Industry Committee on June 11th, 2009

Thank you, Mr. Chair. Thanks for the invitation to come and speak.

My name, as you heard, is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I'm also a syndicated weekly columnist on law and technology issues for theToronto Star and the Ottawa Citizen, and I was a member of the national task force on spam that was struck by the Minister of Industry at the time, in 2004. I served on the board of directors of the Canadian Internet Registration Authority, CIRA, for six years. I currently serve on the Privacy Commissioner of Canada's advisory committee. However, I appear today strictly in my personal capacity, representing my own views.

The introduction of Bill C-27 represents the culmination of years of effort to address concerns that Canada is rapidly emerging as a spam haven. I don't think I have to convince you that spam is a problem, whether it's the cost borne by consumers, schools, businesses, and hospitals in dealing with unwanted e-mail, or the shaken confidence of online banking customers who receive phished e-mail. There is a real need to address the problem.

I think we all know that Bill C-27 isn't going to eradicate the problem, but no country can do that alone. But I think it will finally help to clean up our backyard.

Members of this committee have noted that this is broad legislation that extends beyond just spam. I'd like to submit that this is a feature, not a bug. With much talk of the need for a national digital strategy, I think Bill C-27 fits nicely within that framework, providing much-needed consumer protection for electronic commerce. It's fair to say that the spam task force members recognize the need to address the broader issues towards the end of our mandate and that the steps in this bill are consistent with our recommendations.

While the legislation is broad, it's important to emphasize that the exceptions are broad as well. There are three exceptions, in particular, that I want to point to.

The first exception is consent. Under this law consent trumps all. Indeed, any business or any organization can do anything it likes with respect to electronic marketing or software installation as long as it obtains consent. Now, there are some rules around that consent--form requirements for electronic marketing, disclosure requirements for the software--but I don't think it's an onerous obligation. In fact, whenever a potential concern is raised, and I know that some have been, the first question to ask is, “Why is obtaining consent unreasonable in those circumstances?” Is it unreasonable to ask someone to obtain consent before installing a software program on my computer? Or is it unreasonable to obtain consent before sending me a commercial e-mail about a house sale or about a product or a service? I think in almost every instance the answer is no, that consent is a reasonable requirement.

Moreover, it's not an uncommon requirement, as other laws have adopted the same opt-in consent model. Australia and New Zealand both have opt-in models, and Japan actually switched from an opt-out model to an opt-in model when they found that their opt-out model didn't work.

Secondly, there is a business-to-business exception, as you know. I've heard some claims that this legislation will hamper business as it seeks to use e-mail to promote its products and services to other businesses. The reality is that the legislation contains a business-to-business exception, paragraph 6.(5)(b). I think many of those concerns are unwarranted.

And finally, there are the consumer exceptions. These are pretty broad--in fact, arguably too broad. They mirror, for the most part, the exceptions that we find in the national do-not-call list. I think there are many people who argue that those exceptions already go too far.

Consider, for example, the business-to-consumer exception that covers eighteen months for existing customers and six months for non-customers who merely make an inquiry. So think about what that means. Somebody makes an inquiry with a long-distance provider about one of their plans or contacts a hotel to see if they have room availability and they are then subjected to six months of electronic messages under the guise that this is now implied consent. I think it's reasonable to ask why a business should be entitled to contact a consumer for six months without any further consent merely because the consumer has made a single inquiry.

My point here is that the net of the legislation may be broad, but so too are the exceptions that will continue to permit commercial activity. Some businesses may argue that it goes too far, and some consumers may believe it doesn't go far enough. Perhaps that's a sign that an appropriate balance has been struck.

Let me quickly talk about how these principles apply to several of the criticisms that I saw highlighted earlier this week. I know jurisdiction was raised. And jurisdiction, as you know, covers connections with Canada, including the routing of a message through Canada. This approach merely builds on existing jurisdictional law in Canada with respect to a real and substantial connection. If a message fleetingly enters Canada, I suspect that the test would not be met of a real and substantial connection and it's a non-issue from a liability perspective.

With respect to software updates, as I referenced earlier, it seems perfectly reasonable to expect a software vendor to obtain consent from an end user before installing anything on their personal computer and to tell them what they are about to install. To suggest otherwise would be to surrender control over their personal computer and to face the prospect of security breaches, as occurred in the fairly infamous Sony rootkit case.

Then there's the issue of real estate agent e-mails. As I'm sure many of you are aware, real estate scams are among the most common, with references to swampland in Florida being almost shorthand for the notion of fraudulent offers. Do we really want to exempt an entire area that suffers significantly from spam concerns?

Fourth, there's the issue of tough penalties, including the private right of action. I'd argue this is another feature of the legislation. The bill has tough penalties. The experience in countries such as Australia has been that anti-spam law only works if the penalties are sufficiently tough that you create some economic risk for spammers. Otherwise, they simply keep on doing what they're doing. In fact, there have been some lawsuits launched against Canadian spammers, but they've been launched elsewhere because Canadian law didn't measure up. I think we ought to fix that.

Are there any changes needed? I think there are at least two amendments I can point to. The first--and it was raised by this committee--is the prospect of a review provision. I think it's a fast-moving area, and mandated reviews make sense. The second involves the computer software consent provision. In the main, I think the provision gets it right. However, there may be a limited number of instances--the use of Java script on web pages comes to mind--where the provision could prove problematic. It's not easy to craft a rule that targets all the harms, the botnets, spyware, surreptitious installations, keystroke logging, while leaving behind the benign activities.

I'd suggest a small addition. I'm not a legislative drafter, but I would suggest essentially a subclause 10(3) that would allow for implied consent for certain types of computer programs where the person has consented to the installation of that type of program by way of their preferences in their web browser. In other words, if they've checked their preferences in their browser that will allow that form of program, then we ought to be able to take that as implied consent. That would cover off programs like Java and Java script, as those are typically addressed within web browser preferences.

Let me conclude with a warning against what I see as some lobbying efforts to water down what I see as reasonable standards found in this legislation. I'd note that we have seen this before; it's what took place with the do-not-call list. That bill started with good principles, faced intense lobbying and I think some scare tactics, and by the end of the process Canadians were left with a system that I think is now widely recognized as a failure, with some estimates saying that more than 80% of the calls that used to come continue to come, and with security breaches around the do-not-call list itself.

I think we must avoid a similar occurrence with respect to anti-spam legislation. Change in some business practices might be scary to some, but we can't allow scare tactics to dissuade you from moving forward with this much-needed legislation.

I look forward to your questions.

I wouldn't have described the exceptions as narrow, actually, but quite the opposite. I believe the exceptions are very broad, and that's perhaps an attempt to strike the right balance.

Sure.

With respect to Australia, respectfully, my reading is different. I have the Australian act in front of me, and it refers to commercial electronic messages in much the same way. I don't see a significant difference on the definitional side.

Part 2, subsection 16(1), of the Australian act says:

A person must not send, or cause to be sent, a commercial electronic message that...has an Australian link...and...is not a designated commercial electronic message.

Then you go into the definitions.

It frankly mirrors a lot of what we've done. I think it was noted by my colleague here that it's pretty clear Canada borrowed fairly heavily from the legislation you find in other countries. So I actually don't see the first premise; I don't see that focus on direct marketing the way that you suggested. I see statutes that talk about commercial electronic messages in much the same way we do.

Then you get into this other basket. As I mentioned off the top, everything is permitted; there's nothing that you can't do. The only question is whether or not you have to get someone's consent in order to do it. The exceptions we're talking about—the notion of a business, for 18 months after they have an actual relationship, or six months after an enquiry, or political parties, or charities, and all these other exceptions—are exceptions to the notion that they don't even need to get that.

That strikes me as providing pretty wide latitude. All a business has to do in every one of these circumstances is get consent from the customer; then they're okay.

Then you get into the second basket, where you say “I don't want to get consent from the customer”, and we're still giving them quite a wide berth to continue to market to consumers.

I know that under “do not call”, educational institutions have fallen under charitable organizations, so they might well fall under the same here.

That's right, but our bill—I'll try to find the specific section—contains an exception for, I believe, registered charities. To my knowledge, just about every single university, for example, that might want to contact an alumnus is a registered charity. I know that's the approach under “do not call” that's being taken by all of those organizations.

That's right.

I think that direct marketing is a part of that, maybe a subset of electronic commerce, direct marketing being more by way of an e-mailed, targeted conversation with an individual and electronic commerce looking more into social networking, IM, and voice over IP. It's a portion of, rather than the whole.

My understanding is that in Utah you had widespread abuse or attempted abuse of that provision. I think it was prisoners who were sending messages and then hoping to use that as an opportunity to file suit.

While I recognize that this seems like a concern, the experience we've seen in Canada is that our litigation environment is quite different from that in the United States. Things such as costs are different. Filing frivolous suits under a private right of action could well leave someone facing some of their own court costs, if they were to do that. We already have some disincentives built into the process.

When we look at the overall picture and at the number of large players who have wanted to target some of the Canadian-based spammers we have heard about, we see that they have been clearly unable to do so in Canada. Indeed, in the Facebook example—and we have seen it in other cases too—they have had to sue under U.S. law against Canadian-based spammers, because of the absence of legislation to deal with it here.

No, and I'm sorry if I wasn't sufficiently clear. I'm supportive of Bill C-27. My concern lies with the potential to water down the legislation. I think it does a pretty good job of striking the balance, and my fear is that some of the concerns, many of which I think are not valid once you take a look at the legislation, will result in a weakening of the legislation itself.

So I'm supportive, and supportive in much the form in which we see it now.

It's a great question. I think in some ways there are already frameworks in place to deal with many of these international issues. Canada has been a participant in them. Even dating back to when we were sitting as a spam task force, groups called the London Action Plan were bringing together various countries in an effort to deal with it. In fact, in many ways, that really highlighted how Canada was trailing behind many of our trading partners in our peer countries in not moving forward with legislation.

In some ways, we already have some of that framework in place, whether it's through the OECD or the London Action Plan or some of the groups these gentlemen are involved with. There are already those linkages. What has been missing is the legislative piece. One would hope that some of the people who through Industry Canada and otherwise have been actively involved would continue to be involved, because we already have many of those linkages with similarly placed authorities in other countries.