On October 30, 2023, the Canadian Radio-television and Telecommunications Commission announced a notice of violation imposing a $40,000 penalty on a Quebec resident for conducting a high-volume phishing campaign in violation of Canada’s Anti-Spam Legislation (commonly known as CASL). The notice of violation is the first published CASL enforcement action in 2023.
CASL creates a comprehensive regime of offences, enforcement mechanisms, and potentially severe penalties designed to prohibit sending unsolicited commercial electronic messages (CEMs), unauthorized commercial installation and use of computer programs on another person’s computer system, and other forms of online fraud. The following are some key aspects of CASL:
- CASL creates an opt-in regime that prohibits, subject to limited exceptions, sending a CEM unless the recipient has given consent (express or implied in limited circumstances) to receive the CEM and the CEM complies with prescribed formalities (e.g., information about the sender and an effective and promptly implemented unsubscribe mechanism).
- CASL also prohibits, subject to limited exceptions, the installation and use of a computer program on another person’s computer system, in the course of a commercial activity, without the express consent of the owner or authorized user of the computer system.
- CASL imposes liability on organizations and individuals (including corporate directors and officers) for direct and indirect/vicarious CASL violations. CASL provides a due diligence defence.
- CASL violations can result in regulatory penalties of up to $10 million per violation for an organization and $1 million per violation for an individual. CASL includes a private right of action that is not in force.
The Canadian Radio-television and Telecommunications Commission (CRTC) enforces CASL’s rules regarding CEMs and computer programs. Since CASL came into force in 2014, the CRTC has investigated organizations and individuals for alleged CASL violations, issued enforcement decisions, and accepted voluntary undertakings (settlements).
Notice of violation
- In March 2021, the CRTC launched an investigation into a series of high-volume phishing campaigns after being alerted by a phone company about a potential scam affecting its customers.
- The investigation gathered information and evidence from multiple sources.
- The investigation found that, between December 2020 and January 2021, Sami Medouni, a resident of Quebec, sent or caused or permitted to be sent over 31,000 phishing text messages to Canadians without their consent.
- The messages mimicked well-known brands to obtain personal data, including credit card numbers, banking credentials, and other sensitive information.
- The messages were sent using six fraudulently obtained telephone numbers, which the CRTC alleges constitute six violations of the CASL prohibition against sending commercial electronic messages without consent.
The notice of violation imposes a $40,000 administrative monetary penalty on Medouni.
The notice of violation constitutes allegations by the CRTC’s Director of the Electronic Enforcement division. CASL’s enforcement procedures require Medouni to either pay the penalty imposed by the notice of violation, challenge the notice of violation before the CRTC, or negotiate an undertaking (settlement) with the CRTC. Medouni may appeal to the Federal Court of Appeal from any decision by the CRTC.
The CRTC’s announcement of the investigation and notice of violation comes at the end of Canada’s Cyber Security Awareness Month 2023. The announcement reminds Canadians to remain vigilant and report suspicious and spam activities to the Canadian Spam Reporting Centre.
For more information about CASL, see BLG bulletins CASL – Year in Review 2022, CASL – Year in Review 2021, CASL – Year in Review 2020, CASL – Year in Review 2019, CASL – Year in Review 2018, CASL – Year in Review 2017, CASL – Year in Review 2016, and CASL – Year in Review 2015.