McCarthy Tétrault Webinar:

Bill C-27, the Electronic Commerce Protection Act

Charles S. Morgan
Lorne P. Salzman
Barry B. Sookman
May 25, 2009

Introduction
Bill C-27 Highlights and Introduction

Bill C-27 is intended to:

• Deter unsolicited commercial electronic mail by prohibiting the sending of
commercial electronic messages without consent (Spam).
• Protect the integrity of transmission data and prohibit unwanted
installation of computer programs (Spyware).
• Prohibit false and misleading commercial representations online.
• Prohibit the collection of personal information through access to computer
systems without consent.
• Provide for a private right of action for breaches.
• Allow the imposition of administrative monetary penalties on violators.
• Amends: Telecommunications Act, Competition Act, PIPEDA.
• The Bill provides for regulations that could modify the impacts of the
ECPA. The regulations will probably be ready in September.
• Bill C-27 will have significant and serious consequences.
Background: Special Task Force on Spam

• On May 11, 2004, the Minister of Industry established the
Special Task Force on Spam to oversee an action plan to
reduce the volume of unsolicited commercial e-mail.
• In its 2005 Report, the Task Force recommended “new
legislation as required to fill any gaps identified in existing
laws”. See
http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00317.html
• This Bill addresses the legislative recommendations of the
Task Force on Spam. See Backgrounder, Government of
Canada Introduces the Electronic Commerce Protection
Act, http://www.ic.gc.ca/eic/site/ic1.nsf/eng/04595.html
• View the ECPA online at:
http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=3832885&file=4
Introduction

Status of Bill C-27, the Electronic Commerce Protection Act:
• 1st Reading: April 24, 2009
• Debates: May 7-8, 2009
• 2nd Reading: May 7, 2009
• Next steps: Committee: Industry, Science and
Technology
Anti-Spam Provisions
Anti-Spam Provisions – Key Sections

The main anti-spam provision in Bill C-27 is found in s.6:

6. (1) No person shall send an electronic address a commercial
electronic message unless
(a) the person to whom the message is sent has consented
to receiving it; and
(b) the message complies with subsection (2).

(2) The message must
(a) set out prescribed information that identifies the person
who sent the message;
(b) set out information enabling the person to whom the
message is sent to readily contact the sender; and
(c) set out an unsubscribe mechanism.
Anti-Spam Provisions

The sweep of the anti-spam prohibition is very wide.

“Electronic address” includes electronic messages sent by e-mail;
instant messaging; mobile phones (SMS); social networks, chat
groups, Internet forums, business networks, Twitter, RSS feeds, and
possibly web sites where users have an account.

“Commercial electronic message” is an electronic message … “it
would be reasonable to conclude has as its purpose, or one of its
purposes, to encourage participation in a commercial activity…”.
Examples are offers to purchase, sell, or lease a product, good,
service, or land; offers to provide a business or investment
opportunity; or a message that advertises or promotes the foregoing.
Anti-Spam Provisions – Consent

The consent requirements are stringent:

10. (1) A person who seeks express consent must set out clearly and
simply the following information:
(a) the purpose or purposes for which the consent is being sought;
(b) prescribed information that identifies the person seeking
consent.
(3) Consent is implied only where the person who sends the message has
an existing narrowly defined business or non-business relationship with
the person to whom it is sent.

“Existing business relationships” are limited to (i) business transactions
completed within the last 18 months, (ii) contracts concerning some other
subject matter in existence or which have expired within 18 months, or
(iii) an inquiry or application within the last 6 months.

“Existing non-business relationships” are limited to (i) persons who have
made donations or gifts to a registered charity, political party, or
candidate for Federal or Provincial office within the last 18 months, (ii)
volunteers to the above organizations within the last 18 months, and
(iii) membership in an organization that is listed in regulations within the
last 18 months.
Problems with the Anti-Spam Provisions – Too Broad and Encompassing

• The Bill assumes that all electronic communications are unwanted
spam and prohibits all commercial electronic messages, except in
limited circumstances.
• It departs from other international anti-spam legislation as it is
not limited to messages that are somehow harmful such as
messages:
  • that contain some element of fraud or misleading information;
  • that are sent in violation of an individual’s opt-out request;
  • that are sent with an “intent to deceive or mislead”;
  • that are sent to addresses that were gathered using
  “automated means”; or
  • that are sent in bulk.
• It thus imposes significant restrictions on commercial speech.
These could violate the right to freedom of speech under the
Canadian Charter of Rights and Freedoms.
Problems with the Anti-Spam – The Consent Provisions are Far Too Limiting

• The ECPA would prohibit sending electronic
messages without either express or implied
consent from the intended recipient.
• The ECPA does not permit consent for a
solicitation to be inferred from publication of an
e-mail address if it would be reasonable to
assume the message would be of interest to the
individual or their organization, or more
generally from the conduct of the individual or
organization concerned.
• It also prohibits seeking consent electronically
and treats even a request as a prohibited
electronic message.
Problems with the Anti-Spam – The Formalities for Messages are Too Onerous

• The formalities apply to each means of communication and
treat them as if they were the same.
• However, the electronic communication technologies that
exist today or that may be created in the future may be
vastly different: e-mail, IM, SMS messages, voice mail,
Twitter, blogs, RSS feeds, social networks and future
means of communication are not the same.
• Some electronic technologies may not be able to (a) set
out prescribed information that identifies the person who
sent the message; (b) set out information enabling the
recipient to readily contact the message sender; or (c) set
out an unsubscribe mechanism in accordance with
subsection 11(1).

Examples of “spam”
The following would be considered “spam” under the ECPA, unless the sender has obtained the prior
express consent from the recipient:
• A business sending an e-mail to a new potential supplier or customer proposing a possible
business arrangement after reviewing its website, even if e-mail contact information is displayed
on its website.
• A business sending a person an e-mail with a link to the business's website, if the website
describes the goods or services of the business, outside of the narrowly defined situations
described above.
• The amendments would significantly advantage established businesses at the expense of newer
businesses or businesses seeking to expand into new markets. Established companies could
continue to make use of existing contacts for the period permitted by the ECPA. New businesses
would be unable to use the Internet to establish new business relationships.
• A customer or client who hasn't purchased goods or services from a business for 18 months, or
who has never bought goods or services, could not send an e-mail asking to buy products or
obtain services, see a catalogue or ask for a price list, quotation or estimate.
• A law firm or other professional firm sending out e-alerts and electronic newsletters to clients they
have not provided services for in the last 18 months that contain a link to the firm’s website or
promote any of the firm’s professionals, services or expertise.
• E-mailing an existing customer or supplier with whom the sender has a long term contract
entered into more than 18 months before the communication with a proposal to do more business
under the contract or that includes an updated price list, catalogue of products, or services or to
suggest a meeting.
• Sending e-newsletters that have advertisements to persons that have been receiving them
without objection for years, unless the sender has done business with the receiver in the last 18
months.
Examples of “spam”

More examples:
• Headhunting using email; applying for a job by sending a resume to the head of HR of
an organization, even if in response to a published advertisement.
• Soliciting freelance or consulting services to prospective clients in your field, no matter
how targeted your emails are.
• Proposing cross industry partnerships or initiatives with others in your field if you've
never had contact with them.
• Sending newsletters, business publications, or company information to anyone who
has made an inquiry about a company's products or services more than 6 months
before.
• Asking for donations or volunteers by any organization that is not a registered charity,
political party or federal or provincial candidate.
• Sending university alumni e-newsletters with advertisements or asking for support.
• Sending e-mails to former members of clubs after 18 months.
• Adding a business or professional acquaintance to your Facebook/LinkedIn account if
you haven't been in contact with the person in the last 18 months.
• Sending any messages using SMS (or like means of communication) that cannot
comply with the message formalities, e.g., does not contain a means to send
unsubscribe requests.
• Any commercial e-mail that does not contain a footer enabling the recipient to
unsubscribe from further e-mails.
Anti-Spam Provisions – International Comparisons

Country: Canada (Bill C-27, the Electronic Commerce Protection Act)
Applies To: “any electronic message that, having regard to the content of the message, … it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity”
Notes: Consent to receive the message can only be implied where there is an existing relationship (within the last 18 months)

Country: U.S. (CAN-SPAM Act of 2003)
Applies To: “any electronic message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service”
Notes: Prohibitions on unsolicited messages are limited to messages that are fraudulent or misleading (s.4), those that do not contain prescribed information (s.5) or those sent in violation of an opt out request.

Country: Australia (Spam Act 2003)
Applies To: “a commercial electronic message is an electronic message, where … it would be concluded that the purpose, or one of the purposes, of the message is [among an exclusive list of purposes related to advertising and offering goods and services]”
Notes: Consent can be implied where the electronic address has been published and the message is relevant to the individual.

Country: New Zealand (Unsolicited Electronic Messages Act 2007)
Applies To: “commercial electronic message means an electronic message that markets or promotes [goods or services], or assists or enables a person to obtain dishonestly a financial advantage or gain from another person…”
Notes: Consent can be implied from the conduct, business and relationships of the persons concerned.

Country: Singapore (Spam Control Act 2007)
Applies To: “a commercial electronic message is an electronic message, where … it would be concluded that the primary purpose of the message is [among an exclusive list of purposes related to advertising and offering goods and services]”
Notes: Prohibitions on unsolicited messages are limited to messages that are “sent in bulk” (s.6 & 11)

Country: Hong Kong (Unsolicited Commercial Messages Ordinance)
Applies To: “commercial electronic message means an electronic message the purpose, or one of the purposes, of which is [among an exclusive list of purposes related to advertising and offering goods and services]”
Notes: Prohibitions on unsolicited messages are limited to those that are sent using “automated means” (s.18 & 19) or “with the intent to deceive or mislead” (s.20)
Anti-Spyware Provisions

The main anti-spyware provision is found in s.8(1) of the Bill:

8(1): No person shall, in the course of a commercial activity,
install a computer program or cause an electronic message
to be sent from a computer system, unless the person has
obtained the express consent of the owner or an authorized
user of that computer system.
Anti-Spyware Provisions - Consent

The provisions contain stringent disclosure and consent
requirements:

10. (1) A person who seeks express consent for the doing of an
act described in any of sections 6 to 8 must set out clearly and
simply:
(a) the purpose or purposes for which the consent is being
sought; and
(b) information that identifies the person seeking consent;
(2) A person who seeks express consent for the doing of any act
described in section 8 must also describe clearly and simply the
function, purpose and impact of every computer program that is
to be installed.
Anti-Spyware Provisions - Definitions

“computer system” means a device that (a)
contains computer programs or other data, and
(b) pursuant to computer programs, (i) performs
logic and control, and (ii) may perform any other
function.

“computer program” means data representing
instructions or statements that, when executed
in a computer system, causes the computer
system to perform a function.
Anti-Spyware Provisions – Implications

Prohibition on any program, patch, upgrade
or add-on installed without express consent.
• How practical is consent for automatic updates
given need for prior disclosure of “function,
purpose and impact” of “every” program to be
installed?
• This provision could make it illegal to use
applications written in popular computer
languages like Java, without such disclosure and
consent.
Anti-Spyware Provisions – Implications

• Developers of anti-virus and anti-spyware
software would have to obtain consent from
users to include each latest virus and spyware
definition in the programs and disclose to users
the effects of these updates.
• This disclosure could help the creators of viruses and
spyware to circumvent the protection programs.
• The provisions in the ECPA would apply not only
to personal computers but to a whole host of
devices from iPhones and Blackberries to
mainframe computers.
• Many of these devices do not have the capability of
displaying consent forms and relaying consent.
Examples of “spyware”

The following would be considered “spyware” under the ECPA,
without obtaining consent from the recipient:
• Embedded browser-based applets (Flash,
JavaScript), including routine functions like a
re-direct
• Anti-virus and anti-spyware updates and latest
virus/spyware definitions
• Hardware driver updates
• Other routine software patches (operating
system security patches, bug fixes, etc.)
Examples of “spyware”

More examples:
• DRM/TPM technologies
• Software code embedded in media files
• Software updates to wireless devices
• (Possibly) HTML code
Anti-Spyware Provisions – International Comparison

• The ECPA goes much further than any trading partner in its
prohibitions against installing software.
• Some U.S. states have passed laws prohibiting spyware, but the
laws only apply to programs that perform a limited set of
functions, such as:
  • Modifying settings of other programs (like default browser
  settings),
  • Collecting personal or financial information of the computer’s
  owner,
  • Activating keystroke logging software to collect personal
  information,
  • Attempting to block or uninstall existing anti-spyware and
  anti-virus programs,
  • Collecting browser history and bookmark lists, or
  • Preventing the user from removing the spyware program.
Message Tampering

Bill C-27 also prohibits altering e-mails:

7. (1) No person shall alter or cause to be altered the
transmission data in an electronic message so that the
message is delivered to a destination other than or in
addition to that specified by the sender, unless the
alteration is made with the express consent of the sender

(2) Subsection (1) does not apply if the alteration is made
by a telecommunications service provider for the purposes
of network management.
Deceptive Marketing Provisions
False and Misleading Messages

• Bill C-27 amends the Competition Act to
criminalize false or misleading representations in
electronic messages
• The Competition Bureau will have the power to
investigate and take action against the use of
false headers, false locator information, or the
presence of false or misleading content in
electronic messages.
• Two options for proceeding:
• prosecution under new s. 52.01 and related provisions
• reviewable practice under new s. 74.011
False/Misleading Messages Criminal Offence

The Competition Act is amended by adding the following
section:

s.52.01 No person shall knowingly or recklessly:

(1) send or cause to be sent a false or misleading
representation in the sender information or subject matter
information of an electronic message

(2) send or cause to be sent in an electronic message a
representation that is false or misleading in a material
respect

(3) make or cause to be made a false or misleading
representation in a locator
Key Definitions

• “locator” means a name or information used to identify a
source of data on a computer system, and includes a
URL;

• “sender information” means the part of an electronic
message — including the data relating to source, routing,
addressing or signalling — that identifies or purports to
identify the sender or the origin of the message;

• “subject matter information” means the part of an
electronic message that purports to summarize the
contents of the message or to give an indication of them;
Prosecution Issues

• It is not necessary to prove that any person was
actually deceived or misled.
• The general impression conveyed by a representation
as well as its literal meaning are to be taken into
account.
• Any person who contravenes this provision is guilty of
an offence and liable
• If on indictment, to a fine in the discretion of the court or to
imprisonment up to 14 years, or to both, or
• If on summary conviction, to a fine of up to $200,000 and
imprisonment up to 1 year, or to both
• Contravention can also trigger civil liability for
damages (s. 36)
New Reviewable Deceptive Marketing Practices

• 74.011 A person engages in reviewable conduct who:

(1) sends or causes to be sent a false or misleading
representation in the sender information or subject matter
information of an electronic message.

(2) sends or causes to be sent in an electronic message a
representation that is false or misleading in a material respect.

(3) makes or causes to be made a false or misleading
representation in a locator.

• Contravention results in an administrative monetary penalty of up to:
  • individual - $750,000 1st offence, $1 million 2nd +
  • corporation - $10 million 1st offence, $15 million 2nd +
New Reviewable Deceptive Marketing Practices

• Sender information, subject matter or locator
could be found false or misleading
notwithstanding other content in an electronic
message.
• Consider teaser subject lines:
• An important message from ABC
• Our best sale of the year
• The best vacation ever
Enforcement Mechanisms
ECPA Civil Liabilities and Offences – Summary

Civil Liability: s.20: Contravention of spam and spyware provisions of ECPA
Enforced by: CRTC
Penalty: Maximum of $1,000,000 for individuals and $10,000,000 for others

Civil Liability: s.47(1): Private right of action for people who allege they are affected by:
• a contravention of the spam and spyware provisions of the Bill,
• certain contraventions of s.5 of PIPEDA or
• conduct reviewable under s.74.011 of the Competition Act
Enforced by: Courts
Penalty: Actual damages, plus up to $200 for each contravention, not to exceed $1,000,000 per day

Offence: s.42: non-compliance with preservation demand or notice to produce
Enforced by: Prosecution
Penalty: Up to $25,000 for individuals and $250,000 for others

Offence: s.43: Providing false or misleading information to person performing ECPA duties
New Civil Liabilities – Administrative Monetary Penalties

• Violation of the spam or spyware provisions leads
to “administrative monetary penalties” (s. 20)
  • individuals – up to $1 million
  • others – up to $10 million

• Factors for determining the fine include (s. 20(3)):
  • the purpose of promoting compliance, not punishment
  • the scope of the contravention
  • the person’s history with respect to prior spam/spyware
  violations
  • financial benefit received
  • the person’s ability to pay
  • any other relevant factor
New Civil Liabilities – Administrative Monetary Penalties

24. (1) A person who is served with a notice of
violation shall pay the penalty or make
representations with respect to the acts or omissions
that constitute the alleged violation.

(2) A person is deemed to have committed the
violation if they either pay the penalty or do not
pay the penalty, or do not make representations,
in accordance with the notice of violation.

25. (1) If a person makes representations in
accordance with the notice, the CRTC shall
decide, on a balance of probabilities, whether the
person committed the violation
New Civil Liabilities – Administrative Monetary Penalties

• Liability under ECPA extends to
• officers, directors or agents of a company, if they
authorized, participated, etc. in the violation (s.31)
• employer where violation by an employee (s.32)
• Due diligence defence (s. 33)
• importance of compliance training
• No proceeding against an offender that enters
into a (confession-infused) undertaking (s. 21)
• may specify conditions and payments – presumably
negotiated with CRTC
• Uncertain limitation period
• 3 years after becoming known to CRTC
New Civil Liabilities – Private Right of Action

• s.47(1) of the ECPA creates a private right of
action for people who allege they are affected
by:
  • a contravention of ECPA spam and spyware
  provisions
  • a contravention of s.5 of PIPEDA that
  relates to new s. 7.1(2) or (3), or
  • conduct reviewable under s.74.011 of the
  Competition Act.
• Officers, directors, agents, employers liability
for ECPA violations (s.52,53)
• Due diligence defence is available (s.54)
PIPEDA

• s.5(3): An organization may collect, use or
disclose personal information only for
purposes that a reasonable person would
consider are appropriate in the
circumstances.
• s.7.1(2) collecting electronic addresses by
computer program without consent, or using
same
• s.7.1(3) collecting personal information by
accessing a computer system without
consent
Private Right of Action – Recovery (s. 51)

Proving contravention results in recovery of:
• s.51(1)(a) actual damages, plus
• s.51(1)(b) additional amount
• up to $200 per contravention
• maximum of $1 million per contravention day
Factors for the court to determine any additional amount under
s.51(1)(b):
• Same as in s. 20(3) violation re AMP liability
No s.51(1)(b) ECPA recovery where s.20 AMPS action or s.21
undertaking with CRTC
• This exemption not applicable to
• PIPEDA claim or
• Competition Act s. 74.011 claim, but award deducted from AMP fine
• Class action implications
Repeal of the Do-Not-Call List

• Bill C-27 contains (confusing) provisions to abolish the
CRTC’s recently established National Do-Not-Call List
(DNCL) and replace it by the ECPA, which will be expanded
so spam provisions (s.6) apply to voice calls.
• This would change from the DNCL’s current “opt-out”
approach to the ECPA’s “opt-in” approach
• Compliance with electronic message requirements in s.6(2),
including “set out unsubscribe mechanism”
• The DNCL exemption for business to business calling will, in
effect, be repealed and replaced by ECPA’s implied consent
provisions
• Thus cold calling, or contacting business relationships that
have been “inactive” for greater than 18 months, will be
restricted
• DNCL-to-ECPA trigger not specified: Gov’t decides
• No guarantee of public consultation
Summary of Concerns

• The ECPA is very complex and goes far
beyond what is seen in other jurisdictions.
• It has the potential to deter legitimate
forms of commercial speech.
• Given the Government’s accelerated
timeframe, the opportunity to voice
concerns over this Bill is now.
• The House of Commons committee on
Industry, Science and Technology will be
deliberating the ECPA very soon.
Summary of Concerns

• These slides and the accompanying video
will be made available in French and
English at http://www.mccarthy.ca
• (French version of presentation available
at http://www.mccarthy.ca)
• Questions?