Industry Committee on Oct. 5th, 2017

Thank you so much, and my thanks to members of the committee for having me here today. It's good to see you all again.

I'm here representing the Canadian Chamber of Commerce. I think you all know who we are. We represent a network of 450 chambers of commerce across the country, boards of trade, and over 200,000 businesses of all sizes, in all sectors, and in all regions. We're the largest business organization in the country. We also represent over 100 sector associations, so by extension we basically represent the views of the business community in Canada.

Since 1925 the Canadian Chamber of Commerce has connected businesses of all sizes, from all sectors, and from all regions, in pursuing public policies that will foster a strong, competitive economic environment that benefits business, communities, and families.

In 2014, making those connections became a little more complicated. I'll start by saying that none of the organizations I represent like spam. No one does, unless of course you're a spammer. If you regard spam as a massive intrusion of unwanted bulk email advertising sent into your inbox by nefarious criminals lurking on the Internet, then 10 years ago spam was a big problem. According to Trustwave, which is a global services company, in 2008 92.6% of global email traffic was spam. By 2015 that number had declined to 54%. In 2016 it was back up to 59%. But here's the catch. In 2008 much of the unwanted messaging was reaching your inbox; by 2016 it wasn't.

Trustwave is measuring the volume of traffic entering their servers and comparing spam to legitimate messages. The spam that's filtered out never reaches you. In fact, the ISPs managing all of your email accounts have gone to great lengths and expense to build filters with sophisticated algorithms that achieve a 99% success rate in eliminating spam.

The real problem now is cybersecurity. According to Fung Global Retail and Technology, and IBM X-Force, the total amount of spam found with ransomware attachments in 2015 was 1%; in 2016 that number jumped to 43%. The bad guys found a new platform.

While there are tools in CASL that would be useful in going after these bad guys, the breathtaking scope of CASL clutters the digital landscape and distracts enforcement efforts away from the problems that really matter. The trouble is that CASL does not define spam as a massive intrusion of unwanted bulk email. The law applies to everyone. It applies to multinational companies, small businesses, trade associations, charities, and individuals, and it captures single messages from one individual to another. While the private right-of-action provisions in CASL have been delayed from coming into force, the provisions still represent a significant risk to the business community down the road, assuming that they do come into force at some time.

The law regulates electronic commerce by restricting the use of electronic communications media to send commercial electronic messages. In effect, the law requires the consent of a recipient to send an email, text, instant message, or any other form of electronic message unless the sender has a narrowly defined pre-existing relationship. The law does not permit the sending of an electronic message in order to obtain that consent, so if you want to email somebody to talk about a business venture, even if it's one-on-one you can't send an email asking them to meet you for coffee.

In essence, CASL places unreasonable limits on free speech, it stifles innovation, and it puts the competitiveness of Canadian business at risk. On February 19, 2016, the National Post published an article saying that Canadians could no longer appear on Jeopardy! The Jeopardy! organization couldn't send a note to prospective contestants because they were fearful of violating CASL. It's a glib example, but it's illustrative of the challenges that organizations face when attempting to do business in this country. The law has been in force for about three years now, and I still get frequent calls from businesses outside of Canada asking what CASL is all about. More often than not, the choice of these businesses is to avoid the Canadian marketplace, after they find out the rules.

We released a survey about CASL earlier this week. It will be in the field for a few more weeks. I'll paraphrase from one of the comments we've received back so far.

Prospecting for new business is very difficult. It is almost impossible to track how long you can rely on implied consent for a lead and how you can contact them. The record-keeping required is also very challenging. You need a screenshot of where the email address or contact info was published, and you need to know when. There is no one-size-fits-all, off-the-shelf technology solution to track records of consent. It means we must make a huge technology investment. This particular company says they've done a lot to become CASL-compliant, including investing in the technology and legal advice, and from a marketing perspective, they believe that they are onside. The challenge is the sales team, as they feel very uncomfortable with where they stand in terms of documenting, contacting, and prospecting for new clients.

I'll get into a few specifics. Organizations are struggling with CASL compliance in the following areas.

First, they are struggling with the definition of commercial electronic messages, CEM, which is exceptionally vague, and could inadvertently cover many messages that are not commercial advertisements or promotion of a commercial product or service.

Second, CASL does not permit the installation of a computer program without obtaining express consent. We believe this will have, or has had, unforeseen, negative impacts on consumers given the fact that data analytics is now a massive global innovation opportunity that's likely being darkened in Canada because of CASL.

Third, the information requirements for acquiring express consent are onerous, as the system asks for a voice recording, for instance, for verbal consent, and this will need to be stored, tracked, and managed over time.

Fourth, managing the deadlines around implied consent is too difficult. There was an effort to make things more efficient by allowing certain types of implied consent, but that implied consent expires. The reality is, when you have multiple levels of messages going through the system and consent is going through third parties, managing unsubscribes is very difficult.

Fifth, many of the exceptions are too vague. For instance, in section 3(d) of the CRTC regulation, it states that:

Section 6 of the Act does not apply to a commercial electronic message... (d) that is sent and received on an electronic messaging service if the information and unsubscribe mechanism that are required under subsection 6(2) of the Act are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.

Most small businesses won't even read that.

Sixth, the record-keeping standard is difficult to achieve. According to regulators, consent can be achieved not only by digital or written format, but also through voice. However, section 13 puts the onus on the sender to prove consent. This has created a predicament for businesses. Even if they acquire valid consent, they will be unable to document it in a sufficient way, forcing them to abandon the message in the first place.

Seventh, the private right of action, which I've mentioned, is still a concern among businesses. The likelihood of a business being drawn into a class action lawsuit, even if they are in full compliance, would be a significant burden on that business.

Eighth, there is an issue related to vicarious liability. Section 53 creates potential personal liability for officers and directors of corporations that violate CASL where due diligence is the only defence. We view this as extreme.

Finally, there is an issue related to proportionality. The punishments don't fit the crime. Compliance agreements that have been implemented by the CRTC to this point have imposed massive penalties on legitimate companies that had minor errors in their attempts to achieve compliance. Instead of following along with the due diligence argument when companies were attempting to do the right thing, the CRTC fined them hundreds of thousands of dollars. The same is true in the case of very small companies that had infractions. Yes, they were out of compliance, but a $15,000 fine? This is a very significant amount of money for a small company.

I will wrap this up.

The government's objective in bringing this legislation was to “deter spam and other damaging and deceptive electronic threats such as identity theft, phishing”, and it “helps protect Canadians while ensuring that businesses can continue to compete in the global marketplace.” I would argue that CASL has not met that objective.

Disproportionate compliance spending hurts the Canadian economy. Businesses could be spending this money on innovation, hiring, marketing, and expansion, and I would urge this committee to take a stand on this legislation and make recommendations for a significant overhaul that will meet the objective of promoting a framework of effective electronic commerce in this country.

Thank you very much.

Thank you, Mr. Chair.

Honourable members, on behalf of the Desjardins Group, thank you for inviting us to testify before your committee.

I am pleased to be here today to talk about something as important as the review of Canada's anti-spam legislation, that I will call CASL. It is an important piece of legislation for our industry, and it has a considerable impact on how we communicate with our members and clients.

As the Chair said, my name is Aïsha Fournier Diallo. I am senior legal counsel with the Desjardins Group, more specifically with its subsidiaries in property and casualty insurance that do business across Canada. My job is to support the validation of the legal risks associated with Canada's anti-spam legislation. Naturally, we are called upon to interpret the legislation every day.

Let me introduce Natalie Brown. She is the director of the caisse network and she leads a team that deals with credit card services, payments and litigation.

Although my remarks will be mostly in French, we will be happy to answer your questions in both languages.

First, I will say a quick word about the Desjardins Group because I would like to move on to CASL.

It was here, in Ottawa, that the idea for the Desjardins Group was born. Right next door, across the road, Alphonse Desjardins was a Hansard reporter for more than 25 years. After a debate on loan sharking, he got the idea to found a co-operative financial group that would address the needs of smaller depositors.

Today, 117 years later, the Desjardins Group is the largest co-operative financial group in Canada, and the 6th largest in the world, with assets of over $270 billion.

Our close to 1,100 caisses and financial centres in Quebec and Ontario, together with our online platforms and subsidiaries from coast to coast to coast, serve over seven million members and clients. It should be noted that a third of our service centres are located in less densely populated areas.

From heritage to insurance management, including business services, the group employs just under 48,000 employees and 5,000 managers.

That said, I would like to say what a pleasure it is to be among you today, honourable members, to share with you my point of view.

I came to Desjardins as a lawyer in 2013, about one year before the legislation came into force. I was able to witness the impact it had on what we do and how we communicate with our members and clients.

People's expectations towards communications have changed. Our modes of communication have also changed. Clients expect us to reach out to them in the most natural and effective way possible. You have to put yourself in the shoes of the consumer, which we do every day since we are in contact with them. They want emails and texts, and are looking for an easy way to connect with us.

This is why organizations should be able to communicate with their clients and their members without having to constantly worry about whether they are violating a section of Canada's anti-spam legislation. With every message we send, we have to ask: does my email or text comply with the law? Is it a commercial electronic message, a CEM? Do I have the necessary valid consent to send it? Is it excluded under the legislation? Is the prescribed information included in the email?

Imagine having to do this every single time you send an email to a member or client.

In the past, the government said, “Canadians deserve an effective law that protects them from spam and other electronic threats that lead to harassment, identity theft and fraud.” As Mr. Smith said, no one is against this. However, the law is far too broad.

People, like ourselves for instance, who work everyday with this legislation while trying to support our business operations have been anxiously waiting for this review. We hope that the government will take advantage of this opportunity to undertake an in-depth review of this legislation so that it may achieve its goal, while at the same time finding a balance that will allow organizations that have legitimate reasons to communicate with their clients to do so without fear and with the benefit of more streamlined legislation.

CASL is one of the most restrictive pieces of anti-spam legislation in the world. It was a great idea, protecting Canadians from spam. No one likes spam. But in our view, there has been a chilling effect on marketing and business communications, primarily for four reasons: the lack of clarity and the interpretive issues that exist in the act that require either clarification or amendments to the law; the fact that it is an opt-in consent model piece of legislation, meaning that you need an express or implied consent to send commercial electronic messages; the incredibly steep administrative penalties that the CRTC can impose for violations of the act; and the possibility of lawsuits from consumers through the private right of action.

The interpretive issues and lack of clarity make it difficult for lawyers like us to provide firm advice to their clients and for clients to be confident that they are in compliance with the law. There is no room for error under CASL, and all are extremely cautious, therefore missing opportunities to communicate with the clients for legitimate reasons, particularly in the one-on-one context. It should be easy for small businesses and larger ones to understand CASL and to apply it.

I am going to give an overview of the major interpretive issues we have faced these past few years, and we will provide you with a brief explaining them in greater detail, because there are quite a few.

First of all, the definition of a “commercial electronic message” is so broad that it includes practically any commercial message, even if the message is sent to a client with whom we have a perfectly legitimate commercial relationship.

As I said earlier, with every message, its content and the context in which it is sent have to be considered. You need to be aware of things like hyperlinks in the emails, clickable logos, in short, anything that could be seen as promoting the image of whoever is sending the email, and that includes a lot of things. For example, the fraud prevention email we would like to send to our members and clients could be considered a CEM because of the hyperlinks it includes. If a hyperlink leads to our website where our products and services are advertized, we have to ask whether it compromises the email by turning it into a CEM, which is prohibited.

The fact that our clients have to consult us before they send an email to their clientele with every new initiative and new campaign or innovation complicates things a great deal. We need more clarity to make sure that the nature of the messages we send, like the fraud prevention email, cannot be misinterpreted, even if they include hyperlinks, logos or elements that promote the Desjardins Group.

We feel it necessary to clarify the definition of CEM and to relate it back to the legislation's original purpose, which is to protect consumers from spam and the electronic threats that could lead to harassment, identity theft and fraud. Essentially, we need the assumption to be that Canadian companies have no ill intent when they communicate with their clients, and focus rather on the truly problematic communications.

I am now going to talk to you about the notion of consent and related provisions. As you know, the law requires express and implicit consent. Some of the provisions around implicit consent are a bit murky, and as a large financial group, we need to know who can benefit from this consent. Therefore, we recommend an opt-out option, that way, we would administer an unsubscribe mechanism instead of getting bogged down with consent management.

There is still one more area I want to cover. Earlier, Mr. Smith mentioned that subsection 6(6) is unclear. Indeed, some emails that shouldn't even qualify as CEMs are prohibited under this subsection.

Finally, I would like to mention the private right of action provision. We are very happy that it was suspended and we think it should be completely struck from the act. As a regulatory body, the CRTC can interpret the act. We believe that it is better to defer to such a body on matters of interpretation instead of overwhelming the courts.

I would like to thank you once again for inviting us to testify today. I sincerely believe it is possible to find a balance that would allow organizations to communicate more freely with their clients while at the same time protecting the interests of Canadians.

Thank you, Mr. Chair.

The Public Interest Advocacy Centre, or PIAC, is a national, non-profit organization and registered charity that provides legal and research services on behalf of consumer interests, and in particular, vulnerable consumer interests, concerning the provision of important public services.

PIAC has been active on the spam file since before the anti-spam task force was constituted in 2004. We testified before this committee in relation to then Bill C-27 in 2009 in support of the legislation. We supported the legislation as passed in 2010.

Our message today is simple. Canadians benefit from some of the world’s strongest protections against spam. Canada’s anti-spam legislation generally keeps business from sending spam unless the recipient has provided express prior consent and can easily unsubscribe. This is the great Canadian innovation. Trust consumers and citizens to control their privacy in the marketplace not marketers.

Has CASL been working for consumers? Currently, the CRTC is receiving about 5,000 complaints a week about email marketers not respecting CASL. One report from spring 2015 found outgoing spam volumes from Canada dropped 37% and overall email volume, spam and legitimate email, received by Canadians also dropped about 30% in the immediate period after CASL came into full force on July 1, 2014.

Since then Canadians have enjoyed the control of their email and other electronic communications by giving their consent to email, texts, and other electronic messages only to those companies with which they deal and by being able to unsubscribe from any email list that they wish.

Companies can still reach Canadians via email. There is no commercial email ban. Consumers buying products and services or who reach out to the company in question can expect two years of emails before the existing business relationship is deemed stale and the emails must stop. While consumers have a valid contract with a company, emails are allowed during the contract and for two years after that contract ends, unless of course the consumer unsubscribes on the handy link on each of these emails.

If a company does not follow these simple rules that put consumers in control, consumers can report the spam by completing a complaint form at fightspam.ca. As mentioned, up to 5,000 consumers a week file complaints.

Spam still wastes consumers’ time and reduces their confidence in electronic commerce, as it continues to deliver not only irrelevant, unrequested marketing but also deceptive and fraudulent messages and malware. What is different now is that the CRTC, Competition Bureau, and Privacy Commissioner of Canada can pursue companies for doing all these things.

Alysia.

Enforcement of CASL relies on a spectrum approach. The CRTC, which is the main enforcer, issues information on compliance, educates business associations, and then if there are problems, issues warnings, reprimands, seeks voluntary consent orders, and finally if necessary issues administrative monetary penalties, or AMPs.

In PIAC’s view, contrary to the opinion of some of the other parties here today, CRTC enforcement of CASL has been very generous to offenders and in some cases, nearly to the point of being weak. Companies are given many chances to change their practices. When more stringent sanctions are required, AMPs are often set at well less than the maximum possible due to the consideration of many mitigating factors, which are outlined in CASL. I will add here that of the undertakings published on the CRTC website, only two exceed $100,000. Those are for Rogers Media and Porter Airlines, which are not your typical or your average small businesses. Yet the CRTC does have the authority to impose an AMP of up to $10 million per violation for corporations. Finally, all offenders are permitted to challenge AMPs before the CRTC, which can reduce, and has reduced, the recommended AMP.

The committee should also note that the government has apparently indefinitely suspended the bringing into force of the private right of action in CASL, which would have allowed consumers to sue particularly recalcitrant or aggressive spammers. Marketers, and in particular those marketers that act responsibly while attempting to adhere to CASL, therefore face little prospect of any significant AMPs or other sanctions.

We therefore find it disingenuous that representatives of companies and marketers are here today to say the CASL is somehow bad for consumers and commerce. Instead, we believe CASL is bringing some control to consumers in their electronic interactions with marketers and that consumers in control are more confident and better consumers. That should help commerce.

Instead, marketers are here to defend stale lists and lazy marketing. CASL sets reasonable limits on the contact that marketers can have with consumers without first asking consumers for permission to continue to market to them. That's all it does. It does not sabotage legitimate commercial relationships between consumers and companies.

Were CASL to be repealed or the consent requirements flipped to require consumers to opt out of marketing as before, then CASL would truly be useless. We would return to the days before the anti-spam task force and consumers' feelings of helplessness in the face of ever-increasing spam volumes. CASL now is working fine. We suggest you leave CASL alone.

If one thing has not been done right since CASL was introduced, it has been insufficient information gathering. Since CASL does not require spam volume to be reported by ISPs, although they may report it to the CRTC, Competition Bureau, or Privacy Commissioner, nor by the spam reporting centre, and CASL does not require that any of this information be made public or provided to Parliament directly, we are here today largely in the dark regarding evidence of the effect of CASL on spam and other electronic messaging. This committee could recommend a more robust and public spam reporting mechanism that would allow all parties and academic researchers to evaluate the effect of CASL upon objective evidence. That at present is sorely lacking.

PIAC thanks the committee, and we welcome any questions you might have.

I thank the committee for inviting me here today. What you are doing is very important. CASL is flawed and needs re-examination.

I am a senior partner with McCarthy Tétrault. I am also an adjunct professor of intellectual property law, and I am on the advisory boards of the Macdonald-Laurier Institute and CIGI. I am here today in my personal capacity.

I have been closely involved in CASL for many years. I appeared before this committee when it first examined CASL, and I pointed out that CASL was so flawed that it would, among other things, literally have made browsing on the Internet illegal.

I worked with officials trying to fix CASL at the committee stage. I was extensively involved in the regulatory process, the first and second consultations on the regulations. I made a personal submission the committee.

I have been extensively involved in advising clients from all sectors of the economy, including large and small businesses, charities, the educational sector and other not-for-profits, the media, and software companies on how to comply with CASL.

I know what's happening on the ground and the impacts CASL is having.

CASL is, and is seen as, complex, disproportionate, and wrongly focused. To be frank, it is ridiculed by many organizations. It is particularly onerous for small businesses.

CASL's overbreadth makes communicating over networks illegal or legally uncertain in countless situations that Parliament could never have intended.

Let me give you a few examples. Take a start-up business that wants to use a public trade directory to email prospective customers and investors. This is most likely illegal under CASL, and it especially hurts small businesses trying to grow and develop new markets. To take another example, a person leaves his or her former employer to start a business or join another business and wants to email former clients, patients, customers, or former colleagues to let them know. Or the person wants to email an old schoolmate the person used to be good friends with. That is illegal under CASL in many cases.

It also deprives individuals of the valuable connections they have, which are important to their livelihoods, and it deprives recipients of information they would want to know. I would want to know if my doctor moved.

Say a charity or not-for-profit wants to continue sending newsletters to someone it has been sending them to even before CASL became law. If the newsletter is funded in part by the inclusion of only one ad, say, a vision correction device ad in a newsletter sent out by the CNIB, the charity likely has to cut off the recipient unless it can find a donation by the person in last two years or a record of obtaining express consent. Records weren't kept before CASL came into being. This deprives individuals, including the most vulnerable, from receiving information they want and need. It is also illegal under CASL to send an email asking people if they want to continue to receive emails, including from the CNIB.

Organizations want to send out Christmas cards to current and former clients, customers, and colleagues. They want to include a corporate logo and tag line promoting the organization. These items by themselves may make these cards CEMs, because they promote their businesses. If the recipients haven't expressly consented to receiving CEMs and haven't done business with the organization in the last two years, the cards likely cannot be sent. So much for Christmas cheer and keeping in touch.

A new online newspaper wants to send trial copies to members of the public. In the physical world, a publisher could leave complimentary copies in mailboxes. It's illegal online if the paper includes a single ad or if it asks people if they want to subscribe. This is especially unfortunate as it hampers establishing new media, something we need to foster in this world of fake news, as a healthy press is critical to our democracy.

There is a business-to-business exception in CASL. It has a number of conditions. It applies to organizations but not to individuals carrying on business as sole proprietorships. CASL operates in a discriminatory way for no good reason—in this case, discriminating and hurting small businesses.

CASL makes it illegal for a child to email neighbours promoting his or her lemonade stand, to ask if they want a babysitter, or to ask if they can mow their grass to earn a little school money. Its breadth is not subject to any de minimis or reasonable limitation. Do you want your kids not to be able to promote their lemonade stands?

A person wants to send a CEM using an SMS. Even if the person has consent to send the message, the person can't legally do it because the character limits don't enable people to include all of the identification and unsubscribe information the CRTC regulations prescribe. The person might try to comply by including a hyperlink in the message to a website, but if the person doesn't have a website—which not every young small business has—and can't find a tool that lets them shorten the hyperlink, they effectively can't use SMS messages. CASL effectively impedes the use of the modern messaging systems it purports to regulate.

These problems all flow from CASL's flawed structure, which prohibits a broad range of communications subject to a limited number of exceptions. The computer program provisions also have many difficulties.

What's happened in the real world and not the theoretical world of those people who conceived of CASL? CASL has had no material impact on the purveyors of damaging and deceptive spam, spyware, malware, and other related network threats, which were the stated objectives of CASL. As a practical matter, the burdens fall on legitimate businesses. Many businesses have invested and continue to expend resources to comply with CASL, and it's not easy for the reasons Natalie Brown explained. Use of electronic messaging is chilled, because organizations don't know if they can send messages, and they are very concerned about the excessive AMPs that can be levied.

What should this committee do?

My most important recommendation for this committee is to assess all the provisions of CASL against the government's justification for it. CASL was repeatedly represented during the legislative process and the regulatory process as a law targeting the most damaging and offensive type of spam and malware, yet these prohibitions target ordinary commercial electronic messages and computer programs that have nothing to do whatsoever with malware.

Given that CASL impairs freedoms of expression in Internet communication, I urge this committee to recommend that CASL be recalibrated to what it was really intended to do, and that is to deal with the really bad actors.

I'll just say one more point because I realize, Mr. Chairman, that you have already given me a substantial indulgence, which I appreciate. If CASL were recalibrated, the CRTC could reallocate resources to deal with the real problems Canadians have. We have a real problem with cybersecurity and a real problem with malware. That should be the focus, not legitimate businesses like Desjardins that want to continue to communicate with their customers.

Thank you, Mr. Chairman.

The concern around cybersecurity is that most of the messages that contain things like ransomware.... That's the big thing that we are hearing about right now. All of these breach.... There is personal information being stolen, and identity theft issues, but the big one is around ransomware, and it's going after businesses. From our perspective, that's the big concern.

I'd give you a statistic on the volume of messages that now have ransomware attached to them. They are coming from other countries; they aren't coming from Canada. The reality is that the anti-spam legislation is never going to touch or solve that problem by going after businesses in Canada. For the most part, they are not coming from here.

It's going after anybody who can pay.

Absolutely. There are a number of things that can be done to solve that, but not necessarily through legislation. There is education, an awareness challenge, and I think there is a certification option out there now that businesses could undertake, which would help prevent some of the attacks they are experiencing.

The first one is definitely the definition of CEM. It's too broad: any message that “encourage[s] participation in a commercial activity”, including promoting the image of a person. That's much too broad. That would definitely be the first one.

I would like to add to that. An email that facilitates, completes, or confirms a commercial transaction is deemed to be a CEM. I can give you two examples of emails that are sent in the context of sound business practices and that would fall under that definition.

We are an issuer of credit cards. If I want to alert by SMS the owner of the credit card that they are approaching their credit limit, or even surpassing it, I can't send it because it might be a CEM. As a co-operative, I want to warn my cardholder. That's a good, sound business practice.

Another one is under new technologies. I want to be able to offer electronic signature at a distance, and I want to send a password for the electronic signing session to my client, but the transaction hasn't been completed yet, and that's a CEM. It's much too broad.

There are a few spam studies out there, from the Netherlands and other places, where they've set up spam traps. There are emails that have never been used by anyone for anything, but researchers set them up, and they end up trapping only spam because they have never been used for legitimate email. The spam reporting centre doesn't quite work that way. It gets emails forwarded by Canadians who think something is spam. Then there is a third source, which is just ISP spam volumes, which I think Mr. Sookman told us about, where a lot of it is caught already.

There needs to be more coordination work at the CRTC enforcement end, to work with academics, ISPs, and their own enforcement people to give us a coherent picture. At the moment, a lot of it is presented in a very restrictive way, if you will, from CRTC. We have little scraps, but we don't have an overall picture.

It's hard for us to say.... For example, today I would have loved to come and say that since CASL, the volume of spam that consumers receive has gone down 35%. I can't say that. I don't know. It's hard to prove a negative.

I'm glad to do it, and if I can in 10 of my seconds, I want to deal with the cybersecurity issue, because CASL makes it very difficult to combat the problems facing Canadians. Unless you're a telecommunications service provider you can't install computer programs that would combat a cybersecurity threat without express consent, and if you're a software provider, it's also illegal to transmit updates that would protect systems used by Canadians. So CASL could really be improved in that area to let companies protect their consumers.

The intent of that comment was to demonstrate that having CASL in place really hasn't had an impact on the volume of spam coming to your inbox. The ISPs are managing that for you. There's a technical solution to dealing with most of the spam that comes through right now, and companies like Microsoft and Google and others that are managing your email accounts for you are filtering out most of the spam that comes through the system. They're the ones spending the money to make that happen.

You're exactly right. The legislation, as the goals were articulated, was to help protect consumers against malware, spyware, phishing, and to the extent that it covers that, those goals are appropriate and CASL does address that. The problem is that by expanding the ambit of CASL, the focus is not on addressing the real problems. So we have the CRTC going after a company because they've failed to have an unsubscribe, or there was a bounce-back, and they didn't give effect to it, when they could be spending their technical resources in trying to protect Canadians against cybersecurity.

My point is that the act is too broad and it's unfocused and it's leading to unfocused enforcement by the CRTC.

On the computer program side, the prohibitions against installing computer programs make it illegal to do things that Parliament would absolutely want legitimate organizations like Microsoft and other big software companies to do. I lobbied very hard for that in the regulations, and we ended up with a very narrow regulation that recognizes the problem but only if you're in a specific category. If you're in any other business, you can't protect your customers. We have to fix that.

You ask a very good question.

There are two kinds of ways in which the problems with CASL can be addressed.

One is legislative, like the private right of action. Only Parliament can address that because it's in the legislation, and at some point, it has to come into force or be killed or amended.

Two, the Governor in Council has a very broad regulatory authority, and many of the problems Canadians have occur because during the regulatory process there was—I think—a too narrow approach in what the exemptions should be, and when you have a structure that says that everything's illegal unless it falls within an exemption, you have a problem. Imagine a criminal law that prevented you from going out at night except if you were going to work or school or coming to the committee. You're bound to miss some, and that means a lot of things are going to be illegal until the regulatory process can catch up.

So the approach that the Governor in Council should have taken, in my respectful view, is to have had very generous exemptions so the act would apply to things that really counted, but it wouldn't discriminate against small business. There was no need, for example, for this law to apply to businesses, to business communications, at all, because they don't want it, they don't need it, and they see it as stifling innovation.

One thing this committee could recommend is that the Governor in Council re-review the regulations so that some of these things that are blatantly causing problems can be fixed.

You're exactly right, but if you actually look at that exemption, it applies to federal and provincial members who are applying. If you were, for example, trying to run for the leadership of a party, you'd be caught by CASL. But if you're running for municipal or regional government, you don't have the exemption so it discriminates very much in terms of the level of democracy that is protected.

I agree, nobody should have it...but in my view all politicians need to have it. It's essential for democracy that people who are running for office can reach out to potential constituents to be able to communicate their messages. It doesn't matter if it's federal or municipal, they should all be covered.

Technically, even one running for the head of a party does not have the exemption.

Oh, oh!

I'll address a couple of your points in my response.

You're correct with regard to the spam task force, and I believe that even the Chamber of Commerce at one point was certainly in support of anti-spam legislation. That's a case of “be careful what you wish for” because we ended up with a piece of legislation that is breathtakingly large in scope. It covers basically every message that you could conceive of. If it's coming from a business, there is a likelihood that it is going to have some commercial content on it. Even if it's just in the signature block of a message, it has a link to a website, and suddenly that has become a commercial electronic message.

Our concern is about the scope, and narrowing the scope would solve a lot of problems. Taking one-on-one emails out of the equation, taking business-to-business emails out of the equation, would solve a lot of the problems.

I think most businesses that do email marketing or any kind of electronic commerce recognize the value of having an unsubscribe mechanism. There is no argument about that. If somebody doesn't want to receive messages, the businesses I deal with won't send any to them.

You heard from others today about the opt-in versus the opt-out. In the U.S. they have an opt-out system that works for the most part. It's not perfect, and I don't think we'll ever get to perfect, but I think the preference of business here would be to have a mechanism that allows them to communicate with their customers that first time in order to have the opportunity to opt out.

I think most companies have a management system where you can subscribe or unsubscribe from various components of their messages, or you can unsubscribe from everything, and it's simple, one click. If that doesn't work for you and you continue to get messages, you have a complaint option, or you can just block the sender.

If you want to come to Desjardins, we have that service.

Oh, oh!

The spam volume for Canadians will go up. What Canadians consider to be spam are messages that they don't want to receive, that are unsolicited. What this act does is flip it around. You have to ask consumers first. That's the point.

What they would start getting is unsolicited messages, and they would have no clue why they're on this list or why they're getting these messages. We'll just go right back to that.

I can't necessarily speak to whether they have been involved with members who have been spamming each other. I'm not aware of too many businesses that are complaining about spam. Most of the complaints that go through the complaint centre are coming from individuals who may or may not understand what the rules are about. If they get a message, they may be just complaining about getting a message without going through the unsubscribe process.

If there's a complaint, the reality is that it doesn't mean that there's a violation. To the point about understanding the statistics, that might be something you would be interested in, regarding how many of the complaints are actually valid.

To your point about not-for-profits and the ability to communicate with business, the chambers across the country were heavily involved in the discussion during the time when the regulations were being considered. We had a number of chambers that had written to their local member of Parliament concerned about how things were going to proceed. Then there was the follow-up on how to comply. That was a major effort on our part.

I want to start by saying that I don't think it's unreasonable to protect consumers. I don't think it's unreasonable to have regulations affecting business that are necessary to protect consumers. At the end of the day, it's all about a balance. It's about a balance and ensuring that the goals are clear and the goals don't go farther than are needed and impose burdens that can't be justified by the incremental benefit to consumers. It's all a balance.

When you look at this legislation, since the definition of CEM is so broad, it's not capturing the kinds of things that are of concern. It captures the malware that might come in an email message, but it covers a whole lot of other things that are not necessary.

Regarding the consents, businesses in Canada all comply with PIPEDA. PIPEDA has a very stringent new requirement for expressed consent, but this legislation requires every business, every charity, and every non-profit in the country to now comply with two disparate regimes with consent...for two different systems. There's no need to have overlapping and different systems that businesses have to comply with. Even where PIPEDA has an opt-in, there is no way that a foreign spammer that is sending these kinds of malware has any consent under any system.

I think CASL lined up consumer expectation with the law. Prior to this time, consumers wanted to have control. They thought that they should only get emails that they've consented to. Now, the law lines up with that. That's really my only way to answer your question.

If it's changed back to opt-out, people will think they have control and they won't. Their spam volumes will go back up and they'll start getting problems. That's the only way I can express my answer.

It's a good question, Mr. Lametti.

I'd have to say that it's hard to know. There's the good and there's the bad. Consumers obviously don't want to get this malicious type of spam. They may think CASL is the reason why they're not getting as much. Of course, the answer is that it's nothing to do with CASL. It's everything to do with the spam filters that the ISPs have.

Then you have other consumers who aren't getting the kinds of messages that they want. Like the people in the charities or like messages that educational institutions are sending to solicit students to join their programs. They may not know why they're not getting these messages. In some cases, they get dropped from the list and they wonder. In other cases, they don't know.

We're relying, in part, on technical solutions. The problem is that they're extremely expensive and, given all the different levels of exceptions and delays, they are almost impossible to manage.

I would like to address your point on disproportionality very quickly. I've had to face many boards at Desjardins, with great arguments to defend that something is not SEM. In those situations, given the number of sanctions and given the personal liability, we've had very strong cases that were completely denied just because they weren't willing to take that amount of risk. It's disproportional.

It helps.

You're quite right about the lemonade stand. The reason I raise it is that it appears to me that everyone in the committee will understand that if a piece of legislation stops a kid from trying to get a babysitting job or operating a lemonade stand, there's something wrong with the legislation. That's the example, but it applies across the board. It's not just the kid with the lemonade stand. It's small businesses and sole proprietorships. It's everyone who's caught by the breadth of this legislation.

That example may be theoretical, but I can tell you that it's the kind of thing Canadians are concerned about. I have small businesses that come to me, start-up businesses, and they say, “We need to do x and y.” It's not theoretical to them. It's real-world trying to build their businesses.

I tell them what they can do and can't do, and they say, “I can't do that. I cannot do that. I only have so many people, so many employees. Don't tell me I have to have a regime like Desjardins has to operate a small business.”

No, our view is that with the enforcement spectrum the CRTC is already using, they don't waste their time on very small situations. They look for patterns of behaviour, very egregious spamming episodes, ones where the company is completely recalcitrant and doesn't respond to entreaties or notices from the commission, before they get to fining them. They have cut down at least one AMP substantially before.

We're not talking about lemonade stands. We're talking about big businesses, large retailers, large banks, and large telecom companies that send millions of emails a day. What is happening is that the law is restricting that to a list that only has express consent or implied consent if you're already buying a product or service. That naturally limits the lists. It naturally limits trying to get new customers if you have not built up your own leads. The decision was made to put consumers in control from 2014 on. We think it's the right decision, because if there are many people competing to get your attention, that spam builds up, and the only way to counter it is to put consent on the consumer side rather than on the business side.

It was said earlier today. It's the scope of what exactly a CEM is. Narrow the scope. Give a definition, and allow business to conduct business. The business-to-business communication really needs to be pulled out of it.

Mr. Smith already provided you the answer. There is a CRTC regulation that allows closed-loop social networks: if they post the information about how contacts will be exchanged on the site, they're pretty much exempt from this. At the moment, they're not really covered when you're within Facebook. I believe that's why you're not getting Facebook appearing before you here to say this thing is impeding their business.

I know this because we fought against it. We went to the folks at Industry Canada at the time and said we think there should be some kind of control from this act within Facebook and these other platforms, and they said no. At the moment, it's pretty much fair game as long as they post the rules.

I don't know if anybody has actually been hit with it. The question is more that they're unclear as to what applies. If you look at one of the small business exceptions, you're supposed to be able to send notices that are warranty related, related to a transaction, or required for legal or juridical obligations. At the same time, there's a regulation in there that says you have to add the unsubscribe mechanism in all the prescribed information. It should either be exempt or not. It's kind of halfway, which makes everybody question if it's a CEM. We don't actually know.

What ends up happening is they end up contacting their customers in other ways. They'll either phone them, or they'll put out an advertisement of some kind, or they'll contact them in a different way. They'll say, “We don't know what to do here, so we're not going to use that exemption.”

Oh, oh!

I didn't say that small business owners are lazy. They certainly aren't. I said that business practices where you are not getting consumers' consent post the law are lazy, and using old lists or buying lists that have no relation to your consumer base is a prohibitive practice, and that's what's lazy.

What should be the optimal environment, privacy versus business, is really at the base of your question, I think. The difficulty always faced when you're a legislator is trying to balance that public interest as expressed by different groups, and so business is quite right to say they want to just do business and we can trust them. The trouble is that we had 10 years of getting to this law, and it was pretty obvious you couldn't trust business because of the group send, if you will. There were so many businesses trying to reach people that the overall tsunami effect on consumers was just too much. When it gets malware and other bad payloads mixed in with unsolicited commercial messages, it's a stew that's just impossible for the consumer to manage at the consumer end.

I didn't mean to imply that commerce is bad, as I said. We think that, if consumers are in control, they'll receive the messages they want, they'll buy the products they want, and two years after a contract ends is a pretty long tail to be able to continue to try to entice that customer back to do business with you.

If I may, I'll just add that the CRTC is also not just sitting on their hands and scrolling through emails and saying, “Oh, there's no unsubscribe button here, let's go after that company”. All of their investigations are triggered by complaints, so these are Canadians who are taking advantage of the current regime and are filing submissions and complaints saying, “Hey, I got this. I didn't want it,” or, “It was misleading; it was deceptive. Could you look into this?”

Mr. Maguire, could I respond to that question as well?

Very briefly, the problem for small business—and for large businesses, but for small business—is that this law is too complex. You have a law that's very difficult to read. You have two sets of regulations, and because of all the difficulty, you have a RIAS that is probably longer than every RIAS in history. You have guidelines from the CRTC. Every time I sit down I have to reread it because it's so hard to keep in your head because it's not logical.

I've been in rooms where businesses have tried to figure it all out, similar to the representative from Desjardins. You have 25 people in a room, including five lawyers, going through every kind of email that's sent and trying to figure out if it's a CEM, trying to figure out how you get consent, and trying to figure out if you have the right unsubscribe. It takes that many people to try to figure it out, and you still can't get it right. To impose that on a small business, where it's not understandable.... These small businesses are not securities lawyers or tax lawyers, and this legislation is that complicated. Leaving aside just how onerous it is to comply, which I've dealt with and others have dealt with already, it's so complex that the average small business cannot figure out what they need to do.

I think I was referring to the private right of action.

That for sure should be completely pulled from the law, in our opinion.

The CRTC is sufficient.

We believe that the regulations in place and the exceptions referred to—warranty and that type of thing for contacting customers in the flow of a business relationship—are presently wide enough. If there are additional factors that have to be thought of, then doing that through a regulation is something that could be done quickly and easily. I don't believe you need to change the act or reverse the consent obligation on the consumer so that they have to opt out.

My concern is that small items will be blown up to completely change this act, and consumers then will bear the burden or the costs of pushing away spam, whereas we've decided to try to make the regime the other way. I'm not opposed to legitimate business concerns with compliance. The act has only been in place for three years. It's possible that there are some unintended consequences, but again, that would normally be done in the regulations, not by changing the act.

Those are good questions. If I could, I would like to spend just a minute on the question you addressed to Mr. Lawford.

One way of assessing the legislation is by comparing it to international norms. It was represented to this committee back when CASL was being reviewed that this legislation was the same as what was in Australia, the same as what was in New Zealand; that was incorrect. Although the law was somewhat modelled after that, the definition of CEM in those countries was closed, not open-ended, and the consents were not only expressed consents but included inferred consents without narrow, closed categories. If you look at international norms, even the closest norm we were trying to model was not in line with international standards. It was ratcheted up to make it even more of a straitjacket.

To get to your question, I think that is something somebody should really look at. In terms of cybersecurity, this is a problem with third parties inserting computer programs into systems and thereby hijacking systems, turning them into botnets or acquiring information, including—if you look at 142 million individuals' recent information in the Equifax case—2.5 million more. These are the kinds of things that the legislation does target, except that it doesn't permit the installation of programs where needed to combat cybersecurity.

I've always thought that, in addition to that, the legislation should actually permit the installation of counter-cybersecurity programs on the target that is attacking, in order to protect Canadians. I've also thought, as well, that ISPs should have the power to block foreign spamming sites and foreign malicious sites, to protect Canadians. It would be sort of an umbrella, if you will, to protect Canadians at large, as opposed to every ISP doing it or every organization doing it.

There's a lot that this committee could do, both with CASL and otherwise, to protect Canadians on cybersecurity.

I'm giving you an example of a situation where a charity like the CNIB—

I'm giving you an example.

But I have—

At the moment, the CRTC is working hard with other jurisdictions to try to cross-pursue, if you will, spammers on both sides. If the legislation is changed significantly to do with insulation of programs, they'll just have that many fewer tools to go after people pushing malware in Canada. It takes time for the enforcement authorities to work up their connections with foreign counterparts. They're concluding an MOU, as I understand it, and starting new work on that. It's going to take some time, but weakening the act won't help them with that goal.

How could we narrow the—

Absolutely, narrow the scope. There's an exemption in the law, which is a partial exemption that allows us to send without consent but requires us to have “unsubscribe”. All of those definitions should not fall under the definition of CEM.

Beat 'em up.

Thank you very much for the question. Being from Montreal, I appreciate the question in French, although I cannot respond in French because my French is too rusty.

With regard to your astute question about whether the exemptions apply or not, the problem is that there was a regulatory process that could have led to the exemptions applying.

There's an exemption for personal relationships. Personal relationship as it's defined as an exemption, a message from one person to another, is so narrowly confined that it really is someone who has an existing relationship and, pretty much, is exchanging views as a best friend. It doesn't include a situation where a person who lives on the same street sends a message to the friend's mother, for example. It's too narrow. It could easily have been broadened.

The family relationship doesn't permit the sending of CEMs to grandparents or cousins. It could easily have been broadened. A lot of these examples.... I did this one on whether you could actually recommend a dentist over Christmas. It just occurred to me. Could I actually recommend a dentist to somebody? Under the law as it appeared, it was impossible. It made me think it made no sense.

That is the kind of thing that could be addressed if the GIC regulations were revised. They could have a de minimis exception. They could more broadly define what is a personal relationship or a family relationship to take those kinds of situations, which should never be illegal, out of play.

I would add that we should keep in mind that the general rules of statutory interpretation call for a restrictive interpretation of these exemptions. In other words, despite the provided exemptions, we often end up having to stick to a restrictive interpretation, even when the intent is broader.

I'd be glad to do that. There is one other thing this committee might want to see. There is a charter challenge of CASL before the CRTC, and that charter challenge very explicitly identifies, both in the submissions and in the expert reports that were filed for the applicant, some of the problems with CASL.

If this committee would like me to file those materials, I'd be glad to provide them to the committee.

I can speak only for our business, and seniors are a large part of our business in Quebec.

Don't forget that we're under a tremendous amount of regulation. Our regulatory authority is the AMF, which checks for sound practices. We're under the Consumer Protection Act. There are various ways to protect seniors. Mr. Sookman mentioned personal information protection. We have all sorts of consents in place under those laws, and there are various other protections under consumer personal protection that protect seniors very well.

First, on the issue of the cost of compliance, we will have to forward you that information at a later date. We never bothered to establish a grand total.

Furthermore, having chaired the Desjardins Group's anti-spam committee, as Aïsha is doing now, I can tell you that we are talking about several dozen employees, since we have to include every branch, every caisse and every aspect of compliance, from legal affairs to operational risk. I will forward you this information as well.

On your second question, now, as to whether smaller companies can bear these kinds of costs, I would have to say that it would be unrealistic to think so. The Desjardins Group is a massive company, and even despite that, we feel the burden is much too heavy to bear. I think that more than answers the question.

We need to remember that every email and every piece of electronic communication we send is subject to the law. We need to ask the question every single time.

We need to ensure that everything is ready so that our 48,000 employees and 5,000 managers know what to do. It is not difficult to imagine how a small business might not have the resources to validate all that.

Of course.

There are individuals within businesses who are having trouble understanding it. Mr. Sookman described this fairly explicitly in a previous question, but essentially, you have multiple layers of text that you need to be able to follow. The act is very prescriptive, so you need to follow it very closely. Then you need to follow the regulations that came through Industry Canada. You need to pay attention to the CRTC regulations, to what the Competition Bureau has put out in terms of guidance, and to what the Office of the Privacy Commissioner has put out in guidance. You need to read the regulatory impact statement to get some understanding or context of why the law is there in the first place. Then you need to read the guidance from the CRTC, which in many cases hasn't been that helpful, because it doesn't give you a lot of guidance.

The problem is that the CRTC is both the enforcement agency and the guidance agency. The challenge for businesses in going back to the CRTC for guidance is that as soon as they open the door to say they have a problem, it opens the door to an investigation.

From a business person's perspective, if you are a small business and you have four or five employees, you as the business owner are likely the person who's going to be responsible for figuring out how to comply with this at the same time as running your business and dealing with all the other regulations that come across your plate.

When we're saying they're having difficulty complying.... They're having difficulty understanding the definition of a CEM, why they can't send a message to their neighbouring business saying, “Let's go for coffee.” They don't understand it.

What I suggested there is, just because there's a complaint, it doesn't necessarily mean there has been a violation. We don't know what those complaints actually look like. Maybe there should be some type of reporting back from the CRTC where these complaints are valid or these complaints are not valid. We don't understand that right now.

From our perspective, our businesses want to protect their own customers. They want to protect consumers, and there are ways of doing that.

There was a code of practice developed long before CASL came into play. That code of practice dealt with things such as making sure you are active on activating unsubscribes, for instance, or how the wording in the unsubscribes should be characterized. Most of the businesses I deal with were compliant with that code of practice.

That's a very good question. I did a very extensive blog post in terms of what I thought the structure should be for considering regulations.

In my view, it starts from looking at the structure of the act. The structure of the act prohibits a large swath of activities. You may not communicate electronically something that's in a category that's very broad, and then it has a very close list of exceptions. Recognizing that this impacts free speech, and commercial speech, is exceptionally important for Canadians, because free speech lets Canadians have information they need to make better choices. It also promotes competition in the marketplace.

Recognizing the value of commercial speech and that it is protected by the charter, and recognizing the structure of CASL, my point—when I talked about generous regulations—was not loopholes. My recommendation was, having regard to the way in which the legislation is structured, one had to recognize that there were going to be a myriad of situations that could never have been contemplated when you ban, take a “ban all“ approach.

That's why my recommendation was, in the case of doubt, we should not be trying to prohibit things that could in fact be advantageous and needed by Canadians. That doesn't mean in any sense of the word that we should have regulations that would permit malicious computer programs to be disseminated or the things that the government said they were really concerned about.

When I say generous, the regulations should have been viewed having regard to the freedoms that Canadians are entitled to and that are necessary for the proper operation of a competitive marketplace.

Of course, if we could have the privilege to have you as a customer, the purpose we aim for with the emails we want to send.... Obviously some are commercial, obviously some may be useful to alert you to fraud, to transactions that are being done in your account, if they're more commercial in marketing. My point as a business owner is to send you the most personalized, useful information that's targeted to your needs. And by doing that, I believe we're saving you some time by sending you information that you want.

Under the current regulation, that can still be sent because technically the bank has your implied consent. So those emails you're talking about are permitted today.

I think the objectives of the law are exactly those that you mentioned, and with good clear definitions, that could still be attained.

I think we need to be careful about conflating different types of messages. I don't think any of us would argue that it is important to manage emails that come through with malicious intent. So if there are ransomware attachments, if it's being sent through a botnet and it's attacking your system, it makes sense to have some legislation in place that allows enforcement agencies to deal with that. I think what we're talking about is messages that customers want. From a business-to-business perspective, there needs to be a certain amount of freedom to be able to conduct that business, to be able to prospect. If specific bulk emails are going to advertise a broad cross-section of people who may or may not have an interest, that's a different story.

You asked a good question. First,, the fact that the CRTC is there and prosecutes and publicizes prosecution does have some impact on behaviour. Contrary to what my friend said, I think some of their fines have been very high relative to the alleged infraction. Specifically on your question about the PRA, which is a good one, I don't have a problem with a private right of action in a calibrated piece of legislation. If the private right of action was effective against the people who were providing the malware, the spyware, the phishing problems—the real bad actors everyone agrees on, assuming you can find them and go after them—I have no objection to that. Nor do I have an objection to letting ISPs, which are bearing the brunt of dealing with this, have a right of action against the people who are the purveyors of the 99%. The problem I have is that when you have a piece of legislation that's extremely onerous, that's ambiguous, and we have the potential for class actions, we're creating a monster that is going to be very expensive for Canadians to address.

I applaud the government to have suspended the PRA while this committee does the work it needs to do. If, at the end of the day, the recommendation is to recalibrate the loss but it targets the things that it truly was intended to target and it has a PRA, so be it. Throw the book at these bad guys. I don't think anyone around the table disagrees with that.

I think we agree with you that consumers should have control, and that's what you're talking about. I own the device and I pay for the connectivity. That's the way the act is set up now. If it turns to opt out, consumers lose control. What you're going to get, if you lose control, is unsolicited commercial email. There's not only bad spam and malware, if you want to talk about illegal. There is also unwanted, unsolicited, commercial email, and the act covers that as well. That's an element of control that chafes against the thought that businesses should be able to contact people out of the blue. We support the control of consumers in that.

As for the private rate of action, it would have been a complementary aspect because, as I said in our remarks, a recalcitrant or aggressive spammer, somebody who's been told to stop over and over again, clearly fined in the past and continues to do so, or who is a hard-core spammer, needs to have the threat of millions of dollars outside of the administrative regime because some of those just can't be handled by the administrative regime. We've seen people set up shop in Canada who are very hard core.

I'll just end there.