It would hardly be fair to punish a business that did nothing wrong just because its customers are breaking the law. Imagine punishing an auto dealership because they sold a car to someone who later drove drunk. But Canada’s anti-spam rules are snaring companies that have done nothing wrong, simply because they sold products or services to people who use them illegally.
Last month the CRTC released a bulletin of its interpretations of the Intermediaries section (Section 9) of Canada’s Anti-Spam Legislation (CASL). In a nutshell, the section allows enforcement against entities that may not be the ones actually clicking “send” on a spam email, but who still contribute to violations of CASL.
The CRTC’s interpretation of this section overreaches this intent. For instance, in the bulletin the CRTC writes, “…it is possible for an individual or organization to be held liable and face administrative monetary penalties for violating section 9 of CASL, even if they did not intend to do so or were unaware that their activities enabled or facilitated contraventions of sections 6 to 8 of CASL by a third party.”
This isn’t just a friendly advisory either. The CRTC has already published a notice of violation against one Canadian company — a small ad network that allegedly had customers use their services to distribute malware. Moreover, there is a report of a number of telecommunications companies having received letters from the CRTC warning they face liability under the anti-spam laws when other people use their infrastructure to violate the rules. Aside from recommending service agreements, compliance programs, and other reasonable due-diligence practices, the letters audaciously encouraged “client vetting practices,” as if telecom companies should also be acting as investigators for the government and sniffing out potential offenders from their client lists.
The CRTC’s anti-spam overreach has come as a surprise to many, perhaps even to politicians. Last year, Industry Minister Navdeep Bains announced he was suspending the Private Right of Action (PRA) provisions of the anti-spam laws to allow time to pause and reflect. Those are the powerful provisions that allow accused violators to be sued. And even a tri-partisan industry committee in the House of Commons released a report last year requesting “clarity” or “clarifications” for no less than seven major parts of the anti-spam act. Even the name of the report was “Canada’s Anti-Spam Legislation: Clarifications Are In Order.”
Andre Leduc is a former director at Industry Canada and current vice president at the Information Technology Association of Canada. While at Industry Canada he was involved in the original drafting of CASL. “CRTC’s interpretation isn’t what was originally intended,” Leduc said. “Section 9 was a follow-the-money provision. And it was to enable enforcement against those who try to indemnify their violations of the Act by doing their unlawful work through third parties.” In other words, the point of Section 9 was to prevent companies that were actually involved in spam and other cyber threats from hiding behind a shell company.
There is certainly room to hold accountable those businesses who have clear knowledge of their customers using their products and services to violate CASL, having had reasonable time to take action, having the means to correct the violations, and not doing so. But for a sweeping interpretation that probably nets every communications-type service provider in its crosshairs is poor policy and lazy enforcement.
It’s going to take hard work and political will for the CRTC to go after real spammers — who often don’t even reside in Canada — versus legitimate Canadian companies trying to do right, employ people, and make an honest living. But it would be better for Canada if it did.