Canada’s newly resurrected Anti-Spam legislation (Bill C-28), which would enact the Fighting Internet and Wireless Spam Act (“FISA”), essentially mimics the key provisions of the previously proposed Electronic Commerce Protection Act (“ECPA”) which died on the order paper at the end of the last parliamentary session. According to the Federal Government, FISA will “deter the most damaging and deceptive forms of spam” such as email and text message spam, phishing, identity theft, email address harvesting, spyware and botnets, and will “help drive spammers out of Canada”.
The key anti-spam, anti-phishing and anti-spyware features of FISA are set out in Sections 7 to 9, respectively. Unless prior consent has been obtained, FISA prohibits (for commercial purposes): sending electronic messages (Section 7), altering the transmission data in an electronic message (Section 8), and installing a computer program on any other person’s computer or causing electronic messages to be sent from another person’s computer (Section 9).
The prohibitions in Sections 7 to 9 only apply if the messages are sent from a computer system located in Canada (or additionally, in the case of Section 9, if the action is directed from within Canada). Section 10 also prohibits aiding, inducing, procuring or causing to be procured any act contrary to Sections 7 to 9.
Although these key anti-spam provisions essentially mimic those proposed under ECPA, FISA appears to be an attempt to tone down the over-reaching effects of ECPA (which went far beyond prohibiting what would traditionally be considered spam), by expanding the permitted exemptions. Despite these positive steps, some commentators have questioned whether enough has been done to ensure that legitimate business practices are not negatively impacted by the onerous requirements of FISA.
As with ECPA, FISA still requires that recipients of commercial electronic messages must first “opt-in” to receive commercial emails or text messages, and must be allowed to quickly and easily “unsubscribe” from further messages. However, circumstances in which consent is implied have been slightly expanded under FISA, and now include an existing (within the last two years) business or personal relationship, situations in which the recipient has published or provided their electronic address to the sender (without indicating that they do not wish to receive unsolicited commercial messages), and circumstances that are set out in the regulations. Such changes would appear to allow for email follow-up with potential business contacts following the exchange of business cards at networking functions – a common and legitimate business practice that would have been considered “spam” under the previous bill.
In addition, the government has listened to industry objections and added in exemptions to the anti-spyware sections in Section 9 in order to allow for the installation of automatic updates and upgrades to software (provided such updates/upgrades are installed in accordance with the initial consent provided).
In order to ease the transition to “opt-in” consent, Section 67 of FISA provides a grandfather clause which implies consent for three years following enactment of Section 7 for email communications sent to existing business or non-business contacts (even those which fall outside the two-year window), provided that the existing relationship included email communication and the recipient has not withdrawn consent. Section 68 provides a similar three-year grandfather clause for implied consent to receive updates relating to computer programs installed prior to the enactment of Section 9.
Despite these few additional exemptions, complying with FISA’s strict consent and form requirements, the “opt-in” requirement and the all encompassing definition of “commercial electronic message” may still cause headaches for many ordinary businesses engaged in legitimate business communications with potential or past customers, suppliers and other contacts.
FISA would be enforced by the Canadian Radio-television and Telecommunications Commission (“CRTC”), the Competition Bureau of Canada and the Office of the Privacy Commissioner of Canada, with Industry Canada taking on the role of “national coordinating body” in order to expand awareness of the law and educate consumers. FISA provides these enforcement bodies with greater powers to deal with spammers, such as the ability to impose administrative fines of up to $1 million against individuals and up to $10 million against businesses. There is also a private right of action under FISA, which provides for compensation for each contravention. In each case, officers, directors and agents of corporations can potentially be found personally liable, and employers can be found vicariously liable for the actions of their employees.
While no one disputes the need for effective anti-spam legislation, one can question whether a more strategic approach might be to focus on prohibiting only malicious or bulk transmissions or the installation of fraudulent or misleading communications or computer programs. Under the currently proposed legislation, legitimate businesses and individuals face a real risk of finding themselves inadvertently in violation of the stringent legal requirements set out in FISA each and every time they or their employees hit “send”.