CASL’s inscrutable computer program provisions to be tackled by CRTC
With the computer program sections of Canada’s anti-spam/anti-malware law (CASL) coming into force in January 2015, the CRTC has now started reaching out to the public for questions they want guidance on in FAQs or bulletins. I attended such a session last week (on September 9, 2014) at an IT.CAN Public Affairs Forum Roundtable. The attendees were Dana-Lynn Wood (Senior Enforcement Officer, Electronic Commerce Enforcement, CRTC) Kelly-Anne Smith (Legal Counsel, Legal Sector CRTC), and Andre Leduc (Manager of the National Anti-spam Coordinating Body, Industry Canada).
Unlike the initial information sessions related to the anti-messaging parts of CASL, no guidance was provided about how CASL or the applicable regulations will be interpreted by the CRTC. Instead, the CRTC has decided to get feedback on the issues the public wants guidance on, to consider the answers, and then to provide either an FAQ or bulletin to provide its guidance. Unfortunately, according to Ms Wood, neither form of guidance is expected before end of November or sometime in December. This timing is incredibly late to be of much help to businesses preparing for the program provisions to become law. However, Ms. Wood advised that sometime after completing the guidance documents and before their release, the CRTC will hold information sessions, as they did just prior to the release of the FAQs for the anti-messaging provisions.
As I have argued before, the computer program prohibitions in CASL are diabolically challenging due to their ambitious scope of regulating all computer programs installed on all computer systems as part of a commercial activity rather than targeting real malware or spyware. The challenges of applying CASL to the ubiquitous ecosystems of products and services that involve computer programs are compounded by CASL’s enigmatic drafting. See, CASL Industry Canada regulations: summary and comments, The Industry Canada CASL regulations and RIAS: a lost opportunity, CASL don’t forget about the computer program “malware” and “spyware” provisions, CRTC Issues CASL (Canada’s Anti-Spam Law) Guidelines, background and commentary.
Some of the questions asked at the IT.CAN roundtable illustrate some of the complexities that have to be navigated.
- When is a program “installed” on a computer system for the purposes of Section 8? Does it include downloads from web sites initiated by users? Does it also apply to off line installations e.g., where the program is installed from an installation CD?
- Who is the person responsible for causing a program to be installed? If a program is acquired from an app store, is the person responsible the software publisher, the app store, the user, or some combination?
- Does CASL apply to pre-installed software, for example, software on a computer or smart phone?
- What acts are caught under Section 10(5)(a)? Are they limited to stored information or do they include information that is indirectly collected?
- Consent must be obtained for all updates and upgrades to a computer program. What do those terms mean? Do they include bug fixes? Is there a materiality threshold?
- What parts of content do the program provisions and updates and upgrades apply to? If an app, for example, is a mapping application, do the provisions apply to updates to the mapping data as well as to the programs?
- Is an electronic programing guide (EPG) (or part thereof) a computer program and is an update to an EPG a program update for CASL purposes?
- What is a computer program? Does it include firmware? Does it include software distributed in embedded devices such as fridges, digital cameras, printers, set top-boxes and cable modems?
- What parts of a program will be considered to be an operating system?
- What does the term “in the course of a commercial activity” mean? Do the computer provisions apply to hackers or hactivists? (Is this a major gap in CASL e.g. does it impose unreasonable burdens on legitimate businesses but provide no legal recourse against the real culprits?)
- CASL requires consent from the owner of a computer system (or an authorized user). Is the lessor of a computer system an owner of the computer system for CASL purposes?
- How to make the disclosures and obtain necessary consents for the installation of programs, updates and upgrades? How can these be achieved for devices like programs embedded in products without user interfaces such as fridges and cable modems?
- How can disclosures and consents be obtained for apps purchased from app stores for use on mobile devices? How can the formalities be complied with on these devices for updates and upgrades? How can CASL’s provisions be complied with in each case where the program has the enhanced disclosure and consent requirements for Section 10(5) features or functions?
- How to comply with CASL for programs with multiple installations that automatically sync?
- Does CASL apply to installations of programs by service providers such as outsourcers? Are the outsourcers the agents of their customers? Do outsourcers need express consents and do they need to make to make disclosures to their customers?
- What is the scope of transition provisions in s67? Do they permit pre-January 2015 installed programs to continue to transmit information to the program installer without another consent? It is illegal under the messaging provision of CASL to seek a consent to provide program updates or upgrades for existing programs where there is no existing business relationship between the user and the program publisher?
These questions are only the tip of the CASL iceberg.
For people keeping count, the CRTC advised that since July 1, 2014 there have been 105,000 complaints under the anti-messaging portions of CASL.
For more information about CASL, see, CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline.
First published on barrysookman.com.
Canadian anti-spam law CASL malware