Is the CASL PRA Delay Bad for Canadians and Businesses?

Peter Clausi has written an interesting article on InvestorIntel about the CASL Private Right of Action delay and what the unintended fallout could be:

With the July 1 date three weeks away, and the prospect of class action litigation against every company not in compliance, companies were finally taking CASL seriously and were sprinting to get Human Resources, Legal, IT and the executive offices working together to remediate the situation. The CASL system was working.

This week, 12 years after that report from its own Task Force, the federal government failed Canadians by derailing its own system. By order in council, the enactment of the PRA has been indefinitely delayed. There is no visibility on when or even if this part of the legislation will become active.

So what’s next? Remember when you were young, and your older sibling got in trouble with mom, then that sibling passed it on and took it out on you. Expect the same to happen here. The CRTC is in our opinion going to ramp up its enforcement efforts and pass on Minister Bains’ insult to Canadian companies. We expect to hear of new enforcement actions by the CRTC under CASL over the next few weeks.


CASL Private Right of Action Delayed

Last week, by an order-in-council of the Government of Canada, the private right of action provisions in CASL were delayed. There have been mixed reactions to this delay depending on who you talk to, but Fazila Nurani of Privatech has taken a good look at what this delay means for businesses and how CASL is still affecting them.

It is important to remember that CASL otherwise remains in full force and is being actively enforced by the CRTC – we have witnessed a number of decisions where administrative monetary penalties (AMPs) have been issued against reputable organizations, and businesses of all sizes from the one-man show to the large national operation. Entities should also keep in mind that the transition period that grandfathered certain pre-CASL “existing business relationships” will end as scheduled on July 1st of this year.


New CASL Deadline Looms

In the May 15, 2017 issue of HR Reporter, Sarah Dobson has written a great piece on the upcoming July 1st deadline, when CASL’s private right of action comes into force.

“As a class action, there’s a significant amount of money potentially at stake. So that’s caught a lot of people’s attention. So a lot of companies are reviewing their CASL compliance efforts that they’ve put into place one, two, three years ago to make sure they’re actually being followed and their efforts are up to date.”

It’s going to be interesting to see how the tribunal interprets the legislation because it’s possible this right of action can be taken without any proof of damages, relying on the $200 provision, said Antoine Aylwin, a partner at Fasken Martineau in Montreal.

“If the tribunal accepts that principle, we could very well see many class actions taken and it goes fast — when you send an email to 1,000 persons, well, it’s $200,000 per communication, so say you send five, you’re at $1 million, just by the mathematics of it.”


CASL Cure moderates panel session at Canadian Corporate Counsel Association (CCCA) National Conference

A panel composed of recently retired GM Canada General Counsel Heather Innes, current Bell Canada General Counsel Bill Abbott, and Peter Clausi, General Counsel at GTA Resources and Mining, and moderated by Neil Beaton, VP Corporate Development with CASL Cure, gave the CCCA member audience an overview of the issues surrounding the law’s upcoming private right of action, which will open CASL to class action suits alongside the current CRTC regulation.

On July 1, a “private right of action” comes into force, opening the door for plaintiff-side class action lawyers to sue companies for alleged breaches of the law. This changes the game, because up till now companies in breach of the law have only had to answer to government regulators.

Heather Innes, who was previously chief privacy officer with General Motors of Canada Ltd., said the regulatory actions have been harsher than most corporate counsel had expected. But they also offer a preview as to how easy it can be for a company to violate the law.

“Even the most sophisticated organization can make mistakes,” Innes told the panel. The regulators mean business, she said. “They are going to fine, and they are going to fine even if people have simply made mistakes.”

Bill Abbott, assistant general counsel and privacy ombudsman with Bell Canada, said that regulatory enforcement has focused on clear violations of the law. He expects class action lawyers to cast a wider net with their claims.

“Private right of action brings an entirely different environment with profit-driven plaintiffs who aren’t restricted by policy,” Abbott said. “Unlike the CRTC, which appears to be avoiding the ambiguous areas, that’s what they play on. That’s where they bring claims.”

Please visit the Financial Post Article for more information.

More CASL Enforcement

The CRTC has fined an individual $15,000 for 10 violations. In an enforcement action published last week, the CRTC stated:

The Commission imposes an administrative monetary penalty of $15,000 on William Rapanos for 10 violations of section 6 of Canada’s Anti-Spam Legislation. Specifically, Mr. Rapanos sent commercial electronic messages (i) that did not identify the sender, (ii) that did not include information that enables the recipient to readily contact the sender, (iii) without prior consent from the recipients, and (iv) that, in certain cases, did not include a functioning unsubscribe mechanism.

For more information please read this article by Word to the Wise regarding this incident or the original CRTC enforcement action.

Strap on your Helmet …

Peter Clausi has written a great article about the upcoming troubles that businesses and individuals could face once CASL enters its next stage on July 1st, 2017.

CASL really has only two key requirements. The first is that you, as the sender of a commercial electronic message (CEM) (including any business email or text), are prohibited from sending that CEM unless you can prove you had prior consent to send it to that person. You have to be able to prove you had prior consent. You can’t email someone to ask for consent to email them.

Second, all CEMs must be transparent – each must clearly disclose who the sender is and must include a simple unsubscribe link. This element is fairly straightforward. If you apply some business intelligence, human resources training and forethought, you can comply with this part of CASL.

It all seems simple, doesn’t it?

Whether you like these two elements is not relevant. This has been the law in Canada for several years. It doesn’t matter if you think it’s a silly law or a disproportionate one – this is a law with global exposure, as the CRTC has assumed jurisdiction if the email is sent or received in Canada (just passing through an ISP doesn’t count). Does your business operate outside of Canada but email into Canada on occasion? You’re caught. Are you a Canadian business sending any email outside of Canada? You’re caught too.

But the CRTC isn’t really the problem. The Commission’s limited resources mean you can probably sleep at night without worrying about the CRTC showing up at your office tomorrow. What you should be afraid of is July 1, 2017. Mark that date in your calendar. That’s the day when your company’s breaches of CASL, until then relatively innocuous, can be punished by a private right of action. Anyone to whom you send an email or text will have the right to sue – all they have to prove is that they received your message, and then the onus shifts to you to prove you had prior consent to do so.

That’s what CASL itself and the CRTC’s Enforcement Advisory are telling us.

After you get sued, you will then need to put forward evidence that you had prior consent to send that email. This would be part of the discovery process in the litigation, and since this type of litigation supports class action litigation, your legal bills are going to be astronomical. And if any of the recipients are outside of Canada, watch for creative aggressive plaintiff counsel to figure out ways to trace liability back to that jurisdiction. Double the litigation, double the legal expenses.



Jillian Swartz of Allen McDonald Swartz LLP has published an excellent article discussing the impending danger of class action lawsuits under CASL coming into effect on July 1st, 2017.

On July 1, 2017, CASL’s private right of action provisions, which provide for penalties of up to Cdn$1,000,000 per day, will come into effect. Class actions are almost a certainty. Any Canadian business (and any business that has customers, donors or contacts in Canada) that is not fully compliant with CASL must act now to develop and implement robust compliance strategies in order to mitigate its class action risk.

CASL provides for a private right of action. This means that, in addition to the risk that the regulators may bring an enforcement action against an organization that violates CASL, there is a potential for individuals, partnerships, corporations, organizations, etc. (or more aptly, a group of such persons) to bring a lawsuit against an organization that has breached CASL. There is a risk of high damages awards under CASL. The following chart summarizes the potential damages that a court may award.

As a result of the potential for high damages awards, it is likely that CASL litigation will become the next trend in class action litigation. It is also important to note that the CRTC, because it has limited resources to pursue enforcement action, has been focusing on the worst offenders. Class action lawyers are not similarly restrained, so it is likely that they will aggressively pursue organizations that have allegedly violated CASL. The class action risk is heightened because CASL allows a court to impose a monetary award without any proof that actual damages have been sustained.

An employer can be held liable where an employee violates CASL while acting within the scope of his or her employment, unless the employer can show that it exercised due diligence to prevent the violation. In addition, it is an offense to aid, induce, procure or cause to be procured the sending of CEMs in violation of CASL.

For more visit their article here or download the PDF version here.

CRTC CASL Compliance and Enforcement Update

On February 12th, Lynne Perrault and Dana-Lynn Wood gave a presentation to continue the CRTC’s “on-going dialogue” with industry. Keith Rose wrote a great synopsis for snIP/ITs:

As of early February 2016, the SRC has received over 500,000 complaints. These have been received fairly steadily at a rate of about 22,000 per month (5,000 – 6,000 per week), although there is a noticeable spike each time the CRTC issues an enforcement announcement.

More than 80% of the submissions from Canadians (a subset – the SRC accepts submissions from non-Canadians as well) have been about email. SMS is the next largest category, at about 13%. However, this may reflect (at least in part) the fact that the collection mechanisms that the SRC uses were largely designed with email in mind and it is much easier to report an email message to the SRC than any other kind of CEM.

An overwhelming 94% of complaints involved some form of consent issue (including both initial consent and withdrawal of consent/unsubscribe issues). Approximately 1/3 of complaints involved the identification requirements, and slightly less than that (28%) involved some allegation of deceptive marketing practices. (The numbers do not add up to 100% because complaints may involve multiple issues. Also, to be clear, the analysis is of issues reported by the complainants without any attempt to assess their merits.)

The presenters also addressed the interpretation of the due diligence provisions of the Act. As they explained it, whether an organization has exercised due diligence is an all-or-nothing question; there is no partial defence.

The presenters referred to a number of factors or tests that might be applied, including having adequate written policies with adequate on-going training, contemporaneous record-keeping, active monitoring and enforcement to put those policies into practice as well as responsiveness to complaints, problems and to inquiries from the CRTC. It was not entirely clear whether these were factors to consider, if relevant, or tests that would apply on a cumulative basis. But in any case, the Commission’s view seems to be that due diligence is not a one-time activity; it is an on-going, day-to-day activity that organizations will have to practice and document if they want to be able to rely on it as a defence.


CRTC executes warrant in malicious malware investigation

The CRTC has executed their second warrant under Canada’s anti-spam legislation at two locations in the Niagara region. The warrant was obtained as part of an ongoing investigation relating to the installation of malware based on a lead from FireEye Inc. (a cyber threat protection and forensics specialist).

“We are working to protect Canadians from online threats by pursuing those individuals and entities who violate Canada’s anti-spam legislation. We are grateful for the assistance that FireEye Inc. provided which led to the execution of this warrant, and we will continue to work closely with our domestic and international partners in the fight against cyber threats.”

Manon Bombardier
CRTC Chief Compliance and Enforcement Officer

At the moment details are sparse, but visit the Government of Canada news release for more details.

2016: Cybersecurity, Corporate Ebola and CASL

Peter Clausi takes a look at the key risks to businesses in 2016 including Cybersecurity and CASL’s looming threat of class action litigation.

Cybersecurity was identified by PWC at its 2015 global conference in Monte Carlo as one of the key risks to businesses in 2016. The cybersecurity insurance market is estimated to be worth USD$7.5B by 2020. IIROC, the self-regulatory body for Canada’s brokerage firms, takes this so seriously that in December, 2015 it issued a standalone Cybersecurity Best Practices Policy aimed at small and medium sized firms.

Currently, the only consequence of a failure to comply with CASL is a prosecution by the Canadian Radio-television Telecommunications Commission (CRTC) and possible fines. The maximum penalty for a violation is $1,000,000 for an individual and $10,000,000 for a corporation, in addition to the legal costs, the cost of distraction and the public relations damage.

The problem is, that will change in July of 2017. That’s when the courts begin to share jurisdiction over CASL breaches. You and your company can then be sued for CASL breaches. Yes, in court, and supportable by class action litigation. And the onus will be on you as the sender to prove you were in compliance – the plaintiffs will not have to prove you weren’t in compliance.

Visit the original post for the full article.