Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.
Canada's anti-spam legislation has long been the law that Corporate Canada loves to hate. Months before it was slated to take effect in 2014, there were ominous warnings about how regulation would bring commercial e-mail to a screeching halt, banning everything from large-scale business marketing efforts to e-mails promoting a neighbourhood lemonade stand.
Nearly three years later, e-mail marketing is alive and well in Canada as many have adjusted to the tougher privacy standards that require informed consent prior to sending commercial electronic messages. Moreover, in a world where malware and ransomware have become serious cybersecurity threats touching millions of Internet users, the inclusion of antimalware provisions has proven prescient since they give authorities the legal tools to participate in global enforcement efforts.
Yet despite ample evidence that the law has had a positive impact – Cloudmark, a U.S.-based anti-spam company, found a noticeable decline in spam originating from Canada after the law took effect – the business community has engaged in a behind-the-scenes lobbying campaign to reverse some of its core provisions.
The top target has been a new private right of action that opens the door to lawsuits over harmful spam. The provision is scheduled to take effect on July 1, but groups have been urging the government to postpone its implementation. Officials have quietly consulted some stakeholders on the issue (I was contacted in my capacity as a law professor and former member of the National Task Force on Spam), but have not conducted a broader public consultation.
If the government caves to the lobbying pressure and delays the new rule, the move would signal a major shift in Canada's approach to fighting spam and cybercrime. Recent reports have concluded that two-thirds of all e-mail is spam and that as much as 10 per cent of global spam can be classified as malicious. Weakening the legal rules designed to combat spam would therefore be at odds with the country's increasing emphasis on confronting cybercrime.
The law is only three years old, but it has already played a significant role in countering all forms of spam. There have been enforcement actions against anti-spam violations, including failures to obtain appropriate consent or respect rules governing opting-out of future e-mail correspondence. Moreover, the law was used in 2015 to shut down a malware command-and-control centre in Toronto as authorities worked with law-enforcement agencies from around the world to stop a malware network that affected more than a million computers.
While the business community fears a proliferation of lawsuits once the private right of action takes effect, the experience of other countries suggests that it will be used in limited circumstances. The law allows for private actions based on commercial e-mails sent without consent, alteration of transmission data that disguises the source of an e-mail and the surreptitious installation of malware or other computer programs.
The law could come in handy in combatting several serious harms, including instances of ransomware victims paying the ransom fee and other frauds. For general business e-mails, the possibility of lawsuits may provide a helpful incentive to promote compliance.
Notwithstanding the fear mongering, compensation for spam violations is commonly available in many other countries. For example, private anti-spam lawsuits have been launched by large Internet-service providers for years in the United States with multimillion-dollar judgments used to shut down known spamming operations. In fact, the National Task Force on Spam unanimously recommended implementing a private right of action in Canada.
Innovation, Science and Economic Development Minister Navdeep Bains has said little about the future of Canada's anti-spam law. Given the ongoing proliferation of spam and the mounting concern over the dangers of malware, delaying the full implementation of Canadian law would represent a significant step backward at a time when other countries are prioritizing the fight against online harm.