Industry Committee on Sept. 28th, 2009

I would be totally fine with it being done in regulation, sir.

Thank you for providing CIPPIC with this opportunity to offer you our submissions.

We're a technology law clinic at the Faculty of Law at the University of Ottawa. Our mandate is to ensure balance in policy and law-making processes by representing under-represented interests and perspectives on issues that arise at the intersection of law and technology, so you might guess why this legislation interests us.

We were established in the fall of 2003, and since that time we've advocated for a legislative regime that addresses spam, phishing, spyware and malware. Our advocacy has included making contributions to the Task Force on Spam, offering submissions to Senate and House committees on identity theft, and participating as a member of the Anti-Spyware Coalition, a coalition of business and consumer advocates working together to address the challenges of potentially unwanted technologies such as spyware. All of this is very pertinent to the work this committee is doing and the bill before you.

We have a lot to say about this bill. I'm going to try to reduce it four areas, though I'd be happy to take questions about anything you have on your minds about this legislation.

First, I want to talk about the purpose of the legislation. Second, I want to talk about challenges to the consent principle. Third, I want to address the central importance of the private right of action. And finally, I want to talk about something I haven't heard a great deal of discussion of before the committee, namely, some fundamental changes to PIPEDA's central investigatory power.

First, on the purpose of the legislation, many of the criticisms we've heard of this legislation suggest that it goes too far and that it's not tailored to reducing harm. With respect, these challenges misstate the objective of the legislation. The objective is to establish accountability for sending unsolicited commercial e-mail.

E-mail is directed at more than just fraud and deception. This legislation is about more than phishing and Viagra ads, right? It's also about promoting commerce. It's about the cost imposed by spam on all Canadians, Canadian consumers, and Canadian businesses. Even commercial e-mail imposes efficiency and productivity drains on us. After all, we call such e-mail, when unwanted, spam. At bottom, it's about enhancing the ability of telecommunications tools to promote efficiency within the Canadian economy more broadly, or to enhance productivity within Canadian businesses more broadly. That's the focus. Keep that in mind. That's the harm we're trying to avoid.

This committee heard earlier from the Coalition Against Unsolicited Commercial Email about the costs of spam, estimated to be about $300 per employee in lost productivity. That's the focus. This legislation aims at establishing accountability for spam; it's aimed at reclaiming control over the inbox and restoring the utility of e-mail and other electronic communications as productive tools that promote commerce.

Second, on challenges to the consent principle, we've seen claims that the nature of the consent required by the bill is too vague. Frankly, we don't see any merit in those claims. Our experience with PIPEDA, our federal privacy legislation, suggests that businesses can work with opt-in mechanism. The circumstances under which explicit consent may be done away with are clear, in our view. To the extent we need to address these things, we can address them by regulation.

And finally, we argue that the availability of a due diligence defence further assists businesses in addressing consent issues.

On the central importance of the private right of action, having mentioned PIPEDA, I need to stress that PIPEDA alone is insufficient to address the behaviour targeted by this legislation. In particular, the private right of action is essential to the functioning of this law. The harms associated with spam and spyware are cumulative. The harms here are many small ones, repeated often. The ability of consumers to band together and businesses to band together to address noxious behaviour is essential to address these kinds of cumulative harms. Gutting the private right of action guts the bill. This tortious behaviour is not something that a serious harm standard advanced by some can address.

And finally, there is the issue of changes to PIPEDA's central investigatory power. Frankly, we're greatly alarmed by the sweeping revisions to the framework of PIPEDA proposed in this bill. This legislative change has nothing to do with spam or spyware; it's a fundamental revision of the complaints-based framework of PIPEDA itself. And there are many problems with PIPEDA from a consumer perspective, but the mandatory nature of investigations of complaints by the Office of the Privacy Commissioner is not one of them.

We'd ask that this section be removed from this bill and placed in other legislation, along with other amendments of PIPEDA that are pending further to the five-year review of the statute. That's where that kind of framework amendment belongs, not in this bill, not tailing along in this bill. The fact that you've heard so little about this suggests the merit of that claim.

If this provision is left in, we would suggest that you limit it to granting the discretion the Privacy Commissioner seeks in respect only of the subject matter otherwise addressed in this bill: spam, malware, etc. And if it is to be left in, and of general application, we would suggest that it needs to be narrowly tailored to address the specific concerns raised by the Office of the Privacy Commissioner of Canada, such as frivolous and vexatious complaints.

With respect, our view is that the discretion being granted is just too broad.

Thank you. We'd be happy to address any questions you might have.

Thank you, Mr. Chair.

I will start and then my colleagues will continue on.

I think you are all familiar with the Canadian Bar Association as a national association representing over 37,000 jurists across Canada. Amongst our objectives are the improvement of the law and the improvement of the administration of justice. It's with that optic that we have studied the bill in front of us today and we make the comments.

I should point out that both our privacy and access law section as well as our competition law section have analyzed the bill.

Mr. Fraser will address the general parts of the bill and then Mr. Alexander-Cook will look at the Competition Act aspects.

Thank you.

In addition to the concerns raised by Mr. Fraser, we have two concerns that relate specifically to the way in which Bill C-27 proposes to amend the Competition Act.

The first concern is, in essence, a concern about a single word, or at least a single phrase. It's only a single phrase, but we think you will agree that it's a very important one.

At clause 71 of the bill, added to the Competition Act is a new proposed section that provides for a criminal false and misleading representation offence that applies specifically to electronic messages. There's already a general false and misleading advertising provision in the Competition Act. This provides a very specific one.

This new proposed section would specifically prohibit sending an electronic message knowingly and recklessly with one or more of the following three features: either misleading or false header information, that is sender or subject matter information; content within the message that is false or misleading; or locator information that's false or misleading.

Our concern is that only in respect of one of those features is the important phrase “in a material respect” included. In all other prohibitions for false and misleading representations in the Competition Act, there is a qualifier.

The false or misleading representation has to be in a material respect. There is an important reason for that. We all make mistakes, and in fact, many people in business make what are actually false representations but which ought not to be pursued for false or misleading representations under the Competition Act. I can give you a very simple example.

Last week I sat on an expert panel at a conference where we considered environmental product marketing claims, including the following claim: “Save the planet, use our biodegradable shampoo”. We talked at length about this claim. One of the issues that were not raised was that “save the planet”, although it's obviously false in respect of the shampoo, was problematic under the Competition Act. It's considered playful puffery or hyperbole. Is it false? Yes, you're not going to save the planet by using this shampoo. Is it actionable under the Competition Act as a criminal or civilly reviewable offence? Not under the general provision. Would it be if it were included in the header of an e-mail? Under Bill C-27, arguably it would be. That's our first issue.

The second issue concerns the proposed lowering of the threshold that must be met under the Competition Act for a temporary order to be issued by a court in respect of any allegedly reviewable conduct under the act. That includes not just misleading advertising, but it includes tied selling, exclusive dealing, and a number of other pieces of conduct that businesses may or may not be engaged in.

Bill C-27, perhaps unaware to many on the committee, makes a fundamental change to the standard that must be observed by a judge in deciding whether to issue a temporary order to stop a representation from being made. It will not only apply to electronic message representations, but it will apply in respect of all of the conduct under the Competition Act to which it currently speaks. This is an over-breadth that, in our view, defies any real rational connection to this legislation.

Thanks very much.

Thank you, Mr. Chair.

My name is John Lawford. I am counsel with the Public Interest Advocacy Centre. With me is Janet Lo, also counsel.

PIAC has been deeply involved for many years with the efforts to regulate commercial electronic messages--that is, spam--and the Personal Information Protection and Electronic Documents Act from a consumer perspective. We therefore are here to give you that perspective on Bill C-27.

Make no mistake about it, Bill C-27, the Electronic Commerce Protection Act, is intended to empower consumers, to empower them to take control of their electronic mail and to take control of their computers. In this way, it is hoped that spam and spyware, fraud such as phishing and the like that is delivered with this manner, can be greatly curtailed. And under this bill, with this focus on consumer empowerment, it can.

Based on this underlying belief in the legislation, we wish to make three basic points to the committee and mention three possible amendments to the bill.

The first basic point is that under the ECPA as drafted, an individual's personal consent, explicit in most cases and implicit only for limited exceptions, is required before an organization or individual can send them a commercial e-mail. This is the only effective way to stem the tide of spam. Exceptions from this requirement for certain senders or an enlargement of the implied consent standard should be strongly resisted by the committee.

Some of the presenters to the committee have expressed concerns that the requirement for explicit consent to receive commercial e-mail is too onerous or would be unworkable. PIAC cautions that the general requirement of explicit consent underpins the entire structure of the bill. It is only by clearly--that is, explicitly and with solid proof--requiring a person's verifiable consent to receive commercial e-mail that the tide of unwanted commercial messages can ever be truly controlled.

Marketers gain advantage from assuming consent, which is possible under an implicit consent model, as their only goal is to simply deliver the messages, leaving the work and time invested in sorting out what is relevant or what is spam to the individual. As we all know, it is the incessant time-wasting triage of e-mails from hundreds and thousands of uncoordinated marketers using this lazy technique that creates the problem of spam.

The existing business relationship exemption for implicit consent allows a wide scope for commercial contact with consumers by e-mail. Every customer of every business is deemed to consent to receiving e-mail from that business unless they go to the trouble of unsubscribing. This exemption provides businesses numerous opportunities to seek and obtain explicit consent and provides for a long tail of 18 months after dealings with that customer to again obtain explicit consent for future e-mail solicitations. We know that this time period is equal to that allowed under the national “do not call” list for the same purpose.

The second basic point is that as drafted under this bill, there is no business-to-business exemption from the explicit consent requirement, it is true, unless the e-mail otherwise falls within that existing business relationship implied consent exemption. That is, businesses under this bill may not seek out new business by sending unsolicited commercial e-mail to other businesses or consumers that they do not actively do business with, period. This practice may well be the norm in the business world and in certain industries, especially banking or insurance, which may rely on referrals, where the recipient has no relationship with the sender, but that is not permitted at the moment. We believe that is as it should be. These are, in our view, unsolicited commercial e-mails that are just as annoying and productivity-killing for people in the workplace environment as they are for consumers at home.

We note here that under the national “do not call” list, referrals are also not allowed.

Should this committee absolutely want to have a business-to-business exemption for prospecting for new business or for referrals, we recommend that the business-to-business exempted e-mails also be required to follow the same rules as are laid out in subclause 6(2). That is, the e-mail must have information on the sender and the unsubscribing mechanism.

The third point is the private right of action. We feel that the private right of action must be maintained in order to protect consumers intended to be empowered by this legislation. The private right of action will only be used in egregious cases. We note that if the company is fined or is complying with an undertaking, consumers cannot bring an action for statutory damages. Therefore, this provision likely will only be used in cases where consumers suffer actual loss or damage, which they normally would be able to sue for anyway, or when there's a serious matter of interpretation of the legislation and the CRTC has refused to issue a notice of violation.

Courts are best placed to determine the interpretation of the act and whether actual loss has occurred. However, what is missing in that private right of action, we note, is a provision that protects companies from being able to contract out of this right.

We therefore recommend to the committee that they consider a provision modelled on sections 6 to 8 of the Ontario Consumer Protection Act, 2002, which does that as well. I have three possible amendments for the committee.

The first one is that we do believe the penalities involved in the bill on the e-mail side may be too high. We've heard that today. We suggest that they be brought into line with those for the national “do not call” legislation. They do not need to be terrorizingly high; they just need to be effective.

The second amendment is that the installation of software when there is implicit or explicit consent requires a transparency section that is parallel to that for e-mail, which is now found in subclause 6(2). There is subclause10(2) of the present bill, which requires the software supplier for spyware to describe clearly and simply the function, purpose, and impact of every computer program that is installed. However, that's not parallel to subclause 6(2). It doesn't tell you which company, and it doesn't tell you how to contact them. As well, it doesn't give you information about how to unsubscribe, and in this context that would be how to get off of automatic updates in the future. PIAC studied spyware in 2006 and issued a report at that time. We have further recommendations for the legislation that could go into the regulations with regard to more spyware requirements.

Our last amendment is to repeal the bill's potential to remove the national “do not call” list. Therefore, we agree with the Canadian Marketing Association that clauses 64 and 86 would be removed from this bill. We agree with them because we feel that the national “do not call” list needs time, and that the Electronic Commerce Protection Act approach is necessary for spam but will not work for telemarketing and vice versa.

Those are our comments. Merci.

At the time of our review, we didn't do a finely tuned comparison of the different legislative regimes in different jurisdictions, so I wouldn't be able to answer that question in sufficient detail.

Fundamentally, the challenge we're dealing with is that we have a piece of legislation that starts with a very broad prohibition and then has exceptions. Those exceptions are really quite firm, although they do have the possibility of being altered significantly in regulation.

The issue is that for most pieces of legislation where they're looking to curtail particular behaviour, they name exactly what the harmful behaviour is and outlaw that. They leave other behaviour that doesn't meet the threshold of needing to be outlawed to still exist.

Now, I recognize that a number of people have argued that there's a cumulative effect of all of this. You can have one piece of unsolicited commercial e-mail that's not, on its face, particularly offensive, but when you get dozens and dozens, or thousands and thousands, appearing in your inbox, cumulatively they have a very significant impact.

The challenge is trying to make sure that this piece of legislation is sufficiently tailored so that it does deal with what is seen as being the harm, which is that huge number of e-mail messages that people do not want, and at the same time tries to address a circumstance where there are e-mail messages that many people, and maybe the preponderance of people, would say would be reasonable in the circumstances. Making sure that the two fit together; that's what this legislative scheme has to allow to take place.

What is reasonable is going to differ from one individual to another. It's a very difficult task that this committee has and that everybody who's appeared before this committee has had to deal with. But given the way the scheme is in this piece of legislation, it appears to be consent based. If you have the person's explicit consent in the manner prescribed, you can send them commercial e-mail messages. If you have implied consent--implied consent is very narrowly limited to within this existing business relationship, fundamentally--you can send them messages. But there's a possibility, a chance, that there are kinds of communications that are not particularly offensive and that in fact in some cases may be welcomed that would inadvertently be caught within this very broad net.

To give one example, let's say I'm an accountant and I would really like to volunteer for your next campaign. I'd really like to help you and offer accounting services to your campaign. I could not send you that message by e-mail. I could not tell you that. That would be outlawed. Even if it's to completely volunteer, one element within that would be a smidgen of self-promotion, which is enough to taint that entire e-mail message and make it unlawful.

Referrals are obviously something that you've heard about. There's even the change of address notification to your professional contacts. They may not have been customers, they may not be your family and friends, they may not be people you've done business with; they're members of associations. That sort of e-mail message, which a lot of people would say is reasonable, would probably be caught within that net.

I think the challenge is to try to tailor the legislation so that the bad stuff is caught and the inoffensive stuff is not necessarily caught.

Obviously we didn't do a full economic analysis of what the full impact of the legislation would be, but I'm not sure--