Sookman oba casl._slides

730 views
566 views

Published on

Canada's anti-spam law: the computer program provisions

Published in: Law
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
730
On SlideShare
0
From Embeds
0
Number of Embeds
55
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Sookman oba casl._slides

  1. 1. McCarthy Tétrault LLP / mccarthy.ca / 13300658 OBA: Countdown to Canada’s Anti-Spam Legislation: Make Sure You are Ready Barry B. Sookman McCarthy Tétrault LLP bsookman@mccarthy.ca 416-601-7949 April 7, 2014
  2. 2. SCOPE OF CASL • Anti-SPAM • Anti-spyware/malware • Amendments to PIPEDA prohibiting address harvesting and personal information harvesting • Amendments to the Competition Act prohibiting false or misleading representations in electronic messages, sender information in electronic messages, subject matter information in electronic messages, locaters McCarthy Tétrault LLP / mccarthy.ca / 13300658 2
  3. 3. CASL HISTORY • Received royal assent on December 15, 2010. • Original draft regulations were published in the summer of 2011 by the CRTC and Industry Canada. The Canadian business community raised serious objections to their strict requirements. • The CRTC enacted revised regulations which were finalized on March 28, 2012. • CRTC issues 2 sets of Guidelines - October, 2012 • Revised draft regulations from Industry Canada on January 5, 2013. The Canadian business community, non-profit community, colleges, universities and others all raised serious concerns. • Industry Canada released finalized regulations on December 4, 2013. • CRTC issued FAQ - December 2013 • Messaging Provisions coming into force -July 2014. Computer Programs provisions coming into force -January 2015. Private Right of Action coming into force - July 2017. McCarthy Tétrault LLP / mccarthy.ca / 13300658 3
  4. 4. WHAT YOU NEED TO CONSIDER IN DEVELOPING A COMPLIANCE PROGRAM • CASL • CRTC Regulations • Industry Canada regulations • Regulatory Impact Analysis Statement • CRTC Guidelines on the interpretation of the Electronic Commerce Protection Regulations (Oct. 10, 2012) • CRTC Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation (Oct. 10, 2012) • CRTC FAQ Canada’s Anti-Spam Legislation (December 18, 2013) McCarthy Tétrault LLP / mccarthy.ca / 13300658 4
  5. 5. Is there a need to be concerned about CASL? McCarthy Tétrault LLP / mccarthy.ca / 13300658 5
  6. 6. VERY HIGH LIABILITY ¬ Administrative monetary penalties (AMPS) with caps up $10 million for an organization. (s.20(4)) ¬ Private rights of action by anyone affected by a prohibited act (s.47(1)) with liability that consists of: ¬ compensation for loss, damages and expenses; and ¬ extensive awards that are capped at: ¬ $1 million per day for breach of SPAM, malware, spyware, message routing, address and personal information harvesting, and Competition Act provisions; ¬ $1 million for each act of aiding, inducing, or procuring a breach of the SPAM, malware and spyware, and message routing provisions, plus liability up to $1 million per day for breach of SPAM, malware, spyware, and message routing provisions. ¬ Risk of class actions. ¬ Will be in force January 1, 2017. Are prior claims covered? McCarthy Tétrault LLP / mccarthy.ca / 13300658 6
  7. 7. EXTENSIVE ACCESSORIAL AND VICARIOUS LIABILITY ¬ Liability extends to any person who aids, induces or procures a prohibited act. (s.9) ¬ Senders of CEMs are liable for acts of their employees within the scope of their authority. (s.32, s.53) ¬ Liability extends to officers, directors, and agents if they directed, authorized, assented to, acquiesced, or participated in the prohibited act. (s.31, s.52) ¬ Risk implications too easy to pierce corporate veil; requirements for insurance? ¬ Does the risk make sense? McCarthy Tétrault LLP / mccarthy.ca / 13300658 7
  8. 8. McCarthy Tétrault LLP / mccarthy.ca TERRITORIAL REACH • The anti-spam provisions apply to any message where a computer system located “in Canada is used to send or access the electronic message”. (s.12(1)) • Anti-spam exception IC Regs 3(f) “if the person who sends the message or causes or permits it to be sent reasonably believes the message will be accessed in a foreign state that is listed in the schedule and the message conforms to the law of the foreign state that addresses conduct that is substantially similar to conduct prohibited under section 6 of the Act”; • The computer program provisions apply “if the computer system is located in Canada at the relevant time or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions”. (s.8(2)). McCarthy Tétrault LLP / mccarthy.ca / 13300658 8
  9. 9. Anti-Spyware/Malware Provisions and Regulations McCarthy Tétrault LLP / mccarthy.ca / 13300658 9
  10. 10. Question: What countries have anti- malware/spyware laws that are similar to those in CASL? McCarthy Tétrault LLP / mccarthy.ca / 13300658 10
  11. 11. McCarthy Tétrault LLP / mccarthy.ca / 13300658 11
  12. 12. THE PROHIBITION 8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless: (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with [the disclosure requirements of] subsection 11(5); or (b) the person is acting in accordance with a court order. Problems: Implied consents cannot be relied upon. Only express consents are valid, assuming compliance with the disclosure requirements. Written agreements or click-wraps will comply, assuming the consent is not bundled in the agreement. Web wrap agreements will likely not comply. McCarthy Tétrault LLP / mccarthy.ca / 13300658 12
  13. 13. WHAT PROGRAMS DOES CASL APPLY TO? • Applies to “computer programs” (defined in subsection 342.1(2) of the Criminal Code) as meaning “data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function”. Includes apps and updates. • Note: Computer programs are not limited to malware or spyware. • Installed on another person’s “computer system” ” (defined in subsection 342.1(2) of the Criminal Code) as meaning “a device that, or a group of interconnected or related devices one or more of which, (a) contains computer programs or other data, and (b) pursuant to computer programs, (i) performs logic and control, and (ii) may perform any other function”. • Note: Computer systems could include: servers, PCs, smartphones, tablets, ebook readers, the “Cloud”, websites and web services, industrial machines, appliances, autos, and other consumer products. McCarthy Tétrault LLP / mccarthy.ca / 13300658 13
  14. 14. WHAT PROGRAMS DOES CASL APPLY TO? • RIAS: “the requirements under CASL for the installation of computer programs only apply to the installation of computer programs on another person’s computer system. CASL will not apply to installations carried out by persons on their own computing devices.” ¬ A consumer buys a program on a physical media and installs the program on a home computer? ¬ A manufacturer pre-installs a program on a computer, machine, device or appliance and directly, or through a channel, sells the product to consumers? ¬ A retailer offers computer services such as to install software or to repair or configure computers or installs updates? While new hardware or software is installed by the service provider, the program may automatically go to a web site to look for and download an upgrade? ¬ A person goes to a website to download a program? McCarthy Tétrault LLP / mccarthy.ca / 13300658 14
  15. 15. WHAT PROGRAMS DOES CASL APPLY TO? A person is considered to expressly consent to the installation of a computer program if: a) the program is: i. a cookie, ii. HTML code, iii. Java Scripts, iv. an operating system, v. any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or vi. any other program specified in the regulations; and b) the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation. (s.10(8)) NOTE:, there is no express waiver of the disclosure requirement, but disclosure is only required where express requests are being sought. McCarthy Tétrault LLP / mccarthy.ca / 13300658 15
  16. 16. WHAT PROGRAMS DOES CASL APPLY TO? RIAS: ¬ “In addition, the software on some computer dedicated systems in automobiles may be “operating systems”, such as computers that operate specific functions like braking. There is deemed consent to update that as operating systems under the Act.” McCarthy Tétrault LLP / mccarthy.ca / 13300658 16
  17. 17. GETTING EXPRESS CONSENTS TO COMPLY WITH “MALWARE” AND “SPYWARE” PROVISIONS Obtaining consent: A person who seeks express consent must, when requesting consent, set out clearly and simply the following information: (a) the purpose or purposes for which the consent is being sought; (b) prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, prescribed information that identifies that other person; and (c) any other prescribed information.” (s.10(1)). McCarthy Tétrault LLP / mccarthy.ca / 13300658 17
  18. 18. DISCLOSURE REQUIREMENTS TO COMPLY WITH “MALWARE” AND “SPYWARE” PROVISIONS Two levels of disclosure required when obtaining consent. 1. Minimum Disclosure: A person who seeks express consent, must when requesting consent, also, in addition to setting out any other prescribed information, must clearly and simply describe, in general terms the function and purpose of the computer program that is to be installed if the consent is given. (s.10(3)) McCarthy Tétrault LLP / mccarthy.ca / 13300658 18
  19. 19. 2. Enhanced Disclosure: If the computer program meets one of the specified “malware” or “spyware” criteria in s.10(5), “the person who seeks express consent must, when requesting consent, clearly and prominently, and separately and apart from the licence agreement, (a) describe the program’s material elements that perform the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and (b) bring those elements to the attention of the person from whom consent is being sought in the prescribed manner”. DISCLOSURE REQUIREMENTS TO COMPLY WITH “MALWARE” AND “SPYWARE” PROVISIONS McCarthy Tétrault LLP / mccarthy.ca / 13300658 19
  20. 20. ¬ Enhanced Disclosure: The enhanced disclosure standard applies where ¬ the program performs functions that the person knows and intends will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or authorized user of the computer ¬ collects personal information; ¬ interferes with control of the computer; ¬ changes or interferes with settings preferences or commands; ¬ obstructs, interrupts, or interferes with access to data; ¬ causes the computer to communicate with another computer without authorization,: ¬ installing a computer program that can be activated by a third party: ¬ installing a bot, or something set out in the regulations; ¬ but not merely transmission data. (s.10(5) &(6)). DISCLOSURE REQUIREMENTS TO COMPLY WITH “MALWARE” AND “SPYWARE” PROVISIONS McCarthy Tétrault LLP / mccarthy.ca / 13300658 20
  21. 21. MEANING OF “SOUGHT SEPARATELY” CRTC Guidelines: a. What does “sought separately” mean? 14. The Commission considers that in order to meet the requirement of seeking consent separately, the person seeking consent must identify and obtain specific and separate consent for each act contemplated by the sections of the Act described in paragraph 13 above. Accordingly, consent for each act above must be sought separately from any other act captured by sections 6 to 8 of the Act. The Commission also considers that the activities captured by each of the above acts are distinct, as are the consequences. 15. For example, the Commission considers that persons must be able to grant their consent for the installation of a computer program while refusing to grant their consent for receiving CEMs. However, the Commission does not consider it necessary for consent to be sought separately for each instance of the acts listed in paragraph 13 above, as long as the consent request is in accordance with subsections 10(1), 10(2), 10(3), and 10(4) of the Act, where applicable. McCarthy Tétrault LLP / mccarthy.ca / 13300658 21
  22. 22. REQUESTS FOR CONSENT CRTC Guidelines ¬ 6. The Commission considers that requests for consent contemplated above must not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale. The underlying objective is that the specific requests for consent in question must be clearly identified to the persons from whom the consent is being sought. For example, persons must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs. McCarthy Tétrault LLP / mccarthy.ca / 13300658 22
  23. 23. CRTC Regulations, s.5 (unchanged): 5. A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought separately from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions. ENHANCED DISCLOSURE IN REGULATIONS McCarthy Tétrault LLP / mccarthy.ca / 13300658 23
  24. 24. EXCEPTIONS FOR SOFTWARE UPDATES, UPGRADES AND PATCHES The formalities for obtaining express consent (ss.10(1) and (3)) are not required for the installation of an update or upgrade so long as the installation or use of the computer program being updated was expressly consented to and the person who gave the consent is entitled to, and does receive the update under the terms of the express consent. (s.10(7)) Problem: ¬ There is no express exception that permits installation of an update or upgrade without consent. ¬ The original consent to install a program must include a consent to install updates or upgrades or they cannot be installed without requesting and obtaining a new consent. McCarthy Tétrault LLP / mccarthy.ca / 13300658 24
  25. 25. GETTING EXPRESS CONSENTS TO INSTALL UPDATES AND UPGRADES RIAS: ¬ “For updates and upgrades to computer programs installed after CASL comes into force, the Act allows companies to get the consent of the owner or authorized user for future updates or upgrades to the computer program at the same time they obtain consent for the original installation, or when the user is downloading. That is, when a computer program is installed, consent must in general be requested in accordance with the Act, but there are no requirements for the form of a request for consent to install updates and upgrades, whether that consent is requested in advance or when the update or upgrade is installed.” McCarthy Tétrault LLP / mccarthy.ca / 13300658 25
  26. 26. GETTING EXPRESS CONSENTS TO INSTALL PROGRAMS CRTC Reg s.4. For the purposes of subsections 10(1) and (3) of the Act, a request for consent may be obtained orally or in writing and must be sought separately for each act described in sections 6 to 8 of the Act and must include (a) the name by which the person seeking consent carries on business, if different from their name, if not, the name of the person seeking consent; (b) if the consent is sought on behalf of another person, the name by which the person on whose behalf consent is sought carries on business, if different from their name, if not, the name of the person on whose behalf consent is sought; (c) if consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought; and (d) the mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought; and (e) a statement indicating that the person whose consent is sought can withdraw their consent. Problems: Each consent must be separate; how can consent be withdrawn for a program that is already installed? McCarthy Tétrault LLP / mccarthy.ca / 13300658 26
  27. 27. Withdrawal of consent: If the computer program installed meets one of the specified “malware” or “spyware” criteria in s.10(5), the person who installs the program with consent must for 1 year provide an electronic address to which a request can be sent to remove or disable the computer program if the requestor believes that the function, purpose or impact of the computer program installed under the consent was not accurately described when consent was requested; and if the consent was based on an inaccurate description of the material elements of the enumerated function or functions, must, without cost to the person who gave consent, assist that person in removing or disabling the computer program as soon as feasible. (s.11(5)) WITHDRAWAL OF CONSENT FOR “SPYWARE” FUNCTIONALITY McCarthy Tétrault LLP / mccarthy.ca / 13300658 27
  28. 28. NEW EXCEPTIONS – (IC REGS S.6) • (a) network security • (b) updates and upgrades to a network • (c) correcting computer program failures. NOTE: exemptions are subject to the condition that “the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation”. (s.10(8)) RIAS: ¬ “Note that the Act only applies to computer programs installed in the course of commercial activity, a defined term that excludes public safety and other purposes, so issues of public safety. However, for software issues that are not matters of public safety, the Regulations provide for deemed consent for the installation of computer programs that are necessary to correct a failure in the operation of a computer system or program that is already installed.” McCarthy Tétrault LLP / mccarthy.ca / 13300658 28
  29. 29. NEW EXCEPTION – NETWORK SECURITY (IC REGS S.6) (a) a program that is installed by or on behalf of a telecommunications service provider solely to protect the security of all or part of its network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network; ¬ RIAS: ¬ “Note that CASL provides a broad definition of a Telecommunications Service Provider (TSP), which includes any persons who together or independently provides a telecommunications service. These services include features of services delivered by means of telecommunications facilities including network routers and servers, regardless whether the provider owns, leases or has any interest in or right to the equipment and software used to provide the telecommunications service…. ¬ The Regulations provide deemed consent for any companies or individuals who together or independently provide a telecommunications service, defined in the Act as a Telecommunications Service Provider (TSP), to install a computer program for the limited purposes of protecting the security of all or part of its network from a current and identifiable threat to its availability, reliability, efficiency, or optimal use… ¬ It should also be noted, that auto manufacturers may be TSPs for the purposes of CASL when they run computing networks such as GM’s OnStar or Ford’s Sync…” McCarthy Tétrault LLP / mccarthy.ca / 13300658 29
  30. 30. NEW EXCEPTION – UPDATE A NETWORK (IC REGS S.6) • (b) program that is installed, for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network; • Will the definition of TSP be broad enough to include all networks such as those operated by vehicle manufacturers, appliance manufacturers and others who provide products and services to consumers? • Where is the end node of the network such as the network of a vehicle manufacturer? • How will TSPs be able to conclude that all users of its network are consenting to the installation of the program? McCarthy Tétrault LLP / mccarthy.ca / 13300658 30
  31. 31. NEW EXCEPTION – CORRECTING PROGRAM FAILURES (IC REGS S.6) ¬ (c) a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose. ¬ RIAS: ¬ “Some stakeholders argued that they should not be required to get consent every time they install an update or upgrade. CASL provides a three year transitional period to continue updates and upgrades to existing computer programs, after which they will be required to get express consent to continue updates in the future, if they don’t fall under one of the exemptions.” McCarthy Tétrault LLP / mccarthy.ca / 13300658 31
  32. 32. TRANSITIONAL PROVISIONS ¬ S67. “If a computer program was installed on a person’s computer system before section 8 comes into force, the person’s consent to the installation of an update or upgrade to the program is implied until the person gives notification that they no longer consent to receiving such an installation or until three years after the day on which section 8 comes into force, whichever is earlier.” ¬ RIAS: ¬ “Auto manufacturers were also concerned that the three year transitional period in section 67 would limit their ability to continue to install updates or upgrades to computer programs on automobiles. To address this concern, these Regulations specify that express consent of an individual is deemed for updates and upgrades to computer programs that are installed across all or part of the auto manufacturer’s network, and the installation of computer programs to correct failures in the operation of the computer system or an existing program.” McCarthy Tétrault LLP / mccarthy.ca / 13300658 32
  33. 33. VANCOUVER Suite 1300, 777 Dunsmuir Street P.O. Box 10424, Pacific Centre Vancouver BC V7Y 1K2 Tel: 604-643-7100 Fax: 604-643-7900 Toll-Free: 1-877-244-7711 CALGARY Suite 3300, 421 7th Avenue SW Calgary AB T2P 4K9 Tel: 403-260-3500 Fax: 403-260-3501 Toll-Free: 1-877-244-7711 TORONTO Box 48, Suite 5300 Toronto Dominion Bank Tower Toronto ON M5K 1E6 Tel: 416-362-1812 Fax: 416-868-0673 Toll-Free: 1-877-244-7711 MONTRÉAL Suite 2500 1000 De La Gauchetière Street West Montréal QC H3B 0A2 Tel: 514-397-4100 Fax: 514-875-6246 Toll-Free: 1-877-244-7711 QUÉBEC Le Complexe St-Amable 1150, rue de Claire-Fontaine, 7e étage Québec QC G1R 5G4 Tel: 418-521-3000 Fax: 418-521-3099 Toll-Free: 1-877-244-7711 UNITED KINGDOM & EUROPE 125 Old Broad Street, 26th Floor London EC2N 1AR UNITED KINGDOM Tel: +44 (0)20 7786 5700 Fax: +44 (0)20 7786 5702 McCarthy Tétrault LLP / mccarthy.ca / 13300658

×