The Digital North

Canada’s privacy, anti-spam and research funding rules pose significant challenges for US businesses and technology investors that have their eyes on Canada

While a wave of new technology aimed at digitizing the customer experience flows seamlessly across borders, the regulations governing it do not. In fact, some Americans might be surprised to discover that Canada – the polite neighbor to the north – has taken off the gloves when it comes to spam and digital privacy.

Canadian lawyers who work in this area say that what US counsel don’t know can come back and bite their clients.

 “US corporate counsel need to be mindful of the fact that Canada’s not simply the 51st state,” says George Takach, a senior partner at McCarthy Tétrault LLP in Toronto. “There is a separate and in some areas quite distinct legal regime north of the 49th parallel.

“Canadian privacy law, for example, differs in some very important ways from the US environment, as do our anti-spam laws. While eleventh-hour panicked phone calls are always interesting, it’s better for everyone if US legal counsel loops in their Canadian counterparts from the beginning when they are doing business in Canada.”

Even companies that have been selling services to Canadians for years can’t afford to become complacent.

Canada’s Anti-Spam Legislation, which came into effect mid-2014, is considered among the toughest in the world when it comes to regulating commercial electronic messaging.

CASL, as it’s referred to, makes what many US businesses would see as legitimate everyday activities – things like sending an email message to a customer, designing a new function on the company website or making a mobile app available for download – a potentially serious violation of Canadian law.

Martin Kratz, who leads the intellectual property and anti-spam practices at Calgary-based Bennett Jones LLP, says the anti-spam law “is often still quite surprising to US in-house counsel.

 “In Canada’s privacy law, being sensitive to the fact the US is our largest trading partner, we sought to balance with the US approaches to privacy. We didn’t do that with our anti-spam law. Unlike the CAN-SPAM Act, we have comprehensive regulation of commercial electronic communications in any electronic form – SMS messages through emails and any other form – and it’s comprehensive.

“In Canada it’s also based on an opt-in model, unlike the United States, which is an opt-out model. So generally speaking in the US, you can send the first email ‘free’ but you have to honor an unsubscribe. It requires the recipient to say: ‘I don’t want this stuff anymore’ and unsubscribe.”

But that US company is not permitted to send that first email to a Canadian, he says, calling it a Catch-22 for business. “You can’t use electronic means to ask for consent unless you have consent, or unless an exception applies. The law is very complex and it hasn’t been judicially considered yet.”

But it will be. The right to communicate with former or existing customers expires in July 2017, and a private right of action comes into effect.

Kratz says many privacy and anti-spam lawyers expect to see a rash of class-action lawsuits, particularly targeting large US retailers with sophisticated email communication programs.

“American companies often have integrated marketing programs that include Canada and they’ve usually collected personal information. They may have collected email addresses from Canadians that sometimes may not indicate whether they’re Canadian or not. The company just knows this person was a customer in a Florida store and they got an email address — it could be a dot-com rather than a dot-ca. That makes compliance for American companies more difficult.”

Wendy Gross, Co-chair of the technology group at Osler, Hoskin & Harcourt LLP, says the other half of the new anti-spam regime is an anti-spyware provision that prohibits the download of any unsolicited computer program or software. While designed to prevent malware from being installed on Canadians’ computers, it catches much more.

“The legislation is so all-encompassing it captures all forms of electronic messages — even in-app messaging could be covered. So whether the communications are coming from legitimate businesses or not, it’s all caught by the anti-spam legislation,” she says.

“Most businesses in the United States would probably just assume that there is not a whole different regime that applies to legitimate businesses communicating with their customers. But here in Canada there is.”

In addition to the rules about consent there are rules around the actual consent form, rules around the ability to unsubscribe, the unsubscribe form and the contents of the unsubscribe notices, she says, making the rules broad and far-reaching.

Every time a Canadian goes to the app store to download an app, for example, that’s a download of a computer program under the meaning of CASL, says Gross, who is based in Toronto.

“If I as the developer want to automatically push updates to my users, then there are rules around that. Think of this in the context of your automobile. If you have some sort of satellite help system on your car, your car is now just one large computer, so how does the automobile company push those downloads to your car and get your consent? It’s not obviously practical to do that.

“These are things where if you’re a US business – and we have this with many of our clients who are coming up here or do business internationally – you may need to figure out whether you need to re-engineer your whole download and sales process for Canadian customers. The standardized processes that work in the United States will not work up here.”

The legislation has led some US companies to make significant changes to their existing operational practices. But others are walking away from Canada, she says.

 “I’ve had some examples of clients where, when they’re told about the extent to which they’d have to revise their processes in order to do business in Canada, have decided it’s not worth it.”

Foreign companies that breach the rules are not out of reach of the Canadian Radio-television and Telecommunications Commission (CRTC), the key federal anti-spam regulator.

The CRTC has warned it will be collaborating with its international counterparts to investigate and enforce the Canadian legislation. The penalties for corporate non-compliance are up to C$10 million.

“That’s enough to get your attention,” says Gross.

It’s not just the anti-spam law that has been retooled. Canada recently enacted the Digital Privacy Act, a series of changes designed to modernize the Personal Information Protection and Electronic Documents Act.

While the regulations are still being drafted, the key change imposes a new standard of “valid consent” on every company that collects and uses a Canadian’s private information.

The Act stipulates that consent will only be considered valid “if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”

That standard affects everyone from multi-national retailers and app developers to mom-and-pop businesses.

Canadian law firms have been urging clients who do business north of the border to adjust their privacy policies and make sure they explain – in ways an average target customer would be expected to understand – why they want to collect the information and what they might do with it.

Another significant change under the Digital Privacy Act will be more familiar to US counsel: Mandatory cyber breach reporting. Any company that loses custody of its customers’ data will now be required to report the incident to the federal Privacy Commissioner as well as notifying individuals at real risk of “significant harm.” It’s a definition that, in Canada, includes humiliation, damage to reputation or relationships, and identity theft.

While the penalties of running afoul of the new privacy laws are not as high as the anti-spam laws, the Act also introduces a new right of private action, which is expected to give privacy-related class actions a shot in the arm.

Not that they need it. All but unheard of in Canada a few years ago, today there are 20 to 30 that have either been certified or are pending certification, says Cheryl Slusarchuk, a partner at Blake, Cassels & Graydon LLP. “There’s been a real rise,” she says. “Set that against the fact that we’re now going to have mandatory national breach reporting and you’ve got two things happening at once in the cybersecurity area.

“If I were US external counsel I’d be interested to know my risk profile for cyber security incidents is likely going up in Canada compared to what it used to look like.”

Slusarchuk, who works out of her firm’s Toronto and Vancouver offices, says it’s worth noting that there has also been an evolution of privacy torts, “which we haven’t previously had.”

And there have been some interesting court decisions. Condon v. Canada was the largest class action involving a digital privacy breach in Canada. It was filed after a government department admitted losing track of an external hard drive containing the names of hundreds of thousands of Canadians who had obtained student loans.

In 2015, the Federal Court of Appeal held that their claims based in negligence and breach of confidence should proceed even though there was no evidence any of the students had had their identity stolen or suffered a financial loss.

What that shows, says Slusarchuk, is that the courts are more willing to certify privacy claims, “and that’s even absent proof of harm.”

While the climate around electronic communications and privacy may seem unwelcoming to US-based companies accustomed to a very different environment, the spate of young tech companies developing north of the border is anything but.

“There’s an active and growing technology hub in virtually every province,” says Deborah Weinstein of LaBarge Weinstein LLP. “The biggest hubs are definitely Vancouver, Waterloo, ON, the Toronto region, Ottawa and Montréal. But I wouldn’t want to downplay what’s going on in Edmonton, in Saskatoon, in Halifax. We see that technology is really a big driver for many communities and with the new Liberal government we see it becoming even stronger and in regions you wouldn’t think of.”

The low Canadian dollar has a number of large US tech companies interested — and many innovative Canadian startups are interested right back.

But American companies looking at a Canadian purchase need to be careful. The acquisition can trigger a sharp increase in research and development costs, warns Weinstein, who is based in Ottawa.

 “The biggest thing for US companies buying Canadian companies, if they’re buying private companies, which, face it, most technology companies are, is the private Canadian companies get a big tax benefit through the SR&ED [Scientific Research and Experimental Development] refund. If you qualify, about 30 per cent or more of eligible research and development is given back by the federal government tax authorities as a cash refund.

“When these companies are bought by non-Canadians, the 30 per cent decreases to about 20 per cent and it is no longer a cash refund. It turns into a tax credit, which is offset against Canadian taxes. So that’s something that US general counsel, CFOs and lawyers need to be very aware of, because when they review the financial statements of the target, they have to realize the R&D cost which shows to be quite low is actually low because it’s been offset by a big tax refund.

“The financial guys have to scope that into their forecast of operating expenses going forward, and that can be the basis of quite a negotiation around valuation because if they lose that benefit, which they do 99 per cent of the time, then the challenge is that sometimes the buyer doesn’t want to pay as high a valuation as they thought at the outset when they thought costs were a lot less.”

It may be possible to structure an acquisition to keep the company Canadian, several lawyers said.

Young tech startups that choose not to sell have a tougher row to hoe than their US counterparts, says Anthony Morris, a senior partner at Norton Rose Fulbright Canada LLP in Calgary.

Access to capital for technology innovation in Canada has historically been more challenging in Canada than in the US, where there is a greater appetite and a broader financial infrastructure to draw upon, he says. “This is gradually changing as a deeper pool of technology leaders develops but this takes time. Canada also provides pockets of government financing and supports that should be understood and explored by any start-up and early-growth entity, though this can be somewhat challenging to leverage at times.”

Morris believes the biggest risk for US business right now is “not appreciating the depth of technology and innovation development talent that exists in Canada, and missing the business opportunities that it presents.

“For example, Calgary has a relatively young and well-educated workforce and its business cost structures are rapidly decreasing, making it a much more attractive place to invest in knowledge-based enterprises, especially with the current exchange rates. Even within Canada, it’s becoming a much more attractive place to establish businesses.”

Takach of McCarthys says many more Canadian tech entrepreneurs are staying home to start and grow their businesses.

“I think we’ve reached a tipping point, a maturity point — we have the investors here now, we have many more venture capital funds than we used to. We have some great recent successes like Constellation Software and Shopify. So we’ve reached a critical mass where you don’t have to go to the States, although a lot of entrepreneurs still choose to.”