Thank you so much, and my thanks to members of the committee for having me here today. It's good to see you all again.
I'm here representing the Canadian Chamber of Commerce. I think you all know who we are. We represent a network of 450 chambers of commerce across the country, boards of trade, and over 200,000 businesses of all sizes, in all sectors, and in all regions. We're the largest business organization in the country. We also represent over 100 sector associations, so by extension we basically represent the views of the business community in Canada.
Since 1925 the Canadian Chamber of Commerce has connected businesses of all sizes, from all sectors, and from all regions, in pursuing public policies that will foster a strong, competitive economic environment that benefits business, communities, and families.
In 2014, making those connections became a little more complicated. I'll start by saying that none of the organizations I represent like spam. No one does, unless of course you're a spammer. If you regard spam as a massive intrusion of unwanted bulk email advertising sent into your inbox by nefarious criminals lurking on the Internet, then 10 years ago spam was a big problem. According to Trustwave, which is a global services company, in 2008 92.6% of global email traffic was spam. By 2015 that number had declined to 54%. In 2016 it was back up to 59%. But here's the catch. In 2008 much of the unwanted messaging was reaching your inbox; by 2016 it wasn't.
Trustwave is measuring the volume of traffic entering their servers and comparing spam to legitimate messages. The spam that's filtered out never reaches you. In fact, the ISPs managing all of your email accounts have gone to great lengths and expense to build filters with sophisticated algorithms that achieve a 99% success rate in eliminating spam.
The real problem now is cybersecurity. According to Fung Global Retail and Technology, and IBM X-Force, the total amount of spam found with ransomware attachments in 2015 was 1%; in 2016 that number jumped to 43%. The bad guys found a new platform.
While there are tools in CASL that would be useful in going after these bad guys, the breathtaking scope of CASL clutters the digital landscape and distracts enforcement efforts away from the problems that really matter. The trouble is that CASL does not define spam as a massive intrusion of unwanted bulk email. The law applies to everyone. It applies to multinational companies, small businesses, trade associations, charities, and individuals, and it captures single messages from one individual to another. While the private right-of-action provisions in CASL have been delayed from coming into force, the provisions still represent a significant risk to the business community down the road, assuming that they do come into force at some time.
The law regulates electronic commerce by restricting the use of electronic communications media to send commercial electronic messages. In effect, the law requires the consent of a recipient to send an email, text, instant message, or any other form of electronic message unless the sender has a narrowly defined pre-existing relationship. The law does not permit the sending of an electronic message in order to obtain that consent, so if you want to email somebody to talk about a business venture, even if it's one-on-one you can't send an email asking them to meet you for coffee.
In essence, CASL places unreasonable limits on free speech, it stifles innovation, and it puts the competitiveness of Canadian business at risk. On February 19, 2016, the National Post published an article saying that Canadians could no longer appear on Jeopardy! The Jeopardy! organization couldn't send a note to prospective contestants because they were fearful of violating CASL. It's a glib example, but it's illustrative of the challenges that organizations face when attempting to do business in this country. The law has been in force for about three years now, and I still get frequent calls from businesses outside of Canada asking what CASL is all about. More often than not, the choice of these businesses is to avoid the Canadian marketplace, after they find out the rules.
We released a survey about CASL earlier this week. It will be in the field for a few more weeks. I'll paraphrase from one of the comments we've received back so far.
Prospecting for new business is very difficult. It is almost impossible to track how long you can rely on implied consent for a lead and how you can contact them. The record-keeping required is also very challenging. You need a screenshot of where the email address or contact info was published, and you need to know when. There is no one-size-fits-all, off-the-shelf technology solution to track records of consent. It means we must make a huge technology investment. This particular company says they've done a lot to become CASL-compliant, including investing in the technology and legal advice, and from a marketing perspective, they believe that they are onside. The challenge is the sales team, as they feel very uncomfortable with where they stand in terms of documenting, contacting, and prospecting for new clients.
I'll get into a few specifics. Organizations are struggling with CASL compliance in the following areas.
First, they are struggling with the definition of commercial electronic messages, CEM, which is exceptionally vague, and could inadvertently cover many messages that are not commercial advertisements or promotion of a commercial product or service.
Second, CASL does not permit the installation of a computer program without obtaining express consent. We believe this will have, or has had, unforeseen, negative impacts on consumers given the fact that data analytics is now a massive global innovation opportunity that's likely being darkened in Canada because of CASL.
Third, the information requirements for acquiring express consent are onerous, as the system asks for a voice recording, for instance, for verbal consent, and this will need to be stored, tracked, and managed over time.
Fourth, managing the deadlines around implied consent is too difficult. There was an effort to make things more efficient by allowing certain types of implied consent, but that implied consent expires. The reality is, when you have multiple levels of messages going through the system and consent is going through third parties, managing unsubscribes is very difficult.
Fifth, many of the exceptions are too vague. For instance, in section 3(d) of the CRTC regulation, it states that:
Section 6 of the Act does not apply to a commercial electronic message... (d) that is sent and received on an electronic messaging service if the information and unsubscribe mechanism that are required under subsection 6(2) of the Act are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.
Most small businesses won't even read that.
Sixth, the record-keeping standard is difficult to achieve. According to regulators, consent can be achieved not only by digital or written format, but also through voice. However, section 13 puts the onus on the sender to prove consent. This has created a predicament for businesses. Even if they acquire valid consent, they will be unable to document it in a sufficient way, forcing them to abandon the message in the first place.
Seventh, the private right of action, which I've mentioned, is still a concern among businesses. The likelihood of a business being drawn into a class action lawsuit, even if they are in full compliance, would be a significant burden on that business.
Eighth, there is an issue related to vicarious liability. Section 53 creates potential personal liability for officers and directors of corporations that violate CASL where due diligence is the only defence. We view this as extreme.
Finally, there is an issue related to proportionality. The punishments don't fit the crime. Compliance agreements that have been implemented by the CRTC to this point have imposed massive penalties on legitimate companies that had minor errors in their attempts to achieve compliance. Instead of following along with the due diligence argument when companies were attempting to do the right thing, the CRTC fined them hundreds of thousands of dollars. The same is true in the case of very small companies that had infractions. Yes, they were out of compliance, but a $15,000 fine? This is a very significant amount of money for a small company.
I will wrap this up.
The government's objective in bringing this legislation was to “deter spam and other damaging and deceptive electronic threats such as identity theft, phishing”, and it “helps protect Canadians while ensuring that businesses can continue to compete in the global marketplace.” I would argue that CASL has not met that objective.
Disproportionate compliance spending hurts the Canadian economy. Businesses could be spending this money on innovation, hiring, marketing, and expansion, and I would urge this committee to take a stand on this legislation and make recommendations for a significant overhaul that will meet the objective of promoting a framework of effective electronic commerce in this country.
Thank you very much.