Bill C-27 (Historical)

Thank you, Mr. Chairman.

I'm pleased to be here today as the new director general of the electronic commerce branch at Industry Canada, having recently replaced Richard Simpson, who appeared alongside Minister Clement and Assistant Deputy Minister Helen McDonald in June.

As you indicated, I'm joined here today by our legal counsel, Philip Palmer, and from my staff, André Leduc.

Industry Canada has made a commitment to increasing confidence in the digital economy, to clarifying the rules of the domestic and international markets, promoting the adoption and use of e-business and eliminating barriers to the use of e-business. The electronic commerce protection bill represents an importing step in achieving these objectives. Our department is pleased with the support this initiative has received in the testimony and briefs that have been submitted to the committee.

It is no surprise that there has been such interest in this legislation, as the Internet is now the communications platform of the emerging economy. ECPA is about more than just the nuisance of spam; it is about malicious and detrimental activities that dissuade Canadians and Canadian businesses from taking part in the online marketplace.

I should note that ECPA could not have been drafted without the important work of the task force on spam and their recommendations, as well as the experience shared with us by global partners, specifically New Zealand, Australia, and the United States. By working closely with these counterparts, Canada has drafted world-leading legislation based on the best and most effective aspects from legislative initiatives from around the world.

Spam and on-line threats come from both inside and outside Canada. The current bill contains important provisions designed to protect Canadian consumers and businesses from the most dangerous and harmful types of spam and will introduce a regulatory system that will protect the privacy and personal safety of Canadians in the on-line environment. The bill will include a set of clear rules that will benefit all Canadians and that will increase their trust in on-line communications and electronic business.

I would like to take this opportunity to address a couple of the common misperceptions about the legislation.

The committee has heard a number of witnesses express concern about the consent regime. It should be noted that there is no time limit to express consent. Once an individual has provided express consent to a person, the consent can only end when the individual opts out or unsubscribes. The 18-month period with respect to existing business relationships allows companies to imply consent in order to give them time to obtain the individual's express consent.

Secondly, with regard to the private right of action, some witnesses have indicated that they do not see a need for it. We believe this provision provides an important mechanism that will allow individuals and groups of individuals to pursue violators and enable telecommunications service providers and Internet service providers to pursue those who threaten their networks. It would, for example, enable a bank or financial institution to take civil action against phishers who falsely impersonate their organizations in an attempt to defraud their customers.

Mr. Chairman, we have examined the concerns expressed before your committee and have prepared motions respecting a number of them. At Mr. Lake's request, we have distributed to all members an annotated version of the bill indicating the amendments proposed by the government. More than 40 amendments are planned, a number of which are of a technical nature.

Our purpose is to strengthen confidence in online commerce, and the opportunity for public comment presented by the committee's study of Bill C-27 has been most helpful. Of all the areas discussed, those that provoked the most comments were those relating to the perceived breadth of the legislation and the requirements respecting express and implied consent. We considered these concerns carefully, and amendments are being proposed to better focus those provisions that were considered too broad.

In brief, the amendments deal with the definition of commercial electronic messages, existing business relationships, business-to-business relationships, third party referrals, and the installation and update of programs and applets.

First, with regard to commercial electronic messages, we recommend expanding the range of situations in which the sending of e-mails is excepted from the requirements of express consent. For instance, correspondence in reply to an inquiry is clearly exempt, as would be ongoing correspondence relating to insurance policies, warranties, subscriptions, and other longer-term relationships.

Secondly, amendments have been drafted concerning existing business relationships. For example, for those relationships that are in effect prior to the act coming into force, a transitional or grandfather clause will extend the implied consent regime for a period of 36 months to allow commercial entities time to contact existing clients and obtain their express consent for future communications. Similarly, we have clarified by way of proposed amendment that the 18-month period concerning an “existing business relationship” referred to in subclause 10(4) commences on the date that the subscription, membership, account, or loan has been terminated, as opposed to the beginning of that relationship.

You will also find an amendment that clarifies that in the instance of the sale of a business, the purchaser is deemed to have an existing business relationship with the seller's clientele.

In the context of business-to-business relationships, we have suggested expanding implied consent to encompass the conspicuous publication of an electronic address, such as on a website or in a print advertisement. In these circumstances, the sender's message must relate to the business or office held by the recipients. Implied consent would also be extended to cover situations where it is reasonable to believe that consent has been given—for instance, in giving out a business card or providing an e-mail address in a letter.

We have recognized the importance in certain industries of being able to contact referrals through e-mail and have drafted an amendment to this effect. In the document before you, you will find a provision permitting under certain conditions unsolicited commercial messages that are follow-ups to third party referrals.

In terms of consent to installation of computer programs, you will find proposed amendments to clarify that automatic updates—for example, daily or weekly updates to anti-virus software—will not require consent for each update as long as this is set out as part of the original contract under which the software was installed.

Similarly, you will find that there are proposals to ensure that running applets such as JavaScript or Flash programs will not require express consent each time they are run.

Last, during witness testimony, a suggestion was made to have the administrative monetary penalties, or AMPs, provision amended to provide further assurance that companies that make an honest mistake will not be subject to heavy fines. It has been suggested that the CRTC be given the capability to suspend AMPs for a specified period of time, and that if the business does not violate the act again during that time period, the AMP could be lifted. As a result, we propose that clause 25 be amended to indicate that the CRTC has the ability to reduce, suspend, or waive an administrative monetary penalty.

I want to thank you for your review of the Electronic Business Protection Act. We are convinced that this work will result in healthy regulation and that the bill will take into account the interests of businesses and consumers in an equitable manner.

We welcome the committee's questions. Thank you.

We would like to thank you, Chair and honourable members, for inviting us to speak before you today on this important issue.

My name is Tamir Israel. I am staff counsel with CIPPIC. With me is David Fewer, our acting director. We apologize for not providing you with a brief of our position today.

CIPPIC is a legal clinic based in the University of Ottawa's Faculty of Law. Much of our mandate involves addressing the legal and policy concerns that arise from new technologies and specifically from the ever-increasing availability of private and personal information in electronic formats.

For a long time, we have been concerned with the many facets of identity theft and have researched legal and policy approaches to that problem. This work has resulted in, among other things, a public-private multidisciplinary project funded by the Ontario Research Network for Electronic Commerce, ORNEC, and a series of six working papers available on our website at www.cippic.ca. These cover most aspects of the issue.

We will be releasing a final white paper later this year, updating and summarizing our work on this issue and making specific recommendations for law and policy reform needed to address identity theft in a comprehensive manner.

We would like to point out that identity theft is a very serious phenomenon with specific impacts on individuals and society at large. You've heard that ID theft costs our economy $2 billion annually and that this is a conservative number.

There is an associated loss of confidence that is much more difficult to quantify, but equally serious. We have seen figures estimating that individual victims in Canada spend approximately $164 million of their own money and over 18 million hours annually just addressing the fallout from having their identities stolen, just to re-establish their identities.

In addition to this social and individual financial cost, there is also the invasiveness of such offences. People who have their personal information or identities taken from them for such fraudulent purposes often feel violated. People have told us that victims of ID theft often exhibit feelings similar to those seen in victims of home burglaries. There is serious psychological harm here, as well as the financial costs.

We feel that the magnitude and nature of these harms calls for a criminal component as part of any response to the problem of ID theft.

Our study of Bill S-4 has convinced us that it is well-tailored to address the specific and fairly well-documented problems raised by identity theft in the criminal sphere. It manages to provide police with the tools they need in this sphere to address these problems, while avoiding the problems of overbreadth. It does so while managing to maintain flexibility and technical neutrality. The reason it is able to do this is that it directly addresses the specific issues posed by identity theft and does not overreach in that respect.

We're here today to say that we support this bill and would gladly try to answer any outstanding questions or concerns you might have on it. We've been paying attention to your committee hearings and we've noticed that some have been raised.

But we'd also like to remind the government, in brief, that its job with respect to identity theft is not done. ID theft requires a comprehensive response. This bill largely and effectively addresses the criminal portion of this response. In addition, the government's Bill C-27, which is also currently in committee, takes important regulatory steps that will deter a great deal of ID theft activity.

But more reforms are essential to address prevention and to help individual victims deal with the problems that identity theft raises for them. Many of these additional reforms are beyond the scope of a criminal bill such as this one, and we would not want to delay the implementation of Bill S-4. However, we have your attention, so we would like to point out to you the ways in which the Criminal Code can be improved to better accommodate the needs of victims. The victim restitution provisions in clause 11 of this bill will go some way to doing that, but we feel that more can be done.

We have suggested in the past and do so here again that it would be helpful to add provisions to the Criminal Code giving victims the right to local police reports. We have found from our research that this helps victims address jurisdictional issues.

What often happens is that a resident of one city, let's say Ottawa, will have their identity stolen or the ID fraud will manifest in another city, let's say Edmonton. The victim will be directed to Edmonton police, who will have jurisdiction. The local police force will generally refuse to open an additional file because they don't like to investigate claims committed in other jurisdictions. Although I note in defence of Ottawa that we were told the OPS in particular is willing to do this, most other police forces will not.

This is a serious problem. ID theft often requires immediate action, and for an Ottawa denizen to have to contact Edmonton before a file is opened, that takes a lot of time. In the meantime, they are having credit problems.

On the other hand, ID theft also has long-term, recurring ramifications, and it simplifies matters a great deal for victims to have local police as their point of contact for any investigation. The police can then forward the investigation to a more appropriate jurisdiction, but they should remain the point of contact. It should be clarified that this applies to victims, even if the financial institution in question absorbed all the financial harm in a particular instance.

In addition, we have heard that police reports often don't contain a great deal of information. They do not even state that the offence being investigated is fraud. This means they're not very helpful to victims, in and of themselves, if they're trying to vindicate themselves with persistent creditors or with Equifax or anybody else.

To remedy this, other jurisdictions have provided, within their criminal statutes, a right to a judicial determination of factual innocence from a court of law, once an investigation is successfully completed. We point you to section 530.6 of California’s Penal Code, if you would like guidance on provisions of this nature either now or in the future. There are other examples from other jurisdictions that can be found in our working papers on our website. A broader range of suggestions is available in our working papers as well and will be collected and updated in the white paper we intend to release shortly.

We invite any questions on the issues we've raised here, on any outstanding concerns you may have with respect to the current bill that have been raised in the past hearings before you, or on any other steps that can be taken to alleviate identity theft.

Thank you.

Thank you, Mr. Chair and members of the committee. Thank you for inviting us to be here with you today to contribute to your study of Bill C-27, the proposed Electronic Commerce Protection Act, ECPA.

We welcome this opportunity to comment on this important bill.

My name is Nathalie Clark. I am the general counsel and the corporate secretary of the Canadian Bankers Association. With me today is Bill Randle, our assistant general counsel.

In the submission we have provided to the committee, we have commented on Bill C-27 in some detail. But in these opening remarks, I will briefly review our main concerns with the bill.

In recent years, criminals abused e-mail both to deliver spyware, which can steal personal information from its targets, and to send counterfeit messages that lure individuals into disclosing personal information that results in identity theft.

It is widely recognized that these types of spam are a significant threat to individuals, businesses and the Canadian economy. For several years, the CBA has encouraged the government to introduce legislation to address the most malicious forms of spam.

Canada is the only G8 country that does not currently have specific anti-spam laws and the banking industry agrees that legislation is required to protect consumers and businesses from these dangerous and damaging forms of spam.

As a result, we welcome the government's decision to proceed with draft anti-spam legislation and we support the stated goal of Bill C-27 to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities. We note, however, that Bill C-27 is clearly more extensive and restrictive than similar legislation in other jurisdictions, including the United States.

We are concerned with the broad range of the bill and the potential negative impact that some of its provisions may have on legitimate business activities. In particular, we believe the opt-in framework proposed in the bill, combined with the need--with some limited exceptions--to obtain express consent from a person to send them a commercial electronic message, will have a negative impact on the ability of legitimate businesses to market their goods and services electronically. Most importantly, express consent cannot be obtained by sending an e-mail or other electronic communications to a person requesting consent. It can only be obtained in some other manner through some prior contact with the recipient. In other words, a business cannot send an unsolicited electronic message seeking consent to send more messages.

We recommend, therefore, that Bill C-27 be amended to allow the sending of an initial contact message without consent, while strengthening the content requirements of the initial contact message to ensure it is consistent with the principles of the do-not-call list legislation and the anti-spam legislation of other countries.

We acknowledge that consent can be implied when there is an existing business relationship--we welcome this exception--but believe some changes are needed to the definition of “existing business relationship”. We also recommend an amendment to extend the exception to affiliates of a company with which a person has a business relationship.

We note that express consent is required every time a “computer program” is installed, even when there is an existing business relationship. We would like some clarification that tools such as “cookies” are not included in the definition of “computer program” set out in the bill.

There is an extensive system of administrative monetary penalties set out in the bill as well. While we accept that there is a need for an enforcement regime, including penalties for persons who breach the provisions of the act, we believe that some aspects of the regime, and especially the penalties proposed in the bill, are excessive and would discourage businesses from engaging in legitimate marketing activities. This could have the effect of stifling the development of legitimate electronic marketing and could adversely affect the ability of businesses to reach their consumers.

The bill states that the purpose of these substantial AMPs is to encourage cooperation and compliance with the legislation and is not to punish. If that is the primary objective of the AMP provision in Bill C-27, we recommend that the CRTC be given the ability to suspend an AMP for a period of time, and if the persons subject to the AMP satisfy the CRTC that they have made changes to comply fully with the law, then the AMP could be withdrawn.

The bill also includes a private right of action that allows for statutory damages without proof of loss. We believe that the appropriate enforcement regime is government based. We do not support a private right of action, as we believe that these actions are generally motivated more by private monetary considerations than by general deterrence, and that a private right of action will have a chilling effect on businesses that wish to engage in legitimate marketing activities. While the bill provides for various factors to be considered in assessing damages under a private right of action, legitimate businesses are still put to the significant cost and task of defending themselves in this context. In particular, the private right of action that allows for statutory damages without proof of loss will encourage class actions that will lead to substantive legal costs and reputational risk for businesses.

Summing up, the CBA stands firmly behind this legislation that protects individuals, businesses and the Canadian economy from the serious threat of malicious forms of spams. We are very pleased to have had this opportunity to work closely with the government and with members of Parliament to ensure that Canada is no longer the only G8 without specific anti-spam laws on the books.

Thank you once again for providing the CBA with the opportunity to offer our views on Bill C-27. We would be pleased to answer any questions.

Mr. Chair, Mr. Vice-Chair, members of the committee, thank you for this opportunity to present out views on Bill C-27, the Electronic Commerce Protection Act.

Option consommateurs dates back to 1983. We are a non-profit association with a mission to promote and to defend the interests of consumers and to ensure respect of their interests. Our head office is in Montreal. We also have an office in Ottawa.

The Task Force on Spam submitted its report to the federal Minister of Industry more than four years ago. The Task Force consisted of the ten official members, of whom I was one, drawn from private industry, government and the non-governmental sector. About 100 others with a deep-rooted interest in the question also contributed. The Task Force submitted a unanimous report in which it recommended, among other things, the drafting of a stand-alone law that would clearly address spam, spam-related offences and emerging threats such as spyware and botnets.

We therefore welcome the tabling of Bill C-27 as a first step in improving Canadian consumer confidence in electronic commerce.

It is the recipients, namely Internet Service Providers, business and consumers, who bear the cost of massive volumes of commercial email, not the senders. And these direct costs—bandwidth, filtering technology, the hiring of extra staff—and indirect costs—loss of productivity, loss of genuine messages, corruption of information technology infrastructure and identity theft—are as numerous as they are hard to quantify.

Fraudulent use of email addresses directly undermines the public confidence necessary for electronic commerce. Spam violates two different principles of privacy protection: the collection and use of information and the Internet user's right to withhold consent to such collection. Spam is also an important vector for phishing attacks which enable Internet criminals to carry out identity theft. According to the OECD, spam levels are high enough that they are undermining user confidence in email and other electronic media as well as creating a negative impact on global communications networks.

This situation makes it urgent that Parliament adopt clear precise legislation banning the sending of unsolicited and unauthorized commercial emails—as stipulated in subsection 6.1; modification of message headers—section 7; the installation or use in an individual's computer of programs without that individual's consent—section 8; misleading and fraudulent representations—section 71; the use of computer program for searching for, and collecting, electronic addresses and the use of an individual's electronic address collected by such a program—section 78; as well as the unauthorized use of a computer for the purposes of collecting personal information—section 78. It is just as important that this legislation should allow commercial email only if the consumer has clearly agreed to receive them.

In discussion groups and in a Canada-wide survey which we conducted in 2004, Canadian consumers expressed a preference for a system requiring a consumer's explicit prior consent before any commercial email is sent. We would have preferred a strict regime of explicit consent, but we consider that the thrust of sections 10 through 13 of the bill represents a reasonable compromise between explicit and implied consent in cases of an existing business relationship. For the sake of greater clarity on the point of implied consent, we recommend the addition of the following clause after clause 10.4:

In the case of “existing business relationships“, an implied consent is valid only if the recipient provides his or her own details directly and if the goods or services being marketed are similar to those previously sold to him or her,

The bill incorporates the Task Force on Spam's recommendations, firstly, that the new offences created by the law should be covered under civil status and secondly, that there be a provision allowing individuals and businesses to lodge private actions. The high financial penalties in the proposed legislation strike us as severe enough to discourage spammers.

Bill C-27 also incorporates several amendments to the Competition Act and to the Personal Information Protection and Electronic Documents Acts which will help to counter spammers' methods and practices more effectively.

Overall, the drafting of Bill C-27 seems to have been based on the best regulatory practices of Canada's many commercial partners who have already adopted legislation against spam and its harmful consequences.

As you undoubtedly know, the effectiveness of any legislation depends on its enforcement. As such, additional resources must necessarily be provided along with any new statutory provisions. Furthermore, this draft legislation calls for increased coordination among existing agencies named in the bill and involves the creation of a national coordination centre to monitor and report on the law's effectiveness, to support national and international cooperation, to work with industry to analyze trends in electronic threats and to develop awareness and education programs.

Finally, there is one element which needs the attention of parliamentarians and of the Government of Canada. Canadian consumers need a simple and effective complaint mechanism.

The new legislation has made provision for establishing new monitoring and new electronic risk analysis mechanisms. These will help bolster consumer confidence in electronic commerce and will help prevent potentially even more dangerous threats from developing.

Thank you very much.

Thank you, Mr. Chair.

My name is Chris Gray. I am the director of the Canadian Intellectual Property Council.

Appearing with me today is Jason Kee, a steering committee member with the CIPC. He is also the director of policy and legal affairs with the Entertainment Software Association of Canada.

It is a pleasure to be able to present the views of the Canadian Intellectual Property Council and our members on Bill C-27.

The CIPC was founded in 2008 under the authority of the Canadian Chamber of Commerce to unite businesses and press for an improved intellectual property rights regime in Canada. While our focus of late has been on the copyright consultations and seeking better border enforcement to fight counterfeit goods, we also need to monitor other legislation that could affect businesses, such as this one.

The CIPC and all in the business community support the notion of eliminating spam. As we all know, spam is a nuisance to almost everyone. For a business, especially a small business, it can slow down legitimate business practices and it takes time to delete. However, there are some concerns about Bill C-27 that need to be addressed, and we're pleased that the committee is taking the time to get it right and consider amendments to the legislation that will make it acceptable to all.

Working with the Canadian Chamber of Commerce and other business associations, we've submitted amendments to the committee members for consideration. While we support the bill's objective of deterring the most dangerous forms of spam, such as phishing and malware, that discourage reliance on electronic means of carrying out commercial activities, we can't support the bill as currently drafted.

This new Electronic Commerce Protection Act may render thousands of commonly used computer applications illegal. It would submit Canadian businesses to potential fines of up to $10 million and potential civil action. This new bill would also amend the Personal Information Protection and Electronic Documents Act to submit Canadian businesses to civil suits relating to violations of the act. This bill would potentially prohibit the formation of new business relationships over the Internet or through e-mail. It would also severely limit the use of the Internet for the distribution of software and software updates.

I'm now going to turn this over to Jason to discuss some more specific concerns we have.

Thank you, Mr. Chairman. I am grateful to the committee members for allowing me to address you today concerning Bill C-27.

In addition to being the chair of the Canadian Association of Internet Providers for the last nine years, I have for almost 15 years been an Internet service provider in Cobourg, Ontario. I've been involved with the problem of unsolicited commercial e-mail, or spam, since it was first recognized as having the potential to cause harm and cost organizations and individuals millions of dollars each year to combat.

In 2004 I was invited to be a member of the ministerial task force on spam. In 12 short months we developed a tool kit approach to combatting spam, and the recommendations we presented to the Minister of Industry in May 2005 have been adopted by many nations around the world.

While junk e-mail is by far the most prevalent of online ailments facing Internet users, the Electronic Commerce Protection Act also recognizes that a seemingly benign e-mail message is often the precursor of greater viruses, such as Trojan horse programs, identity theft, fraud, and other criminal activity.

CAIP has several areas of concern that I'd like to bring forward today. Most of these are focused on enforcement. We are happy that the oversight of the ECPA will rest with Industry Canada. In my opinion, there isn't another department within the Government of Canada that has the experience with electronic communications that Industry Canada has. Our first concern regarding enforcement, however, lies in the enforcement agencies named in Bill C-27. While the chosen agencies have had some influence in electronic communications in the past, the will or ability to enforce their individual mandates has at times not been effective. In some instances, they have lacked the tools, mandate, or resources needed; in other instances, they simply failed to apply the tools at their disposal.

Our primary concern in this regard is with the Canadian Radio-television and Telecommunications Commission. We realize that a new function within the CRTC is being developed to accommodate this new mandate. But given the commission's adversity to enforcement of decisions and orders under its traditional telecom mandate, we have reservations regarding the willingness of the commission to exercise its new powers under Bill C-27. Despite precedent, it is my hope that these fears will not be realized and that the CRTC will gain a new appreciation of the powers bestowed upon it.

We have fewer concerns with the role played by the Office of the Privacy Commissioner and the Competition Bureau. In fact, we're pleased that their mandates have been reinforced with additional clarity, tools, and resources through Bill C-27 and other legislation. Certainly, the privacy commissioner has shown significant leadership in combatting spam to date, and the Competition Bureau has long been the watchdog consumers could turn to regarding deceptive marketing and truth in advertising. We trust that through the focus on spam that Bill C-27 provides, the leadership will continue.

With multiple enforcement agencies, however, there can come multiple agendas. In this instance, there can be no turf wars if we want Bill C-27 to be successful. The bill quickly gained legs because parliamentarians of all stripes saw value in the effort and benefits in the outcome. Our enforcement agencies must keep this example in mind as they undertake their new duties to protect Canadians online.

CAIP would like to suggest that the three agencies consider developing a trilateral task force to implement and manage their new responsibilities, rather than attempting to work in isolation. The benefit of this approach would be a reduction in duplicative efforts, more timely and effective management of complaints, better coordination of information exchanged between agencies, better use of investigative resources, and better use of financial resources.

Our second concern over enforcement has to do with the coordination of international efforts. To be effective, coordination must go beyond these hallowed halls and beyond this country. Electronic crimes know no boundaries—their perpetrators do not respect international borders. Cyber criminals do not work nine to five in the eastern time zone—they're international in scope, plying their trade 24/7, 365 days a year. Fortunately, by many estimates there are only a few ardent spamming operations in the world. Unfortunately, they operate simultaneously in many countries in nearly every continent, using unwitting Internet users as their pawns.

Despite being one of the first nations to develop a tool-kit approach to dealing with spam, we are one of the last major economies to fully implement a spam strategy based on the recommendations of the task force. The countries that have adopted these recommendations have gained expertise and developed resources capable of benefitting Canada.

The ECPA permits Canadian enforcement agencies to exchange information with other like-minded international agencies. We'd encourage the agencies to seize this opportunity and exploit the international expertise available to them in fulfilling their mandates. Because Canada is a relatively small source of spam, it is only through open and coordinated cooperation with other like-minded international enforcement agencies that we will be able to make progress in the control of spam.

Our third concern over enforcement is in the delivery of an appropriate and measured response when dealing with offenders. It would be our hope that legitimate Canadian business owners who make honest mistakes in deploying their online marketing strategy don't become the target of overzealous enforcement simply because they are the low-hanging fruit and easy to identify. It's the egregious spammer and nefarious e-mailer for hire that we hope will be the target of enforcement.

Rather than accumulating quick numbers and claiming great success by pursuing SMBs, we would encourage all three enforcement agencies and Industry Canada to undertake a concerted business and consumer awareness campaign to educate Canadians about the ECPA. Education is far more effective and less expensive than the cost of enforcement.

Finally, there are several simple things to remember that we think will help in developing regulations that will successfully enable enforcement of the ECPA. One, focus on the egregious perpetrators. Two, focus on the intent of the action, not necessarily the action itself. Three, focus on well-defined activities deemed to be dangerous, while at the same time providing the ability to expand those defined activities as technology changes. Four, focus on education of e-mail marketing etiquette. Five, focus on the use of enforcement as a measured and targeted tool based on the harm caused, not the inconvenience perceived. Six, adopt the best practices in legislation, regulation, and enforcement of other jurisdictions. Seven, develop a legislative and enforcement response that protects Canadians and doesn't burden them with unnecessary red tape and confusion in pursuing justice. And finally, develop a legislative and enforcement response that doesn't create criminals or create financial burden when there was no intent to defraud or harm.

Thank you.

Thank you very much, Mr. Chairman.

Thank you for inviting me to testify at this hearing on this very important topic and on this most excellent bill.

On behalf of Amazon.ca, let me add my voice to the chorus of praise, congratulations, gratitude, and support for your work on this matter and for Bill C-27.

I could easily spend my five minutes complimenting various features of the bill, but I believe my appearance here will be more valuable to you and your committee if I may suggest two areas for improvement with modest changes.

The first area is with respect to the consequences of honest mistakes. We have long said that honest e-mail mistakes should not be punished; that problem spammers wilfully and intentionally spam; and that reputable companies should be able to e-mail their customers without fear of legal retribution for honest mistakes. The market already provides very strong disincentives. Honest mistakes also aren't the source of the real spam problem; our e-mail boxes aren't barraged with messages from companies that accidentally sent them. Again, problem spammers wilfully and intentionally spam.

This is already recognized implicitly in Bill C-27, the purpose of which is “to promote compliance with the act, not to punish”. It's also somewhat more explicitly recognized in the defence sections of the bill, proposed subsections 33(1) and 54(1).

At your June 18 hearings, CRTC Chairman von Finckenstein said the question of whether someone should be fined will be answered considering whether there was a “wilful breach” of the law. To make the bill clearly state the chairman's understanding, with which I agree, I suggest that proposed subsections 20(1) and 51(1) be amended so that only those who have wilfully contravened the act are subject to fines or damages. At the very least, the bill should be clarified in the defence sections using the words of Senator Goldstein's bill, Senate Bill 202, in section 22: “A person shall not be found to be liable for a violation...or if the violation was due to inadvertence or based on an honest mistake of fact.”

These simple changes, courtesy of Senator Goldstein's wise drafting, would go a long way to clarifying in Bill C-27 the consequences of honest mistakes.

The other area that could use improvement is with respect to the duration of implied consent based on purchase. In Bill C-27, implied consent based on a purchase would expire after only 18 months. We believe that in the best interests of consumers, this period is much too short. First of all--and this is not a criticism, mind you--18 months is arbitrary, as already has been acknowledged before this committee. It's not a magic number, demonstrably different from 17 or 20 months, or 36 months. But most importantly, 18 months is much too short. It is not in line with consumer expectations and customer-friendly practices. Two obvious areas are: first, the production cycles--particularly for creators, such as authors and bands--can be much longer than 18 months. Joan Thomas won the most recent Amazon.ca First Novel Award for her book Reading by Lightning. Shouldn't consumers who bought this book be notified of her next book, even if it takes her many years to write it?

Likewise, product life cycles--for example, cars, headphones, computers--are often much longer than 18 months. Consumers expect notifications about new works or replacement products at the appropriate time, not at 17 and a half months. So from a consumer perspective, indefinite duration of this implied consent would be best. A limited period actually could increase commercial e-mail. Sellers may rush to beat an artificial deadline, causing a barrage of e-mail at 17 and a half months.

It's also hard to believe that limited-duration implied consent would make much difference. Our in-boxes are not full based on purchases in the distant past, and for the rare exceptions, consumers may opt out or block. If we must have limited-duration implied consent based on a purchase, five to seven years would be best for consumers in order to take into account production cycles and product life cycles.

I look forward to your questions.

Thank you again, Mr. Chairman.

Thank you, Mr. Chair.

My name is John Lawford. I am counsel with the Public Interest Advocacy Centre. With me is Janet Lo, also counsel.

PIAC has been deeply involved for many years with the efforts to regulate commercial electronic messages--that is, spam--and the Personal Information Protection and Electronic Documents Act from a consumer perspective. We therefore are here to give you that perspective on Bill C-27.

Make no mistake about it, Bill C-27, the Electronic Commerce Protection Act, is intended to empower consumers, to empower them to take control of their electronic mail and to take control of their computers. In this way, it is hoped that spam and spyware, fraud such as phishing and the like that is delivered with this manner, can be greatly curtailed. And under this bill, with this focus on consumer empowerment, it can.

Based on this underlying belief in the legislation, we wish to make three basic points to the committee and mention three possible amendments to the bill.

The first basic point is that under the ECPA as drafted, an individual's personal consent, explicit in most cases and implicit only for limited exceptions, is required before an organization or individual can send them a commercial e-mail. This is the only effective way to stem the tide of spam. Exceptions from this requirement for certain senders or an enlargement of the implied consent standard should be strongly resisted by the committee.

Some of the presenters to the committee have expressed concerns that the requirement for explicit consent to receive commercial e-mail is too onerous or would be unworkable. PIAC cautions that the general requirement of explicit consent underpins the entire structure of the bill. It is only by clearly--that is, explicitly and with solid proof--requiring a person's verifiable consent to receive commercial e-mail that the tide of unwanted commercial messages can ever be truly controlled.

Marketers gain advantage from assuming consent, which is possible under an implicit consent model, as their only goal is to simply deliver the messages, leaving the work and time invested in sorting out what is relevant or what is spam to the individual. As we all know, it is the incessant time-wasting triage of e-mails from hundreds and thousands of uncoordinated marketers using this lazy technique that creates the problem of spam.

The existing business relationship exemption for implicit consent allows a wide scope for commercial contact with consumers by e-mail. Every customer of every business is deemed to consent to receiving e-mail from that business unless they go to the trouble of unsubscribing. This exemption provides businesses numerous opportunities to seek and obtain explicit consent and provides for a long tail of 18 months after dealings with that customer to again obtain explicit consent for future e-mail solicitations. We know that this time period is equal to that allowed under the national “do not call” list for the same purpose.

The second basic point is that as drafted under this bill, there is no business-to-business exemption from the explicit consent requirement, it is true, unless the e-mail otherwise falls within that existing business relationship implied consent exemption. That is, businesses under this bill may not seek out new business by sending unsolicited commercial e-mail to other businesses or consumers that they do not actively do business with, period. This practice may well be the norm in the business world and in certain industries, especially banking or insurance, which may rely on referrals, where the recipient has no relationship with the sender, but that is not permitted at the moment. We believe that is as it should be. These are, in our view, unsolicited commercial e-mails that are just as annoying and productivity-killing for people in the workplace environment as they are for consumers at home.

We note here that under the national “do not call” list, referrals are also not allowed.

Should this committee absolutely want to have a business-to-business exemption for prospecting for new business or for referrals, we recommend that the business-to-business exempted e-mails also be required to follow the same rules as are laid out in subclause 6(2). That is, the e-mail must have information on the sender and the unsubscribing mechanism.

The third point is the private right of action. We feel that the private right of action must be maintained in order to protect consumers intended to be empowered by this legislation. The private right of action will only be used in egregious cases. We note that if the company is fined or is complying with an undertaking, consumers cannot bring an action for statutory damages. Therefore, this provision likely will only be used in cases where consumers suffer actual loss or damage, which they normally would be able to sue for anyway, or when there's a serious matter of interpretation of the legislation and the CRTC has refused to issue a notice of violation.

Courts are best placed to determine the interpretation of the act and whether actual loss has occurred. However, what is missing in that private right of action, we note, is a provision that protects companies from being able to contract out of this right.

We therefore recommend to the committee that they consider a provision modelled on sections 6 to 8 of the Ontario Consumer Protection Act, 2002, which does that as well. I have three possible amendments for the committee.

The first one is that we do believe the penalities involved in the bill on the e-mail side may be too high. We've heard that today. We suggest that they be brought into line with those for the national “do not call” legislation. They do not need to be terrorizingly high; they just need to be effective.

The second amendment is that the installation of software when there is implicit or explicit consent requires a transparency section that is parallel to that for e-mail, which is now found in subclause 6(2). There is subclause10(2) of the present bill, which requires the software supplier for spyware to describe clearly and simply the function, purpose, and impact of every computer program that is installed. However, that's not parallel to subclause 6(2). It doesn't tell you which company, and it doesn't tell you how to contact them. As well, it doesn't give you information about how to unsubscribe, and in this context that would be how to get off of automatic updates in the future. PIAC studied spyware in 2006 and issued a report at that time. We have further recommendations for the legislation that could go into the regulations with regard to more spyware requirements.

Our last amendment is to repeal the bill's potential to remove the national “do not call” list. Therefore, we agree with the Canadian Marketing Association that clauses 64 and 86 would be removed from this bill. We agree with them because we feel that the national “do not call” list needs time, and that the Electronic Commerce Protection Act approach is necessary for spam but will not work for telemarketing and vice versa.

Those are our comments. Merci.