Industry Committee on Sept. 30th, 2009

Thank you very much, Mr. Chairman.

Thank you for inviting me to testify at this hearing on this very important topic and on this most excellent bill.

On behalf of Amazon.ca, let me add my voice to the chorus of praise, congratulations, gratitude, and support for your work on this matter and for Bill C-27.

I could easily spend my five minutes complimenting various features of the bill, but I believe my appearance here will be more valuable to you and your committee if I may suggest two areas for improvement with modest changes.

The first area is with respect to the consequences of honest mistakes. We have long said that honest e-mail mistakes should not be punished; that problem spammers wilfully and intentionally spam; and that reputable companies should be able to e-mail their customers without fear of legal retribution for honest mistakes. The market already provides very strong disincentives. Honest mistakes also aren't the source of the real spam problem; our e-mail boxes aren't barraged with messages from companies that accidentally sent them. Again, problem spammers wilfully and intentionally spam.

This is already recognized implicitly in Bill C-27, the purpose of which is “to promote compliance with the act, not to punish”. It's also somewhat more explicitly recognized in the defence sections of the bill, proposed subsections 33(1) and 54(1).

At your June 18 hearings, CRTC Chairman von Finckenstein said the question of whether someone should be fined will be answered considering whether there was a “wilful breach” of the law. To make the bill clearly state the chairman's understanding, with which I agree, I suggest that proposed subsections 20(1) and 51(1) be amended so that only those who have wilfully contravened the act are subject to fines or damages. At the very least, the bill should be clarified in the defence sections using the words of Senator Goldstein's bill, Senate Bill 202, in section 22: “A person shall not be found to be liable for a violation...or if the violation was due to inadvertence or based on an honest mistake of fact.”

These simple changes, courtesy of Senator Goldstein's wise drafting, would go a long way to clarifying in Bill C-27 the consequences of honest mistakes.

The other area that could use improvement is with respect to the duration of implied consent based on purchase. In Bill C-27, implied consent based on a purchase would expire after only 18 months. We believe that in the best interests of consumers, this period is much too short. First of all--and this is not a criticism, mind you--18 months is arbitrary, as already has been acknowledged before this committee. It's not a magic number, demonstrably different from 17 or 20 months, or 36 months. But most importantly, 18 months is much too short. It is not in line with consumer expectations and customer-friendly practices. Two obvious areas are: first, the production cycles--particularly for creators, such as authors and bands--can be much longer than 18 months. Joan Thomas won the most recent Amazon.ca First Novel Award for her book Reading by Lightning. Shouldn't consumers who bought this book be notified of her next book, even if it takes her many years to write it?

Likewise, product life cycles--for example, cars, headphones, computers--are often much longer than 18 months. Consumers expect notifications about new works or replacement products at the appropriate time, not at 17 and a half months. So from a consumer perspective, indefinite duration of this implied consent would be best. A limited period actually could increase commercial e-mail. Sellers may rush to beat an artificial deadline, causing a barrage of e-mail at 17 and a half months.

It's also hard to believe that limited-duration implied consent would make much difference. Our in-boxes are not full based on purchases in the distant past, and for the rare exceptions, consumers may opt out or block. If we must have limited-duration implied consent based on a purchase, five to seven years would be best for consumers in order to take into account production cycles and product life cycles.

I look forward to your questions.

Thank you again, Mr. Chairman.

Thank you, Mr. Chairman. I am grateful to the committee members for allowing me to address you today concerning Bill C-27.

In addition to being the chair of the Canadian Association of Internet Providers for the last nine years, I have for almost 15 years been an Internet service provider in Cobourg, Ontario. I've been involved with the problem of unsolicited commercial e-mail, or spam, since it was first recognized as having the potential to cause harm and cost organizations and individuals millions of dollars each year to combat.

In 2004 I was invited to be a member of the ministerial task force on spam. In 12 short months we developed a tool kit approach to combatting spam, and the recommendations we presented to the Minister of Industry in May 2005 have been adopted by many nations around the world.

While junk e-mail is by far the most prevalent of online ailments facing Internet users, the Electronic Commerce Protection Act also recognizes that a seemingly benign e-mail message is often the precursor of greater viruses, such as Trojan horse programs, identity theft, fraud, and other criminal activity.

CAIP has several areas of concern that I'd like to bring forward today. Most of these are focused on enforcement. We are happy that the oversight of the ECPA will rest with Industry Canada. In my opinion, there isn't another department within the Government of Canada that has the experience with electronic communications that Industry Canada has. Our first concern regarding enforcement, however, lies in the enforcement agencies named in Bill C-27. While the chosen agencies have had some influence in electronic communications in the past, the will or ability to enforce their individual mandates has at times not been effective. In some instances, they have lacked the tools, mandate, or resources needed; in other instances, they simply failed to apply the tools at their disposal.

Our primary concern in this regard is with the Canadian Radio-television and Telecommunications Commission. We realize that a new function within the CRTC is being developed to accommodate this new mandate. But given the commission's adversity to enforcement of decisions and orders under its traditional telecom mandate, we have reservations regarding the willingness of the commission to exercise its new powers under Bill C-27. Despite precedent, it is my hope that these fears will not be realized and that the CRTC will gain a new appreciation of the powers bestowed upon it.

We have fewer concerns with the role played by the Office of the Privacy Commissioner and the Competition Bureau. In fact, we're pleased that their mandates have been reinforced with additional clarity, tools, and resources through Bill C-27 and other legislation. Certainly, the privacy commissioner has shown significant leadership in combatting spam to date, and the Competition Bureau has long been the watchdog consumers could turn to regarding deceptive marketing and truth in advertising. We trust that through the focus on spam that Bill C-27 provides, the leadership will continue.

With multiple enforcement agencies, however, there can come multiple agendas. In this instance, there can be no turf wars if we want Bill C-27 to be successful. The bill quickly gained legs because parliamentarians of all stripes saw value in the effort and benefits in the outcome. Our enforcement agencies must keep this example in mind as they undertake their new duties to protect Canadians online.

CAIP would like to suggest that the three agencies consider developing a trilateral task force to implement and manage their new responsibilities, rather than attempting to work in isolation. The benefit of this approach would be a reduction in duplicative efforts, more timely and effective management of complaints, better coordination of information exchanged between agencies, better use of investigative resources, and better use of financial resources.

Our second concern over enforcement has to do with the coordination of international efforts. To be effective, coordination must go beyond these hallowed halls and beyond this country. Electronic crimes know no boundaries—their perpetrators do not respect international borders. Cyber criminals do not work nine to five in the eastern time zone—they're international in scope, plying their trade 24/7, 365 days a year. Fortunately, by many estimates there are only a few ardent spamming operations in the world. Unfortunately, they operate simultaneously in many countries in nearly every continent, using unwitting Internet users as their pawns.

Despite being one of the first nations to develop a tool-kit approach to dealing with spam, we are one of the last major economies to fully implement a spam strategy based on the recommendations of the task force. The countries that have adopted these recommendations have gained expertise and developed resources capable of benefitting Canada.

The ECPA permits Canadian enforcement agencies to exchange information with other like-minded international agencies. We'd encourage the agencies to seize this opportunity and exploit the international expertise available to them in fulfilling their mandates. Because Canada is a relatively small source of spam, it is only through open and coordinated cooperation with other like-minded international enforcement agencies that we will be able to make progress in the control of spam.

Our third concern over enforcement is in the delivery of an appropriate and measured response when dealing with offenders. It would be our hope that legitimate Canadian business owners who make honest mistakes in deploying their online marketing strategy don't become the target of overzealous enforcement simply because they are the low-hanging fruit and easy to identify. It's the egregious spammer and nefarious e-mailer for hire that we hope will be the target of enforcement.

Rather than accumulating quick numbers and claiming great success by pursuing SMBs, we would encourage all three enforcement agencies and Industry Canada to undertake a concerted business and consumer awareness campaign to educate Canadians about the ECPA. Education is far more effective and less expensive than the cost of enforcement.

Finally, there are several simple things to remember that we think will help in developing regulations that will successfully enable enforcement of the ECPA. One, focus on the egregious perpetrators. Two, focus on the intent of the action, not necessarily the action itself. Three, focus on well-defined activities deemed to be dangerous, while at the same time providing the ability to expand those defined activities as technology changes. Four, focus on education of e-mail marketing etiquette. Five, focus on the use of enforcement as a measured and targeted tool based on the harm caused, not the inconvenience perceived. Six, adopt the best practices in legislation, regulation, and enforcement of other jurisdictions. Seven, develop a legislative and enforcement response that protects Canadians and doesn't burden them with unnecessary red tape and confusion in pursuing justice. And finally, develop a legislative and enforcement response that doesn't create criminals or create financial burden when there was no intent to defraud or harm.

Thank you.

Thank you, Mr. Chair.

My name is Chris Gray. I am the director of the Canadian Intellectual Property Council.

Appearing with me today is Jason Kee, a steering committee member with the CIPC. He is also the director of policy and legal affairs with the Entertainment Software Association of Canada.

It is a pleasure to be able to present the views of the Canadian Intellectual Property Council and our members on Bill C-27.

The CIPC was founded in 2008 under the authority of the Canadian Chamber of Commerce to unite businesses and press for an improved intellectual property rights regime in Canada. While our focus of late has been on the copyright consultations and seeking better border enforcement to fight counterfeit goods, we also need to monitor other legislation that could affect businesses, such as this one.

The CIPC and all in the business community support the notion of eliminating spam. As we all know, spam is a nuisance to almost everyone. For a business, especially a small business, it can slow down legitimate business practices and it takes time to delete. However, there are some concerns about Bill C-27 that need to be addressed, and we're pleased that the committee is taking the time to get it right and consider amendments to the legislation that will make it acceptable to all.

Working with the Canadian Chamber of Commerce and other business associations, we've submitted amendments to the committee members for consideration. While we support the bill's objective of deterring the most dangerous forms of spam, such as phishing and malware, that discourage reliance on electronic means of carrying out commercial activities, we can't support the bill as currently drafted.

This new Electronic Commerce Protection Act may render thousands of commonly used computer applications illegal. It would submit Canadian businesses to potential fines of up to $10 million and potential civil action. This new bill would also amend the Personal Information Protection and Electronic Documents Act to submit Canadian businesses to civil suits relating to violations of the act. This bill would potentially prohibit the formation of new business relationships over the Internet or through e-mail. It would also severely limit the use of the Internet for the distribution of software and software updates.

I'm now going to turn this over to Jason to discuss some more specific concerns we have.

If the intention of the bill is to prohibit forms of malware that discourage reliance on electronic means of carrying out commercial activities, the sweeping prohibition goes far beyond what would be required and would have the potential of doing considerable damage to the development, sale, and distribution of commercial software in Canada, thus potentially doing more to discourage electronic commerce in Canada and the development of our digital economy than the malware it purports to target.

Lastly, all computer programmers must receive express consent from the user before a program is installed and must disclose the function, purpose, and impact of each individual computer program for that consent to be valid. Accordingly, each individual computer program that's installed must be individually identified and the function, purpose, and impact of each described prior to obtaining consent. Most software routinely installs and executes a multitude—potentially hundreds or even thousands—of small computer programs during the course of its operations in order to work. Obtaining express consent from the user, including a description of the specific function, purpose, and impact, each time a program is installed and executed would simply not be technically feasible; moreover, it has the potential of being highly disruptive to the end-user's experience and could even disrupt the operation of the software itself.

Rather than institute a general, sweeping prohibition, the anti-malware provisions of the ECPA should be expressly targeted to clear instances of malware or spyware that causes harm to the end user and should provide a specific and exclusive list of computer functions that are considered to be spyware activities, as is done in the case of many anti-spyware laws that have been passed by individual U.S. states. Alternatively, the provisions of the ECPA should be narrowed to only apply to computer programs installed on another system for malicious purposes.

I would like to thank the committee for the opportunity to speak here today. I look forward to any questions you may have and to working with you to improve this important bill.

Mr. Chair, Mr. Vice-Chair, members of the committee, thank you for this opportunity to present out views on Bill C-27, the Electronic Commerce Protection Act.

Option consommateurs dates back to 1983. We are a non-profit association with a mission to promote and to defend the interests of consumers and to ensure respect of their interests. Our head office is in Montreal. We also have an office in Ottawa.

The Task Force on Spam submitted its report to the federal Minister of Industry more than four years ago. The Task Force consisted of the ten official members, of whom I was one, drawn from private industry, government and the non-governmental sector. About 100 others with a deep-rooted interest in the question also contributed. The Task Force submitted a unanimous report in which it recommended, among other things, the drafting of a stand-alone law that would clearly address spam, spam-related offences and emerging threats such as spyware and botnets.

We therefore welcome the tabling of Bill C-27 as a first step in improving Canadian consumer confidence in electronic commerce.

It is the recipients, namely Internet Service Providers, business and consumers, who bear the cost of massive volumes of commercial email, not the senders. And these direct costs—bandwidth, filtering technology, the hiring of extra staff—and indirect costs—loss of productivity, loss of genuine messages, corruption of information technology infrastructure and identity theft—are as numerous as they are hard to quantify.

Fraudulent use of email addresses directly undermines the public confidence necessary for electronic commerce. Spam violates two different principles of privacy protection: the collection and use of information and the Internet user's right to withhold consent to such collection. Spam is also an important vector for phishing attacks which enable Internet criminals to carry out identity theft. According to the OECD, spam levels are high enough that they are undermining user confidence in email and other electronic media as well as creating a negative impact on global communications networks.

This situation makes it urgent that Parliament adopt clear precise legislation banning the sending of unsolicited and unauthorized commercial emails—as stipulated in subsection 6.1; modification of message headers—section 7; the installation or use in an individual's computer of programs without that individual's consent—section 8; misleading and fraudulent representations—section 71; the use of computer program for searching for, and collecting, electronic addresses and the use of an individual's electronic address collected by such a program—section 78; as well as the unauthorized use of a computer for the purposes of collecting personal information—section 78. It is just as important that this legislation should allow commercial email only if the consumer has clearly agreed to receive them.

In discussion groups and in a Canada-wide survey which we conducted in 2004, Canadian consumers expressed a preference for a system requiring a consumer's explicit prior consent before any commercial email is sent. We would have preferred a strict regime of explicit consent, but we consider that the thrust of sections 10 through 13 of the bill represents a reasonable compromise between explicit and implied consent in cases of an existing business relationship. For the sake of greater clarity on the point of implied consent, we recommend the addition of the following clause after clause 10.4:

In the case of “existing business relationships“, an implied consent is valid only if the recipient provides his or her own details directly and if the goods or services being marketed are similar to those previously sold to him or her,

The bill incorporates the Task Force on Spam's recommendations, firstly, that the new offences created by the law should be covered under civil status and secondly, that there be a provision allowing individuals and businesses to lodge private actions. The high financial penalties in the proposed legislation strike us as severe enough to discourage spammers.

Bill C-27 also incorporates several amendments to the Competition Act and to the Personal Information Protection and Electronic Documents Acts which will help to counter spammers' methods and practices more effectively.

Overall, the drafting of Bill C-27 seems to have been based on the best regulatory practices of Canada's many commercial partners who have already adopted legislation against spam and its harmful consequences.

As you undoubtedly know, the effectiveness of any legislation depends on its enforcement. As such, additional resources must necessarily be provided along with any new statutory provisions. Furthermore, this draft legislation calls for increased coordination among existing agencies named in the bill and involves the creation of a national coordination centre to monitor and report on the law's effectiveness, to support national and international cooperation, to work with industry to analyze trends in electronic threats and to develop awareness and education programs.

Finally, there is one element which needs the attention of parliamentarians and of the Government of Canada. Canadian consumers need a simple and effective complaint mechanism.

The new legislation has made provision for establishing new monitoring and new electronic risk analysis mechanisms. These will help bolster consumer confidence in electronic commerce and will help prevent potentially even more dangerous threats from developing.

Thank you very much.

Thank you, Mr. Chair and members of the committee. Thank you for inviting us to be here with you today to contribute to your study of Bill C-27, the proposed Electronic Commerce Protection Act, ECPA.

We welcome this opportunity to comment on this important bill.

My name is Nathalie Clark. I am the general counsel and the corporate secretary of the Canadian Bankers Association. With me today is Bill Randle, our assistant general counsel.

In the submission we have provided to the committee, we have commented on Bill C-27 in some detail. But in these opening remarks, I will briefly review our main concerns with the bill.

In recent years, criminals abused e-mail both to deliver spyware, which can steal personal information from its targets, and to send counterfeit messages that lure individuals into disclosing personal information that results in identity theft.

It is widely recognized that these types of spam are a significant threat to individuals, businesses and the Canadian economy. For several years, the CBA has encouraged the government to introduce legislation to address the most malicious forms of spam.

Canada is the only G8 country that does not currently have specific anti-spam laws and the banking industry agrees that legislation is required to protect consumers and businesses from these dangerous and damaging forms of spam.

As a result, we welcome the government's decision to proceed with draft anti-spam legislation and we support the stated goal of Bill C-27 to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities. We note, however, that Bill C-27 is clearly more extensive and restrictive than similar legislation in other jurisdictions, including the United States.

We are concerned with the broad range of the bill and the potential negative impact that some of its provisions may have on legitimate business activities. In particular, we believe the opt-in framework proposed in the bill, combined with the need--with some limited exceptions--to obtain express consent from a person to send them a commercial electronic message, will have a negative impact on the ability of legitimate businesses to market their goods and services electronically. Most importantly, express consent cannot be obtained by sending an e-mail or other electronic communications to a person requesting consent. It can only be obtained in some other manner through some prior contact with the recipient. In other words, a business cannot send an unsolicited electronic message seeking consent to send more messages.

We recommend, therefore, that Bill C-27 be amended to allow the sending of an initial contact message without consent, while strengthening the content requirements of the initial contact message to ensure it is consistent with the principles of the do-not-call list legislation and the anti-spam legislation of other countries.

We acknowledge that consent can be implied when there is an existing business relationship--we welcome this exception--but believe some changes are needed to the definition of “existing business relationship”. We also recommend an amendment to extend the exception to affiliates of a company with which a person has a business relationship.

We note that express consent is required every time a “computer program” is installed, even when there is an existing business relationship. We would like some clarification that tools such as “cookies” are not included in the definition of “computer program” set out in the bill.

There is an extensive system of administrative monetary penalties set out in the bill as well. While we accept that there is a need for an enforcement regime, including penalties for persons who breach the provisions of the act, we believe that some aspects of the regime, and especially the penalties proposed in the bill, are excessive and would discourage businesses from engaging in legitimate marketing activities. This could have the effect of stifling the development of legitimate electronic marketing and could adversely affect the ability of businesses to reach their consumers.

The bill states that the purpose of these substantial AMPs is to encourage cooperation and compliance with the legislation and is not to punish. If that is the primary objective of the AMP provision in Bill C-27, we recommend that the CRTC be given the ability to suspend an AMP for a period of time, and if the persons subject to the AMP satisfy the CRTC that they have made changes to comply fully with the law, then the AMP could be withdrawn.

The bill also includes a private right of action that allows for statutory damages without proof of loss. We believe that the appropriate enforcement regime is government based. We do not support a private right of action, as we believe that these actions are generally motivated more by private monetary considerations than by general deterrence, and that a private right of action will have a chilling effect on businesses that wish to engage in legitimate marketing activities. While the bill provides for various factors to be considered in assessing damages under a private right of action, legitimate businesses are still put to the significant cost and task of defending themselves in this context. In particular, the private right of action that allows for statutory damages without proof of loss will encourage class actions that will lead to substantive legal costs and reputational risk for businesses.

Summing up, the CBA stands firmly behind this legislation that protects individuals, businesses and the Canadian economy from the serious threat of malicious forms of spams. We are very pleased to have had this opportunity to work closely with the government and with members of Parliament to ensure that Canada is no longer the only G8 without specific anti-spam laws on the books.

Thank you once again for providing the CBA with the opportunity to offer our views on Bill C-27. We would be pleased to answer any questions.

Hear, hear!

Thank you, sir.

I would have to answer simply no, I don't believe it does compromise the ability of Canadian businesses to compete and do well. Amazon.ca is generally happy with the provisions here. We've articulated a few areas where there are some pro-consumer practices that are already expected by consumers that might be foreclosed by some of the provisions, but with the minor modifications I've suggested, I think Amazon.ca will have no problem competing in this environment.

We fully recognize that there are needs for international cooperation, and I think that's been roundly applauded. The idea that we would somehow want to isolate ourselves and cut ourselves off from the rest of the world is a bit naive, because so much of it does come from overseas. So there is the need for international cooperation.

When I spoke before as part of the Canadian delegation at the OECD event in Seoul last year, I mentioned this need for international cooperation. We fully support that.

Thank you for the question.

I'll just say briefly that we at the CIPC do think that it would affect our ability to compete. It would be detrimental.

I'll turn it over to Jason, who will get a bit more into the specifics.

To give just a quick response, we concur entirely with that notion. It raises a very valid point. It also goes to what Mr. Copeland was saying about the percentage of spam that is actually coming in from abroad as a percentage of total spam.

Clearly, everyone acknowledges the significant problems caused by the volumes of spam we see generally. But to the extent that this bill is clearly going to be applying principally in Canada and affecting Canadian spammers, and in looking at that and to what extent it is actually going to stop or stem the flow of the volumes of spam that we're seeing, vis-à-vis the kinds of costs that it can impose on Canadian companies in terms of significantly limiting their capacity to engage in essentially online commerce, this is something the committee should consider very seriously when they're doing the bill.

As I said in my opening remarks, we believe that a private right of action in this context is inappropriate. We believe there is a risk of facing increased private actions that would put a lot of pressure and costs on our industry. There's always a risk of class action when there's a civil right of action. We believe it is better for the government to deal with any breaches of the act and we believe that would be an appropriate channel to deal with the breaches.