The Electronic Commerce Protection Act will accomplish little if there is not a real commitment to enforcement. The enforcement provisions form the bulk of anti-spam bill (my review of the prohibitions here, the effect on the do-not-call list here). The enforcement part of the bill includes details on who does the enforcing, investigative powers, and penalties associated with anti-spam violations. The short version is that the CRTC has been given a wide range of investigatory powers, including the power to compel ISPs to preserve transmission data. Once it concludes its investigation, it can pursue a settlement or bring a notice of violation. The penalties run as high as $10 million. There are also smaller roles for the Privacy Commissioner and Competition Bureau as well as provisions to facilitate anti-spam lawsuits.
The more detailed version is:
The CRTC is granted the power to levy Administrative Monetary Penalties for violations of the ECPA. The maximum penalty for individuals is $1 million and $10 million for any other person Section 20(3) identifies the factors to be considered in assessing the penalty, including past violations and financial benefits from the activity.
The ECPA provides the CRTC with a wide range of investigative powers, including the power to require ISPs to preserve transmission data related to the investigation (there are detailed provisions on the preservation issue), require individuals to produce documents, or obtain a warrant to search a place for evidence of a possible violation.
Once it completes the investigation, the CRTC has two options if it finds evidence of a violation. First, it can obtain an "undertaking" from a party that is alleged to have violated the law (an undertaking is effectively a settlement). The undertaking can include identifying past violations and include a penalty and additional conditions. Alternatively, the CRTC can file a notice of violation that sets out the alleged violations and penalty to be paid. The Commission has up to three years to commence an action from the time it is notified of an alleged violation. Once someone is served with a notice of violation, they can make representations to the CRTC defending their conduct. The CRTC is then required to decide, based on a balance of probabilities, if there has been a violation. The Commission has the right to make public the names of the people who enter into undertakings or are found to have violated the law. The CRTC decision can be appealed to the Federal Court of Appeal.
While a notice of violation is not the equivalent of an offence under the Criminal Code, officers and directors can be held liable for the actions of their companies. Courts are empowered to issue injunctions prohibiting further ECPA violations and the bill also includes significant financial penalties for violating the investigatory requirements (ie. obstruct or fail to comply with the investigation requests).
Private Right of Action
One of the Spam Task Force's recommendations was the establishment of a private right of action to facilitate lawsuits against Canadian-based spammers. The ECPA creates a new right that could allow for such lawsuits with penalties that reach a maximum of $1 million per day. The private right of action extends beyond just violations of the ECPA, as it includes contravention of the new PIPEDA provision and the Competition Act provisions.
New Anti-Spam Coordination and Complaints Mechanisms
Although not contained in the ECPA, the government materials that accompanied the release point to two new administrative efforts to address anti-spam enforcement in Canada. First, Industry Canada will serve as a "national coordinating body" with responsibilities for public awareness, the development of voluntary guidelines, and further research. Second, there are plans to establish a Spam Reporting Centre. It would "receive reports of spam and related threats allowing it to collect evidence and gather intelligence to assist the three enforcement agencies." The SRC appears to be similar to the U.S. FTC reporting mechanism, often referred to as the spam fridge.