Canada’s anti-spam legislation (CASL) is the federal law dealing with spam and other electronic threats.  It is meant to protect Canadians while ensuring that businesses can continue to compete in the global marketplace

CASL is a new anti-spam law that will apply to all electronic messages (i.e. email, texts) organizations send in connection with a “commercial activity.” Its key feature requires Canadian and global organizations that send commercial electronic messages (CEMs) within, from or to Canada to receive consent from recipients before sending messages. CASL does not apply to CEMs that is simply routed through Canada.

The EU General Data Protection Regulation (GDPR) is designed to harmonize data privacy laws across Europe, protect and empower all EU citizens data privacy and reshape the way organizations across the region approach data privacy.

Express Consent
Express consent is generally required to control or process personal data, except in certain circumstances.

Consent means any freely given, specific, informed and unambiguous indication of an individual’s wishes which, by a statement or by a clear affirmative action, signifies an agreement to the processing of their personal data.

The GDPR provides that, when assessing whether consent is freely given, “utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
CASL provides that a sender must hold the consent of a recipient in order to send the recipient a commercial electronic message (CEM), unless the CEM is exempt. Consent can be express or implied/deemed under CASL.

Unlike the principle-based forms of express consent under privacy statutes, CASL sets out various formalities that must be met in order for an express consent to be valid, including certain informational disclosures that must be made at the time consent is collected. The purpose for which an organization seeks consent must be clearly set out, with consent limited to that purpose.

Express consent under CASL may be obtained orally or in writing. CASL puts the onus of proof upon an organization alleging that it holds express consent, obligating an organization to put forward evidence in its own favour or face regulatory consequences. CASL provides that a request for express consent is a CEM and therefore cannot be sent without consent.
Implied Consent
The GDPR provides that the control or processing of personal data is lawful absent express consent in certain circumstances analogous to implied/deemed consent under PIPEDA and the PIPAs.

For example, where processing of personal data is necessary for the performance of a contract to which the data subject is party, such processing is lawful even absent express consent.
Unlike the principle-based forms of express consent under privacy statutes, CASL recognizes implied/deemed consent only in certain limited prescribed cases.

Under CASL, implied consent arises where a sender and recipient have an existing business relationship or an existing non-business relationship.

CASL provides that specific factual circumstances must exist in order for either of these relationships to form. CASL recognizes a limited form of implied consent where an individual discloses or publishes an electronic address without a disclaimer–note that this kind of implied consent is subject to certain restrictions on content.

CASL recognizes a limited form of deemed consent in specific circumstances related to referrals. This consent can only be used once before it expires. CASL permits the holder of an express consent to share it with third parties in certain circumstances.

The GDPR applies to both data ‘controllers’ and ‘processors’. Data controllers determine the purpose and manner in which data is processed. Data processors are any third party undertaking data processing on behalf of a controlle


Comments are closed.