Report from Canada: New Canadian Anti-Spam Legislation About to Go Into Effect
This report on Canada's new Anti-Spam law comes to us from our friend Mark Hayes, one of Canada's leading privacy and Internet lawyers.
While unofficially known as the “Fighting Internet and Wireless Spam Act” (FISA), Canada’s new anti-spam legislation is officially titled:
“An Act To Promote The Efficiency And Adaptability Of The Canadian Economy By Regulating Certain Activities That Discourage Reliance On Electronic Means Of Carrying Out Commercial Activities, And To Amend The Canadian Radio-Television And Telecommunications Commission Act, The Competition Act, The Personal Information Protection And Electronic Documents Act And The Telecommunications Act”
The Act was enacted on December 15, 2010, but will not come into force until sometime in the fall of 2011. Regulations have not yet been enacted in connection with the Act, but are expected to be passed in the fall of 2011.
The stated purpose of the Act is to promote efficiency of the Canadian economy by regulating conduct that discourages use of electronic means for commercial activity. In particular, the Act sets out a number of prohibitions relating to the control and prevention of unsolicited electronic messages, malware and spyware, as well as provisions providing remedies against prohibited electronic practices and amending a number of other pieces of legislation in line with the Act.
Prohibition on Sending Unsolicited Commercial Electronic Messages
The Act applies to the sending of a “commercial electronic message.”
A “commercial electronic message” is a message sent by any means of telecommunication, including text, sound, voice or image message, that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity.
A “commercial activity” includes transactions, acts or conduct or regular course of conduct of a commercial character, whether or not in expectation of profit, including:
a. Offers to purchase, sell or lease a product or service;
b. Offers to provide business or investment opportunities;
c. Advertising or promoting anything covered in (a) or (b); or
d. Promoting a person who does anything covered by (a), (b) or (c).
It is important to note that the Act will apply even if only a single electronic message is sent. There is no requirement that the message be sent in bulk to multiple recipients.
Section 6 of the Act prohibits the sending of a commercial electronic message to an electronic address unless the recipient has provided express or implied consent to its receipt, the message is in a form that meets prescribed requirements and the message:
a. Identifies the sender, and the person on whose behalf it was sent (if different);
b. Sets out the means to contact one of those persons; and
c. Sets out an “unsubscribe” mechanism. According to Section 11(1) of the Act, the “unsubscribe mechanism” must allow the recipient to indicate (without cost) the wish to no longer receive electronic messages from the sender, must specify an electronic address or link to which the indication may be sent and must be effective for 60 days. Furthermore, the sender must give effect to an unsubscribe request within 10 business days.
In order to obtain express consent, Section 10 of the Act sets out that a request for consent must:
a. Set out the purpose of the consent;
b. Identify the person seeking consent; and
c. Provide certain other information, as prescribed in forthcoming Regulations.
Note that the Act creates something of a “chicken and egg” problem in that it provides that an electronic message seeking consent for the sending of further messages is itself an electronic message requiring consent after the Act is in force. As a result, many organizations, in advance of the Act coming into force, will attempt to obtain consent to the sending of future electronic messages in order to ensure that they can continue to contact the individuals on their existing database.
However, consent may be implied in the following situations:
a. Sender and recipient have an existing “business relationship” (which is defined in the Act and is time-limited);
b. Recipient has published its electronic address, without a statement indicating recipient does not wish to receive unsolicited electronic messages (provided that any message sent is relevant to the recipient’s business); or
c. Message is sent in certain circumstances set out in forthcoming Regulations.
The Section 6 prohibition on sending unsolicited commercial electronic messages does not apply to the following:
a. A message: (i) sent between individuals having a personal or family relationship (to be defined in the forthcoming Regulations); (ii) that is an enquiry or an application sent to a person engaged in a commercial activity; or (iii) that is of a class prescribed by forthcoming Regulations;
b. A telecommunication company providing a telecommunications service to enable transmission of a message; or
c. A commercial electronic message that (i) consists of a two-way voice communication; (ii) is sent by fax to a telephone account; or (iii) is a voice recording to a telephone account.
Obtaining consent is not required for sending a commercial electronic message that:
a. Is a quote in response to a request for supply of a product or service;
b. Completes or confirms a commercial transaction already agreed to;
c. Provides warranty, recall or safety information to a buyer or user of a product;
d. Provides factual information about ongoing use of a product or an ongoing subscription;
e. Provides information related to an employment relationship;
f. Delivers a product (including product upgrades) to a recipient entitled to receive same under a transaction already made; or
g. Communicates for a purpose specified by forthcoming Regulations.
Prohibition on Altering Transmission Data
Section 7 of the Act prohibits any person from altering transmission data in an electronic message in the course of a commercial activity, in a way that would result in the message being sent to a different or additional person from that specified by the sender, without sender’s express consent. The prohibition does not apply to a telecommunications company altering a message for the purpose of network management.
Prohibition on the Installation of Computer Programs Without Consent
Section 8 of the Act prohibits any person from installing computer programs on another person’s computer system in the course of a commercial activity, and from sending an electronic message from the system after any such installation, without the system owner’s express consent.
For the purposes of the Act, “computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function.
In addition to fulfilling the basic criteria for obtaining express consent dictated by Section 10 of the Act, a person seeking consent to install a computer program must:
a. Describe the function and purpose of the program, and
b. Provide additional information (including the nature of the elements of the program and its impact on the operation of the computer system), where the program will collect personal information, interfere with data, or cause the system to communicate with another system, or where the program may be activated by a third person. These additional requirements regarding the installation of a program do not apply if the program’s function is solely to collect or use transmission data, or perform an operation specified by forthcoming Regulations.
The Act deems express consent to the installation of a computer program to be automatically given for the installation of cookies, HTML code, Java Scripts, etc. where it is reasonable to believe, based on a person’s conduct, that he or she consents to the installation.
Prohibition on Helping to Commit a Prohibited Act
Aiding, inducing, procuring or causing to be procured anything prohibited by the Act is also specifically forbidden in Section 9.
Remedies Against Breaches of the Act
The Act provides both significant administrative monetary penalties for violations of the Act, as well as a private right of action against persons contravening the Act’s provisions.
- Administrative Monetary Penalties Regime. The Canadian Radio-television and Telecommunications Commission (CRTC) is provided with a number of investigative and enforcement tools and can impose maximum penalties of $1,000,000 per violation against an individual, and $10,000,000 per violation against any other person.
- Remedies for Private Right of Action. Persons affected by contraventions of the Act may apply for a court order requiring the entity contravening the Act to pay compensation calculated as set out in the Act. A private right of action is not available where the entity has entered into an undertaking with the CRTC under Section 21 of the Act or has been served with a notice of violation under Section 22 of the Act.
Amendments to Existing Legislation
Finally, the Act enacts certain amendments to existing legislation:
a. Competition Act. The Act introduces new definitions and new offences under the Competition Act related to knowingly sending false or misleading representations in any part of an electronic message, modifies the grounds for issuance of injunctions, and modifies the Competition Act’s provisions relating to deceptive marketing practices.
b. Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Act introduces new definitions, allows the federal Privacy Commissioner to decline commencing or continuing an investigation of breaches under the Act that are already being investigated by the CRTC, and grants additional powers to the Privacy Commissioner to share information with provinces or foreign states. Most importantly, PIPEDA exceptions to the obligation of obtaining consent for the collection, use and disclosure of personal information would generally not apply in connection to information collected through:
- Data mining or other manner of automatic crawling; or
- Any means of telecommunication if the information is collected through unauthorized access to computer systems.
c. Telecommunications Act. The Act removes the CRTC’s power to prohibit or regulate the use of telecommunication facilities for the provision of unsolicited commercial electronic messages, as defined in the Act, while continuing to permit the CRTC to regulate the hours of telecommunication, contact information of a caller and calls where a live operator is not available in cases of two-way voice messages, fax messages and voice recordings.