On May 8, 2009, the Electronic Commerce Protection Act (ECPA) received a second reading in the House of Commons. The Government of Canada had introduced the bill on April 24th. The intention of the ECPA is "to deter the most dangerous forms of spam, such as identity theft, phishing and spyware, from occurring in Canada" and to "help drive spammers out of Canada." The bill also contains provisions intended to combat spyware by prohibiting the installation of computer programs without the consent of the computer’s owner. While the objective of the legislation is laudable, the bill's overly broad language could circumscribe legitimate business-to-business marketing and impact software companies' ability to deliver upgrades and patches to customers.

Restrictions on Commercial Electronic Messages

Section 6(1) of the ECPA states that "No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and (b) the message complies [with specified formalities]."

Technologies affected by this provision include commercial electronic messages sent by e-mail, instant messaging and mobile phones, and probably also messages sent using social networks, chat groups, Internet forums, business networks, and websites where users have accounts. The ECPA would prohibit sending "an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity." The types of communication technologies that are subject to the prohibition are open-ended, and the messages that are sent must include prescribed content and be in a prescribed form.

Unlike other international anti-spam legislation, the prohibition against unsolicited commercial messages in the ECPA is not limited to messages sent with some element of fraud or misleading information, sent with an "intent to deceive or mislead," sent to addresses that were gathered using "automated means," or sent in bulk.

The requirements for obtaining express consent are stringent and the circumstances in which an implied consent can be relied upon are limited. It is not possible to seek consent electronically, because such a request itself would be a prohibited electronic message. Consent is implied only where the sender has an existing relationship with the recipient.

Restrictions on Software Installation

Although the government’s stated intent in introducing this bill is to stop the spread of unlawful programs engaged in "the collection of personal information through illicit access to computer systems," the ECPA would actually prohibit a business from installing any computer program on any person’s computer without obtaining express consent. As currently drafted, this provision would outlaw any program, patch, upgrade or add-on installed without express consent.

The ECPA would also require, before any software is installed on a computer, that the person requesting consent "describe clearly and simply the function, purpose and impact of every computer program that is to be installed." The provisions in the ECPA would apply not only to personal computers but to a whole host of devices, from iPhones and BlackBerry® devices to mainframe computers, even though many do not have the capability of displaying consent forms and relaying consent.

Administrative Penalties

The ECPA would make the violation of the above provisions subject to "administrative monetary" penalties of up to $1 million in the case of an individual, or $10 million in the case of a non-individual. These high penalties can be exacted without any right to a trial, and a conviction can be entered on proof of only a "balance of probabilities." This liability would also extend to employers, officers, directors or agents of a company. The bill also appears to include a statutory damages regime that could result in an order to pay "a maximum of $200 for each contravention of the provision, not exceeding $1,000,000 for each day on which one or more of those contraventions occurred." This liability would also extend to employers, officers and directors of a company.

The bill also contains a new private right of action for any person who alleges that they are affected by an act or omission that constitutes a contravention of Section 5 of the Personal Information Protection and Electronic Documents Act, which relates to a collection or use of information described in subsection 7.1(2) or (3) of that act. This would appear to now expose Canadian business to extensive new liabilities for the use or disclosure of personal information without the knowledge or consent of individuals. Officers, directors, and employers would also be potentially liable for their employees’ actions.

Over the last decade, the Internet has become an essential tool for conducting commercial activity. If passed, this bill would prohibit the formation of new business relationships over the Internet or through e-mail. It would stultify the use of the Internet for the distribution of software and software upgrades. It also contains very high penalties for breach, penalties that are particularly disconcerting given the wide and ambiguous nature of the bill.

If your business will be impacted by the ECPA, we recommend that you make submissions to the House of Commons Standing Committee on Industry, Science and Technology, setting out your concerns.  

This blog post was first published by Barry Sookman on his blog @barrysookman.com.