Industry Committee on Sept. 28th, 2009

I would be totally fine with it being done in regulation, sir.

Thank you for providing CIPPIC with this opportunity to offer you our submissions.

We're a technology law clinic at the Faculty of Law at the University of Ottawa. Our mandate is to ensure balance in policy and law-making processes by representing under-represented interests and perspectives on issues that arise at the intersection of law and technology, so you might guess why this legislation interests us.

We were established in the fall of 2003, and since that time we've advocated for a legislative regime that addresses spam, phishing, spyware and malware. Our advocacy has included making contributions to the Task Force on Spam, offering submissions to Senate and House committees on identity theft, and participating as a member of the Anti-Spyware Coalition, a coalition of business and consumer advocates working together to address the challenges of potentially unwanted technologies such as spyware. All of this is very pertinent to the work this committee is doing and the bill before you.

We have a lot to say about this bill. I'm going to try to reduce it four areas, though I'd be happy to take questions about anything you have on your minds about this legislation.

First, I want to talk about the purpose of the legislation. Second, I want to talk about challenges to the consent principle. Third, I want to address the central importance of the private right of action. And finally, I want to talk about something I haven't heard a great deal of discussion of before the committee, namely, some fundamental changes to PIPEDA's central investigatory power.

First, on the purpose of the legislation, many of the criticisms we've heard of this legislation suggest that it goes too far and that it's not tailored to reducing harm. With respect, these challenges misstate the objective of the legislation. The objective is to establish accountability for sending unsolicited commercial e-mail.

E-mail is directed at more than just fraud and deception. This legislation is about more than phishing and Viagra ads, right? It's also about promoting commerce. It's about the cost imposed by spam on all Canadians, Canadian consumers, and Canadian businesses. Even commercial e-mail imposes efficiency and productivity drains on us. After all, we call such e-mail, when unwanted, spam. At bottom, it's about enhancing the ability of telecommunications tools to promote efficiency within the Canadian economy more broadly, or to enhance productivity within Canadian businesses more broadly. That's the focus. Keep that in mind. That's the harm we're trying to avoid.

This committee heard earlier from the Coalition Against Unsolicited Commercial Email about the costs of spam, estimated to be about $300 per employee in lost productivity. That's the focus. This legislation aims at establishing accountability for spam; it's aimed at reclaiming control over the inbox and restoring the utility of e-mail and other electronic communications as productive tools that promote commerce.

Second, on challenges to the consent principle, we've seen claims that the nature of the consent required by the bill is too vague. Frankly, we don't see any merit in those claims. Our experience with PIPEDA, our federal privacy legislation, suggests that businesses can work with opt-in mechanism. The circumstances under which explicit consent may be done away with are clear, in our view. To the extent we need to address these things, we can address them by regulation.

And finally, we argue that the availability of a due diligence defence further assists businesses in addressing consent issues.

On the central importance of the private right of action, having mentioned PIPEDA, I need to stress that PIPEDA alone is insufficient to address the behaviour targeted by this legislation. In particular, the private right of action is essential to the functioning of this law. The harms associated with spam and spyware are cumulative. The harms here are many small ones, repeated often. The ability of consumers to band together and businesses to band together to address noxious behaviour is essential to address these kinds of cumulative harms. Gutting the private right of action guts the bill. This tortious behaviour is not something that a serious harm standard advanced by some can address.

And finally, there is the issue of changes to PIPEDA's central investigatory power. Frankly, we're greatly alarmed by the sweeping revisions to the framework of PIPEDA proposed in this bill. This legislative change has nothing to do with spam or spyware; it's a fundamental revision of the complaints-based framework of PIPEDA itself. And there are many problems with PIPEDA from a consumer perspective, but the mandatory nature of investigations of complaints by the Office of the Privacy Commissioner is not one of them.

We'd ask that this section be removed from this bill and placed in other legislation, along with other amendments of PIPEDA that are pending further to the five-year review of the statute. That's where that kind of framework amendment belongs, not in this bill, not tailing along in this bill. The fact that you've heard so little about this suggests the merit of that claim.

If this provision is left in, we would suggest that you limit it to granting the discretion the Privacy Commissioner seeks in respect only of the subject matter otherwise addressed in this bill: spam, malware, etc. And if it is to be left in, and of general application, we would suggest that it needs to be narrowly tailored to address the specific concerns raised by the Office of the Privacy Commissioner of Canada, such as frivolous and vexatious complaints.

With respect, our view is that the discretion being granted is just too broad.

Thank you. We'd be happy to address any questions you might have.

Thank you, Mr. Chair.

I will start and then my colleagues will continue on.

I think you are all familiar with the Canadian Bar Association as a national association representing over 37,000 jurists across Canada. Amongst our objectives are the improvement of the law and the improvement of the administration of justice. It's with that optic that we have studied the bill in front of us today and we make the comments.

I should point out that both our privacy and access law section as well as our competition law section have analyzed the bill.

Mr. Fraser will address the general parts of the bill and then Mr. Alexander-Cook will look at the Competition Act aspects.

Thank you very much.

As a preface to all of our comments, we'd like to emphasize for the benefit of the committee that we agree wholeheartedly with the intent of the legislation. I think there's general consensus that spam wastes time, energy, and significant resources, is a source of fraud, and makes it difficult for legitimate business to be conducted online. Notwithstanding that, we do have some serious concerns about Bill C-27 and exactly how it's implemented. I'll briefly delve into each of them, but we will of course be available for questions.

First of all, we think the legislation is a little too broad. What it does is take all commercial electronic messages and outlaw them subject to some hard-to-manage exceptions that are simply based on explicit consent, which can be altered significantly in regulations; personal or family relationships, which also are defined in the regulations that we haven't seen; and implied consent, which doesn't quite accord with what you would think implied consent means--it means simply an existing business relationship.

We're also concerned that the legislation itself is inconsistent with related regimes and other statutes that it actually seeks to amend. “Existing business relationship” is a concept that's entrenched in the national “do not call” list, but it's treated differently for the purposes of this statute. “Commercial activity” is also a term that is central to the Personal Information Protection and Electronic Documents Act but is defined differently in this statute for purposes that aren't necessarily clear on their face as to why one needs to have different definitions of the same term.

Consent, which is obviously a concept that's central to the privacy provisions in PIPEDA and is central to this piece of legislation, is radically different from one to the other. We think this presents problems because many of the businesses that are going to have to deal with compliance with the Electronic Commerce Protection Act, PIPEDA, and the Competition Act are the same people who are going to be using the exact same terms, but for very different purposes or with different meanings, which makes it difficult to manage.

Otherwise, the statute is also a bit hard to follow, and we're concerned that too much of it has actually been left to the regulations. This is a statute of general application. It's going to apply to pretty well every business and it's designed to be for the benefit of every single consumer. In our view, businesses should be able to pick up the statute and have a very strong understanding of exactly what it is they have to do and what it is they can't do. Likewise, consumers should have the ability to pick up the statute and understand what their rights are and what their remedies are.

It's our feeling that too many important provisions are being left to the regulations, which may be sensible in the sense that this is a rapidly moving area. There are some central concepts that could be and should be entrenched in the statute, with regulations being left to deal with issues that come up and to deal with loopholes that might not have been foreseen.

We're also concerned that the statute may in fact actually, on its face, violate the charter, simply based on a violation of the freedom of expression provisions contained in paragraph 2(b) of the charter for anything that regulates communication that conveys expression. You may not think that most of the spam that arrives in your inbox actually conveys meaning, but the courts would find otherwise. In order to be justified, it has to meet a strict test under section 1 of the charter, the most important provision of which is that it has to be minimally impairing, so it has to be very finely tuned legislation.

We're concerned that the way it's drafted so broadly may mean that it actually might not survive a charter challenge. While we agree wholeheartedly with the intent of the legislation, we don't want to be back here in a couple of years because it has been struck down as being unconstitutional. In our view, it needs to be fine-tuned in that regard.

A number of fixes could be proposed, which we'd be happy to talk about at greater length. The most important one would be not to limit implied consent. I think you've probably heard this from others. Consent is a concept that we've been dealing with under privacy legislation for quite some time. People have a pretty good idea of it. You've been dealing with it in the medical context as well. A reasonableness standard can be put in place.

Before I run out of time--and I apologize for being a bit long-winded--I'm going to hand it over to my colleague Mr. Alexander-Cook.

Thank you, Mr. Chair.

My name is John Lawford. I am counsel with the Public Interest Advocacy Centre. With me is Janet Lo, also counsel.

PIAC has been deeply involved for many years with the efforts to regulate commercial electronic messages--that is, spam--and the Personal Information Protection and Electronic Documents Act from a consumer perspective. We therefore are here to give you that perspective on Bill C-27.

Make no mistake about it, Bill C-27, the Electronic Commerce Protection Act, is intended to empower consumers, to empower them to take control of their electronic mail and to take control of their computers. In this way, it is hoped that spam and spyware, fraud such as phishing and the like that is delivered with this manner, can be greatly curtailed. And under this bill, with this focus on consumer empowerment, it can.

Based on this underlying belief in the legislation, we wish to make three basic points to the committee and mention three possible amendments to the bill.

The first basic point is that under the ECPA as drafted, an individual's personal consent, explicit in most cases and implicit only for limited exceptions, is required before an organization or individual can send them a commercial e-mail. This is the only effective way to stem the tide of spam. Exceptions from this requirement for certain senders or an enlargement of the implied consent standard should be strongly resisted by the committee.

Some of the presenters to the committee have expressed concerns that the requirement for explicit consent to receive commercial e-mail is too onerous or would be unworkable. PIAC cautions that the general requirement of explicit consent underpins the entire structure of the bill. It is only by clearly--that is, explicitly and with solid proof--requiring a person's verifiable consent to receive commercial e-mail that the tide of unwanted commercial messages can ever be truly controlled.

Marketers gain advantage from assuming consent, which is possible under an implicit consent model, as their only goal is to simply deliver the messages, leaving the work and time invested in sorting out what is relevant or what is spam to the individual. As we all know, it is the incessant time-wasting triage of e-mails from hundreds and thousands of uncoordinated marketers using this lazy technique that creates the problem of spam.

The existing business relationship exemption for implicit consent allows a wide scope for commercial contact with consumers by e-mail. Every customer of every business is deemed to consent to receiving e-mail from that business unless they go to the trouble of unsubscribing. This exemption provides businesses numerous opportunities to seek and obtain explicit consent and provides for a long tail of 18 months after dealings with that customer to again obtain explicit consent for future e-mail solicitations. We know that this time period is equal to that allowed under the national “do not call” list for the same purpose.

The second basic point is that as drafted under this bill, there is no business-to-business exemption from the explicit consent requirement, it is true, unless the e-mail otherwise falls within that existing business relationship implied consent exemption. That is, businesses under this bill may not seek out new business by sending unsolicited commercial e-mail to other businesses or consumers that they do not actively do business with, period. This practice may well be the norm in the business world and in certain industries, especially banking or insurance, which may rely on referrals, where the recipient has no relationship with the sender, but that is not permitted at the moment. We believe that is as it should be. These are, in our view, unsolicited commercial e-mails that are just as annoying and productivity-killing for people in the workplace environment as they are for consumers at home.

We note here that under the national “do not call” list, referrals are also not allowed.

Should this committee absolutely want to have a business-to-business exemption for prospecting for new business or for referrals, we recommend that the business-to-business exempted e-mails also be required to follow the same rules as are laid out in subclause 6(2). That is, the e-mail must have information on the sender and the unsubscribing mechanism.

The third point is the private right of action. We feel that the private right of action must be maintained in order to protect consumers intended to be empowered by this legislation. The private right of action will only be used in egregious cases. We note that if the company is fined or is complying with an undertaking, consumers cannot bring an action for statutory damages. Therefore, this provision likely will only be used in cases where consumers suffer actual loss or damage, which they normally would be able to sue for anyway, or when there's a serious matter of interpretation of the legislation and the CRTC has refused to issue a notice of violation.

Courts are best placed to determine the interpretation of the act and whether actual loss has occurred. However, what is missing in that private right of action, we note, is a provision that protects companies from being able to contract out of this right.

We therefore recommend to the committee that they consider a provision modelled on sections 6 to 8 of the Ontario Consumer Protection Act, 2002, which does that as well. I have three possible amendments for the committee.

The first one is that we do believe the penalities involved in the bill on the e-mail side may be too high. We've heard that today. We suggest that they be brought into line with those for the national “do not call” legislation. They do not need to be terrorizingly high; they just need to be effective.

The second amendment is that the installation of software when there is implicit or explicit consent requires a transparency section that is parallel to that for e-mail, which is now found in subclause 6(2). There is subclause10(2) of the present bill, which requires the software supplier for spyware to describe clearly and simply the function, purpose, and impact of every computer program that is installed. However, that's not parallel to subclause 6(2). It doesn't tell you which company, and it doesn't tell you how to contact them. As well, it doesn't give you information about how to unsubscribe, and in this context that would be how to get off of automatic updates in the future. PIAC studied spyware in 2006 and issued a report at that time. We have further recommendations for the legislation that could go into the regulations with regard to more spyware requirements.

Our last amendment is to repeal the bill's potential to remove the national “do not call” list. Therefore, we agree with the Canadian Marketing Association that clauses 64 and 86 would be removed from this bill. We agree with them because we feel that the national “do not call” list needs time, and that the Electronic Commerce Protection Act approach is necessary for spam but will not work for telemarketing and vice versa.

Those are our comments. Merci.

At the time of our review, we didn't do a finely tuned comparison of the different legislative regimes in different jurisdictions, so I wouldn't be able to answer that question in sufficient detail.

Fundamentally, the challenge we're dealing with is that we have a piece of legislation that starts with a very broad prohibition and then has exceptions. Those exceptions are really quite firm, although they do have the possibility of being altered significantly in regulation.

The issue is that for most pieces of legislation where they're looking to curtail particular behaviour, they name exactly what the harmful behaviour is and outlaw that. They leave other behaviour that doesn't meet the threshold of needing to be outlawed to still exist.

Now, I recognize that a number of people have argued that there's a cumulative effect of all of this. You can have one piece of unsolicited commercial e-mail that's not, on its face, particularly offensive, but when you get dozens and dozens, or thousands and thousands, appearing in your inbox, cumulatively they have a very significant impact.

The challenge is trying to make sure that this piece of legislation is sufficiently tailored so that it does deal with what is seen as being the harm, which is that huge number of e-mail messages that people do not want, and at the same time tries to address a circumstance where there are e-mail messages that many people, and maybe the preponderance of people, would say would be reasonable in the circumstances. Making sure that the two fit together; that's what this legislative scheme has to allow to take place.

What is reasonable is going to differ from one individual to another. It's a very difficult task that this committee has and that everybody who's appeared before this committee has had to deal with. But given the way the scheme is in this piece of legislation, it appears to be consent based. If you have the person's explicit consent in the manner prescribed, you can send them commercial e-mail messages. If you have implied consent--implied consent is very narrowly limited to within this existing business relationship, fundamentally--you can send them messages. But there's a possibility, a chance, that there are kinds of communications that are not particularly offensive and that in fact in some cases may be welcomed that would inadvertently be caught within this very broad net.

To give one example, let's say I'm an accountant and I would really like to volunteer for your next campaign. I'd really like to help you and offer accounting services to your campaign. I could not send you that message by e-mail. I could not tell you that. That would be outlawed. Even if it's to completely volunteer, one element within that would be a smidgen of self-promotion, which is enough to taint that entire e-mail message and make it unlawful.

Referrals are obviously something that you've heard about. There's even the change of address notification to your professional contacts. They may not have been customers, they may not be your family and friends, they may not be people you've done business with; they're members of associations. That sort of e-mail message, which a lot of people would say is reasonable, would probably be caught within that net.

I think the challenge is to try to tailor the legislation so that the bad stuff is caught and the inoffensive stuff is not necessarily caught.

Obviously we didn't do a full economic analysis of what the full impact of the legislation would be, but I'm not sure--