Industry committee  I agree with what Mr. Kardash just said, but I would like to provide an example of why the computer program provisions are too broad. If you're a start-up company and you're deciding whether to start up in Silicon Valley or in Waterloo, you look at the laws and at how they apply.

Industry committee  The challenge with the PRA in CASL is in no small part because of the complexity of the law and the innumerable situations in which compliance is next to impossible, and because it's combined with statutory damages. If you are a class action lawyer, you make an economic decision, by commencing a suit, about whether there is likely to be a return on your investment in time.

Industry committee  You have to say this is my business name, and this is my mailing address and either my email address, my web address, or my telephone number. And I must say that you have the right to withdraw consent, or you can withhold your consent, or pull it back later. If I don't ask it in that specific way, with that information, the consent is not valid, so—

Industry committee  That's a great example. Another example is on implied consent. I'm in full agreement with Dr. Geist that we need a strong consent regime, but there has to be a willingness to look at the circumstances and ask whether it makes sense for this small business to send a message to a customer based on a prior relationship.

Industry committee  Absolutely. If I've made a purchase within the last two years, you can send me a message, but if I've subscribed for a free service—I didn't buy anything—maybe you can't send me a message. I say “maybe” because we're left scrambling to interpret the law. It's too prescriptive to make sense to business, let alone to the legal community who have to interpret it.

Industry committee  I'll start by providing some advice to the CRTC about helping organizations comply. The CRTC does not issue findings or decisions that provide the rationale for the fine or the circumstances in which the offence or violation took place. That contrasts with the behaviour of the Privacy Commissioner, who provides very helpful, very meaningful findings explaining the perspective of both parties as well as the commissioner's interpretation and outcome.

Industry committee  I think there would be broad support if the private right of action were targeted on the truly bad actors, and we had a situation where we weren't combining a private right of action, broad standing to sue, and statutory damages, because that's where the potential for frivolous class actions becomes most prevalent.

Industry committee  Let me give you two real-life examples. The law tells you how you must request express consent.

Industry committee  I would like to take a different perspective. There is no question that we need effective privacy legislation. The discussion and the points that Michael is raising are about privacy, agreed. That's why we have PIPEDA. That's why we have a very active, internationally respected privacy commissioner who sets out guidelines and provides direction based on very technology-neutral legislation that is based on principles.

Industry committee  I think the problem is, as Mr. Geist has mentioned, we really don't have enough information. We have some statistics that are quite old, from 2015, to suggest there's been a reduction in overall messaging, including of legitimate messages. To Mr. Masse's comment, the question we have to ask ourselves from a policy standpoint is how we ensure that it is a privilege to use electronic means to communicate, much as it is a privilege to collect, use, and disclose personal information.

Industry committee  I didn't say that, but you're right. The rules prescribed by the CRTC indicate that in any request for consent, you must state that a person will have the opportunity to withdraw consent.

Industry committee  Subsection 6(6) does not deal with a computer program. It deals exclusively with electronic messaging.

Industry committee  I think we need to look at what our international trading partners do. They don't regulate all computer program installations. They regulate malware and spyware. There are unintended consequences of having an overly broad approach, and those are the consequences that I fear are undermining the innovation.

Industry committee  Other jurisdictions regulate malware and spyware, as they should and as we need to, but they don't go and regulate all other messages. They certainly regulate collection of information, personal information using computer programs, as we have with PIPEDA and as we will continue to need to do.

Industry committee  A decision was made to regulate the installation of all computer programs except for those specifically exempted by regulation.