CRTC CASL Enforcement Bulletin

Notice for Web Hosting Service Industry


In their efforts to enforce CASL, CRTC has broadly interpreted Section 9 of CASL which states: “It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.” 

In their November 22, 2018 announcement “Enforcement Advisory - Notice for Web Hosting Service Industry”  they recruited all web hosting providers to join their enforcement efforts.

When asked Why web hosting providers? 
CRTC responded with “CASL prohibits sending unsolicited commercial electronic messages (commonly referred to as spam), altering transmission data in electronic messages without consent and installing computer programs without consent. An organization or individual can also be found liable if they provided aid during these activities. 
  
Information gathered by the Canadian Radio-television and Telecommunications Commission (CRTC) shows that malware is being distributed by way of Canadian web hosting infrastructure. Web hosting providers and operators of other networked infrastructure are critical in safeguarding Canadian cyber security.”


They went on to explain that while web hosting providers may not be directly responsible for violations committed by their clients, they are nevertheless uniquely positioned to detect, prevent and stop these non-compliant activities. It is their obligation to stop these activities.

How do web hosting providers avoid liability?
Web hosting providers can avoid liability by “exersising sound due diligence including prevention strategies and the development of a written corporate compliance program. They went on to add:

“Once an organization becomes aware of infected infrastructure, remediating a cyber incident becomes critical to ensuring compliance. This includes both an incident-handling plan and an appropriately resourced incident response team.”

CRTC also asked Cyber Security Companies and Malware Researchers to:
“If you have any information on Canadian infrastructure used for illicit activities (e.g. spam, phishing, malware, or botnet-related activities) and Canadian web hosts which are non-responsive to abuse claims, you can report it to us via email at lcap-casl-inv@crtc.gc.ca."

Left with limited tools to enforce CASL, CRTC has recruited the industry players to help with enforcement. The public was meant to be the primary enforcement tool via the private right of action that was written into the law. On June 7, 2017,  just 3 weeks from the date of full enforcement of CASL, Minister Bains buckled to some heavy lobbying of the major brands and their industry associations who were concerned with being swamped with “frivolous lawsuits” from a public that had little understanding of CASL consent, particularly implied consent. He "indefinitely postponed" the PRA. Sounds kind of final does it not?

"Canadians deserve to be protected from spam and other electronic threats so that they can have confidence in digital technology. At the same time, businesses, charities and other non-profit groups should have reasonable ways to communicate electronically with Canadians. We have listened to the concerns of stakeholders and are committed to striking the right balance."
The Honourable  Navdeep Bains, Minister of Innovation, Science and Economic Development.

This resulted in CRTC going very quiet in the subsequent months/year. It’s good to see them getting creative and making the best of what they have. It is good to hear something other than crickets regarding CASL enforcement.

As President of the Direct Marketing Association of Canada I believe CASL was integral to the efforts of saving email marketing as an effective marketing tool for years to come. Many email recipients have stopped even checking their email as it is full of irrelevant messages from all types of legitimate and non-legitimate businesses. Without the rules set forth by CASL, we believe the death of email as an effective marketing tool was only a matter of time.

The weak enforcement of these new data protection and privacy laws has certainly moved CASL compliance off the corporate list of urgent to-dos in many organizations. 

0 Comments Write your comment

    1. Loading...