Publications

The United States and the European Union recently concluded a new agreement aimed at allowing U.S. companies to continue to collect, use and disclose personal information concerning European citizens, while still preserving their fundamental rights. To properly understand the importance of this new agreement, one must be aware that the Court of Justice of the European Union, in a decision rendered on October 6, 2015, had declared invalid the previous data sharing framework, known as "Safe Harbour", which governed the holding of personal information regarding European nationals by numerous American companies, including Web giants such as Facebook and Google. This transnational agreement provided for a self-certification mechanism for U.S. companies by which they undertook to abide by a certain number of guiding principles applicable in the European Economic Area (EEA), pursuant to which these companies could obtain the authorization to collect and store personal information originating from the European Union. Such an agreement was necessary to allow U.S. companies to hold personal information about European citizens because the legislative framework applicable in the United States does not offer "an adequate level of protection" for personal information as compared with that required by European authorities. However, in the wake of the revelations by Edward Snowden regarding the mass surveillance by U.S. authorities of the computer data of several large corporations, an Austrian citizen, Maximillian Schrems, sought and obtained the invalidation by the Court of Justice of the European Union of the Safe Harbour Agreement.1 The Court held that the “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”. While this decision was, in principle, supposed to apply immediately, the Data Protection Working Party (known as the “WP29”) — an independent European advisory board on data protection and privacy — urged the European institutions and the U.S. government to act by January 31, 2016 to agree to an alternative solution. It was in this context that the European Commission made the highly anticipated announcement, on February 2, 2016, of a new agreement in principle with the United States, dubbed the "Privacy Shield". The details of this agreement have not yet been disclosed, but we already know that this new mechanism will entail stricter obligations and tighter control of U.S. companies that deal with information of a personal nature originating from the European Union. Furthermore, access by U.S. authorities to this information is expected to be more closely regulated and more transparent. While, in theory, this agreement does not directly affect Canadian companies that collect, use or disclose personal information regarding European citizens, any such companies having an American subsidiary or a place of business in the United States and which collect personal information from Europe, as well as Canadian companies mandating third parties located in the United States with tasks that require the communication of personal information on European nationals, e.g. for hosting purposes, would be well advised to ensure they comply with the conditions of this new agreement when it takes effect. Stay tuned for more updates.   Schrems v. Data Protection Commissioner, 2000/520/CE, Court of Justice of the European Union, 6 Octobre 2015.

Whereas Canadian businesses have barely recovered from the first phase of Canada’s anti-spam legislation (CASL), which aims primarily to regulate the sending of unsolicited commercial electronic messages, a new series of requirements applicable to the unauthorized installation of computer programs came into force on January 15, 2015. Like the rules applicable to commercial electronic messages, the second phase of the CASL is based on an opt-in mechanism as opposed to an opt-out mechanism. In other words, if someone wishes to install computer software or programs on someone else’s device, he must first obtain the consent of the device’s owner or authorized user. Parliament has not limited the legislation to any devices in particular. This means that the installation of software or programs on a computer, smartphone, tablet or game console is likely subject to the new rules. Likewise, the installation of software or programs on any device with computerized components, such as cars, appliances, smartwatches, etc. Since the legislation does not apply to the personal installation of computer software or programs, it is important to bear in mind that the new rules only apply when a business installs or causes the installation of software on someone’s device as part of its business activities. For example, the new rules do not apply where a person downloads an application onto his or her own device. Nor does the legislation apply to employers who install software or a computer program on the company’s devices. On the other hand, if the employer wishes to install a program or software on a device belonging to its employee, it must obtain the employee’s consent first. Furthermore, the legislation establishes several cases in which a person is deemed to have consented to the installation of a computer program or software. These include, for example, cookies, HTML, JavaScript, or an operating system such as Windows, OS/IOS, Linux, Android, Unix and BlackBerry OS. For the time being, if computer software or a computer program was installed on someone else’s computer before January 15, 2015, the person is also deemed to have implicitly consented to the installation of updates until January 15, 2018. CONSENT OF THE OWNER OR AUTHORIZED USER Express consent must be obtained from the device’s owner or an authorized user. The CASL does not define the notion of “authorized user.” According to the CRTC, anyone who has permission to use the device is an authorized user. For example, an employee who uses a device supplied by his or her business, a spouse or children who use the family computer, the renter of a device, and a person who is repairing a computer (but only to the extent that the person is making agreed-upon repairs) are authorized users. When a person must obtain consent, the person must convey the following information to the owner or authorized user in clear and simple language: The reason consent is being requested The identity of the person who is seeking consent If consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is being sought The mailing address and one other type of contact information of the person A statement indicating that the person whose consent is sought can withdraw their consent A description in general terms of the functions and purpose of the computer program to be installed In addition, if the software or computer program collects personal information, interferes with the user’s control of the device, changes the device’s settings or the data stored on the device, causes the device to communicate with another device or allows a third party to connect to the device remotely without the owner or authorized user’s knowledge, the request for consent must also disclose the following information: A description of these functions and the reason for them A description of the impact of these functions on the operation of the device All the consent-related requirements must be met before the software or computer program is installed. As for the consent itself, it is not presumed and the burden of proof is always on the person who does or causes the installation. A $1.1 MILLION PENALTY FOR CONTRAVENING CANADA’S ANTI-SPAM LEGISLATION The CRTC recently reprimanded a Quebec business for sending commercial electronic messages without the consent of the addressees and for sending messages with unsubscribe mechanisms that did not function properly. The monetary penalty for the four violations is $1.1 million. The company has 30 days to submit written representations to the CRTC or pay the penalty. It also has the option to request an undertaking with the CRTC to address this issue. We remind you that the CASL imposes serious penalties on people who do not comply with its provisions, including those concerning the unauthorized installation of computer programs. Offenders who are individuals face administrative monetary penalties of up to $1 million, whereas the maximum is $10 million for all other offenders. Effective July 1, 2017, any person who suffers a loss or damage due to a contravention of the CASL may apply to a competent court for an order requiring the person to pay the amount of the damage in question, plus up to $1 million in liquidated damages. CONCLUSIONS Although this second phase of the CASL mainly seeks to protect Canadian consumers and businesses against the installation of malware or spyware that is often particularly harmful to users, it should be kept in mind that the new requirements can apply to many other situations. It is therefore important for businesses to review their practices in this regard, to ensure they comply with the law’s provisions.

In December 2010, the federal Parliament passed the Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities1 that Discourage Reliance on Electronic Means of Carrying out Commercial Activities, better known as the “Canada’s Anti Spam Legislation” (CASL or the “Act”). The purpose of the Act is mainly to protect Canadian consumers and businesses against unsolicited spam messages, false or misleading commercial representations, malicious software and other electronic threats. It is scheduled to come into force on July 1, 2014. The new regime is based on a opt-in mechanism rather than through exclusion. As such, after July 1st, sending a commercial electronic message will be prohibited unless the recipient has consented to receiving it. Canadian businesses using electronic mail or social networks to inform and solicit customers will therefore have to review their practices in order to comply with the law, failing which they will be liable to administrative penalties and civil suits. However, transition measures are provided to give businesses time to adjust their practices.The definition of “commercial electronic message” within the meaning of the Act is wide and covers all electronic messages, including text messages (commonly called SMS), sound, vocal or visual messages in respect of which it is reasonable to conclude that their purpose is to encourage participation in a commercial activity. For instance, an electronic message which promotes an offer to purchase, sell or rent a product or a service constitutes a commercial electronic message covered under the Act. Such is also the case for an electronic message promoting a person as a purchaser, seller or renter of a product or service or involved in the areas of business, investment or gaming.Since non commercial activities are not covered under the Act, it must be noted that political parties, charitable organizations and corporations conducting market studies or surveys are generally not covered under the Act, unless their electronic messages are related to the sale or promotion of a product.Furthermore, the Act provides for many exceptions, such as messages sent between persons having a personal or family relationship or commercial electronic messages responding to a recipient who requested information on prices or estimates for the provision or delivery of goods, products or services.For the time being, the prohibition does not cover verbal communications by phone, which are currently governed by the Telecommunications Act2, particularly through the National Do Not Call List. However, this exception may be revoked by order-in-council if the government deems it appropriate.EXPRESS OR IMPLIED CONSENT OF THE RECIPIENTThe required consent for sending a commercial electronic message may be express or implied. The situations where the sender of such a message may rely on the implied consent of the recipient are set out in the Act. For instance, the Act provides that there is implied consent where the sender and the recipient have or had an ongoing business relationship within the two years preceding the date the message is sent. The same applies where the recipient asked the sender about products, goods or services during a 6-month period preceding the date of the message.The consent of the recipient is also implied if he or she has conspicuously published his or her electronic address without adding a statement whereby the recipient does not wish to receive unsolicited commercial electronic messages, to the extent that the message is relevant to the recipient’s employment or business or functions in such business.The consent is also implied where the recipient communicated his or her electronic address to the sender without indicating that he or she does not wish to receive unsolicited commercial electronic messages, again to the extent that the message is relevant to the recipient’s employment or business or functions in such business.Lastly, the existence of private relationships between the sender and the recipient within the two-year period immediately before the day on which the message is sent also allows for inferring the implied consent of the recipient to a commercial electronic message being sent in the cases provided in the Act.In all other cases where the Act does allow for inferring an implied consent, the express consent of the recipient is required for sending a commercial electronic message. Such consent is not presumed and the burden of proof lies with the sender.To obtain this consent, the sender must set out clearly and simply the purposes for which the consent is being sought and also the information that identifies the person seeking consent (or if the person is seeking consent on behalf of another person, information that identifies that other person). The scope of information which is required to be provided to identify the person seeking consent is set out in the regulations.It is important to note that after July 1st, a request for consent will in itself constitute a commercial electronic message. It will therefore not be possible to request such consent using an electronic mean, subject to certain exceptions.MECHANISM FOR WITHDRAWING CONSENT AND FORM OF COMMERCIAL ELECTRONIC MESSAGESThe Act provides that any person sending a commercial electronic message to another person must implement an unsubscribe mechanism allowing the recipient to withdraw his or her consent to receive commercial electronic messages from that sender. The sender must allow the recipient to express his or her will by electronic means, either by electronic mail or through a website, without cost and at any time. The sender must give effect to any withdrawal within a 10-day period.The description of this withdrawal mechanism must appear in the commercial electronic message which must, in addition, include information that identifies the person who sends the message or, if the message is sent on behalf of another person, the information that identifies the person who sends the message and the person on whose behalf it is sent. The commercial electronic message must also indicate the postal address and either the phone number to reach a service agent or a voicemail service, or the electronic mail address or the address of the website of the person who sends the message or, if applicable, the address of the website of the person on whose behalf it is sent.If it is practically impossible to include this information and the withdrawal mechanism in the commercial electronic message, they may be posted on an easily accessible web page without charge to the recipient through a link indicated clearly and prominently in the message.ADMINISTRATIVE PENALTIES AND PRIVATE RIGHT OF ACTIONThe Act provides for severe penalties for persons who fail to comply with its provisions. Contraveners are liable to administrative monetary penalties of up to $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person.Furthermore, the existence of a private right of action against the sender of an unsolicited commercial electronic message constitutes a crucial point of this new regime. The Act allows any person suffering a loss or harm as a result of non-compliance with the provisions of the Act by the sender of a commercial electronic message to apply to a court of competent jurisdiction for a judgment ordering the sender to pay him or her the amount of such damages, plus liquidated damages of up to $1,000,000. For instance, the recipients of a spam message who suffer damages after relying on misleading information found therein may institute a class action to pursue their common claims on the basis of this new Act.CONCLUSIONUnsolicited electronic messages are a nuisance which warrant action. Canada is the only G8 jurisdiction which had not yet taken specific measures to regulate or prohibit spam messages. However, the obligation to obtain the consent of the recipients of commercial electronic messages, who in most cases have nothing to do with the spam messages, will constitute a difficult and costly burden for many businesses.It is therefore important that businesses review their electronic mailing lists to ensure that they comply with the provisions of the Act, namely, that the persons whose names are included have given their express consent to receive commercial electronic messages from the businesses or that the businesses can rely on the implied consent of such persons, failing which the businesses will have to obtain adequate consents. Again, contravening businesses will be liable to substantial penalties and claims which may exponentially increase through class actions involving hundreds if not thousands of recipients who allege that they suffered damages._________________________________________1 S.C. 2010, c. 23.2 S.C. 1993, c. 38.

Limited Partners: a Closer Look at Your Liability Voluntary Disclosure: Is It Still a Worthwhile Option for Repenting Taxpayers? The Court of Appeal Recognizes the Right to Claim Legal Fees from a Defaulting Debtor The Superior Court’s Decision in Chambre des notaires du Québec v. Canada (Procureur général)

On April 28, 2005, the Chambre des notaires du Québec filed a petition to declare unconstitutional and of no force and effect requirements issued by the Canada Revenue Agency (CRA) under sections 231.2 and 231.7 as well as subsection 5 of section 232(1) of the Income Tax Act, R.S.C. 1985, c. 1 (5th Supp.) (ITA) to obtain documents or information prima facie protected by professional secrecy.

The member-funded pension plan: a defined benefit pension plan that limits the employer’s financial risk Doing business with the government: a question of transparency Your company and the influenza H1N1 flu pandemic