P. 1
Sookman Salzman ITCAN Spam Slides

Sookman Salzman ITCAN Spam Slides

|Views: 1,651|Likes:
Published by barry sookman
Sookman Salzman ITCAN Spam Slides
Sookman Salzman ITCAN Spam Slides

More info:

Categories:Types, Business/Law
Published by: barry sookman on Jan 26, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

10/18/2011

pdf

text

original

IT.

CAN QUARTERLY ROUNDTABLE SERIES

Impacts of the New Anti-SPAM and Anti-Spyware Legislation (Bill C-28)
January 26, 2011

Barry B. Sookman Direct Line: (416) 601-7949 E-Mail: bsookman@mccarthy.ca
Doc # 10027070

Lorne P. Salzman Direct Line: (416) 601-7867 E-Mail: lsalzman@mccarthy.ca 1

Why businesses need to be concerned about the Bill C-28

2

Scope and Approach
¬ ¬ SPAM - transmitting any commercial electronic message is illegal unless there is consent; it is an excluded category; and message is in a prescribed form. (s.6) Malware - it is illegal as part of a commercial activity to install any computer program -good or bad-onto someone’s computer unless there is express consent and the prescribed disclosures are made. (s.8) Spyware - it is illegal as part of a commercial activity to install any computer program onto someone’s computer that transmits data of any kind from that computer unless there is consent and the prescribed disclosures are made. (s.8) Message routing - it is illegal to alter transmission data to route a message to an unintended destination. (s.7) Broad protection against false and misleading representations extending to header information, subject matter lines, URLs, and the message itself. (s.75 and 77) Broad protection against collecting individuals’ electronic addresses using automated tools primarily designed for this purpose and collecting personal information over the internet by accessing a computer in violation of federal laws. (s.82) Burden of proof for consents is on the person alleging they have it. (s.13) The regulations will significantly affect the interpretation of the Act and are not yet published. Scope will be significantly impacted by the regulations.
3

¬

¬ ¬ ¬

¬ ¬

Very high liability
¬ ¬ Administrative monetary penalties (AMPS) with caps up to $1 million for an individual and $10 million for anyone else. (s.20(4)) Private rights of action by anyone affected by a prohibited act (s.47(1)) with liability that consists of: ¬ compensation for loss, damages and expenses; and ¬ extensive awards that are capped at: ¬ $1 million per day for breach of SPAM, malware, spyware, message routing, address and personal information harvesting, and Competition Act provisions; ¬ $1 million for each act of aiding, inducing, or procuring a breach of the SPAM, malware and spyware, and message routing provisions, plus liability up to $1 million per day for breach of SPAM, malware, spyware, and message routing provisions. ¬ Risks of class actions.

4

Extensive accessorial and vicarious liability
¬ ¬ ¬ Liability extends to any person who aids, induces or procures a prohibited act. (s.9) Scope? Businesses are liable for acts of their employees within the scope of their authority. (s.32, s.53) Liability extends to officers, directors, agents, mandataries if they directed, authorized, assented to, acquiesced, or participated in the prohibited act. (s.31, s.52) Scope-acquiesced? Businesses liable for employees businesses liable for “aiding” businesses liable for massive AMPS and damages class actions officers and directors ultimately liable. Businesses need to put policies and processes in place to reduce risk. Insurance?

¬

¬ ¬

5

Extensive extra-territorial effects
¬ ¬ ¬ The provisions of Bill C-28 could impact activities undertaken outside Canada. The anti-spam provisions apply to any message where a computer system located “in Canada is used to send or access the electronic message”. (s.13(1)) The message altering provisions also applies to messages if a “computer system located in Canada is used to send, route or access the electronic message”. (s.13(2)) Other prohibitions – real and substantial connections test? Legislation has worldwide impacts that foreign entities will not expect. Bill C-28 is significantly more onerous than any international counterpart. This will mandate Canada specific processes for doing business in Canada or with Canadians using facilities located outside of Canada.

¬ ¬ ¬ ¬

6

Anti-SPAM Provisions

7

Background: on SPAM provisions
¬ In its 2005 Report, the Task Force recommended “new legislation as required to fill any gaps identified in existing laws” (“Task Force”). The Bill purports to implement the recommendations of the Task Force. Internationally there are many precedents for dealing with SPAM including: ¬ U.S.-CAN - SPAM Act 2003 (US CAN SPAM); ¬ EU Directive 2002/58/EC on privacy and electronic communications (EU Directive); ¬ Australia Spam Act 2003 (Australia Spam Act); ¬ Singapore Spam Control Act 2007 (Singapore Spam Act); and ¬ UK Privacy and Electronic Communications Regulations 2003 (UK Spam Act).

¬

8

Background: on SPAM provisions
¬ The anti-SPAM provisions depart significantly from other international anti-spam legislation which: ¬ applies to e-mails that are sent in violation of an individual’s opt-out request, or are fraudulent, false or misleading (US CAN SPAM); ¬ applies to e-mail for the purposes of direct marketing to individuals (EU Directive, UK Act); and ¬ applies to a defined list of commercial electronic messages that relate to direct marketing (Australia Spam Act; NZ Spam Act) applies to a defined list of commercial electronic messages that relate to direct marketing that are sent in bulk (Singapore Spam Act). ¬ ¬ “Commercial electronic message” in Bill C-28 by contrast is defined in a open ended way. International entities need to understand the broad scope of the SPAM provisions and adapt their business processes to the extent they carry on business in Canada or deal with Canadians.

9

The Anti-SPAM Prohibition
¬ 6(1) It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless: a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and b) the message complies with subsection (2). Note: ¬ The section extends “send” “or cause” “or permit” to be sent. So a director is liable for “acquiescing” in an employee “aiding” someone to “permit” a message to be sent. ¬ Messages can’t be sent without a consent which must be express or a limited subset of conditions where consent is implied ¬ Messages must comply with prescribed formalities.

10

What messages and messaging systems are included
¬ “electronic message” means a message sent by any means of telecommunication, including a text, sound, voice or image message. (s1(1)) (But, excludes voice messages covered by the “Do Not Call List”, fax messages, voice recordings. (s.6(8)) “electronic address” means an address used in connection with the transmission of an electronic message to (a) an electronic mail account; (b) an instant messaging account; (c) a telephone account; or (d) any similar account. (s.1(1)) A “commercial electronic message” is “an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that (a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; (b) offers to provide a business, investment or gaming opportunity; (c) advertises or promotes anything referred to in paragraph (a) or (b); or (d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.

¬

¬

11

What messages and messaging systems are included
¬ “commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada. Applies as well to an electronic message that contains a request to send a prohibited message. (s.1(3)) Note how open ended Electronic Messages can be “sent by any means of telecommunication” Electronic Addresses include ”any similar account” which will continually change Commercial Electronic Messages fall into non-exclusive list of Electronic Messages.

¬ ¬

12

What messages and messaging systems are included
¬ Do the provisions apply to accounts with: ¬ E-mail e.g. Gmail, hotmail, exchange; ¬ IM (BBM, Google talk); ¬ Social networks e.g., LinkedIn, Facebook, Twitter tweets and direct messages; ¬ Geo-location services; ¬ E-commerce portals where there are accounts; and ¬ Message boards. ¬ ¬ Businesses and their employees communicate for commercial purposes using multiple sources. Policies are needed for obtaining consents and complying with format requirements for each platform used to send commercial electronic messages.

13

General exceptions to anti-SPAM provisions
¬ ¬ ¬ ¬ ¬ ¬ Messages to an individual to whom the person has a personal or family relationship as defined in regulations. (s.6(5)) An inquiry of or application related to a commercial activity. (s.6(5)) A class defined in regulations. (s.6(5)). Don’t know what they are. To telecom service providers when they enable transmissions of messages. (s6(7)). Messages related to law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada. (s.(1), s.6(4)) The consent requirement in para. 1(a) does not apply to certain commercial electronic messages e.g., providing a quote in response to a request, furtherance of previously agreed to transactions, warranty, safety, security, product recall information, factual information about a purchase, information about an employment or benefits plan, delivering a product, service or upgrade, or another exception specified in a regulation. (s.6(6)) Will businesses develop policies that rely on specific exceptions for consent, even when the formality requirements are not also exempted?

¬

14

Getting consents to send commercial electronic messages
¬
¬

Express consents
A person who seeks express consent must, when requesting consent, set out clearly and simply the following information: (a) the purpose or purposes for which the consent is being sought; (b) prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, prescribed information that identifies that other person; and (c) any other prescribed information. (s.10(1)). See also (2). How do businesses obtain express consents to send a commercial electronic message when sending an electronic message to get consent is itself a commercial electronic message for consent is required? (s.1(3)) Implied Consents Consents to collect, use or disclose information under PIPEDA are not necessary valid for the purposes of Bill C-28. Bill C-28 will create a conflicting consent regime with the consent regime in PIPEDA since “implied consents” are a list of closed categories. Businesses cannot rely on PIPEDA consents to use personal information since the regimes are different e.g., disclosure standards, standards for determining implied consents, and exceptions are not the same.
15

¬

¬ ¬ ¬ ¬

Implied consents to send commercial electronic messages
¬ A consent is implied for the purpose of the anti-SPAM provisions only if: a) there is “an existing business relationship” or an “existing non-business relationship”, as those terms are defined. (s.10(9)) ¬ “Existing business relationship” is a relationship arising from a purchase or barter within 2 years; acceptance of a business, investment or gaming opportunity with last 2 years; related to a contract until 2 years after expiry; any inquiry or application with 6 months. (s.10(10)) “Existing non-business relationship” is a non-business relationship arising from a donation or gift; volunteer for a charity; membership, within a 2 year window. (s.10(13))

¬

b) the person to whom the message is sent has “conspicuously published” the electronic address without a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address and the message is relevant to the person’s business, role, functions or duties in a business or official capacity; c) the person to whom the message is sent has disclosed, to the person who sends the message, his/her electronic address without indicating a wish not to receive SPAM, and the message is relevant to the person’s business, role, functions or duties in a business or official capacity; or d) the message is sent in the circumstances set out in the regulations. 16

Format requirements for electronic messages
¬ The electronic messages must be in a form that conforms to the prescribed requirements and must: a) set out prescribed information that identifies the person who sent the message; b) set out information enabling the person to whom the message is sent to readily contact the sender (the contact information must be valid for 60 days); and c) set out the prescribed unsubscribe mechanism. (s.6(2) & (3)). ¬ The unsubscribe mechanism must (a) enable the recipient to indicate, at no cost to them, the wish to no longer receive any messages, or any specified class of such messages, from the sender, using (i) the same electronic means by which the message was sent, or (ii) if using those means is not practicable, any other electronic means that will enable the person to indicate the wish; and (b) specify an electronic address, or link to a page on the World Wide Web that can be accessed through a web browser, to which the indication may be sent. (s.11(1) & (2)) Is it possible to comply with these rules for all media? Can regulations solve the problem? Businesses need to develop policies and processes for how to comply with format requirements for every category of message formats for all included media. These will

¬ ¬

need continual review.
17

Malware and Spyware Provisions

18

The prohibition
¬ 8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless: (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with [the disclosure requirements of] subsection 11(5); or the person is acting in accordance with a court order.

(b)

Implied consents cannot be relied upon. Only express consents are valid, assuming compliance with the disclosure requirements. Written agreements or click-wraps will comply. Web wrap agreements will likely not comply.

19

Scope of prohibition
¬ Applies to “computer programs” (defined in subsection 342.1(2) of the Criminal Code) as meaning “data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function”. Computer programs are not limited to malware or spyware. Installed on another person’s “computer system” ” (defined in subsection 342.1(2) of the Criminal Code) as meaning “a device that, or a group of interconnected or related devices one or more of which, (a) contains computer programs or other data, and (b) pursuant to computer programs, (i) performs logic and control, and (ii) may perform any other function”. Computer systems could include: PCs, phones, smartphones, DARs, tablets like the iPad, ebook readers, the “Cloud”, websites and web services, servers, industrial machines, appliances, autos, and other consumer products.

¬ ¬

¬

20

Scope of prohibition
¬ Covers acts of “installing” a computer program. ‘Install’ is not defined in the legislation. What is included e.g., downloading, program execution, successful running of install program, integration of the code onto a computer system such as by changing the registry, making the program executable at a later time, modifying existing software? Covers to “cause an electronic message to be sent” from the computer. ¬ “electronic message” means a message sent by any means of telecommunication, including a text, sound, voice or image message. Not limited to personal information or privacy violations; extends to usage information; performance data; monitoring data; ¬ “to be sent” –involves a requirement for a transmission, but does not explicitly require any reception of data.

¬

21

Getting express consents to comply with “malware” and “spyware” provisions
¬ Obtaining consent: A person who seeks express consent must, when requesting consent, set out clearly and simply the following information: (a) the purpose or purposes for which the consent is being sought; (b) prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, prescribed information that identifies that other person; and (c) any other prescribed information.” (s.10(1)). Withdrawal of consent: If the computer program installed meets one of the specified “malware” or “spyware” criteria in s.10(5), the person who installs the program with consent must for 1 year provide an electronic address to which a request can be sent to remove or disable the computer program if the requestor believes that the function, purpose or impact of the computer program installed under the consent was not accurately described when consent was requested; and if the consent was based on an inaccurate description of the material elements of the enumerated function or functions, must, without cost to the person who gave consent, assist that person in removing or disabling the computer program as soon as feasible. (s.11(5))

¬

22

Disclosure requirements to comply with “malware” and “spyware” provisions
Two levels of disclosure required when obtaining consent. ¬ Minimum Disclosure: A person who seeks express consent, must when requesting consent, also, in addition to setting out any other prescribed information, must clearly and simply describe, in general terms the function and purpose of the computer program that is to be installed if the consent is given. (s.10(3)) Enhanced Disclosure: If the computer program meets one of the specified “malware” or “spyware” criteria in s.10(5), “the person who seeks express consent must, when requesting consent, clearly and prominently, and separately and apart from the licence agreement, (a) describe the program’s material elements that perform the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and (b) bring those elements to the attention of the person from whom consent is being sought in the prescribed manner”. The enhances disclosure standard applies where the program collects personal information; interferes with control of the computer; changes or interferes with settings preferences or commands; obstructs, interrupts, or interferes with access to data; causes the computer to communicate with another computer without authorization, installing a bot, or something set out in the regulations, but not merely transmission data. (s.10(5) &(6)) How to determine the appropriate disclosure to meet the specific type of computer program?

¬

¬

¬

23

Exceptions for Software Updates, Upgrades and Patches
¬ Express consent and the minimum disclosure are not required for the installation of an update or upgrade so long as the installation or use of the computer program being updated was expressly consented to and the person who gave the consent is entitled to, and does receive the update under the terms of the express consent. (s.10(7)). This exception does not extend to the enhanced disclosure requirement.

¬

24

Exclusions from the consent and disclosure requirements
¬ A person is considered to expressly consent to the installation of a computer program if: a) the program is: i. ii. a cookie, HTML code,

iii. Java Scripts, iv. an operating system, v. any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or

vi. any other program specified in the regulations; and b) ¬ ¬ the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation. (s.11(8)) What type of programs are referred to in para. (v)? Note, there is no express waiver of the disclosure requirement, but disclosure is only required where express requests are being sought.

25

Altering Transmission Data provisions

26

The prohibition
¬ S.7.1(1) It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless (a) the alteration is made with the express consent of the sender or the person to whom the message is sent, and the person altering or causing to be altered the data complies with subsection 11(4); or (b) the alteration is made in accordance with a court order. (2) Subsection (1) does not apply if the alteration is made by a telecommunications service provider for the purposes of network management.

¬

27

Getting express consents to comply with “altering transmission data” provision
¬ Obtaining consent: A person who seeks express consent must, when requesting consent, set out clearly and simply the following information: (a) the purpose or purposes for which the consent is being sought; (b) prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, prescribed information that identifies that other person; and (c) any other prescribed information.” (s.10(1))

28

Address and personal information harvesting provisions

29

Address harvesting amendments to PIPEDA – s. 82 of Bill C-28
¬ 7.1(2) Paragraphs 7(1)(a), (c) and (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of (a) the collection of an individual’s electronic address, if the address is collected by the use of a computer program that is designed or marketed primarily for use in generating or searching for, and collecting, electronic addresses; or (b) the use of an individual’s electronic address, if the address is collected by the use of a computer program described in paragraph (a). “electronic address” defined to mean “an address used in connection with (a) an electronic mail account; (b) an instant messaging account; or (c) any similar account”. Note: The collection of electronic addresses prohibition is not tied to any SPAM-related activity. The effect of this is to remove certain exceptions related to the collection and use of personal information in PIPEDA.

¬

¬ ¬

30

Address harvesting amendments to PIPEDA
¬ PIPEDA s.7(1) An organization may collect personal information without the knowledge or consent of the individual only if: a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way; b) the collection is solely for journalistic, artistic or literary purposes; c) ¬ the information is publicly available and is specified by the regulations.

PIPEDA s.7(2) An organization may, without the knowledge or consent of the individual, use personal information only if: a) in the course of its activities, the organization becomes aware of information that it has reasonable grounds to believe could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, and the information is used for the purpose of investigating that contravention; b) it is used for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual; c) it is used for statistical, or scholarly study or research, purposes that cannot be achieved without using the information, the information is used in a manner that will ensure its confidentiality, it is impracticable to obtain consent and the organization informs the Commissioner of the use before the information is used;

(c.1) it is publicly available and is specified by the regulations. ¬ Exception set out in clause 4.3 of Schedule 1: consent is required for the collection, use, or disclosure or personal information, except where inappropriate.

31

Personal information harvesting amendments to PIPEDA
¬ 7.1(3) Paragraphs 7(1)(a) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of (a) the collection of personal information, through any means of telecommunication, if the collection is made by accessing a computer system or causing a computer system to be accessed in contravention of an Act of Parliament; or (b) the use of personal information that is collected in a manner described in paragraph (a). “access” is defined to mean “to program, to execute programs on, to communicate with, to store data in, to retrieve data from, or to otherwise make use of any resources, including data or programs on a computer system or a computer network. “computer program” and “computer system” are broadly defined as in the SPAM provisions . The collection of personal information does not have to be SPAM-related. Note, the access to a computer system must be “in contravention of an Act of Parliament”. Compare to wording in s.7(1)(b) which apply to “a breach of an agreement or a contravention of the laws of Canada or a province.” The effect of this is also to remove certain exceptions related to the collection and use of personal information. Note also the removal of the exception in s.7(1)(b): “it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province”. 32

¬

¬ ¬ ¬

¬ ¬

Competition Act Provisions

33

Competition Act
¬ Bill C-28 adds to existing Competition Act provisions prohibiting false or misleading representations to promote a business interest of the supply or use of a product ¬ Numbering of Competition Act amendments is particularly confusing ¬ Investigation/enforcement by Competition Bureau ¬ Bureau has sought and obtained sizeable fines in the past for deceptive marketing practices ¬ Bureau is seeking $10m fine against Rogers for alleged misleading advertising

34

Competition Act new s. 74.011 and s. 52.01
¬ prohibits representation that is false or misleading in a material respect in electronic message ¬ prohibits false or misleading representation in ¬ sender information in electronic message ¬ subject matter information in electronic message ¬ locater ¬ look at general impression and literal meaning ¬ ¬ ¬ only first prohibition states “in a material respect” no “to the public” concept no concept of exception for consent or existing business relationship

35

Definitions (s. 70(2))

¬ “sender information” means the part of an electronic message — including the data relating to source, routing, addressing or signalling — that identifies or purports to identify the sender or the origin of the message ¬ “subject matter information” means the part of an electronic message that purports to summarize the contents of the message or to give an indication of them ¬ “locator” means a name or information used to identify a source of data on a computer system, and includes a URL ¬ “electronic message” is widely defined, same as in Bill C-28

36

Competition Act – Discussion Examples
¬ Sender Information ¬ VISA <security@onlineupdate.com> ¬ Locator ¬ www.bmosecuritylink.com ¬ Subject Matter Information ¬ Fly Ottawa to Calgary for $299 return ¬ Lose 20 Pounds in 3 Weeks ¬ Our best sale of the year ¬ Exclusive upgrade offer from ABC Hotels ¬ Aggressive e-mail subject matter language poses substantial risk to senders

37

Enforcement Measures

38

Bill C-28 Enforcement
¬ Bill C-28 is complicated ¬ The Bill contains amendments to several statutes, and contemplates inter-related actions by several agencies and enforcement routes

39

Enforcement Routes
¬ CRTC – spam, spyware, message misrouting ¬ Competition Bureau – false or misleading messages or components ¬ criminal ¬ reviewable ¬ Privacy Commissioner – improper harvesting of personal information ¬ Private actions – all of the above ¬ class actions

40

CRTC
¬ CRTC designates enforcement officers (SPAM police?) (s. 14) ¬ can issue preservation demand, notice to produce documents, can apply for search warrants ¬ EO issues notice of violation (like parking ticket) (s.22) ¬ sets out AMPS amount ¬ C-28 provides factors for determining penalty (s.20(3)) ¬ previous history of contraventions ¬ financial benefit received from offending activity ¬ ability to pay ¬ other ¬ offender must either pay or ask CRTC panel to rule (s. 24) ¬ A Commission review is decided on balance of probabilities (s. 25) ¬ appeal to FCA is possible, with leave on question of fact (s. 27)

41

CRTC
¬ undertakings possible (i.e negotiated outcome, may include payment requirement) (s. 21) ¬ sizeable AMPS possible (s. 20) ¬ <$1m for individuals ¬ <$10m for corporations ¬ possible director/officer liability (s. 31) ¬ due diligence defence (s. 33) ¬ what does this mean as a practical matter? ¬ ignore DNCL repealing provisions as there is no intention to proclaim these anytime soon (s. 90)

42

Competition Act
¬ Criminal prosecution (s. 75) ¬ for egregious situations ¬ “knowingly or recklessly” makes a representation… ¬ fines/imprisonment possible ¬ allows private right of action for damages ¬ Reviewable conduct (s. 77) ¬ prohibition orders ¬ publication of corrective notice (more SPAM?) ¬ AMPS ¬ corporation = <$10m 1st offence; <$15m subsequent ¬ new private right of action

43

PIPEDA
¬ Bill C-28 expands the concept of privacy under PIPEDA to include harvesting an individual’s electronic address and collecting personal information by accessing a computer system in contravention of a federal law. ¬ Privacy Commissioner can investigate and take appropriate action as in other privacy complaints. ¬ However, a private right of action is now available as additional enforcement right.

44

Private Right of Action (ss. 47-51)
¬ Contravention Trigger (s. 47) ¬ Bill C-28, s. 6-9 (unless CRTC has taken enforcement action or agreed to undertaking – s.48) ¬ does s. 48 provide an incentive to self-report and settle with CRTC? ¬ Competition Act for reviewable conduct of false or misleading representations ¬ PIPEDA provisions re harvesting personal addresses/information

45

Private Right of Action
¬ Recovery (s. 51(1)) ¬ compensation for loss or expense ¬ “private” fines ¬ <$1m/day for all above triggered items ¬ <$1m/event for aid, induce, procure s. 6-8 contravention + <1$m/day if actual s.6-8 contravention ¬ court is given list of factors to consider (s. 51(3)) ¬ person’s history of contraventions ¬ ability to pay ¬ financial benefit received by offender ¬ other ¬ class action implications
46

VANCOUVER
Suite 1300, 777 Dunsmuir Street P.O. Box 10424, Pacific Centre Vancouver BC V7Y 1K2 Tel: 604-643-7100 Fax: 604-643-7900 Toll-Free: 1-877-244-7711

MONTRÉAL
Suite 2500 1000 De La Gauchetière Street West Montréal QC H3B 0A2 Tel: 514-397-4100 Fax: 514-875-6246 Toll-Free: 1-877-244-7711

CALGARY
Suite 3300, 421 7th Avenue SW Calgary AB T2P 4K9 Tel: 403-260-3500 Fax: 403-260-3501 Toll-Free: 1-877-244-7711

QUÉBEC
Le Complexe St-Amable 1150, rue de Claire-Fontaine, 7e étage Québec QC G1R 5G4 Tel: 418-521-3000 Fax: 418-521-3099 Toll-Free: 1-877-244-7711

TORONTO
Box 48, Suite 5300 Toronto Dominion Bank Tower Toronto ON M5K 1E6 Tel: 416-362-1812 Fax: 416-868-0673 Toll-Free: 1-877-244-7711

UNITED KINGDOM & EUROPE
125 Old Broad Street, 26th Floor London EC2N 1AR UNITED KINGDOM Tel: +44 (0)20 7489 5700 Fax: +44 (0)20 7489 5777

OTTAWA
Suite 200, 440 Laurier Avenue West Ottawa ON K1R 7X6 Tel: 613-238-2000 Fax: 613-563-9386 Toll-Free: 1-877-244-7711

47

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->