more draft regulations to canadian anti-spam legislation published

A while back I had posted an entry on some draft regulations under Canada’s Anti-Spam Legislation which were published by the CRTC for public comment. Those regulations related primarily to consent mechanisms and what information must be provided in e-mails.

Late last week, another round of draft regulations was released. This time, by the Governor in Council rather than the CRTC. For what it’s worth, here’s a compressed version of same. I’ve taken the liberty of appending the full wording at the end of the post, which can also be found in the Canada Gazette (with the added bonus of a regulatory impact analysis statement). This summary is a bit wordier as the regulations need a bit of background in order to be properly understood, and are a bit more complicated. Anyway, here it is FWIW:

  1. Section 6(5) of CASL exempts certain types of messages from the requirements to get prior consent and provide certain information before sending e-mails. These include messages to individuals with whom the sender has “personal or family relationships”. The regulations define both of these:
    • a family relationship  means:
      • a blood relationship (children, grandchildren, parents, grandparents, brothers, sisters or others of common or “collateral” descent);
      • relationship by marriage or common-law partnership (including in-laws in either case); or
      • adoption (including blood relations of the person doing the adopting).
    • a personal relationship means a relationship with someone who the sender has:
      • met in person at some point in the past;
      • had a two way communication within the past two years; and
      • the meeting and communication were not related to a “commercial activity”.
  2. Section 10(2) of CASL allows someone  (let’s call that someone the “Original Consentee”) to get consent from a person (let’s call them the “Target”) to send or alter messages or install software on behalf of third parties (let’s call those third parties “Additional Consentees”) whose identities are not known. To do so, there are two requirements: First, the Original Consentee must disclose specific information about itself (see my earlier post). Second, the Original Consentee must comply with the regulations. The regulations basically try to ensure there are seamless links between the Original Consentee and Additional Consentees from the Target’s perspective, as follows:
    • Requirements to send messages:
      • any message sent to the Target must identify the Original Consentee; and
      • each Additional Consentee must provide an unsubscribe mechanism that complies with CASL and which also allows the Target to withdraw consent from the Original Consentee and any other Additional Consentee;
    • Requirements related to withdrawal of consent by a Target:
      • the Original Consentee must ensure that any Additional Consentee who receives withdrawal of consent from a Target notifies the Original Consentee of those for whom consent has been withdrawn (i.e. the Original Consentee, the Additional Consentee receiving the notice of withdrawal, and any other Additional Consentees); and
      • the Original Consentee must:
        • give effect to the withdrawal of consent;
        • promptly notify any other Additional Consentees for whom consent has been withdrawn (other than of course the Additional Consentee who received the withdrawal); and
        • ensure that each other Additional Consentee for whom consent has been withdrawn also gives effect to the withdrawal of consent
  3. Section 6 of the Act provides that consent for messages can be express or implied. However, consent is only implied in certain situations. One of those situations is an existing “non-business relationship”. In turn, there are different categories of “non-business relationship”, one of which is membership with a club, association or voluntary organization within two years immediately before the day the message is sent. The regulations clarify what is meant by membership and what constitutes a club, association or voluntary organization:
    • membership means being accepted as a member; and
    • club, association or voluntary organization basically means a non-profit. To drive home the point, the regulation specifies that it can be operated for any purpose other than profit, and that no proprietor, member or shareholder can personally benefit from any income of the organization, except for organizations promoting amateur athletics in Canada.

The concepts are a bit convoluted, particularly those summarized in paragraph 2 above (which, as an aside, I think leave open some questions of interpretation, which I might address in a later post). Perhaps at a later time I’ll try to come up with an illustrative example of how 2 works (or at least my best guess as to how it’s supposed to work). Also, I believe in my previous post I referred to “e-mail”. Just to be clear, the Act applies not only to e-mail, but to any “commercial electronic messages”, which is fairly broad and could include SMS messages, messages through websites, IM, etc.

As with the last set, open for comments for 60 days following the publication date (July 9, 2011).

Full regulation to save you a click:

ELECTRONIC COMMERCE PROTECTION REGULATIONS

DEFINITION

1. In these Regulations “Act” means An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.

PERSONAL RELATIONSHIP AND FAMILY RELATIONSHIP

2. For the purposes of paragraph 6(5)(a) of the Act

  1. (a) “family relationship” means the relationship between individuals who are connected by
    1. (i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or of collateral descent from the other individual’s grandparent,
    2. (ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,
    3. (iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual; and
    4. (iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual; and
  2. (b) “personal relationship” means the relationship, other than in relation to a commercial activity, between an individual who sends the message and the individual to whom the message is sent, if they have had an in-person meeting and, within the previous two years, a two-way communication.

CONDITIONS FOR USE OF CONSENT

3. (1) For the purposes of paragraph 10(2)(b) of the Act, a person who obtained express consent on behalf of a person whose identity was unknown may authorize any person to use the consent on the condition that the person who obtained consent ensures that, in any commercial electronic message sent to the person from whom consent was obtained,

  1. (a) the person who obtained consent is identified; and
  2. (b) the authorized person provides an unsubscribe mechanism that, in addition to meeting the requirements set out in section 11 of the Act, allows the person from whom consent was obtained to withdraw their consent from the person who obtained consent or any other person who is authorized to use the consent.

(2) The person who obtained consent must ensure that, on receipt of an indication of withdrawal of consent by the authorized person who sent the commercial electronic message, that authorized person notifies the person who obtained consent that consent has been withdrawn from, as the case may be,

  1. (a) the person who obtained consent;
  2. (b) the authorized person who sent the commercial electronic message; or
  3. (c) any other person who is authorized to use the consent.

(3) The person who obtained consent must inform, without delay, a person referred to in paragraph 2(c) of the withdrawal of consent on receipt of notification of withdrawal of consent from that person.

(4) The person who obtained consent must give effect to a withdrawal of consent and, if applicable, ensure that a person referred to in paragraph 2(c) gives effect to the withdrawal of consent, in accordance with subsection 11(3) of the Act.

MEMBERSHIP, CLUB, ASSOCIATION AND VOLUNTARY ORGANIZATION

4. (1) For the purposes of paragraph 10(13)(c) of the Act, membership is the status of having been accepted as a member of a club, association or voluntary organization in accordance with the membership requirements of the club, association or organization.

(2) For the purposes of paragraph 10(13)(c) of the Act, a club, association or voluntary organization is a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than profit, if no part of its income is payable to, or otherwise available for the personal benefit of any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization the primary purpose of which is the promotion of amateur athletics in Canada.

COMING INTO FORCE

5. These Regulations come into force on the day on which they are registered.

draft regulations to canadian anti-spam legislation published

Sorry for the absence, blog and readers thereof. I have my reasons. Anyway just a short one this time. The CRTC published their draft regulations under Canada’s Anti-Spam Legislation (which as many of you know isn’t the official short name) which was passed last December but isn’t yet in force.

Nothing particularly earth-shattering. I’ve reproduced the regulations further below, but here’s the ultra short version:

  1. E-mails must set out:
    • name of sender
    • name of the principal on whose behalf the sender is sending (if different)
    • if sender/principal carry on business under other names, those other names
    • physical/mailing address, telephone number, email address and website of sender and principal
  2. If not practicable to include the info and an unsubscribe message in the e-mail, it can be presented through a link in the e-mail or another equally efficient method that doesn’t cost the recipient anything.
  3. Unsubscribe mechanisms cannot take more than two clicks (or something similarly efficient).
  4. Requests for consents (e.g. to receive e-mails or to install software) must include all the information set out in 1 and a statement indicating consent can be withdrawn by using such information.
  5. If software to be installed performs any of the functions specified in s. 10(5) of the Act, then:
    • those functions must be described “separately” from other information in the consent request
    • written acknowledgement must be obtained that the recipient understands and agrees to the performance of those functions

The functions set out in s. 10(5) for which consent must be obtained are (in compressed form):

  • collecting personal information
  • interfering with control of the recipient’s computer
  • changing or interfering with settings, preferences or commands without their knowledge
  • changing or interfering with data that prevents access or use
  • causing the computer system to communicate without the authorization
  • installing software  that may be activated without their  knowledge

I won’t put you through the pain of a rehash of the rest of the Act.

The consultation period ends August 29. Also, apparently there may be other stuff in the official regulation to be published on Saturday.

Here’s the full text for your reading pleasure and to save you a click:

Appendix to Telecom Notice of Consultation
CRTC 2011-400

Electronic Commerce Protection Regulations (CRTC)

DEFINITION

1. In these Regulations, “Act” means An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.

INFORMATION TO BE INCLUDED IN COMMERCIAL ELECTRONIC MESSAGES

2. (1)   For the purposes of subsection 6(2) of the Act, the following information must be set out in any commercial electronic message:

(a)   the name of the person sending the message and the person, if different, on whose behalf it is sent;

(b)   if the message is sent on behalf of another person, a statement indicating which person is sending the message and which person on whose behalf the message is sent;

(c)   if the person who sends the message and the person, if different, on behalf of whom it is sent carry on business by different names, the name by which those persons carry on business; and

(d)   the physical and mailing address, a telephone number providing access to an agent or a voice messaging system, an email address and a web address of the person sending the message and, if different, the person on whose behalf the message is sent and any other electronic address used by those persons.

(2)   If it is not practicable to include the information referred to in subsection (1) and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act in a commercial electronic message, that information may be provided by a link to a web page on the World Wide Web that is clearly and prominently set out and that can be accessed by a single click or another method of equivalent efficiency at no cost to the person to whom the message is sent.

FORM OF COMMERCIAL ELECTRONIC MESSAGES

3. (1)   The information referred to in section 2 and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be set out clearly and prominently.

(2)   The unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be able to be performed in no more than two clicks or another method of equivalent efficiency.

INFORMATION TO BE INCLUDED IN A REQUEST FOR CONSENT

4. For the purposes of subsections 10(1) and (3) of the Act, a request for consent must be in writing and must be sought separately for each act described in sections 6 to 8 of the Act and must include

(a)   the name of the person seeking consent and the person, if different, on whose behalf consent is sought;

(b)   if the consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought;

(c)   if the person seeking consent and the person, if different, on whose behalf consent is sought carry on business by different names, the name by which those persons carry on business;

(d)   the physical and mailing address, a telephone number providing access to an agent or a voice messaging system, an email address and a web address of the person seeking consent and, if different, the person on whose behalf consent is sought and any other electronic address used by those persons; and

(e)   a statement indicating that the person whose consent is sought can withdraw their consent by using any contact information referred to in paragraph (d).

SPECIFIED FUNCTIONS OF COMPUTER PROGRAMS

5. A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought separately from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.

COMING INTO FORCE

6. These Regulations come into force on the day on which they are registered.

 

so much for the paperless revolution

Lexology had an interesting story that serves as a really good reminder that sometimes, despite all the great things about modern technology, plain old paper may sometimes be the best way to go.

What happened? Well, to make a long story short, the US Federal Trade Commission inadvertently disclosed a large amount of information that was filed with the FTC that should have remained confidential. To wit:

The mistake made by the FTC was basic. In preparing its brief for filing, FTC staff wrongly assumed that the metadata in its word processing file would not migrate upon direct conversion from native format to portable document format (.pdf). In particular, they wrongly assumed that using Microsoft’s “Highlight” (or “Borders and Shading”) tool to black out text actually removed the text from the file’s contents. It does not. It “covers up” the text, but the text itself remains in the file, fully searchable and available for copying. The resulting .pdf appears at first glance to contain only black boxes in place of the redacted content. That content, however, is present in the .pdf file and can be easily revealed either by copying and pasting the blacked-out text into a word-processing file or an e-mail message or by viewing the .pdf file in a reader such as Preview or Xpdf.

It’s one of those stories that makes you want to laugh and cry at the same time. The laughing because it’s easy enough to think “What kind of idiot would do that?” because the error was (at least for most readers of this blog) rather obvious. The crying because, if you give it some thought, there are instances that this could very well happen to even the most technically sophisticated of you – not just with PDFs, but any number of other forms of digital documents, communications and storage – and in any number of ways. The bottom line is that when things are put into digital form, they are often harder to get rid of. It’s something well worth keeping in mind.
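To make the failure concrete, here is a pre-release check for exactly this kind of "covered but not removed" text. It is an added example, not code from the Lexology story or the FTC filing: the function name `find_covered_text` and both sample streams are constructed, and it assumes an uncompressed page content stream with no coordinate transforms and only `rg`/`g` fill colours.

```python
import re

# Tokens: literal strings, array brackets, or any other run of characters.
TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|[\[\]]|[^\s()\[\]]+")
NUMBER = re.compile(rb"[+-]?(?:\d+\.?\d*|\.\d+)")
FILL_OPS = {b"f", b"F", b"f*", b"B", b"B*", b"b", b"b*"}
END_PATH_OPS = {b"n", b"S", b"s"}

# Constructed sample: a black box drawn over a line of text that is still present.
LEAKY_STREAM = b"""
0 0 0 rg
72 700 220 14 re f
BT /F1 12 Tf 1 0 0 1 74 703 Tm [(Settlement am) -20 (ount: 4.2M)] TJ ET
BT /F1 12 Tf 72 660 Td (Public summary of the filing) Tj ET
"""

# Constructed sample: same box, but the sensitive text was actually deleted.
REDACTED_STREAM = b"""
0 0 0 rg
72 700 220 14 re f
BT /F1 12 Tf 72 660 Td (Public summary of the filing) Tj ET
"""


def _num(tok):
    return float(tok) if NUMBER.fullmatch(tok) else None


def _text(tok):
    # Literal string -> str; only backslash-escaped characters are unescaped.
    return re.sub(rb"\\(.)", rb"\1", tok[1:-1]).decode("latin-1")


def find_covered_text(stream, dark=0.2):
    """Return text whose origin lies inside a dark filled rectangle."""
    fill_dark = True  # the default PDF fill colour is black
    pending, rects, shown = [], [], []
    x = y = 0.0
    args = []
    for match in TOKEN.finditer(stream):
        tok = match.group()
        if tok[:1] in (b"(", b"/", b"[", b"]") or _num(tok) is not None:
            args.append(tok)  # operand: keep it until the operator arrives
            continue
        nums = [n for n in map(_num, args) if n is not None]
        strs = [_text(a) for a in args if a[:1] == b"("]
        if tok == b"rg" and len(nums) == 3:
            fill_dark = max(nums) <= dark
        elif tok == b"g" and len(nums) == 1:
            fill_dark = nums[0] <= dark
        elif tok == b"re" and len(nums) == 4:
            rx, ry, w, h = nums
            pending.append((min(rx, rx + w), min(ry, ry + h),
                            max(rx, rx + w), max(ry, ry + h)))
        elif tok in FILL_OPS:
            if fill_dark:
                rects.extend(pending)  # only dark fills can hide text
            pending = []
        elif tok in END_PATH_OPS:
            pending = []
        elif tok == b"BT":
            x = y = 0.0
        elif tok in (b"Td", b"TD") and len(nums) == 2:
            x, y = x + nums[0], y + nums[1]
        elif tok == b"Tm" and len(nums) == 6:
            x, y = nums[4], nums[5]
        elif tok in (b"Tj", b"TJ", b"'") and strs:
            shown.append((x, y, "".join(strs)))
        args = []
    # Compare after the whole page is read: the box may be drawn after the text.
    return [t for (tx, ty, t) in shown
            if any(x0 <= tx <= x1 and y0 <= ty <= y1
                   for (x0, y0, x1, y1) in rects)]


if __name__ == "__main__":
    print("leaky:", find_covered_text(LEAKY_STREAM))
    print("redacted:", find_covered_text(REDACTED_STREAM))
```

Any non-empty result means the file should not be released: the box is cosmetic and the text underneath still ships with the document.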

the (not so) long arm of the tax authorities

The recent case involving the Canada Revenue Agency and eBay took an interesting (and perhaps somewhat ironic) twist on access to information. Without getting into too much detail, the essence of the issue was this: CRA wanted eBay Canada to cough up information on folks known as “Power Sellers” – those that sell a lot of stuff on eBay. Presumably so that CRA could helpfully remind those folks of their tax obligations in the unfortunate event they somehow forgot to report all the income they made in Canada by selling on eBay.

eBay Canada’s response was that the legal entity in Canada did not in fact own that information and it was also not stored in Canada. Rather, the information was owned by some of its affiliates and stored in the US, outside of Canadian jurisdiction. So they couldn’t provide the information, they asserted.

Unfortunately (for eBay) it came out that eBay Canada was able to access the information even though it didn’t own the data. In fact, it had to be able to access that information in order to run its business. So the court ruled in favour of the CRA, with this rather cogent analysis:

The issue as to the reach of section 231.2 when information, though stored electronically outside Canada, is available to and used by those in Canada, must be approached from the point of view of the realities of today’s world. Such information cannot truly be said to “reside” only in one place or be “owned” by only one person. The reality is that the information is readily and instantaneously available to those within the group of eBay entities in a variety of places. It is irrelevant where the electronically-stored information is located or who as among those entities, if any, by agreement or otherwise asserts “ownership” of the information. It is “both here and there” to use the words of Justice Binnie in Society of Composers, Authors and Music Publishers of Canada v. Canadian Ass’n of Internet Providers, [2004] 2 S.C.R. 427 at paragraph 59. It is instructive to review his reasons, for the Court, at paragraphs 57 to 63 in dealing with whether jurisdiction may be exercised in Canada respecting certain Internet communications, including an important reference to Libman v. The Queen, [1985] 2 SCR 178 and the concept of a “real and substantial link”.

The implications in this case are relatively clear. In other cases, it may become less so. For example, what happens with this concept when someone who once stored their docs on their local hard drive starts using Google Docs, only to find out that the authorities in whatever far-flung jurisdiction have ordered an affiliate of Google to disclose that information? Or in the near future when things like Prism get to a point where users aren’t even sure whether their data is here, there, or elsewhere. Interesting times, indeed.

to disclose or not to disclose – that is the question…

A good writeup on globeandmail.com about the very, very unfortunate case of AiT and Deborah Weinstein, their lawyer. The (very) short version: AiT signs a non-binding letter of intent to get purchased by 3M. Apparently shortly thereafter there’s a leak of the deal (which causes a runup in its share price). AiT issues a press release, saying it’s exploring alternatives but doesn’t mention the deal. The deal is only disclosed two weeks after the leak, when a definitive agreement is signed (i.e. the deal is binding). Read more about it on the OSC site. Talk about being between a rock and a hard place. One of the partners of our firm is quoted on that point:

Gary Girvan, an M&A specialist with McCarthy Tétrault LLP, says “the stakes are very high” for directors to disclose merger negotiations early because civil liabilities legislation introduced by Ontario last year could cost board members personally if they fail to disclose material events in a timely fashion. The combination of the new legislation and the AiT case puts more pressure on boards to reveal potential deals earlier, Mr. Girvan said, but the consequences can be devastating for shareholders.

“The danger is that you end up with a lot of announcements that do not come to fruition and the stocks of the listed company become volatile. Investors will be reacting to news about a deal that hasn’t crystallized,” he said.

The company and its CEO have settled with the Ontario Securities Commission (the provincial equivalent here of the SEC) but Ms Weinstein has indicated she will vigorously defend herself. As, I think, IMHO, she should.

press neutrality and lawsuits

Techcrunch (Mr. Arrington) has put up an article suggesting Digg sue Wired (that’s also the headline – “Digg Should Sue Wired”). Because Wired posted some negative reviews of Digg. And because Wired’s parent, Condé Nast, owns a competitor of Digg (reddit). The nub:

Digg can’t treat Wired like any other user that’s engaged in fraud. Wired is the press, and the press has tremendous power. Wired is putting Digg in an impossible situation, and they should be called on it. Reporting news is one thing (although they should note the conflict of interest there as well), but actively creating negative news about a competitor and then using the massive reach of Wired to promote that “news” is way over the line.

Very strong words indeed. I’m quite surprised by this comment, as I understand Mr. Arrington has legal training and in fact practiced as a lawyer for some time. Why surprised? Because, apart from the possibility that the reporter who wrote the second article to which he refers (who basically tried to see if Digg’s system of user rankings could be “gamed”) breached Digg’s terms of use (of course – because rightly so their terms would prohibit such gaming…), it’s really, really tough for me to see exactly what Digg should sue Wired for? What exactly is the cause of action? Surely he’s not accusing Digg of actually committing fraud, is he? It is difficult for me to see how fraud has been committed – what exactly is fraudulent about the articles?

Sure, there is a conflict of interest situation here, the usual cure for which is full disclosure, but hardly the basis for a lawsuit. And if he thinks that Wired suffers from conflict of interest, well, I invite him to check out the ownership of most major media in the US and Canada, and see how many times they are taking a stab at competitors of other companies that their ultimate owners control. If this is as big a deal as Mr. Arrington suggests, then Chomsky’s Manufacturing Consent should be considered a field manual to endless lawsuits against not only Condé Nast but also CBS, NBC, ABC, CanWest Global, etc. etc. etc.

But perhaps I took the words too seriously – perhaps he was just using the words “sue” and “fraud” figuratively or to illustrate his point. Or perhaps, given the more litigious nature of the US, and the somewhat kinder, gentler, less punitive (as in damages) environment in Canada, there is actually a basis for Digg suing the heck out of Wired.

Bit of a tempest in a teapot, I think…

And of course in the interest of full disclosure, I am a subscriber to Wired, and also hope someday to see one tiny link from their site to this little blog.

Were You Once a Brobeck Client?

Very interesting post on TechCrunch on how the digital records of law firm Brobeck, Phleger & Harrison, for some 10,000 clients, will be preserved and made available to a limited group of scholars and researchers, through what will be called the Brobeck Closed Archive.
Wow. At first blush I had the same reaction as Michael Arrington (the TechCrunch guy) and the guy who wrote the original article that he cited. But if you read through the FAQ at the site, as well as the comments that the professor who is running the thing posted on TechCrunch, it’s pretty clear that they’re not going to be displaying lawyer-client documents on a website for all to see – there will be some measure of protection put into place.

That being said, though I certainly understand the historical significance of these records, and the objectives of the archive (which seem entirely noble) I get a bad feeling about this generally – you know, kind of like that little tickle at the back of your throat that almost, but not quite, wants to make you cough. Heck, if I were a client of a law firm, would I want anyone looking at my counsel’s records on me? Even if it were a researcher? Even under NDA? And even with restrictions? Well, no, I don’t think so. Not at all. It’s not any researcher’s business – not at all. So sure, maybe as an opt in program, if the client consents, but otherwise, even, I think, where a corporate client no longer exists to approve disclosure, the records should also do the same.

So, if you were once a Brobeck client, and haven’t seen the notice, you might want to get in touch with the archive.