Bill C-27: An Early Critical Look at the Electronic Commerce Protection Act

On April 24th the Minister of Industry, Tony Clement, tabled a government bill with the aims of protecting consumers and businesses from dangerous forms of spam and regulating activities that are believed to discourage the use of electronic means of carrying out commercial activities. Bill C-27, the Electronic Commerce Protection Act, contains provisions that prohibit the sending of commercial electronic messages without prior consent, the unauthorized installation of computer programs, the altering of transmission data in an electronic message (as is commonly used in phishing scams), and a variety of other activities that touch upon electronic commerce. There are amendments to the Competition Act, PIPEDA, the CRTC Act, and the Telecommunications Act. The ECPA also allows for administrative penalties to be imposed by the CRTC against offenders as well as separate civil actions by persons who suffer damage as a result of violations.

Though the stated purpose of the ECPA is to “promote the efficiency and adaptability of the Canadian economy”, some of the provisions found within may do just the opposite if applied too liberally. Not that I am certain that the ECPA can be made any more effective, but this post will point out what may be some of the possible undesirable consequences if it is passed. Of course, its overall effects, with which we can make a decision about whether it is actually a good law or not, will likely not be truly understood until it is put into play in our dynamic marketplace. However, it should be expected that both legitimate and illegitimate enterprises will, as usual, evolve around the law so as to continue to pursue their end goals as best as possible.

Section 6 of the ECPA prohibits the transmission of electronic messages received without express or implied consent that, it would be reasonable to conclude, have as their purposes the encouragement of participation in a commercial activity. Furthermore, section 2(3) states that “an electronic message that contains a request for consent to send a [commercial electronic message] is also considered to be a commercial electronic message”. So if X wishes to share information about entity Y (i.e. a business, band, or any other entity that can potentially be viewed as carrying on a commercial activity), and X invites his friends to subscribe to an e-mail list (made available through a mechanism set up by Y) or to join a Facebook group of Y, this may constitute a contravention of the provision against unsolicited electronic messages. Despite the exception to express consent between those who have a personal relationship, as found in section 6(5)(a), the mere fact that the receiver of the invite is on the e-mail list or friends list of X may not be sufficient enough to constitute a personal relationship.

The vicarious liability provision of section 32 maintains that principals are liable for the actions of agents who act “within the scope of their authority”. It may be argued that the existence and use of mechanisms of promotion set up by Y to be used by X can be said to entail that X has in fact acted within the scope of his authority as an agent of Y. Furthermore, because section 32 does not require that an agent even be identified in order for a principal to be liable, it is also possible that the manufacturer of a product, for example, may be unfairly responsible for the actions of agents of its distributors and retailers. This would be the case despite the possibility that these agents may never be found, and even though they may have been acting on their own and had virtually no connection to the manufacturer.

As a separate matter, the ECPA does not seem to address any issue of reduced liability regarding a system that has become infected by malicious software and that sends out unsolicited electronic messages to others unbeknownst to its user. Though the defence of due diligence is allowed under section 33(1), it is difficult to assess the level of care that is expected to prevent infection of one’s computer. Would obtaining standard anti-virus software suffice? If it is found that one’s system has been infected, but the exact consequences are unknown, would the user be required to stop usage and go as far as reformatting to completely eliminate any possibility of a threat to others? Because malicious software is constantly evolving, it is possible that what may be considered due diligence right now will not cut it next year, so that the burden users will be expected to bear will continue to increase in weight.

Section 8 of the ECPA prohibits installing computer programs, as defined in the Criminal Code, onto another person’s system without their express consent. From section 342.1(2) of the Criminal Code, a computer program is “data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function”. This provision is meant to prevent the installation of malicious software and spyware, however, it will no doubt affect other aspects of internet browsing. For example, it seems as though JavaScript would fall within the ambit of this section, despite its common appearance on many websites for the purposes of enhancing the user’s experience and allowing for added functionality. In order to obtain express consent, according to sections 10(1) and 10(2), a variety of specific information (that most users will likely not be interested in) will have to be conveyed and accepted, thus slowing down the process of everyday browsing.

There is an interesting comment on Michael Geist’s blog by one Stephen Tyers, a Canadian living in New Zealand. He states that the ECPA closely resembles a New Zealand law that was recently passed, which I presume is the Unsolicited Electronic Messages Act 2007. He believes that businesses were advised to play it safe and so they ceased contact with past subscribers who may have been interested in remaining on their contact lists but would not have necessarily been considered to have given implied consent under the law. He also believes that the uncertainties in the law can be exploited, resulting in further losses to businesses in the form of litigation costs.

Obviously it is a difficult task to create legislation that delineates the types of electronic transmissions that we do not want, since it is the specific nature of a particular message that makes it spam. A balance should be reached that considers methods of preventing nuisances and threats that we would like to see eliminated as well as the resulting hindrances that are created by any new measures. Ultimately, Parliament must essentially make a judgment call about how far to cast their net of regulations so as to produce an optimum level of efficiency for both consumers and businesses.

  1. This is an excellent post that draws well-needed attention to the serious liabilities that would face many Canadian businesses should this Bill be passed as drafted.

    As the author suggests, the prohibitions against unsolicited messages in Section 6 of the ECPA are very broadly written. In addition to what the author has already pointed out, it is important to further note that the prohibitions in the Bill would apply not only to email but to instant messaging, and mobile phones, and could likely include messages sent using social networks, chat groups, Internet forums, business networks, and web sites where users have an account. The Bill would not apply only to spam emails, but it would prohibit sending “any electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity”

    Another serious restriction worth noting in this Section is the requirement that all commercial messages must now include prescribed content to allow recipients to “unsubscribe” from the message. It seems very unlikely that users of e-mail, IM messaging services, mobile phones, social networks, chat groups, Internet forums, business networks, and web sites would practically or technically be able to comply with these restrictions for most of the everyday forms of commercial messaging they do.

    It is interesting that the author refers to a comparison with Australia’s Unsolocited Electronic Messages Act 2007. S.4 of that Act allows commercial messages to be sent where there is implied consent, which is defined as consent that is reasonable to assume “from the conduct of the individual or organizations concerned”. The implied consent definition in the ECPA is much more restrictive, as noted by the author of this post.

    The author also does a good job raising concerns about the “anti-spyware” provisions of this Bill. Any businesses involved in software development should be very concerned about the potential ambit of the ECPA in this respect. The Bill would actually prohibit a business from installing any computer program on any person’s computer without obtaining express consent. This provision could make it illegal to use applications written in popular computer languages like Java, which use application programs called applets that are transmitted to a user’s web browser. It might require consent for users to surf the Internet because HTML code associated with a web site is transmitted and temporarily stored in a computer memory during use. Media streaming web sites like YouTube now often embed code into the videos themselves which is stored in a computer memory. It would likely be technically and commercially infeasible or impossible to obtain the express consent from computer users for the use of these basic technologies that power the Internet. The provisions in the ECPA would apply not only to personal computers but to a whole host of devices from iPhones and Blackberries to mainframe computers. Many of these devices do not have the capability of displaying consent forms and relaying consent.

    Finally, one of the most surprising and troubling aspects of this Bill is that is creates a new civil liability for breaches of PIPEDA. The ECPA would create a new private right of action for any person who alleges that they are affected by an act or omission that constitutes a contravention of section 5 of PIPEDA, which relates to a collection or use described in subsection 7.1(2) or (3) of that Act. This would appear to now expose Canadian business to extensive new liability for the use or disclosure of personal information without the knowledge or consent of individuals. Officers, directors, and employers would also be potentially liable for the acts of their employees.

    I again thank the author for taking the time to raise awareness of this flawed legislation. While the aim of the Bill of reducing instances of spam email and malicious spyware software is certainly without reproach, the potential effects of the broadly drafted provisions in the ECPA could potentially be crippling to many Canadian companies that conduct business over the Internet.

  2. In regards to the Electronic Commerce Protection Act, it’s a good summary but there is an overlying question: if someone signs up for an online forum, or even say posts a comment here, does that mean you can send them mail if they’ve signed up to your forum. Or do you need to ASK permission before sending to RL address?

    (This puts aside the concept that it’s just good, moral practice to have opt-in lists)

    To me this part says yes:
    “The exception is “implied consent” – when there is an existing business or non-business relationship between the sender and the recipient during the 18 months prior to the message send.”

    This part says no:
    “The ECPA prohibits the sending of commercial electronic messages without the prior consent of the recipient.”

    I must admit a bit unclear on where the line is drawn here.

  3. The definitions of implied consent, as well as business and non-business relationships, can be found in section 10. If someone signs up for a forum I think you’d still need to get their express permission to send them a message (I guess at the time they sign up), unless they sign up for the purpose of completing some sort of commercial transaction. However, section 10(6)(c) might allow signing up for some other purpose to constitute a non-business relationship, and thus allow the forum to send messages within the notion of implied consent. It seems that the Bill doesn’t specify the exact definitions of membership, clubs, associations, or voluntary organizations, but rather says in section 63(1)(e) that the government will be doing this in future regulations.

  4. Mr. Nathanael, thank you for sharing.

    I have thought, and I think your summary backs this up, that essentially they don’t care about forum spam (yet), as long as they can get the 3 Ps –> porn, pills and phishing. That makes sense to me, I can deal with some mails from groups I joined once upon a time.

    And I’d deal with it better, if the rest of that unwanted mail starts to fade away.

  5. The Bill would indeed cover forum spam, which could include any forum message that contains any form of commercial proposition or even a link to a commercial website. While Mr. Ferguson is correct that it does not appear to be the intent of the Government to cover these types of activities with the Bill, the fact that the Bill contains a private right of action would potentially attract substantial fines to these actions, and other similarly harmless activities like sending your CV to a company. Under the private right of action in s.47 of the Bill, all it would take is for one recipient of your “spam” to apply to the CRTC, and your forum post, or CV letter or e-newsletter etc., would be judge by the CRTC on a balance of probabilities for consideration as spam, with fines of up to $10 million as a consequence.

  6. Mr. Ferguson, I also think that forum spam (i.e. posting certain messages on forums) would likely contravene the Act since it would not fall within the exception of section 10(6)(c), whereas a forum sending certain messages to one of its members (as I understood the earlier question) might not contravene. The reason for this is that there must be membership “by the person to whom the message is sent”, and the party sending the message must be the “club, association or voluntary organization, as defined in the regulations”.

    However, I’m not so sure that sending a CV would be disallowed, since I don’t think the search for employment (which is in most cases the likely purpose of sending a CV) would qualify as falling within section 2(2). Just my opinion, of course, and I could easily see the case for the other side. At the end of the day, the definition of commercial activity is somewhat vague, and therefore, potentially broad. And as mentioned by Mr. Gannon, there could be a private right of action, so a good litigator could use this vagueness to his or her advantage.

Comments are closed.