Human Resources Legislative Update
CRTC Publishes Guidance on Indirect Contraventions of Canada’s Anti-Spam Law
Date: November 15, 2018
On November 5, 2018, the CRTC published its Compliance and Enforcement Information Bulletin CRTC 2018-415 (Bulletin), which is a guideline regarding the prohibition against facilitating spam under Canada’s Anti-Spam Law (CASL).
Section 9 of CASL imposes prohibitions and penalties for activities that facilitate the contravention of the anti-spam provisions in sections 6-8. The non-facilitation prohibition is broad, making it an offence to “aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.”
The prohibitions at sections 6-8 make the following offences under CASL:
- sending, causing, or permitting to be sent, commercial electronic messages without express or implied consent;
- altering, or causing to be altered, transmission data in electronic messages (phishing and redirection), in the course of a commercial activity, without express consent; and
- installing, or causing to be installed, a computer program on another person’s computer in the course of a commercial activity without express consent.
Who risks contravening section 9?
Any individual or organization could be liable for contravening section 9 by providing services (technical or otherwise) that enable or contribute to the prohibited actions listed above. Other relationships between organizations that relate to, or enable, electronic messages may also raise the possibility of liability under section 9, though the Bulletin focuses on service provider liability.
The CRTC will assess possible section 9 violations by considering the level of control over and degree of connection to the activity that violates sections 6-8, as well as reasonable preventative steps taken to prevent it.
In the Bulletin, the CRTC lists the following intermediaries as parties engaged in activities that risk non-compliance with section 9:
- Advertising brokers
- Electronic marketers
- Software and application developers
- Software and application distributors
- Telecommunications and Internet service providers
- Payment processing system operators
How to mitigate a section 9 violation
An individual or organization will not be found liable for a contravention of the non-facilitation provision if they exercised due diligence to prevent the violation. The most effective way to establish the due diligence defence is to adopt measures that specifically identify and address non-compliance risks. The CRTC advises that the following as categories of reasonable measures address non-compliance risks:
- Prevention;
- Detection, notification and information sharing;
- Remediation and recovery; and
- Documentation.
Penalty for contravention
The CRTC can impose a range of enforcement measures for a contravention of section 9, with a maximum possible financial penalty of $1,000,000 for an individual and $10,000,000 for an organization. The following factors are assessed to determine the appropriate enforcement measure:
- the likely effect on compliance;
- the nature and scope of the violation;
- the degree of harm associated with the violation;
- the level of co-operation by the alleged violator; and
- the history of prior violations.
Conclusion
Organizations engaged in activities that could contravene the section 9 non-facilitation provision should review their practices against the anti-spam rules. If you would like our assistance with this, please contact a member of our Information, Data Security and Privacy Practice Group.