“There were shock waves through the industry about how extensive the guidelines were and what could be perceived as a burdensome laundry list of compliance expectations, especially for the many startups in this arena,” says Monique McAlister, a regulatory, public and commercial law partner at Goodmans LLP in Toronto.
The guidelines, issued in December 2018, are meant to assist in the interpretation of s. 9 of CASL, which not only prohibits certain activities without obtaining consent but also prohibits anyone from aiding, inducing, procuring or causing such activities to be procured.
The point of controversy, however, is the provision in the guidelines that innocent intermediaries can be liable for breaching s. 9 “even if they did not intend to do so, or were unaware that their activities enabled or facilitated contraventions of CASL by a third party.”
Most observers trace the guidelines’ origin to the notices of violation issued by the CRTC in July 2018 against Sunlight Media Network Inc. and Datablocks, which included a $250,000 penalty.
The CRTC contended that Sunlight and Datablocks used online advertising to deliver malware (ads booby-trapped with malicious computer programs, including ransomware and Trojan horses). Usually in such cases, the ad network redirects web browsers to a page controlled by the advertiser from which further exploitative malware can be launched.
According to the CRTC, Sunlight and Datablocks facilitated the installation of malware by providing software, services and infrastructure to their advertising clients that enabled them to violate CASL, primarily by obviating the need for the consent required from individuals before software (in this case the malware) was installed on their computers.
The companies have challenged the notices, alleging that they were apparently conjured out of thin air by improperly invoking a general duty on the part of all intermediaries to prevent others from breaking the law. The CRTC has not yet ruled on the challenge.
But David Young, principal at David Young Law in Toronto, a regulatory and privacy law counsel practice, says that, regardless of the final result, the Sunlight affair was an egregious case that did not provide a proper foundation for the extended liability described in the guidelines.
“This was a no-brainer involving vertically integrated internet and digital advertisers who were hand in glove so that one or the other of them had clearly violated CASL,” he says. “The examples provided in the guidelines are far removed from this case.”
McAlister agrees, noting that the Sunlight case had previously received adverse coverage in the international and foreign press.
“Both companies were on notice in 2015 that the services they provided were resulting in abuse, and they basically ignored it,” she says.
Even putting the connection between the companies aside, Young says he can see liability attaching if there’s some evidence that an intermediary knew they were providing software to downstream parties that enabled them to violate CASL.
“The difficulty with the guidelines is that it envisages liability even where there’s no awareness of the enabling features of the offending software or infrastructure,” he says. “As drafted, the guidelines would make intermediaries responsible even if the software was misused without their knowledge or assistance.”
André Leduc, vice president, GR & policy at the Information Technology Association of Canada, worked at Industry Canada between 2008 and 2017, where he was responsible for putting together the antispam regulations.
“Section 9 was never intended to be an extended liability clause,” he says. “It was designed to avoid parties indemnifying themselves for what they knew was going on because they were doing it through a third party.”
Internet advertising, Leduc adds, is highly complex compared to print advertising.
“A news outlet on which ads pop up would not likely know if an ad had misleading information or whether it had malware embedded,” he says. “In fact, because ads these days tend to be highly targeted, the outlet could well have no clue about which ads were actually appearing.”
According to Leduc, the CRTC’s guidelines run contrary to CASL’s aims.
“The legislation is meant to encourage, not discourage, digital commerce,” he says. “The CRTC is totally missing the boat on why s. 9 exists and what it is intended to do.”
Shaun Brown, a partner at nNovation LLP in Ottawa, where his practice focuses on e-commerce, e-marketing, privacy, access to information and information security, also worked at Industry Canada while CASL was in development.
“We always referred to s. 9 as the ‘follow-the-money’ clause,” he says. “It was designed to prevent legitimate businesses from avoiding liability by having third-party spammers send out their advertising rather than doing it themselves.”
Brown says the CRTC’s focus is misguided.
“The CRTC jumped on the Databox case to interpret s. 9 as broadly as possible in an attempt to squeeze intermediaries to go after nefarious activities, rather than going after the bad actors themselves,” he says.
Like Leduc, he says the s. 9 guidelines are discouraging e-commerce, especially because the CRTC can impose penalties of up to $10 million.
“The guidelines take the risk level through the roof for small and medium-sized Canadian businesses who are doing innovative things in the economy,” Brown says. “In fact, the guidelines are so broad that the CRTC can always find something else that a company could have done by way of due diligence.”
What is clear is that the preventive measures recommended in the guidelines are onerous. They include monitoring third-party activities, performing diligent and consistent audits, seeking legal and other expert advice, implementing a robust compliance program, validating clients’ identities and reputations and being cognizant of location discrepancies.
Still, there may be a bright side.
“It’s true that the guidelines are a bit expansive, but I don’t think they’re entirely unexpected in light of the enforcement actions against Datablocks and Sunlight,” says Lyndsay Wasser, the Toronto-based co-chairperson of McMillan LLP’s privacy & data protection group and its cybersecurity group. “I don’t believe that the CRTC is trying to impose liability where companies are both not aware of what’s going on and could not reasonably be expected to be aware of what’s going on. It’s a case of taking reasonable steps instead of going forward in bliss or ignorance.”
Indeed, given the uproar that followed on the release of the guidelines, the CRTC has taken steps to reassure stakeholders.
“I think they tried to walk some of the guidelines back by giving speeches and presentations in which they insisted that they were focusing on egregious cases and malicious actors where there were clear violations and no attempt at all to comply with the legislation,” McAlister says. “They also said that not all the preventative measures listed in the guidelines will be relevant in every case.”
Simply following industry standards may not do the trick, however. “Where a threat or vulnerability has been identified, steps should be taken to address it, even if that means surpassing industry standards,” McAlister says.