Industry Committee on Oct. 17th, 2017

Thank you very much.

I'd like to start by thanking everyone for inviting us to speak on what I think is a very important issue.

I'm the co-chair of the technology group at Osler, Hoskin & Harcourt, and we advise a broad range of clients, from start-up technology companies to some of the largest companies in the world. What we've seen with CASL is legislation that has really challenged us, both in terms of advising clients and in terms of having clients who want to comply with the law but who truly have difficulty understanding what's required and fitting what the law prescribes into a business reality.

My perspective is that, although very well intentioned, CASL is flawed. That really stems from the fact that it's overly complex, very prescriptive, and very broad. I think it's really important to point out that it undercuts some other very important public policy objectives. I'll name just a few.

CASL has increased cybersecurity risks because it places restrictions on when updates and patches can be installed to fix security issues and vulnerabilities.

Also, it has unlevelled the playing field among Canadian businesses, including many of the technology companies that we're looking to support and to see become global players, because it creates a regulatory burden that competitors in other markets don't face.

We see this in the installation of computer programs. If you set up operations in Canada, you need to comply globally with the rules in CASL in terms of any installations you might send to your users or install base, whereas if you're in the United States or another jurisdiction, it's only the installations made on computers in Canada that need to comply.

This isn't a trivial point. The rules with respect to computer programs are quite complex, and they're unique. They're very much made-in-Canada rules that are not reflected in the laws of other jurisdictions.

I think it's fair to say that CASL creates unnecessary red tape and compliance costs. At a time when we're looking to see how red tape can be reduced, you could say that CASL goes in the opposite direction. It's really the small businesses that bear the brunt of this red tape, in that they have difficulty understanding what the law requires, and they're having difficulty using the most efficient means of communicating—which is electronically—with their customers.

There's also a question as to whether CASL is constitutional. There's no question that it impinges upon free speech. The questions a court would ask are whether the restrictions are proportional to the harm, and whether the restrictions minimally impact on the right of free speech enshrined in the charter.

I think that when we look at CASL's regulatory reach and prescriptive rules, we can say that full compliance becomes next to impossible. There's no shortage of circumstances in which you can say that it doesn't make sense to comply with the rules in the context of day-to-day business operations.

I think this is exemplified most strongly in the computer program provisions. I'm a technology lawyer. I work very closely with technology companies that are trying to comply with the rules. Again, these are unique rules. No other country has adopted rules as broad as the ones found in CASL, or as prescriptive.

The real question is this. When these rules were conceived, it was really in a world of laptops and hand-held devices, but we've moved to a world where the Internet of things is the buzzword. We have devices that are permeating all of our different day-to-day interactions. Many of these devices do not have user interfaces through which you can request consent. Many of the manufacturers of devices, whether they be automobiles, fridges, or TVs, do not have a direct relationship with consumers, and that makes the request for consent challenging.

I can provide a few other examples of where CASL creates just really practical problems. The question is whether it's sensical to require companies that sell online exclusively—they're online businesses—to provide an unsubscribe mechanism in the transactional messages they send to consumers. You're confirming a transaction that you've just completed and you must, under the rules in CASL, include an unsubscribe mechanism.

Essentially, that leads to confusion for the lawyers, the companies, and consumers. I'm providing this example because it highlights how prescriptive CASL is and the way that prescriptive rules, however well-intended, don't necessarily have the intended effect.

We can look at text messaging, in which we have a very limited number of characters available to us. Because CASL prescribes exactly that contact information, identity information, and an unsubscribe mechanism need to be provided, you're really not left with anything to communicate to consumers vis-à-vis text messaging.

It's also important to ask how effective CASL has been at addressing spam, spyware, and other online threats. The truth is that we have very little empirical information, so there's very little that we can point to in terms of statistics to show the impact. A 2015 report published by the security firm Cloudmark is often cited. It did an analysis of email traffic in Canada following the coming into force of CASL. Interestingly, it showed that there was a reduction, but the reduction was largely due to decreased use of messaging by legitimate companies. I don't think that was the intent of the legislation. We're trying to encourage digital activities, not reduce them.

What other things can we say about effectiveness? We know that phishing emails remain very prevalent and the related cybersecurity concerns are growing, and growing for good reason, because this has become an epidemic. So we know that CASL hasn't been effective at preventing those types of risks. We also know that enforcement by the CRTC has largely been against legitimate companies rather than against the bad actors, the fraudsters.

We can then ask ourselves how we got here, with well-intentioned legislation that has had a questionable impact on fighting the harmful spyware and spam that the legislation was really intending to address. I think we can look back and say that there was broad three-party support for the legislation. There was largely support from industry, from civil society, and from academia, since fighting spam and spyware is a critical objective. However, I think we can also be truthful and say that it hasn't been a success. There has been a chorus of complaints about the complexity and the prescriptiveness, and about how it doesn't work in practice. We want legislation that encourages participation in commercial activity, and we can't say that CASL has facilitated that.

The opportunity today is for all three parties and all stakeholders to work together and to identify fixes. I'm going to identify four fixes very quickly.

First, the regulatory reach of CASL needs to be narrowed. We need to focus on harmful spam and spyware, and we need to be very clear that this is the intent and purpose.

Second, we need to ensure that there's a meaningful implied-consent exception. Rather than having a prescriptive rule, which is the way it's expressed today, we need to introduce flexibility. As with our federal privacy legislation, PIPEDA, we need an approach to applied consent that's based on a contextual assessment of whether it's reasonable. This will in no way undermine the efforts to fight the harmful stuff. Rather, it will introduce the flexibility that business needs.

Third, we need to reduce the prescriptiveness. There is too much in the way of prescriptive rules for what we can clarify through general principles.

Fourth, with respect to the private right of action, rather than having standing to sue left with anyone who receives a message that doesn't comply, we should provide the companies that are in a position to go after the bad actors the opportunity to supplement the efforts of the CRTC and place standing to sue in their hands.

Thank you for your time. I look forward to receiving any questions.

Thank you.

Good morning, everyone. First of all, I would like to thank you, Mr. Chair and members of the committee, for the opportunity to speak with you today.

My name is Adam Kardash and I am here on behalf of IAB Canada, a not-for-profit association dedicated exclusively to the development and promotion of the rapidly growing digital marketing and advertising sector in Canada.

IAB Canada represents over 250 of Canada's best-known and most respected stakeholders in the digital advertising and marketing sector, including advertisers, agencies, digital publishers, social media platforms, and ad networks. Our members include numerous small and medium-size enterprises.

To put it simply, CASL requires significant amendment, so the work of this committee is very important to IAB Canada, as CASL impacts every one of IAB Canada's members. Our trade association has been closely and actively involved with CASL for years, including through formal submissions on CASL regulations and meetings with government officials, and through hosting CRTC information sessions for our members.

My brief introductory comments this morning are based on my experience as counsel to the IAB as well as my personal capacity as the head of Osler, Hoskin & Harcourt's national privacy law practice. Our team, together with our firm's technology practice, led by Mr. Fekete, has dealt with hundreds of mandates involving CASL across all sectors, in particular the digital marketing and advertising sector.

The main theme of my comments this morning is that while CASL was intended to build trust in the digital ecosystem by deterring spam, malware, and other nefarious activity, there is widespread acknowledgement that there are serious and fundamental issues with CASL's regulatory framework that need to be carefully considered and appropriately addressed, mainly by significant amendments to the statute.

We're offering the following three recommendations for the committee's consideration with regard to the changes necessary to CASL's statutory regime.

First, we urge that the committee, in its review of the act, focus on narrowing the incredibly broad scope of CASL's application. In our view the expansive scope CASL's framework is fundamentally flawed. Instead of just targeting nefarious activities, CASL is structured to regulate virtually all electronic messaging activity. CASL could be effective if it applied only to bad actors or egregious activities, as opposed to regulating wholly legitimate messaging activities that nobody considers unwanted, let alone spam.

By way of just one example, consider that CASL doesn't just regulate marketing and promotional messages. Rather, the statute, as my colleague Mr. Fekete just mentioned, applies even to certain administrative or transactional messages that provide solely factual information about an account, a product recall, or even safety. Stunningly, CASL requires that such messages contain an unsubscribe or opt-out mechanism. This is totally confusing for consumers and businesses. Nobody would ever consider these types of messages to be spam, yet companies that don't offer an unsubscribe option for these types of administrative messages would be technically violating the statute.

CASL definitely needs to be amended to expressly exclude these and other wholly legitimate types of electronic messages from the CASL regulatory regime. CASL's broad scope has resulted in an incredibly and unnecessarily complicated statutory regime, as legitimate electronic messages are subject to the consent, notice, and unsubscribe requirements and penalties under the statute unless they expressly fall within one of the several highly technical exceptions set out in the regulations.

From our day-to-day experience, it can be a very time-consuming, complicated exercise, and, for small businesses especially, an expensive undertaking to interpret and navigate CASL's provisions in this regard.

Moreover, in terms of scope, while the display of online advertisements is not subject to CASL as the display of an ad is not sent to an electronic address, statutory clarity of the scope of application in this regard is critically required. CASL simply cannot apply to the display of online advertising, because it would be practically impossible for organizations involved in the online advertising ecosystem to comply with the act's prescriptive requirements.

In our view, without question, the scope of CASL needs to be clarified and could be appropriately narrowed without imperiling CASL's intended goal of fostering trust.

Second, we urge the committee to recommend the elimination of unduly prescriptive and technical requirements in CASL that are either ambiguous or, often, very impractical to implement and totally unnecessary in order to achieve the policy objectives of the statute.

One example for the committee is that when an organization is seeking express consent, CASL requires organizations to provide a whole bunch of specific and detailed contact information and a statement about how individuals can withdraw their consent at any time.

This may sound like a totally innocuous requirement, but these requirements are more strict than what's required for a valid express consent under privacy legislation and they pose very practical compliance challenges when, for instance, companies seek a valid express consent over the phone or in person, such as at a retail store when you're just trying to get out of the checkout line.

These and other unnecessary notice requirements need to be removed from the statute. They don't benefit consumers, and there's no reason why a company should be exposed to regulatory enforcement, let alone class action litigation, for failure to comply with a technical requirement by providing a statement that says you can withdraw your consent at any time. It makes no sense. These are technical and wholly immaterial violations of the statute as currently constructed.

We urge the committee to recommend that any consideration of the issues raised by CASL be done through the application of CASL's provisions to very specific-use case scenarios.

We cannot overstate the significance of this suggestion. If you examine the actual impact of CASL on legitimate, daily, electronic messaging activity, you—and not just you but also ISED—will see through real-life examples on a case-by-case basis that there will be a drastic need to address a myriad of very impractical, ambiguous, technical, and unnecessary provisions. Over and over again the application of case studies sheds light on this.

Third, we want to make a specific recommendation regarding the private right of action. As was anyone who has actually spent time trying to comply or to help companies comply with CASL, IAB Canada members were very grateful for the deferral of the private right of action coming into force.

In short, CASL in its current form with the PRA, the private right of action, is a perfect cocktail for unnecessary litigation. CASL's overly expansive breadth of application, prescriptive technical requirements, ambiguous drafting, and the right to sue with no proof of harm would have set the stage for plaintiffs' counsel to commence a stream of class action litigation, including meritless and frivolous class action lawsuits. There's a payday for plaintiffs' counsel in such class action activity.

IAB Canada is strongly urging the committee to carefully review the private right of action, including narrowing the PRA as a remedy only in circumstances involving bad actors and particularly nefarious and egregious violations of the act.

I'll conclude my introductory comments at this time. On behalf of IAB Canada, I thank you again for inviting me here this morning. I would be pleased to answer any of your questions.

Thanks very much.

Good morning. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I served as a member of the national task force on spam and appeared before this committee in the development of CASL. As always, I appear in a personal capacity, representing only my own views.

The hallmark of fraudulent spam, from get-rich-quick schemes to body-part enlargement promises, is that while it contains something that seems unlikely, people still often want to believe the claims. Over the last several years we've experienced something similar with respect to anti-spam legislation, in which the claims of doom often just don't add up.

A perfect example is the frequent suggestion that somehow the neighbourhood lemonade stand would be affected by CASL. Now, stop and think about this for just a moment. Politicians admittedly might be an exception to this, but how many of us have email addresses for all of our neighbours? How many would think to actually not only collect all of those email addresses, but then email the entire neighbourhood about a lemonade stand? Like spam, it takes a claim with a kernel of truth—the need for consent to send commercial messages—and then moves into a world of fantasy. Long-standing scare tactics, ones that pre-date even the drafting of the legislation, are not the way to assess this law.

In my view, there are really three questions that lie at the heart of the assessment of CASL: Is there a harm or risk that needs to be addressed? Does CASL help solve the problem? And even if the answers to one and two are yes, is the law still too onerous?

Let me try to answer all three.

First, is there a harm or risk to be addressed? I think the answer to that is obvious: absolutely. Let me point to three examples. First, malware, spyware, and phishing attempts have emerged as exceptionally important cybersecurity issues and they are caught squarely by CASL. Today these efforts may be state-sponsored or simply criminal. Consider the impact of phishing attempts in the last U.S. election that successfully gained access to thousands of emails at the DNC and may have helped change the course of U.S. political history; or the massive malware cases such as WannaCry, which have affected millions, caused millions or even billions in damages, and put hospital and banking systems at risk. We need effective laws to counter these threats, and they are unquestionably part of CASL's ambit.

Second, I think we all recognize the importance of e-commerce. The success of e-commerce depends on trust, trust that our information will be used appropriately, and trust that online sellers will deliver what is promised. The concerns associated with fraudulent spam extend beyond just the losses that can occur from those individual messages. They undermine the potential success of all e-commerce activities by undermining trust more broadly.

Third, the public is increasingly aware and, I would argue, concerned with their privacy and the use of personal information. Our major trading partners, particularly the EU, have tried to address these concerns through tough new laws. CASL isn't separate and apart from PIPEDA; it is a foundational part of the legislative response to the risks of misuse of our personal information. At its heart is the need for informed consent, a standard the establishment of which is long overdue.

Now, does it work? I would start by saying I wish we had more data. I think the failure to collect extensive data is a serious mistake by officials who should have been working with the spam research centre, Internet providers, email service providers, and law enforcement to collect data. The need for more data provides a reminder that the work of policy-makers doesn't end just because the legislative process concludes. There are, however, several studies and reports that provide valuable data on the impact of CASL.

The committee already heard from Mr. Fekete about the 2015 Cloudmark study, which found significant declines in spam, with 29% less email in Canadian inboxes, and a 37% reduction in spam originating from Canada. I'd be happy to debate and explain why that's actually a good thing.

Further, one of the core concerns about Canada's anti-spam framework before CASL was our inability to co-operate actively with global enforcement actions. Our task force heard that without a comparative spam law, Canada risked becoming a spam haven, without the legal ability to assist partner countries in investigations and enforcement. CASL has unquestionably addressed this issue, ensuring that Canada is no longer an island in the fight against spam. We have international enforcement agreements with four countries, and MOUs with 12 agencies in eight countries. But perhaps most telling—and I don't believe the committee has heard about this yet—is the ROKSO list, the register of known spamming organizations, which is maintained by an organization known as Spamhaus. The ROKSO list identifies the top 100 spamming organizations, which are responsible for 80% of the spam worldwide. I have to tell you that the existence of this kind of list came as a surprise to me and to many other spam task force members, as it confirmed, surprisingly I think, that we actually know where the leading spammers are.

Further, we learned that Canada was a notable home for these spamming organizations.

When CASL took effect in 2014, Canada was home to a disproportionate number of spamming organizations, with seven of the top 100 spamming organizations in the world located in Canada. Today, three years later, there are only two remaining. There may be several factors behind the decline in the top spamming organizations in Canada, but the existence of a tough anti-spam law with real penalties is surely one of them.

This data confirms CASL's effectiveness, and in this regard it should be emphasized that the goal of the law was never to eliminate all spam from our inboxes. No law can do that, just as no technology can eliminate spam or fully protect us from malware, spyware, and phishing. Rather, the goal was to reduce the spam that originates in Canada with the hope that other countries would do their part. In that regard, the law has been a success.

Finally, is the law overbroad? I have to say that CASL complaints have always struck me as a bit odd. The complaints typically focus on the many exceptions in the law, claiming they are too narrow, restrictive, or difficult to interpret. The real narrowness has often come from the interpretations that have been provided.

Consider the issue of charities. ISED Minister Navdeep Bains stated the following in the press release announcing the decision to delay the private right of action: “Canadian businesses, charities and non-profit groups should not have to bear the burden of unnecessary red tape and costs to comply with the legislation.” But the CASL regulations state that section 6 of the act does not apply to a commercial electronic message sent by or on behalf of a registered charity, which has as its primary purpose raising funds for the charity. In other words, charities already enjoy a broad exemption under the law.

Similarly, the committee has already heard from others about the supposed need for a business-to-business exception, yet the law already states that this section does not apply to a commercial electronic message sent to a person engaged in a commercial activity consisting solely of an inquiry or application related to that activity. That exempts legitimate business-to-business commercial electronic messages.

I'd say that even this focus on exceptions is misplaced. Businesses rely on exceptions where they don't want to comply with the foundational obligation that is in the law: consent. The law is clear: if you get informed consent, there is no need to go searching for an exception to apply to your activities. When you hear complaints about narrow exceptions or calls for more, that complaint is fundamentally about the ability to use that personal information without informed consent by leveraging an exception. I'd say that's bad policy and bad for privacy.

To conclude, these remarks aren't meant to suggest we can't do better. We need better data; we need better awareness of the Spam Reporting Centre; we need the agencies to engage more directly with businesses about the true requirements of the law; and we need better enforcement, including the private right of action. I would also suggest that we need a strong anti-spam law with real penalties that is based on informed consent to deal with a very real threat. That law is CASL.

I look forward to your questions.

Thank you, Mr. Chair.

I am Deborah Evans, associate chief privacy officer for Rogers Communications. I welcome the opportunity to appear before the committee and provide input into the review of Canada's anti-spam legislation.

CASL has increased consumer protection but it is not perfect. This review provides a valuable opportunity to ensure that the legislation can give greater certainty to consumers and businesses interpreting CASL.

When we reflect on the last three years, there are certain provisions that could benefit from further clarification. Specifically, there are three areas in which Rogers would like to see changes: improving enforcement and ensuring proportionality of administrative monetary penalties, reducing the ambiguity with regard to content and wording of the act, and eliminating the private right of action.

The current structure of CASL empowers the CRTC to enforce compliance through a range of remedies, including the use of AMPs. While we acknowledge that there are benefits to enforcement through the use of AMPs in more egregious cases, the current process has not been without difficulties. For example, all companies in both private and public sectors are faced with unintended information system errors. When consumers are impacted, they notify companies directly in the majority of cases, but they also go to the CRTC's spam reporting centre.

During this committee review, we have heard that warning letters are often issued for violations requiring corrective action. This was not the experience of Rogers when faced with a CASL investigation. We were given no warning at all.

Rogers is an established Canadian business with systems and processes in place to ensure that we comply with all applicable laws and regulations. Nonetheless, we were investigated and signed an undertaking that involved a significant payment. This undertaking was required despite Rogers having identified and resolved the minor issues impacting our customers prior to the investigation. Under CASL, we were not afforded an early resolution process prior to investigation and penalty, unlike similar processes of the Privacy Commissioner, the Advertising Standards Council, and the Canadian Transportation Agency.

When enforcing penalties, the CRTC considers the history of violation and the ability to pay when determining an AMP. We recommend that this approach be revised, and that penalties be linked to the severity of the infringement, not the ability to pay. In the case of the first violation, where an organization's act of non-compliance is an unintended information system error, the CRTC should always issue a warning letter or citation. This would be a more appropriate way to tackle infringements that are inadvertent.

If there are subsequent violations, there should be an established framework to determine the level of fine based on the proportionality of the violation. AMPs would then increase with the magnitude and frequency of the infringement. For example, a deliberate malware dissemination would warrant a much higher penalty than would sending a CEM that omits a required field. For every subsequent violation of the same nature, the fines would grow in severity. The large majority of Canadian companies want to comply with the legislation. Unfortunately, due to uncertainty in the wording of the act, many Canadian businesses have employed an overly cautious approach to communicating with their customers in order to avoid being subject to enforcement activities. This is compounded by uncertainty regarding the application of AMPs, and the high punitive nature of the maximum fine.

In reviewing the act, and based on Rogers' experience, there is an opportunity to provide clear guidance and to remove ambiguous wording. We have heard witness presentations during this review, which have outlined concerns with the lack of clarity in the definition of a CEM and computer programs. We support these positions. As well, there are other areas where the act could provide more clarity for businesses. For example, the current wording in subsection 6(6), states that notification-type emails, such as messages to tell you that your mobile device is roaming, are exempt from consent requirements. However, such messages must include an unsubscribe mechanism. There is no reason why legislation created to regulate electronic commercial activity should be applied to non-commercial messages. These types of notification messages do not fall within the statutory definition of a CEM and should not be subject to consent or message form requirements.

We recommend removing subsection 6(6) from the legislation to limit the scope of CASL to commercial electronic messaging only. As well, guidance material from the CRTC should be produced to give greater certainty as to what types of messages are not CEMs. Additionally, the current definition of electronic address should be updated. We are in the age of new technologies and digital advancements. The overly broad definition has added an additional layer of complexity for Canadian businesses.

We recommend providing a clear and specific definition of electronic address. In particular, the reference to “any similar account” should be removed. As well, we recommend issuing guidance material indicating what is excluded from this definition.

We support the decision by Minister Bains to suspend the PRA. It is unnecessary and does not represent a proportionate response to the stated objective of CASL, namely increased consumer protection. The three agencies responsible for enforcing CASL provide sufficient protections for consumers. The PRA allows any person affected by an alleged infringement to sue for actual damages of up to $1 million per violation with no requirement to demonstrate harm.

Currently, the PRA has the potential to create an environment that encourages consumers to pursue Canadian businesses that may have experienced an unintended informational system error rather than targeting deliberate spammers, many of which operate outside of Canada. Rogers supports eliminating the PRA from CASL. It creates an environment for frivolous lawsuits and is not an efficient use of Canadian courts.

As the committee has heard, most Canadian businesses want to comply with CASL. Well-intentioned companies should not be associated with those that are deliberately and maliciously ignoring the act. If the PRA is to continue, the government must ensure that it is specific enough to target those intentionally acting outside the legislation.

In summary, we propose the following: that first-time offenders be issued a warning letter if the violation was the result of an unintentional error; that penalties be based on a framework of proportionality in which fines increase with the severity and frequency of the infringement; that subsection 6(6) be removed to limit the scope of CASL's commercial electronic messaging; that the definition of electronic address be updated to remove the reference to any similar account; and that the PRA be removed since it is unnecessary.

Thank you for the opportunity to participate in this review. I'm happy to answer any questions.

Sure. I can start on that at least. From speaking to companies in our association, small and very large, I would say it inhibits innovation because it's confusing, and people don't know what to do. So you have a great idea and then you go and say, “Oh, can we do this?” But the requirements are so complex and there are so many exemptions and small requirements here and there that companies don't know what to do.

For instance, I was speaking to a very large company yesterday. They wanted to send out a text message to their clients about the wildfires out west, saying “if you send us a number back with this hashtag we will match your donation.” They wanted to do this very quickly to get donations to the Red Cross, but they got stuck internally because everyone said, “Wait—does this fall under CASL or does this not? If we include a hashtag that mentions—”

It makes companies less likely to take innovative steps and to change the way they're doing business. It makes them stop and think, and it makes them shy away from innovative activities.

If anything, when we're talking about something like IoT, that's an area in which we particularly need stronger privacy rules and clear knowledge of how our information is being used. Let's recognize what that is.

If we're talking about giving companies the right to listen in through our televisions or through our smart fridges or our coffee makers or whatever it happens to be, the notion that somehow we need greater flexibility and consent.... Let's understand that for years we had that flexibility and consent under law, and that was effectively code for consumers agreeing to things they were not aware they were actually agreeing to.

If we want to see innovation and consumer acceptance of these kinds of new technologies, consumers need to know when their information is being collected and how it's being used, and the messages that go back and forth are part of that.

No, it's not an inhibitor.

Certainly.

Most of us can tell from our own inboxes that spam filters and cybersecurity mechanisms put in place by ISPs and by email providers and email programs have gotten much better, certainly over the past decade. These are only improving as technologies such as AI feed into cybersecurity. Moving forward, they will advance and our inboxes will be safer before we even get there.

Certainly. Many ISP and telecommunication service providers do have spam filters on their network to try to identify keywords that will block out spam. Obviously the system isn't perfect, and spammers who are deliberately trying to reach you to do nefarious things are quick to act and get around that.

In a similar example, not related to CASL but to spoofing of telephone calls, we put in a fix to eliminate a telephone number that someone has been spoofing. The spammers know and they've moved on to another one. They're quick acting, and we're just keeping pace with them.

We have to do our best to keep our customers happy.

If we want our digital economy to grow and be stronger, we need to make it better aligned with our competitors. As Michael noted, Canada's software provisions are an outlier compared to those of the rest of the world. The requirements in CASL are completely different from the requirements in CAN-SPAM, the U.S. legislation, which is much more principles-based.

If we want to build a strong and robust digital economy, we need to be engaging with the world and not inhibiting our companies by putting in unnecessarily strenuous requirements; and we need to be working through organizations such as the OECD, APEC, and the G20 to develop interoperability where we can, because the ICT industry really is the most globalized industry in the world.

I'd note that CAN-SPAM in the United States is aptly named, because you can SPAM.

The reality is that the task force had the opportunity to look at some of those other laws. The idea that Canada should emulate a law that is universally regarded as entirely ineffective strikes me as problematic.

If anything, what we are seeing is jurisdictions moving towards stronger rules. Australia, for example, saw the spam problem that was happening locally and adopted the strongest anti-spam rules at the time. It found that, within short order, much as we've experienced with the reduction in major anti-spamming organizations, they left Australia because the penalties were so high that the risk changed their analysis of whether it made sense.

If we're thinking about whether these kinds of rules are getting tougher, just take a look at what's taking place in the European Union with the GDPR, which has far tougher privacy rules that are applied not just in the EU but around the world.

I'm not saying Canada should have the weakest rules or go to the lowest common denominator at all. We should find ways to work with our allies and other countries to develop interoperability so Canadian businesses are not unnecessarily hampered.

Certainly. I want to agree with Michael that we need strong privacy rules that govern the collection of information, and we have a federal privacy statute that sets a very strong standard in terms of how to do that based on principles and a flexible approach with strong guidance provided by our commissioner.

When we think about the computer program provisions, Michael is right to say there are times when personal information is collected, but that's where PIPEDA applies already. There are many times when updates to computer programs do not result in collection of personal information. In those instances, you have to comply with very prescriptive rules that don't match the rules in any other jurisdiction. If you want to focus on where Canada is hamstringing innovation in Canadian business, you can look very closely at the computer program rules and ask yourself why no other country has copied our approach.

We have a very robust compliance program that follows the guidance that has come from the CRTC.

With regard to employees, we have embedded a culture of CASL compliance in all employees who have are responsible for sending commercial electronic messages. Those employees are required to know what they have to do to comply with the law. They get robust annual training on how to comply with the law. We have tool kits available to them and job aids to help them.

We have a centralized database. We have an online preference centre for our customers to go in and self-manage their communications from us according to types of communications and lines of business. I couldn't put a dollar figure on specific costs, but it is something that's embedded in the corporate culture.

I'll just reiterate my opening remarks. I don't think there is anything more telling, to be honest, than knowing that Canada was once truly a haven for large spamming organizations responsible collectively for more than 80% of the spam generated worldwide, with a disproportionate number of those organizations hosted in Canada. Today we can't say that anymore. The decline from seven of those organizations two days before CASL took effect in 2014 to only two organizations today—and that's still two too many—speaks volumes about how the law intended to try to address the amount of spam being generated in Canada and sent either to Canadians or around the world and how it has clearly had an impact in reducing the number of those organizations situated here in Canada.

From our perspective and our investigation, we had an issue for a short time on our business-to-business publishing side, where an “unsubscribe” was not functioning as we had intended. We had put in place robust processes prior to deploying the email regarding how we compile our lists—the form, the content, everything to comply with the legislation. We sent out some communications. Unfortunately, it didn't operate as we'd intended. We heard from some of our customers, and we immediately looked into the issue. We resolved it in a matter of days of it having been brought to our attention. It's not in our best interests to be out of compliance with the law. We want to be seen as good corporate citizens—not as a company in the same boat as Compu-Finder, which, as you pointed out, has been a known spammer forever. We're a well-intentioned, established business.

One of the most surprising things is that the large spamming organizations operate with impunity and very often in the open, something one wouldn't expect. One of the reasons they do this has to do with the lax laws that exist in many countries. It's recognized that one of the only ways to deal with some of those large players is through tough anti-spam laws. We've seen a couple of countries, Australia and now Canada, that have been able to effectively drive some of those organizations out by passing some tough laws.

At the heart of the problem is the risk equation. If you are a spammer, you are in a sense off-loading just about all the costs onto consumers. We pay for all of this, and I would argue that legitimate businesses, large and small, pay too, because people's trust in the system is undermined by all of this. What we need is an effective system that will benefit large and small businesses alike, while increasing the costs for some of the scammers out there, so that they either leave the jurisdiction or stop what they're doing.

I find it somewhat discouraging when we hear people coming before committee saying that what we really need is to reduce the tools we have to enforce this law. Private right of action is a good illustration of this. You can't say, on the one hand, that the rules are too tough from an enforcement perspective and that we need ways to sort this out, and then say, on the other hand, that everything is going really well so we don't need a private right of action.

PRAs have been used in other jurisdictions and they can be used effectively.

Yes, we're at the same law firm, but I'm also counsel to the Interactive Advertising Bureau of Canada.

We're different organizations.

Mr. Geist's comments focus fundamentally, and correctly so, on bad actors. The issue we're raising is not with respect to bad actors. No one likes spam, certainly none of our members. We can speak about our client base. None of them like spam. It's extraordinarily costly for business. Bad actors should be appropriately punished. That's not the issue, which is what's fundamentally raised. We're talking about a legislative scheme that applies to all legitimate activity. That is a problem compounded not only by sheer scope but also by very complex prescriptive rules that, when you look at real life examples, don't make sense for small business.

We agree that if there's a bad actor, such as those spammers that are now gone from this country, the punishment they would get through a very focused private right of action or another remedy makes sense. What we're talking about and what our members are concerned about is the expansive scope of a legislative regime that applies to everything. Through a very complicated scenario, you're effectively playing Whac-A-Mole when trying to understand the legislative scheme, because it says everything is covered except for things that aren't.

That's correct.

I didn't say that, but you're right. The rules prescribed by the CRTC indicate that in any request for consent, you must state that a person will have the opportunity to withdraw consent.

Subsection 6(6) does not deal with a computer program. It deals exclusively with electronic messaging.

I can give you other examples: a safety recall message or a notification saying your bill is now available.

I think we need to look at what our international trading partners do. They don't regulate all computer program installations. They regulate malware and spyware. There are unintended consequences of having an overly broad approach, and those are the consequences that I fear are undermining the innovation.

Other jurisdictions regulate malware and spyware, as they should and as we need to, but they don't go and regulate all other messages. They certainly regulate collection of information, personal information using computer programs, as we have with PIPEDA and as we will continue to need to do. We go that much further than anybody else does.

A decision was made to regulate the installation of all computer programs except for those specifically exempted by regulation.

I'd turn it the other way around, and focus on the bad stuff.

Yes, section 6.6 is exactly what I was referring to.

Yes, expressly exclude the messages contemplated in section 6.6 from the definition of commercial electronic messages.

Yes.

CASL applies to the sending of commercial electronic messages to electronic addresses. The definition of electronic addresses expressly contemplates email accounts and instant messaging accounts and telephone accounts.

It's a display, yes; it's not sent. It's completely outside the ambit of the legislation.

There were comments unfortunately made by the CRTC and in the RIAS statement by what was then Industry Canada about the potential application to IP addresses, which is not, in our view, there, and you cannot have this legislative scheme apply.

We need scope of clarity.

It was a similar point made—

That would be devastatingly bad, yes.

Well, it wasn't unclear until statements were made by the CRTC and in the RIAS about the potential concept of electronic addresses applying to IP addresses. That's totally outside the scope of this.

No.

That's right, 100% correct.

Yes. On a number of Internet of things-types of devices, implied consent is really the only way.

Implied consent as a principle would be good to put in the legislation more generally, as it is in PIPEDA, because having it will make the legislation more flexible and more nimble. The CRTC will be able to issue guidance, and companies will be able to ask questions.

Exactly. It will provide more flexibility. It will make it easier for companies to ask questions, and to learn from each other.

You're speaking about a case scenario in which a company goes on, or an individual....

I'll just speak generally. The act contemplates various circumstances in which you'll have authority to reach out. The entity in question could have gotten express consent under the act. There are very prescriptive requirements to do so, as I mentioned before, but they could rely on express consent. Or there are a series of implied consent provisions, which are very detailed, and which say, for instance, that if you made a purchase within the last two years, you're able to reach out and do so; or if you have a written contract, for the duration of that contract and two years thereafter you can reach out. So assuming it's a commercial kind of message—

Now, depending on the message—and this illustrates the complexity—either subsection 6(6) might apply or one of several exemptions could apply. It depends on the very specific context.

I think the problem is, as Mr. Geist has mentioned, we really don't have enough information. We have some statistics that are quite old, from 2015, to suggest there's been a reduction in overall messaging, including of legitimate messages. To Mr. Masse's comment, the question we have to ask ourselves from a policy standpoint is how we ensure that it is a privilege to use electronic means to communicate, much as it is a privilege to collect, use, and disclose personal information. It's not a right. It has to be, however, through a balanced framework. What I am personally suggesting is that the framework as reflected in CASL doesn't strike the appropriate balance, and that there's an opportunity for all stakeholders and all parties to work together to get the balance right.

I just note—and it's come up now a couple of times—that there's this notion that there are the really bad actors, the spamming organizations, and everyone is in agreement that we have to target them; and then there's an attempt to characterize all the other businesses as not being bad actors. I don't doubt for a moment that Rogers, my carrier, is not a bad actor, but I will say that if you are sending me messages when you have not obtained my consent that is a bad act. I think we have to recognize that there are lots of legitimate businesses that may even still want to comply but that are, I would argue, misusing our personal information without obtaining appropriate consent. That's a bad act, and that's what the law's designed to target. If we contemplate moving back to implied consent, then we're right back to where we started from. The task force looked at whether or not PIPEDA was effective in dealing with spam, and the conclusion was that it was not. One of the core reasons was that implied consent just doesn't work in this context. It will be obvious to all of you, given the number of times, I'm sure, you've received messages from a legitimate business while you can't for the life of you understand why you're getting this message. The reason is that these businesses often rely on implied consent to be able to send out those messages.

Sure. I'll start that off for you. Thank you.

I think what we're seeing is that there is subsection section 6(6), which we spoke about, which says that in these scenarios, you can send the messages to the customers. You don't need consent to send the messages, but they must follow the form and content of CASL requirements, so they must have an unsubscribe mechanism.

My point is that certain messages we will send to our customers either because we're required by law to send them or because it's the good customer experience. For example, if you need to know something from us, we'll send it. To put the unsubscribe at the bottom gives the wrong impression; it creates confusion for consumers. When I'm required to send you a message and I put in the unsubscribe, and then you click on it, you think you're unsubscribing. But really, are you unsubscribing? I'm still going to send you the message, because I'm required to send the message. It creates confusion.

I've heard from other businesses that they just don't send those types of messages because they're not sure how to do that. Maybe they've resorted to other means of contacting their customers, such as direct telephone calls or direct mail. I would argue that's a negative impact and an inadvertent, unintended consequence.

Regarding public safety messages, there's an exemption in CASL that will allow messages to be sent for public safety reasons, but there's confusion created by the requirement to have an unsubscribe in a message that the business is still going to send the customer because they're required to send it or it's.... For example, you need to tell the customer if they signed up for online billing that their bill is available for them to look at. How are they going to know their bill is available otherwise? If they're unsubscribing from it, and then you send them the next month's bill, that's where the problem is created.

You asked how we can have this confusion. I think we've seen it happen on this panel just in the last number of minutes.

The panel was asked a question that I thought Mr. Kardash effectively responded to with the use of a case from Mr. Jeneroux. He started by saying that if you have explicit consent, you can go ahead and do this, and then he proceeded to talk about the various exceptions.

The problem is that we get bogged down in the various instances of how you can do this if you don't get someone's consent. The starting point again and again in many of these instances is to get consent. If we're talking about something different, not about the ability to message but instead this potential for confusion with an unsubscribe, surely that's an issue that can be fixed for a public safety message. It's not that we can't send it, but there's an unsubscribe issue. That is a far cry from the doomsday scenarios this committee has been hearing about in the last number of hearings, moving from “Can you please fix an unsubscribe mechanism in a public safety message?” to somehow that e-commerce is going to stop in Canada if this law continues.

I think the first point is that we need to simplify the law. We need to make more clear what it applies to and to make it more flexible and adaptive, so that you can explain it to a business and they'll understand it and say, “Oh, this what I need to do to comply.”

As people on the panel have been mentioning, part of the problem is that there is a range of things that are exempt or not exempt, and in some circumstances they work, but in some they don't. This is why businesses, large and small, need lawyers and consultants: to tell them how to comply.

It's no surprise that a lot of people fall asleep when they start hearing about it or ignore it if they don't have to pay attention to it, because people who do have to pay attention to it are—rightly—very confused by it. I think the first thing needs to be simplifying it and making it easier to comply with.

After that, of course, the CRTC needs to become a partner in this. They need to reach out to business.

I agree with that. I agree with the premise of the question, and I think it's a question best posed to the enforcement agencies as to why they haven't targeted those—

My comment is twofold.

One, I think the CRTC has failed to target, as I think you rightly point out, the remaining large spamming organizations. From my perspective, it's inexplicable, given that we know where they are. It was amazing when the law was being crafted and we had at least one large Canadian-based spammer who was openly blogging and laughing about it, and in a sense almost urging enforcement, and yet we haven't seen that. I do think they've fallen short in that regard.

On the other hand, I certainly have some amount of sympathy for large businesses that say they feel they're being targeted. I think in some ways it links a bit to your first question on how we can ensure that businesses are at least aware of the legislation. There is, I think, a certain element which is that the CRTC is going to go after some of the bigger fish, so to speak, partially because they ought to know better—they have the resources to do it—and partially I think because that may actually assist in ensuring there is the effect of having many other businesses becoming more aware of their obligations under the law.

I'm happy to tell you that as a task force we met with law enforcement regularly. It was a real challenge at the time in regard to convincing them that some of these issues rose to the level of deserving some of their attention and the use of their scarce resources.

Years later, when we take a look at what we've seen, particularly in some of the malware cases, let's say, and some of the other major sorts of cases.... It's not that I think we should be looking for law enforcement to say that they're going to take everybody off their existing jobs to focus on this, but there are serious implications, not only economic but political and otherwise, and I think real resources need to be put to the issue.

I want to pick up on that notion that back in 2004 we couldn't or wouldn't have predicted necessarily the rise of social media and some of these other technologies. I think that's true. In fact, the committee recognized that there was a rapid pace of change taking place. Ironically, based on the recommendations we are hearing today, we were urged to adopt as much of a technologically neutral approach as possible. The idea was to not limit this just to this narrow band of what is seen as spam, but rather to ensure that the law can be effective as some of these technologies change, which is why there is that ability to be effective against spam, spyware, malware, and potentially even some of these new technologies.

One of the discouraging things that I'm hearing now is that the recommendations are, “No, don't do that. Get as specific and narrowly tailored as possible. We don't need to have that broad base on some of these issues. It's too broad in scope.”

That was seen by many as a feature, not a bug, back when we established this. I think one of the ways to ensure that the law is effective and relevant as things change is to ensure that it can be applied as some of these things change. I would certainly point again to things like IoT and those sorts of technologies. The idea that we would bring those technologies into our homes without effective protections against misuse of our information is a real problem.

I would like to take a different perspective. There is no question that we need effective privacy legislation. The discussion and the points that Michael is raising are about privacy, agreed. That's why we have PIPEDA. That's why we have a very active, internationally respected privacy commissioner who sets out guidelines and provides direction based on very technology-neutral legislation that is based on principles.

The problem with the anti-spam legislation is that it's not based on principles; it's based on very prescriptive rules that don't necessarily work in these new environments. The Internet of things is a great example. If you don't have an interface through which you can get consent, how do you comply? There is an unintended application of these prescriptive rules to a technology we didn't fully understand or didn't see in the way that we see it today. Our privacy legislation provides the framework for technology-neutral legislation that is flexible to allow for technological change. CASL isn't that legislation, because it's overly prescriptive.

We have to fix the prescriptiveness. We have to make it more principle-based to achieve the outcomes that we all agree are necessary to protect consumers and to ensure that businesses don't exploit the privilege of contacting individuals or the right of installing an update to a computer program.

I think there would be broad support if the private right of action were targeted on the truly bad actors, and we had a situation where we weren't combining a private right of action, broad standing to sue, and statutory damages, because that's where the potential for frivolous class actions becomes most prevalent. Narrowing the scope and enabling private enforcement against the bad actors, I think, is something that would be broadly supported.

I completely agree, as I said in my opening remarks.

I think we need to understand that the existence of the private right of action under the law is not an accident. We looked at other jurisdictions which had it, and then spoke to organizations that had used it and found it was effective.

In the United States, where you see some of these actions, we spoke to organizations that had used the law, and they found that the misuse, sometimes of their domain or other sorts of spamming activities, declined after they brought those actions. That was why we brought it in.

I think we can speculate about all the potential misuses of the private right of action if it were to come into place, but with a less litigious society, typically the United States—and we've actually seen effectiveness there—from my perspective, I thought we surely should have at least seen how it worked. That's what these kinds of hearings are for—to see if it has been creating unintended consequences and if we think there is an opportunity to fix it after the fact, rather than taking away what was viewed as an important element in the tool box to try to deal with the problem.

Certainly. When you look at PIPEDA, businesses can look at it and figure out whether or not they are in compliance. They usually don't have to hire a lawyer to do that, and they have a relationship with the Privacy Commissioner, to whom they can reach out. It's much more of a partnership to make sure they're in compliance.

A more principles-based approach along those lines for CASL would help businesses be more willing to reach out and make it easier for them to comply, as opposed to saying, “Is this far enough along that it is a transaction? If I say these words, does it count as commercial?” There are a lot of very finite details, and it's difficult to tell.

Yes. A principles-based approach will give companies a little more confidence that they are leaning this way or that way, so they'll be able to have confidence in their decision and then develop a history and guidance to help them. For instance, if you use a hashtag in a transactional message that says your company's name, does that mean it's partly an advertisement? There are a lot of questions to which there aren't really clear answers. From my members' experience—

Let me give you two real-life examples.

The law tells you how you must request express consent.

You have to say this is my business name, and this is my mailing address and either my email address, my web address, or my telephone number. And I must say that you have the right to withdraw consent, or you can withhold your consent, or pull it back later.

If I don't ask it in that specific way, with that information, the consent is not valid, so—

That's a great example.

Another example is on implied consent. I'm in full agreement with Dr. Geist that we need a strong consent regime, but there has to be a willingness to look at the circumstances and ask whether it makes sense for this small business to send a message to a customer based on a prior relationship.

Absolutely. If I've made a purchase within the last two years, you can send me a message, but if I've subscribed for a free service—I didn't buy anything—maybe you can't send me a message. I say “maybe” because we're left scrambling to interpret the law. It's too prescriptive to make sense to business, let alone to the legal community who have to interpret it.

You could make changes consistent with Mr. Fekete's comments, and there's a ton of common ground with Dr. Geist. It might not appear that way, but there really is. You could make a series of tweaks to eliminate some unnecessary wording, to clarify the ambiguity—

You could subpoena to them.

I'll start by providing some advice to the CRTC about helping organizations comply. The CRTC does not issue findings or decisions that provide the rationale for the fine or the circumstances in which the offence or violation took place. That contrasts with the behaviour of the Privacy Commissioner, who provides very helpful, very meaningful findings explaining the perspective of both parties as well as the commissioner's interpretation and outcome. That is what we need in order to better understand the law.

For clarity, there isn't one enforcement body, but rather three, so it's quite complex. There's the Competition Bureau, depending on the provisions; the CRTC; and the Office of the Privacy Commissioner of Canada. In fact, depending on the nature of a particular activity, you could have multiple investigations going on. The CRTC—

Well, it can be cumbersome. The CRTC clearly has the necessary tools to appropriately enforce against bad actors. That, again, is not our issue. Our issue is enforcement against the good actors, that and their not being subject to disproportionate penalties for technical, immaterial violations. That's it.

I agree with Mr. Kardash on this. There are three agencies. I don't have any sense that the particular agencies themselves represent the problem at this point in time.

Again hearkening back to when we were working on the report, we met with authorities from the United States and talked to various people who were involved in groups such as the one known as M3AAWG, which brings together people engaged in enforcement activities around the world. What they needed was a Canadian representative who had the tools and the power to essentially play ball in the same way that they were able to.

For many years pre-CASL, we weren't in a position to do that. We are now, so the fault doesn't lie with the legislation, but to the extent to which enforcement hasn't been as good as it needs to be, it lies with the agencies themselves.

I think the enforcement agencies are the right bodies. I think they have the right tools, which I feel they may be applying in a disproportionate manner, as I mentioned in the opening remarks. We didn't receive a warning letter. I spoke to my colleagues at Porter. They had an experience similar to that of Rogers. There was no warning letter, and it went straight to the investigation and punitive damages immediately.

I think, speaking to the point of the colleagues here on the panel, that more guidance and tools could be issued from our enforcement bodies to help businesses.

That's my comment.

I would say that the CRTC is the right body, but to some extent it is hamstrung by the legislation itself and the regulations, because it doesn't have a whole lot of flexibility in some cases because they are so prescriptive.

The other piece that's missing is that the CRTC hasn't made a concerted effort to partner with industry, to learn from industry. Some of our recommendations, those around making the private right of action focused on telecoms or other bodies that actually bear the costs of spam, would be able to bring these other industry actors into the game to help reduce spam for everyone and truly partner with CRTC.

No. The evidence we received was that it wasn't about who was doing the enforcing. It was about the penalties. It was clear if you took a look at some of the weak laws, say, in the United States, just like the CAN-SPAM act, fundamentally if you were a spamming organization, you just weren't all that fussed about the law, because there weren't really tough penalties behind it; whereas Australia put some real muscle behind it, and it changed the risk analysis that those organizations engaged in.

I would say the private right of action, if it were to be brought back in legislation, should focus on the deliberate actors who are doing more of the egregious things, such as deliberately disseminating malicious software, engaging in false or misleading advertising, or email harvesting. Those are really what the private right of action should focus on.

As I mentioned previously, we would say the private right of action should be targeted toward the companies that bear the costs of spam and allow them to partner with CRTC in enforcement.

Often the networks' email providers can tell you who the bad spammers are. They are the ones in the best location to often find them, and so if the private right of action were changed to allow them to partner with CRTC, to themselves go after and recoup the costs from the spam on their own networks, that could help everyone and help the law be more successful.

I'm going to pick up on that with one other point, and that's to say that we pay not just for that but also in terms of the spam we receive. I would disagree with respect to Mr. Messer's point that somehow it's the telecom providers or the ISPs that bear the cost. No. We bear the cost, and we all know about the problems we have with affordability of Internet access and the kinds of data charges we face. When we looked at this, we saw that ISPs were up front, and they could give a per-customer cost in terms of what they were paying for the technology, the bandwidth, and the equipment they needed to deal with these issues. We pay that cost in the very high fees we face. As for the idea that somehow it's just the Rogers of the world, I'm sorry, but it's not.

In terms of the enforcement, you're absolutely right. From my perspective, it is very difficult to understand why there was a tool in the tool box that would have effectively outsourced some of this enforcement. We recognize that it would be very effective, given how nervous people are about the prospect that people would actually try to engage in this sort of enforcement, and yet we took it away and left it solely to an agency that hasn't done a good enough job, with the costs being borne by the public and the taxpayer.

I can speak on behalf of multiple companies, and I would add that certainly spam is hugely problematic for businesses too. They bear the cost. What we are trying to accomplish here is to reduce the cost of compliance, with the aim of the legislative scheme being that it should be focused on bad actors.

Yes, the public bears the cost—I get that—all of us do, but businesses also bear significant costs.

The challenge with the PRA in CASL is in no small part because of the complexity of the law and the innumerable situations in which compliance is next to impossible, and because it's combined with statutory damages. If you are a class action lawyer, you make an economic decision, by commencing a suit, about whether there is likely to be a return on your investment in time. Statutory damages give that.

If you fix the legislation while enabling businesses and potentially others to enforce the law through a private right of action, you won't have the same chorus of opposition, because the legislation will be balanced. What we have now is unbalanced legislation with a very strong penalty in the PRA.

I'll start with a basic proposition. What we are hearing from clients every day is that, anytime you have uncertainty, you have risk, and that poses a problem. It doesn't completely stop innovation—that would be an overstatement—but it introduces a level of risk in which, in our view, in the vast majority of circumstances, excluding the bad actors, you have to remove the uncertainty. Again, there is so much common ground here, and I think that's something we should really seize upon.

Part of the uncertainty is due to the fact that it's a very complex regime. We do this every day, and it takes us a lot of time to work through with clients to get very innovative types of new products and service offerings through into the digital sphere, which inevitably involves sending, or permitting to be sent, tens if not hundreds of millions of messages on a monthly basis.

None of this is illegitimate; all of this should be done in a consent regime. No one is even disputing that. What we are talking about is having clarity and removing unnecessary prescription. Then, all of a sudden, with the appropriate narrowing of the scope to keep the legitimate stuff outside the scope, focusing on the bad actors. They would be able to get the two remaining in the country, and hopefully prevent others from even thinking about coming to Canada. They wouldn't. That would be the approach.

I can't overstate the suggestion I made to the committee in my opening remarks. We deal with these every day. I urged the committee, and I urged by implication, to go through use cases, because these examples of how to fix it explode at you in their glory. Go through use cases.

I can't speak for others, but IAB Canada is going to submit a more detailed brief. With respect, three pages is not sufficient for us to provide the range of types of use cases and other suggestions. We will present use cases so the committee can see how there is unnecessarily expansive scope. We'll get rid of that, and then, with the narrowing of the scope, there will be a lowering of temperature in terms of opposition to the legislation thereafter.

I agree with what Mr. Kardash just said, but I would like to provide an example of why the computer program provisions are too broad. If you're a start-up company and you're deciding whether to start up in Silicon Valley or in Waterloo, you look at the laws and at how they apply. Computer program installations and updates are a core part of your business. If you set up in Canada, your worldwide operations are subject to these prescriptive rules that have no parallel anywhere else. We're creating an incentive for people to set up in the U.S. I think we have to look at harmonization to the extent that is appropriate to ensure a level playing field. We want to encourage the Canadian technology sector and not have laws that interfere with it.