TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Consumer groups, regulators must rethink enforcement of CASL Related reading: New CASL 'right of action' will lead to surge in class-action lawsuits

rss_feed
PrivacyTraining_ad300x250.Promo1-01
PSR17_WebBanner_300x250-COPY
Webcon_Identity_Guard_PA_300x250_ad_June_2017

It came down to the wire, but the government of Canada announced June 7, 2017, that it would suspend the coming into force of the private right of action under Canada’s Anti-Spam Legislation. This was welcome news for businesses communicating with Canadians. The private right of action would have become reality July 1, and permitted plaintiffs to recover any actual damages they might prove, as well as statutory damages of CA$200 per violation of CASL or up to CA$1 million per day. There was broad-based concern that the private right of action would unleash a wave of litigation given the many uncertainties in this complex legislation that is not well understood by businesses or consumers.

While the suspension of the private right of action is welcome news, the burning question now is whether organizations can expect any other changes to CASL or the manner in which the Canadian Radio-television and Telecommunications Commission enforces CASL. The CRTC receives an average of 5,000 submissions a week to the Canada's Spam Reporting Centre by its citizens. Clearly, Canadians are frustrated at receiving unsolicited email communications.

However, if consumer groups and the CRTC do not wish to see CASL gutted, they will need to convince parliament that the law operates in a balanced way. In my view, this must begin with the CRTC properly educating consumers on the right of businesses to communicate with them electronically and with CRTC staff taking a more measured approach to enforcement, focusing on clear guidance rather than press releases and Twitter posts about violations.

Here are three takeaways from last week’s developments.

The government has finally accepted that stakeholders find CASL confusing and difficult to operationalize

The press release from Innovation, Science and Economic Development Canada stated the government was responding to “broad-based concerns raised by businesses, charities and the not-for-profit sector.” The Privy Council Office’s summary of the purpose of the Order in Council stated the purpose of the Order in Council repealing the previous Order in Council that had set the coming into force date for the private right of action was “to promote legal certainty for numerous stakeholders claiming to experience difficulties in interpreting several provisions of the Act while being exposed to litigation risk.”

In the press release announcing the delay to the private right of action, the Hon. Navdeep Bains, the Minister of ISEDC, unequivocally acknowledged the law is imbalanced. The Minister stated, "Canadians deserve to be protected from spam and other electronic threats so that they can have confidence in digital technology. At the same time, businesses, charities and other nonprofit groups should have reasonable ways to communicate electronically with Canadians. We have listened to the concerns of stakeholders and are committed to striking the right balance."

This is an enormous victory and the first time the government has expressly recognized the broad-based concerns of businesses, charities and nonprofits that are struggling to comply with imbalanced and confusing legislation.

This is an enormous victory and the first time the government has expressly recognized the broad-based concerns of businesses, charities and nonprofits that are struggling to comply with imbalanced and confusing legislation.

The door is open for change, but there is a long road ahead

Recognition that there is a problem is a start. However, it will take a long time before organizations see any relief. The press release announcing the delay stated the government would ask a parliamentary committee to undertake a review of CASL in accordance with s. 65 of CASL, which provides for a review following its three-year anniversary, which occurs July 1.

It is not yet certain which committee might convene to review CASL. It is likely to be the Standing Committee on Industry, Science and Technology. However, it could also be the Standing Committee on Access to Information, Privacy and Ethics or a Special Committee struck for the purpose of the CASL review.

For those readers who are not familiar with a committee process, it is made up of members of parliament and/or senators depending on whether it is a House of Commons committee, a Senate committee or a joint committee. Usually, the committee will have 10 members, including from the governing and opposition parties in proportion to their standings in the House of Commons.

Once the committee is mandated to review CASL, stakeholders will usually have an opportunity to make submissions on whether amendments to CASL are advisable. Therefore, businesses wishing to see changes should consider working proactively with industry groups to conduct research and gather information on compliance challenges and the economic costs of CASL in preparation for the committee meetings. Similarly, citizen groups may wish to gather evidence and focus on matters that might make a real impact on individuals who wish to gain control over their inboxes.

After hearing from stakeholders, the parliamentary committee will report to Parliament on its recommendations. Although the recommendations are not binding on the government or Parliament, the government will find it politically necessary to respond to the recommendations in some way. To the extent that statutory revisions are required, the government would need to prepare a bill and introduce that bill in either the Senate or the House of Commons. Only once the bill was approved by both houses would it receive royal assent and come into force either on the date of royal assent or some future date. At any time, the government could lose interest in making revisions, particularly if the CRTC’s enforcement posture eases and, therefore, the pressure from stakeholders diminishes.

I wouldn’t bet on changes earlier than mid-2018.

The CRTC staff’s “cop on the block” routine has not helped its cause

The CRTC staff must enforce the law as written, but they have considerable latitude in the tools they use to promote compliance. The government’s acknowledgment that stakeholders find CASL confusing and imbalanced is as much an indictment of the law as it is the manner in which the CRTC has promoted compliance. Indeed, the backlash from stakeholders that resulted in the government’s announcement may have been motivated, in part, by the CRTC staff’s approach to enforcement over the past three years.

The CRTC staff’s approach from the get-go has been aggressive, pursuing enormous administrative monetary penalties or requiring six-figure settlements from legitimate businesses communicating with customers and prospective customers. Instead of using the first three years to focus on scam artists or working with legitimate businesses to develop guard rails, it focused on trumpeting its enforcement activity by press releases that provided no information that could help other organizations understand the context for the CRTC staff’s concerns and the quantum of the administrative monetary penalty or the settlement.

Further, CRTC staff has failed to clearly advise consumers of the right of companies to email them.

Instead, they have encouraged complaints by consumers. The Fight Spam website encourages individuals to report receiving "an email for which you did not give consent." An ordinary consumer would interpret this as meaning express consent. However, there are numerous exceptions to the consent requirement, not to mention the fact that businesses may have implied consent. By contrast, the CRTC’s website for the National Do Not Call List, which contains similar exceptions for existing business relationships, devotes a page to explaining when organizations can still contact a person who has registered for the Do Not Call List. No similar page has been published by the CRTC in respect of the similar exception under CASL.

Moreover, it took the CRTC commissioners to reign in the CRTC staff’s pursuit of excessive administrative monetary penalties. In an enforcement decision regarding Blackstone Learning Corp., an administrative monetary penalty of $640,000 was reduced to $50,000. The commissioners stated the amount of the penalty should be high enough to promote a change to the organization’s behavior but not so high as to preclude continued operation. Blackstone had sent more than 350,000 messages in violation of CASL and failed to cooperate. There were at least 60 complaints to the Spam Reporting Centre. However, there was some evidence that a penalty of the magnitude sought by the CRTC staff would have a serious detrimental impact on the organization.

These activities have served the purpose of demonstrating that the law is imbalanced and is placing legal risk and compliance burdens on legitimate businesses attempting to communicate for legitimate purposes.

These activities have served the purpose of demonstrating that the law is imbalanced and is placing legal risk and compliance burdens on legitimate businesses attempting to communicate for legitimate purposes. If the CRTC staff and consumer groups do not want to see CASL gutted, they will have to demonstrate that the law works and that legitimate businesses are not prevented or forced to engage in costly compliance activities that are disproportionate to the harm to consumers, particularly those consumers with whom they do business.

Although it would require a fundamental rethinking of how CRTC staff operate, the time is ripe for it to pull back from overly technical and aggressive enforcement against legitimate businesses. It has no obligation to pursue every report to the Spam Reporting Centre and could, therefore, work with organizations to develop mutual lessons learned and to reserve formal settlements through Compliance Agreements and Notices of Violation for those organizations that are running scams, have no compliance program in place, or resist or refuse to change their practices.

However, given the enforcement posture to date, I wouldn’t rest easy. Full compliance should still be the priority. 

photo credit: Onasill ~ Bill Badzo ~ Enough ~ OFF Ottawa Ontario ~ Canada ~ Parliament Hill ~ Central Block ~ Heritage Building via photopin (license)

1 Comment

If you want to comment on this post, you need to login.

  • comment Peter Meyler • Jun 15, 2017
    Individuals will have very little say about the use of their personal email addresses if business gets its way, which it seems it will. An individual's privacy rights should not so easily be ignored by the government. Welcome, Canada, to the Monty Python world of spam, spam, spam.... Lovely spam! Wonderful spam!