Canadian Bankers Association charges ahead on mobile wallets

On May 14, 2012, the Canadian Bankers Association (CBA) published a set of voluntary guidelines to govern Canada’s emerging mobile payments marketplace. The guidelines, titled the Canadian NFC Mobile Payments Reference Model, establish a series of recommendations on mobile phone payment functionality, security features and the logistics of processing near field communication (NFC) payments, also known as “tap-and-go” technology.

Mobile phone payment systems, also known as mobile wallets, are capable of storing a user’s credit and banking information on chips known as SIM cards, and may also store other personal information, such as driver’s licenses, library cards and transit passes. Mobile wallets can enable users to make purchases through phone software, or by physically tapping their phones against NFC receivers to make automatic purchases without requiring signatures or PIN numbers. Such systems have become increasingly popular outside of Canada. By way of illustration, statistics published by Forbes indicate that U.S. mobile payments on “Black Friday” in 2011 soared by 538% in comparison to the previous year.

Mobile wallets and other alternative payment systems are allowing new entrants to compete in a field traditionally dominated by banks and credit cards. Rogers Telecommunications and CIBC have recently announced a partnership whereby CIBC will pay Rogers to store Visa and MasterCard information on Rogers’ phones. The arrangement will allow Rogers to essentially “rent” space on a user’s SIM card. Separately, Rogers has also applied for a banking licence to become a credit card issuer, signalling its potential to further develop its role in the payment processing industry.

While mobile wallets present a number of convenient features, they have also given rise to security, risk and privacy concerns. The CBA’s guidelines address some of these issues, including who may access data stored on mobile wallets, such as loyalty points information, coupons, transaction amounts, transaction times and transaction locations. However, while the CBA guidelines remain voluntary and address NFC phones only, the federal government has indicated that greater regulation of mobile and digital payments may not be far away.

How much is that Tweet in the window?

A Tweet may represent a mere 140 characters; however, a recent investigation in the UK is showing that those 140 characters can represent big money. In July 2010, the Office of Fair Trading (UK) (OFT) launched an investigation on its own initiative into Handpicked Media (Handpicked), a self-described “Collective of independent sites and blogs with a focus on publishers”, due to suspicion that it was engaging and paying individuals for online promotional activity in circumstances where such remuneration was not clearly disclosed to consumers. It was the OFT’s view that Handpicked was operating in breach of the Consumer Protection from Unfair Trading Regulations 2008 (CPUTR), which prohibits the use of editorial content in the media, including Twitter, blogs and other social networking websites, for the purpose of product promotion where the promoter has been paid, unless such payment is clearly identifiable to the consumer.

Sections 5(1) and 5(2)(a) of the CPUTR state that “A commercial practice is a misleading action if it … causes or is likely to cause the average consumer to take a transactional decision he would have not taken otherwise” and such action is prohibited. The regulations also include prohibitions against “misleading omissions” which may be triggered where a Tweeter, Blogger or the like fails to indicate that he or she has been paid to publish their opinion of a particular product. The OFT investigation into Handpicked’s practices was closed on December 13, 2010.  Handpicked was forced to sign undertakings prohibiting it from engaging in any future promotion without clearly identifying that the promotion has been paid for or otherwise remunerated.

The UK is not alone in its crusade against misleading marketing practices through digital media. In Canada, the Competition Act (the Act) contains provisions addressing false or misleading material representations and deceptive marketing practices in promoting the supply or use of a product. Representations are considered to be material where the statement would affect a consumer’s decision to buy or use a particular product or service. The Act provides for both criminal and civil adjudication of misleading representations, with penalties including fines and imprisonment. Online marketing, including the use of Twitter, is captured under the Act.

In the United States, the Federal Trade Commission (FTC) has also recently revised its Endorsement Guides (the Guides) so as to reflect modern truth-in-advertising principles. The Guides, which were originally written in 1980, were revised to address new social media, although the FTC states that the legal principles have not changed.  The general principle is that if there is a connection between the endorser of a product and its manufacturer/marketer that would affect how consumers evaluate the endorsement, such connection should be disclosed in the statement. 

Companies should exercise caution to ensure that they do not accidentally violate any of these laws or regulations.

What won't be under the tree this year: spam

David Elder

The Canadian government’s anti-spam bill, Bill C-28, moved quickly through Parliament this fall, receiving Royal Assent on December 15th, just before Parliament rose for its holiday season break. Though not yet available at press time, the final version of the bill will be available soon at the Parliamentary website. Industry Canada indicated, in an email message to interested parties, that it anticipates that the new law will come into force in six to eight months.

The additional time will allow both industry and regulators to gear up for the new regime (The CRTC, the Privacy Commissioner and the Competition Bureau are all slated to receive additional budget and personnel to administer their sections of the legislation), as well as providing the government with time to consult with the public and interested stakeholders on proposed new regulations, including the launch of a planned website dedicated to the legislation, to be known as the Fighting Internet and Wireless Spam Act (FISA). This week, at the very brief Senate Transportation and Communications Committee meeting convened to consider the bill, government officials indicated that they were planning a 60-day consultation period on the new regs, which have yet to be made public.

As we have detailed in previous blog posts, with some exceptions, the new law would generally prohibit the sending of commercial electronic messages without consent, as well as making significant consequential amendments to other federal legislation, including Canada’s Competition Act, Telecommunications Act and Personal Information Protection and Electronic Documents Act (PIPEDA). The law also contains provisions, intended to prevent the spread of spyware and malware, which prohibit the installation of a computer program without consent, as well as prohibitions on the indiscriminate harvesting of addresses to create distribution lists for spam.

Violations of FISA will carry significant Administrative Monetary Penalties of up to $1 million for individuals and up to $10 million for corporations. The law also creates a private right of action for actual damages, as well as statutory penalties of between $200 and $1 million per contravention.

Code of Conduct for the credit and debit card industry in Canada

The Code of Conduct for the Credit and Debit Card Industry seeks to promote transparency and fairness for merchants and consumers.

The Code of Conduct for the Credit and Debit Card Industry, which came into effect on August 16, 2010, aims to increase transparency and fairness for both merchants and consumers who use credit and debit cards. Applicable to credit and debit systems and their participants, payment networks that choose to adopt the Code will be subject to monitoring by the Financial Consumer Agency of Canada to ensure compliance.

The policies put into place by the Code will give merchants more choice as well as pricing flexibility. For example, payment networks must provide extended notification when they increase or introduce new fees. Merchants will also be able to cancel their contracts without penalty if they disagree with the fee increases. Some policies will directly benefit consumers such as requiring payment card networks to separate credit and debit functions so that they cannot co-reside on the same card. This will help to minimize consumer confusion. Overall, the Code puts into place mechanisms which are targeted at ensuring maximum access to information for all parties involved in the credit and debit card industry.


While most sections of the Code came into effect immediately, payment networks will have until February 17, 2011 to implement certain disclosure requirements and until May 17, 2011 to re-issue cards (such as multiple access debit cards) which contravene the Code.

Federal Government launches Task Force for the Payments System Review

On June 18, 2010, Canada’s Minister of Finance announced the launch of the Task Force for the Payments System Review. The Minister of Finance announced that the Task Force’s mandate is to review:

  1. the safety, soundness and efficiency of the payments system;
  2. whether there is sufficient innovation in the payments system;
  3. the competitive landscape;
  4. whether businesses and consumers are being well served by payments system providers; and
  5. whether current payments system oversight mechanisms remain appropriate.

The task force, which will be chaired by Ms. Pat Meredith, is due to tender its recommendations by the end of 2011. It will be seeking submissions from stakeholders and interested Canadians in the near future. For further information, please visit http://www.paymentsystemreview.ca.

About Canada’s Payments System

Canada’s payments system is operated by the Canadian Payments Association (the CPA), a non-profit organization created by the Canadian Payments Act in 2001 (the Act). Under the Act, the CPA is required to:

  1. establish and operate national systems for the clearing and settlement of payments and other arrangements for the making or exchange of payments;
  2. facilitate the interaction of its clearing and settlement systems and related arrangements with other systems or arrangements involved in the exchange, clearing or settlement of payments; and
  3. facilitate the development of new payment methods and technologies.

The CPA’s payment systems handle, among other things, the clearing and exchange of cheques, direct deposits and debit card transactions.

New legislation proposed for the regulation of payment card systems

On March 29, 2010, Bill C-9 was tabled in the House of Commons of Canada for its first reading. Part 12 of Bill C-9 provides for the enactment of the Payment Card Networks Act (the PCN Act) - legislation which has the purpose of regulating national payment card networks and the commercial practices of payment card network operators. Among other things, the PCN Act confers a number of regulation-making powers upon the federal government. 

Part 12 of Bill C-9 also makes related amendments to the Financial Consumer Agency of Canada Act (the FCAC Act) to expand the mandate of the Financial Consumer Agency of Canada so that it may supervise payment card network operators to determine whether they are in compliance with the provisions of the PCN Act and its regulations and monitor the implementation of voluntary codes of conduct. Under the amended FCAC Act, payment card network operators can face penalties up to $200,000 for failure to comply with the PCN Act or its regulations.

Draft Code of Conduct for the Credit and Debit Card Industry

A proposed Code of Conduct for the Credit and Debit Card Industry was released by the Federal Government of Canada today for a 60 day comment period. Its purpose is to improve merchant cost-transparency and allow merchants to provide flexible pricing options to consumers. It is proposing to accomplish this by allowing merchants to provide discounts depending on what cards consumers use, and by allowing merchants to cancel contracts without penalty after a fee change.

Enforceability of browsewrap agreements called into question

The United States District Court (Eastern District of New York) released its decision in Hines v. Overstock.com today, which held that a browsewrap agreement that was only available by scrolling to the bottom of the website is not enforceable.

The terms and conditions of Overstock.com, governing all online customer purchases, are contained in a link at the bottom of Overstock’s homepage. The notice that “Entering this Site will constitute your acceptance of these Terms and Conditions” was only available within the terms and conditions.

Ms. Hines was not prompted to review, or advised of, the terms and conditions and could not see the link to them without scrolling down to the bottom of the screen, an action that was not necessary to complete her purchase. As a result, the court held that the terms and conditions of Overstock.com’s site were not enforceable.

Canada introduces anti-spam legislation

On April 24, 2009, the Canadian government introduced Bill C-27, which would establish the Electronic Commerce Protection Act (ECPA) and make significant consequential amendments to other federal legislation, including Canada's Competition Act, Telecommunications Act and Personal Information Protection and Electronic Documents Act (PIPEDA).

The primary purpose of Bill C-27, which incorporates a number of the legislative recommendations made in 2005 by the government-mandated "Task Force on Spam", is to cut down on spam (unsolicited junk e-mail). However, the proposed ECPA aims to regulate not only spam, but also counterfeit websites and spyware, among other issues. In the broadest sense, therefore, the legislation is intended to bolster consumer confidence in online commerce.

Canada is currently the only G8 country and one of only four OECD (Organisation for Economic Co-operation and Development) countries without specific spam legislation. The Cisco 2008 Annual Security Report estimated that messages sent from Canada accounted for 4.7% of the world's spam. That percentage landed Canada in fourth place on the list of countries with the most originating spam, behind only the U.S., Turkey and Russia. The government has characterized Bill C-27 as a necessary step in fulfilling an international duty to join global partners in passing laws to combat spam and related cyber threats.

Having passed both First Reading and Second Reading in the House of Commons, Bill C-27 has been referred to the Standing Committee on Industry, Science and Technology for review. While almost everyone can agree that spam is a nuisance, concerns have been raised about the proposed legislation, as drafted. Thus, while initial predictions were that Standing Committee review would be completed before Parliament's summer recess, more recent estimates see the review continuing after Parliament returns in the fall, in order to ensure that the resulting legislative changes do not negatively affect legitimate business.

Main prohibitions

The anti-spam provisions would prohibit sending (or causing or permitting to be sent) a commercial "electronic message" (which is defined broadly to include a text, sound, voice or image message) to an electronic address, unless the recipient has given express or implied consent. As currently drafted, implied consent would be limited to situations in which there is an existing business or non-business relationship between the sender and recipient (although there is a provision that would permit future regulations to better define implied consent). Both "existing business relationship" and "existing non-business relationship" are defined fairly narrowly, and would be restricted to situations in which the relevant parties had participated in a relevant transaction in the last eighteen months. Another aspect of the ECPA that appears to pose some practical difficulties is that it would prohibit the sending by email of any request for express consent to communications by email.

The ECPA also dictates some aspects of the form of permitted messages: the message must identify the person who sent the message (and, if it is different, the identity of the person on whose behalf the message was sent), along with contact information for those identified. Moreover, permitted messages must include an unsubscribe mechanism, which includes either a hyperlink (valid for at least 60 days after the message is sent) that the recipient can follow or a specified electronic address to which the unsubscribe indication can be sent. Unsubscribe requests must be given effect within 10 days.

The ECPA includes provisions directed to privacy and personal security concerns that are associated with counterfeit websites.  Section 7 of the proposed ECPA would prohibit a person, in the course of a commercial activity, from altering or causing to be altered the transmission data in an electronic message "so that the message is delivered to a destination other than, or in addition to, that specified by the sender."  This provision appears to be directed at one aspect of "phishing".  Phishing, which is often undertaken in conjunction with a spoofed email, is the act of sending an email falsely claiming to be a legitimate business and directing the recipient to a specified counterfeit website, in an attempt to obtain sensitive information such as passwords, credit card numbers, and bank account information.

Section 8 of the proposed ECPA would prohibit a person, in the course of a commercial activity, from installing a computer program on another person's computer system without express consent. After a presumably authorized installation, it would also prohibit a person, in the course of a commercial activity, from causing an electronic message to be sent from that computer system, without express consent. The government's stated intent for the legislation is to prevent the collection of personal information through illicit access to computer systems (spyware), but as currently drafted, these provisions apply to all computer programs, and not just those with a harmful effect.

Requests for express consent must clearly and simply set out the purpose for which the consent is being sought, and identify the entity seeking consent. Moreover, consent in respect of the installation of a computer program must clearly and simply describe the function, purpose and impact of every computer program that would be installed if consent is given. There is some disagreement between the federal government and industry as to whether the drafting of the latter requirement could be considered to prevent current commercial practices that see some legitimate programs (such as anti-virus and anti-spyware programs) utilizing automatic updates to the software.

Administrative monetary penalties

The ECPA would subject any individual who violates any of the foregoing prohibitions to liability under an administrative monetary penalty ("AMP") of up to $1 million, and corporate entities would be liable to an AMP of up to $10 million. Officers, directors or agents of a corporation that violates the prohibitions could also be held liable for such actions if they directed, authorized or participated in the commission of the violation. At the same time, a defence of exercising due diligence to prevent the violation is available, although there is no indication of the types of action that would constitute due diligence.

The process for imposing liability under the AMP is a fairly expedited administrative process. A notice of violation (which must include details of the alleged violation and the amount of the AMP) will be issued and served upon an offender if the CRTC believes that there are reasonable grounds on which to believe that a person has committed a violation under the ECPA. The person served with the notice of violation then has 30 days to make representations to the CRTC regarding the allegations or the amount of AMP, failing which that person will be deemed to have committed the violation. If representations are made, the CRTC will evaluate them on the civil balance of probabilities standard, and may then impose the penalty set out in the notice of violation or reduce or waive the penalty. Appeal of decisions of the CRTC in respect of notices of violation can be made to the Federal Court of Appeal. The CRTC can also agree to an undertaking, which is in essence an agreement to settle an alleged violation on terms acceptable to both the CRTC and the offender.

Private right of action

One of the most controversial provisions of the ECPA is that it would establish a private right of action for persons who allege that they have been affected by a contravention of the anti-spam, anti-phishing and anti-spyware provisions of the ECPA. Such persons may apply for an order for compensation for actual loss or damages suffered or expenses incurred, as well as a maximum of $200 for each contravention of the breached provisions (with a limit of $1 million for each day on which a contravention occurred). Again, officers, directors or agents of corporations would be subject to this private right of action, if it could be proved that they directed, authorized or participated in the commission of the contravention.

That same private right of action would apply to persons who allege that they have been affected by breaches of the new provisions of PIPEDA and the Competition Act that would be brought into effect by Bill C-27 (discussed in the next section).

Changes to PIPEDA, the Competition Act and the Telecommunications Act

Bill C-27 would establish new prohibitions under PIPEDA in relation to collecting personal information, including a ban on (i) collecting an individual's electronic address through a computer program designed or marketed for use in generating (or searching for) and collecting electronic addresses, or using any address collected by the foregoing means; and (ii) collecting personal information through any means of telecommunications if the collection involves accessing a computer system (or causing one to be accessed) without authorization, or using any personal information that is collected that way.

Bill C-27 also proposes numerous amendments to the Competition Act, including the addition of a new section 52.01, which broadens the criminal "false or misleading representation" provisions of the Competition Act by prohibiting activities such as knowingly or recklessly sending, for business promotion purposes (i) a false or misleading representation in the sender or subject matter information of an electronic message or (ii) an electronic message that contains a materially false or misleading representation. Under the proposed new section 74.011 of the Competition Act, such actions would also qualify as reviewable conduct, thus permitting the Commissioner of Competition to apply to court or the Competition Tribunal for an order prohibiting the conduct and/or imposing AMPs under the Competition Act.

Bill C-27 would also amend the Telecommunications Act to permit the government to either maintain the current "Do Not Call" list in such a way that it would not overlap with the ECPA regime, or to have the responsibility for regulating telemarketing fall under the ECPA entirely.

Other anti-spam bills

Bill C-27 is not the only bill with anti-spam implications currently moving through Parliament. Bill C-355, a private member's bill which aims to amend the Criminal Code to make cyberbullying an offence, proposes as part of that effort to make it an offence to make repeated telephone calls or to send repeated electronic messages to any person with intent to harass.

Bill S-220 also purports to be anti-spam legislation, introducing an offence for sending an unauthorized commercial electronic message, as well as a right of civil action for those adversely affected. Unlike Bill C-27, however, it does not propose to amend other statutes. Having been introduced in the Senate, Bill S-220 would also need to pass through the House of Commons before it could be enacted, which seems unlikely given the status of Bill C-27.