more draft regulations to canadian anti-spam legislation published

A while back I had posted an entry on some draft regulations under Canada’s Anti-Spam Legis­la­tion which were published by the CRTC for public comment.  Those regulations related primarily to consent mechanisms and what information must be provided in e-mails.

Late last week, another round of draft regulations were released. This time, by the Governor in Counsel rather than the CRTC. For what it’s worth, here’s a compressed version of same. I’ve taken the liberty of appending the full wording at the end of the post, which can also be found in the Canada Gazette (with the added bonus of a regulatory impact analysis statement). This summary is a bit wordier as the regulations need a bit of background in order to be properly understood, and are a bit more complicated. Anyway, here it is FWIW:

  1. Section 6(5) of CASL exempts certain types of messages from the requirements to get prior consent and provide certain information before sending e-mails. These include messages to individuals with whom the sender has “personal or family relationships”. The regulations define both of these:
    • a family relationship  means:
      • a blood relationship (children, grandchildren, parents, grandparents, brothers, sisters or others of common or “collateral” descent);
      • relationship by marriage or common-law partnership (including in-laws in either case); or
      • adoption (including blood relations of the person doing the adopting).
    • a personal relationship means a relationship with someone who the sender has:
      • met in person at some point in the past;
      • had a two way communication within the past two years; and
      • the meeting and communication were not related to a “commercial activity”.
  2. Section 10(2) of CASL allows someone  (let’s call that someone the “Original Consentee”) to get consent from a person (let’s call them the “Target”) to send or alter messages or install software on behalf of third parties (let’s call those third parties “Additional Consentees”) whose identities are not known. To do so, there are two requirements: First, the Original Consentee must disclose specific information about itself (see my earlier post). Second, the Original Consentee must comply with the regulations. The regulations basically try to ensure there are seamless links between the Original Consentee and Additional Consentees from the Target’s perspective, as follows:
    • Requirements to send messages:
      • any message sent to the Target must identify the Original Consentee; and
      • each Additional Consentee must provide an unsubscribe mechanism that complies with CASL and which also allows the Target to withdraw consent from the Original Consentee and any other Additional Consentee;
    • Requirements related to withdrawal of consent by a Target:
      • the Original Consentee must ensure that any Additional Consentee who receives withdrawal of consent from a Target notifies the Original Consentee of those for whom consent has been withdrawn (i.e. the Original Consentee, the Additional Consentee receiving the notice of withdrawal, and any other Additional Consentees); and
      • the Original Consentee must:
        • give effect to the withdrawal of consent;
        • promptly notify any other Additional Consentees for whom consent has been withdrawn (other than of course the Additional Consentee who received the withdrawal); and
        • ensure that each other Additional Consentee for whom consent has been withdrawn also gives effect to the withdrawal of consent
  3. Section 6 of the Act provides that consent for messages can be express or implied. However, consent is only implied in certain situations. One of those situations is an existing “non-business relationship”. In turn, there are different categories of “non-business relationship”, one of which membership with a club, association or voluntary organization within two years immediately before the day the message is sent. The regulations clarify what is meant by membership and what constitutes a club, association or voluntary organization:
    • membership means being accepted as a member; and
    • club, association or voluntary organization basically means a non-profit. To drive home the point, the regulation specifies that it can be operated for any purpose other than profit, and that no proprietor, member or shareholder can personally benefit from any income of the organization, except for organizations promoting amateur athletics in Canada.

The concepts are a bit convoluted, particularly those summarized in paragraph 2 above (which, as an aside, I think leave open some questions of interpretation, which I might address in a later post). Perhaps at a later time I’ll try to come up with an illustrative example of how 2 works (or at least my best guess as to how it’s supposed to work). Also, I believe in my previous post I referred to “e-mail”. Just to be clear, the Act applies not only to e-mail, but to any “commercial electronic messages”, which is fairly broad and could include SMS messages, messages through websites, IM, etc.

As with the last set, open for comments for 60 days following the publication date (July 9, 2011).

Full regulation to save you a click:

ELECTRONIC COMMERCE PROTECTION REGULATIONS

DEFINITION

1. In these Regulations “Act” means AnAct to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.

PERSONAL RELATIONSHIP AND FAMILY RELATIONSHIP

2. For the purposes of paragraph 6(5)(a) of the Act

  1. (a) “family relationship” means the relationship between individuals who are connected by
    1. (i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or of collateral descent from the other individual’s grandparent,
    2. (ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,
    3. (iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual; and
    4. (iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual; and
  2. (b) “personal relationship” means the relationship, other than in relation to a commercial activity, between an individual who sends the message and the individual to whom the message is sent, if they have had an in-person meeting and, within the previous two years, a two-way communication.

CONDITIONS FOR USE OF CONSENT

3. (1) For the purposes of paragraph 10(2)(b) of the Act, a person who obtained express consent on behalf of a person whose identity was unknown may authorize any person to use the consent on the condition that the person who obtained consent ensures that, in any commercial electronic message sent to the person from whom consent was obtained,

  1. (a) the person who obtained consent is identified; and
  1. (b) the authorized person provides an unsubscribe mechanism that, in addition to meeting the requirements set out in section 11 of the Act, allows the person from whom consent was obtained to withdraw their consent from the person who obtained consent or any other person who is authorized to use the consent.

(2) The person who obtained consent must ensure that, on receipt of an indication of withdrawal of consent by the authorized person who sent the commercial electronic message, that authorized person notifies the person who obtained consent that consent has been withdrawn from, as the case may be,

  1. (a) the person who obtained consent;
  2. (b) the authorized person who sent the commercial electronic message; or
  3. (c) any other person who is authorized to use the consent.

(3) The person who obtained consent must inform, without delay, a person referred to in paragraph 2(c) of the withdrawal of consent on receipt of notification of withdrawal of consent from that person.

(4) The person who obtained consent must give effect to a withdrawal of consent and, if applicable, ensure that a person referred to in paragraph 2(c) gives effect to the withdrawal of consent, in accordance with subsection 11(3) of the Act.

MEMBERSHIP, CLUB, ASSOCIATION AND VOLUNTARY ORGANIZATION

4. (1) For the purposes of paragraph 10(13)(c) of the Act, membership is the status of having been accepted as a member of a club, association or voluntary organization in accordance with the membership requirements of the club, association or organization.

(2) For the purposes of paragraph 10(13)(c) of the Act, a club, association or voluntary organization is a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than profit, if no part of its income is payable to, or otherwise available for the personal benefit of any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization the primary purpose of which is the promotion of amateur athletics in Canada.

COMING INTO FORCE

5. These Regulations come into force on the day on which they are registered.

draft regulations to canadian anti-spam legislation published

Sorry for the absence, blog and readers thereof. I have my reasons. Anyway just a short one this time.  The CRTC published their draft regulations under Canada’s Anti-Spam Legislation (which as many of you isn’t the official short name) which was passed last December but isn’t yet in force.

Nothing particularly earth-shattering. I’ve reproduced the regulations further below, but here’s the ultra short version:

  1. E-mails must set out:
    • name of sender
    • name of the principal on whose behalf the sender is sending (if different)
    • if sender/principal carry on business under other names, those other names
    • physical/mailing address, telephone number, email address and website of sender and principal
  2. If not practicable to include the info and an unsubscribe message in the e-mail, it can be presented through a link in the e-mail or another equally efficient method that doesn’t cost the recipient anything.
  3. Unsubscribe mechanisms cannot take more than two clicks (or something similarly efficient).
  4. Requests for consents (e.g. to receive e-mails or to install software) must include all the information set out in 1 and a statement indicating consent can be withdrawn by using such information.
  5. If software to be installed performs any of the functions specified in s. 10(5) of the Act, then:
    • those functions must be described “separately” from other information in the consent request
    • written acknowledgement must be obtained that the recipient understands and agrees to the performance of those functions

The functions set out in s. 10(5) for which consent must be obtained are (in compressed form):

  • collecting personal information
  • interfering with control of the recipient’s computer
  • changing or interfering with settings, preferences or commands without their knowledge
  • changing or interfering with data that prevents access or use
  • causing the computer system to communicate without the authorization
  • installing software  that may be activated without their  knowledge

I won’t put you through the pain of a rehash of the rest of the Act.

The consultation period ends August 29. Also, apparently there may be other stuff in the official regulation to be published on Saturday.

Here’s the full text for your reading pleasure and to save you a click:

Appendix to Telecom Notice of Consultation
CRTC 2011-400

Electronic Commerce Protection Regulations (CRTC)

DEFINITION

1. In these Regulations, “Act” means An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.

INFORMATION TO BE INCLUDED IN COMMERCIAL ELECTRONIC MESSAGES

2. (1)   For the purposes of subsection 6(2) of the Act, the following information must be set out in any commercial electronic message:

(a)   the name of the person sending the message and the person, if different, on whose behalf it is sent;

(b)   if the message is sent on behalf of another person, a statement indicating which person is sending the message and which person on whose behalf the message is sent;

(c)   if the person who sends the message and the person, if different, on behalf of whom it is sent carry on business by different names, the name by which those persons carry on business; and

(d)   the physical and mailing address, a telephone number providing access to an agent or a voice messaging system, an email address and a web address of the person sending the message and, if different, the person on whose behalf the message is sent and any other electronic address used by those persons.

(2)   If it is not practicable to include the information referred to in subsection (1) and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act in a commercial electronic message, that information may be provided by a link to a web page on the World Wide Web that is clearly and prominently set out and that can be accessed by a single click or another method of equivalent efficiency at no cost to the person to whom the message is sent.

FORM OF COMMERCIAL ELECTRONIC MESSAGES

3. (1)   The information referred to in section 2 and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be set out clearly and prominently.

(2)   The unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be able to be performed in no more than two clicks or another method of equivalent efficiency.

INFORMATION TO BE INCLUDED IN A REQUEST FOR CONSENT

4. For the purposes of subsections 10(1) and (3) of the Act, a request for consent must be in writing and must be sought separately for each act described in sections 6 to 8 of the Act and must include

(a)   the name of the person seeking consent and the person, if different, on whose behalf consent is sought;

(b)   if the consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought;

(c)   if the person seeking consent and the person, if different, on whose behalf consent is sought carry on business by different names, the name by which those persons carry on business;

(d)   the physical and mailing address, a telephone number providing access to an agent or a voice messaging system, an email address and a web address of the person seeking consent and, if different, the person on whose behalf consent is sought and any other electronic address used by those persons; and

(e)   a statement indicating that the person whose consent is sought can withdraw their consent by using any contact information referred to in paragraph (d).

SPECIFIED FUNCTIONS OF COMPUTER PROGRAMS

5. A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought separately from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.

COMING INTO FORCE

6. These Regulations come into force on the day on which they are registered.

 

electronic document regulations for financial institutions finalized

Earlier this year (May 8 to be precise), the Canadian federal government published some draft regulations relat­ing to the use of elec­tronic doc­u­ments by fed­er­ally reg­u­lated fin­an­cial insti­tu­tions. You can find a rather brief summary in an earlier post, along with some colour commentary comparing the regulations against similar types of provisions in the Ontario Consumer Protection Act and Electronic Commerce Act. You can find the earlier draft regulations in that post or at the Canada Gazette website (scroll down to the bottom).

In any event, about two weeks ago (November 10 to be precise), the federal government released the finalized regulations for banks and bank holding companies, cooperative credit associations, insurance and insurance holding companies and trust and loan companies.

If you haven’t yet reviewed the legislation, you may want to look at my earlier post, which remains, I think, somewhat useful, as the revisions made between the draft and final regulations are not that significant. If you’d like to see for yourself, I’ve taken the liberty of generating redlines (in Word format) for each of them (banks – redline,  coops – redlineinsur – redline and trusts – redline) or you can read the summary below.

There’s basically two items that are common across all the regulations. The first isn’t really much of a change but rather the fixing of the date upon which they come into force, which has now been set for June 1, 2011. The second change is a minor clarification that specific information provided in a consent is only applicable if that consent is provided in writing (whether in paper or electronic form). Here’s the specific change, which looks to be common across all four regulations:

(4) TheIf the addressee’s consent is provided in writing, in paper or electronic form, it must include the name of the information system designated by the addressee for the receipt of the electronic document and a list, in paper or electronic form, of the notices, documents or other information that is covered by the consent.

Seems to make sense, given that such consent can also be provided orally, and that is addressed in the next clause:

(5) If the addressee’s consent is provided orally, the originator or the person acting for the originator must, without delay, provide the addressee in writing, in paper or electronic form, with the information referred to in subsection (2) and confirm the information referred to in subsection (4).

The federal government’s provides the following comments in the related regulatory impact analysis statement (scroll down toward the end) with respect to this change, the in-force date and some changes which had been requested but were not made:

Consultation

After pre-publication of these regulations on May 8, 2010, in the Canada Gazette, Part I, comments related to about 10 different issues were raised from financial industry associations. Only two of the four regulations were commented on, namely the Electronic Documents Regulations and the Policyholders Disclosure Regulations. In addition, the comments did not raise any substantial concerns but rather focused on ensuring that the regulations efficiently achieved the stated policy goals.

As a result, the Government has made minor modifications to the Electronic Documents Regulations to more efficiently handle situations where a customer of a financial institution provides oral consent for the electronic delivery of documents. The previous version of the Regulations appeared to require customers to give financial institutions written documentation when giving consent in call cases — notwithstanding the fact that the Regulations allow for consent to be granted orally. Section 5(4) now sets out the information that must be provided when consent is not provided orally (including the name of the information system designated by the addressee and a list of the notices, documents or other information that is covered by the consent). Section 5(5) goes on to set out the responsibilities of the originator to properly document oral consent and confirm the information received from the customer.

Some comments have not been reflected as stakeholders requested changes that were inconsistent with the policy intent of the regulations. For example, requested changes to the Policyholder Disclosure Regulations would have had the effect of unduly narrowing the scope of information provided to holders of insurance policies with governance rights attached. Other comments to remove from the definition of adjustable policies those where an insurance company can indirectly change the premium or charge for insurance would have had the effect of restricting the Government’s ability to ensure compliance with the regulations.

Implementation, enforcement and service standards

Industry representatives asked that the regulations come into force from six months to one year after final publication, indicating operational challenges (systems, procedures, training). To allow financial institutions sufficient time to prepare documentation in advance of annual general meetings, this package of regulations will come into force on June 1, 2011.

The regulations do not require any new mechanisms to ensure compliance and enforcement. The Office of the Superintendent of Financial Institutions (OSFI) already administers the governance provisions in the federal financial institutions statutes. As such, OSFI would ensure compliance with the new requirements using its existing compliance tools, including compliance agreements and administrative monetary penalties.

new canadian privacy and anti-spam laws – updated again

Update 2: Here is a redline showing the changes from the November, 2009 version of ECPA to the May 25 version of FISA, in Word and PDF. The Word version shows the wording of some existing provisions which FISA is amending. You’ll need to scroll over to the right starting around s. 70 to see them. Not included in the PDF version. Doesn’t look like much has changed. Happy reading.

Update: Links to the bills added. See also comments and observations from Barry Sookman, Michael Geist (one on FISA and the other on SCPIA) and David Canton. Mostly just initial observations, except for Mr. Geist’s post on SCPIA. His nickname for the bill (the “Anti-Privacy Privacy Bill”) should give you an idea of his thoughts on it.

Yesterday the federal government announced the tabling of two new significant pieces of legislation. The first is the Fighting Internet and Wireless Spam Act, which has been acronymed as “FISA”. And no, I don’t know why they dropped the W. Maybe easier to pronounce? As many readers probably know, this is the rechristened Electronic Commerce Protection Act that died last year when Parliament was prorogued. In addition to the catchier name, there were a few substantive tweaks to the law. You can read the rather long winded press release though the link above. Alternatively, here’s the point form version:

  • fairly strict and comprehensive approach to unsolicited commercial e-mail (i.e. spam), described as “multi-faceted”
  • enables government agencies to share information with international counterparts to pursue foreign violators
  • sizeable fines for violations – up $1 million for individuals and $10 million for businesses ($15 million in certain cases) for each violation
  • allows businesses and consumers to sue spammers directly, modelled on U.S. laws
  • technology neutral – spam, spim, junk faxes, robocalls – all treated the same

The second piece of legislation are amendments to the existing Personal Information Protection and Electronic Documents Act (or PIPEDA). Doesn’t quite roll off the tongue as nicely as FISA. [Update: The amending act is actually nicely entitled the Safeguarding Canadians’ Personal Information Act which is somewhat sexier.] Point form summary:

  • breach notification requirement – must notify privacy commissioner for material breach and individuals if risk of harm
  • enhanced consent requirements to ensure people (particularly minors) clearly understand the consequences of sharing personal information
  • exceptions added to help people (financial abuse, missing persons, identify dead people)
  • exceptions added for business contact information and to manage employees, information produced for work purposes and due diligence in acquisitions and similar corporate transactions
  • exceptions added for private sector investigations and fraud prevention
  • prohibitions on notifying individuals in connection with disclosure of personal information to law enforcement agencies

More to come in due course.

draft electronic document regulations for financial institutions published

Last week (May 8 to be exact) the federal government published draft regulations relating to the use of electronic documents by federally regulated financial institutions. These regulations are part of a process that began in 2005 to harmonize and modernize legislation governing banks, insurance companies, trust companies and cooperatives.

The new regulations set out the general requirements that such institutions must meet in order to use electronic documents when dealing with stakeholders. You can find links to the draft regulations and a regulatory impact analysis at the end of this post.

Here’s the Coles Notes summary:

  • electronic documents related to securities transfers are excluded;
  • electronic documents must be in clear and simple language that is not misleading
  • a requirement to provide a document may be satisfied by making the document available through a generally accessible electronic source (such as a website) and giving notice (whether paper or electronic) to the person to whom the document must be provided, unless there’s a requirement under the legislation to deliver to a specific place, in which case the website mechanism won’t work;
  • consent to receive electronic documents can be obtained from addressees in writing (paper or electronic) or orally, but, unless it’s just a one time consent, they must be notified in writing (paper or electronic) regarding:
    • when their consent  is effective,
    • that they can revoke their consent,
    • that they are responsible for updating the address to which electronic documents are delivered, and
    • that the sender will only retain electronic documents for a specified period, following which it becomes the responsibility of the recipient to retain a copy
  • the notification or consent above, if in electronic form, must be provided in a form that can be retained by the recipient for future reference
  • consent must include address designated for receipt and a list of notices covered by the consent and, if consent is provided orally, the sender must confirm such information, as well as that in the original notice, in writing (paper or electronic)
  • consent can be revoked in writing (paper or electronic) or orally
  • revocation must be confirmed in writing and when it takes effect and, if provided in electronic form, must be accessible and capable of being retained for future reference
  • an electronic document is considered provided to someone when it:
    • leaves an information system in the control of the sender, or
    • when it is posted or made available through the secure website of the sender (no reference to a notice needing to be sent to them)
  • an electronic document is considered received by someone when it:
    • enters the information system designated by them
    • it is posted or made available through the secure website of the sender, or
    • the recipient receives the notice mentioned in the third bullet above (i.e. when posting to a website, the notice alerting the recipient that it’s available)
  • electronic signatures must consist of letters, characters, numbers or symbols in digital form incorporated, attached or associated with an electronic document

Not quite clear to me why the provision on sending doesn’t refer to the alert notice being sent. Nor is it clear to me what the reference to “secure” websites means. But apart from those nits, one of the good things about these new regulations is that they expressly provide for a mechanism that permits the delivery of electronic documents by posting to a website, combined with the delivery of a notice (which can of course be much shorter) that the electronic documents are available. In contrast, other acts, such as the Ontario Consumer Protection Act and its associated regulations do not expressly permit such a mechanism when it comes to delivery of “internet agreements” – for example, s. 33(3) of the regulations indicate that an internet agreement is considered delivered by:

1. Transmitting it in a manner that ensures that the consumer is able to retain, print and access it for future reference, such as sending it by e-mail to an e-mail address that the consumer has given the supplier for providing information related to the agreement.

2. Transmitting it by fax to the fax number that the consumer has given the supplier for providing information related to the agreement.

3. Mailing or delivering it to an address that the consumer has given the supplier for providing information related to the agreement.

4. Providing it to the consumer in any other manner that allows the supplier to prove that the consumer has received it.

Similarly, the equivalence rules in the Ontario Electronic Commerce Act specifically exclude the posting of information to a website as satisfying a legal requirement to provide information or a document in writing:

10. (1) For the purposes of sections 6, 7 and 8, electronic information or an electronic document is not provided to a person if it is merely made available for access by the person, for example on a website.

Same

(2) For greater certainty, the following are examples of actions that constitute providing electronic information or an electronic document to a person, if section 6, 7 or 8 is otherwise complied with:

1. Sending the electronic information or electronic document to the person by electronic mail.

2. Displaying it to the person in the course of a transaction that is being conducted electronically.

Though in both cases there is some room either to argue that a web-based posting could satisfy the requirements of either act (e.g. posting to a website plus sending a notice of availability would not be “merely” making the information available on a website), it’s certainly not as expressly permitted as in the new draft regulations.

Of course, the regulations should be read in connection with the corresponding provisions (Bank Act – scroll down to Part XVIII, Insurance Companies Act – scroll down to Part XX, Trust and Loan Companies Act – scroll down to Part XIV.1, Cooperative Credit Associations Act – scroll down to Part XVII.1) in each act relating to the use of electronic documents.

Links to draft regulations: Regulatory Impact Analysis; Bank Regulations; Insurance Company Regulations; Trust and Loan Companies Regulations; Cooperative Credit Associations Regulations

“Anonymized” data really isn’t—and here’s why not – Ars Technica

You have zero privacy anyway. Get over it.

So spoke Scott McNealy more than a decade ago. At the time he made this statement, he received a fair amount of criticism. Turns out, he might very well have had a point, though perhaps for reasons he might not have foreseen.

A recent paper highlights the issue of the “reidentification” or “deanonymization” of anonymized personal information. However, the issue goes beyond anonymized information to the very heart how one should define personal information that is or should be protected under privacy legislation.

“Anonymized” data really isn’t—and here’s why not – Ars Technica.

Canadian privacy legislation simply defines personal information as “information about an identifiable individual” (excluding certain information about someone in their capacity as an employee). However, what does “about an identifiable individual” mean? Does it mean that the person collecting the particular nugget of information can associate it with a person’s identity? Or, perhaps more disconcertingly, does it include data that has the potential to be associated with someone by analyzing that particular bit of information, which alone (or even in conjunction with all the other information collected by a given organization) could not be linked with a particular individual, with information available from other sources?

anti-spam law – about time

There have been bits and pieces floating around on this for a while but apparently the official announcement has now been made that the feds will (finally) be introducing an anti-spam law (hat tip to Barb McIsaac for forwarding the link). The nub:

This bill proposes a private right of action, modelled on U.S. legislation, which would allow businesses and consumers to take civil action against anyone who violates the ECPA. The proposed ECPA’s technology-neutral approach allows all forms of commercial electronic messages to be treated the same way. This means that the proposed bill would also address unsolicited text messages, or “cellphone spam,” as a form of “unsolicited commercial electronic message.”

The bill would establish a clear regulatory enforcement regime consistent with international best practices and a multi-faceted approach to enforcement that protects consumers and empowers the private sector to take action against spammers.

An important component of the proposed ECPA is the enforcement regime whereby the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner would be given the authority to share information and evidence with their counterparts who enforce similar laws internationally, in order to pursue violators beyond our borders.

The proposed ECPA would enable the CRTC to impose administrative monetary penalties (AMPS) of up to $1 million for individuals and $10 million in all other cases. The Competition Bureau would use a similar AMPS regime already provided for in the Competition Act,and the Office of the Privacy Commissioner would use its existing tools and enforcement framework to enforce the provisions of this legislation. The bill also proposes that the Privacy Commissioner’s powers to cooperate and exchange information with her counterparts be expanded, in respect of the Personal Information Protection and Electronic Documents Act.

via Industry Canada Site – Government of Canada Protects Canadians with the Electronic Commerce Protection Act.

More on this when I actually get some time to read the thing.