The CRTC has once again extracted a large sum of money from an “alleged” violator of Canada’s Anti-Spam Legislation (CASL). On November 20th, Rogers Media Inc. became the third company this year to enter into an Undertaking to resolve a CRTC investigation. Following on the heels of the Undertakings by Plenty of Fish ($48,000) and Porter Airlines ($150,000), the Rogers payment serves as an indication of how seriously the CRTC views violations of CASL. Notably, all three Undertakings relate at least in part to alleged violations of s. 6 and s. 11 of CASL, which deal with consent to the receipt of commercial electronic messages and the recipient’s ability to effectively unsubscribe.
Because the complaint was resolved by an Undertaking, there are few details of the alleged violations. What we do know is that the Chief Compliance and Enforcement Officer’s investigation alleged that:
Rogers Media Inc. sent certain commercial electronic messages to email addresses that either:
a) contained an unsubscribe mechanism that was not able to be “readily performed”;
b) did not enable the person to indicate their wish to no longer receive messages; or
c) did not provide an electronic address for the purposes of unsubscribing that was valid for a period of 60 days after the message was sent.
In addition, Rogers Media Inc. was alleged to have not given effect to certain unsubscribe requests within 10 business days.
As part of the Undertaking, Rogers Media agreed to improve its existing compliance program to ensure that its activities are fully compliant with CASL.
If your organization sends out commercial electronic messages, there is a pretty strong lesson in this Undertaking: take unsubscribe seriously. This means not only having a clear link on your messages, but making sure it works, and that you follow through on all requests. Remember, the readers who click on your unsubscribe link and fail will happily click on the CRTC’s Fight Spam link next. Filing a complaint is really easy – make sure your unsubscribe process is easier.
The Sedona Conference has just published the Second Edition of The Sedona Canada Principles Addressing Electronic Discovery. The original edition, first published in 2008, was quickly adopted by lawyers and the courts as the “best practice” guide for managing e-discovery in Canada.
The 2nd Edition was just released on November 20th. It contains long-awaited updates, particularly given the advances in technology since 2008. Four key enhancements are:
Microsoft is betting that Germans will trust their data to the Microsoft cloud if it is managed by a “Data Trustee”. When the Court of Justice of the European Union declared Safe Harbor not to be so safe in early October, the vulnerability of personal information held by big US corporations was in the spotlight. US data multinationals like Amazon, Microsoft, Google and Apple could promise whatever they wanted about keeping our information away from the prying eyes of the US government, but their international credibility was in question.
The first serious response came on November 11, when Microsoft announced that it would open two German datacenters in late 2016, which would provide German data residency for its cloud offerings. To assuage concerns about the US government (or others) being able to strong-arm them into turning over customers’ data, Microsoft announced the “Data Trustee”. Like the reveler who turns the car keys over to the host on the way into a party, Microsoft will lock itself out of its German datacenters. Partnering with Deutsche Telekom as Data Trustee, Microsoft is building a security model in which even they must ask permission to access customer data. Presumably Deutsche Telekom will ensure that only the right people can snoop around in the Microsoft cloud.
Will it work? Practically, it appears sound. Legally, it is unclear. These legal constructs are subject to legal challenge, and in the international privacy context those challenges will take years to sort out. What is clear is that the way information is protected needs to change. We are long past just trusting that our data is safe – and we are now seeing a shift to trusted non-state oversight. What they are called is not important – what matters most is who is holding the key and the circumstances in which they can be compelled to turn the key over.