Law Times

April 29, 2019

The premier weekly newspaper for the legal profession in Ontario

Issue link: https://digital.lawtimesnews.com/i/1110112

Contents of this Issue

Navigation

Page 9 of 15

LAW TIMES 10 COVERING ONTARIO'S LEGAL SCENE | APRIL 29, 2019 www.lawtimesnews.com BY JULIUS MELNITZER For Law Times T he Canadian Radio-Televi- sion and Telecommunica- tions' recent guidance on its approach to intermediary liabil- ity under Canada's anti-spam legislation is overreaching and onerous, according to lawyers working in the field. "There were shock waves through the industry about how extensive the guidelines were and what could be perceived as a burdensome laundry list of compliance expectations, es- pecially for the many startups in this arena," says Monique McAlister, a regulatory, public and commercial law partner at Goodmans LLP in Toronto. The guidelines, issued in De- cember 2018, are meant to assist in the interpretation of s. 9 of CASL, which not only prohibits certain activities without ob- taining consent but also prohib- its anyone from aiding, includ- ing, procuring or causing such activities to be procured. The point of controversy, however, is the provision in the guidelines that innocent in- termediaries can be liable for breaching s. 9 "even if they did not intend to do so, or were un- aware that their activities en- abled or facilitated contraven- tions of CASL by a third party." Most observers trace the guidelines' origin to the no- tices of violation issued by the CRTC in July 2018 against Sun- light Media Network Inc. and Datablocks, which included a $250,000 penalty. The CRTC contended that Sunlight and Datablocks used online advertising to deliver malware (ads booby-trapped with malicious computer pro- grams, including ransomware and Trojan horses). Usually in such cases, the ad network re- directs web browsers to a page controlled by the advertiser from which further exploitative malware can be launched. According to the CRTC, Sun- light and Datablocks facilitated the installation of malware by providing software, services and infrastructure to their advertising clients that enabled them to vio- late CASL, primarily by obviating the need for the consent required from individuals before software (in this case the malware) was in- stalled on their computers. The companies have chal- lenged the notices, alleging that they were apparently conjured out of thin air by improperly invoking a general duty on the part of all intermediaries to pre- vent others from breaking the law. The CRTC has not yet ruled on the challenge. But David Young, principal at David Young Law in Toronto, a regulatory and privacy law coun- sel practice, says that, regardless of the final result, the Sunlight affair was an egregious case that did not provide a proper founda- tion for the extended liability de- scribed in the guidelines. "This was a no-brainer involv- ing vertically integrated internet and digital advertisers who were hand in glove so that one or the other of them had clearly violated CASL," he says. "The examples provided in the guidelines are far removed from this case." McAlister agrees, noting that the Sunlight case had previously received adverse coverage in the international and foreign press. "Both companies were on notice in 2015 that the services they provided were resulting in abuse, and they basically ig- nored it," she says. Even putting the connec- tion between the companies aside, Young says he can see li- ability attaching if there's some evidence that an intermediary knew they were providing soft- ware to downstream parties that enabled them to violate CASL. "The difficulty with the guide- lines is that it envisages liability even where there's no awareness of the enabling features of the of- fending software or infrastruc- ture," he says. "As drafted, the guidelines would make inter- mediaries responsible even if the software was misused without their knowledge or assistance." André Leduc, vice president, GR & policy at the Information Technology Association of Can- ada, worked at Industry Canada between 2008 and 2017, where he was responsible for putting to- gether the antispam regulations. "Section 9 was never intend- ed to be an extended liability clause," he says. "It was designed to avoid parties indemnifying themselves for what they knew was going on because they were doing it through a third party." Internet advertising, Leduc adds, is highly complex com- pared to print advertising. "A news outlet on which ads pop up would not likely know if an ad had misleading informa- tion or whether it had malware embedded," he says. "In fact, be- cause ads these days tend to be highly targeted, the outlet could well have no clue about which ads were actually appearing." According to Leduc, the CRTC's guidelines run contrary to CASL's aims. "The legislation is meant to encourage, not discourage, digital commerce," he says. "The CRTC is totally missing the boat on why s. 9 exists and what it is intended to do." Shaun Brown, a partner at nNovation LLP in Ottawa, where his practice focuses on e-commerce, e-marketing, pri- vacy, access to information and information security, also worked at Industry Canada while CASL was in development. "We always referred to s. 9 as the 'follow-the-money' clause," he says. "It was designed to pre- vent legitimate businesses from avoiding liability by having third-party spammers send out their advertising rather than do- ing it themselves." Brown says the CRTC's focus is misguided. "The CRTC jumped on the Databox case to interpret s. 9 as broadly as possible in an attempt to squeeze intermediaries to go after nefarious activities, rather than going after the bad actors themselves," he says. Like Leduc, he says the s. 9 guidelines are discouraging e-commerce, especially because the CRTC can impose penalties of up to $10 million. "The guidelines take the risk level through the roof for small and medium-sized Canadian businesses who are doing in- novative things in the economy," Brown says. "In fact, the guide- lines are so broad that the CRTC can always find something else that a company could have done by way of due diligence." What is clear is that the pre- ventive measures recommended in the guidelines are onerous. They include monitoring third- party activities, performing diligent and consistent audits, seeking legal and other expert advice, implementing a robust compliance program, validat- ing clients' identities and repu- tations and being cognizant of location discrepancies. Still, there may a bright side. "It's true that the guidelines are a bit expansive, but I don't think they're entirely unexpect- ed in light of the enforcement actions against Datablocks and Sunlight," says Lyndsay Wasser, the Toronto-based co-chair- person of McMillan LLP's pri- vacy & data protection group and its cybersecurity group. "I don't believe that the CRTC is trying to impose liability where companies are both not aware of what's going on and could not reasonably be expected to be aware of what's going on. It's a case of taking reasonable steps instead of going forward in bliss or ignorance." Indeed, given the uproar that followed on the release of the guidelines, the CRTC has taken steps to reassure stakeholders. "I think they tried to walk some of the guidelines back by giving speeches and presenta- tions in which they insisted that they were focusing on egre- gious cases and malicious actors where there were clear violations and no attempt at all to comply with the legislation," McAlister says. "They also said that not all the preventative measures listed in the guidelines will be relevant in every case." Simply following industry standards may not do the trick, however. "Where a threat or vul- nerability has been identified, steps should be taken to address it, even if that means surpassing industry standards," McAlister says. LT Monique McAlister says 'where a threat or vulnerability has been identified, steps should be taken to address it, even if that means surpassing industry standards.' Creates a 'burdensome laundry list of compliance expectations' Anti-spam laws are overreaching, say lawyers "The guidelines take the risk level through the roof for small and medium- sized Canadian businesses who are doing innovative things in the economy." Shaun Brown FOCUS LawTimesNews.com Fresh Ontario legal news and analysis available on any device. Get More Online

Articles in this issue

Links on this page

Archives of this issue

view archives of Law Times - April 29, 2019