Bill C-27: An Early Critical Look at the Electronic Commerce Protection Act

On April 24th the Minister of Industry, Tony Clement, tabled a government bill with the aims of protecting consumers and businesses from dangerous forms of spam and regulating activities that are believed to discourage the use of electronic means of carrying out commercial activities. Bill C-27, the Electronic Commerce Protection Act, contains provisions that prohibit the sending of commercial electronic messages without prior consent, the unauthorized installation of computer programs, the altering of transmission data in an electronic message (as is commonly done in phishing scams), and a variety of other activities that touch upon electronic commerce. There are amendments to the Competition Act, PIPEDA, the CRTC Act, and the Telecommunications Act. The ECPA also allows for administrative penalties to be imposed by the CRTC against offenders as well as separate civil actions by persons who suffer damage as a result of violations.

Though the stated purpose of the ECPA is to “promote the efficiency and adaptability of the Canadian economy”, some of its provisions may do just the opposite if applied too liberally. Not that I am certain that the ECPA can be made any more effective, but this post will point out some of the possible undesirable consequences if it is passed. Of course, its overall effects, on which any judgment about whether it is actually a good law must rest, will likely not be truly understood until it is put into play in our dynamic marketplace. However, it should be expected that both legitimate and illegitimate enterprises will, as usual, evolve around the law so as to continue to pursue their end goals as best as possible.

Section 6 of the ECPA prohibits the transmission, without express or implied consent, of electronic messages that, it would be reasonable to conclude, have as their purpose the encouragement of participation in a commercial activity. Furthermore, section 2(3) states that “an electronic message that contains a request for consent to send a [commercial electronic message] is also considered to be a commercial electronic message”. So if X wishes to share information about entity Y (e.g. a business, band, or any other entity that can potentially be viewed as carrying on a commercial activity), and X invites his friends to subscribe to an e-mail list (made available through a mechanism set up by Y) or to join a Facebook group of Y, this may constitute a contravention of the provision against unsolicited electronic messages. Despite the exception to express consent between those who have a personal relationship, as found in section 6(5)(a), the mere fact that the receiver of the invite is on the e-mail list or friends list of X may not be sufficient to constitute a personal relationship.

The vicarious liability provision of section 32 maintains that principals are liable for the actions of agents who act “within the scope of their authority”. It may be argued that the existence and use of mechanisms of promotion set up by Y to be used by X entail that X has in fact acted within the scope of his authority as an agent of Y. Furthermore, because section 32 does not require that an agent even be identified in order for a principal to be liable, it is also possible that the manufacturer of a product, for example, may be unfairly held responsible for the actions of agents of its distributors and retailers. This would be the case despite the possibility that these agents may never be found, and even though they may have been acting on their own and had virtually no connection to the manufacturer.

As a separate matter, the ECPA does not seem to address any issue of reduced liability regarding a system that has become infected by malicious software and that sends out unsolicited electronic messages to others unbeknownst to its user. Though the defence of due diligence is allowed under section 33(1), it is difficult to assess the level of care that is expected to prevent infection of one’s computer. Would obtaining standard anti-virus software suffice? If it is found that one’s system has been infected, but the exact consequences are unknown, would the user be required to stop usage and go as far as reformatting to completely eliminate any possibility of a threat to others? Because malicious software is constantly evolving, it is possible that what may be considered due diligence right now will not cut it next year, so that the burden users will be expected to bear will continue to increase in weight.

Section 8 of the ECPA prohibits installing computer programs, as defined in the Criminal Code, onto another person’s system without their express consent. From section 342.1(2) of the Criminal Code, a computer program is “data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function”. This provision is meant to prevent the installation of malicious software and spyware; however, it will no doubt affect other aspects of internet browsing. For example, it seems as though JavaScript would fall within the ambit of this section, despite its common appearance on many websites for the purposes of enhancing the user’s experience and allowing for added functionality. In order to obtain express consent, according to sections 10(1) and 10(2), a variety of specific information (that most users will likely not be interested in) will have to be conveyed and accepted, thus slowing down the process of everyday browsing.

There is an interesting comment on Michael Geist’s blog by one Stephen Tyers, a Canadian living in New Zealand. He states that the ECPA closely resembles a New Zealand law that was recently passed, which I presume is the Unsolicited Electronic Messages Act 2007. He believes that businesses were advised to play it safe and so they ceased contact with past subscribers who may have been interested in remaining on their contact lists but would not have necessarily been considered to have given implied consent under the law. He also believes that the uncertainties in the law can be exploited, resulting in further losses to businesses in the form of litigation costs.

Obviously it is a difficult task to create legislation that delineates the types of electronic transmissions that we do not want, since it is the specific nature of a particular message that makes it spam. A balance should be reached that considers methods of preventing nuisances and threats that we would like to see eliminated as well as the resulting hindrances that are created by any new measures. Ultimately, Parliament must essentially make a judgment call about how far to cast its net of regulations so as to produce an optimum level of efficiency for both consumers and businesses.