Beware CASL’s new private right of action requirements!
- Subtitle: The IT Girl
While the first prohibitions against the sending of commercial electronic messages came into force on July 1, 2014, the government allowed for a three-year delay in putting into force those sections of CASL allowing for the right to sue — but this grace period will shortly be at an end.
Beginning on July 1, any person who alleges they are affected by an “act or omission” that constitutes a contravention of s. 6-9 of CASL, i.e., (i) relating to violations of the unsolicited electronic messages requirements (including sending commercial electronic messages, unless the recipient provided express or implied consent and the message complies with the prescribed form and content requirements), (ii) the alteration of transmission data in electronic messages, (iii) the installation of computer programs on devices without consent or (iv) aiding, inducing or promoting any act contrary to any of the above sections, can launch claims against alleged offenders seeking financial redress.
Additionally, persons that have been the subject of violations of the collection of electronic addresses or accessing a computer system to collect personal information (i.e., email harvesting and use) provisions in s. 7.1(2) and (3) of PIPEDA in contravention of s. 5 (PIPEDA violations) or has suffered conduct that is reviewable under s. 74.011 of the Competition Act, i.e., been the recipient of false or misleading electronic messages (Competition Act violations), can also apply to a court for justice. Unless the court decides otherwise, the claim must be brought not later than three years after the day on which the subject matter of the proceeding (reviewable conduct or contravention) became known to the applicant.
The application must be accompanied by an affidavit that identifies the alleged contravention or reviewable conduct, sets out every provision, act or omission at issue and any other facts in support of the application. If the applicant claims they have suffered an actual loss or damage, or have incurred expenses, as a result of the alleged contravention or reviewable conduct, the affidavit must also state the nature and amount of the loss, damage or expenses. Depending on the nature of the proceeding, the Federal Privacy Commissioner, the CRTC or the Competition Commissioner has the right to intervene in the claim.
The penalties for violating CASL, particularly the PRA sections, will be formidable. Courts will be entitled to order violators to pay applicants an amount equal to the actual loss or damage suffered or expenses incurred by the applicant, plus additional statutory damages up to a maximum of:
(i) for contraventions of s. 6 of CASL (unsolicited electronic messages), $200 for each contravention of that provision, not exceeding $1,000,000 for each day on which a contravention occurred;
(ii) for contraventions of s. 7 (altering transmission data) or 8 (installation of computer programs), $1,000,000 for each day on which a contravention occurred;
(iii) for contraventions of s. 9 (resulting from aiding, inducing or procuring, or causing to be procured, the doing of an act contrary to s. 6, and if a contravention of s. 6 has resulted), $200 for each contravention of s. 6, not exceeding $1,000,000 for each day on which a contravention of s. 6 occurred; and
(v) for contraventions of s. 9 (resulting from aiding, inducing or procuring, or causing to be procured, the doing of an act contrary to s. 7 or 8, and if a contravention of either of those sections has resulted), $1,000,000 for each day on which a contravention of s. 7 or 8, as the case may be, occurred.
Courts can also award up to $1,000,000 for each day on which the PIPEDA violations occurred or, in the case of Competition Act violations, $200 for each occurrence of the conduct, not exceeding $1,000,000 for each day on which the conduct occurred.
But wait — it gets worse. Directors and officers of corporations who commit contraventions of s. 6-9 of CASL, PIPEDA violations or the Competition Act violations as described above will also now be liable for the contravention or reviewable conduct, as the case may be, if they directed, authorized, assented to, acquiesced in or participated in the commission of that contravention, or engaged in that conduct, whether or not the corporation itself is actually proceeded against. Companies will also be vicariously liable for the actions of their employees.
Anyone feel like joining a board of directors now?
One small positive note is that a court will not be allowed to award the statutory damages described above for CASL violations if the person has entered into an undertaking with the CRTC or been served with a notice of violation by the CRTC regarding the same conduct. A similar exemption applies for those persons liable under the extended liability (s. 52) and vicarious liability (s. 53) provisions in CASL, in cases where the corporation, employee or agent, as the case may be, who committed the contravention has entered into an undertaking or been served with a notice of violation.
As the additional statutory fines that might be levied by a court are supposed to promote “compliance” with CASL, PIPEDA and the Competition Act, as the case may be, and not simply “punish,” the court will be required to consider a wide variety of factors before levying the additional fines, including:
(i) the nature and scope of the contravention or reviewable conduct;
(ii) the person’s history, or each person’s history, as the case may be, with respect to any previous contravention of CASL, for PIPEDA violations or Competition Act violations;
(iii) the person’s history, or each person’s history, as the case may be, with respect to any previous undertakings or consent agreements relating to prior violations;
(iv) any financial benefit that the person or persons obtained from the commission of the contravention or from engaging in the reviewable conduct;
(v) the person’s or persons’ ability to pay the total amount payable;
(vi) whether the applicant has received compensation in connection with the contravention or the reviewable conduct; and
(vi) any other relevant factor.
Persons who are charged under the PRA for violations of CASL, PIPEDA and the Competition Act will only have a very limited defence — they must establish that they exercised due diligence to prevent the contravention or conduct, as the case may be. However, as we have already seen, organizations cannot simply avoid liability under CASL by engaging third-party service providers to send CEMs on their behalf. For example, on Aug. 22, 2016, Kellogg Canada Inc. voluntarily entered into an undertaking with the CRTC in relation to an alleged violation of paragraph 6(1)(a) of the act when it was found that from Oct. 1, 2014 to Dec. 16, 2014, inclusively, CEMs were allegedly sent by Kellogg and/or its third-party service providers to recipients without their consent. Kellogg agreed to pay the CRTC $60,000 and to review and update its CASL compliance program.
There is no question CASL’s PRA will be a boon for class action lawyers and lawyers who specialize in providing CASL advice more generally in the upcoming months. As the PRA provisions of CASL will be coming into force in July, it will be a race against time for organizations to close any remaining gaps in their existing CASL compliance practices to try to mitigate, if not entirely forestall, their risks against this new source of potential exposure. Of course, the question ultimately remains whether the threat of this draconian remedy will actually help stop spam or just prove to be an additional impediment to Canadian business and investment. I personally remain unconvinced of the value of the new PRA and instead remain concerned about potential abuse and frivolous litigation. In the meantime, better sharpen up your CASL compliance policies before it’s too late.
Lisa R. Lifshitz is a partner in Torkin Manes’ Business Law Group, specializing in technology and privacy law and is the leader of the firm’s Technology, Privacy and Data Management Group. Lisa has been nationally and internationally recognized for her technology law expertise and enjoys writing and speaking on technology law issues. She is the immediate past president of the Canadian IT Law Association and can be reached at firstname.lastname@example.org. The views presented here are the author's alone.
Column: The IT Girl