Debating C-27: My Appearance Before the Industry Committee

Yesterday I appeared before the Standing Committee on Industry, Science and Technology to discuss Bill C-27, the Electronic Commerce Protection Act.  The Conservatives, NDP, and Bloc have also demonstrated strong support for the bill.  The Liberals have been cautious, indicating that they support the principle but expressing "significant concerns" about specific provisions.  My opening tried to address some of those concerns and the dialogue that followed led to a lively debate.  My opening statement is posted below.  Audio of the hearing available here (the transcript is not yet online).

 

Appearance before the Standing Committee on Industry, Science and Technology
June 11, 2009

Good afternoon.  My name is Michael Geist.  I am a law professor at the University of Ottawa, Faculty of Law, where I hold the Canada Research Chair in Internet and E-commerce Law.  I am also a syndicated weekly columnist on law and technology issues for the Toronto Star and the Ottawa Citizen.  I was a member of the National Task Force on Spam struck by the Minister of Industry in 2004 and on the board of directors of the Canadian Internet Registration Authority, which manages the dot-ca domain name space, from 2000 – 2006.  I also currently serve on the Privacy Commissioner of Canada’s Expert Advisory Committee.

I appear before this committee today in a personal capacity representing only my own views. 

The introduction of Bill C-27 – the Electronic Commerce Protection Act – represents the culmination of years of effort to address concerns that Canada is rapidly emerging as a spam haven.  I don’t think I have to convince you that spam is problem.  Whether it is the cost borne by consumers, schools, businesses, and hospitals in dealing with unwanted email or the shaken confidence of online banking customers who receive phished or phoney emails, there is a real need to address the problem.  C-27 will not eradicate spam – no country can do so alone – but it will finally help to clean up our backyard.

Members of the committee have noted that this is broad legislation that extends beyond just spam.  I would submit that this is a feature, not a bug.  With much talk of the need for a national digital strategy, C-27 fits nicely within that framework by providing much-needed consumer protection legislation for e-commerce.  I think it is fair to say that the Spam Task Force members recognized the need to address the issue toward the end of the mandate and that the steps in this bill are consistent with our recommendations.

While legislation is broad, I think it is important to emphasize that the exceptions are as well.  There are three in particular that are noteworthy:

1.    Consent.  Under this law, consent trumps all.  Indeed, any business – any organization – can do anything it likes with respect to electronic marketing or software installation.  So long as it obtains consent.  There are rules around that consent – form requirement for electronic marketing and disclosure for software, but I don’t think that is such an onerous obligation.  Indeed, whenever a potential concern is raised, I think the first question to ask is why seeking consent is unreasonable. Is it unreasonable to obtain consent before installing a program on my computer?  Is it unreasonable to obtain consent before sending me a commercial message about a house or service or product?  In almost every instance, I think the answer is no – consent is a reasonable requirement. 

Moreover, it is not an uncommon requirement as other laws have also adopted this opt-in consent model.  Australia and New Zealand both have opt-in and Japan even switched its law to opt-in after opt-out proved unsuccessful.

2.    Business-to-Business exception.  I have heard some claims that this legislation will hamper business as it seeks to use email to promote its products or services to other businesses.  The reality is that the legislation contains a business-to-business exception (Section 6(5)(b)). The concerns are unwarranted.

3.    The Consumer exceptions.  These are pretty broad, indeed arguably too broad.  They mirror most of the DNCL exceptions and there are many people who would argue that they go too far and fail to meet consumer expectations.  Consider the business-to-consumer exception that covers 18 months for existing customers and 6 months for non-customers who merely make an inquiry.  Think about that – someone who merely inquires about a long distance plan or hotel room availability is then subject to six months of electronic messaging under the guise of “implied consent.” I think it is reasonable to ask why a business should be entitled to contact a consumer for six months without any consent merely because the consumer has made a single inquiry.

My point here is that the net of the legislation may be broad, but so too are the exceptions that will continue to permit commercial activity.  Some businesses may argue it goes too far, while some consumers may believe it does not go far enough.  Perhaps that is a sign that an appropriate balance has been struck.

Consider the application of these principles to several of the criticisms that were highlighted earlier this week:

1. Jurisdiction.  The legislation covers connections with Canada including the routing of a message through Canada.  This approach merely builds on existing jurisdictional law with respect to a real and substantial connection.  If the message fleetingly enters Canada, I suspect that the test might not be met and it is a non-issue from a liability perspective.
2. Software updates.  As I referenced earlier, it seems perfectly reasonable to expect a software vendor to obtain consent from the end-user before installing anything on their computer.  To suggest otherwise, would be to surrender control over their personal computer and face the prospect of security breaches, as occurred in the infamous Sony rootkit case.
3. Real estate agent emails.  As I am sure you are aware, real estate scams are among the most common with references to swampland in Florida being shorthand for fraudulent offers.  Do we really want to exempt an area that suffers from significant spam concerns?
4. Tough penalties including a private right of action.  This is another feature, not a bug.  Yes, the bill has tough penalties.  The experience in countries like Australia is that anti-spam law only works if the penalties are sufficiently tough that you create some economic risk for spammers.  Otherwise, they’ll keep on doing what they’re doing.  There have been lawsuits against Canadian spammers but they’ve been launched elsewhere because Canadian law didn’t measure up.  We should fix that.

Are there any changes needed?  There are at least two amendments I can think of.  The first is the review provision that was noted in the discussion earlier this week.  This is a fast-moving area and mandated reviews make sense.

The second involves the computer software consent provision.  In the main, I think the provision gets it right.  However, there may be a limited number of instances – the use of javascript on web pages comes to mind – where the provision would prove problematic.  It is not easy to craft a rule that targets all the harms (botnets, spyware, surreptitious installations, keystroke logging) while leaving aside benign activities. 

I would suggest a small addition by adding a Section 10(3) that would allow for implied consent for certain types of computer programs where the person has consented to the installation of that type of computer program by way of their preferences in their web browser.  This would cover off programs like Java and JavaScript that users typically address in their preferences.

Let me conclude with a warning against the lobbying efforts to water down the reasonable standards found in this legislation.  We have seen this before with the do-not-call list.  That bill started with some good principles, but faced intense lobbying and scare tactics.  By the end of the process, Canadians were left with a system that is widely recognized as a failure with 80% of calls continuing and security breaches of the do-not-call list itself.  We must avoid a similar outcome for anti-spam legislation.  Change may be scary to some, but do not let scare tactics dissuade you from moving forward with this much needed legislation.  I welcome your questions.

Debating The ECPA

IT World Canada covers the growing debate over the Electronic Commerce Protection Act, with a mini-debate between Barry Sookman and me over the implications of the bill.  Sookman expresses concern that an attempt to buy additional software licences might render the purchaser a spammer (as if the vendor is going to report that the prospective purchaser has spammed them with the request).

Anti-Spam Bill Will Face Tough Fight Over Consumer Protections

The recent introduction of the Electronic Commerce Protection Act, Canada's long-awaited anti-spam bill, has been greeted with initial all-party support in the House of Commons. The bill just passed second reading with committee hearings the next step in the legislative process. My weekly technology law column (Toronto Star version, Ottawa Citizen version, homepage version) argues that looking ahead, the big fight seems destined to focus on the government's desire to establish a comprehensive regime with tough penalties that apply to most commercial communications to consumers.  Consumer groups will likely welcome the reforms, while some business and marketing organizations may paint a gloomy picture of the costs associated with the new regulations.

The bill strives to address most Internet-related consumer harms.  These include email and text message spam, software programs that are secretly installed on users' computers ("spyware"), the use emails and websites that trick users into thinking they are visiting a trusted site ("phishing"), as well as the use of computers infected by viruses to send spam ("botnets").  

If enacted into law, the ECPA would make it illegal to send an electronic commercial message without the prior consent of the recipient.  This would create an "opt-in" system, whereby, subject to certain exceptions, marketers would have to obtain consumers' consent before sending them commercial messages. Moreover, marketers would be required to meet several form requirements including identifying the sender and providing a mechanism to allow consumers to unsubscribe from receipt of further messages.

In addition to the consent requirements, the ECPA targets the tactics frequently employed by spammers.  It would become illegal to harvest email addresses without consent or to alter the transmission information on an electronic message, a rule designed to target phishing practices.

The bill also makes several important amendments to the Competition Act to better ensure that the law captures false or misleading representations.  This will grant the Competition Bureau the power to investigate and take action against the use of false headers in emails, false locator information, or the presence of false or misleading content.

Attempts to install computer programs without the users' express consent are also included within the ECPA.  This not only addresses spyware that is secretly inserted into some emails, but also software companies that attempt to install updates without informing users or music companies that surreptitiously install anti-copying technologies.

The new provisions will only be effective if enforced and the ECPA features some of the toughest penalties in the world. The CRTC has been given a wide range of investigatory powers, including the power to compel Internet service providers to preserve transmission data.  Once it concludes its investigation, the Commission can pursue a settlement or bring a notice of violation with penalties that can run as high as $10 million.

The Privacy Commissioner of Canada can also investigate certain complaints and the Competition Bureau can go after misleading representations with penalties up to 14 years in jail (indictment) or $200,000 and a year in jail (summary conviction). For those not content to wait for the CRTC or the Competition Bureau to act, the law also creates a private right of action to facilitate lawsuits against Canadian-based spammers.

The ECPA addresses many of the recommendations of the 2005 National Anti-Spam Task Force, but not everyone will welcome it with open arms.  Some business groups are likely to oppose the shift toward an opt-in system, claiming that the new rules will impede commercial opportunities.  Software companies may object to requirements to obtain express consent from users before installing new programs and opponents may try to sow fear within the business community, pointing to the regulatory costs and potential for multi-million dollar liability. Yet most of these provisions are standard fare around the world.  All parties should recognize that providing reasonable consumer protections does not impede electronic commerce, but rather facilitate it.

Electronic Commerce Protection Act Headed To Committee Following Odd Debate

The Electronic Commerce Protection Act (Bill C-27) is headed for committee review following two days of rather strange debate in the House of Commons last Thursday and Friday.  What was ensued was alternately predictable and bizarre.  The predictable part was the all-party support for anti-spam legislation.  MPs from all four parties talked about the need for anti-spam legislation, how it was long overdue, it is costly, it undermines confidence, etc.

The bizarre part was the discussion on the bill's implications for the do-not-call list.  As I wrote soon after the bill was introduced, buried at the very end are provisions that kill the do-not-call list.  Given the problems associated with the list, moving toward an opt-in approach (rather than DNCL's opt-out) could be a good thing.  Yet the government seems determined to deny that the bill lays the groundwork to kill the list.

The debate started on Thursday when NDP MP Charlie Angus asks why the government seems reluctant to discuss the do-not-call provisions in the ECPA.  Parliamentary Secretary Mike Lake responds that "I will start by correcting the hon. member. The bill clearly does not abolish the do-not-call registry." It continues when MP Jean Crowder (after citing some my earlier work on do-not-call) talks about how the ECPA will correct some of the problems associated with the DNCL.  Lake responds that Crowder "spoke more about other legislation than this legislation."  Crowder later raises the issue again and this time Conservative MP Terence Young says "it should be noted that the electronic commerce protection act will not abolish the do-not-call list. I think the member might be aware of that. There are published reports to that effect, and it is not true. For greater certainty, there is a section of the bill that remains dormant until it is made law by an order-in-council and by regulation."

Angus and Young then go back and forth on the issue:

Angus:    I have heard from the member and the parliamentary secretary that there is no power to cancel the do-not-call registry. Yet sections 41.1 to 41.7 of the act is the do-not-call registry. Either the Conservatives are slipping it in the bill or they are not sure it is in the bill.

Young:   I want to reassure the member opposite that there is no intention to repeal the do-not-call list.

Angus:   Why, then, is it in the bill? Should we strike it now before we send it to committee?

Young:   The provision at the end of the bill, which is clause 86, allows for the repeal of the do-not-call list at the time of the government's choosing in the future. It does not repeal the list. It leaves the door open for greater certainty. Clause 86 will remain dormant until the government chooses to enact it by order-in-council.

Angus:   I am very glad we finally dragged it out of the hon. member. It is in the bill, but it is not in the bill unless the government decides to enact it, so we would be giving the government the power to do that. The Conservatives have told the House again and again that it is not there, but now we finally see it is there, but they will only enact it when they choose to enact it. Again, why is it in the bill? Why does the government not at least have the guts to come out and say that it completely blew it on the registry. It had no enforcement plan. This has been a complete debacle.

Later, Liberal MP Derek Lee remarks:

I want to say that I am just as curious as the last member who spoke in relation to the revocation of the do-not-call list framework in this bill. A summary is a written piece customarily found within the leaf of the bill in a statutory document like this. There is no reference to it in the summary, at least in any way that one could identify it. I may not be quite so accusatory, but I am just as curious. Perhaps we could get something on the record here in this debate from the government's side about that.

The discussion continued on Friday, with NDP MP Jim Maloway again raised my column and focused on the do-not-call issues.  The Government MPs did not respond and the bill was referred to the Industry Committee for review.

The Electronic Commerce Protection Act – The Competition Act Provisions

Having reviewed the Electronic Commerce Protection Act provisions on anti-spam, enforcement, and do-not-call, the other major section in the bill are the provisions involving reforms to the Competition Act.  The ECPA makes several important amendments to the statute to better ensure that false or misleading representations in electronic messages are captured by the law.  This will mean that the Competition Bureau will have the power to investigate and take action against the use of false headers, false locator information, or the presence of false or misleading content in electronic messages.

The changes focus on parallel reforms to the false or misleading representation provisions and the deceptive marketing provisions.  The Competition Act will now include a lengthy new provision on false or misleading representations in an electronic message.  The three main offences, contained with Offences Related to Competition, are:

(1)     No person shall, for the purpose of promoting, directly or indirectly, any business interest or the supply or use of a product, knowingly or recklessly send or cause to be sent a false or misleading representation in the sender information or subject matter information of an electronic message.

(2)     No person shall, for the purpose of promoting, directly or indirectly, any business interest or the supply or use of a product, knowingly or recklessly send or cause to be sent in an electronic message a representation that is false or misleading in a material respect.

(3)      No person shall, for the purpose of promoting, directly or indirectly, any business interest or the supply or use of a product, knowingly or recklessly make or cause to be made a false or misleading representation in a locator.

The net effect of these three provisions is to render illegal false header information in electronic messages such as emails or text messages (including false sender or subject lines), false or misleading content in electronic messages, as well as false locator information.  Locator is defined in the Act as "a name or information used to identify a source of data on a computer system, and includes a URL." Sending a message covers both the actual sender and some who permits a representation to be made or sent. Electronic messages are considered sent once the transmission has been initiated and it does not matter if the message reaches the destination (or even if the recipient address is real).

With regard to penalties, the bill makes it clear that the recipient need not have been deceived or misled by the misleading representation for these provisions to apply.  The penalties for violating these provisions are severe – up to 14 years in jail (indictment) or $200,000 and a year in jail (summary conviction).  Moreover, the Act also grants courts the power to issue injunctions forbidding conduct that would result in a violation of these offences.

The Competition Act's provisions on Deceptive Marketing Practices are also expanded to deal with these same offences  (false or misleading sender information or subject matter information, false or misleading representations in a material respect, false or misleading locators).  This renders all of these actions "reviewable conduct" for the Competition Bureau, which brings the prospect of Administrative Monetary Penalties of up to $100,000 for a corporation on a first offence and $200,000 for subsequent orders.  Courts can also issue injunctions blocking further illegal conduct.  Note that the reforms specify that the Competition Bureau must choose either the false or misleading representation provisions or the deceptive marketing provisions when taking action against a specific incident or conduct.

The Electronic Commerce Protection Act – The Privacy Provisions

The Electronic Commerce Protection Act includes a noteworthy change to Canada's private sector privacy legislation (earlier posts on anti-spam provisions, enforcement, do-not-call). PIPEDA includes specific provisions dealing with the issue of consent for the collection of personal information, including the possibility of collecting personal information without knowledge or consent in certain circumstances.  The ECPA adds a new provision that effectively overrides this exception – ie. it requires consent.  The provisions are designed to target both spyware and the harvesting of email addresses or other collection of personal information without consent (a practice known as dictionary attacks).

The new PIPEDA Section 7.1(2) states:

Section 7 and the exception set out in clause 4.3 of Schedule 1 [ie. consent exception] do not apply in respect of:

(a) the collection of an individual's electronic address, if the address is collected by the use of a computer program that is designed or marketed for use in generating or searching for, and collecting, electronic addresses; or

(b) the use of an individual's electronic address, if the address is collected by the use of a computer program described in (a).

Section 7.1(3) creates a similar prohibition against collecting personal information through any means of telecommunications, if the collection is made by accessing a computer system without authorization.  There is a parallel provision for the use of this information.

In addition to these new provisions, the ECPA makes changes to PIPEDA's investigative provisions.  While Canadians may file a complaint under these new provisions, the Privacy Commissioner may decline to investigate if the Commissioner is of the view that it can be dealt with by the CRTC or the Competition Bureau. The ECPA also opens the door to provincial involvement, granting the Federal Privacy Commissioner the power to consult with their provincial privacy counterparts, coordinate activities, and share information.   The same sharing of information powers can be used to provide information to foreign authorities.

The Electronic Commerce Protection Act – The Enforcement Prohibitions

The Electronic Commerce Protection Act will accomplish little if there is not a real commitment to enforcement.  The enforcement provisions form the bulk of anti-spam bill (my review of the prohibitions here, the effect on the do-not-call list here).  The enforcement part of the bill includes details on who does the enforcing, investigative powers, and penalties associated with anti-spam violations.  The short version is that the CRTC has been given a wide range of investigatory powers, including the power to compel ISPs to preserve transmission data.  Once it concludes its investigation, it can pursue a settlement or bring a notice of violation.  The penalties run as high as $10 million.  There are also smaller roles for the Privacy Commissioner and Competition Bureau as well as provisions to facilitate anti-spam lawsuits.

The more detailed version is:

 

CRTC Enforcement

The CRTC is granted the power to levy Administrative Monetary Penalties for violations of the ECPA.  The maximum penalty for individuals is $1 million and $10 million for any other person   Section 20(3) identifies the factors to be considered in assessing the penalty, including past violations and financial benefits from the activity. 

The ECPA provides the CRTC with a wide range of investigative powers, including the power to require ISPs to preserve transmission data related to the investigation (there are detailed provisions on the preservation issue), require individuals to produce documents, or obtain a warrant to search a place for evidence of a possible violation.

Once it completes the investigation, the CRTC has two options if it finds evidence of a violation.  First, it can obtain an "undertaking" from a party that is alleged to have violated the law (an undertaking is effectively a settlement).  The undertaking can include identifying past violations and include a penalty and additional conditions.  Alternatively, the CRTC can file a notice of violation that sets out the alleged violations and penalty to be paid.  The Commission has up to three years to commence an action from the time it is notified of an alleged violation.  Once someone is served with a notice of violation, they can make representations to the CRTC defending their conduct.  The CRTC is then required to decide, based on a balance of probabilities, if there has been a violation.  The Commission has the right to make public the names of the people who enter into undertakings or are found to have violated the law.  The CRTC decision can be appealed to the Federal Court of Appeal. 

While a notice of violation is not the equivalent of an offence under the Criminal Code, officers and directors can be held liable for the actions of their companies.  Courts are empowered to issue injunctions prohibiting further ECPA violations and the bill also includes significant financial penalties for violating the investigatory requirements (ie. obstruct or fail to comply with the investigation requests).

Private Right of Action

One of the Spam Task Force's recommendations was the establishment of a private right of action to facilitate lawsuits against Canadian-based spammers.  The ECPA creates a new right that could allow for such lawsuits with penalties that reach a maximum of $1 million per day.  The private right of action extends beyond just violations of the ECPA, as it includes contravention of the new PIPEDA provision and the Competition Act provisions.

New Anti-Spam Coordination and Complaints Mechanisms

Although not contained in the ECPA, the government materials that accompanied the release point to two new administrative efforts to address anti-spam enforcement in Canada.  First, Industry Canada will serve as a "national coordinating body" with responsibilities for public awareness, the development of voluntary guidelines, and further research.  Second, there are plans to establish a Spam Reporting Centre.  It would "receive reports of spam and related threats allowing it to collect evidence and gather intelligence to assist the three enforcement agencies."  The SRC appears to be similar to the U.S. FTC reporting mechanism, often referred to as the spam fridge.

The Untold Story of Do-Not-Call Enforcement (aka Why Killing Do-Not-Call Can’t Come Fast Enough)

Earlier today, I posted on how one of the most significant aspects the anti-spam bill introduced on Friday was not reported or discussed in government briefing materials.  Namely, that buried at the very end of the 69-page bill, are provisions that lay the groundwork to kill the National Do-Not-Call list.  I noted that the proposed approach is very complicated, but boils down to the government repealing the provisions that establish and govern the do-not-call list.  In its place, the Electronic Commerce Protection Act approach of requiring an opt-in would apply, meaning that Canadians would no longer need to register their phone numbers on a do-not-call list.

My weekly technology law column (homepage version, Ottawa Citizen version, Toronto Star version) provides some reasons why that the change cannot come fast enough.  The column reports that while misuse of the do-not-call list remains a concern, a review of thousands of pages of internal government documents released under the Access to Information Act reveal that it is only the tip of the iceberg.  In addition to lax list distribution policies, the enforcement side of the do-not-call list raises serious alarm bells with the majority of complaints being dismissed as invalid without CRTC investigation, the appearance of a conflict of interest in sorting through complaints, and a regulator that has been content to issue to "warnings" rather than levying the tough penalties contained in the law.

The CRTC documents obtained under Access to Information include a list of companies that have downloaded the do-not-call list. Given the broad exceptions under the law, virtually no charities, survey companies, political parties, or newspapers have acquired it.  Instead, real estate agents, car dealers, financial advisors, and lawn care companies dominate the list of over one thousand organizations.  Many of those organizations are identifiable, yet there are also over a hundred provincial numbered companies for which little is known, as well as cryptic names such as “My broker office” or “Michele.” It is unclear whether the CRTC invoked further verification before granting access to unknown organizations.

The proliferation of the do-not-call list is certainly disconcerting, but picture that emerges about its enforcement is even more troubling.  The documents reveal that the CRTC receives over 20,000 telemarketing complaints each month, many involving the do-not-call list (some complaints may relate to other telecommunications rules that cover automated dialers or curfews). 

The initial evaluation of complaints is handled by Bell, which manages the do-not-call list, rather than the CRTC. Bell reviews each complaint and provides a prima facie evaluation of whether it is valid, invalid, or indeterminate (which require further investigation). Despite tens of thousands of complaints, very few have been categorized by Bell as a prima facie violation of the do-not-call list.  For example, in January, Bell reported that there were only 42 valid prima facie national do-not-call violations, while 3,033 national do-not-call complaints were ruled invalid (an unknown number of do-not-call complaints were treated as indeterminate). 

The situation was much the same in prior months.  In December 2008, Bell reported only 32 valid do-not-call complaints, while dismissing 2,748 complaints as invalid.  In November 2008, there were 44 valid complaints as opposed to 3,981 complaints dismissed as invalid.

Not only are the vast majority of do-not-call complaints dismissed as invalid without any further investigation, but a complete list of consumer complaints lodged on the CRTC's website reveals that a who's who of the Canadian business community has been the target of complaints. 

Alongside a steady of stream of complaints about vacation offers and duct cleaning, leading retailers such as the Bay and Zellers, financial institutions such as MBNA, telecommunications companies such as Rogers, Telus, and Bell, as well as newspapers and charities regularly appear on the complaints list.  Under the current system, this means that Bell adjudicates whether complaints about its own telemarketing practices (and those of its competitors) are prima facie valid or invalid, a procedure that raises obvious concerns about conflict of interest.

Complaints that survive Bell's initial round of scrutiny go to the CRTC for further investigation.  To date, the CRTC has sent out approximately 70 warning letters where it believes there are reasonable grounds to conclude that the organization is not in compliance with the do-not-call list legislation.  Recipients of the letters are asked to take "corrective action" to address the concerns and warned that failure to do so could lead to penalties of up to $15,000 per violation for corporations.  Notwithstanding that threat, the CRTC has yet to levy any fines.

Given the ongoing concerns around list misuse, enforcement, and overbroad exceptions that may be leading to the dismissal of the majority of complaints without further investigation, Industry Minister Tony Clement’s decision to open the door to the do-not-call reform is much needed.  The complicating factor is that the ECPA provisions related to the do-not-call list are exceptionally complicated and could be delayed for years. If the DNCL is to be fixed – as it should be – better to avoid delays and get on with the job.

Why the ECPA Lays the Groundwork To Kill The Do-Not Call List

While the focus of attention on the Electronic Commerce Protection Act has obviously been on the anti-spam provisions (more on the enforcement as well as changes to privacy and competition law shortly), possibly the biggest story in the bill is one that has been unreported and is not discussed in the government briefing materials.  Buried at the very end of the bill, are provisions that would kill the National Do-Not-Call list.  Section 86, the second last provision in the bill, states simply that Sections 41.1 to 41.7 of the Telecommunications Act are repealed.  Those sections are the provisions that create a legislative framework for the national do-not-call list. 

What is going on?

It would appear that the Government is laying the foundation for killing the do-not-call list with plans to replace it with the approach found in the ECPA.  That could be a good news story, since the ECPA adopts an opt-in model (ie. companies need consent before sending electronic commercial messages).  This means that Canadians would not need to register their phone numbers on the list, since the presumption would be that there is no right to call unless the caller/marketer has express or implied consent.  While many of the current do-not-call exceptions are found in the ECPA, some are not.  For example, the newspaper exception contained in the do-not-call list is not part of the ECPA and would therefore disappear with this transition.

 

The legal approach to kill the DNCL and replace it with the ECPA is complicated.  The definition of an electronic message includes voice messages; however, Section 6(7) expressly excludes commercial electronic messages that are two-way voice communications or voice recordings.  So, the starting position is that the ECPA could apply to telemarketing but does not.  Note that without the exception, the same opt-in rules that will apply to email marketing (ie. express or implied consent under certain circumstances) would apply to telemarketing.

The last section of the ECPA addresses changes to the Telecommunications Act.  They include repealing the do-not-call provisions but granting the CRTC the power to regulate the telemarketing commercial electronic messages that were previously excluded from the ECPA.  As if that were not complicated enough, the law only comes into effect with an order from Governor in Council.  This gives the Government the power to trigger when the law takes effect.  Rather than having the entire law take effect at once, the provision states that the "Act come into force on a day or days to be fixed."  This means that the ECPA could take effect first and then changes to the Telecommunications Act that kill the DNCL come along later.

All of this strikes me as unnecessarily complicated and secretive.  By including these provisions, the government has begun to acknowledge that the DNCL is flawed (more on how just how flawed in my column this week) and that an opt-in model would be far better.  Merely opening the door to change without a firm timeline is not good enough, though.  If the DNCL is to be replaced, better to give everyone commercial certainty and get on the with the job.

The Electronic Commerce Protection Act – The Spam Prohibitions

The Electronic Commerce Protection Act (aka Bill C-27 or the anti-spam bill) is a lengthy, complicated piece of legislation.  At 69 pages, it involves many new prohibitions, enforcement measures, and changes to existing laws.  Given its complexity, I'll divide the substance of the bill into several separate postings.  This post focuses on the prohibitions – there are three primary prohibitions but it quickly gets complicated.  The short version of this is that the bill requires all senders to obtain express consent before sending commercial electronic messages (including email, instant message, etc.) and to include contact and unsubscribe information.  It also includes provisions designed to counter phishing, spyware, and botnets used to send spam.

The more detailed version is:

 

The primary prohibition is found in Section 6(1) which is the basic anti-spam provision.  It provides that:

No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and (b) the message complies with subsection (2).

Not a particularly long sentence, but there is a lot there:

• by including sending or cause or permit to be sent, the ECPA covers the entire chain of spamming – the party that commissions the spam, the party that does the sending, and the party that permits it to be sent.
• an "electronic address" is very broadly defined as it includes email accounts, IM accounts, telephone accounts, or any similar accounts.  In other words, the law applies to all forms of spam, not just email spam.
• the law only applies to commercial electronic messages.  It too is broadly defined in Section 2(2) to cover the content, hyperlinks, or contact information that would make it "reasonable to conclude" that the message has as one of its purposes encouraging participation in commercial activity.  The provision adds that this may include offers to purchase or sell products, goods or services; business opportunities; advertising or promotion of goods, services, products, etc.; and promotion of a person who does any of these commercial activities.  There is, however, an exception for law enforcement, public safety, protection of Canada, and international affairs.
• Electronic messages that seek consent to send commercial messages (ie. obtain consent) are also commercial messages.  In other words, you cannot send a message to obtain consent without consent.

That is the basics of what it covers.  Then there are the three key requirements – form, consent, and jurisdiction. The law establishes form requirements for those who send commercial electronic messages.  These include:

1. Identification of the person sending the message (as well as on whose behalf it is sent)
2. Contact information of the sender
3. An unsubscribe mechanism.  The unsubscribe mechanism (described in Section 11) must allow for an easy opt-out via email or hyperlink that remains valid for at least 60 days after the message is sent.  The sender has ten days to comply with the unsubscribe request.

The consent requirements are primarily about exceptions.  The starting point is a prohibition against sending electronic commercial messages without consent from the recipient. The consent must generally be express consent with clear identification of the sender and the purposes for which consent is sought.

But this does not apply if:

• there is a personal or family relationship
• there is an active commercial relationship and the message is an inquiry
• the party is an ISP who is merely enabling the transmission
• the message is an interactive two-voice communication, a fax, or a voice recording

The consent can be implied rather than express if:

• there is an existing business relationship between the sender and recipient.  This includes purchase of a product, good or service over the prior 18 months; an active written contract, or an inquiry from the recipient over the prior 6 months
• there is an "existing non-business relationship" between the sender and recipient.  This includes a donation or gift over the prior 18 months to a charity, political party or political candidate; volunteer work over the prior 18 months for a charity, political party or political candidate; or membership in a club, association, or voluntary organization over the prior 18 months.

These exceptions share many similarities with the do-not-call list.  As for jurisdiction, Section 12 of the law says that the basic anti-spam provision only applies if a computer system located in Canada is used to send, route or access the electronic message.

The second prohibition is the anti-phishing provision and it involves the alteration of the transmission data on electronic message (Section 7).  This is designed to deal with phishing, where the electronic message appears to go one place, but goes somewhere else.  The provision states that:

No person shall, in the course of commercial activity, alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless the alteration is made with the express consent of the sender or in accordance with a court order.

There is an exception for ISPs blocking or filtering these messages if done for the purposes of "network management."

The third prohibition is the anti-spyware and botnet provision (Section 8).  It is designed to deal with the increasingly common method of delivering spam – infect a user's computer and use their Internet connection to send millions of spam messages.  The provision states:

No person shall, in the course of commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the person obtained the express consent of the owner or an authorized user of a computer system or is acting in accordance with a court order.

For this to apply, there must be a Canadian connection to the activity.

Part two – the enforcement provisions – will come soon.

« go back — keep looking »

Categories

• copyright
• CyberLaw
• Free speech
• Internet
• Technologies
• Uncategorized

Blogroll

• brīvība.info
• Freedom.lv
• hooed.com
• xlt photo
• xlt's blog
• xlt.lv

Ads and partners

Search for:

Recent Posts

• Pirate Bay Ban Rockets Pirate Party Website Into The Big Time
• Don’t Let This Sticky Wicket Overshadow Internet Freedom
• File-Sharing Is Linked to Depression, Researchers Find
• In Congress Today: Testifying in Support of Geo-Privacy
• With New Privacy Policy, Twitter Commits to Respecting Do Not Track

Tags

acta Announcement anonymity anti-counterfeiting trade agreement anti-piracy Anti-Piracy Gangs Censorship clement Commentary copycon Copyright Issues Counterfeit Counterfeiting crtc Defamation DVDrip facebook First Amendment General google Hot Off The Press Internet & Society In the press Legal Analysis Legal Issues LGBT Rights net neutrality News News Update Opinion P2P and Filesharing Pirate Talk Politics and Ideology privacy RIAA Security Slaw social media the pirate bay Torrent Sites Torture & Abuse twitter Une - Asie - 1 Une - Europe - 1 United States