Bill C-28 is extremely similar in substance to Bill C-27, which was introduced in April 2009 and titled the Electronic Commerce Protection Act. Bill C-27 received unanimous support in the House of Commons following its third reading, but it died upon prorogation in December of 2009 while at the Standing Senate Committee on Transport and Communications. Given the strong resemblance between the two bills, many expect that Bill C-28 will move quickly through the legislative process.
Like its predecessor, Bill C-28 was designed to reduce unsolicited or junk e-mail, commonly referred to as “spam”. Most importantly, the legislation aims to bolster consumer confidence in electronic commerce, which the government has described as necessary in order to position Canada as a leader in the digital economy. The bill incorporates a number of the legislative recommendations made in 2005 by the government-mandated “Task Force on Spam”. The proposed FIWSA aims to regulate activities such as spam, counterfeit websites (known as “phishing”) and spyware.
The FIWSA would also establish a regime whereby the Canadian Radio-television and Telecommunications Commission (“CRTC”), Competition Bureau of Canada and the Office of the Privacy Commissioner could share information and evidence with law enforcement agencies outside Canada, in an effort to enforce similar international laws and pursue violators beyond Canadian borders. Currently Canada is the only G8 country and one of only four OECD (Organisation for Economic Cooperation and Development) countries without specific spam legislation. Thus, when the government first introduced Bill C-27 it was cast as a necessary step in fulfilling Canada’s international duty to join global partners in passing laws to combat spam and related cyber threats.
The anti-spam provisions remain largely unchanged from Bill C-28. They would prohibit sending (or causing or permitting to be sent) a commercial “electronic message” (which is defined broadly to include a text, sound, voice or image message) to an electronic address, unless the recipient has given express or implied consent. Implied consent would apply to situations in which there is an existing business or non-business relationship between the sender and recipient, and to certain limited circumstances where the recipient has, within a business context, conspicuously published or disclosed the electronic address and the disclosure was not accompanied by any statement that the person did not wish to receive commercial messages (there is also a provision that would permit future regulations to further define implied consent).
The FIWSA also sets requirements for the form of permitted messages: the message must identify the person who sent the message (and, if it is different, the identity of the person on whose behalf the message was sent), along with contact information for those identified. Moreover, permitted messages must include an unsubscribe mechanism, which includes either a hyperlink (valid for at least 60 days after the message is sent) that the recipient can follow, or a specified electronic address to which an unsubscribe request can be sent. Requests must be given effect within 10 days.
The anti-phishing provisions are drafted as prohibitions against “altering transmissions data”, and would prohibit the unauthorized redirection of an electronic message to a destination other than or in addition to that specified by the sender, except with the sender’s express consent. As with the anti-spam provisions, an electronic address must be provided to which the sender may give a notice of withdrawal of consent, and the request must be given effect within ten days.
Notably, the prohibitions in Bill C-28 are broader than those previously provided for in Bill C-27. The prohibitions in both bills apply to anyone who procures or causes to procure a prohibited act. However, the language in Bill C-28 has been extended to also apply where someone aids in or induces such an act.
Administrative Monetary Penalties and Private Actions
Provisions of the FIWSA that would subject violators of the Act to an Administrative Monetary Penalty (“an AMP”) remain the same as those originally envisaged in Bill C-27. An individual who violates any of the foregoing prohibitions may be subject to an AMP of up to $1 million and corporate entities would be liable to an AMP of up to $10 million. Officers, directors, and agents of corporations that violate the prohibitions could also be held liable for such actions if they directed, authorized, acquiesced in or participated in the commission of the violation.
Anyone charged under the Act can raise a due diligence defence. They must show that they exercised due diligence to prevent the violation, but there is no indication as to what actions will constitute due diligence. Furthermore, any relevant common law rule or principle that would create a justification or excuse may be relied on to the extent that it is not inconsistent with the Act.
The process for imposing liability under the AMP is a fairly expedited administrative process, administered through the CRTC. A notice may be served where the CRTC has reasonable grounds to believe that a person has committed a violation under the FIWSA. The notice must include details of every act or omission for which the notice is served, the relevant provisions and the amount of the fine. The recipient of the notice has 30 days to respond, after which time he or she will be deemed to have committed the violation and will be liable to pay the amount set out in the notice. If the recipient does provide a response, the CRTC must decide on a balance of probabilities whether the violation was committed. Upon determining that there was a violation the CRTC may impose the original fine, impose a reduced fine, or may suspend payment of the fine subject to any conditions that it considers necessary to ensure compliance with the Act. Decisions of the CRTC can be appealed to the Federal Court of Appeal. However, where the issue is one of fact, leave to appeal must be granted by the Court. The CRTC can also agree to an undertaking, which is in essence an agreement to settle an alleged violation on terms acceptable to both the CRTC and the offender.
One of the most controversial provisions of the Bill C-27 remains largely unchanged in Bill C-28. It would establish a private right of action for persons who allege that they have been affected by a contravention of the anti-spam, anti-phishing or anti-spyware provisions of the FIWSA. The application must include the alleged contravention, all relevant provisions, acts or omissions at issue, and should state the nature and amount of the loss, damage or expense. If the court is satisfied that the contravention occurred it may order the responsible individual(s) to pay the applicant compensation for any loss, damage or expenses incurred by the applicant. The court may also grant an additional award, up to a maximum of $200 per day for most contraventions, and $1 million for each day on which a contravention occurred. Again, officers, directors, or agents of corporations would be subject to this private right of action, if it could be proved that they directed, authorized or participated in the commission of the contravention.
That same private right of action would apply to persons who allege that they have been affected by breaches of the new provisions of PIPEDA and the Competition Act. These new provisions, discussed in detail below, would be brought into effect by the FIWSA.
The FIWSA would establish new prohibitions under PIPEDA in relation to collecting personal information, including a ban on (i) collecting an individual’s electronic address through a computer program designed or marketed for use in generating (or searching for) and collecting electronic addresses, or using any address collected by the foregoing means; and (ii) collecting personal information through any means of telecommunications if the collection involves accessing a computer system (or causing one to be accessed) without authorization, or using any personal information that is collected that way.
The FIWSA also proposes numerous amendments to the Competition Act, including the addition of section 52.01, which broadens the criminal false or misleading representation provisions of the Competition Act. This new section would prohibit knowingly or recklessly sending, for business promotion purposes: (i) a false or misleading representation in the sender or subject matter information of an electronic message; or (ii) an electronic message that contains a materially false or misleading representation. Under the proposed new section 74.011 of the Competition Act, such actions would also qualify as reviewable conduct, thus permitting the Commissioner of Competition to apply to a court or the Competition Tribunal for an order prohibiting the conduct and/or imposing AMPs under the Competition Act.
Impact on Other Statutes
The FIWSA, if enacted, would amend the Telecommunications Act to permit the government to either maintain the current “Do Not Call” list in such a way that it would not overlap with the FIWSA regime, or to have the responsibility for regulating telemarketing fall under the FIWSA entirely.