Canadian HR Reporter is the national journal of human resource management. It features the latest workplace news, HR best practices, employment law commentary and tools and tips for employers to get the most out of their workforce.
Issue link: https://digital.hrreporter.com/i/818928
CANADIAN HR REPORTER May 15, 2017 8 NEWS LeNoury Law Proactive Advice to Management Employment Lawyer of The Year James LeNoury B.A. (Hons) M.A. LL.B 416-926-1107 • Toll Free 1-877-926-1107 • lenourylaw.com Perfectbound • June 2017 $46* • L7798-7855 ISBN • 978-0-7798-7855-0 Multiple copy discounts available *Plus applicable taxes and shipping & handling University law faculties... and much more. (Prices subject to change without notice) Order your copy today. Visit www.carswell.com or call 1-800-387-5164 for a 30-day, no risk evaluation Connect to Atlantic Canada's LEGAL NETWORK The 2017-18 Atlantic Legal Telephone Directory connects you to your legal community providing accurate and essential legal contact information in all four Canadian Atlantic Provinces. Find over 4,300 listings of lawyers, firms and judges. Get quick, easy access to: • Law and Barristers' Societies • Courts of Appeal • Federal Court of Canada • Government of Canada departments • Judicial districts and judicial officials • Incorporated Municipalities • Land registration and information services • The Associations of Land Surveyors • Law Foundation • Provincial government departments • Boards and Commissions • Law Related Services, Institutions and Organizations • Many employers feel the rules don't really apply to them because they're not spammers — but the legislation is very broad, she said. "It's also very vague, which makes it hard to comply with. Even if you are the most diligent company in the world trying to put in a client strategy, it's very dif- ficult to determine what the dif- ference is between a permissible transaction email and impermis- sible personal electronic message — there are definitions but there's a lot of vagueness." A number of prosecutions by the Canadian Radio-television and Telecommunications Com- mission (CRTC) have hit com- panies that weren't making par- ticularly rigorous efforts, she said. And with some brand name com- panies, it was more about a tech- nical or administrative oversight, "which emphasizes the need for routine audits of your processes." In some cases, it was about inappropriate timelines, while in others, it was about emails sent by a third-party vendor not following process, said ompson. "ese are reputable companies that you'd never think they'd fall under the category of egregious spammers but they nonetheless got tripped up by the technical requirements of the legislation." In 2015, Porter Airlines, for example, agreed to pay $150,000 for alleged violations concerning its unsubscribe mechanism, and being unable to provide proof it obtained consent for some elec- tronic addresses. And in 2015, a notice of viola- tion was issued against training school Compu-Finder, with a penalty of $1.1 million, after an investigation found the company sent CEMs without the recipient's consent, as well as emails where the unsubscribe mechanism did not function properly. Private right of action But employers will want to get it right come July, as that's when CASL's private right of action (PRA) comes into force. is al- lows individuals and organiza- tions who are affected by an act or omission that is in contravention of the law to bring a private right of action in court against these in- dividuals and organizations. It will allow an applicant to seek actual and statutory damages, though the latter may not be pursued if the person or organization against whom the contravention is alleged has entered into an undertaking or has been served with a notice of violation by the government. The potential remedies are significant, according to David Young at David Young Law in To- ronto. In addition to actual losses or expenses, people who feel wronged may be able to recover, without any proof of loss, $200 for each non-compliant CEM — up to a maximum of $1 million per day — or, in the case of computer hacking, misleading electronic messages or email harvesting, up to $1 million per day. "e potential risks of private litigation under the PRA, and par- ticularly in the event of a class ac- tion, could be — not to be under- stated — potentially devastating and point to an important need for organizations to focus on their CASL-related risk management and avoidance strategies," he said. Where previously a violation was just subject to regulatory action, after July 1, there's a pri- vate right of action involved, said ompson, so anyone who's re- ceived an offending email is in a position to sue and recover statu- tory damages. "As a class action, there's a sig- nificant amount of money po- tentially at stake. So that's caught a lot of people's attention. So a lot of companies are reviewing their CASL compliance efforts that they've put into place one, two, three years ago to make sure they're actually being followed and their efforts are up to date." It's going to be interesting to see how the tribunal interprets the legislation because it's possible this right of action can be taken without any proof of damages, relying on the $200 provision, said Antoine Aylwin, a partner at Fasken Martineau in Montreal. "If the tribunal accepts that prin- ciple, we could very well see many class actions taken and it goes fast — when you send an email to 1,000 persons, well, it's $200,000 per communication, so say you send five, you're at $1 million, just by the mathematics of it." And when it comes to any al- leged contravention of CASL, the defence of due diligence applies, said Young, meaning a person will not be found to have contravened a provision if she can establish she exercised due diligence to avoid such non-compliance. is involves not only putting in place compliant systems and procedures, but also review- ing them on a regular basis and, where necessary, making adjust- ments to ensure they meet the legislative requirements, he said. As a due diligence offence, an employer is guilty unless proven innocent, said Clausi. "So all the CRTC has to say is 'Johnny Smith over there alleges you sent him email, he did not consent in advance. Did you?' e onus then shifts to you to produce all your records — not just ones involving Johnny but everybody — to prove that your pattern of behaviour is such that you did not commit that act concerning Johnny or anyone else," he said. "It is an incredible exercise. I know a few companies who have received a notice of violation and their legal cost to respond is roughly half-a-million dollars… Because nobody knows about it, my thinking is this is where the plaintiff class action will feast. Ig- norance of the law is no excuse." It's also important to remem- ber the liability could also go on the directors, "so the consequenc- es are huge," said Aylwin. "It might well lead to debates on the reach of the D&O (direc- tors' and officers') insurance policies because to go to the di- rectors and officers, there might be allegations of knowingly let- ting the emails be sent and if it's intentional, well, typically the insurance policy will not cover intentional behaviours." HR's involvement From the start, the CRTC has been saying human resources needs to be involved, said Clausi. "HR is a key element of any initial compliance solution and must be the driving force behind ongoing compliance. Compliance without human resources is not compliance." e government has said em- ployers need to designate a senior official to be the point of contact for all CASL issues, and desig- nate another senior executive re- sponsible to respond to any data or CASL breaches, he said. Plus, all employees must be properly trained on CASL, and disciplined if they breach CASL — and these are all activities involving human beings, said Clausi. "In a perfect world, HR is ac- tively engaged in this, as it must be in other data-related issues." e heightened compliance fo- cus gives employers reason to re- double their efforts to have train- ing in place for employees, said Young, "which a conscientious, diligent employer would have had already, with persons in commu- nications, marketing, whatever, in their CASL compliance programs. So it behooves employers to redou- ble those in light of the heightened compliance focus that will come into effect on July 1," he said. "It's not only important to give the guidance through policies, procedures and training ses- sions, but I'm seeing increasingly a heightened standard where you should be testing the employees to confirm they do understand it, so simple acknowledgement may not be enough. And that would certainly improve your due dili- gence standard." Much of the focus should be on the marketing department, which sends out the most CEMs, and training is important, said Aylwin. "And make sure that you have the proper technological envi- ronment to manage consent, and communications, and to keep track of all this because this is all needed by the legislation," he said. "Make sure that everything that would be seen as electronic commercial messages, the man- agement of it, should all be cen- tralized within the company be- cause compliance could be very difficult to manage if you do not have a centralization of either communications or at least guide- lines… you put yourself at risk." Education and updated poli- cies are a good chunk of what's required, along with looking at consent, said ompson. "If they haven't looked at deemed consent and can't find ei- ther a relationship to ground the validity of the message or they haven't sought expressed consent, a number of companies are now pushing before July to get that ex- pressed consent. " In addition, if a company is au- dited on an annual basis, there will be qualitative tests in addition to quantitative ones starting in 2018- 19, said Clausi, and the auditor will be required to make a judgment call on the quality of management. "Part of that is looking at com- pliance with all laws and regula- tions. CASL will become a large enough problem that the audi- tor will have to say, as part of his management rep letter: 'Are you in compliance with all known laws and regulations? Are you in compliance with CASL?'… And then the auditor will have to make disclosure in the audit of non-compliance." 'Reputable companies' get tripped up CASL < pg. 1 "I know a few companies who have received a notice of violation and their legal cost to respond is roughly half-a-million dollars."