On April 24, 2009, the Minister of Industry and Commerce, on behalf of the Government of Canada, tabled Bill C-27, being legislation to enact the Electronic Commerce Protection Act (the "ECPA").
The proposed legislation aims to protect and promote the growth of electronic commerce by introducing measures intended to address the problems of spam, phishing, spyware and malware.
The ECPA prohibits the sending of any commercial electronic message to an electronic address by means of a computer system located in Canada, without the recipient's prior consent. For this purpose, "electronic address" means an address used in connection with the transmission of an electronic message to an electronic mail account, an instant messaging account, a telephone account or any similar account. An "electronic message" includes a text, sound, voice or image message. A "commercial electronic message" is an electronic message designed to encourage participation in a "commercial activity". This prohibition also covers messages that contain a request for consent to send the recipient a commercial electronic message.
Excluded from the scope of the prohibition are: personal electronic messages, messages sent to persons engaged in a commercial activity that are solely an inquiry or application relating to that activity, telephone calls, fax messages and voice recordings sent to a telephone account. In addition, telecommunications service providers are exempted from liability in relation to unsolicited commercial electronic messages.
The ECPA also provides that a commercial electronic message may be sent to a recipient who has given express or implied consent to receiving it. For this purpose, implied consent is deemed to have been given where there is an existing business relationship between the recipient and the sender of the commercial electronic message. Such an "existing business relationship" is one arising, among other things, from the purchase or lease, by the recipient from the sender, of a product, goods or a service, a contract entered into between the recipient and the sender or an acceptance by the recipient of a business, investment or gaming opportunity offered by the sender, within the 18-month period immediately preceding the day on which the commercial electronic message is sent, or from an inquiry or application made by the recipient to the sender within the 6-month period immediately preceding the day on which the commercial electronic message is sent.
In the absence of such implied consent, express consent authorizing the sending of a commercial electronic message must be obtained. A person seeking such consent must set out the request in clear and simple language, describing to the intended recipient the purposes for which the consent is being sought and providing information that identifies the person seeking the consent and, where applicable, the person on whose behalf the consent is sought.
Any commercial electronic message that is sent must also conform to certain content requirements.
MANDATORY CONTENT FOR COMMERCIAL E-MAIL
A commercial electronic message must identify the sender or the person on whose behalf the message is sent, set out information enabling the recipient to readily contact the sender or the person on whose behalf the message is sent, and contain an unsubscribe mechanism that complies with prescribed requirements . The mechanism must enable recipients to indicate, using the same electronic means by which the message was sent, that they do not wish to receive any further commercial electronic messages, and specify an electronic address to which the indication may be sent or provide a hyperlink by means of which the indication can be given. Any commercial electronic message that does not meet these conditions will be considered illegal, even if the electronic address to which the message was sent does not exist, or even if the message did not reach its destination. Indeed, a commercial electronic message that fails to comply with the requirements will be considered to have been sent once its transmission has been initiated and will thus result in a violation under the ECPA.
The ECPA prohibits altering or causing to be altered, in the course of a commercial activity, the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender. An exemption from this prohibition applies where such an alteration is made with the express consent of the sender or in accordance with a court order, or where an alteration is made by a telecommunications service provider for the purposes of network management. In order to combat "phishing", the ECPA amends the Competition Act to create some new prohibitions (in particular, the sending of false or misleading representations in the sender information or subject matter information of an electronic message) which are reviewable by the Competition Bureau.
SPYWARE AND MALWARE
The ECPA prohibits (i) installing a computer program on a person's computer system and (ii) using that program to cause unsolicited electronic messages to be sent from that computer system, without the express consent of the computer system's owner. Programs of this kind, which allow a computer system to be infected so that it retransmits spam (botnet) or confidential information to be obtained from a computer system's owner without the owner's knowledge, are the source of much identity theft and fraud.
The violations created in respect of such acts under the ECPA will provide a more accessible and rapid avenue of redress against perpetrators than does the offence under section 342.1 of the Criminal Code (obtaining computer service fraudulently), among other things owing to the lesser evidentiary requirements for pursuing such violations.
PENALTIES AND ENFORCEMENT
The Canadian Radio-television and Telecommunications Commission is given power to impose administrative and monetary penalties in relation to violations under the ECPA, as well as a number of investigative powers. The administrative monetary penalties to be set by the ECPA may be as high as $1,000,000 where the perpetrator is an individual, and $10,000,000 for any other person. History of previous violations, financial benefits obtained from the commission of a violation and the ability to pay are among the factors to be taken into account by the CRTC in determining the amount of a penalty to be levied.
PRIVATE RIGHT OF ACTION
A private right of action is created for persons who allege that they have been affected by contraventions of the ECPA. This private right of action differs from an action in damages in that an applicant may be entitled to monetary compensation merely upon demonstrating that a contravention of a provision of the ECPA has been committed, rather than having to prove fault/negligence, loss or damage suffered and a causal connection between the two, as would be required in the context of a civil liability suit. The application may be made to the Federal Court of Canada or the superior court of a province, and the court before which it is made may order the defendant to pay the applicant (1) compensation in an amount equal to the actual loss or damage suffered or expenses incurred by the applicant and (2) a maximum of $200 for each contravention of the provision, not exceeding $1,000,000 for each day on which one or more of such contraventions occurred.
THE ECPA AND PROTECTION OF PERSONAL INFORMATION
The ECPA also amends the Personal Information Protection and Electronic Documents Act("PIPEDA")by adding thereto provisions prohibiting the collection of an individual's electronic address through the use of a computer program designed for that purpose and prohibiting the collection and use of personal information by means of unauthorized access to a computer system. The private right of action created by the ECPA will apply to both these new prohibitions as well, thus adding teeth to PIPEDA which, since its enactment, has provided for only one remedy, namely, a complaint to the Privacy Commissioner's office. The prohibitions stand to have consequences for merchants who use the Internet as a tool to mine data on consumer habits and interests in order to target direct advertising.