You may be your brother’s keeper after all, according to Canada’s spam and malware watchdog.
In a bulletin likely to send shock-waves through the digital business community, the Canadian Radio-television and Telecommunications Commission (CRTC) has set out significant new guidance that signals broad potential liability under Canada’s Anti-Spam Legislation (CASL) for failing to do enough to stop the non-compliant activities of third parties.
Most troublingly, the regulator has warned that it is possible for an individual or organization to be held liable and face administrative monetary penalties for violating CASL, even if they did not intend to do so or were unaware that their activities enabled or facilitated contraventions of the law.
Recognizing that CASL allows for the imposition of penalties of up to $10 million per violation, businesses have good cause for concern.
In Compliance and Enforcement Bulletin CRTC 2018-415, the regulator sets out what it characterizes as general compliance guidelines and best practices with respect to compliance with section 9 of CASL, a provision that imposes liability for aiding, inducing or procuring the doing of any act contrary to the core provisions of that statute. Those core provisions generally prohibit, without prior consent, the sending of electronic marketing or promotional messages, the alteration of transmission data in an electronic message, or the installation of a computer program on another person’s computer system (including legitimate programs, as well as malware).
However, surprisingly, in its guidance the Commission signals that an organization or individual could be found to have “aided” another party by simply providing enabling services, technical or otherwise, such as by providing access to the tools or equipment necessary for a third party to violate the law. The bulletin explicitly sets out a broad, but non-exhaustive array of intermediaries that could be found liable for “enabling” non-compliance by others including the following:
- Advertising brokers
- Electronic marketers
- Software and application developers
- Software and application distributors
- Telecommunications and Internet service providers (with respect to the malware and message alteration prohibitions only)
- Payment processing system operators
The Commission also notes that liability could be imposed on those receiving a direct or indirect financial benefit stemming from a violation of CASL by others. Such “benefits” could conceivably stem from the receipt by an intermediary of service revenues in the normal course of business – such as for hosting, use of software or ad impression revenue – even where the intermediary was unaware that a portion of these revenues were derived from illicit activity.
The CRTC notes that actual liability for intermediaries will be determined on a case-by-case basis, taking into account a range of potentially relevant factors, including the level of control that an intermediary has over the non-compliant activity of others, the degree of connection between an intermediary’s actions and such non-compliant behaviour, and the steps taken by the intermediary to prevent potential violations by others (the bulletin sets out a list of recommended practices and safeguards in this regard). However, the bulletin explicitly notes that while awareness of violations may be a factor when assessing section 9 violations, it is not necessary for an intermediary to have been aware of violations by others in order to be found liable.
Even if liability will not be applied to service providers in all cases, the mere identification by the CRTC of the concept of intermediary liability arising from a failure to take sufficient steps to prevent third party behaviour is striking for a number of reasons. For one, it indicates a significant extension of the original legislative intention of s. 9 of CASL, which was to impose liability on actors that actively engaged or encouraged others to violate the law, to the financial benefit of those directing actors. It also runs counter to the general principle in Canadian law that organizations and individuals do not have an inherent legal obligation to prevent illegal activity by others. Further, it is at odds with the general trend in Canadian law and government policy to limit intermediary liability for the illegal activity of others, such as in cases of defamation, copyright infringement, etc.
Most ironically, the concept of intermediary liability for failing to prevent illegal activity by third parties flies in the face of one of the stated objectives of CASL, which was to foster the growth of digital businesses in Canada. Contrary to this objective, the CRTC’s approach to liability under section 9 of the Act will likely serve to hinder and discourage the development of electronic commerce in Canada. In this regard, the imposition of a sweeping obligation to develop, implement, document and maintain practices and procedures designed to prevent non-compliance by third parties will likely serve only to create a significant administrative and financial burden for digital businesses. Combined with the threat of broad potential liability for fines of up to $10 million per violation -- even where an intermediary had no knowledge of non-compliant behaviour – it seems more likely that the interpretation set out in the bulletin will create a general chill on digital businesses in Canada rather than to encourage and enable them.