You are on page 1of 47

IT.

CAN QUARTERLY ROUNDTABLE SERIES

Impacts of the New Anti-SPAM and
Anti-Spyware Legislation (Bill C-28)
January 26, 2011

Barry B. Sookman Lorne P. Salzman
Direct Line: (416) 601-7949 Direct Line: (416) 601-7867
E-Mail: bsookman@mccarthy.ca E-Mail: lsalzman@mccarthy.ca

Doc # 10027070 1
Why businesses need to be
concerned about the Bill C-28

2
Scope and Approach
¬ SPAM - transmitting any commercial electronic message is illegal unless there is
consent; it is an excluded category; and message is in a prescribed form. (s.6)
¬ Malware - it is illegal as part of a commercial activity to install any computer program
-good or bad-onto someone’s computer unless there is express consent and the
prescribed disclosures are made. (s.8)
¬ Spyware - it is illegal as part of a commercial activity to install any computer program
onto someone’s computer that transmits data of any kind from that computer unless
there is consent and the prescribed disclosures are made. (s.8)
¬ Message routing - it is illegal to alter transmission data to route a message to an
unintended destination. (s.7)
¬ Broad protection against false and misleading representations extending to header
information, subject matter lines, URLs, and the message itself. (s.75 and 77)
¬ Broad protection against collecting individuals’ electronic addresses using automated
tools primarily designed for this purpose and collecting personal information over the
internet by accessing a computer in violation of federal laws. (s.82)
¬ Burden of proof for consents is on the person alleging they have it. (s.13)
¬ The regulations will significantly affect the interpretation of the Act and are not yet
published. Scope will be significantly impacted by the regulations.

3
Very high liability
¬ Administrative monetary penalties (AMPS) with caps up to $1 million for an
individual and $10 million for anyone else. (s.20(4))
¬ Private rights of action by anyone affected by a prohibited act (s.47(1)) with
liability that consists of:
¬ compensation for loss, damages and expenses; and
¬ extensive awards that are capped at:
¬ $1 million per day for breach of SPAM, malware, spyware, message
routing, address and personal information harvesting, and Competition
Act provisions;
¬ $1 million for each act of aiding, inducing, or procuring a breach of the
SPAM, malware and spyware, and message routing provisions, plus
liability up to $1 million per day for breach of SPAM, malware, spyware,
and message routing provisions.
¬ Risks of class actions.

4
Extensive accessorial and vicarious liability

¬ Liability extends to any person who aids, induces or procures a prohibited act.
(s.9) Scope?
¬ Businesses are liable for acts of their employees within the scope of their
authority. (s.32, s.53)
¬ Liability extends to officers, directors, agents, mandataries if they directed,
authorized, assented to, acquiesced, or participated in the prohibited act. (s.31,
s.52) Scope-acquiesced?
¬ Î Businesses liable for employeesÎ businesses liable for “aiding”Î businesses
liable for massive AMPS and damagesÎ class actionsÎ officers and directors
ultimately liable.
¬ Î Businesses need to put policies and processes in place to reduce risk.
¬ Î Insurance?

5
Extensive extra-territorial effects

¬ The provisions of Bill C-28 could impact activities undertaken outside Canada.
¬ The anti-spam provisions apply to any message where a computer system
located “in Canada is used to send or access the electronic message”. (s.13(1))
¬ The message altering provisions also applies to messages if a “computer system
located in Canada is used to send, route or access the electronic message”.
(s.13(2))
¬ Other prohibitions – real and substantial connections test?
¬ Î Legislation has worldwide impacts that foreign entities will not expect.
¬ Î Bill C-28 is significantly more onerous than any international counterpart.
¬ Î This will mandate Canada specific processes for doing business in Canada or
with Canadians using facilities located outside of Canada.

6
Anti-SPAM Provisions

7
Background: on SPAM provisions

¬ In its 2005 Report, the Task Force recommended “new legislation as required to
fill any gaps identified in existing laws” (“Task Force”). The Bill purports to
implement the recommendations of the Task Force.
¬ Internationally there are many precedents for dealing with SPAM including:
¬ U.S.-CAN - SPAM Act 2003 (US CAN SPAM);
¬ EU Directive 2002/58/EC on privacy and electronic communications (EU
Directive);
¬ Australia Spam Act 2003 (Australia Spam Act);
¬ Singapore Spam Control Act 2007 (Singapore Spam Act); and
¬ UK Privacy and Electronic Communications Regulations 2003 (UK Spam
Act).

8
Background: on SPAM provisions
¬ The anti-SPAM provisions depart significantly from other international anti-spam
legislation which:
¬ applies to e-mails that are sent in violation of an individual’s opt-out request,
or are fraudulent, false or misleading (US CAN SPAM);
¬ applies to e-mail for the purposes of direct marketing to individuals (EU
Directive, UK Act); and
¬ applies to a defined list of commercial electronic messages that relate to
direct marketing (Australia Spam Act; NZ Spam Act) applies to a defined list
of commercial electronic messages that relate to direct marketing that are
sent in bulk (Singapore Spam Act).
¬ “Commercial electronic message” in Bill C-28 by contrast is defined in a open
ended way.
¬ Î International entities need to understand the broad scope of the SPAM
provisions and adapt their business processes to the extent they carry on
business in Canada or deal with Canadians.

9
The Anti-SPAM Prohibition

¬ 6(1) It is prohibited to send or cause or permit to be sent to an electronic address
a commercial electronic message unless:
a) the person to whom the message is sent has consented to receiving it,
whether the consent is express or implied; and
b) the message complies with subsection (2).
Î Note:
¬ The section extends “send” “or cause” “or permit” to be sent. So a director is
liable for “acquiescing” in an employee “aiding” someone to “permit” a
message to be sent.
¬ Messages can’t be sent without a consent which must be express or a limited
subset of conditions where consent is implied
¬ Messages must comply with prescribed formalities.

10
What messages and messaging systems
are included
¬ “electronic message” means a message sent by any means of
telecommunication, including a text, sound, voice or image message. (s1(1)) (But,
excludes voice messages covered by the “Do Not Call List”, fax messages, voice
recordings. (s.6(8))
¬ “electronic address” means an address used in connection with the transmission
of an electronic message to (a) an electronic mail account; (b) an instant
messaging account; (c) a telephone account; or (d) any similar account. (s.1(1))
¬ A “commercial electronic message” is “an electronic message that, having
regard to the content of the message, the hyperlinks in the message to content on
a website or other database, or the contact information contained in the message,
it would be reasonable to conclude has as its purpose, or one of its purposes, to
encourage participation in a commercial activity, including an electronic
message that (a) offers to purchase, sell, barter or lease a product, goods, a
service, land or an interest or right in land; (b) offers to provide a business,
investment or gaming opportunity; (c) advertises or promotes anything referred to
in paragraph (a) or (b); or (d) promotes a person, including the public image of a
person, as being a person who does anything referred to in any of paragraphs (a)
to (c), or who intends to do so.

11
What messages and messaging systems
are included
¬ “commercial activity” means any particular transaction, act or conduct or any
regular course of conduct that is of a commercial character, whether or not the
person who carries it out does so in the expectation of profit, other than any
transaction, act or conduct that is carried out for the purposes of law enforcement,
public safety, the protection of Canada, the conduct of international affairs or the
defence of Canada.
¬ Applies as well to an electronic message that contains a request to send a
prohibited message. (s.1(3))
¬ ÎNote how open endedÎ Electronic Messages can be “sent by any means of
telecommunication”ÎElectronic Addresses include ”any similar account” which
will continually changeÎ Commercial Electronic Messages fall into non-exclusive
list of Electronic Messages.

12
What messages and messaging systems
are included
¬ Do the provisions apply to accounts with:
¬ E-mail e.g. Gmail, hotmail, exchange;
¬ IM (BBM, Google talk);
¬ Social networks e.g., LinkedIn, Facebook, Twitter tweets and direct
messages;
¬ Geo-location services;
¬ E-commerce portals where there are accounts; and
¬ Message boards.
¬ Î Businesses and their employees communicate for commercial purposes using
multiple sources.
¬ ÎPolicies are needed for obtaining consents and complying with format
requirements for each platform used to send commercial electronic messages.

13
General exceptions to anti-SPAM
provisions
¬ Messages to an individual to whom the person has a personal or family
relationship as defined in regulations. (s.6(5))
¬ An inquiry of or application related to a commercial activity. (s.6(5))
¬ A class defined in regulations. (s.6(5)). Don’t know what they are.
¬ To telecom service providers when they enable transmissions of messages.
(s6(7)).
¬ Messages related to law enforcement, public safety, the protection of Canada, the
conduct of international affairs or the defence of Canada. (s.(1), s.6(4))
¬ The consent requirement in para. 1(a) does not apply to certain commercial
electronic messages e.g., providing a quote in response to a request, furtherance
of previously agreed to transactions, warranty, safety, security, product recall
information, factual information about a purchase, information about an
employment or benefits plan, delivering a product, service or upgrade, or another
exception specified in a regulation. (s.6(6))
¬ Î Will businesses develop policies that rely on specific exceptions for consent,
even when the formality requirements are not also exempted?

14
Getting consents to send commercial
electronic messages
¬ Express consents
¬ A person who seeks express consent must, when requesting consent, set out clearly
and simply the following information: (a) the purpose or purposes for which the consent
is being sought; (b) prescribed information that identifies the person seeking consent
and, if the person is seeking consent on behalf of another person, prescribed
information that identifies that other person; and (c) any other prescribed information.
(s.10(1)). See also (2).
¬ How do businesses obtain express consents to send a commercial electronic message
when sending an electronic message to get consent is itself a commercial electronic
message for consent is required? (s.1(3))
¬ Implied Consents
¬ Consents to collect, use or disclose information under PIPEDA are not necessary valid
for the purposes of Bill C-28.
¬ Bill C-28 will create a conflicting consent regime with the consent regime in PIPEDA
since “implied consents” are a list of closed categories.
¬ Î Businesses cannot rely on PIPEDA consents to use personal information since the
regimes are different e.g., disclosure standards, standards for determining implied
consents, and exceptions are not the same.

15
Implied consents to send commercial
electronic messages
¬ A consent is implied for the purpose of the anti-SPAM provisions only if:
a) there is “an existing business relationship” or an “existing non-business relationship”, as
those terms are defined. (s.10(9))
¬ “Existing business relationship” is a relationship arising from a purchase or barter
within 2 years; acceptance of a business, investment or gaming opportunity with
last 2 years; related to a contract until 2 years after expiry; any inquiry or
application with 6 months. (s.10(10))
¬ “Existing non-business relationship” is a non-business relationship arising from a
donation or gift; volunteer for a charity; membership, within a 2 year window.
(s.10(13))
b) the person to whom the message is sent has “conspicuously published” the electronic
address without a statement that the person does not wish to receive unsolicited
commercial electronic messages at the electronic address and the message is relevant
to the person’s business, role, functions or duties in a business or official capacity;
c) the person to whom the message is sent has disclosed, to the person who sends the
message, his/her electronic address without indicating a wish not to receive SPAM, and
the message is relevant to the person’s business, role, functions or duties in a business
or official capacity; or
d) the message is sent in the circumstances set out in the regulations.

16
Format requirements for electronic
messages
¬ The electronic messages must be in a form that conforms to the prescribed
requirements and must:
a) set out prescribed information that identifies the person who sent the message;
b) set out information enabling the person to whom the message is sent to readily
contact the sender (the contact information must be valid for 60 days); and
c) set out the prescribed unsubscribe mechanism. (s.6(2) & (3)).
¬ The unsubscribe mechanism must (a) enable the recipient to indicate, at no cost to
them, the wish to no longer receive any messages, or any specified class of such
messages, from the sender, using (i) the same electronic means by which the message
was sent, or (ii) if using those means is not practicable, any other electronic means that
will enable the person to indicate the wish; and (b) specify an electronic address, or link
to a page on the World Wide Web that can be accessed through a web browser, to
which the indication may be sent. (s.11(1) & (2))
¬ Î Is it possible to comply with these rules for all media? Can regulations solve the
problem?
¬ Î Businesses need to develop policies and processes for how to comply with format
requirements for every category of message formats for all included media. These will
need continual review.
17
Malware and Spyware Provisions

18
The prohibition

¬ 8. (1) A person must not, in the course of a commercial activity, install or
cause to be installed a computer program on any other person’s computer
system or, having so installed or caused to be installed a computer program,
cause an electronic message to be sent from that computer system, unless:
(a) the person has obtained the express consent of the owner or an authorized
user of the computer system and complies with [the disclosure
requirements of] subsection 11(5); or
(b) the person is acting in accordance with a court order.

Î Implied consents cannot be relied upon. Only express consents are valid,
assuming compliance with the disclosure requirements.
Î Written agreements or click-wraps will comply. Web wrap agreements will
likely not comply.

19
Scope of prohibition

¬ Applies to “computer programs” (defined in subsection 342.1(2) of the Criminal
Code) as meaning “data representing instructions or statements that, when
executed in a computer system, causes the computer system to perform a
function”.
¬ Î Computer programs are not limited to malware or spyware.
¬ Installed on another person’s “computer system” ” (defined in subsection
342.1(2) of the Criminal Code) as meaning “a device that, or a group of
interconnected or related devices one or more of which, (a) contains computer
programs or other data, and (b) pursuant to computer programs, (i) performs logic
and control, and (ii) may perform any other function”.
¬ Î Computer systems could include: PCs, phones, smartphones, DARs, tablets
like the iPad, ebook readers, the “Cloud”, websites and web services, servers,
industrial machines, appliances, autos, and other consumer products.

20
Scope of prohibition

¬ Covers acts of “installing” a computer program. ‘Install’ is not defined in the
legislation. What is included e.g., downloading, program execution, successful
running of install program, integration of the code onto a computer system such
as by changing the registry, making the program executable at a later time,
modifying existing software?
¬ Covers to “cause an electronic message to be sent” from the computer.
¬ “electronic message” means a message sent by any means of
telecommunication, including a text, sound, voice or image message. Not
limited to personal information or privacy violations; extends to usage
information; performance data; monitoring data;
¬ Î “to be sent” –involves a requirement for a transmission, but does not
explicitly require any reception of data.

21
Getting express consents to comply with
“malware” and “spyware” provisions
¬ Obtaining consent: A person who seeks express consent must, when requesting
consent, set out clearly and simply the following information: (a) the purpose or
purposes for which the consent is being sought; (b) prescribed information that
identifies the person seeking consent and, if the person is seeking consent on
behalf of another person, prescribed information that identifies that other person;
and (c) any other prescribed information.” (s.10(1)).
¬ Withdrawal of consent: If the computer program installed meets one of the
specified “malware” or “spyware” criteria in s.10(5), the person who installs the
program with consent must for 1 year provide an electronic address to which a
request can be sent to remove or disable the computer program if the requestor
believes that the function, purpose or impact of the computer program installed
under the consent was not accurately described when consent was requested;
and if the consent was based on an inaccurate description of the material
elements of the enumerated function or functions, must, without cost to the person
who gave consent, assist that person in removing or disabling the computer
program as soon as feasible. (s.11(5))

22
Disclosure requirements to comply with
“malware” and “spyware” provisions
Two levels of disclosure required when obtaining consent.
¬ Minimum Disclosure: A person who seeks express consent, must when requesting
consent, also, in addition to setting out any other prescribed information, must clearly and
simply describe, in general terms the function and purpose of the computer program that is
to be installed if the consent is given. (s.10(3))
¬ Enhanced Disclosure: If the computer program meets one of the specified “malware” or
“spyware” criteria in s.10(5), “the person who seeks express consent must, when
requesting consent, clearly and prominently, and separately and apart from the licence
agreement, (a) describe the program’s material elements that perform the function or
functions, including the nature and purpose of those elements and their reasonably
foreseeable impact on the operation of the computer system; and (b) bring those elements
to the attention of the person from whom consent is being sought in the prescribed
manner”.
¬ The enhances disclosure standard applies where the program collects personal
information; interferes with control of the computer; changes or interferes with settings
preferences or commands; obstructs, interrupts, or interferes with access to data; causes
the computer to communicate with another computer without authorization, installing a bot,
or something set out in the regulations, but not merely transmission data. (s.10(5) &(6))
¬ Î How to determine the appropriate disclosure to meet the specific type of computer
program?

23
Exceptions for Software Updates,
Upgrades and Patches
¬ Express consent and the minimum disclosure are not required for the installation
of an update or upgrade so long as the installation or use of the computer
program being updated was expressly consented to and the person who gave the
consent is entitled to, and does receive the update under the terms of the express
consent. (s.10(7)).
¬ Î This exception does not extend to the enhanced disclosure requirement.

24
Exclusions from the consent and
disclosure requirements
¬ A person is considered to expressly consent to the installation of a computer
program if:
a) the program is:
i. a cookie,
ii. HTML code,
iii. Java Scripts,
iv. an operating system,
v. any other program that is executable only through the use of another
computer program whose installation or use the person has previously
expressly consented to, or
vi. any other program specified in the regulations; and
b) the person’s conduct is such that it is reasonable to believe that they
consent to the program’s installation. (s.11(8))
¬ Î What type of programs are referred to in para. (v)?
¬ Î Note, there is no express waiver of the disclosure requirement, but disclosure
is only required where express requests are being sought.

25
Altering Transmission Data
provisions

26
The prohibition

¬ S.7.1(1) It is prohibited, in the course of a commercial activity, to alter or cause to
be altered the transmission data in an electronic message so that the message is
delivered to a destination other than or in addition to that specified by the sender,
unless (a) the alteration is made with the express consent of the sender or the
person to whom the message is sent, and the person altering or causing to be
altered the data complies with subsection 11(4); or (b) the alteration is made in
accordance with a court order.
¬ (2) Subsection (1) does not apply if the alteration is made by a
telecommunications service provider for the purposes of network management.

27
Getting express consents to comply with
“altering transmission data” provision
¬ Obtaining consent: A person who seeks express consent must, when requesting
consent, set out clearly and simply the following information: (a) the purpose or
purposes for which the consent is being sought; (b) prescribed information that
identifies the person seeking consent and, if the person is seeking consent on
behalf of another person, prescribed information that identifies that other person;
and (c) any other prescribed information.” (s.10(1))

28
Address and personal information
harvesting provisions

29
Address harvesting amendments to
PIPEDA – s. 82 of Bill C-28
¬ 7.1(2) Paragraphs 7(1)(a), (c) and (d) and (2)(a) to (c.1) and the exception set out
in clause 4.3 of Schedule 1 do not apply in respect of (a) the collection of an
individual’s electronic address, if the address is collected by the use of a computer
program that is designed or marketed primarily for use in generating or searching
for, and collecting, electronic addresses; or (b) the use of an individual’s electronic
address, if the address is collected by the use of a computer program described in
paragraph (a).
¬ “electronic address” defined to mean “an address used in connection with (a) an
electronic mail account; (b) an instant messaging account; or (c) any similar
account”.
¬ Î Note: The collection of electronic addresses prohibition is not tied to any
SPAM-related activity.
¬ Î The effect of this is to remove certain exceptions related to the collection and
use of personal information in PIPEDA.

30
Address harvesting amendments to
PIPEDA
¬ PIPEDA s.7(1) An organization may collect personal information without the knowledge or consent
of the individual only if:
a) the collection is clearly in the interests of the individual and consent cannot be obtained in a
timely way;
b) the collection is solely for journalistic, artistic or literary purposes;
c) the information is publicly available and is specified by the regulations.
¬ PIPEDA s.7(2) An organization may, without the knowledge or consent of the individual, use personal
information only if:
a) in the course of its activities, the organization becomes aware of information that it has
reasonable grounds to believe could be useful in the investigation of a contravention of the laws
of Canada, a province or a foreign jurisdiction that has been, is being or is about to be
committed, and the information is used for the purpose of investigating that contravention;
b) it is used for the purpose of acting in respect of an emergency that threatens the life, health or
security of an individual;
c) it is used for statistical, or scholarly study or research, purposes that cannot be achieved
without using the information, the information is used in a manner that will ensure its
confidentiality, it is impracticable to obtain consent and the organization informs the
Commissioner of the use before the information is used;
(c.1) it is publicly available and is specified by the regulations.
¬ Exception set out in clause 4.3 of Schedule 1: consent is required for the collection, use, or
disclosure or personal information, except where inappropriate.
31
Personal information harvesting
amendments to PIPEDA
¬ 7.1(3) Paragraphs 7(1)(a) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of
Schedule 1 do not apply in respect of (a) the collection of personal information, through any
means of telecommunication, if the collection is made by accessing a computer system or
causing a computer system to be accessed in contravention of an Act of Parliament; or (b) the
use of personal information that is collected in a manner described in paragraph (a).
¬ “access” is defined to mean “to program, to execute programs on, to communicate with, to
store data in, to retrieve data from, or to otherwise make use of any resources, including data
or programs on a computer system or a computer network.
¬ “computer program” and “computer system” are broadly defined as in the SPAM provisions .
¬ ÎThe collection of personal information does not have to be SPAM-related.
¬ Î Note, the access to a computer system must be “in contravention of an Act of Parliament”.
Compare to wording in s.7(1)(b) which apply to “a breach of an agreement or a contravention
of the laws of Canada or a province.”
¬ Î The effect of this is also to remove certain exceptions related to the collection and use of
personal information.
¬ Î Note also the removal of the exception in s.7(1)(b): “it is reasonable to expect that the
collection with the knowledge or consent of the individual would compromise the availability or
the accuracy of the information and the collection is reasonable for purposes related to
investigating a breach of an agreement or a contravention of the laws of Canada or a
province”.

32
Competition Act Provisions

33
Competition Act

¬ Bill C-28 adds to existing Competition Act provisions prohibiting false or
misleading representations to promote a business interest of the supply
or use of a product
¬ Numbering of Competition Act amendments is particularly confusing
¬ Investigation/enforcement by Competition Bureau
¬ Bureau has sought and obtained sizeable fines in the past for deceptive
marketing practices
¬ Bureau is seeking $10m fine against Rogers for alleged misleading
advertising

34
Competition Act new s. 74.011 and s.
52.01
¬ prohibits representation that is false or misleading in a material respect in
electronic message
¬ prohibits false or misleading representation in
¬ sender information in electronic message
¬ subject matter information in electronic message
¬ locater
¬ look at general impression and literal meaning
¬ Î only first prohibition states “in a material respect”
¬ Î no “to the public” concept
¬ Î no concept of exception for consent or existing business relationship

35
Definitions (s. 70(2))

¬ “sender information” means the part of an electronic message —
including the data relating to source, routing, addressing or signalling —
that identifies or purports to identify the sender or the origin of the
message
¬ “subject matter information” means the part of an electronic message
that purports to summarize the contents of the message or to give an
indication of them
¬ “locator” means a name or information used to identify a source of data
on a computer system, and includes a URL
¬ “electronic message” is widely defined, same as in Bill C-28

36
Competition Act – Discussion
Examples
¬ Sender Information
¬ VISA <security@onlineupdate.com>
¬ Locator
¬ www.bmosecuritylink.com
¬ Subject Matter Information
¬ Fly Ottawa to Calgary for $299 return
¬ Lose 20 Pounds in 3 Weeks
¬ Our best sale of the year
¬ Exclusive upgrade offer from ABC Hotels
¬ ÎAggressive e-mail subject matter language poses substantial risk to senders

37
Enforcement Measures

38
Bill C-28 Enforcement

¬ Bill C-28 is complicated
¬ The Bill contains amendments to several statutes, and contemplates
inter-related actions by several agencies and enforcement routes

39
Enforcement Routes

¬ CRTC – spam, spyware, message misrouting
¬ Competition Bureau – false or misleading messages or components
¬ criminal
¬ reviewable
¬ Privacy Commissioner – improper harvesting of personal information
¬ Private actions – all of the above
¬ class actions

40
CRTC

¬ CRTC designates enforcement officers (SPAM police?) (s. 14)
¬ can issue preservation demand, notice to produce documents, can apply for
search warrants
¬ EO issues notice of violation (like parking ticket) (s.22)
¬ sets out AMPS amount
¬ C-28 provides factors for determining penalty (s.20(3))
¬ previous history of contraventions
¬ financial benefit received from offending activity
¬ ability to pay
¬ other
¬ offender must either pay or ask CRTC panel to rule (s. 24)
¬ A Commission review is decided on balance of probabilities (s. 25)
¬ appeal to FCA is possible, with leave on question of fact (s. 27)

41
CRTC

¬ undertakings possible (i.e negotiated outcome, may include payment
requirement) (s. 21)
¬ sizeable AMPS possible (s. 20)
¬ <$1m for individuals
¬ <$10m for corporations
¬ possible director/officer liability (s. 31)
¬ due diligence defence (s. 33)
¬ what does this mean as a practical matter?
¬ ignore DNCL repealing provisions as there is no intention to proclaim
these anytime soon (s. 90)

42
Competition Act

¬ Criminal prosecution (s. 75)
¬ for egregious situations
¬ “knowingly or recklessly” makes a representation…
¬ fines/imprisonment possible
¬ allows private right of action for damages
¬ Reviewable conduct (s. 77)
¬ prohibition orders
¬ publication of corrective notice (more SPAM?)
¬ AMPS
¬ corporation = <$10m 1st offence; <$15m subsequent
¬ new private right of action

43
PIPEDA

¬ Bill C-28 expands the concept of privacy under PIPEDA to include
harvesting an individual’s electronic address and collecting personal
information by accessing a computer system in contravention of a federal
law.
¬ Privacy Commissioner can investigate and take appropriate action as in
other privacy complaints.
¬ However, a private right of action is now available as additional
enforcement right.

44
Private Right of Action (ss. 47-51)

¬ Contravention Trigger (s. 47)
¬ Bill C-28, s. 6-9 (unless CRTC has taken enforcement action or
agreed to undertaking – s.48)
¬ does s. 48 provide an incentive to self-report and settle with
CRTC?
¬ Competition Act for reviewable conduct of false or misleading
representations
¬ PIPEDA provisions re harvesting personal addresses/information

45
Private Right of Action

¬ Recovery (s. 51(1))
¬ compensation for loss or expense
¬ “private” fines
¬ <$1m/day for all above triggered items
¬ <$1m/event for aid, induce, procure s. 6-8 contravention +
<1$m/day if actual s.6-8 contravention
¬ court is given list of factors to consider (s. 51(3))
¬ person’s history of contraventions
¬ ability to pay
¬ financial benefit received by offender
¬ other
¬ class action implications
46
VANCOUVER MONTRÉAL
Suite 1300, 777 Dunsmuir Street Suite 2500
P.O. Box 10424, Pacific Centre 1000 De La Gauchetière Street West
Vancouver BC V7Y 1K2 Montréal QC H3B 0A2
Tel: 604-643-7100 Tel: 514-397-4100
Fax: 604-643-7900 Fax: 514-875-6246
Toll-Free: 1-877-244-7711 Toll-Free: 1-877-244-7711

CALGARY QUÉBEC
Suite 3300, 421 7th Avenue SW Le Complexe St-Amable
Calgary AB T2P 4K9 1150, rue de Claire-Fontaine, 7e étage
Tel: 403-260-3500 Québec QC G1R 5G4
Fax: 403-260-3501 Tel: 418-521-3000
Toll-Free: 1-877-244-7711 Fax: 418-521-3099
Toll-Free: 1-877-244-7711
TORONTO
Box 48, Suite 5300 UNITED KINGDOM & EUROPE
Toronto Dominion Bank Tower 125 Old Broad Street, 26th Floor
Toronto ON M5K 1E6 London EC2N 1AR
Tel: 416-362-1812 UNITED KINGDOM
Fax: 416-868-0673 Tel: +44 (0)20 7489 5700
Toll-Free: 1-877-244-7711 Fax: +44 (0)20 7489 5777

OTTAWA
Suite 200, 440 Laurier Avenue West
Ottawa ON K1R 7X6
Tel: 613-238-2000
Fax: 613-563-9386
Toll-Free: 1-877-244-7711

47