Industry Committee on Sept. 26th, 2017

Good morning.

Thank you, Mr. Chair, for inviting us to appear before your committee to share the Canadian Radio-television and Telecommunications Commission's, the CRTC's, experience with Canada's anti-spam legislation, CASL.

With me today are my colleagues Kelly-Anne Smith, senior legal counsel, and Neil Barratt, the director of electronic commerce enforcement.

This is our first opportunity to discuss the act with you since its introduction, so I think it would be helpful to provide a high-level overview of our responsibilities under CASL.

The legislation gives the CRTC the authority to regulate certain forms of electronic contact to provide Canadians with a secure online environment, while ensuring that businesses can compete in the global marketplace.

The fundamental underlying principle is that activities can only be carried out with consent. CASL is an opt-in regime. This means that consent must be obtained before sending commercial electronic messages, altering transmission data, or installing software. Commercial electronic messages, whether email, text message, or other format, must contain an unsubscribe mechanism that is clearly and prominently set out and readily performed. This allows recipients to withdraw their consent if they no longer wish to receive messages. Messages must also identify the sender or the person on whose behalf the message is being sent and contain contact details such as an email address, mailing address, and website.

Our objective is to promote and ensure compliance with the act. During the past three years, the CRTC has made it a priority to offer information sessions across the country and publish guidance materials for businesses, consumers, and the legal community. For example, my staff and I delivered six information sessions last May in Toronto to more than 1,200 businesses. These presentations help to raise awareness among businesses of their responsibilities when marketing products and services to Canadians and allow us to share lessons learned from investigations. As we do in every seminar, I made it clear that the CRTC is available to offer advice and support to help businesses comply with the act.

We also promote CASL to Canadians through our website, interactions with consumer groups, and on the phone and by email with our client service specialists. Consumer alerts are published on our website to warn Canadians of non-compliant online practices so they are aware and report any suspected violations. We want Canadians to report violations, and they are doing so, in great numbers.

The CRTC acts on the complaints it receives and has a number of tools to bring individuals and businesses into compliance, including the issuance of notices of violation, with accompanying administrative monetary penalties.

We look at a variety of factors to determine what the appropriate enforcement action should be. Our compliance approach includes interventions ranging from education to enforcement.

Our options include a warning letter regarding a minor violation requiring corrective action. We can also issue a notice of violation. This enforcement measure often includes an administrative monetary penalty.

We also enter into undertakings with parties who voluntarily agree to come into compliance. This often means that the party implements a corporate compliance program to prevent future violations. It can also entail paying a specified amount, although this payment is not considered an administrative monetary penalty. This has been a particularly useful tool, as we have reached undertakings with several parties that co-operated with our investigations.

Depending on the nature of the violation, the CRTC can impose up to $1 million per violation in the case of an individual, and up to $10 million per violation in the case of other persons, for example, corporations. We also have the authority to seek a judicially pre-authorized warrant to enter a residence or business to verify compliance with the act or determine if a violation of the act has occurred.

The CRTC has had success enforcing the legislation in the short time that it has been in force. For instance, along with national and international partners, in December 2015 the CRTC took down a command-and-control server disseminating spam and malicious malware, located in Toronto, as part of a coordinated international effort. This disrupted one of the most widely distributed malware families, which had affected more than one million personal computers in over 190 countries.

Of course, in today's interconnected world, spam and other electronic threats are not confined to Canada. One of the tools Parliament provided the CRTC is the ability to share information and seek enforcement assistance from our international counterparts. To date, the CRTC has entered into agreements with enforcement agencies in the United States, the United Kingdom, Australia and New Zealand.

Internationally, we also co-operate with partners through the Unsolicited Communications Enforcement Network, or UCENet. The purpose of this network is to promote international spam enforcement co-operation and address related problems such as online fraud and deception, phishing, and the dissemination of viruses.

Through UCENet, the CRTC has signed a memorandum of understanding with 12 enforcement agencies from eight different countries. We share our knowledge and expertise through training programs and staff exchanges and inform each other of developments in our respective countries' laws.

Domestically, CASL allows us to share information and co-operate on investigations with our partner enforcement agencies, the Competition Bureau and the Office of the Privacy Commissioner. In 2013, the CRTC signed a memorandum of understanding with our partners to facilitate co-operation, coordination, and information sharing. However, there are limited tools within CASL to allow the CRTC to share information with other domestic law enforcement and cybersecurity partners.

Working with our partners, we are better equipped to ensure that people who distribute commercial messages, domestic or foreign, comply with Canada's anti-spam legislation.

Mr. Chair, I'm not suggesting that the act is perfect. I suspect that you will hear a lot of suggestions about what needs fixing from the various witnesses who will address the committee in the months ahead. The CRTC would welcome the opportunity to appear before your members again before you wrap up your review and begin writing your report. We will closely follow the proceedings and can provide feedback on the ideas you may hear and respond to any questions you may have about what will or will not work.

As you and the members of the committee are aware, legislation must be enforceable in order to be effective. As you conduct your review, it is important to keep in mind that CASL has been in force for a relatively short period of time and covers a broad range of activities. The activities and ensuing investigations under the act are complex, and we have yet to fully apply the legislation.

We now welcome any questions you may have.

Thank you for the question. I think there are two elements to that.

One is that CASL has been successful at reducing the amount of spam that originates from within Canada, and that's been quite helpful, but to your point, spam is very much an international domain, in that there are a number of other spam-producing entities that exist outside of our borders.

That's why the coordinated international efforts of our enforcement agencies participate in a whole series of international fora, such as the Messaging, Malware and Mobile Anti-Abuse Working Group and the Unsolicited Communications Enforcement Network, which my colleague has mentioned. I think those sorts of efforts have been able to ensure that we work in tandem with other international enforcement agencies to get at the real root of spam, because it is a coordinated effort across borders.

I'll start with the 5,000 complaints a week to our spam reporting centre. I would suggest that compliance is still an issue.

Certainly compliance is key. I'm the chief compliance and enforcement officer. The compliance part of my title is critical to ensuring that businesses are aware of the rules, understand how they can comply with the rules, and understand what's necessary with respect to following the rules. Those education outreach sessions are extremely important.

The ones we did in the early days in 2014 when we were first getting off the ground and the ones we did a couple of months ago are very different. In the early days, we were talking about how you must have an “unsubscribe” and it must link to this, etc. Now, we're providing more guidance and interpretation on recent decisions and compliance programs.

Businesses, individuals, and the legal community are looking at our decisions, interpreting them, and saying, “Oh, I understand now what you mean when you say this”, or “I understand how you're applying this particular regulation.” We're trying to provide that clarity. It is an ongoing initiative. We will do it every year, I would suspect, because there are always people knocking at our door and saying that they need help to understand.

I'd like to think we have a great suite of tools. Certainly I know my colleagues at the Privacy Commissioner's office would say that having administrative monetary penalties is very useful. I know they're looking for it themselves. We have a broad range of tools to effectively ensure compliance now and, for enforcement purposes, in the future. The tools that the CRTC has been afforded are very useful. It's a broad range. It allows us lots of flexibility depending on the type of case, the magnitude of the case, or the nefarious activities involved.

With respect to the private right of action, the number one concern that we heard from stakeholders across a wide variety of areas—academia, industry, and broader stakeholders—was that the private right of action upped their initial concerns around compliance. Because the PRA would introduce the possibility of significant monetary penalties and legal risk, absent clarity on exactly how to comply, and to ensure that they were able to pursue CASL in its fullest form, they would be subject to significant risk. Given that its suspension corresponded exactly with this review, it seemed timely to take on some of those concerns, and to have a full hearing about what the anxiety was, before proceeding on what we heard from many people was going to cause significant risk and anxiety within their daily operations.

CASL was always framed to have a coming into force of the regulations. The act was passed in 2010; the initial regulations came in during 2014, and the malware pieces for computers came in during 2015. PRA was to come in during 2017, and even with that long lead time there was considerable anxiety from a host of stakeholders that compliance was still unclear and that a lack of clarity on compliance meant a huge legal risk.

Yes, I would say there are elements of CASL that stakeholders have told us need to be clarified to support increased compliance, and that has taken some effort.

I'll have my colleague, Neil Barratt, describe our investigative enforcement process.

One of the things we have at our disposal is the spam reporting centre. Through the “fightspam” portal that Mark mentioned, Canadians can submit complaints of spam that they've received. They can also fill out a detailed form and provide us with additional information relating to the message and other information they may have available.

For us that is a huge resource in terms of information. To date, since coming into force, we have more than 1.1 million complaints in the SRC. That's our primary source of intelligence. Our intelligence analysts look through that information. They try to identify trends. They look, obviously, at high-volume complaints to see if there are relationships. They're trying to identify links between different messages and different sending campaigns. Based on that, they'll develop some material for my enforcement officers to look at. We'll review that with them to decide what the viable cases are. That's the main source. We also have other information that we look at. We work with private sector partners who run giant spam honeypots that can see a broader scope of what the issue looks like.

At the end of the day, however, it's a conversation of our enforcement officers with our intelligence analysts to look at cases that are likely to succeed, that will promote compliance, and cases that can provide guidance to businesses.

It's important to note that the emails in the spam reporting centre are not validated. They may be a potential violation, but they may also be incorrectly identified as a violation. The first thing we do is try to validate the complaint, if that's the main basis for the investigation. Depending on the level of information we receive from the Canadian who submitted the email, we may return to them, collect further details, and take a witness statement, things of that nature.

More broadly, we also look at collecting information from the companies in question, from email service providers, from hosting companies, from domain registrars, and from a whole suite of the people who are involved in that email from the time it's sent to the time it's received. Obviously, depending on the type of case, we also want to discuss with that business and request information from them on how they maintain their email lists, how they ensure compliance, and how they ensure they're working from a consent-based list, actioning unsubscribes, and ensuring that all the different pieces of the legislation are respected.

The investigations vary widely in scope, in scale, and in complexity. Certainly it depends on the size and the sophistication of the business involved, and on the number of emails sent. All of those factors will play into the appropriate enforcement response. As Steven mentioned, one of the tools we have available is a warning letter to make clear where there are alleged violations and to provide a bit of guidance to companies to help them improve their practices.

In terms of the complaints we've received in the spam reporting centre, I can't say there's a clear trend out of those numbers. It really does touch a lot of different industries and businesses of all different sizes.

I'm not sure that's always obtainable based on the information that's filed with the complaint.

We've relied on a number of third party reports to be able to get an assessment of the degree to which spam makes up the email flows of Canadians. We get it in two ways. One is the degree to which we can rely on the senders to understand their practices, for instance, working with folks on the “Canadian Digital Marketing Report” or others that tell us about senders as well as some information related to recipients.

One year after CASL's implementation, for instance, there was 29% less email in Canadians' inboxes, and a 37% reduction in spam originating from Canada. That came from an organization called Cloudmark, in a 2015 study.

We have data from CIRA and Ipsos that indicates that 84% of Canadians who knew about CASL took advantage of the coming into force to triage the emails coming into their inboxes. The spam reporting centre has received just over 1.1 million submissions. We're trying to triangulate multiple sources of data to be able to get at the issue.

On the sender side, Litmus and others have told us, for instance, that 49% said that CASL had no impact on their email marketing program; they were continuing to market through email because they felt they could be compliant. Twenty-three per cent said that CASL had minimal impact, so clearly there were some shifts. Twenty-seven per cent said that it had a significant or dramatic impact, which means that, potentially, they were significantly addressing their current practices.

The data is third party, and by and large, as we say, we try to get it from a number of sources, to really get at the root of the issue.

Canada is no longer in the top 10, and according to some sources, since CASL came into effect, it is no longer a top 20 spam-producing country.

Again, we have to triangulate lots of information to get at that, but by rankings, we're not in the top 10 and maybe not even in the top 20.

Causality is always challenging in these situations, but I think the fact that we have a robust anti-spam legislation that has significant compliance requirements for all senders is a useful mechanism to be able to highlight that spam is important and that we want to cut it down. It's not directly attributable, but one can see that pre-CASL and post-CASL there has been significant progress.

On international enforcement, we have had some success in the international space. I'll turn to my colleagues in a second and they can tell you their own success stories. The enforcement agencies that are empowered by CASL have the capacity to work in the international zone with their peers. That has included the taking down of a botnet server, which I'm sure the CRTC may want to suggest as their own victory, so I'll turn it over to my colleagues.

As I mentioned in my opening remarks, we were afforded by Parliament great information-sharing privileges with our international jurisdictions, which is fantastic. We've executed MOUs with various different countries. We are a member of UCENet, which we talked about. It is an international unsolicited communications network of enforcement agencies. That allows us to call on those specific agencies and countries whose spam legislation falls within...to execute warrants and get information for us. We do the same for them. It is a back and forth, so we're able to help them, and they are able to help us. I think that's probably been the most successful piece from an international perspective.

I think the committee is right in pointing out that it's domestic legislation for a global problem.

One of the things I mentioned in my opening remarks, since you're asking, is that I am required to collaborate and co-operate with my partners at the Privacy Commissioner and the Competition Bureau, but my domestic sharing is actually rather limited. It's difficult for me, within Canada, to actually share with my colleagues at the RCMP, Public Safety, or wherever to move forward on cases. I made a point of that in my opening remarks, so I'll make it again. That's probably where we find the biggest challenge. Internationally, I can share more easily than I can across the street with my RCMP colleagues.

Absolutely, from an enforcement perspective.

From an enforcement perspective, the act is written as technology neutral, which is helpful. We are certainly seeing different types of spam. You're right. I think it's moving faster than we can keep up.

I have a team of technical experts and forensic analysts who are constantly challenged by the next thing. As soon as we think we understand one form of spam or one form of malware, we are challenged by yet another new form.

We can ponder this when we return perhaps, but at this time, I would suggest that the way the act is written—it's technology neutral—we have the flexibility to move. I would argue that trying to keep pace is our challenge. It's not the act.

We've conducted several investigations, more than 30.

Investigations aren't always closed the moment a warning letter or a notice of violation is issued. A big part of our job is ensuring that companies remain in compliance after they've been the subject of an investigation. For instance, we have several investigations where, after we issue a warning letter, we'll do some follow-up to ensure compliance is achieved and monitor their activities, check in on their compliance programs.

I believe that, to date, we've issued about a half a dozen notices of violation. We've issued more than 10 warning letters and several other kinds of enforcement actions. Undertakings, especially, are quite helpful. We have the ability to engage in a negotiated discussion with the subject of an investigation when it wishes to voluntarily come into compliance. That's a particularly effective tool for us. We can negotiate the terms with the party involved and ensure part of that includes a robust compliance program going forward.

When we learn of information, when we receive information in the spam recording centre that relates to a criminal violation, we share it with the RCMP. Our colleagues at the bureau have the ability to pursue violations, either civilly or criminally. They would be the best people to talk to about that.

I'll start, and then I'll turn it over to my colleagues from the CRTC.

To the point that was made earlier, in general, because the law was framed as technology neutral, by and large it has been able to keep up. I think our own sophisticated understanding of the tools and techniques that are being used by entities requires quite a bit of constant study and work on our part, but the law itself has generally been able to continue to allow for enforcement to be carried out.

I would say, with respect to the notion of consent, that even the Privacy Commissioner in his own report just last week indicated that obtaining meaningful consent has become increasingly challenging in the digital age, where data is ubiquitous, commodified, and maybe processed by multiple players, totally unbeknownst to the individual to whom the data belongs. I think that is something that we continue to examine and analyze and understand. It's something that is changing, as we say. Your point about 2004.... It allowed people to share both very personal information about themselves as well as pictures of their dinners, but also created quite an interesting conceptual issue around consent.

I think from a legal perspective, by and large, we've been relatively successful in keeping up with the technological advancements.

With regard to enforcement, I'll turn to my colleagues.

I'll build on what Mark has been saying.

From an enforcement perspective, the opt-in regime is actually very helpful, because we are able to understand very clearly if someone has given their permission to receive information or emails, etc. That's a very helpful piece.

On the international front, I stand by the fact that we are very active in the international sphere. For example, I've mentioned UCENet, which is an international network of enforcement agencies. Just last year, we held a workshop with the International Institute of Communications on nuisance communications. The importance of that venue was that they are the policy folks, and there are people and countries involved in the IIC who had never met the enforcement side of the piece. We brought those two sides of the puzzle together at a workshop to look at the varying ranges of legislation available to these countries, so that the developed and the developing countries could exchange with each other their lessons learned. We can learn from the enforcement side of the house about what works and what doesn't. If you're about to institute legislation, how can that help?

We at the CRTC took it upon ourselves to sponsor this workshop and bring those two worlds together, and we'll be doing a follow-up actually, later in October, to discuss the next steps, how we can get everybody on the same page moving forward, and who can pick up the ball on particular pieces to ensure that we keep furthering the elimination of nuisance communications to everyone around the world.

It's ironic that you say you get calls from everywhere else. I know we've cited good stats. We still get calls from international partners asking us to help them against the servers in Canada. It's interesting. They see it from the other side of the fence. Across the pond, they say it's over there in Canada. They're the ones doing the spamming. They may not be spamming Canadians, but they're spamming someone else around the world.

I would say no. I definitely think UCENet as an enforcement network is very helpful, and Mark had mentioned the M3AAWG and malware analysis group, which also includes countries from around the world.

There is certainly no one central point and that is why we, as the CRTC, branched out to get the policy folks in. Now we've included the IIC. There are certainly other fora, for sure, in which we could participate. The challenge, of course, internationally is that the legislation differs in different countries. The commitment by certain countries is different from what we would suggest. We have a strong commitment here in Canada. There may not be the same level of value in other countries. So one-stop shopping is probably not the way to go. I think it would be challenging, and we might never get anything done because no one would agree.

Absolutely, and I apologize if there was any confusion.

Our memorandums of understanding with Australia, the U.S., and New Zealand are with the government departments responsible for spam legislation. The 12 enforcement agencies in the nine different countries are the enforcement side of the house, so more the RCMP or public safety kind of officials in the UCENet space. They are two different organizations, two different sides of the house, if you will, referring back to my policy side versus enforcement side.

Absolutely. I would suggest the MOUs are drafted in such a way that we can share. From a very simplistic perspective, we help them and they help us. We get calls, I won't say every week, but definitely every month. We are probably more in contact with our colleagues in the FCC and the FTC than other countries. We receive requests all the time for assistance.

Just to clarify, we do have the ability to impose administrative monetary penalties, and we have on several occasions.

Overall, we have a broad suite of tools. In each case it's dependent on the facts of that investigation and our assessment of what the best outcome is to produce compliance. In some cases that is a negotiated agreement with the party, where it voluntarily agrees to come into compliance, and sometimes it pays a prescribed amount as part of that agreement. In other cases, parties might not be willing to negotiate with us, and in such a case we might pursue a notice of violation, including an administrative monetary penalty.

Yes.

That's correct.

I'll ask my colleague to chime in on that one.

Yes. For example, the U.S. has a private right of action, but it's only available to Internet service providers, not individuals. There are other jurisdictions. Australia and New Zealand have similar private rights of action, but for example, Australia talks about application for compensation and civil liability events. So there are similar provisions in allied countries, basically. The U.K. has similar provisions as well.

To what extent they mirror exactly the provisions of the Canadian legislation, I would have to....

Absolutely. I was going to say I could pull out a list, but even just last year we travelled from P.E.I. to Victoria. We do this across the country.

With respect to the first question, as I said in my opening remarks, the origination for CASL in and of itself was Canada's appearance on the top five countries for origination of spam. As I said, we are now out of the top 10, so in terms of whether it was the result we were aiming for, I'd say that in general, it's a positive outcome as a whole. I think it's a double-edged sword or it's a two-headed challenge in some ways.

With respect to what we would like to see, I think the degree to which organizations in Canada have the capacity to understand and thereby comply with CASL should be at its maximum, to be able to ensure that no one is receiving a message that they haven't consented to, and that the expression of that consent was understood by both parties. To that degree—

I think it's clarification around compliance. You'll hear from a number of witnesses over the course of this study about what that could or should look like. I think you'll hear from some who say, “It's pretty clear,” and you'll hear from others who say, “No, we really need to have a much more refined understanding and prescriptive understanding of what consent would look like.” I think that's a key element of the degree to which this is a successful piece of legislation. Insofar as people understand their obligations, they can then live up to them and consumers can then hold them to account.

I think it's twofold, On the one hand, on the malware, ransomware, other sorts of factors, that's by its very nature malicious. It's intended to do bad things to your computer system and to do bad things to users. That's an international problem. I think we really are working in collaboration with other enforcement agencies to take down botnets and take down malware and ensure that we can take appropriate action.

The domestic side, though, is a lot about understanding what the law requires, and I think consumers in Canada get frustrated by both. One, they're a great risk, and the other, they're quite frustrated.

I'll touch on a couple of things that were in your previous question as well.

The most shocking thing I'll say at this committee is that CASL was never going to eliminate all spam. We might as well all understand that now.

Going back to your domestic and international perspective, most companies and individuals in Canada want to live up to their expectations with the government and the regulator. What CASL does is it puts everyone on the same level playing field. Everyone who wants to abide by the rules will follow the rules and they will not be spamming anyone anymore.

Going back to the sophistication side of the house, what happens there is that everyone who wants to abide by the rules abides by the rules; the more nefarious activities rise to the top. Cream rises to the top, and when everyone is following the rules, these guys rise to the top.

Going back to nefarious activities, our complaints are changing. We talk about 1.1 million complaints—

Exactly, so the 1.1 million complaints are no longer.... Of course in 2014, day two, it was about a well-known Canadian national company that didn't have the right to email me. That is not happening today, which I think is the most important part to my colleague's statistics about the reduction of spam. The companies in Canada are complying, which I'd like to think is partly due to our education on compliance.

I don't have any numbers but I was just talking to my folks yesterday on what we are seeing. The sophistication is changing. It's no longer just about an “unsubscribe”, or it's no longer about their not having an existing business relationship with me. This is a very different activity. They want me to open up this particular attachment. They want me to do these particular things.

I don't have stats just because it's not really how we organize the spam reporting centre. It's a work in progress as well.

I'll go back to it being only three years since we've been in force. There are certain pieces of the legislation we haven't even applied yet because we haven't got to that more nefarious activity, because we've been busy getting everyone....

Yes, exactly. It was not so much the low-hanging fruit; it was ensuring that everyone is complying.

We have done some studies but we do not have exact figures. The amount depends on the organization and the computerized systems they had to implement to make compliance automatic.

We have received feedback from certain organizations which indicated that the initial costs of compliance with the law were quite high. We do not have any specific figures, however, since the cost varies from organization to organization and depending on how they communicate with their clients.

We have noticed that this created a need in industry. For example, certain companies offer automated compliance services. In this regard, there has been some innovation in order to facilitate compliance.

We do not have exact figures at this time but we could follow up on this.

I think that can be explained by two factors. First of all, spam has been reduced by the new technologies that consumers can use. Moreover, there has been a reduction in the number of emails from companies that have not obtained consumers' consent. I think both of these factors are at play.

Agreed.

I'll start and then go to my colleague.

We talk about compliance and reach out to the business community and individuals to comply. Another side of what we do is ensuring that Canadians are aware of things that are happening.

We're very fortunate at the CRTC. As an independent agency, we're very active on Facebook and Twitter. We do lots of consumer alerts, if you will, along with my colleagues at the office of consumer affairs, to let Canadians know that this activity has happened, that this scam is out there.

We've all heard about the vacation scams and about the Microsoft scams for tech support, etc. We are very active in that space to let Canadians know: first, that this is what's happening; second, that this is what we've been investigating; and third, that if you have given us a complaint about a certain company, this is what has happened.

We try, then, to be active in the space to let Canadians know that they should be aware. Obviously, we can't solve all the problems of the world, but at least we can make awareness important. That's why in our social media space it's very important. As you say, it's no longer the tweens; it's everyone from 12 to 92.

I'll just quickly add—I'll give a shout-out for my colleagues at the office of consumer affairs—that the fightspam.gc.ca website has been a successful centralized point to receive consumer complaints as well as to provide information. They've received more than 1.1 million submissions.

Interestingly, the “unsubscribe” mechanism that's required in emails provides consumers with tools to control their commercial electronic messages, and 84% of Canadians, when surveyed by CIRA and Ipsos, said that they had used the opportunity of CASL to triage the emails coming into their inbox. For some that meant a hit of the unsubscribe button; for others it was, “No, I want to receive this and I'll continue to receive this communication.”

I might start by saying that there was a task force working group originally on the Task Force on Spam in 2005 that tried to have a wide reach to get at this issue. It included.... I'll just note that the co-chairs were Roger Tassé and Michael Geist, but the member organizations were a broad range that included the Coalition Against Unsolicited Commercial Email, Amazon, Bell Canada, the office of consumer affairs, the Privacy Commissioner, and PayPal. All of these I think indicate that there is wide interest in the legal, academic, consumer, and commercial zones that rely upon this legislation, all of which have views, certainly.

You are correct. The statute allows for the provision of that. It's never been exercised. The national do-not-call list is also something that falls under my purview at the CRTC. It is very active. Canadians still register their telephone numbers and it's definitely more mature. It's been in effect since 2008, so we're almost at our 10-year anniversary, but we are very active on pursuing those who violate the do-not-call list rules. It's working in its own regime, for sure.

There is a provision and I'm certain my legal counsel can talk about that. It's never been exercised. The regimes are very different, so I think that would be an interesting discussion.

Go ahead.

Okay.

The framework already exists within CASL to take out of the Telecommunications Act and all its regulations and decisions, the existing do-not-call and unsolicited telecommunications framework and to roll it into CASL. That could be done very easily by a GIC provision. There are really no changes that are required.

As my colleague suggested, the regimes are very different, since one is an opt in and one is an opt out. Before you did that, I would think that you would want to do a lot of consultation with the telemarketing community to see if they would be agreeable to that sort of provision.

I think that there would be a lot more additional authorities that would be available to the commission in order to deal with telemarketing regulations that do not exist in the Telecommunications Act. On that side, there would be pros and cons, but certainly, it should be done.

Super quickly and I know we're out of time. I just want to say that the original intent was an anticipation that voice-over Internet protocol calling would essentially replace telephone calls and that those would be considered electronic messages and therefore, come under CASL. That was the original intent for why the do-not-call suspension provisions are there.

Yes, you're quite right.

The phasing was essentially as I indicated: the original regulations, then the malware regulations, then the PRA. I think the concern on the PRA is particularly related to the possibility of class action suits and legal liability that may arise from compliance. While a number of organizations and entities have attempted to be as compliant as possible, I think they fear that moving from a system, where potentially they're under a CRTC-type enforcement where there's an opportunity for a helpful exchange and maybe a warning letter, that it could move very quickly to a legal dispute, where potentially there may be a significant legal risk.

I think the zones where we hear the most concern is around this notion of consent. It gets at what the Privacy Commissioner indicated, which is that, in an electronic age, where potentially you're collecting a lot of different information for different purposes, what constitutes consent can be a challenge. Also, ensuring that when the consumer or the user has consented to the receipt of the electronic message, how explicit does that have to be to be able to send the messages? I think the concern about the PRA was that this would then become a litigious action that potentially raised a compliance risk and potential legal uncertainty.

I want to add that what we've also heard is that the act provides for statutory damages. In terms of the actions that would be brought forward by individuals, there's compensation for actual harm done, but there's also prescribed statutory damages that can be awarded. That is based on.... Non-compliance, in and of itself, would be a factor in granting individuals compensation for that. What we heard from stakeholders is that was a particular concern in the context of the private right of action, specifically, where you didn't necessarily have to demonstrate harm, that statutory damages could be awarded simply for having received a commercial electronic message that you didn't consent to. For this you could be awarded compensation. That's what elevated that risk.

I'll just say as a public servant, we don't have views on these sorts of issues. I think what we've heard from some stakeholders, and what ultimately led to the suspension of the PRA, is that we want the obligations in the act to be as clear as possible. Over the course of the testimony and this study, you'll likely hear about zones where people will want a greater degree of specificity.

I think we all want to make sure that the act is understood, yes.

I think it's enhanced information sharing domestically.

Oh, oh!

Just generally, I think the top two are consent, one, and identification of the sender.

You are exempt under the legislation. There may be complaints in our spam reporting centre about that, but that goes back to validating the complaint, whether or not it's valid. We also get complaints about a not-for-profit charitable organization as well, which may also be exempt for certain reasons.

From an enforcement perspective, I will enforce accordingly, and I'll leave it to my colleagues at the department.

Oh, oh!

From a policy perspective, as a public servant, I have no view.

Oh, oh!

I'd have to go back to the original RIAS, but I think in the explanation for why the exemption was initially provided, the communications between politicians and their constituents were seen as vital and, therefore, not one to which one could consent because it was necessary for democracy. I think that was the original intent.

I would suggest, Mr. Bernier, that there is no reason why you and your colleagues cannot follow the rules of CASL, even though you don't fall under those rules.

Oh, oh!

It's definitely something we see. Network security is always evolving, and there are lots of institutions out there that aren't always on the cutting edge, or that through no fault of their own have some vulnerability in their system. We've definitely seen universities and other public institutions where somebody takes control of their email server and just shoots emails out, rapid fire, to everyone.

That's something we look at when we're investigating, to make sure of where the emails actually came from, that the institution was in fact the sender. Part of our job is to work with our partners and make sure institutions are aware when that happens, so that we can give them a bit of guidance or at least point them in the right direction in terms of how to secure their facilities and their infrastructure.

A lot of times in cases like that, the person who actually committed the violation is not going to be readily found or be within the area.

Again I would say we're agnostic on that view. The original reason the do-not-call list had the capacity to be brought under CASL was that our view was that voice over Internet protocol, which would constitute an electronic message, would necessarily bring messages sent through VoIP under CASL. As we've seen, that hasn't necessarily come to be the case, so phone calls that are not electronic messages are still being received. Insofar as those continue, the do-not-call list provisions still apply.

From an enforcement perspective, we are enforcing the do-not-call list . It's a very mature program. It works very well. As my legal counsel pointed out, I have a broader suite of enforcement tools available to me under CASL, so that would be one of the advantages for sure. I really don't have a view as to whether it should or shouldn't. The two programs are very different and would require some study, I would suspect.

Thank you.

I just want to add one thing, which is that the Telecommunications Act provisions permit the chief compliance and enforcement officer to have more flexibility, thanks to the tools he has at his disposal. He can have a staff member issue a request for information letter, and the party has to respond. They have no opportunity to appeal or any recourse.

CASL, and this is a good thing in some cases, has many different appeal mechanisms built into it, so that causes a lot of delay to investigations. We issue a preservation demand or a notice to produce, and the party has an opportunity to appeal to the commission, and then even to the Federal Court of Appeal. So although he has more powers at his disposal in CASL, the Telecommunications Act is more nimble and the investigations are less complex. For the most part, although they are becoming more complex with spoofing, the Telecommunications Act provisions work really well.

That's my comment. Thank you.

Most definitely we have the same challenges. I like to think we do a good job at the commission and informing Canadians about those types of scams, phone calls, emails, etc. There is no easy answer. The easy answer is if you get a call or an email from your bank or CRA, or anyone you have a relationship with, if you feel remotely uncomfortable, ask to call them back. If you call back the legitimate phone number that you've found on a website or on the back of your bank card, etc., they will let you know if they were really trying to contact you or not.

We certainly work with a lot of legitimate companies that have been victims of these things, such as CRA. We work with our federal partners to make sure the message is out there that the CRA will never contact you that way, for example. The banks do a very good job. They even post on their websites that these are the current scams and they'll never contact you this way. Unfortunately, Canadians should just be on their guard a bit when they're giving personal information over the phone or via email.

I'll deem that as your consent.