Thank you, Mr. Chair.
I am Deborah Evans, associate chief privacy officer for Rogers Communications. I welcome the opportunity to appear before the committee and provide input into the review of Canada's anti-spam legislation.
CASL has increased consumer protection but it is not perfect. This review provides a valuable opportunity to ensure that the legislation can give greater certainty to consumers and businesses interpreting CASL.
When we reflect on the last three years, there are certain provisions that could benefit from further clarification. Specifically, there are three areas in which Rogers would like to see changes: improving enforcement and ensuring proportionality of administrative monetary penalties, reducing the ambiguity with regard to content and wording of the act, and eliminating the private right of action.
The current structure of CASL empowers the CRTC to enforce compliance through a range of remedies, including the use of AMPs. While we acknowledge that there are benefits to enforcement through the use of AMPs in more egregious cases, the current process has not been without difficulties. For example, all companies in both private and public sectors are faced with unintended information system errors. When consumers are impacted, they notify companies directly in the majority of cases, but they also go to the CRTC's spam reporting centre.
During this committee review, we have heard that warning letters are often issued for violations requiring corrective action. This was not the experience of Rogers when faced with a CASL investigation. We were given no warning at all.
Rogers is an established Canadian business with systems and processes in place to ensure that we comply with all applicable laws and regulations. Nonetheless, we were investigated and signed an undertaking that involved a significant payment. This undertaking was required despite Rogers having identified and resolved the minor issues impacting our customers prior to the investigation. Under CASL, we were not afforded an early resolution process prior to investigation and penalty, unlike similar processes of the Privacy Commissioner, the Advertising Standards Council, and the Canadian Transportation Agency.
When enforcing penalties, the CRTC considers the history of violation and the ability to pay when determining an AMP. We recommend that this approach be revised, and that penalties be linked to the severity of the infringement, not the ability to pay. In the case of the first violation, where an organization's act of non-compliance is an unintended information system error, the CRTC should always issue a warning letter or citation. This would be a more appropriate way to tackle infringements that are inadvertent.
If there are subsequent violations, there should be an established framework to determine the level of fine based on the proportionality of the violation. AMPs would then increase with the magnitude and frequency of the infringement. For example, a deliberate malware dissemination would warrant a much higher penalty than would sending a CEM that omits a required field. For every subsequent violation of the same nature, the fines would grow in severity. The large majority of Canadian companies want to comply with the legislation. Unfortunately, due to uncertainty in the wording of the act, many Canadian businesses have employed an overly cautious approach to communicating with their customers in order to avoid being subject to enforcement activities. This is compounded by uncertainty regarding the application of AMPs, and the high punitive nature of the maximum fine.
In reviewing the act, and based on Rogers' experience, there is an opportunity to provide clear guidance and to remove ambiguous wording. We have heard witness presentations during this review, which have outlined concerns with the lack of clarity in the definition of a CEM and computer programs. We support these positions. As well, there are other areas where the act could provide more clarity for businesses. For example, the current wording in subsection 6(6), states that notification-type emails, such as messages to tell you that your mobile device is roaming, are exempt from consent requirements. However, such messages must include an unsubscribe mechanism. There is no reason why legislation created to regulate electronic commercial activity should be applied to non-commercial messages. These types of notification messages do not fall within the statutory definition of a CEM and should not be subject to consent or message form requirements.
We recommend removing subsection 6(6) from the legislation to limit the scope of CASL to commercial electronic messaging only. As well, guidance material from the CRTC should be produced to give greater certainty as to what types of messages are not CEMs. Additionally, the current definition of electronic address should be updated. We are in the age of new technologies and digital advancements. The overly broad definition has added an additional layer of complexity for Canadian businesses.
We recommend providing a clear and specific definition of electronic address. In particular, the reference to “any similar account” should be removed. As well, we recommend issuing guidance material indicating what is excluded from this definition.
We support the decision by Minister Bains to suspend the PRA. It is unnecessary and does not represent a proportionate response to the stated objective of CASL, namely increased consumer protection. The three agencies responsible for enforcing CASL provide sufficient protections for consumers. The PRA allows any person affected by an alleged infringement to sue for actual damages of up to $1 million per violation with no requirement to demonstrate harm.
Currently, the PRA has the potential to create an environment that encourages consumers to pursue Canadian businesses that may have experienced an unintended informational system error rather than targeting deliberate spammers, many of which operate outside of Canada. Rogers supports eliminating the PRA from CASL. It creates an environment for frivolous lawsuits and is not an efficient use of Canadian courts.
As the committee has heard, most Canadian businesses want to comply with CASL. Well-intentioned companies should not be associated with those that are deliberately and maliciously ignoring the act. If the PRA is to continue, the government must ensure that it is specific enough to target those intentionally acting outside the legislation.
In summary, we propose the following: that first-time offenders be issued a warning letter if the violation was the result of an unintentional error; that penalties be based on a framework of proportionality in which fines increase with the severity and frequency of the infringement; that subsection 6(6) be removed to limit the scope of CASL's commercial electronic messaging; that the definition of electronic address be updated to remove the reference to any similar account; and that the PRA be removed since it is unnecessary.
Thank you for the opportunity to participate in this review. I'm happy to answer any questions.