Dan Whalen is a JD Candidate at Osgoode Hall Law School
Earlier this month, a Québec court upheld a 2008 US judgment ordering self-styled “online marketer” Adam Guerbuez to pay over $1-billion (CAD) to Facebook, Inc. Guerbuez, a Montreal resident, was tried in absentia in California for allegedly pilfering Facebook users’ personal information to flood the social networking site with spam. He was found to have violated the country’s ironically abbreviated CAN-SPAM Act and ordered to pay $100 (USD) in punitive damages for each of the 4-million-plus spam messages he allegedly sent. Facebook has acknowledged that it will likely never collect the fine but is satisfied with the message it sends.
The judgment is an interesting precedent in at least one regard–it is by far the largest penalty for Internet spammers in Canadian legal history. To date, parties wishing to sue Canadian spammers have been mostly limited to US courts. As Tony Clement, Minister of Industry, recently said, Canada is “the only G8 country and one of only four OECD countries without legislation dealing with spam.” That status quo is now challenged by Bill C-28, our government’s second attempt at anti-spam legislation, which was granted a second reading in Parliament two weeks ago. In fact, the court in Facebook v. Guerbuez cited the bill’s provision for large fines as evidence that the contested damages are not out of sync with those envisaged for Canadian law.
Despite this endorsement, some critics pounced on the proposed legislation when it was unveiled earlier this year. David Canton argued that the bill’s definition of spam is “extremely broad” and would ban a large class of commercial activity. Specifically, LawsOf.com reported, the bill may hurt legitimate businesses that use electronic messages for marketing. The online review also suggested that the bill does not prescribe sufficiently robust enforcement powers given the rights it seeks to protect.
Canada’s existing privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), was enacted in 2001 to protect personal information of individuals employed by federally and (some) provincially regulated organizations. In 2004, its authority was expanded to include all personal information collected, used or disclosed in the course of commercial activity in the private sector. Yet the Act has been found inadequate as shown in a statutory review published in May 2007.
Accordingly, the Canadian government introduced Bill C-29 to amend the Act earlier this year. Critics of PIPEDA welcomed the idea of change, particularly the bill’s proposed requirement of notification to affected persons when a breach of their privacy occurs and creates the risk of harm. However, not only are there no penalties for failing to do so but, as Michael Power indicates, the threshold is very low and much is left to organizations’ discretion. There is also a “gag order” provision that prohibits organizations from notifying affected persons that their information has been requested or obtained by a government institution.
Still, as David Fraser enumerates, the bill is set to add some needed clarity to the terms of PIPEDA. Some proposed changes raise new questions, however, like the bill’s consideration of “lawful authority.” Fraser explains that this crucial term remains poorly defined despite the bill’s updates. Tamair Israel of the Canadian Policy and Public Interest Clinic is worried by the stipulation exempting organizations from requesting indication of lawful authority in requests of personal information. The bill is only at its first reading in Parliament, so some of these issues may be addressed in future drafts.
Back to Facebook v. Guerbuez, it is certainly not unusual for our courts to uphold American rulings. Provisions in the Civil Code of Québec clearly allow for that possibility, with several important exceptions. Should it fall under such an exception, as Guerbuez argued, that such a ruling would have been impossible under current Canadian laws, or that, more generally, Canadian courts would not have allowed for damages with such a large punitive element? Also, is it troubling that the court referenced a bill not yet passed into law as part justification of its decision? These considerations may be more closely examined on appeal. For now, the decision highlights the blurring of legal and national boundaries in our increasingly digital world.