Evidence of meeting #75 for Industry, Science and Technology in the 42nd Parliament, 1st Session.

Also speaking

Scott Smith  Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
Aïsha Fournier Diallo  Senior Legal Counsel, Desjardins Group
John Lawford  Executive Director and General Counsel, Public Interest Advocacy Centre
Alysia Lau  External Counsel, Regulatory and Public Policy, Public Interest Advocacy Centre
Barry Sookman  Partner, McCarthy Tétrault, As an Individual
Natalie Brown  Director, Desjardins Group

11 a.m.

The Chair Liberal Dan Ruimy

Welcome, everybody, to meeting number 75 of the Standing Committee on Industry, Science and Technology.

Pursuant to the order of reference of Wednesday, June 14, 2017, we are looking at the Canadian anti-spam legislation, CASL.

Today, we have Scott Smith, director of intellectual property and innovation policy at the Canadian Chamber of Commerce.

From the Desjardins Group, we have Ms. Diallo, senior legal counsel, as well as Natalie Brown, director.

From the Public Interest Advocacy Centre, we have Alysia Lau, external counsel for regulatory and public policy, and John Lawford, executive director and general counsel.

As an individual, we have Barry Sookman, partner with McCarthy Tétrault.

We are going to jump right into it. You will each have eight minutes to do your presentation.

We are going to start with Mr. Smith.

October 5th, 2017 / 11 a.m.

Scott Smith Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Thank you so much, and my thanks to members of the committee for having me here today. It's good to see you all again.

I'm here representing the Canadian Chamber of Commerce. I think you all know who we are. We represent a network of 450 chambers of commerce across the country, boards of trade, and over 200,000 businesses of all sizes, in all sectors, and in all regions. We're the largest business organization in the country. We also represent over 100 sector associations, so by extension we basically represent the views of the business community in Canada.

Since 1925 the Canadian Chamber of Commerce has connected businesses of all sizes, from all sectors, and from all regions, in pursuing public policies that will foster a strong, competitive economic environment that benefits business, communities, and families.

In 2014, making those connections became a little more complicated. I'll start by saying that none of the organizations I represent like spam. No one does, unless of course you're a spammer. If you regard spam as a massive intrusion of unwanted bulk email advertising sent into your inbox by nefarious criminals lurking on the Internet, then 10 years ago spam was a big problem. According to Trustwave, which is a global services company, in 2008 92.6% of global email traffic was spam. By 2015 that number had declined to 54%. In 2016 it was back up to 59%. But here's the catch. In 2008 much of the unwanted messaging was reaching your inbox; by 2016 it wasn't.

Trustwave is measuring the volume of traffic entering their servers and comparing spam to legitimate messages. The spam that's filtered out never reaches you. In fact, the ISPs managing all of your email accounts have gone to great lengths and expense to build filters with sophisticated algorithms that achieve a 99% success rate in eliminating spam.

The real problem now is cybersecurity. According to Fung Global Retail and Technology, and IBM X-Force, the total amount of spam found with ransomware attachments in 2015 was 1%; in 2016 that number jumped to 43%. The bad guys found a new platform.

While there are tools in CASL that would be useful in going after these bad guys, the breathtaking scope of CASL clutters the digital landscape and distracts enforcement efforts away from the problems that really matter. The trouble is that CASL does not define spam as a massive intrusion of unwanted bulk email. The law applies to everyone. It applies to multinational companies, small businesses, trade associations, charities, and individuals, and it captures single messages from one individual to another. While the private right-of-action provisions in CASL have been delayed from coming into force, the provisions still represent a significant risk to the business community down the road, assuming that they do come into force at some time.

The law regulates electronic commerce by restricting the use of electronic communications media to send commercial electronic messages. In effect, the law requires the consent of a recipient to send an email, text, instant message, or any other form of electronic message unless the sender has a narrowly defined pre-existing relationship. The law does not permit the sending of an electronic message in order to obtain that consent, so if you want to email somebody to talk about a business venture, even if it's one-on-one you can't send an email asking them to meet you for coffee.

In essence, CASL places unreasonable limits on free speech, it stifles innovation, and it puts the competitiveness of Canadian business at risk. On February 19, 2016, the National Post published an article saying that Canadians could no longer appear on Jeopardy! The Jeopardy! organization couldn't send a note to prospective contestants because they were fearful of violating CASL. It's a glib example, but it's illustrative of the challenges that organizations face when attempting to do business in this country. The law has been in force for about three years now, and I still get frequent calls from businesses outside of Canada asking what CASL is all about. More often than not, the choice of these businesses is to avoid the Canadian marketplace, after they find out the rules.

We released a survey about CASL earlier this week. It will be in the field for a few more weeks. I'll paraphrase from one of the comments we've received back so far.

Prospecting for new business is very difficult. It is almost impossible to track how long you can rely on implied consent for a lead and how you can contact them. The record-keeping required is also very challenging. You need a screenshot of where the email address or contact info was published, and you need to know when. There is no one-size-fits-all, off-the-shelf technology solution to track records of consent. It means we must make a huge technology investment. This particular company says they've done a lot to become CASL-compliant, including investing in the technology and legal advice, and from a marketing perspective, they believe that they are onside. The challenge is the sales team, as they feel very uncomfortable with where they stand in terms of documenting, contacting, and prospecting for new clients.

I'll get into a few specifics. Organizations are struggling with CASL compliance in the following areas.

First, they are struggling with the definition of commercial electronic messages, CEM, which is exceptionally vague, and could inadvertently cover many messages that are not commercial advertisements or promotion of a commercial product or service.

Second, CASL does not permit the installation of a computer program without obtaining express consent. We believe this will have, or has had, unforeseen, negative impacts on consumers given the fact that data analytics is now a massive global innovation opportunity that's likely being darkened in Canada because of CASL.

Third, the information requirements for acquiring express consent are onerous, as the system asks for a voice recording, for instance, for verbal consent, and this will need to be stored, tracked, and managed over time.

Fourth, managing the deadlines around implied consent is too difficult. There was an effort to make things more efficient by allowing certain types of implied consent, but that implied consent expires. The reality is, when you have multiple levels of messages going through the system and consent is going through third parties, managing unsubscribes is very difficult.

Fifth, many of the exceptions are too vague. For instance, in section 3(d) of the CRTC regulation, it states that:

Section 6 of the Act does not apply to a commercial electronic message... (d) that is sent and received on an electronic messaging service if the information and unsubscribe mechanism that are required under subsection 6(2) of the Act are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.

Most small businesses won't even read that.

Sixth, the record-keeping standard is difficult to achieve. According to regulators, consent can be achieved not only by digital or written format, but also through voice. However, section 13 puts the onus on the sender to prove consent. This has created a predicament for businesses. Even if they acquire valid consent, they will be unable to document it in a sufficient way, forcing them to abandon the message in the first place.

Seventh, the private right of action, which I've mentioned, is still a concern among businesses. The likelihood of a business being drawn into a class action lawsuit, even if they are in full compliance, would be a significant burden on that business.

Eighth, there is an issue related to vicarious liability. Section 53 creates potential personal liability for officers and directors of corporations that violate CASL where due diligence is the only defence. We view this as extreme.

Finally, there is an issue related to proportionality. The punishments don't fit the crime. Compliance agreements that have been implemented by the CRTC to this point have imposed massive penalties on legitimate companies that had minor errors in their attempts to achieve compliance. Instead of following along with the due diligence argument when companies were attempting to do the right thing, the CRTC fined them hundreds of thousands of dollars. The same is true in the case of very small companies that had infractions. Yes, they were out of compliance, but a $15,000 fine? This is a very significant amount of money for a small company.

I will wrap this up.

The government's objective in bringing this legislation was to “deter spam and other damaging and deceptive electronic threats such as identity theft, phishing”, and it “helps protect Canadians while ensuring that businesses can continue to compete in the global marketplace.” I would argue that CASL has not met that objective.

Disproportionate compliance spending hurts the Canadian economy. Businesses could be spending this money on innovation, hiring, marketing, and expansion, and I would urge this committee to take a stand on this legislation and make recommendations for a significant overhaul that will meet the objective of promoting a framework of effective electronic commerce in this country.

Thank you very much.

11:10 a.m.

The Chair Liberal Dan Ruimy

Thank you very much.

We're going to move to the Desjardins Group with Ms. Diallo.

You have eight minutes.

11:10 a.m.

Aïsha Fournier Diallo Senior Legal Counsel, Desjardins Group

Thank you, Mr. Chair.

Honourable members, on behalf of the Desjardins Group, thank you for inviting us to testify before your committee.

I am pleased to be here today to talk about something as important as the review of Canada's anti-spam legislation, which I will call CASL. It is an important piece of legislation for our industry, and it has a considerable impact on how we communicate with our members and clients.

As the Chair said, my name is Aïsha Fournier Diallo. I am senior legal counsel with the Desjardins Group, more specifically with its subsidiaries in property and casualty insurance that do business across Canada. My job is to support the validation of the legal risks associated with Canada's anti-spam legislation. Naturally, we are called upon to interpret the legislation every day.

Let me introduce Natalie Brown. She is the director of the caisse network and she leads a team that deals with credit card services, payments and litigation.

Although my remarks will be mostly in French, we will be happy to answer your questions in both languages.

First, I will say a quick word about the Desjardins Group because I would like to move on to CASL.

It was here, in Ottawa, that the idea for the Desjardins Group was born. Right next door, across the road, Alphonse Desjardins was a Hansard reporter for more than 25 years. After a debate on loan sharking, he got the idea to found a co-operative financial group that would address the needs of smaller depositors.

Today, 117 years later, the Desjardins Group is the largest co-operative financial group in Canada, and the 6th largest in the world, with assets of over $270 billion.

Our close to 1,100 caisses and financial centres in Quebec and Ontario, together with our online platforms and subsidiaries from coast to coast to coast, serve over seven million members and clients. It should be noted that a third of our service centres are located in less densely populated areas.

From heritage to insurance management, including business services, the group employs just under 48,000 employees and 5,000 managers.

That said, I would like to say what a pleasure it is to be among you today, honourable members, to share with you my point of view.

I came to Desjardins as a lawyer in 2013, about one year before the legislation came into force. I was able to witness the impact it had on what we do and how we communicate with our members and clients.

People's expectations towards communications have changed. Our modes of communication have also changed. Clients expect us to reach out to them in the most natural and effective way possible. You have to put yourself in the shoes of the consumer, which we do every day since we are in contact with them. They want emails and texts, and are looking for an easy way to connect with us.

This is why organizations should be able to communicate with their clients and their members without having to constantly worry about whether they are violating a section of Canada's anti-spam legislation. With every message we send, we have to ask: does my email or text comply with the law? Is it a commercial electronic message, a CEM? Do I have the necessary valid consent to send it? Is it excluded under the legislation? Is the prescribed information included in the email?

Imagine having to do this every single time you send an email to a member or client.

In the past, the government said, “Canadians deserve an effective law that protects them from spam and other electronic threats that lead to harassment, identity theft and fraud.” As Mr. Smith said, no one is against this. However, the law is far too broad.

People, like ourselves for instance, who work every day with this legislation while trying to support our business operations have been anxiously waiting for this review. We hope that the government will take advantage of this opportunity to undertake an in-depth review of this legislation so that it may achieve its goal, while at the same time finding a balance that will allow organizations that have legitimate reasons to communicate with their clients to do so without fear and with the benefit of more streamlined legislation.

CASL is one of the most restrictive pieces of anti-spam legislation in the world. It was a great idea, protecting Canadians from spam. No one likes spam. But in our view, there has been a chilling effect on marketing and business communications, primarily for four reasons: the lack of clarity and the interpretive issues that exist in the act that require either clarification or amendments to the law; the fact that it is an opt-in consent model piece of legislation, meaning that you need an express or implied consent to send commercial electronic messages; the incredibly steep administrative penalties that the CRTC can impose for violations of the act; and the possibility of lawsuits from consumers through the private right of action.

The interpretive issues and lack of clarity make it difficult for lawyers like us to provide firm advice to their clients and for clients to be confident that they are in compliance with the law. There is no room for error under CASL, and all are extremely cautious, therefore missing opportunities to communicate with the clients for legitimate reasons, particularly in the one-on-one context. It should be easy for small businesses and larger ones to understand CASL and to apply it.

I am going to give an overview of the major interpretive issues we have faced these past few years, and we will provide you with a brief explaining them in greater detail, because there are quite a few.

First of all, the definition of a “commercial electronic message” is so broad that it includes practically any commercial message, even if the message is sent to a client with whom we have a perfectly legitimate commercial relationship.

As I said earlier, with every message, its content and the context in which it is sent have to be considered. You need to be aware of things like hyperlinks in the emails, clickable logos, in short, anything that could be seen as promoting the image of whoever is sending the email, and that includes a lot of things. For example, the fraud prevention email we would like to send to our members and clients could be considered a CEM because of the hyperlinks it includes. If a hyperlink leads to our website where our products and services are advertised, we have to ask whether it compromises the email by turning it into a CEM, which is prohibited.

The fact that our clients have to consult us before they send an email to their clientele with every new initiative and new campaign or innovation complicates things a great deal. We need more clarity to make sure that the nature of the messages we send, like the fraud prevention email, cannot be misinterpreted, even if they include hyperlinks, logos or elements that promote the Desjardins Group.

We feel it necessary to clarify the definition of CEM and to relate it back to the legislation's original purpose, which is to protect consumers from spam and the electronic threats that could lead to harassment, identity theft and fraud. Essentially, we need the assumption to be that Canadian companies have no ill intent when they communicate with their clients, and focus rather on the truly problematic communications.

I am now going to talk to you about the notion of consent and related provisions. As you know, the law requires express and implicit consent. Some of the provisions around implicit consent are a bit murky, and as a large financial group, we need to know who can benefit from this consent. Therefore, we recommend an opt-out option; that way, we would administer an unsubscribe mechanism instead of getting bogged down with consent management.

There is still one more area I want to cover. Earlier, Mr. Smith mentioned that subsection 6(6) is unclear. Indeed, some emails that shouldn't even qualify as CEMs are prohibited under this subsection.

Finally, I would like to mention the private right of action provision. We are very happy that it was suspended and we think it should be completely struck from the act. As a regulatory body, the CRTC can interpret the act. We believe that it is better to defer to such a body on matters of interpretation instead of overwhelming the courts.

I would like to thank you once again for inviting us to testify today. I sincerely believe it is possible to find a balance that would allow organizations to communicate more freely with their clients while at the same time protecting the interests of Canadians.

11:20 a.m.

The Chair Liberal Dan Ruimy

Thank you.

We're going to move now to the Public Interest Advocacy Centre.

Mr. Lawford, the floor is yours.

11:20 a.m.

John Lawford Executive Director and General Counsel, Public Interest Advocacy Centre

Thank you, Mr. Chair.

The Public Interest Advocacy Centre, or PIAC, is a national, non-profit organization and registered charity that provides legal and research services on behalf of consumer interests, and in particular, vulnerable consumer interests, concerning the provision of important public services.

PIAC has been active on the spam file since before the anti-spam task force was constituted in 2004. We testified before this committee in relation to then Bill C-27 in 2009 in support of the legislation. We supported the legislation as passed in 2010.

Our message today is simple. Canadians benefit from some of the world’s strongest protections against spam. Canada’s anti-spam legislation generally keeps business from sending spam unless the recipient has provided express prior consent and can easily unsubscribe. This is the great Canadian innovation. Trust consumers and citizens to control their privacy in the marketplace, not marketers.

Has CASL been working for consumers? Currently, the CRTC is receiving about 5,000 complaints a week about email marketers not respecting CASL. One report from spring 2015 found outgoing spam volumes from Canada dropped 37% and overall email volume, spam and legitimate email, received by Canadians also dropped about 30% in the immediate period after CASL came into full force on July 1, 2014.

Since then Canadians have enjoyed the control of their email and other electronic communications by giving their consent to email, texts, and other electronic messages only to those companies with which they deal and by being able to unsubscribe from any email list that they wish.

Companies can still reach Canadians via email. There is no commercial email ban. Consumers buying products and services or who reach out to the company in question can expect two years of emails before the existing business relationship is deemed stale and the emails must stop. While consumers have a valid contract with a company, emails are allowed during the contract and for two years after that contract ends, unless of course the consumer unsubscribes on the handy link on each of these emails.

If a company does not follow these simple rules that put consumers in control, consumers can report the spam by completing a complaint form at fightspam.ca. As mentioned, up to 5,000 consumers a week file complaints.

Spam still wastes consumers’ time and reduces their confidence in electronic commerce, as it continues to deliver not only irrelevant, unrequested marketing but also deceptive and fraudulent messages and malware. What is different now is that the CRTC, Competition Bureau, and Privacy Commissioner of Canada can pursue companies for doing all these things.

Alysia.

11:25 a.m.

Alysia Lau External Counsel, Regulatory and Public Policy, Public Interest Advocacy Centre

Enforcement of CASL relies on a spectrum approach. The CRTC, which is the main enforcer, issues information on compliance, educates business associations, and then if there are problems, issues warnings, reprimands, seeks voluntary consent orders, and finally if necessary issues administrative monetary penalties, or AMPs.

In PIAC’s view, contrary to the opinion of some of the other parties here today, CRTC enforcement of CASL has been very generous to offenders and in some cases, nearly to the point of being weak. Companies are given many chances to change their practices. When more stringent sanctions are required, AMPs are often set at well less than the maximum possible due to the consideration of many mitigating factors, which are outlined in CASL. I will add here that of the undertakings published on the CRTC website, only two exceed $100,000. Those are for Rogers Media and Porter Airlines, which are not your typical or your average small businesses. Yet the CRTC does have the authority to impose an AMP of up to $10 million per violation for corporations. Finally, all offenders are permitted to challenge AMPs before the CRTC, which can reduce, and has reduced, the recommended AMP.

The committee should also note that the government has apparently indefinitely suspended the bringing into force of the private right of action in CASL, which would have allowed consumers to sue particularly recalcitrant or aggressive spammers. Marketers, and in particular those marketers that act responsibly while attempting to adhere to CASL, therefore face little prospect of any significant AMPs or other sanctions.

11:25 a.m.

John Lawford Executive Director and General Counsel, Public Interest Advocacy Centre

We therefore find it disingenuous that representatives of companies and marketers are here today to say that CASL is somehow bad for consumers and commerce. Instead, we believe CASL is bringing some control to consumers in their electronic interactions with marketers and that consumers in control are more confident and better consumers. That should help commerce.

Instead, marketers are here to defend stale lists and lazy marketing. CASL sets reasonable limits on the contact that marketers can have with consumers without first asking consumers for permission to continue to market to them. That's all it does. It does not sabotage legitimate commercial relationships between consumers and companies.

Were CASL to be repealed or the consent requirements flipped to require consumers to opt out of marketing as before, then CASL would truly be useless. We would return to the days before the anti-spam task force and consumers' feelings of helplessness in the face of ever-increasing spam volumes. CASL now is working fine. We suggest you leave CASL alone.

If one thing has not been done right since CASL was introduced, it has been insufficient information gathering. Since CASL does not require spam volume to be reported by ISPs, although they may report it to the CRTC, Competition Bureau, or Privacy Commissioner, nor by the spam reporting centre, and CASL does not require that any of this information be made public or provided to Parliament directly, we are here today largely in the dark regarding evidence of the effect of CASL on spam and other electronic messaging. This committee could recommend a more robust and public spam reporting mechanism that would allow all parties and academic researchers to evaluate the effect of CASL upon objective evidence. That at present is sorely lacking.

PIAC thanks the committee, and we welcome any questions you might have.

11:30 a.m.

The Chair Liberal Dan Ruimy

Thank you very much.

Finally, we're going to move to Mr. Sookman.

11:30 a.m.

Barry Sookman Partner, McCarthy Tétrault, As an Individual

I thank the committee for inviting me here today. What you are doing is very important. CASL is flawed and needs re-examination.

I am a senior partner with McCarthy Tétrault. I am also an adjunct professor of intellectual property law, and I am on the advisory boards of the Macdonald-Laurier Institute and CIGI. I am here today in my personal capacity.

I have been closely involved in CASL for many years. I appeared before this committee when it first examined CASL, and I pointed out that CASL was so flawed that it would, among other things, literally have made browsing on the Internet illegal.

I worked with officials trying to fix CASL at the committee stage. I was extensively involved in the regulatory process, the first and second consultations on the regulations. I made a personal submission to the committee.

I have been extensively involved in advising clients from all sectors of the economy, including large and small businesses, charities, the educational sector and other not-for-profits, the media, and software companies on how to comply with CASL.

I know what's happening on the ground and the impacts CASL is having.

CASL is, and is seen as, complex, disproportionate, and wrongly focused. To be frank, it is ridiculed by many organizations. It is particularly onerous for small businesses.

CASL's overbreadth makes communicating over networks illegal or legally uncertain in countless situations that Parliament could never have intended.

Let me give you a few examples. Take a start-up business that wants to use a public trade directory to email prospective customers and investors. This is most likely illegal under CASL, and it especially hurts small businesses trying to grow and develop new markets. To take another example, a person leaves his or her former employer to start a business or join another business and wants to email former clients, patients, customers, or former colleagues to let them know. Or the person wants to email an old schoolmate the person used to be good friends with. That is illegal under CASL in many cases.

It also deprives individuals of the valuable connections they have, which are important to their livelihoods, and it deprives recipients of information they would want to know. I would want to know if my doctor moved.

Say a charity or not-for-profit wants to continue sending newsletters to someone it has been sending them to even before CASL became law. If the newsletter is funded in part by the inclusion of only one ad, say, a vision correction device ad in a newsletter sent out by the CNIB, the charity likely has to cut off the recipient unless it can find a donation by the person in the last two years or a record of obtaining express consent. Records weren't kept before CASL came into being. This deprives individuals, including the most vulnerable, from receiving information they want and need. It is also illegal under CASL to send an email asking people if they want to continue to receive emails, including from the CNIB.

Organizations want to send out Christmas cards to current and former clients, customers, and colleagues. They want to include a corporate logo and tag line promoting the organization. These items by themselves may make these cards CEMs, because they promote their businesses. If the recipients haven't expressly consented to receiving CEMs and haven't done business with the organization in the last two years, the cards likely cannot be sent. So much for Christmas cheer and keeping in touch.

A new online newspaper wants to send trial copies to members of the public. In the physical world, a publisher could leave complimentary copies in mailboxes. It's illegal online if the paper includes a single ad or if it asks people if they want to subscribe. This is especially unfortunate as it hampers establishing new media, something we need to foster in this world of fake news, as a healthy press is critical to our democracy.

There is a business-to-business exception in CASL. It has a number of conditions. It applies to organizations but not to individuals carrying on business as sole proprietorships. CASL operates in a discriminatory way for no good reason—in this case, discriminating and hurting small businesses.

CASL makes it illegal for a child to email neighbours promoting his or her lemonade stand, to ask if they want a babysitter, or to ask if they can mow their grass to earn a little school money. Its breadth is not subject to any de minimis or reasonable limitation. Do you want your kids not to be able to promote their lemonade stands?

A person wants to send a CEM using an SMS. Even if the person has consent to send the message, the person can't legally do it because the character limits don't enable people to include all of the identification and unsubscribe information the CRTC regulations prescribe. The person might try to comply by including a hyperlink in the message to a website, but if the person doesn't have a website—which not every young small business has—and can't find a tool that lets them shorten the hyperlink, they effectively can't use SMS messages. CASL effectively impedes the use of the modern messaging systems it purports to regulate.

These problems all flow from CASL's flawed structure, which prohibits a broad range of communications subject to a limited number of exceptions. The computer program provisions also have many difficulties.

What's happened in the real world and not the theoretical world of those people who conceived of CASL? CASL has had no material impact on the purveyors of damaging and deceptive spam, spyware, malware, and other related network threats, which were the stated objectives of CASL. As a practical matter, the burdens fall on legitimate businesses. Many businesses have invested and continue to expend resources to comply with CASL, and it's not easy for the reasons Natalie Brown explained. Use of electronic messaging is chilled, because organizations don't know if they can send messages, and they are very concerned about the excessive AMPs that can be levied.

What should this committee do?

My most important recommendation for this committee is to assess all the provisions of CASL against the government's justification for it. CASL was repeatedly represented during the legislative process and the regulatory process as a law targeting the most damaging and offensive type of spam and malware, yet these prohibitions target ordinary commercial electronic messages and computer programs that have nothing to do whatsoever with malware.

Given that CASL impairs freedoms of expression in Internet communication, I urge this committee to recommend that CASL be recalibrated to what it was really intended to do, and that is to deal with the really bad actors.

I'll just say one more point because I realize, Mr. Chairman, that you have already given me a substantial indulgence, which I appreciate. If CASL were recalibrated, the CRTC could reallocate resources to deal with the real problems Canadians have. We have a real problem with cybersecurity and a real problem with malware. That should be the focus, not legitimate businesses like Desjardins that want to continue to communicate with their customers.

Thank you, Mr. Chairman.

11:40 a.m.

Liberal

The Chair Liberal Dan Ruimy

Thank you very much.

We definitely have a lot of information to go through today, so we are going to jump right to questions.

Mr. Jowhari, you have seven minutes.

11:40 a.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Thank you, Mr. Chair.

Good morning to all of you. Thank you for coming.

This is a very important piece of legislation to me, because in my riding of Richmond Hill we have over 7,000 small businesses. The majority of them have one to four employees, and they use the Internet extensively to be able to promote their products and services. They don't have the budget to be able to hire a large marketing company. Therefore, this legislation directly impacts a large portion of the businesses in my riding.

Having said that, I just want to quickly highlight the area of interest I want to explore with each one of you.

Mr. Smith, you touched on cybersecurity, consent, PRA, and proportionality. I really want to start with cybersecurity with you. I have a question for each one, so if you could limit your comments on cybersecurity to about a minute, I would really appreciate it.

Can you expand the area of concern? You touched on it, and then you went to other areas such as consent. What's the concern with cybersecurity, and what's a recommendation?

11:40 a.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

The concern around cybersecurity is that most of the messages that contain things like ransomware.... That's the big thing that we are hearing about right now. All of these breach.... There is personal information being stolen, and identity theft issues, but the big one is around ransomware, and it's going after businesses. From our perspective, that's the big concern.

I'd give you a statistic on the volume of messages that now have ransomware attached to them. They are coming from other countries; they aren't coming from Canada. The reality is that the anti-spam legislation is never going to touch or solve that problem by going after businesses in Canada. For the most part, they are not coming from here.

11:40 a.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Who is ransomware going after, specifically? We know it's coming from outside Canada. Which target audience is it going after?

11:40 a.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

It's going after anybody who can pay.

11:40 a.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

I have a large number of senior people in my riding, and they are getting attacked by these types of ransom emails. Is this something that we should be focusing on?

11:40 a.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

Absolutely. There are a number of things that can be done to solve that, but not necessarily through legislation. There is education, an awareness challenge, and I think there is a certification option out there now that businesses could undertake, which would help prevent some of the attacks they are experiencing.

11:40 a.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Ms. Diallo, you specifically talked about lack of clarity, the consent model being very complicated, steep penalties, and the PRA. I want to go back to the lack of clarity. I know Mr. Sookman is saying, basically, that we should just wipe the whole thing and start again, but if you could help us.... Which area of the legislation do you feel needs the highest level of clarity?

11:40 a.m.

Senior Legal Counsel, Desjardins Group

Aïsha Fournier Diallo

The first one is definitely the definition of CEM. It's too broad: any message that “encourage[s] participation in a commercial activity”, including promoting the image of a person. That's much too broad. That would definitely be the first one.

11:40 a.m.

Natalie Brown Director, Desjardins Group

I would like to add to that. An email that facilitates, completes, or confirms a commercial transaction is deemed to be a CEM. I can give you two examples of emails that are sent in the context of sound business practices and that would fall under that definition.

We are an issuer of credit cards. If I want to alert by SMS the owner of the credit card that they are approaching their credit limit, or even surpassing it, I can't send it because it might be a CEM. As a co-operative, I want to warn my cardholder. That's a good, sound business practice.

Another one is under new technologies. I want to be able to offer electronic signature at a distance, and I want to send a password for the electronic signing session to my client, but the transaction hasn't been completed yet, and that's a CEM. It's much too broad.

11:40 a.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Perfect.

I'm going to go to Mr. Lawford. In your recommendations, you mentioned that one of the areas you are concerned about is insufficient data. Can you specifically tell us what data are missing, what data we should be collecting, and what the focus of that data should be?

11:45 a.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

There are a few spam studies out there, from the Netherlands and other places, where they've set up spam traps. There are emails that have never been used by anyone for anything, but researchers set them up, and they end up trapping only spam because they have never been used for legitimate email. The spam reporting centre doesn't quite work that way. It gets emails forwarded by Canadians who think something is spam. Then there is a third source, which is just ISP spam volumes, which I think Mr. Sookman told us about, where a lot of it is caught already.

There needs to be more coordination work at the CRTC enforcement end, to work with academics, ISPs, and their own enforcement people to give us a coherent picture. At the moment, a lot of it is presented in a very restrictive way, if you will, from CRTC. We have little scraps, but we don't have an overall picture.

It's hard for us to say.... For example, today I would have loved to come and say that since CASL, the volume of spam that consumers receive has gone down 35%. I can't say that. I don't know. It's hard to prove a negative.

11:45 a.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Thank you.

I have less than 45 seconds left, and I wanted to ask you a lot of questions. You specifically said, “complex, disproportionate, and wrongly focused”, and a number of other things. I want to talk about “disproportionate”. Can you expand on what you meant by that?

11:45 a.m.

Partner, McCarthy Tétrault, As an Individual

Barry Sookman

I'm glad to do it, and if I can in 10 of my seconds, I want to deal with the cybersecurity issue, because CASL makes it very difficult to combat the problems facing Canadians. Unless you're a telecommunications service provider, you can't install computer programs that would combat a cybersecurity threat without express consent, and if you're a software provider, it's also illegal to transmit updates that would protect systems used by Canadians. So CASL could really be improved in that area to let companies protect their consumers.

11:45 a.m.

Liberal

The Chair Liberal Dan Ruimy

Thank you. I'm sorry, we're out of time.