Skip to content

Are you ready for CASL 2.0?

Proper compliance may all come down to ‘interpretation’
|Written By Jennifer Brown
Are you ready for CASL 2.0?
A law that protects citizens against malware is even more important than an anti-e-mail spam one, says Jon Festinger. Photo: Mark Brennan

On Jan. 15, the next phase of Canada’s anti-spam law comes into effect but will businesses that provide software services be ready to ask for all the documentation required?

The computer software provisions of CASL are aimed at preventing the installation of unauthorized malware and spyware programs but have varying degrees of impact on all types of software applications.

Section 8 of CASL requires “express consent” to install a computer program on another person’s computer system or device in the course of commercial activity.

Breach of the requirements can result in fines of up to $10 million for organizations or $1 million for individuals. Employers can also be held vicariously liable for employee actions.

An example of those who must comply include any company that does computer maintenance and repair work that may install software on a client’s machine. Or, in the automotive sector — software provided to vehicles in a “push” fashion. It is also prohibited for a web site to automatically install software on a visitor’s computer without consent, or for software to be updated without first obtaining consent.

“It applies to anyone who installs or causes to be installed a software program on a computer owned or leased by someone else in the course of commercial activity,” explains technology and privacy lawyer Peter Murphy of Gowling Lafleur Henderson LLP.

In a recent article, Murphy wrote that while the CRTC released guidance on this aspect of CASL on Nov. 10, further details on the computer program provisions can be expected in the future.

He told Canadian Lawyer InHouse Canada needed a law against malware but wonders if the CRTC’s interpretation of the law will pass the test in court.

“I think the intention is valid. Canada was behind compared to other major nations when it came to anti-spam and malware so now we’ve caught up. I think the intention is great, but unfortunately the way the law is written could stand some clarification. For that reason it makes it more of a burden on business than it otherwise might be because of the uncertainty that stems from some of the poor drafting,” he says.

Murphy questions whether the interpretation by the CRTC will be binding in court.

“There can be private actions brought in court as of July 1, 2017, and we don’t know if the court will follow the CRTC’s interpretation,” he says.

Where consent is required under CASL, it must be obtained before the software is installed and the person who obtains consent should keep a record of that consent. The consent requirements include the reason consent is sought, mailing address, and one other piece of contact information, a statement indicating the person whose consent is sought can withdraw their consent, and the function and purpose of the computer program to be installed.

“Organizations that install software on someone else’s computer will have a tougher time and more to do to comply with these provisions,” he says.

Practically speaking though, a law that protects citizens against malware is even more important than an anti-e-mail spam law says Jon Festinger, a Vancouver media lawyer and law professor at the University of British Columbia Faculty of Law.

“Spamming seems like a less important issue. E-mail spamming is like people knocking on your door when you don’t want them around. This [anti-malware law] seems a lot more important — it’s like not having people in your house when you don’t know they are there,” says Festinger.

And while the goal may have originally been to protect consumers, this aspect of CASL should really be viewed as just good for business.

“My argument is not a consumer protection argument, it’s a business success argument,” says Festinger.

“I think every country has a vested interest in de-cluttering people’s computers to ensure their own citizens are not being spied on inadvertently. If this kind of spyware that goes into your computer and gathers information and feeds it back is part of how governments are spying on each other — if you want to protect citizens you want to de-clutter their computers.”

While CASL doesn’t apply to apps users download themselves or update, Murphy says it is important providers make it crystal clear what they are agreeing to install when saying yes to a piece of software.

“It’s important any organization or individual making software available in a commercial context adequately describes the function and purpose of that software to make sure that user fully intends to install it when they make that decision.

“You want to avoid that user thinking ‘I didn’t know the software did all this. It was not reasonable for me to expect it, therefore it’s not a self-install because I didn’t intentionally install these aspects of this program’ and therefore CASL applied and you, the distributor, breached CASL. So the key is adequate disclosure.”

The law does apply to organizations outside Canada that offer software downloads into Canada. The CRTC has made arrangements with foreign authorities to enforce CASL abroad and co-ordinate with foreign authorities.

While he says it is “rather unlikely” the government will go after one particular instance where a provider violates the law, if there is a large outcry about one particular organization installing something viewed as malicious or malware Murphy says the CRTC may opt to go after foreign companies.

  • Incorrect on Apps

    Jim Hornyki
    The article is incorrect where it states that the law doesn't apply to apps and updates.

    The definition of "software" in the Act uses the Criminal Code definition, which clearly captures mobile apps. Further, the CRTC's own guidance indicates that apps a user installs are not captured, but automatic updates that are installed by the app developer ARE captured. So an app developer would either need to get consent when the app is installed for the updates, or never update the app.

    This will be a real problem for app developers with current apps out there when the 3 year transition period is up.

SPECIAL REPORTS



Save

PROFESSIONAL DEVELOPMENT