The section was abruptly suspended last June, a month before it was to be enacted, when businesses, charities and organizations expressed concerns about the section, which would allow consumers to the private right of action to sue under s. 51 of CASL.
Critics of the section said that allowing a private right of action would have unnecessarily exposed organizations to class actions. It is now under review and its fate remains to be determined.
“The private right of action in CASL perhaps created a perfect storm for class actions,” says Michael Fekete, a partner in the technology group and the national innovation leader at Osler Hoskin & Harcourt LLP.
The provisions in CASL that were originally proposed would have allowed people to sue businesses and groups for breaches related to spam, as well as for breaches related to the Personal Information Protection and Electronic Documents Act and the Competition Act.
Most components of CASL came into force in 2014.
The provisions pertaining to the private right of action were to follow in July 2017, and they would have allowed awards of up to $1 million per day for sending spam.
However, critics said the legislation would allow people to sue for statutory damages, meaning they would not have to prove harm.
It was widely anticipated by the legal community that this would lead to a cottage industry of class actions brought against companies and organizations for non-compliance, even where no damage was done.
Therefore, the current federal government put the brakes on the section related to the private right of action after hearing concerns from businesses and sent it to a parliamentary committee for review.
The Standing Committee on Industry, Science and Technology issued a report in December 2017 after conducting a series of meetings and receiving 63 submissions. It concluded that the legislation and its regulations required clarifications to reduce the cost of compliance and better focus enforcement.
The committee also suggested the government needs to consider issues related to consent and the effects of the private right of action created by the legislation.
“There’s always a concern when you combine statutory damages, broad standing to sue and a prescriptive law because you can find yourself as a defendant in a class action very easily, even if there isn’t significant harm to consumers. And the fact that CASL created those conditions has led the government to reconsider bringing it into force,” says Fekete.
By suspending it, there is acknowledgement that the government is alive to concerns about whether the private right to action provisions created a huge amount of unquantifiable risk, adds Fekete.
Allowing anyone to sue for alleged violation of the legislation without requiring them to prove harm makes it difficult to clearly identify the risks and mitigate against them, says Shaun Brown, a partner with nNovation LLP in Ottawa.
If an organization is trying to comply but is considered by some to be in violation of the legislation, it could quickly find itself having to defend against legal action.
Brown says it’s frustrating for companies that are concerned that the private right of action could leave them vulnerable to a $1-million lawsuit.
“The industry is pretty much aligned on the private right of action, that it’s unnecessary and unhelpful and that it should be at least altered in the legislation if it is brought into effect,” he says, adding that the law is so “complex and confusing” that it’s difficult for companies to navigate if they are complying properly.
The federal government could tweak the legislation to follow the lead of other jurisdictions and limit who has standing to sue, says Brown.
He also says it’s possible to remove the statutory damages.
“Finding a way so that the organizations, the businesses that are directly impacted by spam pursue the bad actors [who purposely defy the anti-spam legislation] does make a lot of sense,” says Fekete.
Another approach that may be considered in Canada is allowing internet service providers and companies the private right of action to go after spammers to try to recover some of the costs they incurred by vast amounts of spam they must manage in their networks.
That makes sense to Stikeman Elliott LLP privacy lawyer David Elder, who also sees a similar enforcement approach applying to malware, which is also covered by CASL.
Service providers can directly attribute damages to spammers, he says, because they must invest in screening software and overprovisioning networks.
They also may suffer network outages they can directly attribute to mass spam.
Allowing the current provisions allowing the private right of action “really takes the implementation and supervision of CASL out of the hands out of the government and effectively puts it in the hands of private parties and plaintiffs’ counsel,” says Elder.
“I think there’s too much uncertainty with the law now to do that,” he says.