Thursday, March 26, 2015

U.S. Business Should Comply With the Canadian Anti-Spam Law

            On July 1, 2014, the Canada Anti-Spam Law (CASL) came into force.
            This law, on its face, applies to U.S. or foreign businesses that send commercial electronic communications, such as emails, text messages, social media messages, IM and voice messages, to recipients in Canada. See CASL Section 1 and Section 12.  This means that any such communications can only be sent if they comply with these 3 requirements:  (1) the sender received express or implied consent to send the communication, (2) the communication clearly identifies the sender, and (3) there is a unsubscribe mechanism on each communication.  See CASL Section 6(2).  Express consent can be obtained orally or in writing and lasts until revoked. See CASL Section 6(10); CRTC Regulation Section 4Implied consent can be proved in a number of ways, e.g., based on customer inquiry or purchase, and the term of implied consent varies from 6 to 24 months.  See CASL Section 6 (9-10).  The burden of proving consent rests with the sender of the communication. See CASL Section 13.

            The penalties for non-compliance with CASL can be high.  Fines can be levied up to $10,000,000.00 CAD for businesses and $1,000,000.00 CAD for individuals.  See CASL Section 20(4)Additionally, starting in 2017, there will be a private right of action.  See CASL Section 47.

            Even though the Canadian Radio-television and Telecommunications Commission (CRTC) has not yet attempted to enforce the law on an entity outside of Canada, we recommend compliance out of caution because it is less burdensome than dealing with a violation.

             Going forward, we recommend that whenever a customer from Canada contacts you that you obtain express consent to send them commercial electronic communications, and that you record how and when such consent was received.
- Henry Park

Monday, March 2, 2015

Internet – A Right to be Forgotten?

            Last year, on May 13, 2014, the Court of Justice of the European Union (CJEU) issued its ruling in Google Spain SL and Google Inc. v Agencia Española de Protecciónde Datos (AEPD) and Mario Costeja González ("Case").  In that case, the CJEU found that Google was a data controller under EU law (see Case, para 41), and therefore should remove links from its search engine to articles relating to Mr. González's home foreclosure because the proceedings had been resolved. 

            The finding that Google should remove links has been coined a "right to be forgotten."  However, that is an oversimplification because there is no literal right to be forgotten.  Rather, E.U. citizens may have a right to have certain information delisted from a search engine results when the citizen can show that the information is "inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that has elapsed".  See Case, para 94.  However, if the citizen plays a role in public life, then the right can be curtailed.  See Case, para 97.

            It is important to note that the right to delist from a search engine does not mean that the material from the original source has been deleted.  See Working Party Guidelines, at p.2.  Rather, it makes finding information about a particular subject much more difficult.

- Henry Park