Industry Committee on Sept. 26th, 2017

First of all, I would like to thank you, Mr. Chair, and members of the committee for the invitation to appear before you this morning.

My name is Mark Schaan and I serve as director general of the marketplace framework policy branch in the strategic innovation and policy sector of Innovation, Science and Economic Development Canada.

While our sector broadly includes such policy areas as innovation, telecommunications, and trade, my branch specifically analyzes and proposes improvements for the role of marketplace frameworks in meeting the department's objectives. This includes analysis of corporate governance, bankruptcy and insolvency, competition, and intellectual property to support an efficient marketplace and innovation economy.

More recently, my branch was assigned responsibility for Canada's anti-spam legislation, CASL, and the Personal Information Protection and Electronic Documents Act, PIPEDA, which are key pieces of legislation that are part of a broader legal underpinning that provides a regulatory foundation for commerce, including electronic commerce. Both seek to promote commerce and innovation through facilitating trust and confidence in the digital marketplace.

I am here with Charles Taillefer, director of the privacy and data protection directorate within my branch. His team is responsible for providing policy advice, guidance, and support with respect to CASL.

CASL has its origins with the anti-spam action plan for Canada, which was launched in 2004 and established a private sector task force chaired by ISED. The task force was responsible for looking into the issue of unsolicited commercial email, or spam. By the end of 2004, spam accounted for 80% of all global email traffic. In that same year, the task force on spam held national consultations with stakeholders, and it issued a report in May 2005. In order to combat spam, the report recommended that specific legislation be created.

Canada's new anti-spam law was passed in December 2010. The law, as the chair has pointed out, does not have a short title. Its actual title is “An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying Out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act”.

Given the substantive changes represented within this new framework legislation, a transition period was built into the implementation of the act and, following a Governor in Council order, it entered into force on July 1, 2014.

CASL helps protect Canadians by encouraging the use of safe and secure electronic commerce to carry out commercial activities in the online marketplace.

CASL generally protects Canadians from spam and other electronic threats, while ensuring that businesses can continue to compete in the global marketplace.

The law prohibits: sending of commercial electronic messages without the recipient's consent; altering transmission data in an electronic message without express consent; installation of computer programs without the express consent of the owner of the computer system; using false or misleading representations online in the promotion of products or services; collecting personal information through the illegal access of a computer system; and collecting and using electronic addresses through computer programs, which is also known as electronic harvesting.

Responsibilities for meeting the objectives are shared by a number of federal organizations. ISED operates the national coordinating body for CASL, which is responsible for the policy oversight and coordination of the anti-spam initiative. This also includes monitoring the implementation of the legislation and assessing whether it's meeting its stated objectives.

In addition to the national coordinating body, there are three independent federal agencies responsible for enforcing the act. The Canadian Radio-television and Telecommunications Commission, the CRTC, of which we have representatives with us today, can issue administrative monetary penalties for violations of the anti-spam law. The Competition Bureau can seek administrative monetary penalties or criminal sanctions under the Competition Act. The Office of the Privacy Commissioner also has powers under the Personal Information Protection and Electronic Documents Act related to ensuring the privacy of personal information and handling breaches.

The office of consumer affairs, which is also part of ISED, has an important role to play in terms of information and outreach, as they manage the fightspam.gc.ca website in liaison with the three mentioned agencies and the national coordinating body.

Despite new e-communication filters and blockers, spam and malware remain a significant issue for electronic commerce, and a serious security threat. Spam, while being reduced from the level of 2004, still accounts for over 50% of global email traffic in 2017. Moreover, spam is used as a means to introduce malicious programs, such as ransomware, into computer systems of both consumers and businesses. For example, after the WannaCry ransomware attack, malicious spam rose by 17%.

The scope of the issue is global and requires coordinated international efforts, and our enforcement agencies participate in international forums to impose administrative monetary penalties and conclude investigations on an international scale.

CASL is a key element of the Canadian legal framework to support development of the digital economy. Its stated purpose is to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means.

There is evidence that CASL is working. Since the law has been in force, the amount of spam sent from within Canada has been reduced by more than a third. CASL provides for a suite of enforcement tools, including a private right of action, to support anti-spam efforts. The private right of action was scheduled to come into force in July 2017, the same time as the scheduled statutory review under the act. Some Canadian representatives from industry, academia, and civil society had raised concerns over the scope of the private right of action under CASL. As noted in recent ISED consultations with stakeholders, there is a significant sentiment that some aspects of the law could be further clarified.

As all of you know, the coming into force date of the provisions was suspended on June 2, 2017, pending a legislative review by this committee. Legislation such as CASL is foundational to building trust in the digital economy and it is sound practice to review such rules on a regular basis to ensure that they respond effectively and adapt to new developments in this fast-evolving digital marketplace.

In today's markets, business success depends heavily on the flow and utilization of information, making information itself one of the primary raw materials of the modern economy. Consumers and businesses need to trust that this information is managed responsibly for the digital economy to flourish. That is why a balanced and efficient regulatory framework is key, and CASL is a central part of Canada's response to this challenge.

I would be happy to respond to any questions that you may have with respect to ISED's role in administering CASL. My colleagues from the CRTC are also here today and are best placed to respond to questions related to enforcement activities, including interpretation of CASL.

Thank you.

Good morning.

Thank you, Mr. Chair, for inviting us to appear before your committee to share the Canadian Radio-television and Telecommunications Commission's, the CRTC's, experience with Canada's anti-spam legislation, CASL.

With me today are my colleagues Kelly-Anne Smith, senior legal counsel, and Neil Barratt, the director of electronic commerce enforcement.

This is our first opportunity to discuss the act with you since its introduction, so I think it would be helpful to provide a high-level overview of our responsibilities under CASL.

The legislation gives the CRTC the authority to regulate certain forms of electronic contact to provide Canadians with a secure online environment, while ensuring that businesses can compete in the global marketplace.

The fundamental underlying principle is that activities can only be carried out with consent. CASL is an opt-in regime. This means that consent must be obtained before sending commercial electronic messages, altering transmission data, or installing software. Commercial electronic messages, whether email, text message, or other format, must contain an unsubscribe mechanism that is clearly and prominently set out and readily performed. This allows recipients to withdraw their consent if they no longer wish to receive messages. Messages must also identify the sender or the person on whose behalf the message is being sent and contain contact details such as an email address, mailing address, and website.

Our objective is to promote and ensure compliance with the act. During the past three years, the CRTC has made it a priority to offer information sessions across the country and publish guidance materials for businesses, consumers, and the legal community. For example, my staff and I delivered six information sessions last May in Toronto to more than 1,200 businesses. These presentations help to raise awareness among businesses of their responsibilities when marketing products and services to Canadians and allow us to share lessons learned from investigations. As we do in every seminar, I made it clear that the CRTC is available to offer advice and support to help businesses comply with the act.

We also promote CASL to Canadians through our website, interactions with consumer groups, and on the phone and by email with our client service specialists. Consumer alerts are published on our website to warn Canadians of non-compliant online practices so they are aware and report any suspected violations. We want Canadians to report violations, and they are doing so, in great numbers.

The CRTC acts on the complaints it receives and has a number of tools to bring individuals and businesses into compliance, including the issuance of notices of violation, with accompanying administrative monetary penalties.

We look at a variety of factors to determine what the appropriate enforcement action should be. Our compliance approach includes interventions ranging from education to enforcement.

Our options include a warning letter regarding a minor violation requiring corrective action. We can also issue a notice of violation. This enforcement measure often includes an administrative monetary penalty.

We also enter into undertakings with parties who voluntarily agree to come into compliance. This often means that the party implements a corporate compliance program to prevent future violations. It can also entail paying a specified amount, although this payment is not considered an administrative monetary penalty. This has been a particularly useful tool, as we have reached undertakings with several parties that co-operated with our investigations.

Depending on the nature of the violation, the CRTC can impose up to $1 million per violation in the case of an individual, and up to $10 million per violation in the case of other persons, for example, corporations. We also have the authority to seek a judicially pre-authorized warrant to enter a residence or business to verify compliance with the act or determine if a violation of the act has occurred.

The CRTC has had success enforcing the legislation in the short time that it has been in force. For instance, along with national and international partners, in December 2015 the CRTC took down a command-and-control server disseminating spam and malicious malware, located in Toronto, as part of a coordinated international effort. This disrupted one of the most widely distributed malware families, which had affected more than one million personal computers in over 190 countries.

Of course, in today's interconnected world, spam and other electronic threats are not confined to Canada. One of the tools Parliament provided the CRTC is the ability to share information and seek enforcement assistance from our international counterparts. To date, the CRTC has entered into agreements with enforcement agencies in the United States, the United Kingdom, Australia and New Zealand.

Internationally, we also co-operate with partners through the Unsolicited Communications Enforcement Network, or UCENet. The purpose of this network is to promote international spam enforcement co-operation and address related problems such as online fraud and deception, phishing, and the dissemination of viruses.

Through UCENet, the CRTC has signed a memorandum of understanding with 12 enforcement agencies from eight different countries. We share our knowledge and expertise through training programs and staff exchanges and inform each other of developments in our respective countries' laws.

Domestically, CASL allows us to share information and co-operate on investigations with our partner enforcement agencies, the Competition Bureau and the Office of the Privacy Commissioner. In 2013, the CRTC signed a memorandum of understanding with our partners to facilitate co-operation, coordination, and information sharing. However, there are limited tools within CASL to allow the CRTC to share information with other domestic law enforcement and cybersecurity partners.

Working with our partners, we are better equipped to ensure that people who distribute commercial messages, domestic or foreign, comply with Canada's anti-spam legislation.

Mr. Chair, I'm not suggesting that the act is perfect. I suspect that you will hear a lot of suggestions about what needs fixing from the various witnesses who will address the committee in the months ahead. The CRTC would welcome the opportunity to appear before your members again before you wrap up your review and begin writing your report. We will closely follow the proceedings and can provide feedback on the ideas you may hear and respond to any questions you may have about what will or will not work.

As you and the members of the committee are aware, legislation must be enforceable in order to be effective. As you conduct your review, it is important to keep in mind that CASL has been in force for a relatively short period of time and covers a broad range of activities. The activities and ensuing investigations under the act are complex, and we have yet to fully apply the legislation.

We now welcome any questions you may have.

Thank you for the question. I think there are two elements to that.

One is that CASL has been successful at reducing the amount of spam that originates from within Canada, and that's been quite helpful, but to your point, spam is very much an international domain, in that there are a number of other spam-producing entities that exist outside of our borders.

That's why the coordinated international efforts of our enforcement agencies participate in a whole series of international fora, such as the Messaging, Malware and Mobile Anti-Abuse Working Group and the Unsolicited Communications Enforcement Network, which my colleague has mentioned. I think those sorts of efforts have been able to ensure that we work in tandem with other international enforcement agencies to get at the real root of spam, because it is a coordinated effort across borders.

I'll start with the 5,000 complaints a week to our spam reporting centre. I would suggest that compliance is still an issue.

Certainly compliance is key. I'm the chief compliance and enforcement officer. The compliance part of my title is critical to ensuring that businesses are aware of the rules, understand how they can comply with the rules, and understand what's necessary with respect to following the rules. Those education outreach sessions are extremely important.

The ones we did in the early days in 2014 when we were first getting off the ground and the ones we did a couple of months ago are very different. In the early days, we were talking about how you must have an “unsubscribe” and it must link to this, etc. Now, we're providing more guidance and interpretation on recent decisions and compliance programs.

Businesses, individuals, and the legal community are looking at our decisions, interpreting them, and saying, “Oh, I understand now what you mean when you say this”, or “I understand how you're applying this particular regulation.” We're trying to provide that clarity. It is an ongoing initiative. We will do it every year, I would suspect, because there are always people knocking at our door and saying that they need help to understand.

I'd like to think we have a great suite of tools. Certainly I know my colleagues at the Privacy Commissioner's office would say that having administrative monetary penalties is very useful. I know they're looking for it themselves. We have a broad range of tools to effectively ensure compliance now and, for enforcement purposes, in the future. The tools that the CRTC has been afforded are very useful. It's a broad range. It allows us lots of flexibility depending on the type of case, the magnitude of the case, or the nefarious activities involved.

With respect to the private right of action, the number one concern that we heard from stakeholders across a wide variety of areas—academia, industry, and broader stakeholders—was that the private right of action upped their initial concerns around compliance. Because the PRA would introduce the possibility of significant monetary penalties and legal risk, absent clarity on exactly how to comply, and to ensure that they were able to pursue CASL in its fullest form, they would be subject to significant risk. Given that its suspension corresponded exactly with this review, it seemed timely to take on some of those concerns, and to have a full hearing about what the anxiety was, before proceeding on what we heard from many people was going to cause significant risk and anxiety within their daily operations.

CASL was always framed to have a coming into force of the regulations. The act was passed in 2010; the initial regulations came in during 2014, and the malware pieces for computers came in during 2015. PRA was to come in during 2017, and even with that long lead time there was considerable anxiety from a host of stakeholders that compliance was still unclear and that a lack of clarity on compliance meant a huge legal risk.

Yes, I would say there are elements of CASL that stakeholders have told us need to be clarified to support increased compliance, and that has taken some effort.

I'll have my colleague, Neil Barratt, describe our investigative enforcement process.

One of the things we have at our disposal is the spam reporting centre. Through the “fightspam” portal that Mark mentioned, Canadians can submit complaints of spam that they've received. They can also fill out a detailed form and provide us with additional information relating to the message and other information they may have available.

For us that is a huge resource in terms of information. To date, since coming into force, we have more than 1.1 million complaints in the SRC. That's our primary source of intelligence. Our intelligence analysts look through that information. They try to identify trends. They look, obviously, at high-volume complaints to see if there are relationships. They're trying to identify links between different messages and different sending campaigns. Based on that, they'll develop some material for my enforcement officers to look at. We'll review that with them to decide what the viable cases are. That's the main source. We also have other information that we look at. We work with private sector partners who run giant spam honeypots that can see a broader scope of what the issue looks like.

At the end of the day, however, it's a conversation of our enforcement officers with our intelligence analysts to look at cases that are likely to succeed, that will promote compliance, and cases that can provide guidance to businesses.

It's important to note that the emails in the spam reporting centre are not validated. They may be a potential violation, but they may also be incorrectly identified as a violation. The first thing we do is try to validate the complaint, if that's the main basis for the investigation. Depending on the level of information we receive from the Canadian who submitted the email, we may return to them, collect further details, and take a witness statement, things of that nature.

More broadly, we also look at collecting information from the companies in question, from email service providers, from hosting companies, from domain registrars, and from a whole suite of the people who are involved in that email from the time it's sent to the time it's received. Obviously, depending on the type of case, we also want to discuss with that business and request information from them on how they maintain their email lists, how they ensure compliance, and how they ensure they're working from a consent-based list, actioning unsubscribes, and ensuring that all the different pieces of the legislation are respected.