Privacy Advisor

CANADA—Revised Proposed Electronic Commerce Protection Regulations Issued by the Department of Industry

February 1, 2013

By John Jager, CIPP/US, CIPP/G, CIPP/C

On January 5, the federal Department of Industry published a second set of proposed regulations in the Canada Gazette. Readers may recall that after Canada’s Anti-Spam legislation (CASL) received Royal Assent on December 15, 2010, the department issued its proposed regulations on July 9, 2011. Stakeholders were invited to provide feedback on the proposed regulations by September 7, 2011.

Now, almost 16 months later, the department has published a revised set of regulations. Since we reported on the initial proposed regulations in the September 2011 edition of The Privacy Advisor, we will restrict our comments to some key changes in the 2013 regulations.

The revised regulations change the proposed definition of "personal relationship." In the original regulation, a personal relationship existed if the parties had an in-person meeting and, within the previous two years, had a two-way communication. The revised regulations proposed that the individuals “have had direct, voluntary, two-way communications and it would be reasonable to conclude that the relationship is personal,” taking into account a number of factors, and the person receiving the message has not opted-out from receiving any messages from the sender.

The regulation also excludes some commercial electronic messages from the general requirements of the act concerning such messages. Exclusions include messages between employees within an organization, messages to employees of other organizations related to that person’s role, functions or duties within that organization, responses to requests, inquiries or complaints and messages from outside of Canada concerning goods and services outside Canada if the sender did not and could not reasonably know the message would be accessed using a computer system inside Canada.

Computer programs that may be installed without consent of individuals are identified in the regulations. They include programs installed by—or on behalf of—a telecommunications service provider to prevent activities that the provider “reasonably believes are in contravention of an Act of Parliament and which present an imminent risk to the security of its network” or a program installed by the provider for the purpose of updating or upgrading its network.

It is equally important to note that there were a number of issues raised by stakeholders in the first consultation period which were not addressed in the revised regulations. One such concern, raised by a number of commentators, relates to the consent requirements. Stakeholders had argued that consent obtained under the Personal Information Protection and Electronic Documents Act (PIPEDA) should be considered as valid consent under CASL. However, the commentary to the regulations notes that while businesses may have been in compliance with PIPEDA when obtaining customers’ consent for the sending of electronic messages, they may, in some cases, not be able to send a message to those customers under CASL. The commentary notes that “CASL is intended to create a higher threshold for the collection and use of consent for the particular activities being regulated.”

The Department of Industry is inviting stakeholders to provide input on the regulations within 30 days of publication in the Gazette, which was published on January 5, 2013.

John Jager, CIPP/US, CIPP/G, CIPP/C, is vice president of research services at Nymity, Inc., which offers web-based privacy support to help organizations control their privacy risk. He may be reached at john.jager@nymity.com.