Debates of Nov. 2nd, 2009

Mr. Speaker, I am pleased to rise to speak to the third reading of Bill C-27, Electronic Commerce Protection Act, or as it is also called the ECPA.

As chair of the Standing Committee on Industry, Science and Technology, I want to recognize the constructive work of all the members of the committee from all parties in improving the bill.

The bill, as amended, from committee has benefited from the work over the past months of the members of the committee. As a result, a number of key elements in the bill have been strengthened, clarified and have been done in a way without diminishing the core principles of what the government has been trying to achieve.

Email is a wonderful technology, and it has only been just over 10 years that we have all been using email broadly. In just over 10 years, it has completely changed our lives. However, many of the benefits of email have been offset by the problem of spam, which is unwanted and unsolicited commercial emails.

According to a MessageLabs report of September 2009, which is a division of Symantec Corporation, spam accounted for as much as 86% of all global email traffic. Unfortunately, Canada is in part responsible for this problem.

Canada ranks as one of the top originating states for spam. In Cisco 2008 Annual Security Report Canada ranked fourth on the list of spam by originating country list.

Late last year in the United States, Facebook won $873 million U.S. in damages from an American court arising from the activities of a spammer based in Canada. That case was prosecuted in the United States and not in Canada. That speaks to the lack of Canadian legislation in place to prevent this kind of activity.

The high volume of spam in recent years has negatively affected the productivity of the Internet and all the technologies associated with the Internet. When a high volume of email is spammed, many people spend hours deleting unwanted messages, networks slow down and companies are forced to spend millions, if not billions of dollars, upgrading their systems, their networks, their backbones, their routers, their pipes to the Internet in order to accommodate the additional bandwidth and network capacity needed to handle this volume of email traffic.

The high volume of spam has impeded the full potential of the Internet as a platform for both personal and commercial use. Spam is more than just unwanted email. It is often used as a vehicle to perpetrate fraud on Canadians. It can lead to online fraud by luring individuals to counterfeit websites, also known as phishing. It can lead to the theft of personal data to rob bank accounts and credit card accounts, called identity theft. It can lead to the collection of personal information through elicit access on one's laptop or on one's computer, known as spyware. It often is used as a vehicle to perpetrate fraud on Canadians

Not just Canadians suffer but Canadian businesses suffer and often this is an overlooked fact of spam. Canadian businesses suffer because they are the victims of the counterfeiting of their corporate website to defraud individuals. We all know of examples of getting emails from spammers or from other people who wish to perpetrate fraud. They ask for people's banking information. They send an email that contains a page that looks like a Royal Bank website or a TD Bank website and often many unsuspecting individuals give their information to these spammers, the people trying to perpetrate this fraud.

It also leads to spam borne viruses and other malicious software called malware, which are used to create networks of zombie computers known botnets without the knowledge of their owners. This undermines confidence not just that Canadians have in the Internet but that Canadian businesses have in the Internet as a platform for commerce, as a platform for doing business in the 21st century.

I do not think it is hyperbole to say that spam is costing Canadians and Canadian businesses billions of dollars a year in fraud, in network capacity and in the need to upgrade systems to handle the volumes of email which we are seeing. It costs the economy through malicious programs such as malware, spyware, phishing, viruses, worms and Trojans that enter computers. It costs the economy in terms of undermining Canadians and Canadian businesses in their confidence of the Internet, often having to rely on old-fashioned ways of doing business because the Internet is not seen as trustworthy enough to conduct certain types of business transactions.

In response to this problem, the Government of Canada launched a task force on spam to consult Canadians and their businesses. The task force was given one year to consult and report. In May 2005 the task force reported its findings and recommendations in a report to the Minister of Industry. I want to thank the members of the task force for their valuable work in this regard.

Our government has acted on the recommendations and findings of the task force by introducing Bill C-27, anti-spam legislation entitled “The Electronic Commerce Protection Act”, or the ECPA. This legislation will deter the most damaging form of spam from happening in Canada and will help drive spammers and their associated activity out of Canada.

The legislation addresses the recommendations of the task force on spam, which brought together experts from industry, academia, consumers and other business experts to come together to craft a comprehensive set of measures to combat threats to the online economy. Successful legislative models in other states were also examined and taken into account when drafting the bill.

The legislation will allow Industry Canada to act as a national coordinating body to educate consumers, track and analyze statistics and trends and lead policy oversight and coordination.

The legislation will also facilitate the establishment of a non-governmental agency, the spam reporting centre, which will receive reports of spam and related online threats, allowing it to collect evidence and gather intelligence to assist the three reporting agencies, the Canadian Radio-television and Telecommunications Commission, the Competition Bureau and the Office of the Privacy Commissioner, with the investigation and prosecution of offences.

It is important to note that the ECPA does not apply to non-commercial activity. Political parties and charities, other organizations that contact Canadians through email will not be subject to the ECPA, provided these emails do not involve selling or promoting a product.

Bill C-27 will protect Canadians and their businesses from the most damaging and deceptive forms of electronic harms and provide a regulatory regime to protect the privacy and personal security of Canadians. The rules will encourage confidence in online communications and e-commerce on the Internet.

The bill before us provides the CRTC, the Competition Bureau and the Office of the Privacy Commissioner with the tools they need to pursue those who undermine our online economy and to work with one another and their international counterparts. The bill has sharp teeth, administrative monetary penalties of up to $1 million for individuals and up to $10 million for businesses.

The bill in front of us today resulted from a great deal of work from several different sources. On the one hand, we had the recommendations and findings of the 2005 Task Force on Spam. On the other hand, we have also benefited from some of the work that former Senator Goldstein did in Bill S-220 in this regard.

Some of the features in this bill differ from what Mr. Goldstein had previously proposed. One of the most important is the use of the CRTC, the Competition Bureau and the Office of the Privacy Commissioner to enforce the provisions, in other words, using regulatory agencies to enforce the provisions of the spam bill rather than using police enforcement agencies as Bill S-220 had proposed.

The RCMP has other urgent law enforcement responsibilities, and I believe we should not redirect those precious resources to the monitoring of unsolicited commercial email. I believe that regulatory authorities are better positioned than law enforcement authorities for this kind of white collar problem.

In drafting Bill C-27, the government also drew on a wealth of experience in other states in combating spam. The bill drew on work that had been done in New Zealand, Australia and in the United States. The bill also benefited from the approach taken by other states as well. The bill before us is based on the best and most effective aspects of those legislative regimes in those states.

By being consistent with the approaches of other states, by using regulatory approaches and regulatory agencies in effecting this anti-spam bill rather than law enforcement agencies, we will help promote greater international co-operation to combat spam and other online fraud.

As members of the House know, Bill C-27 adopts an express consent regime designed to give businesses and consumers control over their inboxes and their computers. It requires that the individual's consent be sought and obtained in order to permit an ongoing commercial transaction. Once consent has been expressed by an individual, it remains until the individual opts out or revokes that consent. The industry committee took a careful look at how to ensure that the companies that used email could keep in touch with consumers so they did not inadvertently find themselves in violation of the law.

Members of the House will also know that the bill contains implied consent provisions that have been expanded to include suspicious publication of an electronic address. If someone publishes his or her email address on a website or in a print advertisement, he or she is considered to have consented to receive unsolicited commercial messages, provided the sender's message relates to the business or office held by the person.

Consent is also implied when a person gives out a business card or provides an email address in a letter. Similarly, the amended bill clarifies that when a business is sold, the purchaser has an implied consent to contact the customers of that business. Following the initial transaction between a business and a consumer, the period of implied consent has been expanded to 24 months from the original 18, as first contained in the original bill. This gives businesses even more time in which to obtain the express consent to further commercial transactions.

Another area in which the bill has been amended is in ensuring that updates to computer programs are not adversely affected by the protections we have put in place against malware and spyware.

The committee looked at the impact the bill would have on the installation of computer programs. It has been amended in the situation where the installation of updates, as it is understood as part of an original contract under which the software is installed, is not prohibited by the bill. Most of these programs call for automatic updates, such as daily or weekly updates, to anti-virus software. These updates will not require fresh consent for each instance. Running programs such as JavaScript or Flash programs will also not require express consent each time they are run.

Let me say a few words about the private right of action before I conclude. Some hon. members have questioned whether a private right of action is necessary. I believe it is. The private right of action enforces and complements the enforcement efforts of the CRTC, the Competition Bureau and the Office of the Privacy Commissioner. I would remind the House that this feature has been very effective in other jurisdictions in shutting down those such as spammers who have caused to the electronic economy. I believe it will be equally effective here in allowing groups or individuals to pursue violators. The private right of action will allow individuals and businesses suffering financial harm an avenue of recourse to be compensated and awarded damages.

Finally, the bill is technology-neutral. Bill C-27 recognizes that the convergence of voice and data is happening and will eventually be complete. It will allow the Government of Canada to prevent spam and associated threats regardless of how the technology evolves. Therefore, the bill will remain current in the future as technology evolves.

If Bill C-27 is passed by the House at third reading, Canada will go a long way to combatting spam and spam-related threats. Based on the experience of other states with similar legislation, a reduction in spam is quickly expected. When Australia adopted similar legislation in 2004, it dropped out of the world's top 10 spam-originating states and major spammers in Australia closed their operations altogether.

While the legislation will not eliminate spam entirely, Canadians will see a reduction in the amount of spam in their inboxes. Equally important, the legislation will decrease the most damaging forms of spam from originating in Canada and will help drive spammers and their associated illegal activities out of Canada.

The Internet has become the primary platform for online commerce and general communications. Canada has had a long history of global leadership in the telecommunications sector. E-commerce is now a part of the Canadian economy, with billions of dollars of goods and services being sold over the Internet each year in Canada.

If adopted by Parliament, this legislation would allow Canada to continue in that leadership, ensuring that we remain a secure locale for e-commerce and for Canadians. It is time for Canadian law to catch up with the Internet age. All parties in the House have expressed their desire to strengthen confidence in online commerce. All parties are opposed to spam and see the danger of it.

We have studied this bill at great length in committee and have emerged with important amendments that clarify it. The time has come to pass it at third reading.

Mr. Speaker, we often talk about individuals and their individual experiences on the Internet. However, there is also this extremely important aspect of commercial business and what it can do from the other side to protect itself and the important practices it can follow to help Canadians understand and recognize legitimate commercial communications.

I wonder if the member would care to comment about the importance of engaging business on the other side. We can legislate only so much, but we really do need partners in this if we are going to deal with it effectively.

Mr. Speaker, part of this debate that is often overlooked is the cost to Canadian businesses and the problems that Canadian corporations have in managing their email networks. From personal experience, I can say that it costs billions of dollars for Canadian corporations to handle the volumes of spam that we are now seeing.

As the House knows, we in Parliament have size limits on our inboxes. The simple reality is that the volume of email coming into the House of Commons and Senate computer systems is such that a great volume of these emails are spam. While companies can put in place firewalls, routers and other forms of software on their servers to redirect or block spam, at the end of the day, a lot of this spam still makes its way through those firewalls and routers and into the email servers, which then become completely clogged and saturated with this spam. As a result, legitimate transactions and emails are often slowed down or mailboxes are restricted in terms of the amount of email they can handle in order to deal with all of the spam that is being received.

Backup systems have to be enlarged. Bandwidth has to be enlarged. Email systems have to be expanded. All of these represent hidden costs to Canadian businesses. Many times, the senior management of these businesses does not realize the number of dollars that are being wasted on IT departments and chief information officers to handle the volumes of spam that we are seeing.

I think this bill is a move in the right direction because it is going to help Canadian businesses combat the time wasting and resource wasting that this problem creates, despite the efforts taken to put network security in place and expand data storage systems.

Mr. Speaker, I am pleased to participate in the debate on Bill C-27. PIPEDA falls under the jurisdiction of the Standing Committee on Access to Information, Privacy and Ethics with regard to personal information.

A number of members have been involved in one aspect of this and that is identity theft. It is a very serious problem in our society and the stories are horrific. The impacts it can have on people are very tragic.

I certainly want to speak in support of the bill, basically to start the process of educating legislators, because this is a starting point from which we need to continue to grow due to the velocity with which the information and technology are growing, as well as some of the tricks and things that we have seen and the way the envelope is being pushed.

Most members will have seen things in their inboxes from people identifying themselves as representatives of their bank. The emails say that the bank is doing a security check and requires members to provide their account numbers or something like that. They look very official. As a matter of fact, often the logos of a bank or the proper or stylized name of the bank will appear. Yet Canadians should understand that banks do not do business related to security and privacy over the Internet. It is just not a secure environment in which to do that.

This bill would establish a regulatory framework, which I think is a very good start. Our economy is changing. Our kids grew up with computers. Their ability to move very quickly through the electronic world is absolutely fascinating.

I actually have a degree in computer science from the University of Western Ontario and at the time I took that degree, we were using punch cards, which will give everyone an idea of where I came from. This is a very serious issue, and I am glad that we are at least at the point that this bill is at third reading and this electronic commerce protection act would prohibit the sending of commercial electronic messages without prior consent of the recipient.

It brings to mind the do not call list system that was established, which Canadians will say does not work very well. It is problematic and we should probably learn from the experience of the do not call list that notwithstanding the mechanisms that have been put in place, somehow things slip through. There is a caution that as much as we legislate, we are not going to be able to anticipate all the pitfalls that may transpire.

This act would also amend the Competition Act to prohibit false and misleading commercial representations made electronically. As I have indicated, the Personal Information Protection and Electronic Documents Act, referred to as PIPEDA, prohibits the collection of personal information by means of unauthorized access to computer systems and the unauthorized compiling of lists of electronic addresses.

That is a reasonable indication that the bill addresses this from sufficient directions. However, I asked a question earlier of the previous speaker. The role of business in this also comes into play.

Last week I just happened to receive a document called “The Canadian Privacy and Data Security Toolkit”. This is for small and medium size enterprises, many of which are active. These are the ones that are extremely active, scouring the bushes, looking for that bit of business, that niche for their businesses.

The foreword is by our Privacy Commissioner, Jennifer Stoddart, and the introduction is by Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario. This was actually produced by the Canadian Institute of Chartered Accountants, which is trying to educate its clients about some of the important things.

I want to start off from a business perspective looking back. Some of these businesses may very well be the businesses that are improperly using information they receive from individuals over the net. It states that:

Information privacy is the right of an individual to exercise control over the collection, use, disclosure and retention of his or her personal information. Personal information (also known as personally identifiable information...) is any information, recorded or otherwise, relating to an identifiable individual.

It includes such things as credit card numbers, debit card numbers, social insurance and security numbers, driver's licence numbers, and health cards, all of which deal with a fair bit of sensitive information. This leads to the whole situation of things like identity theft.

A constituent wrote me an email over the weekend to thank my staff for giving her some hints and tips on what she could do to protect herself because she had lost her wallet with all her information in it and had in fact had an indication that someone was already using some of that information. Things happen quickly when information gets into the hands of the wrong people.

The report talks about a privacy breach. On page 83 it says that:

A privacy breach is unauthorized access to, collection, use, or disclosure of personal information. The breach could be the result of an inadvertent act such as the loss of a laptop or by a deliberate act such as an attack from a computer hacker. Both, however, are considered breaches since the information is no longer under your protection.

Other examples of privacy breaches [include] misplaced fax, CD-ROM, or USB drive key[,]...sales receipts with credit card information thrown into recycling bin instead of the shredder[,] old computers reused with personal information still present on the hard drive[,] or customer files stolen during a break-in.

The consequences of a privacy breach could be a number of things such as:

damage to reputation or brand[,] loss of consumer confidence[,] reduced revenues [and] unexpected costs to compensate victims.

The potential damage to reputation or brand can be severe. In a survey of individuals who had received notification of a breach, almost 20% of the respondents terminated their relationship with the company, and another 40% were reconsidering their relationship.

We can see that this is not an inconsequential item we are dealing with for either side. The individual's private information needs to be protected, and a business whether small, medium or large has a role to play in protecting that information which they legitimately acquire through business transactions. There is often the temptation to utilize that information for unauthorized uses.

There was a case recently within the Government of Canada involving, and I will try not to be too specific, a program to do with a grant for doing something energy related. People who applied for that grant started to receive information on other areas of the government. When someone applies to the Government of Canada for a grant, I would suggest that they do not expect to find themselves on a mailing list and getting information to do with other matters related to the government.

The government itself is also strongly targeted here with regard to its practices. We have to be vigilant to ensure that none of the information the government collects, regardless of the department, is inadvertently or advertently used for a purpose which was unauthorized by the person who made contact with the government in the first place.

There is one other thing that I thought was kind of interesting. Under privacy impact assessment, there is a quick privacy self-assessment. I thought it would be interesting to let members know what small and medium-sized businesses might do.

The first item is, do we know our privacy obligations?

Some businesses are busy. I must admit, from an accountant's perspective, most people who run small and medium-sized businesses are more interested in doing business than they are in keeping the books and dealing with the myriad of paperwork and legislative reporting, but this is about knowing the privacy obligations, both federal and provincial, because there are some differences.

The second item is, has the organization assigned responsibility for compliance with privacy legislation and policy?

This is an important aspect, because it is an indication of whether the company is taking it seriously, that it has a serious responsibility to comply with provincial and federal legislation and to be proactive in terms of protecting the information of individuals.

The third accountability and management assessment question is, has the organization conducted an inventory of personal information to identify what information has been collected, where the information is collected from, who has access to that information and to whom may be the information be disclosed externally?

That is extremely important, because as we well know, one of the ways that people get on mailing lists is that people who accumulate personal information tend to share it or sell it to others. All of a sudden, like a pyramid scheme, it just continues to expand to where all information seems to be in the hands of all people.

The fourth assessment point is, does the organization make use of online privacy resources, for example, websites of the privacy commissioners or the Canadian Institute of Chartered Accountants, to assist with privacy compliance and awareness of privacy developments?

Keeping on top of it is clearly very important, and it will be important for us also to readily assess the evolution of this electronic vehicle that is being used and has caused a great deal of difficulty and problems for individuals and for businesses.

The next point asks, has the organization adopted a privacy policy that addresses collection, use, disclosure to third parties, secure disposal of personal information and retention of personal information as it applies to particular operations?

With regard to that last point about the retention, there is a shelf life for information. For instance, if we have information about someone who is deceased, all of a sudden, if it is made known, that information has to be destroyed.

Our committee has dealt with even something like Google Street View. There are some privacy implications there. There are a couple of others where we have provided information to offshore parties as well, being able to control that or make sure of that when we are complying under obligations we have, for instance, with the United States, which requires that for any aircraft that even just flies over any its air space, documents have to be provided as to who the passengers are and where they came from, et cetera.

Those are extremely important because our private information, our personal information, is everywhere.

I must admit that I tend to keep thinking about whether I should just report as lost and not recoverable all my cards and the other things that have my personal information on them and get new numbers, simply as almost a reaction to what can happen.

Just last week I got a phone call from my bank. I have a U.S. credit card because I have family in the United States, and we travel sometimes to visit them and I use that card. I have not been to California in about 10 years because that is not where my family is, but I was advised that there were two $1,000 charges to my U.S. credit card. The bank took all the information and advised me that those charges would not be left on my account, and I have a new card today.

Some cards do protect us, but not all of them. It is incumbent on people to understand what can happen when their personal information is used or stolen. Do they have coverage in some fashion? Some of the instruments we use do provide protection.

There are two more questions on the privacy policy side.

The sixth question asks, is the privacy policy made available to individuals prior to or at the time that the personal information is collected? Basically, do employees know what is going on and are they aware of all of the policy related to the activity they are undertaking?

Finally, the self-assessment asks, are your employees aware of the privacy policy and able to direct individuals to it?

I found this to be an excellent document. It also has a checklist on privacy procedures, training and disclosure to third parties. One could even score oneself on this.

I would certainly recommend this document to hon. members or others who might want to know a bit more from the perspective of business and how it would be able to interact with this legislation. This legislation would help businesses understand the kinds of things they must be aware of and cautioned not to do. It would also make businesses aware of the kinds of things they could do proactively, and that is a complement to the legislation.

Again, this document is called “The Canadian Privacy and Data Security Toolkit for Small and Medium-Sized Enterprises”, and it is published by the Canadian Institute of Chartered Accountants. I am sure that hon. members would be able to get it.

I appreciate the fact that this legislation has come forward. I think there will be good support from all hon. members. We need this bill to give us the foundation or the basis on which to be able to assure Canadians that we are taking all reasonable steps to provide an environment in which personal information is protected from those who would misuse it or use it for other wrongful purposes.

The bill itself is fairly straightforward. I appreciate that this was a lot of work for committee. I commend committee for going through it. I did notice the breadth of the work that has been done not only at committee, but by others prior to committee work. A long evolutionary process has brought us to this point.

It is extremely important that members also familiarize themselves with this. I hope members take an opportunity in their householders to advise their constituents about important legislation such as this, as well as some tips for Canadians at large to help them safeguard their personal information.

Mr. Speaker, as I see it, there are two problems that this legislation is trying to address.

The first is obviously the problem of spam as a vehicle to perpetrate online fraud, whether that be phishing or identity theft, spyware, spoofing, counterfeiting, malware, botnets and the like.

The other part of the problem that this bill is attempting to address is the fact that even if spam were not a vehicle for online fraud, even if spam were not a delivery mechanism for all these malicious types of computer programs, even if spam were not doing anything malicious in terms of what it is delivering to people's computer inboxes, it has a second major problem that is often overlooked, which is that it chews up a huge amount of bandwidth, of storage space on corporate and other computer systems. It is reported that up to 85% of all email traffic in the world is spam, and that costs a huge amount to Canadian businesses in terms of bandwidth usage, in terms of storage space, and that is often overlooked.

Much of the spam cannot be blocked by firewalls or routers or other forms of technology. The proof is that when we go into our Hotmail account or Yahoo! Mail account or Gmail account, there will be a folder for spam, because spam cannot even be blocked from entering into their systems and their networks. This has a huge hidden cost for the Internet, both for consumers and for Canadian businesses.

I wonder if the member would comment on that.

Mr. Speaker, I must admit, the first thing I thought of was Bill Gates saying that all anyone would need is 64 kilobytes for their Commodore 64 and nobody would ever need anything more.

On the weekend I picked a little memory stick that has 16 gigabytes of memory on it. The cost of this is coming down very substantially.

On the commercial side, the member is absolutely right. This is a tremendous amount of information. On a personal level, our computers get filled up pretty quickly. I think members of Parliament have all experienced the same thing, where they can go into their office after having left late at night and find somewhere between 100 and 200 emails in their computer. This is such an easy facility to use, so we can understand that so many of these are people from around the world.

The member is quite right that the risk to us is that we have the intelligence or maybe the misapplication of intelligence of virtually the entire world looking at ways in which it can intrude, looking at ways in which it can take advantage of our information, destroy our information, share it with others, or park itself for activation later on.

Some of the Norton software for bugs and the like cannot keep up. Every time I go to Future Shop, there is another version of Norton there.

Certainly businesses need to get engaged here. They have a significant role to play. I do not know how many small and medium-sized businesses, though, have been engaged to protect their information, to protect their software from invasion, and whether they can or even know how to detect it, and this concerns me.

Eventually what is going to happen is that business information will be modified in ways in which there is such a high volume of traffic through it that ordinary businesses that are operationally focused will never be able to see it until there is substantial damage.

Again I thank the committee. I hope we will be able to continue to improve upon the legislation as the risk continues to evolve.

Mr. Speaker, I would first like to say that we support this bill. I see the committee chair nodding his head that, yes, it is an excellent bill. I must say, this bill is a good start. This new legislation specifically targets unsolicited commercial electronic messages. Citizens have been demanding such a bill for some time, and it is sorely needed. Not only are commercial emails sent with the prior consent of the recipient important to electronic commerce, but they are also essential to the development of the online economy.

By drafting legislation prohibiting spam and protecting personal information and privacy, as well as computers, emails and our networks, the proposed legislation is designed to allow individuals and companies to sue spammers and hold any businesses whose products and services are promoted using these means partially responsible for spamming activity.

As well, email marketers would be required to obtain informed consent from recipients to receive emails; provide an opting-out mechanism for further emails; and create a complaints system. That is the main purpose of the bill. Since most spam Canadians receive comes from other countries, international anti-spam measures are needed. The government should continue its efforts to harmonize anti-spam policies and encourage countries to work together on enforcing anti-spam legislation.

I would like to talk about this a bit longer. We know that spam comes from all over the world. That is one thing. But Canadian law applies only to Canada and Canadians, not to other countries. How might this affect us as consumers? What sort of commercial impact might it have? Businesses here in Canada will not be able to distribute advertising on the Internet using software or other ways of communicating with a computer.

The biggest problem is that because other countries are not subject to this law and their legislation is not harmonized with Canada's, they can keep on sending messages. If I have a business and I decide to send advertising over the Internet for doors, windows and other things, I cannot send a mass mailing. But a business in another country can.

We have to be competitive with industries around the world, because we are part of a global economy now. So what reason do we have to protect consumers? Protecting them against phishing or hacking is one thing, but we must not forget business. That was the committee's main concern. We must not prevent businesses here from continuing to make a profit. Eight billion transactions are carried out on the Internet. I believe that Canadian businesses should enjoy a share of this growth with all the people here in Canada.

It is vital that we ask ourselves whether we want to protect our industries or consumers. Should we let others continue to do business without our being able to participate? These are the questions that should be raised, and they have been raised. They have not received a full answer, but this bill is a major step, because it proposes a concrete measure within a timeframe. It took four years to come up with this legislation, because we wanted something better. As we know, things change much more rapidly with the Internet, where six months is an eternity.

So, fairly soon after this bill is passed, we will have to take time to see how things are unfolding and to make adjustments, as cyberpirates target us.

By the way, how do we define spam? Spam is any electronic commercial message, any text, audio, voice or visual message sent by any means of telecommunication—whether by email, cellular phone text messaging or instant messaging—without the consent of recipients. Therefore, it is reasonable to conclude that its purpose is to encourage participation in a new commercial activity, and that it includes electronic messages that offer to purchase, sell, barter or lease a product, good, service, land or an interest or right in land, or offer a business, investment or gaming opportunity.

I mentioned what spam is. It has to do with commercial activities, including offers to purchase, sell, barter or lease a product, good, service, land or an interest or right in land. All these are commercial activities that exist here. With this legislation, these people will no longer be able to use the Internet to send their messages.

What is left for these people to be competitive? Not much. They could use mail services. However, this can be costly, considering that, as I mentioned, such costs will not be incurred in other countries. We always hear—as one member said—that spam requires a lot of work. It takes someone to prepare these emails. If, all of a sudden, we prevent our industries from using the Internet to sell or rent all the products that I listed earlier, what are they going to do? As I just said, they will have to rely on mail services.

Just think how clogged up the system could get if every industry decided to send a mass mailing to all the other businesses, or to households. How much time would businesses spend opening mail, instead of emails? Of course, Canada Post would be pleased, since postal rates are exorbitant, but businesses would no longer be competitive, because of these costs. We should not forget that, because this is a significant economic consideration.

Having said what is considered spam, it is also important to point out what is not. What is not spam are messages sent by an individual to another individual with whom they have a personal or family relationship. For instance, I have no personal ties to you, Mr. Speaker. Imagine I send you a message, not as a member, since that is not allowed. So imagine that someone from outside the House sends you an email, he or she could be subject to fines, since this legislation no longer allows emails from one person to another. The bill reads:

—a message that is sent to a person who is engaged in a commercial activity and consists solely of an inquiry or application related to that activity.

Regarding commercial activities, witnesses came to testify that, initially, the bill required 18 months of contact with the other person. Let me give an example. I know that about every four or five years, family situations and incomes change, so people could be selling their house and buying a new one. With this new law, the real estate agent who sold me my house can no longer contact me after 18 months. In fact, he would be subject to a fine, if the 18-month time limit has passed. In committee, we were able to change that timeframe to 24 months. We would have preferred it to be even longer, to allow businesses and individuals to continue communicating with their existing clients.

As I said, the purpose of this bill was to restrict commercial activity, which is important here.

(a) that is, in whole or in part, an interactive two-way voice communication between individuals;

(b) that is sent by means of a facsimile to a telephone account; or

(c) that is a voice recording sent to a telephone account.

...

(c) that is of a class, or is sent in circumstances, specified in the regulations.

This bill will completely define the issue. There will surely be some flaws, as with any bill, whether it is good or bad. Since this is a new bill, there are always flaws because we forgot something or did not think to regulate something. Over time, we will have to re-examine the bill, more quickly than any other bill, to ensure that we have not left anything out.

The only circumstances under which spam could be sent would be if the person to whom the message is sent has consented to receiving it, whether the consent is express or implied. So, if I send a message and the individual agrees to receive it, a relationship has been established.

Let us take that same real estate agent, and let us assume that I heard from one of my colleagues that his brother-in-law has a house to sell. I would not be able to send that brother-in-law an email to let him know that his brother-in-law had informed me about the house for sale, or to tell him that I know someone who would be interested in buying the house. I could not do that.

I could only do it over the telephone. I could directly contact the individual via telephone or meet them in person. I would have to establish contact before doing business with this person.

So therein lies the problem. Anyone who wishes to establish a business relationship with another person must now do so via the telephone or mail, or meet the individual in person. They could not send a simple email.

We are setting limits. That is the message I want to get across. We are setting limits, but we cannot limit other countries in sending us these messages. We have to consider doing that and count on the goodwill of other countries such as the United States, Australia, France or other European countries. This type of legislation needs to be harmonized. Many countries do not have such regulations or laws. They can therefore do what they want because they are not subject to such legislation.

In addition to being in a form that conforms to the prescribed requirements, the message will have to make it possible to identify and contact the sender. The message must include an unsubscribe mechanism, with an email address or hyperlink, so that the recipient can indicate that he or she does not want to receive any further commercial electronic messages from the sender. If I send a message or an email, at the end of that message there specifically needs to be a box to check or a note explaining to the person how to stop receiving further messages.

I think this is the right approach, but in order for it to be successful inquiries would be necessary. The CRTC would have interesting powers. It could require a person to preserve transmission data, produce a copy of a document that is in their possession and prepare a document based on data, information or documents that are in their possession. It could also conduct a site visit in order to gather such information or, if necessary, to establish whether there was a violation.

Because it cannot do that itself, note that it will have to get a warrant from a justice of the peace prior to entering premises. It cannot do that by itself; the CRTC cannot do it by itself; the Competition Bureau has certain powers, but there again its powers are limited. Today, the Competition Bureau has no powers of inquiry. That is why there is Bill C-452, which will give the Competition Bureau three types of powers of inquiry: an exclusive power of inquiry, a power of inquiry to summon and protect witnesses, and a power to search. That is what is important.

How can agencies conduct inquiries and do the work for which they have been created if they have no power? I have introduced Bill C-452 to give the Competition Bureau this power so it can conduct inquiries and do the work we expect of it.

If the court believes that a person has violated any of those provisions, it may, which is not to say that it will have to, order that the applicant be paid an amount representing the loss or damages suffered, or any expenses incurred. If it is impossible for the applicant to establish those amounts, the court may order that the applicant be paid a maximum of $200 per contravention, up to a maximum of $1 million. I am choosing my words carefully: not “shall order”, but “may order”. That is very different.

As I said earlier, the CRTC, the Competition Bureau and the Office of the Privacy Commissioner must also consult one another, and they may share any information with one another in order to carry out their activities and responsibilities pursuant to their respective powers.

So there are three agencies: the CRTC, the Office of the Privacy Commissioner and the Competition Bureau. Together, they have certain powers under the bill. However, they must be capable of communicating with one another. We know that these agencies have their private preserves and they are not prone to disclosing information.

The Office of the Privacy Commissioner is another thing again. The Liberal member referred to this earlier. That Office is an important player in this regard.

Unsolicited commercial electronic messages are becoming a serious social and economic problem that undermines the personal and commercial productivity of Quebeckers. Not only do they hinder email use for personal communications but they also threaten the growth of legitimate e-commerce. As I mentioned earlier, when people are assigned to open these emails, time is lost and businesses become less competitive. That causes a problem.

I would like to point out something else. The minister, or another organization somehow involved in Bill C-27, has managed to ensure that a clause in this bill could jeopardize the National Do-Not-Call List (DNCL). A door has been opened because one of the clauses states that the DNCL—set up by this government and containing the telephone numbers of seven million people who do not wish to be unnecessarily pestered by telemarketers—could be deactivated. They have now made it possible, within one year, to eliminate a list that cost millions to set up.

Mr. Speaker, I listened with great interest to my colleague's speech.

The issue that we are trying to deal with here, on all sides I would hope, is the need to ensure that innovation continues to happen, that we believe that the Internet is going to be more and more of a vehicle for not just economic innovation but for social, cultural and political discourse. Therefore, there has to be the issue of confidence.

When people go on the Internet and they respond to people they might not know, they have to have a fundamental sense of confidence that they can make those connections. Without those links that are being made from person to person, from business to business, major problems will occur in terms of impeding productivity and also undermining the fundamental revolutionary power of what is before us.

The issue of spam is not simply an issue of an irritant. It is not simply that it bothers us because we have to delete from our inbox everyday hundreds of useless irritating emails. The deeper issue is the underlying issue of spam that leads to fraud. There is such an interconnection between the misuse of Internet communication and international fraud rings. We see that Canada was alone in the G7 in terms of having any kind of plan for dealing with spam up until now and we are also one of the worst spam bases in the G7 and, in fact, the world.

Could my hon. colleague speak to the connection between fraud and spam, and the need to have an international standard because a spam artist knows no domestic boundary or border?

Mr. Speaker, my colleague has identified the problem and its implications. Yes, it can be useful. There is spam, emails, and there are important things. There are things we can use every day. It is true that there has been fraud and that is why we have a bill. However, we must be careful. I can certainly understand how a great deal of spam can affect the productivity of some companies.

However, if we restrict people here and our businesses—those trying to make an honest living for themselves and their employees—if they can no longer use email and the Internet to sell and promote their products, what do they have left? As I was saying earlier, that leaves the postal service. This will hurt small businesses, who will not be able to keep up with big businesses. Larger big businesses will win out and smaller businesses will disappear. Is that what we want? It is one thing to protect our citizens. But we must also protect our businesses so that they can continue to participate in a given market.

Mr. Speaker, I am pleased to ask a question of my colleague today.

I am very concerned about the bill with regard to the cost and confusion the legislation might have for small businesses in the country. Oftentimes the government introduces legislation. Then, after it is introduced, it is quite a complicated process and expense communicating with small businesses and getting them up to speed on what the requirements are.

I can think of many initiatives in that area over the last several years. I just wonder if the member has any thoughts about how we should be proceeding with regard to that.

Mr. Speaker, my colleague put his finger on the problem. Yes, we discussed it in committee. It would seem that businesses would continue for some time, because as for any other bill, we do not yet know what impact it will have.

That is why I said during my speech that this bill would have to be reviewed again as soon as possible after it is passed, to determine whether or not it presents a problem for our businesses. That is what should be done. Six months is a long time and a year is much too long, but we would have to look at the legislation again to determine whether it has affected our companies and our society directly.

Mr. Speaker, we have moved this legislation along to the point where it should be ready to be made law. However, then we look at the do not call registry which was made law.

I am sure most members of the House have received phone calls. I receive calls at home all the time telling me my credit card information is incorrect and I have to press 1 immediately to correct credit card information. I am getting those calls at home. I was not getting them before the do not call registry was established.

It seems to me that we can say whatever we want in the House about spammers. We can talk until we are blue in the face and yet the fraud and misrepresentation continues, and the lack of political will to get serious about this remains in place.

I would ask my hon. colleague, does he think, besides reviewing the bill and its effectiveness, we need to show our other competitive countries in the G8, which are actually serious on these things? We preach the gospel of change, but it seems that once something is implemented, the government goes back to being an agnostic on actually dealing with it.

In light of the failure of the do not call registry, would my hon. colleague like to perhaps guess where this is going to go?

Mr. Speaker, yes, I will. A witness told us. That was our concern. We knew that the question would come up when a clause was put in the bill that could abolish the national do not call list.

The question did come up, and there was no mention in the answer of abolishing the list. The government wants to be able to replace this regulatory system in future if necessary.

I believe that they want to abolish this list. I do not know why, since they are the ones who introduced it. It cost businesses $5 million to comply with the list. This bill contains a clause that could abolish it. That is unfortunate, because the do not call list has been in place for a year and it is working.

Mr. Speaker, when the government brought in the do not call registry, individuals signed up so they would not be called. Then we found out that international scammers simply walked away with that list because internationally the registry is not respected. All the people, who put their numbers on the list so they would not be called, found themselves victimized by fraud artists and scammers.

There is talk about taking the existing registry and rolling it into Bill C-27. That is possible and I am open to the suggestion. However, my concern is this. Given the fact that the government showed absolutely no teeth in dealing with all of the scam artists in the Cayman Islands, and wherever else, who obtained the list of our citizens, how are we going to ensure that we are protected from international scammers who have no interest in what we proclaim in the House of Commons?

The hon. member for Shefford has only 30 seconds left.

Mr. Speaker, that is precisely the problem. The bill does not mention what is happening at the international level. It only makes reference to what is going on locally, here in Canada. Anything outside the country is excluded. We do not hear about it and we cannot pass an international law either. We would need the G7 or G8 to pass a law that would be respected and endorsed by all its members.

I want to go back to the do not call list. I personally put the question to the chairman of the CRTC, who told me that the list is working. Federal public servants use it. I do not know why they identified it and included it in this legislation. I do not have an answer to that.

Mr. Speaker, I will be splitting my time with the member for Yukon.

I am pleased to speak to Bill C-27, the electronic commerce protection act.

I think that the last interchange is an indication that the legislation before us may have its shortcomings but the urgency with respect to bringing the legislation forward is undeniable. It is undeniable because of the invasiveness of spam and that people's lives can be turned absolutely upside down by those who use spam with the intent to defraud and to use information that is available through access to information. It has been pointed out that no technological firewall or router can act as a barrier and people are absolutely susceptible to those who have spent a huge amount of time thinking of how they can, through an email invasion, access information that will be used fraudulently.

This is not an issue over which the government or any particular party has proprietary rights. In this House we all share the responsibility to have in place a legislative regime that anticipates the nature of this invasion through electronic commerce with the intent to defraud or to put forward false information.

We all share the desire to develop the tools. This will not be the end. The committee has made amendments to original legislation that was put forward through a committee or a task force process. This bill will go through the Senate process. I would assure members of the House, and I refer in particular to the interchange that just took place, there will be other mechanisms undoubtedly, other tools that will be developed through the continuing process of developing the legislation.

I am sure there are people who are watching who only see bits and pieces of the debate. People do not always see the total context within which the debate on legislation is taking place. I would like to provide a chronology to put things in context.

Spam is a serious concern for individual Canadians and businesses. Back in 2004-05, the then Liberal government established a task force to look at anti-spam legislation. That task force brought forward recommendations which generally paralleled the bill before us. Those recommendations were aimed at prohibiting the sending of spam without prior consent as a first principle. The second principle was that it would be an offence to use false or misleading statements to disguise the origins or true intent of an email.

The task force led to a number of key recommendations. I think there were 22 recommendations in all. The government of the day established a series of round tables to seek input from the business community and the community in general.

At that time, the specific recommendations were to prohibit the sending of spam without prior consent as the first principle, to prohibit the use of false or misleading statements disguising the origins or intent of an email, and to prohibit the installation of unauthorized programs. Spam artists are so cunning that if a person does give clearance to a misleading and disguised email, information with respect to even the person's passwords can be made available, which gives access to the person's email content, websites, et cetera. The final principle that was established through that task force was to prohibit the unauthorized collection of personal information or email addresses.

This bill has all of the elements of those task force recommendations and looks to implement the recommendations of that task force. As I have said, this is not a Liberal approach or a Conservative approach; in fact, it appears that the bill has the support of all parties in the House.

There is one aspect of the bill that is different from the regime that was put forward back in 2004-05 under those recommendations, and that is with respect to fines and the implications with respect to what may happen if one is found guilty of violating the intent of the legislation. The fines for these violations can go up to a maximum of $1 million for individuals and $10 million for businesses. It establishes rules for warrants, for information, as was discussed by the last speaker and in questions, and in particular, that information being available through warrants during investigations and injunctions that can be sought on spam activity while under investigation.

The bill also establishes the private right of action, allowing individuals and businesses the ability to seek damages from the perpetrators of spam. That is a particularly important principle. We have talked about victims and victims' statements during criminal proceedings and recently with the bill that firms up the interventions with respect to parole and the ongoing communication with those who have been victimized with respect to how the provisions of parole are carried out.

This bill also attempts to err on the side of victims. It gives them the ability to seek damages from the perpetrators of spam, depending upon the nature of invasion of privacy and the activity that took place.

It was pointed out that the committee had some problems with flaws in this bill. Clause 6 seemed to be a little too broadly written and, as has been pointed out by other speakers, could suppress a very legitimate part of our application of technology and the whole sector. It could impose an adverse position with respect to those who are creative within the technology, the rules of the technology and so on. It was pointed out that the committee was not satisfied to that extent. However, amendments were made to the bill.

The bill also maintains a very strong and some have said heavy-handed position, but given the nature of the illegal activity going on, I think that all of the House would concur with the committee's intent to make those who are guilty suffer.

Generally speaking, those in the stakeholder groups were not satisfied with the original task force recommendations, and there may be some who are still not satisfied with the bill. However, as I have indicated, it has gone through the committee stage, amendments have been made and at this point I think we have to err on the side of those who use their email and other technology for positive and high value-added activity and go after those who would victimize those who are using the technology.

Mr. Speaker, I realize that there are certain provinces, I believe Quebec is one and Manitoba is another, that have class action legislation. Ontario might have it as well.

I wonder if the member could confirm that class action provisions might be applicable as far as the bill is concerned. It seems to me that if we are dealing on an individual basis, it is a much more positive approach if we could have the bill affected by class action lawsuits, whereby people could take action on the part of a whole group of people who were being victimized by certain types of spam activity.

I wonder if the member would comment on that and whether he has any ideas for improvements.

Mr. Speaker, I know that the hon. member is a lawyer, and I very much respect his knowledge of not only this kind of legislation, but the recourse that innocents would have with respect to the law.

The bill leans toward the concept of victims' rights. If victims' rights can be characterized through class action, and in other aspects of law, both civil and criminal, then that can happen. This is embarking on new ground. There will be many who will be viewing the intent of the bill and the legislation. It may be contested through the courts, but certainly the provisions with respect to victims would leave the door open, I would say from a lay person's perspective, to class actions. That would mitigate the cost associated with an action. Also, with the kind of publicity that is entrenched in that approach it would do what the bill, in terms of its intent is trying to do. It would put those who would use spam for defrauding and other criminal purposes on notice that more than individual court proceedings could occur. Class actions are very costly. The repercussions could be serious and would act as a deterrent, I would think. However, I am sure that the member would have better suggestions than I would from a legal perspective.

Mr. Speaker, the hon. member is always very succinct and informative in his speeches.

In his speech he talked about the fines, which he said were slightly different from the original task force recommendations. What specifically was he getting at? I would like his opinion on that. Also, I think there needs to be a significantly large fine for huge corporations because some of them look at a small fine as the cost of doing business and just carry on. It does not have an effect.

Mr. Speaker, there are those with legal experience who could probably give a better answer to that.

When I review the bill and look at fines of a maximum of $1 million for individuals and $10 million for businesses, it would seem that is a pretty serious step toward the objective the member has which I inferred from his question. In that there is not a regime that is that serious now, this would be a fairly substantive deterrent. These are very serious charges and very serious fines.

The whole process through the bill establishes a framework for investigation. The notion that there are rules to be established with respect to warrants, for information during an investigation and so on, certainly provides a framework which will make the bill a much greater deterrent, if it is fully understood, than exists at this time.

Mr. Speaker, in 2004-05 a Liberal government anti-spam task force consulted the public widely and had round tables with stakeholders. This important bill to limit spam did not come out of the blue. There were four major recommendations from the task force.

The first is prohibiting the sending spam without the prior consent of recipients. I cannot imagine anyone in the public who would not want this to come into effect very quickly. We all get hundreds and hundreds of nuisance and unwarranted spam. People must be dreaming for the day when they will no longer be sent. Quite often it is the very same message with a different title, which I will talk about a little later. This will be a very popular part of the bill for businesses and anyone who uses a computers.

The second is the use of false or misleading statements disguising the origin or true intent of the email. I am sure everyone has received emails that they have opened by accident because they are very clever titled such as “You haven't paid your bill” or other more creative ways of getting us to open the email. Then there is the very same email we received one hundred times trying to sell us the very same product.

The third major recommendation from the Liberal task force is the installation of unauthorized programs prohibiting that and no one would want that to occur.

The fourth is the unauthorized collection of personal information or email addresses. That is very significant. Canadians and businesses do not want the unauthorized collection of their personal information. All kinds of damage can be done.

We only need to go back to the debates we have had recently on commercial crime to see the huge multi-billion dollars in damages and lives ruined because information of individuals has been used for fraudulent purposes. Computer technology is relatively new. In a previous job before I became a member of Parliament there were no computers in business. In that it is a new technology, people, especially seniors who were not used to this throughout their lives, could easily be hoodwinked into giving personal information, which is then be used to victimize them. It is very important this not be allowed to continue.

Let us look at the scenario where millions of unauthorized, unwanted messages or spam go through the Internet. How important is the Internet to today's life? It is really a backbone for many people and for many businesses. The whole way that our society functions—

Order, please. The hon. member will still have time available in his time slot.