Industry Committee on June 11th, 2009

I think there are still a lot of options in this regard. In fact, when I'm asked to make a connection with someone in this kind of context or other sorts of contexts, my approach, partly because I'm concerned about the privacy of the individual, is to send the person who's made that request the contact information and say, “You ought to contact this person.” I often might send a similar e-mail to the person who they might be contacting, saying, “Keep an eye out for a message from my friend who might be contacting you.”

In that case, the person who wants to make that connection with the real estate agent is making the contact directly. There are no issues whatsoever. I actually think that's the healthier way of approaching this. I'm not handing out my friend's e-mail to all sorts of commercial entities. Instead, the person is able to contact them directly.

Of course, there are still other ways to market or to get that initial consent from that individual. That real estate agent can pick up the phone, assuming the individual is not on the do-not-call list, and make a phone call if they want. However, because we've seen people's personal information misused at times, I think the better approach in terms of how we make those kinds of business connections is to actually put the control in the hands of the individual who wants that service. Let them reach out to your real estate agent and let me provide them with the information they need to be able to do that.

Yes.

Well, I actually think the legislation does deal with this in part, because there is, as I mentioned, the business-to-business exception. I'll tell you that when I launched my spam complaint, it also happened to be against a sports team. It was against the Ottawa Renegades, the old CFL team, not that they were spammers, but they kept sending me these messages. They lifted my address off the university's directory.

I found it interesting to note that the university took the position that this was the university's commercial e-mail address. Now, there is an exception for true business-to-business e-mail, where it is directly related to the business itself. If someone was trying to send Mr. Lake a message that was about a hockey trade, tickets, or something like that, that's directly related, and you're okay. When they're trying to sell something else entirely, the business-to-business exception doesn't apply and that would be a violation.

I actually think the law does a pretty good job, especially when we're dealing with businesses and publicly available addresses, of trying to address the instances when there is legitimate business-to-business e-mail, which can continue to happen, as opposed to the spam or the outside messages, which would now fall into the spam category.

No. There's been an ongoing issue in Canada as to whether or not e-mail addresses are themselves personally identifiable information. At a provincial level, there actually have been some attempts to exclude that, but federally, until we change the law, they are treated as personally identifiable and thus subject to the same kinds of privacy protections as other personal information.

I'm going to repeat this. As long as you understand that there's a huge, massive exception, get consent. All of this is permitted as long as you obtain consent. We are now only in that basket where someone hasn't actually obtained the person's consent in the first place. They don't really know whether the person wants to get this information. In every other instance where the person has actually given them consent, it's fair game, and they can do whatever they like. So we're only in that particular basket.

The question is whether in that basket this is more narrowly constructed than PIPEDA, and the answer is yes. I would argue that is an absolutely good thing. What we have seen not just here, but in other countries as well where you adopt what is effectively an opt-out approach--one where you can imply consent in a broad number of situations--is that doing so opens you up to a torrent of potential abuse and misuse of what is seen to be consent. Here's where the rubber hits the road. When we went to various enforcement agencies and said we wanted them to take on a case, they were only going to take on a case that they thought was a slam-dunk case. If there was any kind of doubt about this, they were worried about taking that kind of case on.

Leaving aside the fact that we have this big huge honking “express consent” that covers everything, if you expand that so that almost anything is “implied”, you're going to hamstring the regulators and enforcers who are going to look at this and say the other side is saying “we think we could have implied consent in that circumstance” and you're left with no action at all.

I admit that I think there's ample reason for some skepticism as to whether it will be enforced as effectively as it can be, at least on paper. I think that's one reason why a private right of action is a good thing, because it actually does allow the private sector to pick up the slack if we don't get the kind of action we want from the enforcement agencies.

I think the other thing is that one would hope that putting in the right resources and having very clear legislation would send a very strong message.

But you're right. At least with respect, in my view, to the CRTC and the do-not-call list, the track record isn't great, and once again we are putting a lot of responsibility on their shoulders to enforce this law.

There's the potential for that. The concern has actually been the opposite. My understanding is that there have been a number of instances in which there have been international investigations with a Canadian component, and there have been concerns as to whether or not Canadian authorities could cooperate and hold up their end of the bargain. It's been less about trying to go after true Canadian-based spammers and more about ensuring that Canada doesn't ultimately become a barrier to international spam investigations because the agencies that have certain information aren't empowered to share it with their counterparts in other countries.

I think we could attempt to do that.

Go ahead.

I do.

Outside of the governments of the world coming together, I think you're starting to see organizations such as the Messaging Anti-Abuse Working Group, with ISPs, ESPs, and private anti-spam organizations working together to really sort of push the envelope and ask how they as organizations can raise the bar where government falls short, and how can they prevent abuse from their own networks, or abuse coming into their networks. They're really working from the business side on how we can prevent that.

With the help of government, obviously, they're going to be able to take action. What you'll see then is that the cottage industry spammer, the small guy sitting in his basement sending SPAM, will disappear. That's what Australia saw. They'll disappear overnight because they're worried about huge lawsuits.

Where you have the problem is with these large organizations. There's the Canadian Pharmacy spamming, where the Canadian organization has now moved out of Canada but still spams in Canada, still uses the Canadian Pharmacy branding, and still sends products that don't work. But there's no action. We can't do anything about it, because they've moved to other countries or they've moved outside of the borders where this stuff's enforceable because they're worried about the types of actions that can be taken against them.

Right.

Why don't you guys answer this too?

My own view is that we often try to get away from some of these definitional issues because early on we would have some of these discussions and spend half a day talking about what your definition is. It wasn't particularly productive, because the real focus was on where the harms are and what kinds of standards we want to set for what's acceptable and appropriate commercial marketing.

The legislation is obviously focused exclusively on the commercial side, and there's good reason for that from a constitutional perspective, I believe, but in terms of trying to ask if this is spam or unsolicited commercial e-mail, you could get a dozen people in here and everyone would give you a different answer in terms of how they define it.