January 30, 2014
Original Newsletter(s) this article was published in: International Business Bulletin: January 2014
Article By: Henry Chang
On December 15, 2010, Bill C-28, Canada’s anti-spam legislation (the “Act”),[1] received Royal Assent. It establishes the following regulatory framework, for the purpose of protecting electronic commerce in Canada:
Most of the Act will come into force on July 1, 2014. However, the provisions dealing with the unsolicited installation of computer programs will come into force on January 15, 2015. In addition, the private right of action provisions will come into force on July 1, 2017.
The Act will be administered by the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner of Canada. Industry Canada will also act as a national coordinating body to promote awareness of the law, to educate consumers, network operators and small businesses, to coordinate work with the private sector, and to conduct research.
The CRTC is generally responsible for ensuring the reliability, safety and effective operation of telecommunications networks in Canada, including the Internet. It will be responsible for enforcing the following prohibitions contained in the Act:
The Competition Bureau currently has a mandate to ensure fair marketplace practices for business and consumers. The Act amends the Competition Act[2] in a manner that allows the Competition Bureau to more effectively address false and misleading representations online and deceptive marketplace practices including false headers and website content.
The Privacy Commissioner is currently responsible for protecting the personal information of Canadians. The Act amends the Personal Information Protection and Electronic Documents Act[3] in a manner that allows the Office of the Privacy Commissioner of Canada to enforce the following new violations:
The most significant prohibitions contained in the Act will be enforced by the CRTC. A detailed discussion of these prohibitions appears below.
This prohibition addresses the sending of unsolicited commercial electronic messages. According to Subsection 1(2) of the Act, the term “commercial electronic message” is defined as an electronic message that it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that:
Subsection 1(1) of the Act defines the term “commercial activity” as any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.
Section 6 of the Act prohibits the sending of a commercial electronic message to an electronic address unless:
According to Subsection 2 of the CRTC’s Appendix to Telecom Regulatory Policy CRTC 2012-183 (the “CRTC Regulations”), the following information must be set out in any commercial electronic message:
If it is not practical to include the above information and an unsubscribe mechanism in a commercial electronic message, that information may be posted on a web page by means of a link that is clearly and prominently set out in the message.
The term “electronic message” is defined in Subsection 1(1) of the Act as a message sent by any means of telecommunication, including a text, sound, voice, or image message. This broad definition therefore implicates voice mail messages, webcam messages, and the exchange of pictures or graphic files by electronic means as well.
The term “electronic address” is also defined in Subsection 1(1) as an address used in connection with the transmission of an electronic message to:
As a result, Section 6 covers virtually all means of electronic communication, with the exception of broadcasting by a broadcasting undertaking (as defined in the Broadcasting Act[4]), which is explicitly exempted in Section 5.
Section 6 would also be used to prevent phishing attacks. For example, a typical phishing e-mail could appear to be sent from the recipient’s bank, requiring the recipient to send back personal information. In reality, the actual sender is a spammer who is attempting to steal the recipient’s personal information, which the recipient would not otherwise provide.
Section 6 provides several exemptions to the above prohibition, including a commercial electronic message that:
According to Section 2 of the Governor in Council Electronic Commerce Protection Regulations[5] (the “Governor in Council Regulations”), the term “family relationship” means that the sender and the recipient are related to one another through marriage, common-law partnership, or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication. “Personal relationship” also means the relationship between sender and recipient, if those individuals have had a direct, voluntary, two-way communication and it would be reasonable to conclude that they have a personal relationship, taking into account any relevant factors such as the sharing of interests, experiences, opinions, and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated, or whether the parties have met in person.
Section 3 of the Governor in Council Regulations also exempts a commercial electronic message that:
Finally, Section 4 of the Governor in Council Regulations exempts the first commercial electronic message that is sent by the sender for the purpose of contacting the recipient following a referral by any individual who has an existing business relationship, an existing non-business relationship, a family relationship, or a personal relationship with the sender or the recipient, and that discloses the full name of the individual or individuals who made the referral and states that the message is sent as a result of the referral.
Subsection 6(8) of the Act confirms that this prohibition does not apply to a commercial electronic message that is:
Clearly, the Act is not intended to apply to telephone calls, faxes, or voicemail messages.
Subsection 12(1) confirms that a person only contravenes Section 6 if the computer system used to send or to access the electronic message is located in Canada.
This prohibition addresses the alteration of transmission data without authorization. Section 7 of the Act prohibits anyone, in the course of a commercial activity, from altering transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless:
However, this prohibition does not apply if the alteration is made by a telecommunications service provider for the purposes of network management.
According to Subsection 11(4), where there is express consent to alter transmission data under Section 7, an unsubscribe mechanism must be provided to the recipient of the electronic message throughout the period covered by the consent and any activation of the unsubscribe option must be put into effect within 10 business days.
According to Subsection 1(1), the term “transmission data” is defined as data that:
The above definition clearly covers any data transmission by means of telephone, Internet, and wireless, outside of the actual substance of the message.
The intent of Section 7 appears to be to capture all steps along the chain of transmission where a spammer or other malevolent communicator could insert some form of problematic technology such as malware or spyware, or fake an identity for the purposes of communication. This should include malicious activities such as man-in-the-middle attacks[6], network re-routing, and even Caller-ID spoofing[7].
Subsection 12(2) confirms that a person only contravenes Section 7 if a computer system located in Canada is used to send, route, or access the electronic message.
This prohibition addresses the installation of software on computer systems and networks without authorization. It is intended to cover malware, spyware and virus installations, including computer programs that can be hidden in spam messages or accessed through hyperlinks to infected websites.
Section 8 of the Act provides that a person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless:
This prohibition is aimed at the surreptitious installation of spyware and malware, such as the kind that compromise a computer in order to relay spam without the owner’s permission.
According to Subsection 11(5), where there is express consent to download a program onto a person’s computer under Section 8, a mechanism must be provided, for a year after the program’s installation, whereby the recipient can send a request to remove or disable the computer program because its function, purpose or other details were not as advertised in the original consent request. In addition, the providers of the program must grant the request to uninstall, without cost, if the request is made because of misrepresentation of the program in the original request for consent.
Subsection 12(1) confirms that a person will contravene Section 8 only if the computer system is located in Canada at the relevant time or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions.
As mentioned above, this prohibition will come into force on January 15, 2015.
According to Section 9 of the Act, it is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of Sections 6 to 8.
According to Subsection 10(1) of the Act, a person who seeks express consent under Sections 6 to 8 must clearly and simply set out the following information:
According to Section 5(1) of the Governor in Council Regulations, a person who obtained express consent on behalf of a person whose identity was unknown may authorize any person to use the consent on the condition that the person who obtained it ensures that, in any commercial electronic message sent to the recipient:
According to Section 3 of the CRTC Regulations, a request for consent may be obtained orally or in writing and must be sought separately for each act described in Sections 6 to 9 of the Act and must include:
For the purposes of Section 8 of the Act (installation of computer programs), the person seeking express consent must also clearly and simply describe the function and purpose of the computer program that is to be installed. In addition, if the person knows and intends to cause that computer system to operate in a manner that is contrary to the reasonable expectations of its owner or authorized user, the person requesting consent must clearly and prominently (separately from the license agreement):
According to Subsection 10(5), this extra information must be provided if the installation will do one of the following: (1) collect personal information stored on the computer system; (2) interfere with the recipient’s control of the computer system; (3) change or interfere with the recipient’s existing settings, preferences or commands; (4) change or interfere with data that affects the recipient’s lawful access to it; (5) cause the recipient’s computer system to communicate with another computer system or device without the recipient’s consent; or (6) install a computer program that may be activated by a third party without the knowledge of the recipient. According to Section 5 of the CRTC Regulations, the computer program’s material elements that perform one or more of these functions must be brought to the attention of the person from whom consent is sought separately from any other information provided in the request for consent and an acknowledgement in writing must be obtained from the person from whom consent is being sought, confirming that they understand and agree that the program performs the specified functions.
Express consent is not required for the installation of an update or upgrade to a computer program if express consent was previously given in accordance with Section 10 of the Act, the person who gave the consent is entitled to receive the update or upgrade under the terms of the express consent, and the update or upgrade is installed in accordance with those terms.
According to Subsection 10(8)(a), a person is also deemed to have given express consent to the installation of a computer program if:
Section 6 of the Governor in Council Regulations adds the following additional programs:
According to Subsection 10(9) of the Act, for the purposes of Section 6 (unsolicited electronic messages), consent is implied if:
According to Subsection 10(10), the term “existing business relationship” means a business relationship between the sender (including those who cause or permit the message to be sent) and the recipient, arising from:
According to Subsection 10(12), if the owner of a business has an existing business relationship with another person and the business is subsequently sold, the purchaser of the business is also considered to have an existing business relationship with that other person.
According to Subsection 10(13), the term “existing non-business relationship” means a non-business relationship between the recipient and the sender (including anyone who causes or permits the message to be sent) arising from:
Subsection 7 of the Governor in Council Regulations defines “membership” as the status of having been accepted as a member of a club, association, or voluntary organization in accordance with its membership requirements. It also defines “club, association, or voluntary organization” as a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation, or for any other purpose other than personal profit, if no part of its income is available for the personal benefit of any proprietor, member, or shareholder of that organization unless the proprietor, member or shareholder is an organization whose primary purpose is the promotion of amateur athletics in Canada.
According to Section 66 of the Act, a person’s consent to receive commercial electronic messages from another person is implied until three years after the date that Section 6 comes into force (July 1, 2017) or until they withdraw their consent, whichever comes first, if when that section comes into force (July 1, 2014):
According to Section 67 of the Act, if a computer program was installed on a person’s computer system before Section 8 comes into force (January 15, 2015), their consent to the installation of an update or upgrade to the program is implied until three years after the date on which that section comes into force (July 15, 2018) or until they withdraw their consent, whichever comes first.
Pursuant to Section 20 of the Act, the CRTC has the authority to impose an administrative monetary penalty for any violation of Sections 6 to 9. According to Subsection 20(4), the maximum penalty for a violation is $1,000,000 in the case of an individual and $10,000,000 in the case of any other person.
According to Section 30, violations are not considered criminal offences. Subsection 20(2) also confirms that the purpose of the penalty is to promote compliance with the Act and not to punish violators. Subsection 33 provides for a due diligence defence, but other common law defences can only be used to the extent that they do not conflict with other provisions of the Act.
According to Section 31, an officer, director, agent or mandatary of a corporation may be liable for a violation committed by the corporation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, regardless of whether proceedings are commenced against the corporation itself. In addition, Section 32 states that an employer is also liable for a violation that is committed by their employee (or their agent or mandatary) acting within the scope of their employment, whether or not the employee is proceeded against or identified.
The Act also contains several criminal offences:
According to Subsection 46(1), every person who commits an offence under Section 42 or 43 is guilty of an offence punishable on summary conviction and is liable:
According to Subsection 46(1) of the Act, a person who alleges that:
may apply to the court for an order of compensation against one or more persons who they allege have committed a violation or reviewable conduct. However, according to Subsection 46(2), no application may be brought later than three years after the day on which the subject matter of the proceeding became known to the applicant.
As mentioned above, this private right of action provision will come into force on July 1, 2017.
According to Subsection 60 of the Act, the CRTC, the Commissioner of Competition, and the Privacy Commissioner are authorized to share information with foreign states and international organizations for the purposes of pursuing violations. All such information-sharing arrangements must be in the form of written agreements and they may concern only illegal activity under foreign laws that do not have penal consequences. However, a written agreement can be presumed from the acceptance of a written request for assistance from a foreign state or international organization if it is accompanied by a declaration that assistance between Canada and the requesting party will be reciprocal.
Although the Government of Canada hopes that the Act will discourage spam originating from Canada, it is not expecting to completely eliminate it, since a significant amount of spam originates from other countries. Nevertheless, as Canada is the last of the G8 countries to introduce anti-spam legislation, the Act’s implementation will certainly add to existing global efforts aimed at eliminating spam.
Canadian businesses will need to exercise due diligence in order to ensure that they do not violate the Act. These businesses should review their existing internal policies on the use of commercial electronic messages, in order to ensure compliance once the Act comes into force on July 1, 2014.
[1] An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (S.C. 2010, c. 23).
[2] R.S.C., 1985, c. C-34.
[3] S.C. 2000, c. 5.
[4] S.C. 1991, c. 11.
[5] 81000-2-175 (SOR/DORS).
[6] This involves the interception and re-routing of Internet messages between a sender and recipient, making them believe that they are talking directly to each other.
[7] This involves causing the telephone network to display a number on the recipient's caller ID display that is not the actual originating telephone number.