Thank you for providing CIPPIC with this opportunity to offer you our submissions.
We're a technology law clinic at the Faculty of Law at the University of Ottawa. Our mandate is to ensure balance in policy and law-making processes by representing under-represented interests and perspectives on issues that arise at the intersection of law and technology, so you might guess why this legislation interests us.
We were established in the fall of 2003, and since that time we've advocated for a legislative regime that addresses spam, phishing, spyware and malware. Our advocacy has included making contributions to the Task Force on Spam, offering submissions to Senate and House committees on identity theft, and participating as a member of the Anti-Spyware Coalition, a coalition of business and consumer advocates working together to address the challenges of potentially unwanted technologies such as spyware. All of this is very pertinent to the work this committee is doing and the bill before you.
We have a lot to say about this bill. I'm going to try to reduce it four areas, though I'd be happy to take questions about anything you have on your minds about this legislation.
First, I want to talk about the purpose of the legislation. Second, I want to talk about challenges to the consent principle. Third, I want to address the central importance of the private right of action. And finally, I want to talk about something I haven't heard a great deal of discussion of before the committee, namely, some fundamental changes to PIPEDA's central investigatory power.
First, on the purpose of the legislation, many of the criticisms we've heard of this legislation suggest that it goes too far and that it's not tailored to reducing harm. With respect, these challenges misstate the objective of the legislation. The objective is to establish accountability for sending unsolicited commercial e-mail.
E-mail is directed at more than just fraud and deception. This legislation is about more than phishing and Viagra ads, right? It's also about promoting commerce. It's about the cost imposed by spam on all Canadians, Canadian consumers, and Canadian businesses. Even commercial e-mail imposes efficiency and productivity drains on us. After all, we call such e-mail, when unwanted, spam. At bottom, it's about enhancing the ability of telecommunications tools to promote efficiency within the Canadian economy more broadly, or to enhance productivity within Canadian businesses more broadly. That's the focus. Keep that in mind. That's the harm we're trying to avoid.
This committee heard earlier from the Coalition Against Unsolicited Commercial Email about the costs of spam, estimated to be about $300 per employee in lost productivity. That's the focus. This legislation aims at establishing accountability for spam; it's aimed at reclaiming control over the inbox and restoring the utility of e-mail and other electronic communications as productive tools that promote commerce.
Second, on challenges to the consent principle, we've seen claims that the nature of the consent required by the bill is too vague. Frankly, we don't see any merit in those claims. Our experience with PIPEDA, our federal privacy legislation, suggests that businesses can work with opt-in mechanism. The circumstances under which explicit consent may be done away with are clear, in our view. To the extent we need to address these things, we can address them by regulation.
And finally, we argue that the availability of a due diligence defence further assists businesses in addressing consent issues.
On the central importance of the private right of action, having mentioned PIPEDA, I need to stress that PIPEDA alone is insufficient to address the behaviour targeted by this legislation. In particular, the private right of action is essential to the functioning of this law. The harms associated with spam and spyware are cumulative. The harms here are many small ones, repeated often. The ability of consumers to band together and businesses to band together to address noxious behaviour is essential to address these kinds of cumulative harms. Gutting the private right of action guts the bill. This tortious behaviour is not something that a serious harm standard advanced by some can address.
And finally, there is the issue of changes to PIPEDA's central investigatory power. Frankly, we're greatly alarmed by the sweeping revisions to the framework of PIPEDA proposed in this bill. This legislative change has nothing to do with spam or spyware; it's a fundamental revision of the complaints-based framework of PIPEDA itself. And there are many problems with PIPEDA from a consumer perspective, but the mandatory nature of investigations of complaints by the Office of the Privacy Commissioner is not one of them.
We'd ask that this section be removed from this bill and placed in other legislation, along with other amendments of PIPEDA that are pending further to the five-year review of the statute. That's where that kind of framework amendment belongs, not in this bill, not tailing along in this bill. The fact that you've heard so little about this suggests the merit of that claim.
If this provision is left in, we would suggest that you limit it to granting the discretion the Privacy Commissioner seeks in respect only of the subject matter otherwise addressed in this bill: spam, malware, etc. And if it is to be left in, and of general application, we would suggest that it needs to be narrowly tailored to address the specific concerns raised by the Office of the Privacy Commissioner of Canada, such as frivolous and vexatious complaints.
With respect, our view is that the discretion being granted is just too broad.
Thank you. We'd be happy to address any questions you might have.