With respect to the private right of action, the number one concern that we heard from stakeholders across a wide variety of areas—academia, industry, and broader stakeholders—was that the private right of action upped their initial concerns around compliance. Because the PRA would introduce the possibility of significant monetary penalties and legal risk, absent clarity on exactly how to comply, and to ensure that they were able to pursue CASL in its fullest form, they would be subject to significant risk. Given that its suspension corresponded exactly with this review, it seemed timely to take on some of those concerns, and to have a full hearing about what the anxiety was, before proceeding on what we heard from many people was going to cause significant risk and anxiety within their daily operations.
CASL was always framed to have a coming into force of the regulations. The act was passed in 2010; the initial regulations came in during 2014, and the malware pieces for computers came in during 2015. PRA was to come in during 2017, and even with that long lead time there was considerable anxiety from a host of stakeholders that compliance was still unclear and that a lack of clarity on compliance meant a huge legal risk.