Thank you, Mr. Chair. Thanks for the invitation to come and speak.
My name, as you heard, is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I'm also a syndicated weekly columnist on law and technology issues for the Toronto Star and the Ottawa Citizen, and I was a member of the national task force on spam that was struck by the Minister of Industry at the time, in 2004. I served on the board of directors of the Canadian Internet Registration Authority, CIRA, for six years. I currently serve on the Privacy Commissioner of Canada's advisory committee. However, I appear today strictly in my personal capacity, representing my own views.
The introduction of Bill C-27 represents the culmination of years of effort to address concerns that Canada is rapidly emerging as a spam haven. I don't think I have to convince you that spam is a problem, whether it's the cost borne by consumers, schools, businesses, and hospitals in dealing with unwanted e-mail, or the shaken confidence of online banking customers who receive phished e-mail. There is a real need to address the problem.
I think we all know that Bill C-27 isn't going to eradicate the problem, but no country can do that alone. But I think it will finally help to clean up our backyard.
Members of this committee have noted that this is broad legislation that extends beyond just spam. I'd like to submit that this is a feature, not a bug. With much talk of the need for a national digital strategy, I think Bill C-27 fits nicely within that framework, providing much-needed consumer protection for electronic commerce. It's fair to say that the spam task force members recognize the need to address the broader issues towards the end of our mandate and that the steps in this bill are consistent with our recommendations.
While the legislation is broad, it's important to emphasize that the exceptions are broad as well. There are three exceptions, in particular, that I want to point to.
The first exception is consent. Under this law consent trumps all. Indeed, any business or any organization can do anything it likes with respect to electronic marketing or software installation as long as it obtains consent. Now, there are some rules around that consent--form requirements for electronic marketing, disclosure requirements for the software--but I don't think it's an onerous obligation. In fact, whenever a potential concern is raised, and I know that some have been, the first question to ask is, “Why is obtaining consent unreasonable in those circumstances?” Is it unreasonable to ask someone to obtain consent before installing a software program on my computer? Or is it unreasonable to obtain consent before sending me a commercial e-mail about a house sale or about a product or a service? I think in almost every instance the answer is no, that consent is a reasonable requirement.
Moreover, it's not an uncommon requirement, as other laws have adopted the same opt-in consent model. Australia and New Zealand both have opt-in models, and Japan actually switched from an opt-out model to an opt-in model when they found that their opt-out model didn't work.
Secondly, there is a business-to-business exception, as you know. I've heard some claims that this legislation will hamper business as it seeks to use e-mail to promote its products and services to other businesses. The reality is that the legislation contains a business-to-business exception, paragraph 6.(5)(b). I think many of those concerns are unwarranted.
And finally, there are the consumer exceptions. These are pretty broad--in fact, arguably too broad. They mirror, for the most part, the exceptions that we find in the national do-not-call list. I think there are many people who argue that those exceptions already go too far.
Consider, for example, the business-to-consumer exception that covers eighteen months for existing customers and six months for non-customers who merely make an inquiry. So think about what that means. Somebody makes an inquiry with a long-distance provider about one of their plans or contacts a hotel to see if they have room availability and they are then subjected to six months of electronic messages under the guise that this is now implied consent. I think it's reasonable to ask why a business should be entitled to contact a consumer for six months without any further consent merely because the consumer has made a single inquiry.
My point here is that the net of the legislation may be broad, but so too are the exceptions that will continue to permit commercial activity. Some businesses may argue that it goes too far, and some consumers may believe it doesn't go far enough. Perhaps that's a sign that an appropriate balance has been struck.
Let me quickly talk about how these principles apply to several of the criticisms that I saw highlighted earlier this week. I know jurisdiction was raised. And jurisdiction, as you know, covers connections with Canada, including the routing of a message through Canada. This approach merely builds on existing jurisdictional law in Canada with respect to a real and substantial connection. If a message fleetingly enters Canada, I suspect that the test would not be met of a real and substantial connection and it's a non-issue from a liability perspective.
With respect to software updates, as I referenced earlier, it seems perfectly reasonable to expect a software vendor to obtain consent from an end user before installing anything on their personal computer and to tell them what they are about to install. To suggest otherwise would be to surrender control over their personal computer and to face the prospect of security breaches, as occurred in the fairly infamous Sony rootkit case.
Then there's the issue of real estate agent e-mails. As I'm sure many of you are aware, real estate scams are among the most common, with references to swampland in Florida being almost shorthand for the notion of fraudulent offers. Do we really want to exempt an entire area that suffers significantly from spam concerns?
Fourth, there's the issue of tough penalties, including the private right of action. I'd argue this is another feature of the legislation. The bill has tough penalties. The experience in countries such as Australia has been that anti-spam law only works if the penalties are sufficiently tough that you create some economic risk for spammers. Otherwise, they simply keep on doing what they're doing. In fact, there have been some lawsuits launched against Canadian spammers, but they've been launched elsewhere because Canadian law didn't measure up. I think we ought to fix that.
Are there any changes needed? I think there are at least two amendments I can point to. The first--and it was raised by this committee--is the prospect of a review provision. I think it's a fast-moving area, and mandated reviews make sense. The second involves the computer software consent provision. In the main, I think the provision gets it right. However, there may be a limited number of instances--the use of JavaScript on web pages comes to mind--where the provision could prove problematic. It's not easy to craft a rule that targets all the harms, the botnets, spyware, surreptitious installations, keystroke logging, while leaving behind the benign activities.
I'd suggest a small addition. I'm not a legislative drafter, but I would suggest essentially a subclause 10(3) that would allow for implied consent for certain types of computer programs where the person has consented to the installation of that type of program by way of their preferences in their web browser. In other words, if they've checked their preferences in their browser that will allow that form of program, then we ought to be able to take that as implied consent. That would cover off programs like Java and JavaScript, as those are typically addressed within web browser preferences.
Let me conclude with a warning against what I see as some lobbying efforts to water down what I see as reasonable standards found in this legislation. I'd note that we have seen this before; it's what took place with the do-not-call list. That bill started with good principles, faced intense lobbying and I think some scare tactics, and by the end of the process Canadians were left with a system that I think is now widely recognized as a failure, with some estimates saying that more than 80% of the calls that used to come continue to come, and with security breaches around the do-not-call list itself.
I think we must avoid a similar occurrence with respect to anti-spam legislation. Change in some business practices might be scary to some, but we can't allow scare tactics to dissuade you from moving forward with this much-needed legislation.
I look forward to your questions.