Regular readers of this column know that I have been advocating an anti-spam law for Canada for quite some time (it is truly an embarrassment that Canada remains the only major industrialized country in the world without a law addressing spam). Unsolicited mass e-mail, colloquially known as spam, has been a problem for a number of years, and the problem is not getting better in Canada.

So it was heartening when the federal government brought forward Bill C-27 (the Electronic Commerce Protection Act) earlier this year. Finally, years after the US passed their anti-spam legislation, Canada is doing something too. This bill is long overdue. Spam is still unsolicited mass e-mail, but it has also morphed into a range of text and voice over IP messages, and it is infecting social networking sites and instant messaging systems. And it is not merely unwanted marketing messages — it encompasses the means to deliver a broad range of "malware" that facilitates identity theft and virus dissemination. True spam needs a legislative response.

What is proposed in C-27, however, goes too far in a number of important respects. It is hoped that in the Fall of 2009, when the bill goes to committee, it will be fine-tuned to remove the parts of it that are over the top.

Fighting Spam

The bill will fight spam by prohibiting sending a commercial electronic message to an e-mail address unless the recipient has provided express or implied consent. The implied consent mechanism is a helpful addition, and mirrors the implied consent rule in the electronic commerce statutes that were enacted about a decade ago to help facilitate the legal effectiveness of electronic messages.

The scope of the implied consent rule in C-27, however, is too limited. First, it is limited to an existing business relationship or non-business relationship between sender and recipient, and both of these are defined rather narrowly. Most importantly, each is restricted to circumstances where the relevant persons had some pre-existing activity together within the last 18 months.

Problematic Implied Consent

This 18-month rule is a real problem. I know all sorts of people whom I will want to reconnect with again electronically, but with whom I’ve not had contact for a year and a half. Under C-27, I wouldn’t be able to reach out to them over the Internet.

Moreover, C-27 states that I cannot even send them an email simply to see if they wish to re-engage with me electronically (or otherwise). What I would have to do, presumably, is call them by phone to see if they wish to receive electronic communications from me.

The truly pernicious spam is the very mass-oriented unsolicited email where there is no pre-existing connection between the sender and recipient. That’s the stuff we need to shut down. With all other communications over the Internet, we have to exercise great care, otherwise we will chill the exchange of information over the greatest communication medium ever devised. And that would be too high a price to pay for combating true spam.

Fighting Spyware

Another important mischief tackled by C-27 is spyware. This is software that is surreptitiously downloaded onto a user’s computer typically without the user’s knowledge. This unwanted software can then do various things, including tracking the click stream of the user (or worse), and reporting this back to the person who unleashed the spyware program.

While the objective of combating real spyware is commendable, again C-27 goes too far. It prohibits someone from installing on another person’s computer any software program without express consent.

Prohibiting Good Software

By defining the prohibited range of software so broadly, C-27 arguably captures legitimate software under the spyware prohibition as well. Most anti-virus software, for example, is today refreshed automatically, because the user’s shield against malicious code must be continually updated to guard against the latest predators. C-27, however, makes no such distinction — it simply lumps all legitimate software in with the truly problematic material.

When you read C-27, you see lots of evidence of good intention, but also a dearth of real-world industry savvy. It’s as though the bulk of the bill was drafted in an ivory tower, divorced from the realities of legitimate e-commerce.

Not Academic Concerns

Getting the scope of C-27 right is not merely an academic concern. The bill stipulates very heavy fines for its violation: up to $1 million for individuals, and up to a whopping $10 million for companies. Moreover, officers and directors of a company could also be held personally liable, if they participated in the applicable decision.

Then, in addition to these financial sanctions brought by the government (through the Crown), C-27 also affords a private right of action for persons feeling aggrieved by someone’s alleged breach of the provisions of the bill providing anti-spam, anti-phishing or anti-spyware protection. Presumably this private right of action would be operationalized through the class action regime, raising the stakes still further for the business community.

Interestingly, C-27 also harnesses the Privacy Commissioner and the Commissioner of Competition to assist in the administration of the rules promulgated by the bill. And because spam (and identity theft, phishing and spyware) are global problems, C-27 also allows the government (as well as the Privacy and Competition Commissioners) to share information with their counterparts in other countries to advance international investigations. The message to would-be Canadian spammers — "you can run, but you will not be able to hide".

Recalibrating the Bill

We don’t need to throw out C-27 and start again (though one is left to wonder why we couldn’t draw more language, or at least concepts, from existing anti-spam/anti-spyware provisions in relevant laws in other countries). What we do need, however, is some very down-to-earth, practical feedback from industry to the Parliamentary Committee that will decide the fate of C-27 in the Fall of 2009, in order to make sure that the new law doesn’t discourage legitimate activity over the Internet.