Industry Committee on Oct. 17th, 2017

You could subpoena to them.

I'll start by providing some advice to the CRTC about helping organizations comply. The CRTC does not issue findings or decisions that provide the rationale for the fine or the circumstances in which the offence or violation took place. That contrasts with the behaviour of the Privacy Commissioner, who provides very helpful, very meaningful findings explaining the perspective of both parties as well as the commissioner's interpretation and outcome. That is what we need in order to better understand the law.

For clarity, there isn't one enforcement body, but rather three, so it's quite complex. There's the Competition Bureau, depending on the provisions; the CRTC; and the Office of the Privacy Commissioner of Canada. In fact, depending on the nature of a particular activity, you could have multiple investigations going on. The CRTC—

Well, it can be cumbersome. The CRTC clearly has the necessary tools to appropriately enforce against bad actors. That, again, is not our issue. Our issue is enforcement against the good actors, that and their not being subject to disproportionate penalties for technical, immaterial violations. That's it.

I agree with Mr. Kardash on this. There are three agencies. I don't have any sense that the particular agencies themselves represent the problem at this point in time.

Again hearkening back to when we were working on the report, we met with authorities from the United States and talked to various people who were involved in groups such as the one known as M3AAWG, which brings together people engaged in enforcement activities around the world. What they needed was a Canadian representative who had the tools and the power to essentially play ball in the same way that they were able to.

For many years pre-CASL, we weren't in a position to do that. We are now, so the fault doesn't lie with the legislation, but to the extent to which enforcement hasn't been as good as it needs to be, it lies with the agencies themselves.

I think the enforcement agencies are the right bodies. I think they have the right tools, which I feel they may be applying in a disproportionate manner, as I mentioned in the opening remarks. We didn't receive a warning letter. I spoke to my colleagues at Porter. They had an experience similar to that of Rogers. There was no warning letter, and it went straight to the investigation and punitive damages immediately.

I think, speaking to the point of the colleagues here on the panel, that more guidance and tools could be issued from our enforcement bodies to help businesses.

That's my comment.

I would say that the CRTC is the right body, but to some extent it is hamstrung by the legislation itself and the regulations, because it doesn't have a whole lot of flexibility in some cases because they are so prescriptive.

The other piece that's missing is that the CRTC hasn't made a concerted effort to partner with industry, to learn from industry. Some of our recommendations, those around making the private right of action focused on telecoms or other bodies that actually bear the costs of spam, would be able to bring these other industry actors into the game to help reduce spam for everyone and truly partner with CRTC.

No. The evidence we received was that it wasn't about who was doing the enforcing. It was about the penalties. It was clear if you took a look at some of the weak laws, say, in the United States, just like the CAN-SPAM act, fundamentally if you were a spamming organization, you just weren't all that fussed about the law, because there weren't really tough penalties behind it; whereas Australia put some real muscle behind it, and it changed the risk analysis that those organizations engaged in.

I would say the private right of action, if it were to be brought back in legislation, should focus on the deliberate actors who are doing more of the egregious things, such as deliberately disseminating malicious software, engaging in false or misleading advertising, or email harvesting. Those are really what the private right of action should focus on.

As I mentioned previously, we would say the private right of action should be targeted toward the companies that bear the costs of spam and allow them to partner with CRTC in enforcement.

Often the networks' email providers can tell you who the bad spammers are. They are the ones in the best location to often find them, and so if the private right of action were changed to allow them to partner with CRTC, to themselves go after and recoup the costs from the spam on their own networks, that could help everyone and help the law be more successful.

I'm going to pick up on that with one other point, and that's to say that we pay not just for that but also in terms of the spam we receive. I would disagree with respect to Mr. Messer's point that somehow it's the telecom providers or the ISPs that bear the cost. No. We bear the cost, and we all know about the problems we have with affordability of Internet access and the kinds of data charges we face. When we looked at this, we saw that ISPs were up front, and they could give a per-customer cost in terms of what they were paying for the technology, the bandwidth, and the equipment they needed to deal with these issues. We pay that cost in the very high fees we face. As for the idea that somehow it's just the Rogers of the world, I'm sorry, but it's not.

In terms of the enforcement, you're absolutely right. From my perspective, it is very difficult to understand why there was a tool in the tool box that would have effectively outsourced some of this enforcement. We recognize that it would be very effective, given how nervous people are about the prospect that people would actually try to engage in this sort of enforcement, and yet we took it away and left it solely to an agency that hasn't done a good enough job, with the costs being borne by the public and the taxpayer.