This month’s post features a potpourri of legal issues stemming from the ever-growing world of the internet: an overview of Canada’s Anti-Spam Legislation (CASL), a brief look at cyberbullying and harassment, and an examination of crimes against computers systems including hackers, mischief, malware and spyware.
Internet Law
By: Chantal Bernier, LL.B, LL.M.
Counsel, Privacy Law Group, Dentons Canada LLP, with the assistance of Jawaid Panjwani, B.A., M.A., J.D., Associate, Dentons Canada LLP, on the basis of work of Sukanya Pillay, B.A., LL.B., LL.M., and Professor Myra Tawfik, B.A. (Hons.).
II.3(a): Canada’s Anti-spam Legislation
II.3: E-Commerce - Spam
See Canadian Abridgment: INF.III.3.a Information technology | Internet publishing | Email | Spam mail
Canada's Anti-spam Legislation (CASL) prohibits sending a commercial electronic message (CEM) to an electronic address via e-mail, instant messaging, telephone or any similar account unless the recipient has consented to receive the message and the message complies with certain formal requirements, including identifying the sender and providing an unsubscribe mechanism.1
A message is a CEM if it would be reasonable to conclude that its purpose or one of its purposes is to encourage participation in a commercial activity. Messages where the purpose or one of the purposes is to advertise, promote, market, or otherwise offer a product, good, service, business or gaming opportunity or interest in land, are considered CEMs. Indicators of commercial activity include the commercial content, hyperlinks, or contact information in an electronic message. The expectation of profit is not determinative.2
An "electronic address" is an e-mail account, a telephone account, an instant messaging account, or any other similar account.3 Whether a "similar account" is considered an "electronic address" is determined on a case-by-case basis and depends on how the account or platform functions. Certain social media messaging, such as messages posted on a Facebook wall or Twitter feed, are not sent to an electronic address. However, messages sent to a social media messaging system (e.g. Facebook messaging and LinkedIn messaging) are considered to be messages sent to an electronic address. IP addresses are not electronic addresses if the IP address is not linked to an identifiable person or to an account.4
CASL requires opt-in consent to send CEMs to recipients.5 Recipients must make a positive action to indicate their consent.6 The request for consent must be obtained orally or in writing and must be sought separately for each act contemplated by the Act.7 The request for consent must identify and provide the contact information of the sender, including its mailing address, and either a telephone number, e-mail address or web address; include the purpose for which the consent is being sought; and provide a statement indicating that the person whose consent is sought can withdraw their consent.8
Under CASL, implied consent to send CEMs exists under a limited number of circumstances, including where there is an existing business relationship or existing non-business relationship between the organization that sends the CEM and the recipient.9
The following CEMs are excluded from the consent and form requirements imposed by CASL: CEMs sent by or on behalf of an individual to another individual with whom they have a personal or family relationship; CEMs sent by or on behalf of a registered charity to raise funds for the charity; CEMs sent by or on behalf of a political party or a political candidate to solicit political contributions; business-to-business communications; CEMs sent and received on an electronic messaging service, such as a closed or managed messaging system (e.g. Blackberry Messenger), where users have control over who sends them messages and the messages that they receive; CEMs sent in response to a request, inquiry or complaint or otherwise solicited by the recipient; CEMs sent to a limited-access secure and confidential account where messages can only be sent by the person who provides the account to the recipient (e.g. banking websites); CEMs that the sender reasonably believes will be accessed in an approved foreign jurisdiction and meet foreign requirements; CEMs sent to satisfy a legal or juridical obligation.10
The following CEMs are excluded only from the consent requirements imposed by CASL: CEMs that provide a quote or estimate requested by a recipient; CEMs that facilitate, complete or confirm a commercial transaction that the recipient has entered into; CEMs that convey warranty, product recall or safety information about a product, good or service that the recipient has purchased; CEMs that provide factual information about the ongoing use or purchase of a product, subscription, membership, loan, or account; CEMs that provide information directly related to an employment relationship or related benefit plan; and CEMs that deliver product updates or upgrades that the recipient is entitled to receive under the terms of a transaction.11
CASL applies only where a computer system located in Canada is used to send or access the CEM.12
The CRTC is the main regulatory body responsible for enforcing violations of CASL.13 The maximum administrative monetary penalty for an individual that breaches CASL is $1,000,000 and the maximum penalty for a corporation or other organization is $10,000,000.14 A private right of action will be available as of July 1, 2017.15 An organization may avoid sanction by entering into an undertaking with the CRTC.16
CASL does not apply to Internet Service Providers where they merely enable the transmission of a CEM.17 Internet Service Providers can prohibit spam in their terms and conditions.18 Even where there are no express terms or conditions in the agreement, the user is still required to "follow generally accepted "netiquette" when sending e-mail messages".19
II.3(b): Criminal Code of Canada
See Canadian Abridgment: INF.III.3.a Information technology | Internet publishing | Email | Spam mail
It is a criminal offence to wrongfully obtain a computer service, intercept computer functions, or use a computer system to commit mischief.1
II.3(c): Telecommunications Act
See Canadian Abridgment: INF.III.3.a Information technology | Internet publishing | Email | Spam mail
The CRTC has certain powers to "prohibit or regulate the use by any person of the telecommunications facilities of a Canadian carrier for the provision of unsolicited telecommunications to the extent that the Commission considers it necessary to prevent undue inconvenience or nuisance, giving due regard to freedom of expression".1
VI.2: Online Crimes
VI.2(a): Harassment
See Canadian Abridgment: INF.III.5 Information technology | Internet publishing | Online harassment in work environment; CRM.VI.27 Criminal law | Offences | Criminal harassment
Everyone commits an offence of harassment who, without lawful authority: (a) repeatedly follows from place to place the other person or anyone known to them; (b) repeatedly communicates with, either directly or indirectly, with the other person or anyone known to them; (c) besets or watches the dwelling-house, or place where the other person, or anyone known to them, resides, works, carries on business or happens to be; or (d) engages in threatening conduct directed at the other person or any member of their family.1 All those found guilty are subject to an indictable offence of less than ten years of imprisonment or they are subject to a summary conviction.2 In addition, the court will consider aggravating factors when it imposes its sentence.3
Harassment by telephone, mail or Internet may be grounds for an interlocutory injunction.4
VI.2(b): Cyberbullying
See Canadian Abridgment: INF.III.2.a.iii.B Information technology | Internet publishing | Internet service providers | Disclosure of subscribers | Anonymous defamatory statements | Cyber bullying; INF.III.5 Information technology | Internet publishing | Online harassment in work environment; CRM.VI.27 Criminal law | Offences | Criminal harassment
The Protecting Canadians from Online Crime Act amends the Criminal Code in relation to cyberbullying. Everyone who knowingly publishes, distributes, transmits, sells, makes available or advertises an intimate image of a person knowing that the person depicted in the image did not give their consent to that conduct, or being reckless as to whether or not that person gave their consent to that conduct, commits an offence (publication of an intimate image without consent). An intimate image means a visual recording of a person made by any means including a photographic, film or video recording, (a) in which the person is nude, is exposing his or her genital organs or anal region or her breasts or is engaged in explicit sexual activity; (b) in respect of which, at the time of the recording, there were circumstances that gave rise to a reasonable expectation of privacy; and (c) in respect of which the person depicted retains a reasonable expectation of privacy at the time the offence is committed.1
All those found guilty of unlawfully disseminating an intimate image, may, in addition to a sentence, be prohibited from using the Internet or any other digital network or be restricted in accordance with conditions set by the court.2
No person shall be convicted of an offence for online distribution of intimate images if such conduct is proven to serve the public good.3
VI.5: Crimes Against Computer Systems: Hackers, Crackers, Threats
VI.5(a): Definitions Related to Hacking
See Canadian Abridgment: INF.I Information technology | General principles
“Computer password” is any data by which a computer service or computer system is capable of being obtained or used. “Computer program” means any computer data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function. “Computer service” includes data processing and the storage or retrieval of computer data. “Computer system” means a device, or a group of interconnected or related devices, one or more of which: (a) contains computer programs or other computer data; and (b) by means of computer programs, (i) performs logic and control; and (ii) may perform any other function. “Computer data” means representations, including signs, signals or symbols, that are in a form suitable for processing in a computer system. “Device” includes (a) a component of a device; and (b) a computer program. “Electro-magnetic, acoustic, mechanical or other device” means any device or apparatus that is used or is capable of being used to intercept any function of a computer system, but does not include a hearing aid used to correct subnormal hearing of the user to not better than normal hearing. “Function” includes logic, control, arithmetic, deletion, storage and retrieval and communication or telecommunication to, from or within a computer system. “Intercept” includes to listen to or record a function of a computer system, or acquire the substance, meaning or purport thereof. “Traffic” means, in respect of a computer password, to sell, export from or import into Canada, distribute or deal with in any other way.1
VI.5(b): Hacking/Unauthorized Use
See Canadian Abridgment: INF.I Information technology | General principles
Anyone who, fraudulently1 and without colour of right (a) obtains, directly or indirectly, any computer service;2 (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system; (c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under the Criminal Code sections relevant to mischief, in relation to computer data or a computer system; or (d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c), is guilty of an indictable offence and liable to a maximum imprisonment of ten years, or is guilty of a summary offence.3
Hacking is more serious than simple fraud or mischief, due to the consequences which result from the actions harming commerce and possibly national security.4
An injunction may be granted when a defendant attempts to break unauthorized use safeguards in computer software because, if a defendant was successful in breaking the unauthorized use safeguards, there would be no judgment to render, nor any case to try.5
VI.5(c): Mischief in Relation to Data
See Canadian Abridgment: INF.I Information technology | General principles; CRM.VI.100 Criminal law | Offences | Mischief
Anyone commits mischief who wilfully (a) destroys or alters computer data; (b) renders computer data meaningless, useless or ineffective; (c) obstructs, interrupts or interferes with the lawful use of computer data; or (d) obstructs, interrupts or interferes with any person in the lawful use of computer data or denies access to data to any person who is entitled to access thereto.1 Anyone who commits mischief in relation to computer data (a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or (b) is guilty of a summary offence.2 Anyone who wilfully does an act or wilfully omits to do an act that it is his or her duty to do, if that act or omission is likely to constitute mischief causing actual danger to life, or to constitute mischief in relation to property or computer data (a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years; or (b) is guilty of an offence punishable on summary conviction.3 Mischief also includes actions which obstruct the use of data.4
A person can be liable for deleting data he or she believed to be his or hers from someone else’s computer.5
VI.5(d): Malware and Spyware
See Canadian Abridgment: INF.I Information technology | General principles
To deter malware, spyware, viruses and botnets, Canada’s Anti-spam Legislation (CASL) prohibits a person, in the course of a commercial activity, from installing, or causing to be installed, a computer program on any other person’s computer system, or having so installed or caused to be installed a computer program, cause an electronic message to be sent from the computer system, unless the person has obtained express consent of the owner or an authorized user of the computer system or the person is acting in accordance with a court order. CASL only applies if the computer system is located in Canada or if the person installing the program is either in Canada or acting under the direction of a person who is in Canada.1
A person is considered to expressly consent to the installation of a computer program if the program is a cookie, HTML code, Java Scripts, an operating system, and any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to.2
CASL requires opt-in consent for the installation of a computer program.3 Recipients must make a positive action to indicate their consent.4 The request for consent must be obtained orally or in writing and must be sought separately for each act contemplated by the Act.5 The request for consent must identify and provide the contact information of the person installing the program, including its mailing address, and either a telephone number, e-mail address or web address; include the purpose for which the consent is being sought; provide a general description of the function of the program; and provide a statement indicating that the person whose consent is sought can withdraw their consent.6
If the computer program to be installed performs one or more functions that will cause the computer system to operate in a manner that is contrary to the reasonable expectation of the owner or an authorized user of the computer system, including collecting personal information stored on the computer system; interfering with the owner’s or authorized user’s control of the computer system; changing or interfering with the setting on the computer system without the knowledge of the owner or authorized user; changing or interfering with the data stored on the device in a way that obstructs or interferes with the user’s access to the data; causing the computer system to communicate with another computer system without authorization; or installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system, the person who seeks express consent must provide enhanced disclosure separately and apart from the license agreement. The person must describe the program’s material elements that perform the function or functions and their reasonably foreseeable impact on the operation of the computer system and bring those elements to the attention of the person from whom consent is being sought.7
The CRTC is the main regulatory body responsible for enforcing violations of CASL.8 The maximum administrative monetary penalty for an individual that breaches CASL is $1,000,000 and the maximum penalty for a corporation or other organization is $10,000,000.9 A private right of action will be available as of July 1, 2017.10 An organization may avoid sanction by entering into an undertaking with the CRTC.11
Click here to view footnotes.