In a secretive manoeuvre, Innovation, Science and Economic Development Canada (fondly called ISED) announced on June 7, nearly a week after Cabinet had acted, that the most important remedies available to businesses and consumers threatened with cyberattacks had been, indeed, iced.
The legislation, popularly called Canada’s Anti-Spam Legislation (CASL for short), was adopted in December 2010, after thorough review in Parliament (and passed with all-party support). Its main provisions came into force on July 1, 2014.
The legislation has always had its detractors – and not all criticisms were invalid. However, in the course of crafting the regulations, clarifications and carve-outs for especially sensitive groups (e.g. political parties and registered charities) were accommodated – even to the extent of legislative overkill.
On July 1, 2017, the provisions creating the private right of action (PRA) were to come into force.
Before discussing the PRA, some words need to be said about CASL more generally.
First, it is not just about spam: it prohibits harms like spyware and malware that can cripple the computers of consumers, businesses, governments, educational institutions and charities alike.
Second, CASL is not merely consumer protection legislation: it protects all users of the Internet, whether an individual consumer, a small business, or a Canadian chartered bank.
Third, it introduced valuable amendments to the Competition Act and the Privacy Act to prohibit false or misleading electronic communications and to protect against the hijacking and use of personal information.
CASL is enforced by three public agencies: the CRTC, the Office of the Privacy Commissioner, and the Competition Bureau. It is important to know that all three agencies have many other functions to perform, and that over the years the budget for the implementation and enforcement of CASL was constantly cut back (including, lamentably, the money that would have permitted a more fulsome public education campaign) or diverted to other purposes deemed more worthy at the time.
The agencies have chronic challenges in setting enforcement priorities. They have major legislation to oversee and enforce, and decisions on where to put enforcement resources must constantly be made. The computer forensic skills required to enforce CASL are difficult to find or develop, and even harder to maintain. Focus on minor non-compliance is seen as persecution of the weak. A focus on major violators eats up resources; such cases are countered by teams of lawyers, beset by delays, and litigated to the point where any eventual outcome is likely to represent a Pyrrhic victory. In short, public enforcement is under-resourced, compromised by competing priorities, and unresponsive to economic incentives.
The weakness of public enforcement was recognized as early as 2005, when the National Task Force on Spam recommended that any anti-spam legislation contain private enforcement mechanisms in the form of a private right of action.
CASL, from its earliest conception, included the PRA. The CASL private right of action is unique in Canadian law. As with other statutory private rights of action, it provides that any person who has been harmed by non-compliance with the legislation can recover actual damages (if malware has disabled your computer, you can recover the cost of the repair or replacement of the computer together with any resulting business loss). What is unique in CASL is that, in addition to actual damages, the victim of non-compliance can recover statutory damages that mirror the penalties that could have been sought by the public enforcement agencies.
Let us consider that for a moment. If a number of small businesses are hit by a malware attack, they could band together to hire a computer forensics expert to track down the malefactor. The economic incentives to recover just their actual losses may be insufficient to warrant the investment in experts and lawyers. However, if the court believes it appropriate, the businesses could recover not just their losses, but also an amount that reflects the public harm caused by the wrongdoer. In short, the PRA in CASL creates incentives for self-enforcement. Under the PRA, the public authorities do not have a monopoly in determining all enforcement priorities – the persons who have been harmed can determine for themselves if it is worth the time and investment necessary to track down and attempt to recover from the wrongdoers.
I know that many businesses see any private right of action as just one more step in the slippery slope to litigation hell. This is the Eeyore view of litigation: nothing good can possibly come of it. It can’t be expected that the PRA would be greeted with enthusiasm, but the fact remains that the PRA is a tool for any entity that is the victim of online harm. It is not restricted to consumers. It is a tool for legitimate business, governments or educational institutions that are victims of conduct that is non-compliant with CASL. Consumers are not the only persons who can take advantage of class actions.
The WannaCry ransomware attack is only weeks old. As these words are written, a new wave of ransomware is spreading through computer systems world-wide. Cybercriminals are now in possession of US National Security Agency cyber tools, against which there seems to be little protection. We read, with alarm, of new malware that seems beyond the detection of current software defences. In this environment, the Government has chosen to leave economic commerce to the mercies of cyber criminals while denying Canadian consumers and businesses the only self-help remedy that might possibly assist them in tracking down and recovering from those committed to cyber harm.
The only utterance from the Government came as a news release from ISED issued five days after the Cabinet killed the PRA. That release discusses only concerns relating to compliance with the spam provisions, and takes no account of the enormous economic benefits that might flow from proceeding with the full implementation of CASL.
While the news release speaks of concerns raised by interested parties, there was no public consultation on this abrupt change of course. No opportunity was given for all interested parties to intercede. To suspend, as it has promised to do, the PRA until the end of the mandated Parliamentary review of CASL is essentially to shunt the matter three or more years down the road (Parliamentary reviews of legislation have tended to result in governmental busy-work with little or no legislative action). This is a sad betrayal of all those who engage in online activity in Canada – which, according to recent statistics, is 93% of us.