Industry Committee on Nov. 2nd, 2010

Thanks, Mr. Chairman.

I appreciate this opportunity to be here today to discuss Bill C-28, the proposed Fighting Internet and Wireless Spam Act, or FISA.

The bill before you today closely resembles the former Bill C-27, the Electronic Commerce Protection Act, or ECPA, which this committee studied during the last parliamentary session. Bill C-28 builds upon the recommendations of this committee and stakeholders in response to Bill C-27.

FISA, like ECPA, provides a comprehensive regulatory regime that uses economic disincentives instead of criminal sanctions to protect electronic commerce. The measures introduced in Bill C-28 are based on international best practices.

This regime creates new violations to address the threats posed by spam, malware, deceptive online marketing practices, phishing and spyware.

It also allows for private right of action and introduces administrative monetary penalties in order to hold those who violate the Fighting Internet and Wireless Spam Act—FISA—accountable for their actions.

It also promotes international cooperation by providing authority for the three enforcement agencies, the Canadian Radio-television and Telecommunications Commission—the CRTC—, the Competition Bureau and the Office of the Privacy Commissioner of Canada, to share information with their counterparts around the globe.

We have provided the committee with a redline version of the bill to make it easier for you to compare FISA with its predecessor, ECPA. The redline version can be found at tab three in the blue binders that you have in front of you this morning.

I can take you through that document, if you like, but I would briefly like to summarize two substantive changes that have been made to the bill.

The first change concerns a new clause in clause 3, which can be found on page 4. The Personal Information Protection and Electronic Documents Act, or PIPEDA, contains a primacy clause in subsection 4(3) that, among other things, ensures that the consent provisions in PIPEDA take precedence over other acts. However, since the scope of the consent regime in FISA is more precise than in PIPEDA, it is necessary to include this coordinating amendment, which clarifies that FISA takes precedence over PIPEDA should there be any conflict.

The second change that I would point to can be found on page 59 of the bill, in clause 83. It concerns an amendment to PIPEDA designed to address the collection of personal information when a person accesses a computer system without consent. In Bill C-27, this provision applied when access to the computer system was without authorization. Stakeholders expressed concern that the term “without authorization” was too broad, and to address these concerns the provision now applies when access to a computer system to collect personal information is “in contravention of an act of Parliament”. For example, there was concern that hackers might be able to claim that information obtained about their practices from a website could be considered to be collected without authorization simply through the use of the terms and conditions on the site.

Mr. Chairman, it is our hope that the adoption of this bill will provide an opportunity, through a concerted and cooperative approach involving the public sector and the private sector, to reduce spam and related online threats. At the same time, the bill will permit us to work more effectively with our domestic and international partners to address threats to online commerce.

I would be pleased to take the committee through a more detailed examination of the changes highlighted in the redline version of the bill that has been provided to you, or, if you prefer, we can simply be prepared to respond to questions.

Thank you.

Absolutely. Thank you.

Yes, we have consulted with the Office of the Privacy Commissioner, and they are completely supportive of the change to FISA to ensure that in specific situations covered by this act, the consent provisions do take priority and precedence.

We think that the bill is very adaptable. We've taken a very careful approach to ensure that the legislation is technology neutral, in that it doesn't specify any specific type of technology. It uses broad language to capture electronic commercial messages, for example. We have also incorporated into the bill, though, where appropriate, regulation-making authority.

To the extent that we are aware of a challenge or a concern on the Internet today, we've enumerated that into the bill, but we've also allowed for regulation-making authority to permit us to accommodate new things or new threats that might come up that are consistent with the intent of the legislation as you see it before you today.

Yes, absolutely. The bill has specific measures to allow the CRTC, the Office of the Privacy Commissioner, and the Competition Bureau to collaborate internationally with their counterparts in other countries. It is a very important element of the bill. That is something that's been considered and something we look forward to seeing an improvement in once the legislation is in place.

I think the bill recognizes that third-party referrals are a difficult area and certainly are something that could be used by those who want to spam individuals. We recognize that the legislation does require, perhaps, a change in business models for the kind of situation you described, but would suggest that kind of situation could be handled by having the family member contact the real estate agent, as opposed to the real estate agent contacting the family member.

Clearly, what the legislation is trying to do is not allow a third party to give express or implied consent on behalf of another person. In the situation you described, someone might say that's a very legitimate marketing practice, but you can imagine that if the bill allowed someone else to give consent on my behalf, it is wide-open, from a spam perspective, to allow that to be widely used.

We do recognize that in some instances business models will have to change to accommodate the new legislation, but we think it's practical, reasonable, and necessary to obtain the objectives of the bill.

That's accurate. In the first instance, the bill clearly notes that the sending of the first commercial electronic message, even if it's just seeking consent, counts as an unsolicited commercial electronic message.

This is one of the clauses that differentiates us from the American model, which is an opt-out type of regime. Everybody gets that one-off. Every spammer, as much as every legitimate business, is permitted to send that first commercial electronic message.

We're saying that's not acceptable; that's just another form of spam.

The business model for the real estate agent, in this case, is that if the real estate agent would like to contact me through a friend, the friend can provide me with the real estate agent's card and I can contact the real estate agent, rather than the other way around.

One commercial electronic message.

I know we've said it at committee before, but the Americans are the last remnants of the opt-out regime; everybody else in the world has gone opt-in. Basically it's a “you can spam” act. It permits spamming, ultimately.

The marketing lobby in the United States was successful. That was not their original intent, but they were very successful in lobbying our American counterparts to put that in the legislation. Over the next few years, I'm sure we'll see the American folks having a look at moving to an opt-in regime.

A couple of countries have already started with an opt-out regime and transitioned to an opt-in regime on a similar model, like Japan.

Jurisdictions have moved, yes.

On first look, it seemed that the opt-out might work. It created too large of a loophole, so countries then migrated to an opt-in regime.

The 10-day deadline was set for withdrawing a person's consent with regard to an activity mentioned in clauses 7, 8 or 9. The process by which a person's consent is withdrawn is often automated. It could be someone requesting that their name be removed from a marketing list, which is normally done through an automated process.

A deadline of 10 business days gives enough time to small and medium sized businesses that traditionally do all this manually. For example, the business might make the change to their list manually and finish the work later. Ten business days equals a minimum of two weeks—maybe longer if we consider the Christmas holidays. That is enough time.

The text clearly says without delay and no later than 10 business days.