Like the US, rapid changes are occurring in e-commerce in Canada, but there are some major differences in the law
Robust activity characterized the Canadian e-commerce sector in 2011. All signs point to the fact that 2012 and beyond will be no different.
"The pace hasn’t slowed at all," says Fraser Mann of Miller Thomson LLP’s Toronto office. "Legal and business developments are continuing at a rapid pace."
Here are some of the most significant legal developments:
The Electronic Commerce Protection Act (ECPA), Canada’s new anti-spam legislation, was awaiting proclamation at press time. Although some aspects of the accompanying regulations remain to be finalized, the law in its present form may be the world’s most comprehensive attempt to restrict unsolicited email. It has extra-territorial effect, applying whenever a computer located in Canada sends commercial electronic messages anywhere, regardless of the destination.
The law is considerably harsher than the US CAN-SPAM Act. Unlike the American legislation, for example, Canada’s statute applies not only to email but to other forms of electronic communications, including instant and text messaging, and all social media.
Unlike any other international anti-spam legislation, the anti-spam provisions of the ECPA are not limited to messages that may be harmful in the sense that they contain some element of fraud or deceit. Rather, the ECPA prohibits the sending of any "commercial electronic message" (defined as any telecommunication including text, sound, voice or image) to an electronic address without the recipient’s prior consent, where the purpose of the message is to encourage participation in a commercial activity.
"We have a number of American clients who have elected not to come to Canada until the dust settles on this legislation," says Wendy Gross of Osler, Hoskin & Harcourt LLP’s Toronto office.
All of this is not to say that the laws in Canada and the US will be completely at odds. There are important similarities between the Canadian legislation and CAN-SPAM in the sense that the laws’ purposes are the same. Both seek to prevent consumers from being misled, both give consumers the right to decline receipt of unwanted emails and both seek to reduce the costs for businesses that have to manage an influx of spam.
But the fact remains that CAN-SPAM is opt-out legislation whereas the ECPA is premised on an opt-in principle. And the ECPA applies not only to business-to-consumer messages, but also business-to-business messages.
The core difficulty for businesses involved in electronic marketing, however, is that the consent provisions are quite rigid. The ECPA is very clear that consent is required before a commercial electronic message can be sent, which means that you can’t even send an email asking for consent. By contrast, CAN-SPAM allows an initial mailing, as long as it contains the required information and has a simple unsubscribe function.
Consent under the ECPA is implied when the sender and the recipient have in the past 18 months had an existing business or non-business relationship, both of which are defined by the statute. Where no such relationship exists, the sender must obtain the express consent of the recipient by setting out the purpose for which the consent is sought, information identifying the person seeking consent, and other information that may be required by regulation.
Indeed, the Bill does not permit consent for a solicitation to be inferred from publication of an email address even if it would be reasonable to assume the message would be of interest to the individual or their organization, or more generally from the conduct of the individual or organizations concerned.
According to Charles Morgan of McCarthy Tétrault LLP’s Toronto office, sending an email in any of the following situations would be considered unlawful under the ECPA in the absence of express consent:
To a potential supplier or customer proposing a possible business arrangement after reviewing its website, even if the recipient’s contact information is displayed on its website;
Sending an email with a link to a business’s website, if the website describes the goods or services of the business;
A business customer who hasn’t made a purchase for 18 months could not send an email asking for a catalogue, a price list, a quotation or an estimate;
Professional firms sending out e-alerts or newsletters to clients for whom they have not provided services in the last 18 months, if the material contains a link to the firm’s website or promotes the firm in any way;
Emailing an existing customer or supplier with whom the sender has a long-term contract entered into more than 18 months before the communication if it contains a proposal to do more business under the contract or includes an updated price list or catalogue of products, or suggests a meeting;
Sending e-newsletters that have advertisements to persons who have been receiving them without objection for years, unless the sender has done business with the recipient in the last 18 months;
Soliciting freelance or consulting services to prospective clients, no matter how targeted the communications are;
Proposing cross-industry partnerships with others in your field if you’ve never had any contact with them; and
Sending newsletters, business publications or company information to anyone who has made a relevant inquiry if the inquiry was made more than six months earlier.
The practical solution for dealing with the ECPA, lawyers say, is proactivity.
"Businesses should set out immediately to get express consents where they haven’t done so already, so there will be no ambiguity about dealing with Canadian customers and prospects," says Richard Corley of Blake, Cassels & Graydon LLP’s Toronto office.
Putting aside the practicality or efficacy of the ECPA, however, what is clear is that the legislation has teeth.
Offenders are liable to administrative monetary penalties of up to $1 million for individuals and up to $10 million for corporations. Officers, directors and agents are liable if they directed, authorized or participated in the violation. A due diligence defense is available.
The Canadian Radio-Television Telecommunications Commission (CR-
TC) will determine whether a violation has occurred and the amount of the penalty. The legislation provides for appeals to the Federal Court of Appeal.
As well, the ECPA provides for a private right of action for individuals affected by offenders. These individuals may apply for a compensation order for actual loss, as well as a maximum of $200 daily for each contravention of the breached provisions, with a limit of $1 million for each day on which a contravention occurred. Officers, directors and agents of corporation are subject to the private right of action if they directed, authorized or participated in the contravention.
As for prohibited activities that originate outside Canada, the ECPA gives Canada’s Privacy Commissioner the power to disclose and share information with foreign states. There is a similar provision in the US SAFE WEB Act.
Still, enforcement could be a daunting proposition.
"Given the practical implications of complying with the law, businesses will have to put in an enormous effort to comply and the government will have to devote enormous resources to enforce it," Mann says.
One of the significant impacts of the ECPA is that Canada may be at a competitive disadvantage as a venue for the nascent cloud computing industry. Although the Act exempts telecommunications companies, it does not exempt data centers.
As it turns out, the ECPA will be coming into force just as the cloud computing phenomenon is peaking in Canada. But IT lawyers say the convergence of the newest popular paradigm in information technology and what may be the world’s most comprehensive attempt to restrict unsolicited email doesn’t augur well for Canadian businesses interested in taking advantage of the economic opportunities cloud computing presents.
"The principal difficulty is the extra-territorial effect of the law," says Morgan’s colleague Barry Sookman.
The upshot is that if a cloud provider wanted to set up in Canada, any transmission from that cloud – whether inside or outside the country – would become subject to the legislation’s consent and disclosure obligations.
"That includes not only the cloud operators but their customers, wherever they may be," Sookman says. "The difficulty is that no one will want to be at a disadvantage in sending out electronic messages simply because the server happens to be in Canada."
Sookman is not suggesting that Canadian companies shouldn’t have to comply with anti-spam laws.
"I’m merely saying that the extra-territorial impact shouldn’t be so broad as to catch foreign companies who are using a server in Canada as a conduit," Sookman says.
Quite apart from the restrictions, there are operational liability issues for service providers who wish to operate in Canada.
"The law attaches liability to anyone who permits or aids a commercial electronic message to be sent, not just the sender," notes Christine Ing of Blake, Cassels & Graydon LLP’s Toronto office. "So service providers who situate in Canada will have to ask themselves whether and to what extent they have to start policing their customers."
All this aside, both Canadian and US companies will have to adapt their thinking to a new reality.
"The challenge for the e-commerce bar is that many have software licensing experience and licensing concepts that don’t translate well in a cloud environment," says Martin Kratz of Bennett Jones LLP’s Toronto office.
Digital payment mechanisms and processes, of course, lie at the heart of almost all e-commerce.
"There’s a great deal of interest in terms of what policy makers are going to make of electronic wallets and mobile payments," says Stephen Clark of Osler, Hoskin & Harcourt LLP’s Toronto office. "Everyone wants to know where the business is heading and what future regulation may look like."
The final report of Canada’s federal government’s Task Force for the Payments System Review was released in March 2012.
The Task Force’s mandate was to review the safety, soundness and efficiency of the system; to determine whether there is sufficient innovation in the system; to review the competitive landscape; to determine whether business and consumers are well-served by payments system providers; and to determine whether current payments system oversight mechanisms are still appropriate.
According to Wendy Gross of Osler, Hoskin & Harcourt LLP’s Toronto office, the overarching challenge facing the Task Force was striking the right balance between consumer protection and facilitating new entrants into the marketplace from both a technical and corporate perspective.
But whether the Task Force achieved this end is controversial.
The report lays out a proposed regulatory framework for the payments industry, including a self-governing organization and public oversight body. The radically new system would maintain the Canadian Payments Association as a core infrastructure entity.
"From a substantive perspective, the most significant of these recommendations is that payment industry participants such as processors, software and hardware manufacturers, acquirers, loyalty point program operators and ATM operators that were not previously subject to specific payments legislation would now be swept up in the definition of ‘payments system providers’ and subjected to the new proposed payments governance regime," says Jacqueline Shinfield of Blake, Cassels & Graydon LLP’s Toronto office.
Not surprisingly, the payments industry is less than enthusiastic about the recommendations.
"The radical approach of adding new regulatory layers will not be appetizing to the industry in general," says Eric Boehm of Borden Ladner Gervais LLP’s Toronto office. "And why would stakeholders who are currently not regulated want to move away from the unregulated freedom they now enjoy?"
Anti-Money Laundering (AML)
In a related development in December 2011, the federal government released a consultation paper related to the strengthening of AML laws — likely in response to international criticism that Canada was lagging behind in its regulation of digital money movement.
"One issue the government’s looking at is requiring a review of prepaid access products," Gross says.
If the consultation paper is any indication, it appears the government is inclined to introduce similar rules for small-money cards it has for the financial sector generally.
"So we may be looking at know-your-client rules that will make it more difficult to introduce new kinds of payment products," Gross says. "It’s another area where US clients have elected not to proceed with certain initiatives because of the uncertain regulatory environment."
In December 2011, the Privacy Commissioner of Canada released new online behavioral advertising (OBA) guidelines intended to ensure that advertisers’ practices are transparent and comply with federal private-sector privacy legislation.
"The guidelines are not intended to be revolutionary," Mann says. "Their main objective is to ensure that consumers are informed of specific online behavioral practices."
Accordingly, the guidelines confirm that OBA is a "reasonable purpose" for collecting personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA) subject to certain restrictions.
To begin with, children may not be the subjects of OBA because they do not have the capacity to consent.
Otherwise, because information collected for OBA is likely personal information, advertisers must comply with PIPEDA’s knowledge and consent requirements. The legislation’s knowledge requirements envisage that advertisers have an OBA policy that is "accessible, easy-to-read and accurate"; on the consent side, PIPEDA allows advertisers to use "opt-out" processes so long as they are easy to use and make consumers aware that information is being collected for OBA before it is actually collected.
"The key issue on the consent side is just how clear the notice has to be," Mann says.
The upshot is that US advertisers familiar with American law on the subject will not be confronted with difficult adjustments if they resort to OBA in Canada.
"There are no vast differences between the OBA rules in Canada and the US," Gross says.
Business Method Patents (BMP)
In March 2009, Canada’s Patent Appeal Board (PAB) shocked the intellectual property community with a definitive statement against the patentability of business method patents (BMP) in Canada. The Board also categorically stated that previous decisions allowing BMPs were wrong.
The pronouncement came in a lengthy decision that rejected Amazon.com Inc.’s patent application for a "one-click" shopping system related to the placement of online purchase orders with a single mouse click. Although a US patent for the one-click feature had been issued in 1998, the Canadian Intellectual Property Office (CIPO) had refused to issue a Canadian patent for the process in 2004.
But in November 2011, the Federal Court of Appeal rejected the PAB’s analysis and ordered CIPO to re-examine whether the one-click patent was "patentable subject matter." Shortly thereafter, CIPO granted the patent.
The Court of Appeal’s ruling was the culmination of protracted litigation, beginning with Amazon’s appeal to the PAB following CIPO’s initial rejection of the one-click patent.
Despite finding that the one-click innovation was both new and non-obvious, the Board ruled that the claims advanced were not patentable under the Patent Act because they did not define a "technological" advance that was either a physical object or an act performed "by some physical agent upon some physical object and producing in such object some change either of character or condition."
Amazon then appealed to the Federal Court, contending that the one-click patent was patentable subject matter and that, in appropriate circumstances, BMPs were patentable in Canada.
As the court in Amazon.com Inc. v. Attorney General of Canada saw it, the PAB’s ruling that a "traditional business method patent exclusion" existed in Canada was a radical departure from the country’s patent regime. In the court’s view, there was not and had never been any categorical prohibition of such patents. Rather, the test for what was patentable was that enunciated by the Supreme Court of Canada’s 1982 decision in Shell Oil Co. of Canada v. Commissioner of Patents, in which the high court stated that a patentable "art" was not limited to "new processes or products or manufacturing techniques" but embraced "new and innovative methods of applying skill or knowledge provided they produced effects or results commercially useful to the public."
In the Federal Court’s view, Shell had set out three conditions that an invention must meet in order to be patentable: it had to be a method of practical application that was more than an abstract idea; it had to be a new and inventive method of applying skill and knowledge; and it had to have a commercially useful result.
The PAB had also erred in isolating the portion of the claim that comprised the inventive step to determine whether it was patentable subject matter. Instead, the court ruled, claims must be purposively construed "as a whole" and not only by examining the new and non-obvious elements. As well, the PAB had erred in ruling that an invention had to be "technological" to constitute patentable subject matter. Rather, the court stated, the legislation should be construed "in ways that recognize changes in technology such as the move from the industrial age to the electronic one of today." This meant BMPs were patentable if directed to subject matter that met the general test of what constituted an "invention" under s. 2 of the Patent Act.
Finally, it was not necessary to transform something material into another form to meet the subject matter requirement in the Act. It was irrelevant, then, that the goods ordered by the "one-click" method did not themselves undergo some physical change.
Now it was CIPO’s turn to appeal, taking the case to the Federal Court of Appeal. But it substantially affirmed the Federal Court’s reasoning regarding patentable subject matter, ruling that no legal rationale existed for excluding business methods as potential patentable subject matter. The Court of Appeal also rejected CIPO’s stance that patentable subject matter had to be scientific or technological in nature, and agreed with the Federal Court’s view that what was "technological" was subjective and unpredictable.
US readers will of course notice that Amazon parallels the reasoning of the US Supreme Court in Bilski, which rejected the "machine or transformation" test as the exclusive test for patentability under the US equivalent of the subject matter test.
Given the difficult jurisprudence that has ensued over the issue in both countries, and given the uncertainty that still remains over just what is patentable in a specific case, any cross-border convergence of the law is surely a welcome development.
Julius Melnitzer is a legal affairs writer in Toronto.