Industry Committee on Sept. 30th, 2009

I'll respond, because the Entertainment Software Association of Canada is actually the trade group for the Video Game Association.

We appreciate your support, Mr. Masse.

To your point—and actually, this is the core of our concern on this—what the bill is currently proposing just goes far beyond that. It requires not only that you have to obtain some form of consent, which as you mentioned is not of itself unreasonable, but it actually forces you to describe the function purpose of impact of every single computer program that's being installed during that process and to clearly identify.... To the extent that you actually may find the process of doing the update inconvenient now, can you imagine if you had literally hundreds of pages of updating for every single individual update that's happening and what the impact of that is going to be on the system?

Also, there is the corresponding issue that some of those updates are to identify security flaws that have emerged. Essentially, it would be Sony identifying to the world, “Oh, incidentally, we've identified a security flaw that lets you update the PlayStation network for free, and you can download as many games as you want. We're going to fix that. Do you agree?”

Some consumers may be—

I agree.

My thinking there is that it's very practical in nature. If we have three agencies trying to enforce the same piece of legislation—albeit with different responsibilities within the legislation—we're bound to have overlap at times. I think one of the overlaps that could occur is that, if I recall correctly, the Privacy Commissioner will have the ability to decline an investigation, which means the complaint would have to be shuffled off somewhere else to be re-initiated if that were the case or if new information came to light that would change the investigation. This hopscotch through the enforcement process would seem to be a little over-the-top. It would be a burden for individuals to work through, not knowing where they should start with a complaint and how it should be followed through. If there was a central cache of expertise that could be drawn upon, it would—

I guess I am purely looking at it from the consumer's standpoint: Where do I start? To whom do I complain? Is it the CRTC? Is it the Privacy Commissioner? Is it the Competition Bureau? There is a forged header, they're trying to sell me bogus drugs, they have sent it en masse, there is no implied consent--where do I start?

To have to play that checkers game to get something started, I think, would be a deterrent to many people.

Certainly, I can see the CBA's concern on that. In other jurisdictions, particularly in the United States where we have seen the private right of action used, it tends to be used when a large telecommunications provider wants to make a splash. They want to make an example of an egregious spammer. They want to seize their mansions, their boats, their cars, and raffle them off to their users for headlines.

I would hope we aren't going to see frivolous suits brought. Certainly, a lack of damages might be a concern, where with a large telecommunications provider it would be easier to identify damages because they have to deal with this stuff coming through their system. You could say each spam message is worth x cents, so you could compile some costs. So I think the cost of damages is important.

Thank you, Madam.

We're quite comfortable with the underlying existing business relationship. Again, this is a case of where a consumer has come and bought a product at a website, like ours or of another commercial seller, so that kind of basis for implied consent we are very comfortable with. It is simply the duration of it. If you're going to have implied consent, it ought not to expire so quickly.

Mr. Chair, I'll simply add a brief comment and then Jason can take over.

It is definitely too narrow, as currently drafted, and needs to be addressed.

Essentially, one of the challenges we find with the existing implied consent regime is that it is defined by these narrow notions of the existing business relationship, existing non-business relationship. And as much as having a bright line test, where you clearly know if you're onside or offside, gives us certainty, it doesn't address the myriad of contexts in which consent can be reasonably inferred from the circumstances. Here's an example that was raised at the last meeting: someone's Facebook page. It's reasonable to infer that you would actually expect to receive messages that they're sending out--such as for campaign donations; you don't have express consent to do that, and implied consent, as drafted in the current bill, wouldn't cover that.

Right. I was one of the 10 members.

My recollection, and this is going back a number of years now, is that we didn't discuss a review down the road. However, technology changes. It's dynamic in nature, and certainly we can't expect that, for instance, today's definitions of an illegal cyber activity not be changed down the road. I think it would be worthwhile at some point in the future and not too far out--two to five years--to have two years for an interim review and maybe five years for a more sweeping review.