Bill C-27 (Historical)

Mr. Speaker, I thank my hon. colleague for his question.

I think he understands that the current system is inadequate. It makes electronic communication really inefficient and the purpose of Bill C-27 is to clean things up. So I will respond with a brief answer. Yes, Bill C-27 would put us on a level playing field, to some extent, with countries that have passed similar legislation.

Mr. Speaker, as always, I am very honoured to rise in this place as a representative of the people from Timmins—James Bay, and I take that role very seriously. One of the roles that I am given as a member of Parliament is to review and speak on legislation. This legislation is something that we as members of Parliament need to see in terms of a larger vision. This is not just a one-off bill.

In order for Canada to go where it needs to go in terms of a 21st century economy, we need to have a full vision in terms of the potential for digital innovation and also the pitfalls that are facing us. In terms of a large vision of where we need to be as a country holding its own and being a leader, we need to look at a number of initiatives. Earlier the issue of digital broadband access was brought up in the House. For a country that is as defined by geography as we are, to remain competitive, we need digital broadband.

The FCC report last week, which would be one of the world leaders in terms of its credibility on this issue, it says how much Canada has fallen behind. We have gone from being a world leader in 2003 to a world laggard. Anyone watching this back home does not need the FCC to tell them that we are paying some of the highest fees for Internet access and we are getting some of the lousiest service.

The FCC talks about how it is that Canada went from being a world leader in terms of making sure broadband access was happening, where just in 2003 we were the country to watch, to now being in 20th, 25th, or 26th place on various parts, depending on what indicators we look at.

The FCC points out the lack of competition in Canada. It is not pointing out the CRTC's dropping of the ball on this, but it speaks to something again that we are seeing, that when there is a very small cabal of companies that are basically now running the infrastructure of the Internet, unless there is innovation being pushed forward by small third-party ISPs, we will have a situation where development begins to ossify and that is what has happened. The FCC reports show how much we are falling behind because we are not getting that level of third-party competition from the smaller players. That is one of the elements we need to look at in terms of a larger vision.

Second is the issue of net neutrality, which plays very much into the access of broadband. When there are a few giant players who are deciding the development of speed on the Internet, we cannot have them making the decision as to who is going to be in the fast lane and who is going to be in the slow lane. There needs to be a sense that, in order to have development on the Internet, net neutrality is a key cornerstone. This is not a principle of the so-called computer geeks. Talk to anybody in business and they will say that if they cannot get fast access, they are going somewhere else. They are very concerned about deep packet inspection, for example. They are very concerned that when they put information through VoIP, or through BitTorrent, it could be unfairly slowed down. So that is the second element of an innovation agenda that we need to look at.

The third part of an innovation agenda is upgrading our copyright laws to the 21st century to ensure that we are moving forward and encouraging innovation and encouraging new ideas that may threaten some existing business models, but the only way we are going to have innovation is if we bring our copyright laws up to the 21st century agenda. I spend a great deal of time on the copyright file and I can say that we are finally at the point where we are agreeing that trying to implement laws that would work in 1996 is not going to get us anywhere. We need to be enacting laws that will bring us into the next 20 years.

The other element in terms of a digital strategy is dealing with the irritant factor. That is how most people see spam. They see spam as an irritant. It affects all of us. Every time I go on my computer I have someone offering to sell me a product that is going to make certain parts of my body much larger than they otherwise would be. I think my ears are large enough as it is. I do not need any help, thanks very much. Nonetheless, they will not leave me alone. They are always offering to sell me real estate when I am still paying for the house I bought many years ago in northern Ontario. I could have used the help then, but I certainly did not need the help of spammers.

We laugh about the silly and stupid things we come across in spam day after day, but we need to see the effect that it is having in terms of not just our ability to do our work but the very nature of the threat it is posing to average citizens. Spammers are very tied into a growing level of Internet fraud. They undermine confidence. We do not want to go to a website and leave our email information, because we do not want it to be taken and misused.

If we do not have confidence, it undermines our ability to move forward. Certainly the issue of spam is very serious. Canada has been singled out as the only G7 country without spam legislation. That puts us in a really bad light, because spammers will use our jurisdiction to push for spam. It is all well and good to say that we will get the emails of the spammers and hunt them down. If anybody has ever tried to track one of them down, they know that these emails do not go anywhere.

What ends up happening is that there is a much more insidious move afoot. They move very quickly in terms of their technological innovation. They do not send the spam from a home computer, so they cannot be tracked. They use a number of techniques to basically act as a parasite on other messages going out, to the point where they can actually take over a person's computer without the person using it and download malicious software. They create these zombies or bots.

The threat to privacy and innovation and the threat of fraud become compounded on a massive scale. This needs to be addressed and taken seriously.

For example, just last year, the U.S. came down with some of the heaviest attacks on spammers. I was referring earlier to May 31, 2007, when they went after Robert Alan Soloway. They charged him with 35 criminal counts, including mail fraud, wire fraud, email fraud, aggravated identity theft and money laundering. Prosecutors were alleging that Soloway was using these zombie computers to distribute spam across wide networks.

I will give an example of how this plays out. It is classic in terms of the development of the Internet. The greatest strength of the Internet is the ease with which one can get information out there. Of course, the greatest threat is the ease with which spammers can undermine it.

We can talk about the famous Nigerian 419 scam. Back in the day when the fax machine was the most exciting cutting-edge technology and I was working at a northern magazine, we used to get these emails from this guy. He was a former colonel in the Nigerian army. He was being held prisoner. If only I could send him $500, he would send me $100,000. It was very crude. It cost them money every time they sent that out. It went on a fax machine. It made tracking these guys a lot easier.

The 419 scam was a very marginal scam in the 1980s when it was first developed in Nigeria. It is interesting that Insa Nolte from the University of Birmingham said that the development of email turned the 419 scam from a local fraud to one of the largest export businesses in the country of Nigeria. That is how effective it has been.

For every million people who click delete, one person in a million might respond. That is how the fraud happens. I am sure that my colleagues here can tell similar stories, but I am now starting to see email requests for help coming much closer to home, where similar last names of family members of constituents and local references are being used.

This comes from the trolling of information that has been enabled under these massive networks of zombie computers. They can track and pick out names from the email traffic. They are picking out bits of stories and they are able to tailor the stories of personal need and personal threat. My daughter received one yesterday from someone who she thought might be a student who was lost in London. They had two or three key pieces of information about her and she could not figure out how they got that.

That is the kind of computer fraud that is now being perpetrated. Again, many of us will click through and delete. The problem is that there are enough people out there who will respond. So we are looking in terms of basic computer protection and basic civic protection. We need to do that.

However, we need to look at it in a larger area, in terms of what basic rules we are going to put down so that developers, innovators and citizens can use this wonderful new medium that we have, without fear.

I think some of the basic provisions in Bill C-27 are fairly straightforward. We should be asked for consent before any computer program is downloaded on our computer. That should be basic. The idea that spyware could be put into our computer without us knowing should have criminal consequences. We know, for example, there are various forms, such as Trojan rootkits. Sometimes legitimate companies think that by being able to put this spyware into our computer it is going to protect them. But it does not. It undermines consumer confidence.

I just have to refer to the famous Sony rootkit disaster, where Sony decided that on its CDs it was going to put spyware and not tell the consumers. Consumers were buying these CDs, thinking they were buying a piece of music, putting them into their computers, and their computers were crashing and they could not figure out why. It turned out that Sony, one of the biggest entertainment companies in the world, had put in the spyware thinking it was going to go after copyright infringement and what it did was undermine its credibility in the marketplace to a great degree. Companies should never have been allowed to think that kind of move should have been able to take place. No citizen who buys a CD or any computer product to put into his or her system should have to worry that there is spyware in there.

So the issue of asking consent before any computer program or any spyware is put into our computer is a very reasonable provision and a necessary provision.

I think the other thing we need to speak to is that companies cannot take personal information without consent. That is another primary element of the Internet. When we go on the Internet and we go to a website or when we respond to email from someone we might not know, we want to know that our records on the computer, our data on the computer, is not being accessed, and that when we go to a website our information is not being passed on to someone who is then going to come and try to sell us some kind of scam product that we do not want.

If we do not have that assurance, it starts to undermine the ability of consumers and companies to make the most of what they need to make the most of in terms of moving forward.

Earlier a Liberal colleague said he was worried that this was a big hammer that was going to shut down business, and we know there was certainly a big backlash against the Liberals when they seemed to be led around by the nose by some lobbyists on watering down provisions of this bill.

I have looked at the provisions and I have looked at what the Liberals were trying to sneak through, and I do not think it is in line with the 21st century digital innovation agenda. Fortunately, the Liberals are not in the position to run a bill like this, where they would be able to undermine it and ensure that the corporate lobbyists got their way. There are citizen provisions that have to be addressed and this bill is looking at that.

It was the Liberals who wanting to limit the scope on spyware. I am astounded by that. I do not know if they think it is okay to spy on my computer, but I certainly do not think it is. And I, as an average citizen or a legislator, would not support that they wanted to exclude surreptitiously installed DRM from the gambit of the bill.

Once again, when I go to a website or when I respond to an email, I do not want to have to worry that some company thinks it is okay to bury mechanical means for spying on what I am doing.

I was surprised by my Liberal colleagues on this bill, but I think there was certainly a large backlash, because the consumer public is very aware in terms of where we need to go with a digital agenda. So I am glad to see that we have moved forward with all parties on this bill.

The bill only addresses commercial electronic messages. This is not an attempt to shut down individuals who maybe want to do mass emails to their friends and to their friends' friends. There is no provision in the bill to go after people who send out those emails. Personally, I find those emails rather irritating. I do not think I have ever reached the bottom of one of the long lists of cc and cc and cc. I do think it is okay for individuals to do that. The question here is electronic messaging for commercial use. That is the main focus of this bill.

A personal relationship, a family relationship, a pre-existing business relationship would not be stopped. Companies would still be able to send information with respect to previous business dealings, such as someone buying software or something from a company.

I ask the simple question: What is the problem with asking the person for consent to continue? I do not see that impeding in any manner. If I purchase goods and I develop a relationship with a company, that is perfectly fine. But I want to know that my Parliament and legislation will back me up if I am not interested in receiving mass emails, that I can say I am not interested. That is not an unreasonable situation. Contrary to what the Liberals are saying, it is not going to grind business to a halt in Canada. It might if we were still back in the age of the fax machine, but this is certainly not going to grind innovation to a halt.

We worked at committee on this. This is a big bill. We had to look at many areas in terms of ensuring that spam legislation would actually address the problems. I am hopeful that this is the proper first step because we need to start addressing this.

We need to address this in terms of lost potential. We need to address this in terms of interference with competitiveness. We need to address this in terms of fraud. We need to address this in terms of the fundamental issue of consumer rights.

Our computers should not be open to some third party that we do not know, a third party who could be dropping spyware into it, or using it to send out harassing emails, possibly fraudulent emails. When we are plugged into the web, we should not have to worry about what is going to come back down the pipe that we do not want.

Bill C-27 takes some steps toward addressing that. Does it do everything that is necessary? I do not think that is possible at this point. We are going to have to amend and change it as we go because the Internet changes quickly, fraudsters change quickly. We have to run just to keep up as legislators, but this is a good first step.

I am proud of the work of my colleague from Windsor West who worked on this bill at committee. We will be supporting it as it goes ahead.

Mr. Speaker, the member for Timmins—James Bay has taken a leadership role relative to the Internet and the impact that it has had culturally. Being a bit older than my colleague, to listen to him talk today and give us his thoughts on this helps a person of my generation deal with some of the issues that are happening.

One of the things that I am concerned about is phishing. It strikes me that is a very significant issue.

In my little more innocent time, when I first started going on the Internet, I was asked to take an IQ test, which I should not admit publicly. I had to change every password on my computer after that because I realized that I had made a mistake, especially when the first email showed up at my address. I wound up changing my email address as well.

Does my colleague think this particular bill deals with that situation appropriately?

Mr. Speaker, the issue is of how phishing is used to send out a simple email. Someone responds and then basically they have got that person. They have information. They can use that information against that person. That is a huge concern.

I would like to put it in a broader context. Where it is being used now in a very dangerous way is on Facebook. The Privacy Commissioner has certainly come out, as a result of the excellent work of the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa, and raised the issue of privacy concerns on Facebook.

Every one of us is on Facebook, I am sure. Our kids are on Facebook. They do not see that posting their names, their cellphone numbers, all kinds of personal information about themselves, can hurt them down the road, because there are scammers out there. What is our solution? Is our solution as legislators to say, “Bad, bad, bad. We have to shut this down”, or is it to say that, no, we need to have the laws in place to protect people and to go after the people who misuse it.

Second, I think it is as important, not within the confines of the bill and it would not fit within the bill but I think it is something we need to look at, is the need to educate young people. Until people have been scammed, they will never get scammed so they do not have to worry about it. But as I said earlier, I used the example of a young student who received a scam yesterday and it had three pertinent pieces about her and her personal identity that she figured it had to be someone she knew.

All we have to do is go on Facebook. I could tell a people what high school they went to. I could tell them who their first girlfriend was. I could tell them their date of birth and their star sign. If I am looking to scam a person, going on Facebook is the first place I would go. It is the ultimate phishing expedition and people will see some long-term implications from that kind of free flow of personal, private information that people think is protected because it has just been seen by their friends, but third party applications are using it, and all kinds of corporate entities are getting in and getting access to this information.

Mr. Speaker, I would like to congratulate the member for Timmins—James Bay on his speech today in the House. I found it very interesting in terms of the scamming and so on that is going on.

Today, I actually received two requests for information from what I believe are people trying to scam me, and those are from organizations trying to get banking information. One of my friends back home was scammed on that very technique and provided this individual with information on banking and got scammed for just over $3,000.

I am wondering if the hon. member thinks this legislation would help prevent that sort of situation.

Mr. Speaker, the hon. member's example is very pertinent because it actually speaks to another level.

I spoke of Facebook and young people getting scammed. The banking information tends to affect older people because they are very concerned about their bank credit. They receive an email, and I have received a similar email which looks just like it comes from my bank, and the email says it needs my banking information because there has been a fraud committed. That is how it happens. A person believes they have had a relationship with their bank, but if they look at those emails closely, they will suddenly realize there is something not quite correct. The hon. member raises an excellent point.

Within the confines of the bill, it will be able to go after the scammers who are sending these kinds of messages out. It will allow for people to sue, which is an important provision. The bigger issue, though, goes back to the issue we face with Facebook. We really need a larger information campaign about the rights of the digital citizen and what people need to do to protect themselves. It is not about locking the Internet down. That will not happen. It is about giving people a level of assurance, whether they are senior citizens who are getting on the Internet for the first time or whether they are young people or whether they are people like us who press, press, press, click, click, click all day long. We never know when we will make that mistake.

We do need to have this discussion. It is not a partisan discussion. This is a discussion we need to have as a Canadian legislature in terms of looking at some of the problems out there that are not being addressed. Education will be one of the key ones in stopping these kinds of scams.

Mr. Speaker, this has been a very informative discussion today and I was quite intrigued by a number of my colleague's points. First and foremost, he talked about the threat to innovation, that if we do not get a handle on using the Internet in its most positive way and avoiding the pitfalls, as it were, we are going to lose out in terms of innovation.

I was hoping that he would expand on that notion of innovation.

Mr. Speaker, Clay Shirky has just written a book entitled Here Comes Everybody and what he says in it is that we are on the verge of an absolute transformation in industrial design in terms of economic ordering.

Clay says that when new technology comes in is not when the revolution happens. The revolution happens when the technology becomes boring and every day. When everybody is posting pictures of their babies online and emailing back and forth is when the real, new transformative powers begin to happen.

What Clay talks about is cognitive surplus. For example, if most of us go online and basically treat it like TV, there is no difference. However, if 5% of us are on maybe a genealogical site putting information online or doing something like Flickr where there are millions and millions of photos being built up, there is power in so many people putting just 1% or 2% of their time into building something bigger, like Wikipedia, which has enormous transformative power.

If we look at the success of Wikipedia, Clay is positing that this is the beginning of this sort of wiki building of all kinds of people coming together. That is the new model for design innovation. That is where we are going to begin to see the whole transformation of the industrial complex.

Whereas before, it was hierarchical, top down; now, there is going to be a whole movement. However, in order to make that happen, there has to be confidence and people have to know that as they are sharing information, they are not being ripped off, that they are not going to be getting hit with tons of emails and subjected to fraud. There has to be a sense that they can go online to transform and build new economies, new ideas, and new systems of working together. There has to be confidence and one way to get that confidence is to get the scammers, the spammers and the fraudsters off the Internet.

Mr. Speaker, I am pleased to rise to speak to the third reading of Bill C-27, Electronic Commerce Protection Act, or as it is also called the ECPA.

As chair of the Standing Committee on Industry, Science and Technology, I want to recognize the constructive work of all the members of the committee from all parties in improving the bill.

The bill, as amended, from committee has benefited from the work over the past months of the members of the committee. As a result, a number of key elements in the bill have been strengthened, clarified and have been done in a way without diminishing the core principles of what the government has been trying to achieve.

Email is a wonderful technology, and it has only been just over 10 years that we have all been using email broadly. In just over 10 years, it has completely changed our lives. However, many of the benefits of email have been offset by the problem of spam, which is unwanted and unsolicited commercial emails.

According to a MessageLabs report of September 2009, which is a division of Symantec Corporation, spam accounted for as much as 86% of all global email traffic. Unfortunately, Canada is in part responsible for this problem.

Canada ranks as one of the top originating states for spam. In Cisco 2008 Annual Security Report Canada ranked fourth on the list of spam by originating country list.

Late last year in the United States, Facebook won $873 million U.S. in damages from an American court arising from the activities of a spammer based in Canada. That case was prosecuted in the United States and not in Canada. That speaks to the lack of Canadian legislation in place to prevent this kind of activity.

The high volume of spam in recent years has negatively affected the productivity of the Internet and all the technologies associated with the Internet. When a high volume of email is spammed, many people spend hours deleting unwanted messages, networks slow down and companies are forced to spend millions, if not billions of dollars, upgrading their systems, their networks, their backbones, their routers, their pipes to the Internet in order to accommodate the additional bandwidth and network capacity needed to handle this volume of email traffic.

The high volume of spam has impeded the full potential of the Internet as a platform for both personal and commercial use. Spam is more than just unwanted email. It is often used as a vehicle to perpetrate fraud on Canadians. It can lead to online fraud by luring individuals to counterfeit websites, also known as phishing. It can lead to the theft of personal data to rob bank accounts and credit card accounts, called identity theft. It can lead to the collection of personal information through elicit access on one's laptop or on one's computer, known as spyware. It often is used as a vehicle to perpetrate fraud on Canadians

Not just Canadians suffer but Canadian businesses suffer and often this is an overlooked fact of spam. Canadian businesses suffer because they are the victims of the counterfeiting of their corporate website to defraud individuals. We all know of examples of getting emails from spammers or from other people who wish to perpetrate fraud. They ask for people's banking information. They send an email that contains a page that looks like a Royal Bank website or a TD Bank website and often many unsuspecting individuals give their information to these spammers, the people trying to perpetrate this fraud.

It also leads to spam borne viruses and other malicious software called malware, which are used to create networks of zombie computers known botnets without the knowledge of their owners. This undermines confidence not just that Canadians have in the Internet but that Canadian businesses have in the Internet as a platform for commerce, as a platform for doing business in the 21st century.

I do not think it is hyperbole to say that spam is costing Canadians and Canadian businesses billions of dollars a year in fraud, in network capacity and in the need to upgrade systems to handle the volumes of email which we are seeing. It costs the economy through malicious programs such as malware, spyware, phishing, viruses, worms and Trojans that enter computers. It costs the economy in terms of undermining Canadians and Canadian businesses in their confidence of the Internet, often having to rely on old-fashioned ways of doing business because the Internet is not seen as trustworthy enough to conduct certain types of business transactions.

In response to this problem, the Government of Canada launched a task force on spam to consult Canadians and their businesses. The task force was given one year to consult and report. In May 2005 the task force reported its findings and recommendations in a report to the Minister of Industry. I want to thank the members of the task force for their valuable work in this regard.

Our government has acted on the recommendations and findings of the task force by introducing Bill C-27, anti-spam legislation entitled “The Electronic Commerce Protection Act”, or the ECPA. This legislation will deter the most damaging form of spam from happening in Canada and will help drive spammers and their associated activity out of Canada.

The legislation addresses the recommendations of the task force on spam, which brought together experts from industry, academia, consumers and other business experts to come together to craft a comprehensive set of measures to combat threats to the online economy. Successful legislative models in other states were also examined and taken into account when drafting the bill.

The legislation will allow Industry Canada to act as a national coordinating body to educate consumers, track and analyze statistics and trends and lead policy oversight and coordination.

The legislation will also facilitate the establishment of a non-governmental agency, the spam reporting centre, which will receive reports of spam and related online threats, allowing it to collect evidence and gather intelligence to assist the three reporting agencies, the Canadian Radio-television and Telecommunications Commission, the Competition Bureau and the Office of the Privacy Commissioner, with the investigation and prosecution of offences.

It is important to note that the ECPA does not apply to non-commercial activity. Political parties and charities, other organizations that contact Canadians through email will not be subject to the ECPA, provided these emails do not involve selling or promoting a product.

Bill C-27 will protect Canadians and their businesses from the most damaging and deceptive forms of electronic harms and provide a regulatory regime to protect the privacy and personal security of Canadians. The rules will encourage confidence in online communications and e-commerce on the Internet.

The bill before us provides the CRTC, the Competition Bureau and the Office of the Privacy Commissioner with the tools they need to pursue those who undermine our online economy and to work with one another and their international counterparts. The bill has sharp teeth, administrative monetary penalties of up to $1 million for individuals and up to $10 million for businesses.

The bill in front of us today resulted from a great deal of work from several different sources. On the one hand, we had the recommendations and findings of the 2005 Task Force on Spam. On the other hand, we have also benefited from some of the work that former Senator Goldstein did in Bill S-220 in this regard.

Some of the features in this bill differ from what Mr. Goldstein had previously proposed. One of the most important is the use of the CRTC, the Competition Bureau and the Office of the Privacy Commissioner to enforce the provisions, in other words, using regulatory agencies to enforce the provisions of the spam bill rather than using police enforcement agencies as Bill S-220 had proposed.

The RCMP has other urgent law enforcement responsibilities, and I believe we should not redirect those precious resources to the monitoring of unsolicited commercial email. I believe that regulatory authorities are better positioned than law enforcement authorities for this kind of white collar problem.

In drafting Bill C-27, the government also drew on a wealth of experience in other states in combating spam. The bill drew on work that had been done in New Zealand, Australia and in the United States. The bill also benefited from the approach taken by other states as well. The bill before us is based on the best and most effective aspects of those legislative regimes in those states.

By being consistent with the approaches of other states, by using regulatory approaches and regulatory agencies in effecting this anti-spam bill rather than law enforcement agencies, we will help promote greater international co-operation to combat spam and other online fraud.

As members of the House know, Bill C-27 adopts an express consent regime designed to give businesses and consumers control over their inboxes and their computers. It requires that the individual's consent be sought and obtained in order to permit an ongoing commercial transaction. Once consent has been expressed by an individual, it remains until the individual opts out or revokes that consent. The industry committee took a careful look at how to ensure that the companies that used email could keep in touch with consumers so they did not inadvertently find themselves in violation of the law.

Members of the House will also know that the bill contains implied consent provisions that have been expanded to include suspicious publication of an electronic address. If someone publishes his or her email address on a website or in a print advertisement, he or she is considered to have consented to receive unsolicited commercial messages, provided the sender's message relates to the business or office held by the person.

Consent is also implied when a person gives out a business card or provides an email address in a letter. Similarly, the amended bill clarifies that when a business is sold, the purchaser has an implied consent to contact the customers of that business. Following the initial transaction between a business and a consumer, the period of implied consent has been expanded to 24 months from the original 18, as first contained in the original bill. This gives businesses even more time in which to obtain the express consent to further commercial transactions.

Another area in which the bill has been amended is in ensuring that updates to computer programs are not adversely affected by the protections we have put in place against malware and spyware.

The committee looked at the impact the bill would have on the installation of computer programs. It has been amended in the situation where the installation of updates, as it is understood as part of an original contract under which the software is installed, is not prohibited by the bill. Most of these programs call for automatic updates, such as daily or weekly updates, to anti-virus software. These updates will not require fresh consent for each instance. Running programs such as JavaScript or Flash programs will also not require express consent each time they are run.

Let me say a few words about the private right of action before I conclude. Some hon. members have questioned whether a private right of action is necessary. I believe it is. The private right of action enforces and complements the enforcement efforts of the CRTC, the Competition Bureau and the Office of the Privacy Commissioner. I would remind the House that this feature has been very effective in other jurisdictions in shutting down those such as spammers who have caused to the electronic economy. I believe it will be equally effective here in allowing groups or individuals to pursue violators. The private right of action will allow individuals and businesses suffering financial harm an avenue of recourse to be compensated and awarded damages.

Finally, the bill is technology-neutral. Bill C-27 recognizes that the convergence of voice and data is happening and will eventually be complete. It will allow the Government of Canada to prevent spam and associated threats regardless of how the technology evolves. Therefore, the bill will remain current in the future as technology evolves.

If Bill C-27 is passed by the House at third reading, Canada will go a long way to combatting spam and spam-related threats. Based on the experience of other states with similar legislation, a reduction in spam is quickly expected. When Australia adopted similar legislation in 2004, it dropped out of the world's top 10 spam-originating states and major spammers in Australia closed their operations altogether.

While the legislation will not eliminate spam entirely, Canadians will see a reduction in the amount of spam in their inboxes. Equally important, the legislation will decrease the most damaging forms of spam from originating in Canada and will help drive spammers and their associated illegal activities out of Canada.

The Internet has become the primary platform for online commerce and general communications. Canada has had a long history of global leadership in the telecommunications sector. E-commerce is now a part of the Canadian economy, with billions of dollars of goods and services being sold over the Internet each year in Canada.

If adopted by Parliament, this legislation would allow Canada to continue in that leadership, ensuring that we remain a secure locale for e-commerce and for Canadians. It is time for Canadian law to catch up with the Internet age. All parties in the House have expressed their desire to strengthen confidence in online commerce. All parties are opposed to spam and see the danger of it.

We have studied this bill at great length in committee and have emerged with important amendments that clarify it. The time has come to pass it at third reading.

Mr. Speaker, we often talk about individuals and their individual experiences on the Internet. However, there is also this extremely important aspect of commercial business and what it can do from the other side to protect itself and the important practices it can follow to help Canadians understand and recognize legitimate commercial communications.

I wonder if the member would care to comment about the importance of engaging business on the other side. We can legislate only so much, but we really do need partners in this if we are going to deal with it effectively.

Mr. Speaker, part of this debate that is often overlooked is the cost to Canadian businesses and the problems that Canadian corporations have in managing their email networks. From personal experience, I can say that it costs billions of dollars for Canadian corporations to handle the volumes of spam that we are now seeing.

As the House knows, we in Parliament have size limits on our inboxes. The simple reality is that the volume of email coming into the House of Commons and Senate computer systems is such that a great volume of these emails are spam. While companies can put in place firewalls, routers and other forms of software on their servers to redirect or block spam, at the end of the day, a lot of this spam still makes its way through those firewalls and routers and into the email servers, which then become completely clogged and saturated with this spam. As a result, legitimate transactions and emails are often slowed down or mailboxes are restricted in terms of the amount of email they can handle in order to deal with all of the spam that is being received.

Backup systems have to be enlarged. Bandwidth has to be enlarged. Email systems have to be expanded. All of these represent hidden costs to Canadian businesses. Many times, the senior management of these businesses does not realize the number of dollars that are being wasted on IT departments and chief information officers to handle the volumes of spam that we are seeing.

I think this bill is a move in the right direction because it is going to help Canadian businesses combat the time wasting and resource wasting that this problem creates, despite the efforts taken to put network security in place and expand data storage systems.

Mr. Speaker, I am pleased to participate in the debate on Bill C-27. PIPEDA falls under the jurisdiction of the Standing Committee on Access to Information, Privacy and Ethics with regard to personal information.

A number of members have been involved in one aspect of this and that is identity theft. It is a very serious problem in our society and the stories are horrific. The impacts it can have on people are very tragic.

I certainly want to speak in support of the bill, basically to start the process of educating legislators, because this is a starting point from which we need to continue to grow due to the velocity with which the information and technology are growing, as well as some of the tricks and things that we have seen and the way the envelope is being pushed.

Most members will have seen things in their inboxes from people identifying themselves as representatives of their bank. The emails say that the bank is doing a security check and requires members to provide their account numbers or something like that. They look very official. As a matter of fact, often the logos of a bank or the proper or stylized name of the bank will appear. Yet Canadians should understand that banks do not do business related to security and privacy over the Internet. It is just not a secure environment in which to do that.

This bill would establish a regulatory framework, which I think is a very good start. Our economy is changing. Our kids grew up with computers. Their ability to move very quickly through the electronic world is absolutely fascinating.

I actually have a degree in computer science from the University of Western Ontario and at the time I took that degree, we were using punch cards, which will give everyone an idea of where I came from. This is a very serious issue, and I am glad that we are at least at the point that this bill is at third reading and this electronic commerce protection act would prohibit the sending of commercial electronic messages without prior consent of the recipient.

It brings to mind the do not call list system that was established, which Canadians will say does not work very well. It is problematic and we should probably learn from the experience of the do not call list that notwithstanding the mechanisms that have been put in place, somehow things slip through. There is a caution that as much as we legislate, we are not going to be able to anticipate all the pitfalls that may transpire.

This act would also amend the Competition Act to prohibit false and misleading commercial representations made electronically. As I have indicated, the Personal Information Protection and Electronic Documents Act, referred to as PIPEDA, prohibits the collection of personal information by means of unauthorized access to computer systems and the unauthorized compiling of lists of electronic addresses.

That is a reasonable indication that the bill addresses this from sufficient directions. However, I asked a question earlier of the previous speaker. The role of business in this also comes into play.

Last week I just happened to receive a document called “The Canadian Privacy and Data Security Toolkit”. This is for small and medium size enterprises, many of which are active. These are the ones that are extremely active, scouring the bushes, looking for that bit of business, that niche for their businesses.

The foreword is by our Privacy Commissioner, Jennifer Stoddart, and the introduction is by Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario. This was actually produced by the Canadian Institute of Chartered Accountants, which is trying to educate its clients about some of the important things.

I want to start off from a business perspective looking back. Some of these businesses may very well be the businesses that are improperly using information they receive from individuals over the net. It states that:

Information privacy is the right of an individual to exercise control over the collection, use, disclosure and retention of his or her personal information. Personal information (also known as personally identifiable information...) is any information, recorded or otherwise, relating to an identifiable individual.

It includes such things as credit card numbers, debit card numbers, social insurance and security numbers, driver's licence numbers, and health cards, all of which deal with a fair bit of sensitive information. This leads to the whole situation of things like identity theft.

A constituent wrote me an email over the weekend to thank my staff for giving her some hints and tips on what she could do to protect herself because she had lost her wallet with all her information in it and had in fact had an indication that someone was already using some of that information. Things happen quickly when information gets into the hands of the wrong people.

The report talks about a privacy breach. On page 83 it says that:

A privacy breach is unauthorized access to, collection, use, or disclosure of personal information. The breach could be the result of an inadvertent act such as the loss of a laptop or by a deliberate act such as an attack from a computer hacker. Both, however, are considered breaches since the information is no longer under your protection.

Other examples of privacy breaches [include] misplaced fax, CD-ROM, or USB drive key[,]...sales receipts with credit card information thrown into recycling bin instead of the shredder[,] old computers reused with personal information still present on the hard drive[,] or customer files stolen during a break-in.

The consequences of a privacy breach could be a number of things such as:

damage to reputation or brand[,] loss of consumer confidence[,] reduced revenues [and] unexpected costs to compensate victims.

The potential damage to reputation or brand can be severe. In a survey of individuals who had received notification of a breach, almost 20% of the respondents terminated their relationship with the company, and another 40% were reconsidering their relationship.

We can see that this is not an inconsequential item we are dealing with for either side. The individual's private information needs to be protected, and a business whether small, medium or large has a role to play in protecting that information which they legitimately acquire through business transactions. There is often the temptation to utilize that information for unauthorized uses.

There was a case recently within the Government of Canada involving, and I will try not to be too specific, a program to do with a grant for doing something energy related. People who applied for that grant started to receive information on other areas of the government. When someone applies to the Government of Canada for a grant, I would suggest that they do not expect to find themselves on a mailing list and getting information to do with other matters related to the government.

The government itself is also strongly targeted here with regard to its practices. We have to be vigilant to ensure that none of the information the government collects, regardless of the department, is inadvertently or advertently used for a purpose which was unauthorized by the person who made contact with the government in the first place.

There is one other thing that I thought was kind of interesting. Under privacy impact assessment, there is a quick privacy self-assessment. I thought it would be interesting to let members know what small and medium-sized businesses might do.

The first item is, do we know our privacy obligations?

Some businesses are busy. I must admit, from an accountant's perspective, most people who run small and medium-sized businesses are more interested in doing business than they are in keeping the books and dealing with the myriad of paperwork and legislative reporting, but this is about knowing the privacy obligations, both federal and provincial, because there are some differences.

The second item is, has the organization assigned responsibility for compliance with privacy legislation and policy?

This is an important aspect, because it is an indication of whether the company is taking it seriously, that it has a serious responsibility to comply with provincial and federal legislation and to be proactive in terms of protecting the information of individuals.

The third accountability and management assessment question is, has the organization conducted an inventory of personal information to identify what information has been collected, where the information is collected from, who has access to that information and to whom may be the information be disclosed externally?

That is extremely important, because as we well know, one of the ways that people get on mailing lists is that people who accumulate personal information tend to share it or sell it to others. All of a sudden, like a pyramid scheme, it just continues to expand to where all information seems to be in the hands of all people.

The fourth assessment point is, does the organization make use of online privacy resources, for example, websites of the privacy commissioners or the Canadian Institute of Chartered Accountants, to assist with privacy compliance and awareness of privacy developments?

Keeping on top of it is clearly very important, and it will be important for us also to readily assess the evolution of this electronic vehicle that is being used and has caused a great deal of difficulty and problems for individuals and for businesses.

The next point asks, has the organization adopted a privacy policy that addresses collection, use, disclosure to third parties, secure disposal of personal information and retention of personal information as it applies to particular operations?

With regard to that last point about the retention, there is a shelf life for information. For instance, if we have information about someone who is deceased, all of a sudden, if it is made known, that information has to be destroyed.

Our committee has dealt with even something like Google Street View. There are some privacy implications there. There are a couple of others where we have provided information to offshore parties as well, being able to control that or make sure of that when we are complying under obligations we have, for instance, with the United States, which requires that for any aircraft that even just flies over any its air space, documents have to be provided as to who the passengers are and where they came from, et cetera.

Those are extremely important because our private information, our personal information, is everywhere.

I must admit that I tend to keep thinking about whether I should just report as lost and not recoverable all my cards and the other things that have my personal information on them and get new numbers, simply as almost a reaction to what can happen.

Just last week I got a phone call from my bank. I have a U.S. credit card because I have family in the United States, and we travel sometimes to visit them and I use that card. I have not been to California in about 10 years because that is not where my family is, but I was advised that there were two $1,000 charges to my U.S. credit card. The bank took all the information and advised me that those charges would not be left on my account, and I have a new card today.

Some cards do protect us, but not all of them. It is incumbent on people to understand what can happen when their personal information is used or stolen. Do they have coverage in some fashion? Some of the instruments we use do provide protection.

There are two more questions on the privacy policy side.

The sixth question asks, is the privacy policy made available to individuals prior to or at the time that the personal information is collected? Basically, do employees know what is going on and are they aware of all of the policy related to the activity they are undertaking?

Finally, the self-assessment asks, are your employees aware of the privacy policy and able to direct individuals to it?

I found this to be an excellent document. It also has a checklist on privacy procedures, training and disclosure to third parties. One could even score oneself on this.

I would certainly recommend this document to hon. members or others who might want to know a bit more from the perspective of business and how it would be able to interact with this legislation. This legislation would help businesses understand the kinds of things they must be aware of and cautioned not to do. It would also make businesses aware of the kinds of things they could do proactively, and that is a complement to the legislation.

Again, this document is called “The Canadian Privacy and Data Security Toolkit for Small and Medium-Sized Enterprises”, and it is published by the Canadian Institute of Chartered Accountants. I am sure that hon. members would be able to get it.

I appreciate the fact that this legislation has come forward. I think there will be good support from all hon. members. We need this bill to give us the foundation or the basis on which to be able to assure Canadians that we are taking all reasonable steps to provide an environment in which personal information is protected from those who would misuse it or use it for other wrongful purposes.

The bill itself is fairly straightforward. I appreciate that this was a lot of work for committee. I commend committee for going through it. I did notice the breadth of the work that has been done not only at committee, but by others prior to committee work. A long evolutionary process has brought us to this point.

It is extremely important that members also familiarize themselves with this. I hope members take an opportunity in their householders to advise their constituents about important legislation such as this, as well as some tips for Canadians at large to help them safeguard their personal information.

Mr. Speaker, as I see it, there are two problems that this legislation is trying to address.

The first is obviously the problem of spam as a vehicle to perpetrate online fraud, whether that be phishing or identity theft, spyware, spoofing, counterfeiting, malware, botnets and the like.

The other part of the problem that this bill is attempting to address is the fact that even if spam were not a vehicle for online fraud, even if spam were not a delivery mechanism for all these malicious types of computer programs, even if spam were not doing anything malicious in terms of what it is delivering to people's computer inboxes, it has a second major problem that is often overlooked, which is that it chews up a huge amount of bandwidth, of storage space on corporate and other computer systems. It is reported that up to 85% of all email traffic in the world is spam, and that costs a huge amount to Canadian businesses in terms of bandwidth usage, in terms of storage space, and that is often overlooked.

Much of the spam cannot be blocked by firewalls or routers or other forms of technology. The proof is that when we go into our Hotmail account or Yahoo! Mail account or Gmail account, there will be a folder for spam, because spam cannot even be blocked from entering into their systems and their networks. This has a huge hidden cost for the Internet, both for consumers and for Canadian businesses.

I wonder if the member would comment on that.

Mr. Speaker, I must admit, the first thing I thought of was Bill Gates saying that all anyone would need is 64 kilobytes for their Commodore 64 and nobody would ever need anything more.

On the weekend I picked a little memory stick that has 16 gigabytes of memory on it. The cost of this is coming down very substantially.

On the commercial side, the member is absolutely right. This is a tremendous amount of information. On a personal level, our computers get filled up pretty quickly. I think members of Parliament have all experienced the same thing, where they can go into their office after having left late at night and find somewhere between 100 and 200 emails in their computer. This is such an easy facility to use, so we can understand that so many of these are people from around the world.

The member is quite right that the risk to us is that we have the intelligence or maybe the misapplication of intelligence of virtually the entire world looking at ways in which it can intrude, looking at ways in which it can take advantage of our information, destroy our information, share it with others, or park itself for activation later on.

Some of the Norton software for bugs and the like cannot keep up. Every time I go to Future Shop, there is another version of Norton there.

Certainly businesses need to get engaged here. They have a significant role to play. I do not know how many small and medium-sized businesses, though, have been engaged to protect their information, to protect their software from invasion, and whether they can or even know how to detect it, and this concerns me.

Eventually what is going to happen is that business information will be modified in ways in which there is such a high volume of traffic through it that ordinary businesses that are operationally focused will never be able to see it until there is substantial damage.

Again I thank the committee. I hope we will be able to continue to improve upon the legislation as the risk continues to evolve.