Industry Committee on Oct. 7th, 2009

That's right.

I think you are right as far as businesses go, although you must remember there are a lot of small businesses that haven't automated their e-mail lists and those kinds of thing. So it does give people time, and presumably it will even out the demand for tech services somewhat.

The other concern was that this covers, of course, other people who may be sending commercial electronic messages, people such as your university alumni association, or your humane society that you support and that's selling chocolates or T-shirts to help raise money for a new kennel or something else. These people would also be caught in regard to these activities, and they are less apt than commercial enterprises per se to have the technological sophistication. So this gives what we thought was a reasonable time for the more disorganized organizations to get their acts together.

If I could quantify that, the 36-month transitional period only applies to existing business relationships and existing non-business relationships. So there is a quantification there. The burden of proof is still that you must have had that existing business relationship—if it's your real estate agent three years ago, for example—and we're just giving them that 36-month transition period to catch up so they are not caught off-guard by the legislation.

We haven't done that anywhere in the legislation. The legislation applies to commercial activity. It doesn't matter whether you're a political party, a religious group, a charity, or Sears; it's the activity that people are engaging in that we're saying you have to get express consent for prior to this.

So we haven't done it anywhere else. There hasn't been much discussion to that effect—

Yes, it is possible, but where do you cut off the line? What's a small business? Is it 50 people or 500? What if it's a small manufacturing firm?

The 18-month thing was a clarification. It came through the witness hearings--i.e., what happens if I have a subscription to House & Home magazine for two years and the subscription is about to run out, but they've also run out of the 18 months? We're saying that they get the 18 months at the end of the subscription to contact me and see if I'd be interested in again subscribing for the next two years.

It was really with regard to memberships, subscriptions. If it's a point of purchase, where I purchase something and that's the end of the relationship, at the end of the purchase, then the 18 months starts there. So it was more of a clarification for those other things.

With regard to the third party referral, we wanted to be sure that we heard....

Oddly enough, Paul Vaillancourt, the financial adviser who appeared before you, is my financial adviser.

Oh, oh!

I didn't know he was appearing. It was just kind of odd to see him in the room.

Actually, Paul got me through a third party referral.

So you're in a conflict.

Yes.

We didn't want to allow third party referral to.... We understand, for financial advisers, real estate agents, and other professional or business service-type people, that referrals are key to their business, and that they have lost the ability to contact referrals through the do-not-call legislation. That said, we didn't want to let the referrals thing be anybody to anybody at any given time. So we said that in order for me to refer somebody to my financial adviser, I have to have a personal or family relationship with this person...to be defined in regulations, although “family” we're fairly solid on; we're going to follow what's in the Income Tax Act already.

So you have to have that kind of one-to-one relationship. And if you don't want to refer your cousin, don't refer your cousin.

We're going to use those definitions. Then the person who's sending the e-mail--i.e., my financial adviser--has to name, in that e-mail, the person who has made the referral.

If you fail to meet these criteria that we're naming here, you will be in violation of the act. We've tried to make allowances for business, the functionality of using this medium to contact prospective clients, but at the same time not poking a hole big enough that somebody could drive a truck through in the act and you might as well not have the legislation.

So we really did try to have a useful third party referral that didn't allow for absolutely everything to happen there.

That's a very good question.

The jurisdictional clause is designed to permit enforcement on behalf of Canadians. Now, as you're aware, telecommunications service providers are not liable for carrying traffic. So if there were traffic between Los Angeles and New York that is in the form of unsolicited e-mails, even if they violate U.S. law, the Canadian has not committed a contravention of the act in Canada. There is no violation.

What it does, though, is this. If the communications company is being swamped by e-mails coming into its network such that they can't properly manage traffic, it allows them to complain so that Canadian authorities can cooperate with authorities offshore to try to track down who's doing this and how can we shut it down and which country is in the best position to deal with it. But without a violation in Canada, we would not be able to get to first base of saying, listen, international partner, we've got a problem here and we need your help to fix it.

It does one other thing as well, which is that it gives the TSP that is concerned about the harm that's being done to its network potentially the right to bring a private right of action against the perpetrators. While our AMP regime and a finding by the CRTC may not be enforceable abroad, normally a Canadian judgment of a Canadian court would be, and that we think is a possible important remedy for the Canadian telecommunications service providers.

Their regular business, yes.

In appearances before the committee and in representations that have been made to Industry Canada over the summer, we have had a number of variants on the idea that instead of having a due diligence defence there should be a defence of honest mistake; in fact, inadvertence.

Our response to this is that in section 33 we have actually two categories of defence that are recognized with respect to AMPs, and they're equally applicable to the private right of action. These are, first of all, due diligence, which is the general standard that's applicable to any person where they may have been negligent or they may have caused harm without having intended it. The notion there is that as long as reasonable efforts have been made that avoid the actual harm that was caused--so you put in place, in our case, procedures to ensure that you don't e-mail people who haven't given permission--then you're okay, even if once in a while you make a mistake.

But the second part of it says that every rule and principle of the common law that would be a defence against a charge or offence is applicable in this situation. Through that mechanism we also bring in--and I can't think of many circumstances where it would apply--the concept of a mistake of fact, inadvertence, or any other standard of defence that's available at law.

So I think that rather than changing our standards...we've actually got a very flexible standard, the general rule being due diligence, which is usually enough for most corporate entities. But beyond that, they can rely on other defences that are available at common law. It's for the imagination of lawyers to imagine what other defences they might possibly want to bring, depending on the circumstances, if they need to.

Philip addressed the due diligence defence and the common law principles, but we're getting to the fact where, okay, you boo-boo once, you enter into a compliance agreement, and then you do it again, and those are in the factors to be considered under clause 20. When developing the penalties, you have to take this list of factors into consideration.

Beyond the due diligence defence, this is a compliance regime. So Mr. Misener appears, he's afraid Amazon might make a mistake one day: something happens with the technology, a new employee makes a mistake. What do we do? Well, they're likely going to hear from their clientele or the people who shouldn't have received that e-mail message: “Hey, you should have taken me off your list three months ago; I asked to be off the list.” So they're going to know they've done something wrong. The first thing they should do is approach one of the three enforcement agencies and say, “We think we've had an error here; we always intend to be compliant with this legislation, and we'd like to enter into an undertaking”, which is clause 21.

Short of that, short of their recognizing the mistake, then they'll be served the notice of violation, either by the CRTC, the Competition Bureau, or the Office of the Privacy Commissioner, and they have the opportunity then for the due diligence defence. And the same rules apply for the private right of action.

And failing being able to defend themselves, if it is an honest mistake, those factors for the scope, the nature of the violation, whether they profited from it—all of the negative implications of what they've done—have to be considered before we can process the monetary penalty. So if they didn't make any money from it and they didn't really mean to do it, they're likely not going to suffer a monetary penalty. And that's the key to those factors under clause 20.

And the last thing, barring all of that, should all of those safety valves for the honest mistake fail and they don't like the decision of the CRTC, they can appeal the CRTC's decision in the Federal Court and get another day in court.