The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

Canada’s Anti-Spam Law (CASL) – New Guidance on Providing Apps and Software

Canada’s Anti-Spam Law (CASL) targets more than just email and text messages 

In our previous post, we explained that on July 1, 2014, Canada’s Anti-Spam Law (CASL) had entered into force with respect to email, text and other “commercial electronic messages”.

CASL also targets “malware”.  It prohibits installing a “computer program” – including an app, widget, software, or other executable data – on a computer system (e.g. computer, device) unless the program is installed with consent and complies with disclosure requirements.  The provisions in CASL related to the installation of computer programs will come into force on January 15, 2015.

Application outside Canada

Like CASL’s email and text message provisions, the Act’s ”computer program” installation provisions apply to persons outside Canada.  A person contravenes the computer program provisions if the computer system (computer, device) is located in Canada at the relevant time (or if the person is in Canada or is acting under the direction of a person in Canada).  We wrote about CASL’s application outside of Canada here.

Penalties

The maximum penalty under CASL is $10 million for a violation of the Act by a corporation.  In certain circumstances, a person may enter into an “undertaking” to avoid a Notice of Violation.  Moreover, a private right of action is available to individuals as of July 1, 2017.

CASL’s broad scope leads to fundamental questions – how does it apply?

The broad legal terms “computer program”, “computer system” “install or cause to be installed” have raised many fundamental questions with industry stakeholders.  The CRTC – the Canadian authority charged with administering this new regime – seems to have gotten the message.  The first part of the CRTC’s response to FAQ #1 in its interpretation document CASL Requirements for Installing Computer Programs is “First off, don’t panic”.

New CRTC Guidance 

The CRTC has clarified some, but not all of the questions that industry stakeholders have raised.  CRTC Guidance does clarify the following.

  • Self-installed software is not covered under CASL.  CASL does not apply to owners or authorized users who are installing software on their own computer systems – for example, personal devices such as computers, mobile devices or tablets.
  • CASL does not apply to “offline installations“, for example, where a person installs a CD or DVD that is purchased at a store.
  • Where consent is required, it may be obtained from an employee (in an employment context); from the lessee of a computer (in a lease context); or from an individual (e.g. in a family context) where that individual has the “sole use” of the computer.
  • An “update or upgrade” – which benefits from blanket consent in certain cases under CASL – is “generally a replacement of software with a newer or better version”, or a version change.
  • Grandfathering – if a program (software, app, etc.) was installed on a person’s computer system before January 15, 2015, then you have implied consent until January 15, 2018 – unless the person opts out of future updates or upgrades.

Who is liable?

CRTC staff have clarified that as between the software developer and the software vendor (the “platform”), both may be liable under CASL.  To determine liability, the CRTC proposes to examine the following factors, on a case-by-case basis:

  • was their action a necessary cause leading to the installation?
  • was their action reasonably proximate to the installation?
  • was their action sufficiently important toward the end result of causing the installation of the computer program?

CRTC and Industry Canada staff have indicated that they will be publishing additional FAQs, in response to ongoing industry stakeholder questions.

See:  Step-by-Step: How CASL applies to software, apps and other “computer programs”

See also:  fightspam.gc.ca  and consider signing up for information updates through the site.


Leave a comment

Canada’s Anti-Spam Law (CASL) in force July 1

Canada’s Anti-Spam Law (CASL) enters into force on Canada Day, July 1.  It was passed in 2010 as a “made-in-Canada” solution to “drive spammers out of Canada“. 

Are you outside Canada?  It’s important to know that this law reaches beyond Canada’s borders.  CASL is already affecting businesses in the United States, Europe and elsewhere as they change their communications practices to send emails and other “commercial electronic messages” into Canada. 

As we have described in our presentation Comparing CASL to CAN-SPAM, the new law applies to messages that are accessed by a computer system in Canada.  That means that messages sent by a person, business or organization outside of Canada, to a person in Canada, are subject to the law.

CASL expressly provides for sharing information among the Government of Canada, the Canadian CASL enforcement agencies, and “the government of a foreign state” or international organization, for the purposes of administering CASL’s anti-spam (and other) provisions.  The MOU among the Canadian CASL enforcement agencies similarly references processes to share and disseminate information received from and provided to their foreign counterpart agencies. 

In a speech on June 26, the Chair of the Canadian Radio-television and Telecommunications Commission, Jean-Pierre Blais, emphasized the CRTC’s cooperation with its international counterparts to combat unlawful telemarketers, hackers and spammers that “often operate outside our borders“.  The Chairman specifically named “the Federal Trade Commission in the U.S., the Office of Communication (OFCOM) in the U.K., the Authority for Consumers and Markets in the Netherlands, the Australian Communications and Media Authority and others”, and noted that the CRTC has led or participated in many international networks on unlawful telecommunications.

Companies should also take note that a violation of CASL might also result in the CRTC exercising its so-called “name and shame” power, by posting the name of the offender and the violation on its online compliance and enforcement list.  The CRTC has for years published notices of violation with respect to its “Do Not Call List”, and is expected to take a similar approach for CASL notices of violation as well. 

The CRTC recently published a Compliance and Enforcement Bulletin on its Unsolicited Telecommunications Rules and on CASL, available here.  The CRTC recommends implementing a corporate compliance program as part of a due diligence defence: 

Commission staff may take into consideration the existence and implementation of an effective corporate compliance program if the business presents the program as part of a due diligence defence in response to an alleged violation of the Rules or CASL. Although the pre-existence of a corporate compliance program may not be sufficient as a  complete defence to allegations of violations under the Rules or CASL, a credible and effective documented program may enable a business to demonstrate that it took  reasonable steps to avoid contravening the law.


Leave a comment

More International Reactions to the US Massive Intelligence Collection

The revelation of the large-scale US intelligence collection program continues to bring about international reactions.  

United Nations

The Third Committee of the United Nations (Social, Humanitarian and Cultural) approved on November 26 a draft resolution on “The right to privacy in the digital age.” The draft will now advance to General Assembly voting.

 The General Assembly would call upon Member States to respect the right to privacy and to take measures to prevent its violation. They also would have to “review their procedures, practices and legislation regarding the surveillance of communications, their interception and collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law.

The General Assembly would also request the United Nations High Commissioner for Human Rights to write a report on the right to privacy in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale.

European Union Commission

In the European Union, the EU Commission published today a communication on “Rebuilding Trust in EU-US Data Flows.” The Commission noted that “the standard of protection of personal data must be addressed in its proper context, without affecting other dimensions of EU-US relations.”

This is why data protection standards will not be negotiated within the Transatlantic Trade and Investment Partnership (TTIP).

The Commission noted in the introduction that trust in the US/EU “has been negatively affected and needs to be restored” and that “[m]ass surveillance of private communication, be it of citizens, enterprises or political leaders, is unacceptable.”

The communication identified six steps which should be taken to restore trust in transatlantic data transfers:

Implement the EU Data Protection Reform

The proposed regulation has a wide territorial scope since companies not established in the EU would have to apply it if they offer goods and services to European consumers or monitor their behavior.

The regulation would also provide” clear rules on the obligations and liabilities of data processors such as cloud providers.” Surveillance programs affect data stored in the cloud, and companies providing cloud services asked to provide personal data to foreign authorities would not be able “to escape their responsibility” by arguing that they are mere data processors, not data controllers.

Making the Safe Harbor Safe

The Safe Harbor scheme has several weaknesses and that leads to some competitive disadvantages. For instance, some self-certified Safe Harbor members do not comply with its principles in practice. Also, some countries may decide to cease altogether data transfer on the basis of Safe Harbor.

Therefore,” the current implementation of Safe Harbor cannot be maintained.”However, it should be strengthened, not canceled.

The scheme would be more effective if certified companies would have more transparent privacy policies  and also if affordable dispute resolution mechanisms would be available to EU citizens.

Strengthening Data Protection Safeguards in the Law Enforcement Area

The current negotiations between the US and the EU on an “umbrella agreement” for transfers and processing of data in the context of police and judicial cooperation must be concluded quickly.

Using the existing Mutual Legal Assistance and Sectoral Agreements to Obtain Data

The Commission expressed hope that the US would commit that personal data held by private companies located in the EU will not be directly accessed and transferred to US law enforcement authorities outside of formal channels of cooperation, such as the Passenger Name Records Agreement and Terrorist Financing Tracking Program.

Addressing European Concerns in the On-Going U.S. Reform Process

President Obama has announced a review of U.S. national security authorities’ activities. This process should also benefit EU citizens by providing an opportunity to address the EU concerns about US intelligence collection programs.

Safeguards available to US citizens should be extended to EU citizens not resident in the US, and transparency should be increased and there should be better and stronger oversight.

Promoting Privacy Standards Internationally

The U.S. should accede to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the “Convention 108”, which is open to countries which are not member of the Council of Europe. The US has already acceded to the 2001 Convention on Cybercrime.

The press release about this communication is available here.


1 Comment

Privacy and Data Protection Impacting on International Trade Talks

European Commission

The European Union and the United States are currently negotiating a broad compact on trade called the Transatlantic Trade and Investment Partnership (“TTIP”). While the negotiations themselves are non-public, among the issues that are reported to be potential obstacles to agreement are privacy and data protection. Not only does the European Union mandate a much stronger set of data protection and privacy laws for its member states than exist in the United States, but recent revelations of U.S. surveillance practices (including of European leaders) have highlighted the legal and cultural divide.

In an October 29, 2013 speech in Washington, D.C., Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, emphasized that Europe would not put its more stringent privacy rules at risk of weakening as part of the TTIP negotiations. She said in part,

Friends and partners do not spy on each other. Friends and partners talk and negotiate. For ambitious and complex negotiations to succeed there needs to be trust among the negotiating partners. That is why I am here in Washington: to help rebuild trust.

You are aware of the deep concerns that recent developments concerning intelligence issues have raised among European citizens. They have unfortunately shaken and damaged our relationship.

The close relationship between Europe and the USA is of utmost value. And like any partnership, it must be based on respect and trust. Spying certainly does not lead to trust. That is why it is urgent and essential that our partners take clear action to rebuild trust….

The relations between Europe and the US run very deep, both economically and politically. Our partnership has not fallen from the sky. It is the most successful commercial partnership the world has ever seen. The energy it injects into to our economies is measured in millions, billions and trillions – of jobs, trade and investment flows. The Transatlantic Trade and Investment Partnership could improve the figures and take them to new highs.

But getting there will not be easy. There are challenges to get it done and there are issues that will easily derail it. One such issue is data and the protection of personal data.

This is an important issue in Europe because data protection is a fundamental right. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe’s fundamental values or our common understanding of a free society.

This is why I warn against bringing data protection to the trade talks. Data protection is not red tape or a tariff. It is a fundamental right and as such it is not negotiable….

Beyond the TTIP talks, the divergence between European and U.S. privacy practices is putting new pressure on an existing legal framework, the Safe Harbor that was adopted after the enactment of the EU Data Protection Directive. A number of EU committees and political groups are either criticizing or recommending revocation of the Safe Harbor, a development that could significantly change the risk management calculus for the numerous companies which move personal information between the United States and Europe.


Leave a comment

Canada’s Anti-Spam Legislation: A road map to “commercial electronic messages”

Let’s take stock of the information currently available on Canada’s Anti-Spam Legislation (CASL).  First, there is the Act itself.  Next, there are:

If you still have questions about the circumstances in which you can send a commercial electronic message (CEM) under CASL, you’re not alone. 

The following one-page overview is intended as a guide to the various scenarios contemplated under CASL.  As an “at a glance” reference, it is not intended as legal advice, and is not a substitute for consulting CASL and the various regulations and bulletins noted above.  It should, however, serve as a high level road-map through the maze.

CASL-Overview-Image


Leave a comment

Google in the Crosshairs of the European Data Protection Authorities

The following post of the first of a series of guest posts written by students from the US and from all over the world. If you are interested to write a post on a privacy or data security issue, please contact Bridget Calhoun or Marie-Andrée Weiss. The PRIS Committee extends a special invitation to foreign students for whom English is a second language. The following post is written by Clara Steimlé, a law student in France.

On April 2nd, 6 of the 27 European data protection authorities (DPAs) started legal actions against Google. Despite several warnings, Google did not take any measures to avoid this step.

The story began in March 2012 when Google set up a new Privacy Policy, which integrated in to only one all the privacy policies of its sixty or so services, thus allowing Google to gather Google users’ personal data and to create very precise profiles.

A few months later, in October, 2012, the European DPAs, united in the Article 29 Working Party (G29), which is an independent advisory body on data protection and privacy, asked Google, after consultation of an evaluation made by the French DPA, the Commission Nationale de l’Informatique et des Libertés (CNIL), for more complete and clearer information. The G29 thought that Google’s Privacy Policy did not meet the requirements of Directive 95/46/EC, the Data Protection Directive. The G29 then gave Google 4 months to put itself in conformity.

Pursuant to the Data Privacy Directive, data controllers must inform clearly and precisely the data subjects about the purpose of the data processing and also must respect the principle of data minimization. In particular, the G29 blamed Google on three main points.

First, Google does not supply its users with enough information about how it processes data. Users are not informed about Google’s data collection practices and Google doesn’t make any difference between personal data and special categories of data.

Secondly, Google does not give its users the power to control when their personal data is combined among its numerous different services. However, the DPAs did not criticize the principle to include all privacy policies in one. Lastly, Google does not specify the retention period for the data it collects.

During the audit of October 2012, the G29 had made recommendations to Google which, however, were not followed. The CNIL considered that Google should supply control to users over their data and to simplify their right to opt-out.

In spite of these recommendations, Google did not comply.

On March 19th, 2013, a working group met with representatives of Google but no change was implemented. The French, German, Spanish, Italian, Dutch and British DPAs thus decided to each start legal actions against Google in their respective countries.

Google is moreover known to engage in a bit of arm wrestling and to give in only when it no longer has any excuses not to do so. At the moment, it considers it did not violate European laws. The penalties that Google could incur would be different in each of the European Union countries which chose to start legal actions against Google, but could amount to up to 2% of its total global sales.

Nevertheless, the process is not irreversible as no legal action has yet been started, but could happen by the end of summer and penalties pronounced by the end of 2013. However, Google may give in before, not under the threat of financial penalties, but by fear of degrading its reputation.

Clara Steimlé is a LL.M. student at the University of Strasbourg in France. She graduated in 2012 from the University of La Sorbonne in Paris, where she studied international business law. She expects to graduate with a LL.M. in e-commerce economic law in September 2013. Her studies focus on data protection law, e-commerce law, and Intellectual Property. After graduation, she plans to take the French bar exam and practice IP/IT law, with a focus on international law.


Leave a comment

Election 2012: Privacy Platforms Compared

The Democratic and Republican Parties unveiled their respective policy platforms at their national conventions this past month. Both platforms address a host of issues related to internet freedoms and security, and differ greatly in some ways and little in others. The starkest contrast lies in the parties’ plans for protecting consumer privacy. However, in other areas such as cybersecurity, the differences seem more imagined than real.

Both party platforms prioritize the civil-liberties aspect of internet freedom but have different prescriptions for achieving achieving it. The Democratic platform envisions information privacy as freedom from private intrusion and public censorship, “protecting an open Internet that fosters investment, innovation, creativity, consumer choice, and free speech, unfettered by censorship or undue violations of privacy.” It later touts the implementation of consumer privacy initiatives taken by the White House as a step in this direction: “That’s why the administration launched the Internet Privacy Bill of Rights and encouraged innovative solutions such as a Do Not Track option for consumers.”

Earlier Secure Times coverage on the White House’s privacy approach and Privacy Bill of Rights is available here.

The Republican platform, on the other hand, specifically promises greater protection of personal data from use by government and law enforcement. In what may be a nod to the holding in United States v. Jones and the ongoing debate over location tracking, the RNC pledges to “ensure that personal data receives full constitutional protection from government overreach.”

The RNC platform goes on to add its support for protection from private actors, such that “individuals retain the right to control the use of their data by third parties.” However, it argues that “the only way to safeguard or improve these systems is through the private sector.”

Both platforms agree on the great importance of cybersecurity. However, the RNC criticizes the Administration for not being proactive enough in its efforts to neutralize new cyberthreats:

The current Administration’s cyber security policies have failed to curb malicious actions by our adversaries, and no wonder, for there is no active deterrence protocol. The current deterrence framework is overly reliant on the development of defensive capabilities and has been unsuccessful in dissuading cyber-related aggression. The U.S. cannot afford to risk the cyber-equivalent of Pearl Harbor.

The platform does not name any specific measures to dissuade rather than defend against cyberthreats, but it goes on to criticize the administration for not enabling enough information-sharing between public and private parties. Nonetheless, the Democratic platform mentions “strengthening private sector and international partnerships” as well.

Both parties roundly agree on the multi-stakeholder policymaking framework. Both statements seem to paraphrase each other. The RNC platform states:
We will resist any effort to shift control away from the successful multi-stakeholder approach of Internet governance and toward governance by international or other in- tergovernmental organizations.

The Secure Times provided earlier coverage of the Multistakeholder Process here.

Links:

National Journal: Dems Part Company With Republicans on Net Neutrality, Online Privacy

2012 Democratic National Platform

2012 Republican National Platform


Leave a comment

Canada’s Anti-Spam Law is coming – and will affect US businesses

Canada’s Anti-Spam Law (CASL) is now expected to enter into force in 2013.  Don’t expect things to sit idle until then, however. 

3 Next Steps for CASL in 2012

Following are three next steps for 2012, ranked in order of importance to industry stakeholders:

1.  Industry Canada to issue new set of regulations for comment

While businesses had hoped that regulations would clarify key terms and obligations under the Act, and lessen the Act’s impact on certain types of communications, many stakeholders were disappointed.  Many businesses considered that neither the draft Industry Canada regulations, nor the Canadian Radio-Television and Telecommunications Commission (CRTC) regulations as finalized, went far enough to clarify obligations.  Moreover, neither set of regulations provided the exemptions many businesses have called for, to exclude certain categories or types of messages from the application of CASL consent requirements. 

A glimmer of hope is in sight:  Industry Canada is expected to publish a new set of regulations for comment in the coming weeks.  These regulations are expected to contain some exemptions from the application of CASL requirements.  In the comment period, businesses will have the opportunity to comment on the regulations, and seek further changes to make CASL more workable. 

2.  CRTC to issue a series of information bulletins for industry

Anyone who has tried to read through CASL’s provisions and the accompanying CRTC regulations knows that they tend to raise at least as many questions as they answer. 

The CRTC is expected to issue information bulletins in the coming weeks and months to help clarify what is meant, and required, by some key elements of the regulations.  These bulletins may include matters relating to what it means to get consent “in writing” online, and how far businesses must go to make information accessible in “commercial electronic messages”. 

3.  Spam Reporting Centre

The government is currently reviewing bids by third-party service providers to operate the The Spam Reporting Centre.  The Centre will act as a liaison between the public and the government agencies (CRTC, Office of the Privacy Commissioner, Competition Bureau) on spam complaints and monitoring.  The government states that:

“When operational, the Spam Reporting Centre will accept various types of electronic messages from individuals and organizations in Canada. Reporting spam and related electronic threats will not stop such threats completely; however, the data sent to the Spam Reporting Centre will help it identify trends, and try to find out who is sending the spam and other threats and from where. This will aid in the future prosecution and civil proceedings against those responsible for electronic threats in Canada and internationally.”

The final line of the above quote – “future prosecution and civil proceedings”, and “threats in Canada and internationally” – is a stark reminder of two important points. 

First, the government means business.  Its objective is to “drive spammers out of Canada” (then Minister of Industry Tony Clement, 2010).  Second, CASL is designed to reach beyond Canada.  It is designed to capture commercial electronic messages that may be sent from other countries, and also to provide the framework for international monitoring and enforcement. 

3 Things to do while you “wait” for CASL in 2013:

  1. Participate in the comment process on the coming draft Industry Canada regulations
  2. Remind yourself of the differences between the U.S. CAN-SPAM requirements, and CASL
  3. It’s strongly recommended that businesses use the lead time before CASL’s entry into force to get their operations in order.  Prepare your organization’s  CASL audit, checklist, and Compliance Policy.  The CAN-SPAM vs. CASL presentation can help explain the basics. 


Leave a comment

UK Investigates Privacy Implications of Email-Hacking by Journalists

The UK communications regulator Ofcom this week announced that it is investigating alleged email-hacking by journalists at Sky News, a satellite news channel controlled by Rupert Murdoch.  The investigation raises interesting issues regarding the role of online privacy in news reporting; in particular whether privacy should trump the public interest in media led investigations into criminal activity.

Ofcom announced its investigation after a Sky News representative admitted to hacking the email accounts of John Darwin, who faked his own death in order to claim life insurance, and later reappeared living abroad.  In addition to email-hacking, Sky News also admitted to posting a hacked voicemail message from Mr. Darwin’s wife on its website.  These hacking admissions were made at the wide-ranging Leveson Inquiry into press ethics and culture, which was prompted by last year’s UK press phone-hacking scandal.

Under UK law, email hacking is a violation of the Computer Misuse Act 1990, and may trigger criminal sanctions.  In addition, Ofcom’s broadcasting code – Rule 8.1 – provides that: "Any infringement of privacy in programs, or in connection with obtaining material included in programs, must be warranted."  The potential sanctions for breach of Ofcom’s code range from a warning, to a fine, to revoking a broadcasting license in the most serious circumstances. 

For its part, Sky News argues that its actions were "editorially justified" since there are rare instances when it is defensible for a journalist to commit an offense in the public interest, in this case the detection of insurance fraud.

An Ofcom spokesperson stated that the agency "is investigating the fairness and privacy issues raised by Sky News’ statement that it had accessed without prior authorization private email accounts during the course of its news investigations." 

The regulator also announced that it will "make the outcome [of its investigation] known in due course." 

 

 

 


Leave a comment

New Developments on Canadian Anti-Spam Law

The Canadian Radio-television and Telecommunications Commission (CRTC) has made and registered its Electronic Commerce Protection Regulations for the Anti-Spam Act (CASL), which is expected to come into force in 2012.  The newly released regulations set out the information to be included in, and the form of, commercial electronic messages (CEMs), and information to be included in a request for consent.  The regulations also address how to get consent for the installation of computer programs.

The CRTC has responded to a select few of the broad-ranging concerns raised by businesses on the draft regulations during last year’s consultation phase.  Businesses will find there is a bit more flexibility in the “must-have” information they set out in CEMs, and when they seek consent to send them.  This implicitly recognizes that:

  • businesses operating online are not all created equal:  they do not all have the same contact capabilities, in terms of either human or online resources; and
  • CEMs are are not all created equal:  an email may be easy (relatively speaking) to load up with prescribed information, but online communications come in many forms, and some are not as adaptable to detailed information and contact requirements.

The following points compare the final regulations to the draft regulations (the latter in parentheses).  When sending a CEM or seeking consent, businesses may do the following.

  • simply include the name by which they carry on business (rather than both that and their legal name);
  • include their mailing address, and either a staffed or voicemail phone number, email address or web address (rather than the physical and mailing address, plus all of the above, plus any other electronic address);
  • include the information in the above point on a website that “is readily accessible” (rather than via a single click);
  • use an unsubscribe mechanism that can be “readily performed” (rather than “performed in no more than two clicks or other method of equivalent efficiency”);
  • simply indicate that the person whose consent is sought can withdraw their consent (no need to indicate the means to do so).

Despite the above points of flexibility, there is no denying that the Act and regulations will impose much higher requirements for CEMs than many businesses are prepared for.  This notably includes U.S. businesses operating in Canada who are familiar with, and compliant with, CAN-SPAM.  As we explained in a previous post, CAN-SPAM and CASL are different in several very important ways.  CASL has a broader application, clear reach outside Canada, higher standard for consent, and higher penalties.

In short, any business sending CEMs to Canadians needs to become informed about the CASL requirements and take steps to become compliant.

Next Steps

Further regulations are expected from Industry Canada before CASL comes into force.

Businesses and industry associations have called on the government to introduce even more flexibility to reduce the impact of CASL on their operations, while still meeting the government’s anti-spam priorities.  One of the frequent “asks” has been for some lead time prior to entry into force CASL to allow businesses to prepare their databases and operations.  Others have requested that the government use its regulation-making authority to exclude certain types of CEMs, and CEMs sent under certain circumstances, from the requirements of the Act.

It remains to be seen whether the government will introduce new exceptions, or more flexibility, under regulations to come either before or after CASL comes into effect – expected later this year.