and consider the liability too
onerous. Adapting to CASL will be particularly challenging for innovative organizations whose business
models would be constrained by CASL’s e-mail focused technology models and which either can’t be
complied with or can’t easily be complied with. The result may well be decisions by foreign organizations
not to offer their products or services to Canadians, or to introduce them only after launching in other
jurisdictions which don’t require significant technological adaptations or modifications of marketing and
promotional approaches. This would be a very unfortunate development for Canadian consumers who
would ultimately suffer by having access to less information about products, services, organizations and
26
individuals (including fan sites) they are interested in, less choice in offerings, and potentially even higher
prices because of reduced competition.
Other organizations, and there will be many of these, would not know, and have no reason for surmising,
that following international standards for distributing software and sending CEMs could result in significant
liability under Canadian laws. They may become targets of the CASL litigation trolls that will undoubtedly
emerge after CASL comes into effect.
Industry Canada recognized the problem faced by organizations whose customers may inadvertently
roam into Canada and receive messages intended to reach them while in their own countries. It proposed
an exception for a CEM
that is sent or caused or permitted to be sent by a person located outside Canada or that is sent
from a computer system located outside Canada and that relates to a product, good, service or
organization located or provided outside Canada that is accessed using a computer system
located in Canada if the person sending the message did not know and could not reasonably be
expected to know that the message would be accessed using a computer system located in
Canada;
The exception is justified. However, it has very limited application as it would require every website or
organization operating on the global Internet to put in place a mechanism to collect personal information
or geolocational information on every person to whom it sends CEMs in order to satisfy the due diligence
standard. For privacy and other reasons many organizations do not want to collect personal information
or location data about their site users. The proposed exception also does not provide any relief to
websites that make programs available to download to all comers, leaving every organization worldwide
subject to CASL’s unique and more burdensome approaches to distributing software and apps and
litigation threats.
CASL’s territorial overreach will also have very significant consequences for Canadian based
organizations. CASL forces Canadian individuals and organizations to comply with its laws even when
they are interacting completely with persons outside of Canada. The anti-spam rules apply to any
commercial electronic message that is sent from a computer located in Canada anywhere in the world.
Similarly, CASL’s “malware” rules apply to any program that is installed on any PC, smartphone, tablet or
other computer that is located anywhere by a person located in Canada.
This startling jurisdictional reach will create huge disincentives on organizations to invest and operate
infrastructure from Canada to support foreign operations. The Information Technology Association of
Canada (ITAC), a prominent advocate for the expansion of Canada’s innovative capacity and the
strategic use of technology, had the following to say about CASL’s territorial overreach in its submission
to the last Industry Canada consultation:
“Given that section 6 of CASL will apply when a computer system located in Canada is used to
send or access a CEM, CASL will impact a range of business decisions that could have
unintended negative effects on the competitiveness of a wide range of Canadian technology
companies. At least three scenarios can be contemplated.
First, Canadian multi-national companies sending messages to non-Canadian customers are
incented to use vendors located outside Canada to send those messages, because otherwise the
messages will have to comply with CASL. This would result in service jobs leaving the country.
27
ITAC understands that some Canadian organizations that are already contemplating moving their
foreign market-related messaging operations outside Canada.
Second, foreign companies deciding where to locate server farms and other facilities related to
cloud computing that could be used to send messages or provide services on behalf of vendors
located anywhere in the world, to customers located anywhere in the world, may choose against
Canada because of the extra cost of complying with CASL. That would have significant
unintended negative consequences for the growth of cloud computing in Canada.
Third, Canadian providers of outsourced services to non-Canadian businesses will be at a major
disadvantage compared to competitors in other countries. By selecting foreign service providers,
the foreign entities can avoid the costs and complications of complying with CASL.”
Of course the implications would not be limited to Canadian businesses. Every organization that chooses
to support foreign activities from Canada would be forced to compete with organizations in other countries
who would not be subject to these burdens.
The issue was a major one raised during the last consultations. Industry Canada recognized the problem,
yet decided not to address it saying:
Another issue concerns the ability for businesses in Canada to send commercial electronic
messages to recipients outside of the country on behalf of foreign organizations. Some
stakeholders argued in their submissions that CASL would put Canadian businesses at a
competitive disadvantage sending commercial electronic messages outside of Canada on behalf
of foreign businesses. Analysis indicated that an exemption allowing Canadian businesses to
send commercial electronic messages to non-business recipients outside of Canada would create
the potential for abuse since these commercial communications would be subject only to the
other country’s legislation, if any. Given concerns that such an exemption would create a loophole
that could be abused by spammers, and the difficulties inherent in determining the lawfulness of
activities in foreign jurisdictions, the suggested exemption is not included in these proposed
Regulations in order to maintain the intended balance in the Act.
It is surprising that the Government would fail to address a major issue that would undermine its digital
strategy for the development of high technology industries including the fast growing cloud computing,
outsourcing, computer help desk, and managed services businesses. How can the difficulties of enforcing
CASL against a few spammers take policy preference over significantly impairing huge growth industries
for Canada that brings with it jobs, taxes, and first mover advantages? Moreover, how can it be justified
given that there are many ways to address the theoretical problem of Canadian based spammers who
target only foreign jurisdictions?
A simple fix, as Lorne Salzman and I proposed previously, is to exempt from CASL those activities that
comply with the laws of the destination countries. Courts regularly make findings of foreign law. It is
surprising that the Government does not have the confidence that the CRTC could do what the courts
regularly do and make findings of foreign law where needed to go after any of these international
spammers. If this really is a concern, another approach is to define objective criteria that would make
using Canada as a base for spamming or distributing malware illegal. For example, sending false or
misleading CEMs or distributing real malware or spyware without consent could be enough to make
CASL apply.
28
CASL’s goal is to promote the use of electronic networks to promote economic activity. Yet, the zealous
pursuit of stopping spam would visit far greater harm to Canada’s digital economy than the harm from a
few spammers who might choose to locate in Canada solely to send harmful emails into other
jurisdictions. In any event, these few cases can be addressed with thoughtful regulatory drafting. CASL
will discourage service suppliers from locating or maintaining facilities in Canada. As a result Canada will
lose the jobs, taxes and spin-off activities from such businesses. Further, Canada’s participation in a core
building block of the digital economy would be reduced. There is no good policy reason for not fixing this
problem. CASL should not lessen the attractiveness of Canada as a location to participate in the digital
economy.
[i] In Canada, the real and substantial connection test is often applied to determine the limits of
jurisdiction. In Club Resorts Ltd. v. Van Breda, 2012 SCC 17, the Supreme Court recently held that for
“Jurisdiction must … be established primarily on the basis of objective factors that connect the legal
situation or the subject matter of the litigation with the forum”. In commenting on purely virtual
relationships the court stated that “Active advertising in the jurisdiction or, for example, the fact that a
Web site can be accessed from the jurisdiction would not suffice to establish that the defendant is
carrying on business there. The notion of carrying on business requires some form of actual, not only
virtual, presence in the jurisdiction, such as maintaining an office there or regularly visiting the territory of
the particular jurisdiction.”
29
Evaluating the Industry Canada CASL regulations: defining commercial electronic message
http://www.barrysookman.com/2013/01/30/evaluating-the-industry-canada-casl-regulations-
defining-commercial-electronic-message/
January 30th, 2013 by Barry Sookman
In a previous post, Evaluating the Industry Canada CASL regulations: why they are needed, I suggested
that close scrutiny needs to be given to Industry Canada’s new draft Electronic Commerce Protection
Regulations. CASL’s “ban all” structure makes it imperative that generous regulations be adopted to
ensure that the goals of Canada’s new anti-spam/anti-malware law (CASL) are met. In another post,
Evaluating the Industry Canada CASL regulations: how to assess them, I proposed a framework for
assessing the regulations.
I then evaluated the proposed family and personal relationships exception in the post, Evaluating the
Industry Canada CASL regulations: family relationships and personal relationships, finding them very
troubling and concluding that without rectification CASL would adversely and surprisingly impair the ability
of ordinary Canadians to communicate with extended family, friends and acquaintances and people who
know each other from being members of the same clubs and associations, from going to school or
engaging in recreational activities together, or from business, professional or other settings.
In the post, Evaluating the Industry Canada CASL regulations: the B2B exception (Part I-SMEs), I
examined the proposed new business to business exception, focusing on its failure to remedy CASL’s
impairment on the start-up and growth of small and medium sized enterprises. In my last post, Evaluating
the IC CASL regulations: the B2B exception (Part II-Non-business entities), I showed how the regulations
fail to address the harsher burdens CASL places on not-for profit organizations like charities, hospitals,
and educational institution than on businesses, even though they have the least resources or wherewithal
to bear those burdens.
In the post Evaluating the Industry Canada CASL regulations: jurisdictional overreach, I focused on the
regulations failure to correct CASL’s jurisdictional overreach. I focused on two issues. First, CASL’s extra-
territorial reach over foreign organizations and compliance with principles of international comity. Second,
that CASL’s territorial reach will threaten high paying service jobs, research, development and
technological innovation in Canada.
In this post I address the vexing problems posed by CASL’s extra-ordinarily broad definition of
commercial electronic message (CEM) and its implications for organizations and individuals.
The term CEM is defined in an open ended way to be “an electronic message that, having regard to the
content of the message, the hyperlinks in the message to content on a website or other database, or the
contact information contained in the message, it would be reasonable to conclude has as its purpose, or
one of its purposes, to encourage participation in a commercial activity”. Examples deemed to be CEMs
by the law are offers to purchase or sell a product, good, or service or to advertise or promote them.
The message can be in an email, SMS message, instant message, or to an electronic address that is
similar. Some messages transmitted in online portals and online marketplaces and social networks may
be caught. It is unclear which ones are caught and which are not. The content can include text, sound,
voice or images.
30
The message can be a CEM if any of its purposes, even a minor one, is to encourage participation in a
commercial activity, a term that is also broad as it includes any particular transaction, act or conduct or
any regular course of conduct that is of a commercial character. It is also not only what is in a CEM that
counts. Any content that is in a hyperlink can be considered. Members of the CRTC recently told a group
in Toronto that linking to a home page of a business can be enough.
Moreover, the contact information of an organization can be considered. It seems clear as well that an
organization that uses a logo or trademark, especially a famous one like the word mark or a stylized mark
like Coke, in an electronic message could be accused of not using the mark in a mere nominative way,
but rather to use the goodwill associated with the mark so as to promote the brand and the products sold
under it. It will probably take a decade of class action suits to develop a test for distinguishing those two
uses.
Any publication that is sent to members of the public could be caught if it contains an advertisement,
endorsement, or promotion of a product or service, or does do indirectly such as by providing links that
give contact information about where to find a product or service. Newsletters, content feeds sent to email
mail boxes (perhaps also a Google Reader account?), magazines, e-books, photos and even a video
sent by e-mail or instant message could be considered a CEM depending on what ads, commercials,
related materials, hyperlinks, or other information is included. Even the Ontario Reports sent by email
could be a CEM because they contain ads by lawyers and notices of upcoming programs being put on by
the Law Society. Newsletters sent by charities, non-profits, and political parties that ask for donations or
that publicize a lottery such as to raise funding for cancer research could be caught.
The technological taxi that is the Internet will now be potentially encumbered by CASL restrictions.
Delivering something by mail or courier will not be illegal. But deciding to deliver the same content
electronically will be more onerous. We know what the Supreme Court thinks about this. See,
Entertainment Software Association v. Society of Composers, Authors and Music Publishers of Canada,
2012 SCC 34 interpreting the communication to the public right and commenting about the need for
delivery systems to be treated in technologically neutral ways.
The term CEM is very vague and could easily be accused of failing to provide fair notice to citizens of
what conduct is the subject of legal restrictions, a problem that could be raised in one of the expected
challenges under the Charter of Rights and Freedoms. See, R. v. Nova Scotia Pharmaceutical Society,
[1992] 2 SCR 606.
Even more fundamentally, the broader the sweep the less the restrictions can be justified. There is
justification in requiring express consents, form and unsubscribe formalities for false and misleading
messages and in prohibiting messages sent out after a person has notified the sender that the person
doesn’t want to receive any further messages. There is far less justification when even announcing who
you are, identifying yourself, and providing information about where you can be found, and other open
ended factors become inicia in determining illegality. Can you imagine a law that makes it illegal for a
merchant to identify itself in public and to speak unless everyone provides prior express consent? The
legitimacy of the broad prohibitions fall away, especially when tested against Charter values that require
minimum impairment when speech is involved.
What concerns many about the scope of CEMs is its application to consumer friendly service messages
like a notice that roaming charges may be incurred or that a GIC, mortgage, or loan is about to mature.
These types of messages might be construed as implicitly encouraging users to buy roaming minutes or
31
renew these financial products. Messages that go further to give consumers information about their
options – information they surely want – would most likely cross the line. The problems here are twofold.
First, consumers must be given the option to unsubscribe from receiving any CEMs. If a consumer picks
such an option, it would be illegal to send these kinds of messages. It could also even be illegal to send a
consumer a message asking if the consumer meant to unsubscribe from receiving such messages, as
that message might be considered a request for consent to send a CEM, something that is also illegal
under CASL. This is a bad outcome all around.
Second, organizations are attempting to build business models that eliminate paper. But, if consumers
with whom organizations have existing business relationships can unsubscribe from receiving CEMs that
are statements, factual information, subscribed for content, warranty information and other information
(including all of categories of information in s6.6), organizations could never rely on moving away from
also having paper based systems, unless they are willing to give up doing business with those
consumers. This is also a bad outcome and runs counter to fostering a digital strategy for Canada.
Another concern is financial. There are major costs associated with implementing systems to comply with
the consent, unsubscribe, and disclosure requirements of CASL. Organizations need to know which types
of messages are covered in order to develop processes to handle each. There are costs associated with
each decision. Yet, it has become an organizational mind bending problem to figure out what is in and
what is not. You just have to sit through enough meetings as I have in trying to help clients comply with
CASL and hear enough scenarios to realize how unworkable the definition is.
Industry Canada suggested the problem with the ambiguous scope of CEMs could be addressed through
“interpretational guidelines and other guidance material”. However, the public has the right to know what
is legal and what is not, especially when the restrictions involve fundamental freedoms of speech and the
penalties for being off side are so severe.
CASL’s goal was to promote confidence in electronic commerce. It’s hard to be confident about electronic
messages when you don’t know the rules, even identifying yourself by brand or contact information, such
as by hyperlinks produces risks, and when not being able to provide consumers information they want
and need - and then getting blamed for not doing it - is illegal. These problems should be fixed or at least
be ameliorated before CASL becomes law.
32
Evaluating the Industry Canada CASL regulations: countering cyber-security threats
http://www.barrysookman.com/2013/02/01/evaluating-the-industry-canada-casl-regulations-countering-cyber-security-threats/
February 1, 2013 by Barry Sookman
In a previous post, Evaluating the Industry Canada CASL regulations: why they are needed, I suggested
that close scrutiny needs to be given to Industry Canada’s new draft Electronic Commerce Protection
Regulations. CASL’s “ban all” structure makes it imperative that generous regulations be adopted to
ensure that the goals of Canada’s new anti-spam/anti-malware law (CASL) are met. In another post,
Evaluating the Industry Canada CASL regulations: how to assess them, I proposed a framework for
assessing the regulations.
I then evaluated the proposed family and personal relationships exception in the post, Evaluating the
Industry Canada CASL regulations: family relationships and personal relationships, finding them very
troubling and concluding that without rectification CASL would adversely and surprisingly impair the ability
of ordinary Canadians to communicate with extended family, friends and acquaintances and people who
know each other from being members of the same clubs and associations, from going to school or
engaging in recreational activities together, or from business, professional or other settings.
In the post, Evaluating the Industry Canada CASL regulations: the B2B exception (Part I-SMEs), I
examined the proposed new business to business exception, focusing on its failure to remedy CASL’s
impairment on the start-up and growth of small and medium sized enterprises. In my last post, Evaluating
the IC CASL regulations: the B2B exception (Part II-Non-business entities), I showed how the regulations
fail to address the harsher burdens CASL places on not-for profit organizations like charities, hospitals,
and educational institution than on businesses, even though they have the least resources or wherewithal
to bear those burdens.
In the post Evaluating the Industry Canada CASL regulations: jurisdictional overreach, I focused on the
regulations failure to correct CASL’s jurisdictional overreach. I focused on two issues. First, CASL’s extra-
territorial reach over foreign organizations and compliance with principles of international comity. Second,
that CASL’s territorial reach will threaten high paying service jobs, research, development and
technological innovation in Canada.
In the post, Evaluating the Industry Canada CASL regulations: defining commercial electronic message, I
addressed the vexing problems posed by CASL’s extra-ordinarily broad definition of commercial
electronic message (CEM) and its implications for organizations and individuals.
In this post I examine the failure of the regulations to address some of the problems with the computer
programs prohibitions in CASL, prohibitions which if not addressed could impact cyber-security in this
country.
Cyber-security is a major challenge. Organizations around the world face new and different threats daily,
as the recent attacks on the New York Times illustrate. See, Chinese Hackers Infiltrate New York Times
Computers. Vulnerable organizations and their forensic and cyber-security experts increasingly have to
use defensive counter measures to prevent, investigate, and stop these attacks.
Yet, their use could become illegal in Canada if CASL is proclaimed into force without regulations to
prevent this. The problem is that CASL will make it illegal to install a computer program in the course of
33
any commercial activity on any computer system without obtaining prior consent following disclosure of
the function of the computer program, including a detailed description of the program in case the program
falls into one of the categories one would ordinarily consider “malware” or “spyware”. Under CASL an
organization installing a program on a computer of a cyber-thief or criminal in self defence such as to
investigate an attack could be illegal.
During the consultations this problem was raised by various organizations. The Government
acknowledged the problem and proposed a new regulation to exempt telecommunication service
providers (TSPs) from the consent and disclosure requirements to prevent an activity that the TSP
reasonably believes is a contravention of an Act of Parliament and presents an imminent risk to the
security of its network. The exception is narrow and could leave many Canadian organizations powerless
to defend themselves against cyber-threats; in fact it could make them into lawbreakers for using best
practices in the course of their business operations to address the myriad of threats they face every day.
In particular,
Only TSPs are eligible for exemption. Yet, computer systems and computer networks are
used ubiquitously by organizations throughout the country. Many would likely not be a TSP,
even though that term is broadly defined.
There are many threats that require combatting besides those involving breaches of security.
Some unauthorized access to or unauthorized uses of a computer will involve a breach of
security, but not every breach necessarily will.
The legality of stopping attacks will be dependent on the innocent victim reasonable believing
that the perpetrator imminently will commit a violation of Canadian law. Not every cyber-
threat will necessarily meet this standard. Moreover acting to prevent an attack which is
reasonably expected but not imminent could be illegal as would attempting to investigate the
source of past attacks, unless the victim can reasonably conclude that one attack will
imminently lead to another one to its network.
Many Canadian organizations operate cross boarder networks. CASL applies to programs
installed from Canada on foreign computers. Accordingly, a Canadian based organization
could be unable to employ cyber-counter measures from Canada to protect their foreign
networks from attack even if the cyber attack was a violation of the foreign law.
Even more fundamentally, the exemption proposed by Industry Canada would be subject to a condition
that the victim of the cyber security threat must reasonably believe that the cyber criminal consents to the
installation of the counter measure program. As this condition would be unlikely ever to be met, the new
exemption does little to solve the problem which the Government recognized needed to be addressed.
It may be that the Government believes that there is unlikely to be a problem because CASL only applies
if the program installation occurs as part of a commercial activity. This will raise important questions of
interpretation. If defending against cyberthreats becomes part of an organization’s normal business, is it
caught? What about consultants and businesses that specialize in combatting cyber menaces and
security threats? Would their work for victims of cybercrime be part of a commercial activity and thereby
become illegal? When businesses like Microsoft take down or disrupt botnets, is this part of a commercial
activity? See, Inside Microsoft botnet takedowns. Are they all acting for the purposes of public safety,
which is another exception?
34
CASL’s ban all approach to the installation of computer programs without consent will produce many
other inadvertent negative consequences as well. For example, it could be illegal for an organization to
install a program on another computer to comply with law (other than an order). (There is an exemption
for law enforcement.) it is also unknown how an express consent can be obtained for software that is pre-
installed before a device is sold.
There are at least a dozen other problems that have been identified. For example, the prohibitions don’t
only apply to the program manufacturer or publisher. They apply to every dealer, distributor, retailer and
intermediary that does repair, maintenance, back up or reinstallation services, even though they all would
likely not have the relevant information to make the necessary disclosures or be in a position to get
express consents. The prohibitions aren’t limited to PCs, but apply to a program installed on any
computer system which is defined broadly enough to include programs installed on smartphones, motor
vehicles, appliances and other devices that contain electronics that run using software. That is practically
everything today except pillows. Is it really Government policy to make every intermediary who works on
any device that contains software as part of any commercial activity vicariously liable for the
malfeasances of the program developers or publishers and require them to get express consents, or is
this an inadvertent policy choice resulting from CASL’s ban all approach to regulating electronic
commerce involving commercial electronic messages and computer programs?
CASL was intended to foster confidence in using electronic means of doing business. Ensuring that
organizations do not lose the ability to defend themselves from cyberthreats should be a key goal. The
Government should ensure that Canadian organizations will not become lawbreakers when they, like the
New York Times, are hacked and need to investigate and terminate threats. It should also consider
whether CASL was really intended to apply to everyone in the business ecosystem that provides any
services in relation to computer programs.
35
Will CASL Hurt Charities? Let Us Count The Ways
http://www.barrysookman.com/2013/02/04/will-casl-hurt-charities-let-us-count-the-ways/
February 4th, 2013 by Lorne Salzman
Charities, including hospitals, universities, orchestras and other similar not-for-profit organizations will be
hard hit by Canada’s new anti-spam legislation, known as CASL, when it comes into effect later in 2013.
They will face a diminished ability to communicate with their supporters including donors, patients,
volunteers, alumni and other beneficiaries thereby leading, inevitably, to reduced funding and support
even as administrative burdens and costs go up.
The key problem is that CASL’s reach is very wide, and it therefore catches all sorts of electronic
messages that organizations will want to send, even those that don’t seem particularly commercial in
nature. The problem arises from the definition of “commercial electronic message” or CEM. To qualify as
a CEM the message must, as one of its purposes (however minor), “encourage participation in a
commercial activity”. This very broad categorization encompasses many, many activities.
One might think that a message that includes a simple description of a charity’s activities and a request
for a donation could not be a CEM because there is no notion of encouraging participation in a
commercial activity. But think again. Many charities provide inducements to donate, such as newsletters,
magazines, discounts on goods and services, picturesque calendars, invitations to lectures, advance
notification of events, meetings with important people, naming rights for facilities, etc. While some
inducements will be of modest value, some, such as a lunch with a celebrity, will be quite valuable and
lead to very substantial donations as a result. And remember, they all have some value, or else they
would not be offered. Thus, a request for a charitable donation that may well seek to benefit the charity as
its primary objective, can also exhibit elements of a commercial transaction between the donor and the
charity. If this ancillary transaction is found to be sufficiently commercial to be construed as “commercial
activity” under CASL, then the donation request could well become tainted as a CEM.
Even if the donation request came with no accompanying inducement, a charity would still have to be
careful not to run afoul of CASL. For example, if the donation hyperlink in the message takes the reader
to a charity website that, in addition to enabling donations, also refers to the sale of goods and services or
offers the names and hyperlinks of supporting merchants, that might well risk turning an otherwise
innocuous message into a CEM under CASL.
Although the foregoing discussion focuses on charities and donors, parallel issues arise in the
relationships between hospitals and patients and between universities and their alumni, and between all
of these types of non-profit organizations and their volunteers and other supporters and beneficiaries.
Charities can of course take some comfort in the 2-year window of implied consent to send CEMs after
the purchase of goods or services or the making of a charitable donation or furnishing of volunteer work.
Yet this may be much less comfort than it seems. Donors to charities, patients of hospitals, alumni of
universities will often be sent charity newsletters, medical alerts and alumni newsletters for many years
before a response, such as the making of a further donation, the purchase of a new medical device or
test kit or the attendance at an alumni dinner, actually takes place. A 2-year cut-off would therefore
damage the ability of such organizations to continue to communicate with their supporters on an ongoing
basis.
36
The more practical problem is that many organizations will have difficulty knowing which names in their
messaging databases fit the definitions of “existing business relationships” or “existing non-business
relationships” so as to be eligible for the 2-year window reprieve. Indeed, in some cases, the names may
not meet either definition. They may also not have adequate information to establish the dates for the 2-
year window. For example, it is almost inconceivable that a charity will have complete records of who has
performed volunteer work and when, yet the performance of volunteer work is a trigger that starts the 2-
year clock (as is attending a meeting organized by the charity). Because organizations had no pressing
need to record such CASL-relevant data, their databases of messaging names will need careful review –
which will be costly – and it is inevitable that organizations will purge valuable names simply because
they cannot be confidently slotted into an eligibility category.
The suggested solution to this problem is for charities to obtain explicit consent to continue sending such
messages. That entails a campaign (or multiple campaigns) to contact message recipients and ask them
for consent. Not only is this costly for these organizations (which will much prefer to devote their limited
resources to achieving their primary mission rather than fussing with CASL) and annoying for the
message recipients, but a sizeable number of recipients will never respond. Moreover, once CASL
becomes law, the very act of asking for consent will be constrained under CASL because that too can be
construed as sending a CEM in many circumstances (yes, really!). Thus, inevitably, the messaging list will
diminish. With less ongoing communication, the institution sending the messages will see reduced
support from its natural base of supporters.
It doesn’t have to be this way. Other countries have developed anti-spam laws with either more targeted
prohibitions, meaning that message senders of all sorts are not unduly burdened (the USA), and/or have
instituted carve-outs for charities and certain other not-for-profit organizations (Australia). But Canada has
so far rejected these approaches and seems determined to move forward with the stiffest anti-spam law
in the world regardless of the negative consequences for Canadian charities, including hospitals,
universities, orchestras and other similar not-for-profit organizations.
_______________________________________
Lorne Salzman is a lawyer in private practice in Toronto, with a focus on communications law and
competition law. He has spoken and written about CASL and its implications. See lornesalzman.com
37
Rethinking CASL (Canada’s Anti-SPAM law)
http://www.barrysookman.com/2011/05/25/rethinking-fisa/
May 25th, 2011 by Lorne Salzman and Barry Sookman
SPAM is awful. It wastes our time. It clogs the Internet. It is full of scams, malware and fraudulent, false
and misleading messages. Who wouldn’t cheer when Canada finally decided late in 2010 to outlaw
SPAM and related afflictions of malware, spyware, address harvesting and sending false and misleading
commercial electronic messages?
Indeed, there was much satisfaction when Canada’s anti-SPAM law, also known as FISA[2], was given
royal assent on December 15, 2011. After a lengthy and thorough review process, including consultations
and Parliamentary reviews, Canadians could look forward to the toughest anti-SPAM law in the world just
as soon as the regulations were finalized, which is expected this summer.
With FISA passed into law, and expected to come into force by the end of 2011, Canadian businesses
started preparing for a new SPAM-reduced world. They began to scrutinize their use of emails, SMS and
social network communication with existing and prospective customers. They looked at the language for
obtaining consent from these customers, and for allowing them to unsubscribe. They reviewed the
conditions for those customers that may have given implied consent. All of this scrutiny was expected.
Businesses also began to look closely at regulatory aspects of FISA. They began to appreciate the
severe penalties for violating FISA, and thus the risks of failing to fully comply with the new requirements.
Their interest in compliance increased further. And this too was expected.
But a funny thing happened on the way to the SPAM-free utopia. It began to dawn on some that FISA
imposes very significant costs, not just on individual Canadian businesses, but also on the Canadian
economy as a whole. These are costs that Canadians will uniquely bear because FISA is the toughest
anti-SPAM law in the world. And while everyone understood that implementing FISA would not be cost-
free, questions began to be asked about the balance of costs and benefits from complying with FISA.
During the past months, as we have helped numerous Canadian businesses understand FISA and its
impact on their operations. In doing so, we have come to recognize that stakeholders did not fully
appreciate just how costly this law would become for Canada or the dangers it poses to the Canadian
economy. We acknowledge that FISA was thoroughly reviewed before it was passed into law. However,
we have also come to recognize that rather than promoting the “efficiency and adaptability of the
Canadian economy”, as formally stated in FISA’s official title, it may well achieve the opposite result.
In this commentary we will describe some of the challenges presented by FISA. We will focus on the anti-
SPAM provisions, and leave for another day the anti-spyware and other provisions of FISA.
In summary, we have identified the following problems that need to be addressed before FISA’s
regulations are finalized and the law is proclaimed into force:
1) FISA will impede start-up businesses from launching in Canada.
2) FISA will impede Canadian businesses from developing new marketing models over the
Internet.
3) FISA will deter suppliers of service providers, including outsourcing and cloud service
providers, from operating with or maintaining facilities in Canada.
38
4) FISA will deter foreign businesses from offering their products to Canadians via the Internet,
mobile and other communications networks.
5) FISA will impose costs and restrictions on Canadian businesses that their competitors outside
Canada will not have to bear.
6) FISA contains very strong incentives for Canadian businesses to confess wrong-doing, even in
cases of questionable or trivial conduct, thereby tarnishing the reputation of legitimate businesses
in circumstances where the offending conduct is not significant.
7) FISA will chill legitimate commercial speech and thereby undermine fundamental values
protected by the Charter of Rights and Freedoms
Our analysis starts with a brief background introduction to FISA. We then move on to discuss the
problems we have observed.
Overview of FISA’s anti-SPAM provisions
The anti-SPAM and related provisions of FISA have their genesis in a 2005 federal government Task
Force report: Stopping Spam: Creating a Stronger, Safer Internet.[3] The report included a range of
recommendations to fight SPAM including more rigorous law enforcement, public education, policy
development and legislation. Importantly, the Task Force made recommendations that formed the
structure that eventually became FISA including:
Commercial email sent without prior consent — or that is deceptive, fraudulent or malicious — is
SPAM and should be prohibited.
Failure to abide by an opt-in regime for sending unsolicited commercial email should be made an
offence in a stand-alone, technology-neutral SPAM statute.
The use of false or misleading headers or subject lines designed to disguise the origins, purpose
or contents of an email should be made an offence. This should be the case whether the
objective is to mislead recipients or to evade technological filters.
The new offences created should be civil and strict-liability offences, with criminal liability open for
more egregious or repeated offences. There should be meaningful statutory penalties for all
offences outlined above.
There should be an appropriate private right of action available to persons, both individuals and
corporations. There should be meaningful statutory damages available to persons who
successfully bring civil action.
The Task Force recommendations, which by and large were carried over into FISA, were not just
ambitious. They cast a wider net than legislation anywhere else in the world. For example, the U.S. CAN-
SPAM Act of 2003[4] prohibits e-mails that are sent in violation of an individual’s opt-out request, or that
are fraudulent, false or misleading. The EU Directive 2002/58/EC on privacy and electronic
communications targets sending e-mail for the purposes of direct marketing to individuals. The Australia
Spam Act 2003[5] and the New Zealand Unsolicited Electronic Messages Act 2007[6], after which FISA’s
provisions are most closely modelled (but with significant changes which make FISA more encompassing
and more difficult to comply with), prohibit sending certain commercial electronic messages without the
express or inferred consent of the recipient.
39
In contrast to the narrower approach of these other countries, FISA prohibits sending (or causing or
permitting to be sent) any commercial electronic message to any electronic address unless express
consent is given by the recipient, or certain specific exclusions apply.[7]
The exclusions are limited, and encompass the following: (1) some categories of electronic message are
excluded completely; (2) some categories are excluded from the consent requirements, but they must still
comply with certain formalities (for example, contain an unsubscribe mechanism); and (3) very similar to
(2), some categories are deemed to have implied consent, although they must also comply with the
formalities.
The totally excluded categories are: commercial electronic messages to an individual with whom the
person stands in a personal or family relationship as defined in regulations; an inquiry or application to a
person engaged in commercial activity; or messages of a class defined in regulations.[8] There is a
further exception for telecommunications service providers (TSPs) in their role as carriers.[9] Messages
related to law enforcement, public safety, the protection of Canada, the conduct of international affairs or
the defence of Canada are excluded because they are deemed not to be part of a commercial activity.[10]
Then, there are categories of commercial electronic messages which do not require consent, but for
which the prescribed formalities still apply, namely commercial electronic messages that solely involve the
following: (a) provide a quote in response to a request; (b) are in furtherance of previously agreed to
transactions; (c) provide warranty, safety, security, product recall information; (d) provide factual
information about a purchase; (e) provide information about an employment or benefits plan; (f) deliver a
product, service or upgrade; or (g) other exceptions specified in a regulation.[11]
The categories of commercial electronic messages for which there is deemed to be implied consent (and
to which the prescribed formalities still apply) are limited to the following exclusive circumstances:
There is “an existing business relationship” as this term is defined. In summary, this is a
relationship arising from a purchase or barter within 2 years; acceptance of a business,
investment or gaming opportunity with last 2 years; or is related to a contract until 2 years after
expiry; or any inquiry or application within 6 months.[12]
There is an “existing non-business relationship” as this term is defined. In summary, this is a
relationship arising from a donation or gift; volunteer work performed for a registered charity; or
membership, within a 2 year window.[13]
The person to whom the message is sent has “conspicuously published”, or has caused to have
published, an electronic address without a statement that the person does not wish to receive
unsolicited commercial electronic messages at the electronic address and the message is
relevant to the person’s business, role, functions or duties in a business or official capacity.[14]
The person to whom the message is sent has disclosed, to the person who sends the message,
an electronic address without indicating a wish not to receive unsolicited commercial electronic
messages, and the message is relevant to the person’s business, role, functions or duties in a
business or official capacity.[15]
The message is sent in the circumstances set out in the regulations.[16]
Commercial electronic messages that do not fall into one or more of the above exclusions cannot be sent
except with the express consent of the recipient. Obtaining consent has its own requirements. When
requesting consent, the sender must set out clearly and simply: (a) the purpose or purposes for which the
40
consent is being sought; (b) information prescribed in regulations that identifies the person seeking
consent and, if the person is seeking consent on behalf of another person, information prescribed in
regulations that identifies that other person; and (c) any other prescribed information.[17] Sending a
message to obtain consent is deemed to be a commercial electronic message.[18] As such, contacting a
recipient to ask if the sender can send a commercial electronic message is itself SPAM (unless some
exclusion applies).
Moreover, each commercial electronic message that is transmitted by a sender must abide by certain
formalities which require the sender to: (a) set out prescribed information that identifies the person who
sent the message and, if different, on whose behalf it is sent; (b) set out information enabling the person
to whom the message is sent to readily contact the sender (the contact information must be valid for 60
days); and (c) set out the prescribed unsubscribe mechanism.[19]
The unsubscribe mechanism must (a) enable the recipient to indicate, at no cost to them, the wish to no
longer receive any messages, or any specified class of such messages, from the sender, using (i) the
same electronic means by which the message was sent, or (ii) if using those means is not practicable,
any other electronic means that will enable the person to indicate the wish; and (b) specify an electronic
address, or link to a page on the World Wide Web that can be accessed through a web browser, to which
the indication may be sent.[20]
Having described the key elements of FISA, we will now describe some of the problems that we have
encountered as Canadian businesses grapple with its implementation.
FISA Impedes Start-up Companies
Unlike established companies, start-up companies do not have a ready list of electronic contacts they can
approach to market their products. Rather, they will develop emailing lists from a variety of sources and
use them to launch their products. For example, a newly graduated financial advisor may look up the
lawyers and doctors in his/her neighbourhood using a published professional or business directory or
other publication such as a magazine, book, or newspaper and invite them to an educational event. A
newly established orthodontist may send an announcement to dentists in her town, with the electronic
addresses derived from a conference attendance list. A university student wanting to earn some money
as a contract programmer may contact professors and lecturers using their electronic addresses found in
the university catalogue or telephone directory. A new real estate agent in search of listings may want to
contact owners of properties using information recorded in publically available registries.
Although few would find these activities offensive, they will all likely be illegal under FISA.[21] Rather than
using electronic communications, business start-ups will therefore be forced to send their messages
using the post or other more expensive and less convenient and efficient mechanisms, or limit the
persons to whom they can send messages to the limited exception that permits use of conspicuously
published e-mail addresses.[22] The new start-ups could also not rely on the alternative route of using
software that is design to assist them in searching for relevant business or other connections because it
will also be illegal to use such software or electronic addresses gathered using such software under the
amendments to PIPEDA included in FISA.[23]
Although it is easy to say that the FISA impositions on small businesses are not that important, most
countries, Canada included, actively promote small business formation and expansion. Policy-makers
understand that small business is a vital part of the economy in its own right and, as well, that all big
41
businesses were small start-ups at one point. As such, Canada should not want to impede start-up
businesses from making effective use of digital communications to launch and sustain their businesses.
FISA Impedes Use of New Forms of Communications and Business Models
FISA is supposed to be technologically neutral, applying broadly to practically all electronic means of
sending electronic messages. However, the FISA regulatory regime (which prescribes specific formalities
for each message) is modelled on regulating electronic messages that are sent as emails. This focus on
emails means that other forms of electronic messaging, such as those through social networks, do not
easily fit within the FISA framework. As a result, Canadian businesses that wish to exploit new and
developing alternative electronic messaging systems will be impeded by FISA.
As an example, consider an enterprise that wishes to send its commercial electronic messages, with
express consent, by SMS.[24] Because SMS only allows for 140 characters, it will be very difficult if not
impossible in the allotted number of characters to include all of the formalities required for commercial
electronic messages. The SMS message would have to include (a) prescribed information that (1)
identifies the sender and (2) any person on whose behalf the message is sent, (b) information that
enables the recipient to (1) contact the sender or (2) the person on whose behalf the message was sent,
and (c) an unsubscribe mechanism that (1) enables the recipient to indicate, at no cost to him/her a wish
to no longer receive messages (which could be at a separate web location), and (2) specifies an
electronic address or link to the web which can be used to unsubscribe from receiving further
messages.[25] Consider the following difficulties when trying to utilize SMS for a commercial electronic
message:
Can conditions (a)(2), (b)(2), and (c)(2) be met in a message that is only 140 characters? Some
URLs could be as long as the message itself. The same problem will arise in other messaging
services where short messages are the rule, such as Instant Messaging (IM) services.
Where the recipient uses a regular cell phone, not a smart phone, an unsubscribe URL is likely
not accessible by the phone to effect an unsubscribe instruction. Is it still a compliant message? If
not, how can the sender ever know if its messages are compliant given that the sender will not
know what sort of device the recipient is using?
Where the sender wants to permit recipients to unsubscribe using a text message at no cost to
the recipient[26], this will require negotiations with all mobile operators to ensure that the recipient
is not charged for the unsubscribe message – a very cumbersome approach.
Further, it may be challenging for a person using any of these messaging services to seek
express consents from recipients using 140 characters given the request for the consent must
“clearly and simply” provide information setting out the purpose or purposes for which consent is
being requested, information that identifies the requester and another person on whose behalf the
request is made, and other prescribed information.[27]
The result is that unless accommodation is made by means of the regulations or amendment to the
legislation, FISA could make using new and innovative short messaging platforms effectively impractical
to use in Canada for whole categories of commercial speech.[28]
As another example, consider the situation of a social network that allows a recruiter to search the
profiles of members looking for suitable employee prospects, who the recruiter then contacts using the
social network built-in communications tools. Many members would welcome such communications, and
42
therefore they would likely consent to such recruitment messages, presumably at sign-up time. However,
FISA’s design does not easily accommodate such a situation. The recruiter cannot directly request
consent to send a message to a member of the social network because that message would be deemed
to be a commercial electronic message.[29] The social network could try and obtain the member’s
consent for the recruiter to send such messages. However, FISA contemplates that the consent request
must include identification information about the person on whose behalf the consent is being obtained, in
this case the recruiter’s identity.[30] But is this workable when the identity of the recruiter(s) will only be
known much after the consent is granted? Faced with this complexity and uncertainty, recruiters and their
social network partners may well ponder if they should avoid offering these services in Canada.
Consider another business model where a virtual gaming site allows members to offer to buy and sell
virtual objects amongst themselves. Does each member have to obtain consent from the other members
before the messages are sent? Can the social network site request consent in advance for all such
messages among members? Bear in mind that the members only disclose game-playing aliases and not
their real identities. How then can the identification requirements of FISA be satisfied? How practical is it
for each game-player to include an unsubscribe mechanism in every buy-sell offer? If members fail to
comply with these identification or unsubscribe mechanisms, will be social network operator have to
enforce these requirements in order to avoid liability for aiding in a contravention of FISA? Will the
operators of such sites be concerned that they could face accessorial liability for not designing
mechanisms to enable their players to comply with FISA? Will they make necessary changes to their
games or simply exclude Canadians from being able to join their networks?
Consider next a business model where a social network operator offers business coupons to members
and encourages the members to pass the coupons on to friends and social media contacts.[31] As an
incentive, the operator grants a modest incentive to the member for every person that uses such a
passed-on coupon. The passing on of the coupon with an express or implied suggestion as its use is
likely the sending of a commercial electronic message. While some recipients in these models may fit into
the personal or family relationship exemption in FISA,[32] others won’t necessarily fall within these so far
undefined categories. And how many members are likely to include unsubscribe mechanisms when
sending such messages to their contacts? Although one might be tempted to say that no-one will pursue
the members for such trivial transgressions of FISA, the operator that knowingly permits such conduct
might well worry if it will be at risk of being accused of aiding, inducing, procuring or causing to be
procured the doing of any act contrary to the anti-SPAM provisions of FISA.[33]
Faced with the risks of offending FISA, Canadian businesses will be wary of developing (or continuing to
offer) these innovative business models or implementing similar models that are legal in other countries
such as the United States. Or if they do wish to develop them, they will feel a strong incentive to develop
and launch them outside of Canada. The logical port of call for any such developers will be the United
States, with its familiarity to Canadians, vast market, openness to innovation, and ample sources of
funding. Canada, which already faces a tough time in fostering innovation inside our borders, will now be
adding one more reason for Canadians to take their digital economy initiatives south of the border.
FISA Will Deter Service Providers from Locating in Canada
In the foregoing, we have explained impediments that will be faced by start-ups and developers of new e-
commerce models as a result of FISA. But the potential harm to the Canadian economy goes further.
FISA will deter many suppliers from providing innovative services globally using Canadian facilities.
43
Consider the case of a data centre operator that is deciding where to locate a new server farm. If the
operator decides to locate it in Canada, the customers that send electronic commercial messages from
those servers will be subject to FISA for all of those communications – even those where the company is
non-Canadian and the recipients are all non-Canadian. This consequence arises because FISA applies if
a computer system in Canada is used to send or receive the electronic message.[34] The data centre
operator will realize that its customer base will be immediately narrowed if the server farm is located in
Canada and knowledgeable customers will ask the operator that servers in Canada not be used for their
commercial electronic communication purposes.
For the same reasons, FISA will also deter businesses from operating or using cloud services that have
facilities in Canada. In an era of ever-increasing reliance on “cloud computing”, where operators organize
servers in the most efficient manner, operators and their customers would avoid locating cloud services
with facilities in Canada to avoid burdening their foreign customers with onerous obligations they would
not have, and their foreign competitors will not have, if their facilities were located outside of Canada.
Likewise, operators of messaging systems such as e-mail services, social networks, and e-commerce
platforms that serve North American or global enterprises will have a strong reason to avoid locating their
facilities in Canada to ensure that their global users are not regulated by FISA. They would likely relocate
existing Canadian facilities outside of Canada to avoid requiring their non-Canadian customers having to
bear costs and expenses of complying with laws that their competitors do not face.
Even established Canadian businesses, especially global ones, might decide that it is in their interest to
locate their servers, whether in-house or outsourced, outside the country. Many of them will send
commercial electronic communications to non-Canadians. They will not want to take on the FISA-derived
extra costs and restrictions associated with communicating with those non-Canadians from a Canadian
server. Faced with the choice of two servers, one in Canada for FISA-complaint Canadian messages, and
one outside Canada for everything else, many Canadian companies will decide that the most efficient
approach is to ensure that all their servers are located outside Canada.
By discouraging service suppliers from locating or maintaining facilities in Canada, not only does Canada
lose the jobs, taxes and spin-off activities from such businesses, but Canada’s participation in a core
building block of the digital economy is reduced. This in turn lessens the attractiveness of Canada as a
location for other participants in the digital economy.
FISA Will Deprive Canadians of Products and Services From Foreign Businesses
In the foregoing discussion, we have concentrated on the impact of FISA on Canadian businesses and
suppliers to those businesses. But there is another constituency that will be impacted by FISA, namely
consumers.
FISA will of course benefit consumers by hopefully reducing the flow of SPAM. That is the key purpose
behind FISA. But consumers will be negatively impacted by FISA if they cannot benefit from worthwhile
commercial electronic messages simply because foreign companies are unwilling to comply with FISA
and thus decide simply to exclude Canadians from their electronic communication databases. We have
been told by some businesses that the costs of developing specific marketing campaigns for Canadians
could influence whether foreign businesses make the same offers to Canadians that they make to their
customers in other countries.
44
The point to realize is that not all commercial electronic messaging is bad and unwanted (although some
is undoubtedly both). Some is benign, and some may be quite useful. Indeed, in the example above of a
recruiter using social media platforms to contact prospective employees, some may be very welcome.
FISA however risks walling off Canada from the good as well as the bad. And foreign companies,
especially international companies that market and promote products and services on a global basis from
outside Canada, may well decide that Canada is simply not worth the effort and hazards that come with
FISA.
FISA Imposes Costs on Canadian Businesses that Foreign Competitors will not Bear
Canadian businesses are coming to grips with the costs of FISA compliance, and it is not a happy
realization. Businesses that have large contact lists must assess which contacts fit into particular
categories: exempt, express consent, implied consent, no consent. The exempt category will be small for
most businesses. Where express consent has been given, businesses have to figure out if the consent is
sufficient for FISA purposes, now and in the future. Absent express consent, businesses will have to
determine if one of the listed categories of an implied consent can apply. This will be difficult to assess in
many cases.[35] For example, where an individual was entered onto a contact list 5 years ago, how will a
business determine if that person voluntarily disclosed his/her email address, or whether it was
“conspicuously published” or if there exists an existing business relationship that is less than 2 years old?
If the existing business relationship heading is relied on, what sort of routines are in place to determine
customer-by-customer when the 2-year window expires? The answer to each of these question can be
determined, but at a cost – a cost that can be significant for a company with thousands or even millions of
contacts.
It may be simple to suggest that businesses should just communicate with everyone on their contact lists
and ask for express consent. But the response rate from such campaigns is often not large, and
Canadian businesses risk a large contraction of their contact lists, with a consequential impact on their
business models. In some cases, such as the social network recruiter described earlier, it is questionable
if a consent approach is even workable. And, of course, once FISA comes into force, communicating with
a contact to ask for consent will itself be prohibited unless some exemption or implied consent applies.
Further, as noted above, Canadian businesses with substantial numbers of non-Canadian contacts will
face costs of moving their servers outside of Canada in order to service these non-Canadians, and likely
Canadians as well. In the same vein, those Canadian businesses will have to give up any use of cloud
computing that involves Canada-based servers if there is a chance that some commercial electronic
messaging could originate on servers in Canada.
Canadian businesses will also face extra costs as ongoing customers unsubscribe from commercial
electronic messages. The FISA-mandated unsubscribe mechanism must permit the recipient to not
receive any commercial electronic messages, or any specified class of messages. If even a handful of
customers choose the broad unsubscribe option, companies will have to either change their systems to
ensure that innocuous commercial electronic messages are not included in ordinary correspondence
such as billing statements (consider, for example, a mention that mortgage rates are being reduced which
appears in a bank account statement with an offer to extend the mortgage term), or ensure that such
correspondence is sent to those customers by the post or other non-electronic means. All of this can be
done, but clearly at a cost. The problem would be compounded for businesses that contract with their
customers only to communicate electronically. Customers including B2B business partners could
45
arguably use FISA’s unsubscribe right to require communications in a different format and to thereby
trump contractually agreed to terms. This could undermine purely electronic means of doing business
(including data interchange arrangements) and force companies to cease doing business with any person
insisting on an unsubscribe right or to incur substantial costs to do business in less modern and inefficient
way.
In addition to costs of these proactive activities, Canadian businesses will face potentially large costs of
after-the fact compliance by way of substantial fines and class action damages, and associated legal
costs, as further discussed below.
In contrast, most non-Canadian competitors do not face equivalent costs. Although some may elect to
comply with FISA for their Canadian contacts, others may simply abandon services to Canadians. Others
will likely just ignore FISA, expecting that the Canadian regulators will have neither the inclination nor
resources nor the jurisdiction to pursue these offenders.
FISA’s Enforcement Model is Biased Towards Excessive Fault-Finding, which will Tarnish
Legitimate Businesses
The penalties for violating FISA are severe. Companies can be subject to fines[36] of up to $10 million
per violation. The regulations may specify that violations are a day-by-day determination.[37] Officers and
directors can be liable, whether or not the corporation is prosecuted.[38] If the CRTC does not initiate
proceedings, companies can be liable to private action by SPAM recipients, including (most worryingly)
class action claims, for actual damages (which will likely be insignificant), but also an additional private
fine of up to $1 million per day (which is not so insignificant).[39]
The fear of class action claims, which can be very expensive to defend against, will act as a strong
incentive for companies to self-report potential contraventions to the CRTC and submit to voluntary
undertakings and fines. Entering into such an undertaking with the CRTC will exempt the contravention
from private action liability.[40] Although this incentive will help ensure FISA compliance, its undoubted
goal, it will also encourage companies to confess wrong-doing in situations where the impugned conduct
may be questionable or trivial. This will lead to a parade of Canadian businesses being punished under
FISA, with the regulators extolling their enforcement proficiency against these wrong-doers.[41] As such,
the public image of many Canadian businesses will be unfairly tarnished in circumstances where the
offending conduct may not be significant.
Is It Right To Extensively Chill Commercial Electronic Communications?
In the proceeding pages, we have explained the negative impact that FISA will have on Canadian
businesses and consumers. But there is a larger question that should also be asked. Is it right to so
extensively curtail Canadian businesses from engaging in commercial electronic communication, which is,
after all, a form of commercial free speech? This is a big question, with clear constitutional overtones. But
it is a question that should be asked.
FISA’s regulatory approach to SPAM is to broadly ban all commercial electronic messages unless the
messages are sent with prior express consent or fall into an excluded category. The regulatory regime
does not focus, as do most laws that restrict the free speech of Canadians, on prohibiting actions that are
necessarily unwanted, false, fraudulent, misleading or otherwise harmful. It is therefore inevitable that
sending some legitimate, wanted, and economically and socially useful commercial speech will be
rendered illegal.
46
FISA’s curtailment of commercial speech is apparent in a number of ways.
The prohibitions on commercial speech are not narrowly tailored to a limited class of electronic
communications that are more likely than not to be unwanted or harmful such as direct marketing,
pornography, messages sent to consumers that misuse personal information, or messages that
are false, fraudulent, or misleading.
Because FISA extends to “any particular transaction, act or conduct or any regular course of
conduct that is of a commercial character, whether or not the person who carries it out does so in
the expectation of profit”, it will extend to activities of not-for-profit entities, educational institutions,
charities, private clubs, and political fundraising activities, subject the specific exceptions that only
partially exclude some of their commercial electronic messages.
A message that is, on balance, benign or useful, will nonetheless be caught by FISA if only one of
the message’s many purposes would encourage participation in a commercial activity.
FISA’s anti-SPAM provisions provide for extensive accessorial and vicarious liability Under FISA,
liability extends to any person who aids, induces or procures a prohibited act.[42] Businesses are
liable for acts of their employees within the scope of their authority.[43] The liability also extends
to officers, directors, agents, and mandataries if they “directed, authorized, assented to,
acquiesced, or participated in the prohibited act”.[44]
A direct result of the “ban-all” approach taken in FISA will be to shift the onus onto individuals and
businesses to find an exception that would permit their sending electronic messages. However as
described above, FISA also has extremely tough sanctions that can be levied against individuals
or businesses that violate its prohibitions. These sanctions will undoubtedly deter individuals and
businesses from sending messages in circumstances where it is unclear they are entitled to do
so.
The Canadian Charter of Rights and Freedoms protects free speech as one of our highest legal and
societal imperatives.[45] The courts have recognized that Canadian businesses benefit from this
protection and that commercial speech benefits Canadian consumers.[46] While limits on free speech are
clearly permitted, these limits should be reasonable and justified, with minimal impairment of the free
speech right and with the limit on free speech being in proportion to the harm that is being targeted. As
we have come to better understand how companies will be required to operate under FISA, questions
indeed arise as to whether this important principle has been given appropriate regard.
Where Should We Go From Here?
Recognizing that it may be too late to revise the FISA legislation, developing sensible regulations will be
of paramount importance as many of the deficiencies that we have discussed can be remedied in the
regulations. For example, FISA provides significant flexibility to for the regulations to exclude classes of
commercial electronic messages from its scope.[47] FISA also enables the government to create, by
regulation, new broad categories of implied consent.[48] Employing the regulation process in this
remedial manner should not be seen as undermining the basic thrust of FISA, which is to reduce the
volume of SPAM, but rather as properly aligning FISA’s benefits with its costs.
To conclude, we believe that it is time to re-examine FISA – and to do so before the regulations are
finalized and FISA is proclaimed into law. Failing to undertake such a review, and to make appropriate
changes through regulation or otherwise, risks imposing significant burdens on Canadian businesses and
depriving Canadians of beneficial services, thereby undermining the promotion of “the efficiency and
47
adaptability of the Canadian economy” that FISA calls for. Other countries have managed to discover a
different and more proportionate balance between thwarting SPAM and not impeding legitimate electronic
messaging. Canada should seek to do likewise.
[1]Lorne Salzman and Barry Sookman are lawyers with McCarthy Tétrault LLP.
[2] FISA is the acronym for “Fighting Internet and Wireless Spam Act”, a title bestowed in an early version
of the legislation that was eventually passed by the Canadian Parliament. Unfortunately (and unusually),
the final version did not include any such short-form title. Accordingly, some commentators refer to FISA,
while others refer to “CASL”, which is the acronym for Canadian Anti-Spam Legislation, while others
employ yet other titles and abbreviations. For ease of understanding, we will use the term “FISA” in this
commentary.
[3] Available at www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00317.html
[4] www.ftc.gov/bcp/edu/microsites/spam/rules.htm
[5] www.austlii.edu.au/au/legis/cth/consol_act/sa200366/
[6] www.legislation.govt.nz/act/public/2007/0007/latest/DLM405134.html
[7] The breadth of FISA’s prohibitions can be seen from looking at the definitions:
An “electronic message” is an open ended list of message types: a “message sent by any means
of telecommunication, including a text, sound, voice or image message”.
An “electronic address” is an open ended list of types of addresses to which messages may be
sent; it is “an address used in connection with the transmission of an electronic message to (a) an
electronic mail account; (b) an instant messaging account; (c) a telephone account; or (d) any
similar account”.
A “commercial electronic message” is an open ended list of electronic messages “that, having
regard to the content of the message, the hyperlinks in the message to content on a website or
other database, or the contact information contained in the message, it would be reasonable to
conclude has as its purpose, or one of its purposes, to encourage participation in a commercial
activity, including an electronic message that (a) offers to purchase, sell, barter or lease a
product, goods, a service, land or an interest or right in land; (b) offers to provide a business,
investment or gaming opportunity; (c) advertises or promotes anything referred to in paragraph
(a) or (b); or (d) promotes a person, including the public image of a person, as being a person
who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.” An
electronic message that contains a request to send a prohibited message is also deemed to be a
prohibited commercial electronic message.
A “commercial activity” is also broadly defined to mean “any particular transaction, act or conduct
or any regular course of conduct that is of a commercial character, whether or not the person who
carries it out does so in the expectation of profit”. It excludes “any transaction, act or conduct that
is carried out for the purposes of law enforcement, public safety, the protection of Canada, the
conduct of international affairs or the defence of Canada”.
[8] s. 6(5)
48
[9] s. 6(7)
[10] s. 1(1)
[11] s. 6(6)
[12] ss. 10(9) and 10(10)
[13] ss. 10(9) and 10(13)
[14] s. 10(9)(b)
[15] s. 10(9)(c)
[16] s. 10(9)(d)
[17] s. 10(1)
[18] s. 1(3)
[19] ss. 6(2) and 6(3)
[20] ss. 11(1) and 11(2)
[21] Despite problems under FISA, collecting personal information from some of the sources described
above would likely be permissible under PIPEDA (Canada’s federal privacy law) pursuant to regulations
which permit the collection, use and disclosure of personal information that is publically available. See,
Regulations Specifying Publicly Available Information, P.C. 2000-1777 13 December, 2000,
http://www.gazette.gc.ca/archives/p2/2001/2001-01-03/html/sor-dors7-eng.html
[22] s. 10(9)(b). This section has some overlap with the PIPEDA publically available exception. However,
the FISA exception is limited to where the recipient “has conspicuously published, or caused to be
conspicuously published”, the electronic address. It would seem to clearly apply where an individual
publishes his/her email address on a web site. It is much less clear that it applies where an individual
gives his/her email address to an organization and the organization publishes the email address in a
directory or other publication. To fall within the exception one would have to conclude that by giving an
organization an email address, the person who provides the email address “causes” the organization to
publish it – which may be somewhat of a stretch.
[23] s. 82 (adding new s. 7.1(2) to PIPEDA)
[24] Short Message Service (SMS) is a text-based data communications service typically used in
connection with cell phones and smart phones.
[25] ss. 6(2) and 11(1)
[26] s. 11(1).
[27] s. 10(1).
[28] For a real life example of an entrepreneur who recently used Twitter service as a pivotal aid in
launching a new business, see: www.thestar.com/business/smallbusiness/article/985678–twitter-
marketing-word-of-mouth-on-steroids
[29] s. 1(3). It does not appear that this approach would fall within any of the existing exceptions including
the exception for inquiries (s. 6(5)(b)). The message would be an inquiry, but would not necessarily be an
49
inquiry related to the commercial activity of the recipient. It would not fall into the employment benefits
exception either. (s. 6(6)(e)).
[30] s. 10(1). The upcoming regulations are expected to address the identification information that will be
required.
[31] Other innovative businesses also use variations on the “refer a friend” business model.
[32] s. 6(5)(a)
[33] s. 9
[34] s. 12(1)
[35] Consents obtained under PIPEDA cannot be relied upon given PIPEDA recognizes opt-out consents
in many circumstances.
[36] Technically, the fines are referred to as “administrative monetary penalties”. Quaintly, FISA states
that these penalties are “to promote compliance” but not “to punish”. See s. 20.
[37] s. 20(5)(a)
[38] s. 52. Note that there is a “due diligence” defence that may be available in some cases to companies
and their staff. See s.54(1)
[39] s. 51(1)
[40] s. 48(1)
[41] As an example of the CRTC’s press releases when it punishes offenders of the do-not-call regime,
see www.crtc.gc.ca/eng/com100/2010/r101217.htm
[42] s. 9
[43] ss. 32 and 53
[44] ss. 31 and 52
[45] See s. 2(b) of the Charter.
[46] See RJR-MacDonald Inc. v. Canada (Attorney General), [1995] 3 S.C.R. 199; Rocket v. Royal
College of Dental Surgeons of Ontario, [1990] 2 S.C.R. 23.
[47] s. 6(5)(c)
[48] s. 10(9)(d)
50
Electronic Commerce Protection Regulations – Much Work Remains
http://www.barrysookman.com/2011/09/20/electronic-commerce-protection-regulations-
%e2%80%93-much-work-remains/
September 20th, 2011 by Lorne Salzman and Barry Sookman
Canada’s new anti-SPAM/anti-malware law, or CASL, was passed by Parliament in late 2010. The draft
Electronic Commerce Protection Regulations, which were intended to clarify and flesh out the law, were
published for public consultation earlier this summer. Fifty-seven organizations and individuals filed
comments by the September 7, 2011 deadline. The message from these commentators is clear: while all
support the goal of reducing unwanted commercial electronic messages (CEMs) and malware, the draft
regulations miss the mark, and much work remains before CASL can be proclaimed into law.
The CRTC and Industry Canada initiated the public consultation process by issuing the draft regulations
in June and July 2011 respectively. Each organization published their own draft regulations as each has
distinct regulation-making powers under CASL. The CRTC promptly published on its website all the
comments that it received. Industry Canada indicated it will follow suit shortly. That said, most of the
commentators submitted combined comments on the two sets of draft regulations, and thus the CRTC
filings give a good picture of what has been submitted to Industry Canada as well.
Fifty-seven trade and public interest organizations, businesses, and individuals filed comments with the
CRTC. Most of the commentators represented Canadian businesses, large and small. Many industry
associations filed comments, including: Association of Canadian Advertisers (ACA), Association of
International Automobile Manufactuers of Canada (AIAM), Canadian Bankers Association, Canadian Bar
Association (CBA), Canadian Chamber of Commerce, (The Chamber), Canadian Federation of
Independent Business (CFIB), Canadian Life and Health Insurance Association (CLHIA), Canadian
Manufacturers & Exporters (CME), Canadian Marketing Association (CMA), Canadian Real Estate
Association (CREA), Canadian Vehicle Manufacturers’ Association (CVMA), Canadian Wireless
Telecommunications Association CWTA), Direct Sellers Association of Canada (DSAC), Entertainment
Software Association of Canada (ESAC), The Financial Advisors Association of Canada (FAAC),
Information Technology Association of Canada (ITAC), Insurance Bureau of Canada (IBC), Investment
Industry Association of Canada (IIAC), Magazines Canada, Ontario Telecommunications Association
(OTA), Retail Council of Canada (RCA), and The Investment Funds of Canada (IFC). A number of
individual businesses also submitted comments, including: AVLA Audio-Video Licensing Agency Inc.
(AVLA), Bell Canada, Johnson & Johnson Family of Companies in Canada (J&J), Microsoft Canada Inc.
(Microsoft), Primerica Financial Services, Re:Sound, Research In Motion Limited (RIM), Rogers
Communications Partnership (Rogers), Shaw Cablesystems G.P. (Shaw), Tbaytel, TELUS
Communications Company (Telus), and Wells Fargo & Company. Together these organizations represent
hundreds of thousands of Canadian businesses.
Two consumer organizations filed comments: Public Interest Advocacy Centre/ Option consummateurs
(PIAC) and Union des consummateurs.
Some individuals also filed comments. Among them, we personally filed detailed comments with the
CRTC and Industry Canada. These comments followed on from an earlier paper that we published
suggesting that CASL needed rethinking.
51
Canadian businesses all agreed with the goal of reducing unwanted CEMs, or “SPAM”, and malware, but
most expressed concern that the proposed regulations contain significant problems that need to be
addressed. In some cases, the problems are those of omission, namely failure to set out needed
exemptions or needed clarifications. In other cases, the regulations impose requirements that are
unworkable or unduly cumbersome and expensive to operate.
The purpose of this paper is to briefly describe and summarize the key positions parties submitted in their
filings with the CRTC, with a particular focus on the concerns expressed by Canadian businesses and
their representative associations. Distilled to the essence, their comments identify the following concerns:
1. Although all parties support the goal of reducing SPAM and malware, most considered that the draft
regulations fail to address the overreach inherent in CASL. Consequently, CASL plus its regulations are a
disproportionate response to the acknowledged problems of SPAM and malware.
2. Although many commentators had expected that the proposed regulations would target truly offensive
conduct under CASL and, as well, clarify ambiguities, thereby enabling the law to better meet the
Government’s objectives, this has not occurred. The proposed regulations fail to set out worthwhile
classes of exempt conduct, and they impose extra compliance costs that many businesses found
troubling.
3. Under CASL and the proposed regulations, some inoffensive communications will become illegal, an
overreach that will invite challenges under the freedom of speech provisions of the Canadian Charter of
Rights and Freedom, with unpredictable results.
4. The proposed regulations do not remedy the concerns that CASL will hinder the start up and growth of
small business.
5. The proposed regulations do not look beyond CASL’s “email-focused” model and consequently they
fail to fit well with other messaging systems. As a result, CASL is not technologically neutral in its
regulatory approach.
6. The proposed regulations fail to address messaging systems where SPAM is not a problem, such as
Common Short Code Messaging, Opt-in Instant Messaging and similar systems, and where the additional
regulation would impose costs, be impractical or impossible to comply with.
7. The proposed regulations fail to address CASL’s territorial overreach, and the consequent risk to
investment and innovation in cloud computing and outsourcing in Canada.
8. The proposed regulations fail to properly clarify what is included under the definition of a CEM, thereby
subjecting non-CEMs to CASL’s unsubscribe and formality requirements.
9. The proposed regulations fail to recognize the value of other, reasonable, approaches to obtaining
consent to send CEMs, such as under existing PIPEDA rules.
10. The proposed regulations fail to clear the confusion in CASL between holders of message accounts
and recipients of messages.
11. The proposed regulations stipulate that requests for consent be in writing, a requirement that is both
limiting and, in some cases, impractical.
12. Most commentators criticized as unworkable the CRTC’s proposed regulation which requires that
each CEM and each request for consent to send a CEM include the physical and mailing address, a
52
telephone number providing access to an agent or a voice messaging system, an email address and a
web address of the sender and any other electronic address used by the sender.
13. The CRTC’s proposed regulation requiring that each request for consent include a statement that a
consent can be withdrawn using any of the mandatory contact information is contrary to CASL and is
unworkable. It would require organizations to monitor physical and mailing addresses, a telephone
number, an email address and a web address and any other electronic address used by those persons.
14. The CRTC’s proposed regulation is unworkable where it requires that request for consent must be
sought separately for each act described in sections 6 to 8 of CASL.
15. The CRTC’s proposed regulation permitting prescribed information to be made available on the web
is not a practical or technologically neutral solution to the disclosure requirement problems created by
CASL and the proposed regulations.
16. The proposed regulations fail to accommodate a business that does not maintain a web site from
receiving unsubscribe requests. Further, the CRTC’s proposed regulation requiring the unsubscribe
mechanism be performed in no more than two clicks is not technologically neutral or workable in many
circumstances.
17. The heightened consent requirements in Section 5 of the draft CRTC regulations for computer
programs that perform one of the functions listed in Section 10(5) is unworkable. It is impractical to
require that such consents be in writing or to require the ser provide an acknowledgement. Further, there
are many circumstances in which meeting these requirements would be either technically or commercially
unfeasible.
18. Certain of the CRTC’s proposed regulations may be beyond the CRTC’s authority under CASL.
In the following, we expand on the concerns with the proposed regulations that have been identified by
Canadian businesses and their representatives.
1. Although all parties support the goal of reducing SPAM and malware, most considered that the draft
regulations fail to address the overreach inherent in CASL. Consequently, CASL plus its regulations are a
disproportionate response to the acknowledged problems of SPAM and malware.
Although commentators agreed that containing the flood of SPAM and malware is desirable, CASL and
the proposed regulations will impose costs and inefficiencies on Canadians that exceed the benefits.
These costs and inefficiencies are significant. They are not just the substantial compliance costs that
Canadian businesses must bear. They extend to impeding the use of electronic means of communicating,
putting Canadian businesses at competitive disadvantages to their foreign competitors, retarding the
growth of small and start-up businesses, and potentially limiting the use by Canadian businesses of
modern messaging platforms.
A key source of the problem is the design of CASL. Its approach is to forbid practically all commercial
electronic messages, and then prescribe certain exemptions in both the law and the regulations. Thus,
rather than targeting truly offensive conduct in the first place, the law and proposed regulations are based
on the sweeping proposition that, in effect, nothing is permitted except that which is specifically allowed.
CASL takes the same prohibitory approach to regulating the installation of computer programs on
computers, mobile phones, tablets and other devices.
The Chamber, which represents over 192,000 Canadian businesses, had this to say:
53
“The Act and proposed Regulations do not adequately balance the objective of preventing
unwanted, or harmful behaviour with the objectives of ensuring that perfectly legitimate acts are
not made illegal, and preserving the vitality of the Internet for electronic commerce. Furthermore,
they introduce conflicting or unnecessary regulatory regimes that needlessly impose significant
costs on legitimate business.”
”The overly broad language in both the Act and the proposed regulations could circumscribe
legitimate business-to-business activities and inadvertently impact businesses ability to deliver
products and services to consumers.”
“The over-broad scope of the Act and proposed Regulations, the lack of exceptions for socially
valuable activities, unwieldy consent requirements, administrative monetary penalties and
statutory damage provisions that have little relation to actual harm suffered may collectively have
the opposite effect: rather than promoting Canada’s digital economy, the Act and proposed
Regulations may actually create significant impediments to electronic commerce and the
development of the digital sector.”
The Canadian Federation of Independent Business (CFIB) which represents over 108,000 small business
owners from coast-to-coast commented as follows:
“This new level of regulation and oversight on industry seems contrary to the government’s stated
objectives to encourage entrepreneurial growth and reduce the regulatory burden”, based on their
announcements earlier this year designating 2011 the Year of the Entrepreneur, and the creation
of the Red Tape Reduction Commission to tackle red tape”.
The Canadian Wireless Telecommunications Association (CWTA) is the authority on wireless issues,
developments and trends in Canada. It represents cellular, PCS, messaging, mobile radio, fixed wireless
and mobile satellite carriers as well as companies that develop and produce products and services for the
industry. It had this to say:
“The Act and the proposed Regulations are highly prescriptive and create a high degree of
regulation for legitimate commercial messages. This will result in significant compliance costs for
businesses that communicate with their customers electronically”.
“No one wants to permit true spammers to continue operating unfettered, but it would be
antithetical if the result of the Regulations were to dampen bona fide electronic business
activities”
The Entertainment Software Association of Canada (ESAC) represents Canada’s leading interactive
entertainment software publishers and distributors, which collectively accounted for more than 90 per cent
of the $2 billion in entertainment software and hardware sales in Canada in 2009. It stated as follows:
“We are deeply concerned that the extremely broad application of the Act to all forms of electronic
messaging and software, the often onerous and inflexible requirements and the potential for
massive, multi-million dollar liability for inconsequential breaches, will have a negative impact on
the growth of electronic commerce in Canada that outweighs the benefits.”
2. Although many commentators had expected that the proposed regulations would target truly offensive
conduct under CASL and, as well, clarify ambiguities, thereby enabling the law to better meet the
Government’s objectives, this has not occurred. The proposed regulations fail to set out worthwhile
54
classes of exempt conduct, and they impose extra compliance costs that many businesses found
troubling.
In introducing CASL at second reading, Minister Clement stated that CASL’s purpose “is not to limit
legitimate online business. It is to promote electronic commerce by increasing confidence in the use of
the Internet to carry out business transactions”. CASL was passed to “deter the most damaging and
deceptive forms of SPAM from occurring in Canada and help drive spammers out of Canada”[3] and to
encourage the use of electronic means to carry of commercial activities.[4] These goals were intended to
be accomplished without negatively impacting legitimate businesses that use electronic means to market
their products and services to Canadians.[5]
With appropriate regulations, CASL could go a long distance to achieving its goal of deterring the most
damaging and deceptive forms of SPAM and help drive spammers out of Canada. However, virtually all
business commentators contended that the proposed regulations miss the mark. They do not address the
issue of overreach by establishing categories of exempt conduct. Moreover, the proposed regulations add
to the difficulty and cost of compliance with CASL.
The costs and inefficiencies are significant. They are not just the substantial compliance costs that
Canadian businesses must bear. They extend to impeding the use of electronic means of communicating,
putting Canadian businesses at competitive disadvantages to their foreign competitors, retarding the
growth of small and start-up businesses, and potentially limiting the innovation and use by Canadian
businesses of modern messaging platforms.
The Canadian Marketing Association (CMA) is the national voice for Canada’s marketing community. It
stated the following about the regulations:
“The proposed rules, as well as those published by Industry Canada, are problematic,
cumbersome and ultimately serve to negatively impact legitimate marketing practices in Canada
with consequent negative economic impact.”
The Canadian Bankers Association represents over 50 banks and lending institutions in Canada. The
association was critical of the proposed regulations, stating as follows:
“The stated goal of the CRTC Draft Regulations is to clarify the required content and form of
commercial electronic messages (“CEM”) and the request for consent under the Act. It is
disappointing, however, and a cause for concern, that the CRTC Draft Regulations do not
address some of the operational challenges created by the requirements of the Act”
“Several additional requirements and a number of undefined terms have been introduced in the
CRTC Draft Regulations that we believe are problematic for business, exceed best marketing
practices, do little to protect customers from SPAM or malicious software and, therefore, should
be reconsidered”.
“Our members anticipate significant planning and resource implications with respect to the
implementation of the Anti-SPAM Act and the related Regulations (particularly with respect to
technology systems and processes).”
Commentators strongly proposed that Industry Canada use the broad regulatory powers conferred on the
Governor in Council by Section 64(1) to fix CASL to enable it to a achieve its objectives. The Chamber
stated as follows:
55
“Several of the most problematic and unwieldy requirements imposed by the Act can be
addressed by the introduction of judicious regulation that provides ‘greater flexibility and exempts
legitimate forms of electronic communications.”
“The more details that the CRTC can provide, through regulations or interpretation guidelines,
and the more flexibility that is added to the regime, the less the impact on legitimate businesses
and the smoother the transition to the new regime will be, especially for small businesses across
Canada.”
“Using the regulations to achieve a reasonable balance of costs and benefits will be critical if
unintended impacts, such as deterring suppliers of services, impeding businesses from
developing new marketing strategies involving electronic communications and creating material
costs and restrictions on enterprises carrying on business in Canada, are to be avoided.”
3. Under CASL and the proposed regulations, some inoffensive communications will become illegal, an
overreach that will invite challenges under the freedom of speech provisions of the Canadian Charter of
Rights and Freedom, with unpredictable results.
CASL prescriptive approach to regulating commercial speech will see the banning of all commercial
electronic messages unless they are sent with express consent, or a consent which falls into an exclusive
list of exceptions for which consent is deemed to be implied or not to be required and unless they comply
with onerous, and sometimes impossible to meet, form, disclosure, and unsubscribe requirements. This
wide regulatory sweep is bound to impinge on legitimate and beneficial commercial speech thereby
raising concerns as to compliance with the Canadian Charter of Rights and Freedoms.
RIM, one of Canada’s leading telecommunications companies, articulated this concern as follows in a
brief that thoroughly commented on the proposed regulations:
“RIM notes that CASL’s approach to SPAM is to broadly prohibit the sending of all CEMs unless
the messages are sent with express consent or fall into an excluded category. It does not prohibit
just the sending of only unwanted, false, fraudulent, misleading or otherwise harmful messages.
Its “ban all unless allowed” structure guarantees that some legitimate and useful commercial
speech will be become illegal. This restriction on legitimate CEMs, ultimately when challenged,
will have to pass the scrutiny of the Canadian Charter of Rights and Freedoms. The limits on
commercial speech imposed by CASL must be reasonable and justified, with minimal impairment
of the free speech right and with the limits on free speech being in proportion to the harm that is
being targeted.”
“In order to be consistent with the Charter and the intent of Parliament, the government must take
steps in the regulations to ensure that legitimate online commercial activities are not
unnecessarily hindered by CASL, while at the same time curtailing real and harmful SPAM.
Unchanged, CASL will not achieve, and would undermine, some of its most important objectives.”
4. The proposed regulations do not remedy the concerns that CASL will hinder the start up and growth of
small business.
Under CASL, it will be illegal to send a commercial electronic message unless the individual or business
sending the message establishes and maintains a web site to receive unsubscribe requests. [6] Under the
proposed CRTC regulations, the individual or business would have to have a physical and mailing
56
address, a telephone number, an email address and a web address if it wants to obtain consents to send
out CEMs or to send out a CEM. Not every individual or small business can meet these requirements.
Unlike established companies, start-up companies also do not have a ready list of electronic contacts
they can approach to market their products and services. Rather, they have to develop electronic lists
from a variety of sources and use them to launch their products. Although few would find these activities
offensive, they will all be potentially problematic under CASL. Rather than using electronic
communications, business start-ups will be forced to send their messages using the post or other more
expensive and less convenient and efficient mechanisms, or limit the persons to whom they can send
messages to the limited exception that permits use of conspicuously published e-mail addresses.
CFIB expressed its concern as to the impact of CASL and the proposed regulations on small businesses
as follows:
“The proposed regulatory regime “may make it more difficult for smaller businesses to start up
and grow and may even hinder some small-and medium-sized enterprise (SME) members from
providing better and more customized products for their clients”.
“The Draft Regulations propose that all communications must contain the following: the names of
every party involved, physical and mailing address, a telephone number, an email address and a
web address.
The assumption is that every single business in Canada has a website, however only about half of small
businesses have a website yet two-thirds use the web as part of their business.
Newer businesses trying to increase their customer base and garner revenue might not be able to initially
spend money on a new website, but this requirement will force them to take time and money away from
their priorities to comply with the rules”.
The Canadian Real Estate Association (CREA) is one of Canada’s largest single-industry trade
associations, representing more than 100,000 real estate Brokers/agents and salespeople working
through more than 100 real estate Boards and Associations. It stated the following:
“The Draft Regulations raise compliance to impractical levels for small businesses and their
clients, and they go beyond the scope and jurisdiction provided by the government to the CRTC.”
“The CRTC regulations are “putting up unreasonable barriers to legitimate commerce and
eliminating legitimate business tools and communications practices for small business. As a
result, small business will be impeded and opportunities will be lost.”
“The requirement for senders of requests for consent and CEMs to include a web address
effectively excludes persons unless they have a website.”
“Not all businesses that use email have websites – particularly small businesses – and to require
a website is unnecessary, unfair, and costly. In addition, consumers wishing to seek consent on
behalf of another person would be prevented from doing so unless they had a web address.’
5. The proposed regulations do not look beyond CASL’s “email-focused” model and consequently they
fail to fit well with other messaging systems. As a result, CASL is not technologically neutral in its
regulatory approach.
57
Although CASL is supposed to be technologically neutral, applying broadly to all electronic means of
sending electronic messages, the CASL regulatory regime is modelled on regulating electronic messages
that are sent as emails. This focus on emails means that other forms of electronic messaging, such as
instant messaging and those through social networks, do not easily fit within the CASL framework. As a
result, Canadian businesses that wish to exploit new and developing alternative electronic messaging
systems will be impeded by CASL.
The CMA noted this problem as follows:
“In addition, there seems to be an underlying assumption that email communication is the sole or
primary form of electronic communication covered by the Anti-SPAM Act.
Notwithstanding the additional detail included in the CRTC Draft Regulations, we believe they fall short of
properly accommodating other forms of electronic communication (e.g. SMS communications, instant
messaging, text messaging).
Digital communications continue to evolve. To be relevant, the statutory framework needs to “fit” with new
and emerging digital constructs including SMS messages and social media based communications, and
be flexible enough to accommodate future technologies.
The technologically specific regulatory requirements of CASL are also discussed below.
6. The proposed regulations fail to address messaging systems where SPAM is not a problem, such as
Common Short Code Messaging, Opt-in Instant Messaging and similar systems, and where the additional
regulation would impose costs, be impractical or impossible to comply with.
The CASL regulatory regime is modelled on regulating electronic messages that are sent as emails. This
focus on emails means that other forms of electronic messaging, such as those sent using opt-in
messaging systems like RIM’s BBM, other social networks, and short form messaging systems like Short
Code Messages social networks, do not easily fit within the CASL framework. Users who use opt-in
messaging networks will face risks of offending CASL, and operators could face risks of aiding conduct
that is contrary to CASL.
Social networks often operate under rules enforced by contract and by an administration that monitors
and enforces compliance. As such, there are mechanisms in place to control unwanted commercial
electronic messages. Where such protections are in place, CASL’s requirements are not needed, and can
be counter-productive. Faced with the risks of offending CASL, Canadian businesses will be wary of
developing (or continuing to offer) innovative business models or implementing similar models that are
legal in other countries such as the United States.
Numerous commentators asked for new classes of exceptions for these messaging systems. The CWTA
stated the following on this point:
“The Act, and therefore the Regulations have been framed on the basis that every Commercial
Electronic Message will be an email. For CWTA’s membership, this drafting bias causes a
considerable challenge for compliance.”
“Compliances with the form requirements in the Act in the context of CSC messages could be
exceedingly challenging in light of the severe constraints on message size (typically 136 or 140
characters )”.
58
Telus which filed a very comprehensive brief to both sets of regulations, for example, stated the following:
“By imposing an additional layer of regulation on top of existing governance regimes, CASL
threatens to reduce the utility of certain modem messaging platforms, without having a material
impact on the volume of SPAM experienced on those platforms (which is typically none). These
platforms, such as BlackBerry Messenger (BBM) and Common Short Code (CSC) SMS text
messaging, are inherently opt-in environments with existing anti-abuse rules and tools that
empower users to protect themselves from unwanted messages (in the unlikely event that they
should receive any).”
“Application of CASL in these circumstances [where Canadians are already protected by other
regimes, such as through contractual arrangements] would add an unnecessary and inefficient
layer of regulation that would have little to no effect on actual SPAM or malware, and, to the
contrary, could actually reduce the utility (and/or increase the cost) of electronic messaging and
software installation for legitimate purposes.”
RIM made the following submission on this point:
“Some messaging platforms are “closed” such that users can only receive messages from others
in an opt-in contact list. For example, BlackBerry Messenger (BBM) is a strictly opt-in system.
That is, users specifically invite contacts, or accept requests from contacts, before any messages
can be sent between them. As these messaging systems will not allow messages from senders
that the user has not pre-approved, these types of “closed” platforms should be exempted from
the requirements of CASL.
“RIM recommends such an exemption for at least three reasons. First, the user has already
consented to receiving messages. Second, the user has the ability to “unsubscribe” using system
tools. Third, users would find it a burden and unnecessary to comply with the consent, form,
disclosure and unsubscribe requirements, especially given the short message format and the
informality associated with this type of messaging system. Section 2(2) of the CRTC Regulations
does not provide a practical solution to complying with the form requirements of Section 6(2) of
CASL over social networks such as BBM. We also note that there is no equivalent to Section 2(2)
of the CRTC Regulations in Section 4 of the CRTC Regulations to help address obtaining
consents under Section 10(1) or 10(3) of CASL in similar circumstances.”
7. The proposed regulations fail to address CASL’s territorial overreach, and the consequent risk to
investment and innovation in cloud computing and outsourcing in Canada.
CASL applies to commercial electronic messages that are sent from computer systems in Canada to
recipients outside of Canada. As such CASL imposes the Canadian standards of disclosure, consent and
unsubscribe on non-Canadians. This will inevitably discourage the use of Canadian facilities for activities
that are perfectly lawful in other countries.
The problem is particularly troubling where companies rely on cloud computing. Under cloud computing, a
company can use a variety of servers in a variety of locations to perform computing work, including the
sending of messages. The location of the server sending particular messages may vary, depending on
demand and other factors. Under CASL, however, cloud computing activities that are undertaken in
Canada must comply with the CASL requirements, even where the recipients of the messages are
located outside Canada. Faced with this regulatory imposition, companies will be discouraged from
59
operating in Canada. As such, those computer activities, and the jobs and other economic spin-offs that
result, will be lost to Canada.
The Information Technology Association of Canada (ITAC) is the voice of the Canadian information and
communications technologies (ICT) industry. Its member companies account for more than 70 per cent of
the 572,000 jobs, $140.5 billion in revenue, $6.0 billion in R&D investment, $31.4 billion in exports and
$11.4 billion in capital expenditures that the ICT industry contributes annually to the Canadian economy.
ITAC is a prominent advocate for the expansion of Canada’s innovative capacity and for stronger
productivity across all sectors through the strategic use of technology. ITAC had the following to say
about this problem.
“Given that section 6 of CASL will apply when a computer system located in Canada is used to
send or access a CEM, CASL will impact a range of business decisions that could have
unintended negative effects on the competitiveness of a wide range of Canadian technology
companies. At least three scenarios can be contemplated.
First, Canadian multi-national companies sending messages to non-Canadian customers are
incented to use vendors located outside Canada to send those messages, because otherwise the
messages will have to comply with CASL. This would result in service jobs leaving the country.
ITAC understands that some Canadian organisations that are already contemplating moving their
foreign market-related messaging operations outside Canada.
Second, foreign companies deciding where to locate server farms and other facilities related to
cloud computing that could be used to send messages or provide services on behalf of vendors
located anywhere in the world, to customers located anywhere in the world, may choose against
Canada because of the extra cost of complying with CASL. That would have significant
unintended negative consequences for the growth of cloud computing in Canada.
Third, Canadian providers of outsourced services to non-Canadian businesses will be at a major
disadvantage compared to competitors in other countries. By selecting foreign service providers,
the foreign entities can avoid the costs and complications of complying with CASL.”
8. The proposed regulations fail to properly clarify what is included under the definition of a CEM, thereby
subjecting non-CEMs to CASL’s unsubscribe and formality requirements.
Many organizations expressed concerns that CASL deems service, transactional, informational and other
messages to be CEMs, even when they do not by any reasonable interpretation encourage participation
in a commercial activity. This expansion of CASL is due to paragraph 6(6) of CASL which describes a
range of messages which it exempts from the consent requirements without also exempting them from
CASL’s unsubscribe and formality requirements. The problem is that these messaging types would, in
many cases, not be considered CEMS in the first place, but the wording of section 6(6) appears to deem
them to be so. Not only does this confuse what is or is not a CEM, but message recipients will be enabled
to unsubscribe from receiving non-CEMs, a requirement that would create considerable operational
problems for organizations wanting to do business electronically including those that have contracted with
their customers to do business that way. Organizations will need to develop and operate, at additional
cost and expense, non-electronic ways of communicating with third parties. In some cases, it could even
make it illegal for organizations to deliver messages electronically, even though they are required to do so
under other legislation.
60
The CMA stated the following in this regard:
“A fundamental issue with CASL is that of its scope. The definition of commercial electronic
message (CEM) is sufficiently wide that it is conceivable to argue that any and all electronic
communication is commercial in nature. This thereby imposes strict, and costly if not followed
correctly, rules on the delivery of all electronic messages. CASL further confuses the issue by
clearly defining CEM In Section 1(2), exempting certain messaging from consent requirements In
Section 6(6), but still requiring that they meet the unsubscribe requirements laid out in Section
11(1).”
The Canadian Bankers Association addressed this point as follows:
“We note that, while the categories of messages listed in subsections 6 (6) (a) through (f) are
exempt from the consent requirements in subsection 6 (1) (a), it seems that some non-marketing
messages may still be subject to the form and content requirements listed in subsection 6 (2) of
the Anti-SPAM Act and further detailed in the CRTC Draft Regulations.”
“We believe that this is a serious problem with the Anti-SPAM Act, and one which we had hoped
would be addressed through the Regulations. We are concerned, in particular, that subsection
6(6) of the Anti-SPAM Act implies that customers have the ability to opt-out of receiving essential
service messages (e.g. messages that confirm transactions, or that provide warranty, product
recall, safety or security information). We do not believe this was the intent of the legislation”.
“Under a variety of legislation, including the Bank Act, and provincial securities legislation,
financial institutions are largely required to send specific information to their customers and these
types of messages, if sent electronically, should not be regarded as CEMs covered by the Act”.
Telus, which along with the Canadian Bankers Association dealt with this issue in depth, added a further
concern as follows:
“There may be circumstances in which a business might be mandated by law to send certain
information or a certain type of message to its customers and/or the public. This might have to do
with public safety, consumer protection, or some other form of regulation. As it stands now, given
that section 6(6) deems a wide range of messages to be CEMs, there is a risk that compliance
with a legal regime that mandates the sending of certain messages which the CRTC might
consider to be CEMs would put the sender in violation of CASL.”
9. The proposed regulations fail to recognize the value of other, reasonable, approaches to obtaining
consent to send CEMs, such as under existing PIPEDA rules.
Many companies have previously determined that they had consent to send commercial electronic
messages, either because express consent had been given or because it was a reasonable expectation
of the recipients. Indeed, making such determinations would have been part of their compliance with
PIPEDA.[7] These companies now face the need to check that the names on their list of consenting
recipients all either comply with the express consent requirements of CASL, or fit under one of the few
implied consent categories. This can be a daunting and expensive task, given that these lists were
assembled over time and they may be quite extensive. Many commentators questioned the obligation to
comply on an ongoing basis with two overlapping regulatory regimes with the attendant expense of doing
so.
61
The CMA made the following submission on this point:
“As a result of potential contradictions with existing privacy law, the new regime may disqualify
entire databases of personal contact data obtained using responsible consent processes which
meet, and in some cases exceed, the requirements of the Personal Information and Protection of
Electronic Documents Act (PIPEDA). The failure to grandfather existing databases that meet the
requirements of PIPEDA will not reduce the amount of SPAM messages Canadians receive, but
will in turn create a massive financial burden on Canadian organizations.”
The ESAC stated the following:
“The exception for implied consent in the Act is quite narrow and specific, and in light of the
diversity and rapidly changing nature of business communications there is a very significant risk
that a CEM could violate the provision and subject the sender to considerable liability even if
consent could reasonably be inferred from the circumstances simply because it did not happen to
fall within the narrow definition of “existing business relationship”. Furthermore, this inflexible
approach is not only inconsistent with the approach adopted in other jurisdictions, where implied
consent can generally be inferred from the conduct, the nature of the business, and the other
relationships of the intended recipients without limiting it to prescribed circumstances/ but also
with the Personal Information Protection and Electronic Documents Act (PIPEDA), which deems
that consent can be implied where consent may reasonably be inferred from the action or inaction
of the individual.” This creates a significant inconsistency between federal legal regimes intended
to govern relationships with end users. Recognizing implied consents that would be valid under
PIPED would resolve this issue and further render the implied consent regime under the Act
consistent with PIPEDA and other jurisdictions.”
Some commentators are concerned that the closed categories of implied consents are too narrow and
would impede legitimate, recognized and desirable ways of doing business. For example, Re:Sound, a
copyright collective that represents performers and makers of sound recordings, noted that the definition
of the term “existing business relationship” does not include organizations that collectively license
copyright materials under tariffs certified by the Copyright Board. Canada’s copyright collectives which
administer rights on behalf of hundreds of thousands of Canadian artists, composers, performers or other
rights holders would not be able to use many of the publically available materials PIPEDA excludes from
its consent requirements because these exclusions are not carried forward into CASL.
Other commentators noted the failure by the proposed regulations to exempt referral relationships which
are the life blood of many business and professional opportunities.
CREA noted this omission saying the following:
“Canada’s anti SPAM legislation already places an onerous burden on a person making a referral
to act as an intermediary beyond the initial referral, requiring them to obtain consent on behalf of
the professional. However, when combined the requirement for consent to be in writing, as set
out in the draft CRTC regulations, the regime places an “unreasonable and impractical
responsibility on the intermediary and adds insurmountable barriers to the referral process”.
“In practice, it is highly unlikely that a client would be willing to seek consent from the person they
are referring once they become aware of their obligations to provide the information proposed in
the CRTC Regulations, including: the need for the intermediary to identify in writing the
62
professional’s name, business name, mailing address, telephone number, web address and all
electronic addresses belonging to the professional”.
The CFIB made a similar criticism of the lack of an exception for referrals:
“The requirement to have any referral in writing could cause a small business to choose between
non-compliance and a much more difficult, and time-consuming process, thereby putting small-
and medium-sized enterprises in a difficult position and making them less competitive.”
“The process as described in the proposed regulations is not realistic for today’s rapidly changing
business.”
10. The proposed regulations fail to clear the confusion in CASL between holders of message accounts
and recipients of messages.
CASL prohibits sending CEMs unless the person to whom the message is sent has consented to
receiving it, whether the consent is express or implied.[8] CASL states that “a reference to the person to
whom an electronic message is sent means the holder of the account associated with the electronic
address to which the message is sent, as well as any person who it is reasonable to believe is or might
be authorized by the account holder to use the electronic address.”[9]
CASL imposes an unworkable burden in determining who must consent to receiving a CEM in
circumstances in which the holder of an account is different from the person to whom the message is
sent. For example, in business to business communications in which organizations operate, or outsource
the operation of, accounts, consents could conceivably be required both from someone in authority in a
business as well as the intended recipient.
This double requirement poses additional challenges in considering whether a person has an implied
consent to send a CEM. The existing and non-business relationship exception, for example, requires the
person who sends the message to have an existing business relationship or an existing non-business
relationship with the person to whom it is sent.[10] This could potentially require existing relationships
with both the organization and employees of the organization. This double standard is unlikely to be made
out in most cases, unless an inference can be made that a transaction such as a sale to an organization
is sale to its employees.
A similar problem exists with respect to the “conspicuously published” exemption.[11] It cannot
necessarily be assumed that a conspicuously published electronic address has been published by both
the account holder and the person whose electronic address is published.
11. The proposed regulations stipulate that requests for consent be in writing, a requirement that is both
limiting and, in some cases, impractical.
Section 4 of the CRTC proposed regulations requires that a request for consent be in writing, a
requirement that many commentators considered to be unworkable for many organizations and frustrating
for consumers.
The CWTA stated the following:
“The requirement that all requests for consent must be in writing is an onerous obligation for
legitimate marketers with questionable additional benefit to consumers. The requirement is also
inconsistent with requirements for express consent in other contexts.”
63
“In Telecom Decision CRTC 2003-33, the Commission found it appropriate to permit Canadian
carriers to use other forms of express consent as alternatives to written consent. The Privacy
Commissioner of Canada does not prescribe a method of obtaining express consent required
under the Personal Information Protection and Electronic Documents Act (PIPEDA). In fact,
guidance documents from the Office of the Privacy Commission clearly state that consent can be
obtained in person, by phone, by mail, via the Internet, etc, provided the person seeking consent
considers the reasonable expectations of the individual and the circumstances surrounding the
consent”.
CREA stated the following:
“The regulations, when combined with the general prohibition from the Act against obtaining
consent by email in situations where the sender does not have implied consent, results in a
prohibition against obtaining consent orally. This result, combined with the reality that
professionals often use electronic messages to follow up with consumers on earlier telephone or
in-person discussions, create restrictions that do not reflect the realities of business
communication.”
These restrictions would require professionals to write a letter or have consumers sign a document in
person to obtain consent. “This will slow the speed of business and result in lost opportunities while the
professional waits for a response in order to send an electronic message”.
HB Global Advisors Corp explained the impracticality of the “in writing” standard for consents as follows:
“In our view, the writing requirement will effectively preclude organizations from obtaining express
consent for the sending of Commercial Electronic Messages (“CEMs”) in person or over the
phone. By way of example, it is a common practice in the retail sector for express consents to be
obtained verbally at points of sale, at customer service desks or on the phone through customer
service agents. Once the regulations come into force, retailers and other organizations will
practically no longer be able to use these entirely legitimate means of obtaining express consent
of consumers, thus adversely impacting both business and consumers. Valid express consent
can be obtained orally under the Personal Information Protection and Electronic Documents Act
(“PIPEDA”) and provincial private sector privacy legislation, under the CRTC Unsolicited
Telecommunications Rules and at common law. In our view, there is no policy rationale for
imposing the burden of a writing requirement on organizations in the course of obtaining express
consent. Such a requirement, in and of itself, will not serve to advance the purposes of the Act in
any re In our view, the requirements of Section 4 of the Draft Regulations are unnecessarily
onerous and restrictive and will pose significant challenges for organizations seeking to obtain
express consent in compliance with the Act.”
12. Most commentators criticized as unworkable the CRTC’s proposed regulation which requires that
each CEM and each request for consent to send a CEM include the physical and mailing address, a
telephone number providing access to an agent or a voice messaging system, an email address and a
web address of the sender and any other electronic address used by the sender.
Numerous commentators objected to the CRTC’s proposed regulation that requires each request for
consent and each CEM to include “the physical and mailing address, a telephone number providing
access to an agent or a voice messaging system, an email address and a web address of the person
seeking consent and, if different, the person on whose behalf consent is sought and any other electronic
64
address used by those persons”.[12] Businesses considered that this inflexible approach requiring
detailed contact information would be inconsistent with CASL, would impose additional costs for
Canadian businesses and would cause confusion and frustration among consumers.
According to ITAC
“Meeting all of these requirements will be challenging for organisations, particularly when the
message is being sent on behalf of multiple third parties (such as dealers, resellers, franchisees
or affiliates).”
“Including each category of contact information is unnecessary, as section 6(2) of CASL already
requires the disclosure of information that would enable the recipient of a message to “readily
contact” the sender.”
“Including each category of contact information will discourage the use of electronic means to
conduct business, as many internet companies do not maintain a mailing address and telephone
number to receive written and oral communications from consumers, relying instead on electronic
communications.
The ESAC said the following:
“The wide range of contact information that must be provided under subsection 2(1)(d) is
impractical and excessive, and may not be applicable in some cases. The subsection assumes
that all businesses sending CEMs have both physical and mailing addresses, and telephone
numbers with voice messaging, and email addresses, and web addresses where they may be
contacted. While this will generally be true of large companies, many internet start-ups and
independent game developers operate entirely online and do not have physical addresses or
telephone numbers with voicemail. In order to comply with the Regulations, such legitimate e-
commerce businesses will be required to establish all these forms of contact, including a formal
address, which represents an unnecessary and burdensome cost to small early stage technology
companies and game development studios.”
PIAC was one of the few commentators to approve of requiring several modes of contact, although it too
questioned the need for the “any other electronic address” stipulation in Section 2(1)(d).
Numerous commentators were also critical of the requirement to provide “any other electronic address
used by those persons. This requirement was viewed as excessive. ESAC noted that the “requirement to
include all electronic addresses is excessive and will present a massive burden for all but the smallest
companies.” CREA made a similar comment stating: “strictly interpreted, a sender could be required to list
dozens of electronic addresses, which is clearly burdensome, unnecessary, and confusing to
consumers.”
13. The CRTC’s proposed regulation requiring that each request for consent include a statement that a
consent can be withdrawn using any of the mandatory contact information is contrary to CASL and is
unworkable. It would require organizations to monitor physical and mailing addresses, a telephone
number, an email address and a web address and any other electronic address used by those persons.
The Canadian Bankers Association described the problems with the proposed regulation as follows:
“Requiring the sender to include a list of “other electronic address[es]” is onerous and, in any
case, will be of limited use to recipients of CEMs since most Canadian financial institutions
65
operate thousands of electronic addresses, as the term is defined in the Act (e.g., individual e-
mail and telephone accounts assigned to employees), and these addresses change frequently.
“Requiring the sender to continuously monitor every one of these electronic addresses and other
Channels (e.g. mail. telephone, physical address) for withdrawals of consent for an extensive
time period, would be extremely difficult, if not impossible, to implement operationally”.
RIM summarized the problems as follows:
“Subsection 4(e) requires the sender to include a statement telling recipients that they can
withdraw consents using any of this contact information. This regulation is also beyond the power
of the Commission. As noted above, the unsubscribe mechanism is set out in subsection 11(1) of
CASL. The Commission does not have the power under that subsection to prescribe the
particular way in which businesses must permit individuals to unsubscribe to receiving CEMs.
But, requiring a statement telling recipients that they can withdraw consents using any of this
contact information would be an attempt to do indirectly what the Commission cannot do
directly… Lastly, this requirement will mandate that companies and their agents maintain multiple
mechanisms to collect these indications, making it inefficient and costly.
14. The CRTC’s proposed regulation is unworkable where it requires that request for consent must be
sought separately for each act described in sections 6 to 8 of CASL.
Section 4 of the proposed regulation requires that consent “must be sought separately for each act
described in sections 6 to 8 of the Act.”[13] Organizations such as the CLHIA pointed out that it is not
clear what is intended by “sought separately for each act.” Further, it points out that “It does not seem
unreasonable that a single request for consent could expressly identify more than one activity for which
the consent is being sought”.
The ESAC noted that the draft language suggests that consent must be obtained separately for each and
every occasion a message is sent or re-directed or software is installed. “This would effectively negate the
ability to obtain consent for future actions, and create an overwhelming burden for businesses (due to the
vast number of consents) and consumers (who would have to consent before receiving each and every
message).”
15. The CRTC’s proposed regulation permitting prescribed information to be made available on the web
is not a practical or technologically neutral solution to the disclosure requirement problems created by
CASL and the proposed regulations.
The draft CRTC regulations recognize the impracticality for many message types to comply with the form
and disclosure requirements of CASL. The short nature of many message types, such as instant or SMS
messages and those used over social networks could not accommodate the legal formalities mandated
by CASL.
The draft CRTC regulations purport to make it easier for short message types to comply with CASL’s
message form requirements by enabling users to provide prescribed information by using a link to a web
page on the World Wide Web that is clearly and prominently set out and that can be accessed by a single
click or another method of equivalent efficiency at no cost to the person to whom the message is sent.[14]
There are significant limitations with the approach taken. For example, there is no equivalent mechanism
in Section 4 of the draft CRTC regulations to enable users of instant messaging, SMS, or social networks
66
or similar networks to use a link to a web page to make the necessary disclosures to obtain consents
under Section 10(1) or 10(3) of CASL. Accordingly, given the limitations of those networks, it would be
problematic to seek consent to send a CEM using many modern messaging systems. Further, it requires
anyone seeking to use modern messaging systems to have and maintain a website. This will be
especially burdensome on individuals and small businesses. The solution will often not be practically
implementable because the character limitations on short messages cannot even accommodate even the
solution proposed. Nor can the link always be accessed in just “one click”. Moreover, the “one click”
proposal is not technologically neutral. As well, users of mobile devices would often have to pay data
charges and thus cannot be provided at no charge, thereby making the solution unworkable for one of the
fastest growing sectors of the communications marketplace. In any event, there are questions as to
whether it is realistic to impose the disclosure requirements on users of social networks.
The CFIB had the following to say about this solution to the disclosure problems created by CASL
“The assumption is that every single business in Canada has a website, however only about half
of small businesses have a website yet two-thirds use the web as part of their business.”
“Newer businesses trying to increase their customer base and garner revenue might not be able
to initially spend money on a new website, but this requirement will force them to take time and
money away from their priorities to comply with the rules”.
“The reference to a “single Click” in Subsection 2(2) implies that the “link to a web page on the
World Wide Web” is accessed using an Internet connection, but this is unclear, as is the meaning
of “another method of equivalent efficiency.”
“For example, is the provision of a toll-free telephone number which the text message recipient
may use to access the information a ‘method of equivalent efficiency’?”
ITAC said the following:
“Including all of the mandatory information on a single web page is impractical and unnecessarily
restrictive, particularly where a message is being sent on behalf of multiple third parties (such as
dealers, franchisees or affiliates) or using short messaging platforms. Links to additional
information should be permitted.”
The Canadian Bankers Association made the following comments on this point:
“We assume that the underlying purpose of the inclusion of the phrase “at no cost to the person
to whom the message is sent”, is to ensure that consumers are not charged by the sender to
access contact information of the sender or unsubscribe from a CEM.”
“However…there are data costs associated with many forms of digital communication (e.g. as
levied by ISP and mobile telephony service providers) over which a sender of a CEM has limited
knowledge and no control. The recipient of a CEM may subscribe to a ‘pay as you go’ mobile plan
that offers a bundle of minutes for a set fee, so every use of the mobile device results in a cost to
the user, even to dial a toll-free telephone number. Many data plans with Internet services for
mobile devices have a limit over which the user is charged fees to send additional messages or
for additional Internet access.”
ESAC made the following statement:
67
“Subsection (2) specifically requires that the information must be on a “web page” on the “World
Wide Web” that can be accessed by a “single click”. This is not a technologically neutral solution,
and effectively precludes the use of any non-web-based interfaces. The section essentially
dictates the form of communications technology companies are permitted to use. While
subsection (2) does permit information to be accessed by “another method of equivalent
efficiency”, the scope of this provision is unclear. It immediately follows the requirement that the
information be accessed in a “single click”, suggesting that the” method of equivalent efficiency”
only applies to the equivalent of a “click”. If it is intended to be applied more broadly, this must be
clarified.”
“The imposition of a “single click” limit is also problematic. There may be situations where it would
take 2 or more “clicks” to access the complete range of information that the Regulations require.
The fact that all of the prescribed information must be accessible at a “single click” is very
restrictive and inflexible, especially as a single extra “click” may result in significant punitive
measures against the sender.”
16. The proposed regulations fail to accommodate a business that does not maintain a web site from
receiving unsubscribe requests. Further, the CRTC’s proposed regulation requiring the unsubscribe
mechanism be performed in no more than two clicks is not technologically neutral or workable in many
circumstances.
Individuals and organizations cannot send CEMs or request a consent to send a CEM unless they have a
website to disclose the prescribed information and receive unsubscribe requests.[15] This will be onerous
for individuals and small businesses as well as users of social networks.
The requirements also cannot be met for all messaging systems including for messaging systems in
which the subscribe and unsubscribe mechanisms are under the control of a third party. It is also not a
technologically neutral solution.
The ESAC made the following comments on this draft regulation.
“While the Act and proposed Regulations appear to assume that only the sender controls the
transmission of a message, there are many circumstances in which the subscribe and
unsubscribe are actually under the control of a third party (often a messaging platform), and
where it is the user who determines the messages he or she wishes to receive. For instance, in
the case of CEMs sent via social networking sites such as FaceBook or Twitter, it is the social
networking site that establishes the unsubscribe process, and recipients themselves may
unsubscribe without any action required by the sender by simply “un-friending” or “un-following”
or adjusting their settings. Similarly, most mobile “apps” including mobile games include a setting
that permits users to switch notifications that could be construed as CEMs off.”
“The requirement that the recipient be able to unsubscribe in “two clicks” is not a technologically
neutral requirement and appears designed for email messages. Moreover, requiring that the
recipient be able to unsubscribe in “two clicks” is arbitrary. There may be situations where it
would take 3 or more “clicks” to complete the unsubscribe process. Given the potential penalties
associated with the Act, such a limit is punitive.”
68
“Not every communication device or medium to which messages are sent will be web-enabled.
Given the broad application of CASL to all digital technologies, this exception needs greater
flexibility to ensure technologically neutral application.”
The CMA stated the following:
“The restrictive form of the unsubscribe mechanism will effectively prevent the practice of allowing
recipients to select within a preference centre the types of messages to which recipients wish to
unsubscribe, as multiple clicks are typically necessary to allow for the narrowing of a subscription.
This valid practice should not be discouraged as it provides recipients with greater control over
the type of information they receive.”
“The use of the term “click” itself creates problems as it is not technologically neutral. The term
does not allow for the use of platforms such as mobile and tablet.”
“The number of permitted clicks is arbitrary and will result in existing senders of commercial
electronic messages that have otherwise legitimate unsubscribe mechanisms (i.e. that do not
require the recipient to provide a reason, or other types of information, to unsubscribe) having to
alter, at a cost, these mechanisms unnecessarily.”
The Canadian Bankers Association stated:
“The requirement that the unsubscribe mechanism be performed in no more than two “clicks”
does not reflect current industry standard.
At minimum, one click is needed to click on the link to move from the GEM to access the web
page which houses the unsubscribe mechanism, A second click is then needed to select
unsubscribe. A third click is often needed to “confirm” or “submit” the unsubscribe request”.
“A two click requirement may impact current industry practice where the recipient of a CEM is
directed to a web page to select his or her electronic communication preferences…”
The requirement “also appears to directly conflict with the requirement in subsection 11(1) (a) of
the Anti-SPAM Act to enable the recipient of a CEM to indicate his or her wish to no longer
receive “any specified class” of such messages. Depending on the scope of specified classes
offered by the sender of the CEM in the unsubscribe mechanism, it is likely that more than two
clicks would often be required in order to properly perform an unsubscribe mechanism”.
The comments also had considerable criticisms of CASL and the draft regulatory approaches to
regulating “spyware” and other malware. These include the following problems.
17. The heightened consent requirements in Section 5 of the draft CRTC regulations for computer
programs that perform one of the functions listed in Section 10(5) is unworkable. It is impractical to
require that such consents be in writing or to require the user provide an acknowledgement. Further,
there are many circumstances in which meeting these requirements would be either technically or
commercially unfeasible.
The ESAC provided extensive comments on this point.
“The requirement that any description of the specified functions listed in subsection 10(5) of the
Act be brought to the attention of the person from whom consent is being sought “separately from
any other information” is unclear. It suggests that this information must be included in a separate
69
notice. Section 10(4) of the Act already requires that consent for the installation of a computer
program that performs a specified function be separate and apart from the licence agreement, so
requiring an additional, separate notice is excessive, confusing and creates unnecessary
records.”
“The requirement that the consent be obtained, in writing, and include a specific
acknowledgement from the user that they understand and agree that the computer program will
perform the specified functions is deeply problematic. The only way to obtain the
acknowledgement of consent to a specific function will be to generate an electronic message to
be sent to the company. However, this would constitute installing a computer program that
causes an electronic message to be sent, which is also prohibited and for which a separate
consent will be required. This will multiply the number of consents that must be obtained, which
will be extremely onerous for business and overwhelming to the consumer. Further, in the event
that a consumer declines to consent to the transmission of the acknowledgement, the company
will be unable to comply with the requirement and thus be penalized for not obtaining the required
acknowledgement in writing, when the reason for doing so was outside their control.”
“There are many circumstances beyond the permitted exceptions where express consent cannot
be obtained, and attempting to obtain consent (including the prescribed information) would not
only be not technically feasible but disruptive to the end user’s experience. For instance, many
software, mobile “app” and game developers provide frequent updates and upgrades for their
programs, but do so as a courtesy rather than pursuant to formal terms and consequently would
not benefit from the “updates and upgrades” exception. Under these circumstances, consent will
need to be obtained for each separate update, and will need to include all the required
information. This applies even if the user has requested automatic updates, or the developer has
no control over the information that can be provided with an update. This will similarly occur if an
update or upgrade could alter settings or data on a device, as these “functions” trigger enhanced
disclosure obligations and requiring obtaining separate consent regardless of the circumstances
or actual impact on the end user.”
“Many electronic devices are not designed in a manner that would enable them to display a
request for consent or accompanying prescribed information (e.g. some MP3 players, printers,
scanners, appliances, etc.), and are incapable of satisfying the consent requirements (especially
in circumstances where enhanced disclosure would be required).”
Telus also had very extensive comments on this issue:
“However, due to the way section 10(5) is drafted, this provision has the potential to interfere with
common, accepted business practices that are adequately governed by contracts. The concern
arises from the definition of the types of functionalities that trigger the heightened disclosure and
consent requirements. Section 10(10) refers to “any of the following functions that the person who
seeks express consent knows and intends will cause the computer system to operate in a
manner that is contrary to the reasonable expectations of the owner or an authorized user of the
computer system.” One of those functions – the only one that causes TELUS concern at present
– is (c), “changing or interfering with settings, preferences or commands already installed or
stored on the computer system without the knowledge of the owner or an authorized user of the
computer system.”
70
The reality is that within many kinds of client/service provider relationships, there are times when
functionalities and settings are changed in a way that may cause a device to operate in a manner
that the user does not expect. These changes typically take the form of updates, upgrades, or
program installations which, while they might make a device work differently, are technical in
nature and fall within the scope of contractual consents.
Programs may also be installed from time to time for the purposes of network management,
security, diagnostics, technical support or repair, or the detection or prevention of unauthorized or
fraudulent use of a service or system. Installations for these purposes are also typically within the
scope of applicable contracts.”
“…the “alteration of transmission data” provisions include an exception for network management.
Section 7(2) specifies that that rule “does not apply if the alteration is made by a
telecommunications service provider for the purposes of network management.” A
telecommunications service provider may need to install programs from time to time for the
purposes of network management, security, diagnostics, technical support or repair, or the
detection or prevention of unauthorized or fraudulent use of a service or system. In some cases,
particularly anti-fraud measures, it would defeat the purpose to disclose the action to the user and
seek his or her consent.”
18. Certain of the CRTC’s proposed regulations may be beyond the CRTC’s authority under CASL.
Several commentators argue that the CRTC does not have the authority to promulgate the regulations in
the form proposed. Comments filed by the CBA, The Chamber, ITAC and RIM, among others, deal with
these points. Conversely, PIAC maintains that the CRTC indeed has the requisite jurisdiction.
Conclusion
Canadian businesses have identified a number of important concerns with the proposed regulations
under CASL. Unless the proposed regulations are reformulated, many worry that CASL will impede rather
than facilitate e-commerce. It will hurt small and large businesses, cause significant economic harm and
stifle innovation in the use of electronic messaging systems. It will hinder investment and job creation and
drive new and emerging businesses to locate outside of Canada. Its red tape will be costly and inefficient
to comply with.
As a last point, many commentators made suggestions related to the go forward process. For example,
several organizations, such as the Chamber, endorsed the need for a second round of consultations once
revised draft regulations are issued. Many organizations also asked for sufficient lead time from when the
regulations are finalized until the date that CASL comes into legal force. Finally, many comments
contained thoughtful solutions to the problems summarized above. These might well form the basis for
reformulating the existing regulations and for drafting additional regulations.
[3] See http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00521.html
[4] See section 3 of CASL.
71
[5] For additional information on the history, goals and objectives of CASL, see Government of Canada,
Backgrounder, Questions and Answers, and Online Threats, http://www.ic.gc.ca/eic/site/ecic-
ceac.nsf/eng/h_gv00567.html), Government of Canada Moves to Enhance Safety and Security in the
Online Marketplace http://www.ic.gc.ca/eic/site/ic1.nsf/eng/05596.html
[6] CRTC draft regulation Section 2(1), 2(2), 4.
[7] Personal Information Protection and Electronic Documents Act
[8] CASL Section 6(1)
[9] CASL Section 1(1)(5)
[10] CASL Section 10(10)(a)
[11] CASL Section 10(10)(b)
[12] CRTC draft regulation, Sections 2(d) and 4(d)
[13] CRTC draft regulation, Section 4.
[14] CRTC draft regulation, Section 2(2)
[15] CRTC draft regulation Section 2(1), 2(2), 4.
* Updated Sept 21
DOCS 12184947