Industry Committee on Oct. 5th, 2017

I think the objectives of the law are exactly those that you mentioned, and with good clear definitions, that could still be attained.

I think we need to be careful about conflating different types of messages. I don't think any of us would argue that it is important to manage emails that come through with malicious intent. So if there are ransomware attachments, if it's being sent through a botnet and it's attacking your system, it makes sense to have some legislation in place that allows enforcement agencies to deal with that. I think what we're talking about is messages that customers want. From a business-to-business perspective, there needs to be a certain amount of freedom to be able to conduct that business, to be able to prospect. If specific bulk emails are going to advertise a broad cross-section of people who may or may not have an interest, that's a different story.

You asked a good question. First,, the fact that the CRTC is there and prosecutes and publicizes prosecution does have some impact on behaviour. Contrary to what my friend said, I think some of their fines have been very high relative to the alleged infraction. Specifically on your question about the PRA, which is a good one, I don't have a problem with a private right of action in a calibrated piece of legislation. If the private right of action was effective against the people who were providing the malware, the spyware, the phishing problems—the real bad actors everyone agrees on, assuming you can find them and go after them—I have no objection to that. Nor do I have an objection to letting ISPs, which are bearing the brunt of dealing with this, have a right of action against the people who are the purveyors of the 99%. The problem I have is that when you have a piece of legislation that's extremely onerous, that's ambiguous, and we have the potential for class actions, we're creating a monster that is going to be very expensive for Canadians to address.

I applaud the government to have suspended the PRA while this committee does the work it needs to do. If, at the end of the day, the recommendation is to recalibrate the loss but it targets the things that it truly was intended to target and it has a PRA, so be it. Throw the book at these bad guys. I don't think anyone around the table disagrees with that.

I think we agree with you that consumers should have control, and that's what you're talking about. I own the device and I pay for the connectivity. That's the way the act is set up now. If it turns to opt out, consumers lose control. What you're going to get, if you lose control, is unsolicited commercial email. There's not only bad spam and malware, if you want to talk about illegal. There is also unwanted, unsolicited, commercial email, and the act covers that as well. That's an element of control that chafes against the thought that businesses should be able to contact people out of the blue. We support the control of consumers in that.

As for the private rate of action, it would have been a complementary aspect because, as I said in our remarks, a recalcitrant or aggressive spammer, somebody who's been told to stop over and over again, clearly fined in the past and continues to do so, or who is a hard-core spammer, needs to have the threat of millions of dollars outside of the administrative regime because some of those just can't be handled by the administrative regime. We've seen people set up shop in Canada who are very hard core.

I'll just end there.