Canada’s anti-spam legislation, known as CASL, will soon be enforced in a new manner: the private right of action. As of July 1, individuals and organizations that are affected by a CASL infraction will be able to take legal action, either personally or as a class, against organizations and their directors and officers. It will have wide-reaching consequences for businesses in Canada and elsewhere.
Update: The Government of Canada has just suspended the private right of action. More details to come.
Since the legislation came into force in 2014, the Canadian Radio-television and Telecommunications Commission (CRTC) has been responsible for enforcing CASL.
Though it has sporadically cracked down on offenders, many consider the legal framework and the principles stemming from the penalties it imposed ambiguous. And there is still some uncertainty around the practical application of the law, even as the “grace period” comes to a close. That is all set to change.
A tool to protect internet users
Until now, the CRTC has focused almost exclusively on commercial e-mail (spam), and even then only cautiously. It shouldn’t be long before the private right of action helps clarify some of the rules surrounding unsolicited commercial electronic messages, the installation of malware, the collection and use of personal information without the public’s knowledge, and the spoofing of email addresses and subject lines. The courts are likely to get busy quickly, as victims seek compensation for injury.
Of course, the law stipulates a minimum fine of $200 per offence – an amount that may discourage potential victims from heading to the courthouse. But class actions should facilitate a greater number of claims, as class members share legal expenses and the law requires, for certain offences, that the minimum amount be payable even in the absence of proof of damages. The only potential obstacles are procedural in nature. Indeed, CASL calls for the detailed identification of all the offences by each member of the class. Given the lack of any other precedents for the application of this legislation before the courts, the initial claims will set the precedent.
Complex challenges for organizations and their insurers
In time and as the case law evolves, the stakes will grow for organizations and their directors and officers. The complexity and length of the class actions are just the tip of the iceberg. Once an action is certified, an organization seeking to discharge the burden of proof will have to commit extensive financial resources to supplying all the necessary data to prove its case. To establish it acted with due diligence, an organization will have to prove that it took every possible precaution to avoid committing offences and that remedial measures have been put into place since then. Furthermore, CASL introduces new responsibilities: Organizations must provide a framework and continuous education for employees about the duties and prohibitions outlined in the legislation, and on issues of cybersecurity. A hacking incident that leads to the transmission of thousands of spam e-mails in an organization’s name is only one example of the types of incidents organizations will have to contend with.
How insurers will respond is not entirely clear. The law provides for a maximum fine of up to $1,000,000 a day. So far, the position of the insurers in relation to CASL and the liability of organizations is open to some interpretation. As for the directors and officers, insurers will have to review their coverage to ensure compliance with the legislation, or quite simply stipulate an exclusion. In any event, organizations would be well advised to thoroughly review their insurance coverage to ascertain their situation when it comes to cybersecurity and CASL violations.
In a vain attempt to alleviate the burden on organizations, CASL stipulates that the court will be limited in awarding compensation where an organization has entered into an undertaking with the CRTC. But the fact that the CRTC has only modestly enforced the legislation since it came into force should in no way encourage organizations to delay their compliance efforts any longer. For one, the government’s intent in postponing the date of entry into force of the private right of action was clearly to allow organizations to learn how to comply in the meantime. According to Certimail, more than 60% of the enterprises that fall within the scope of CASL still do not have any policy with regard to this matter. Moreover, only 10% of the enterprises that have done something would really be protected.
Another interesting aspect of CASL is its extraterritorial scope, which is clear. Regardless of where the author of the offence is located, the law only requires that electronic communications be sent or retrieved from a computer in Canada for CASL to apply. As a result, these rules promise to give Canada a broad field of jurisdiction in respect of other countries, even though the CRTC has not been involved in such international cases up to now.
However, there are limits, in particular due to the international cooperation prescribed by the legislation and the legal uncertainty when it comes to the Web’s borders. Moreover, in the event a foreign sender commits an offence, Canada will have to ensure bilateral follow-up and cooperation with the authorities of the countries listed in the CASL regulation. Such cooperation means that Canadian authorities will have to waive the prosecution of certain cases and, ultimately, that not all actions will be able to succeed in Canada. Finally, Canada’s highest court is currently contemplating its territorial jurisdiction affecting online activities in the Equustek and Douez cases. We can therefore expect a number of adjustments to the scope of CASL, and therefore to its real consequences for the digital economy, for the rights and duties of its actors and, certainly, for the day-to-day life of internet users.