Industry Committee on Oct. 17th, 2017

Thank you very much.

I'd like to start by thanking everyone for inviting us to speak on what I think is a very important issue.

I'm the co-chair of the technology group at Osler, Hoskin & Harcourt, and we advise a broad range of clients, from start-up technology companies to some of the largest companies in the world. What we've seen with CASL is legislation that has really challenged us, both in terms of advising clients and in terms of having clients who want to comply with the law but who truly have difficulty understanding what's required and fitting what the law prescribes into a business reality.

My perspective is that, although very well intentioned, CASL is flawed. That really stems from the fact that it's overly complex, very prescriptive, and very broad. I think it's really important to point out that it undercuts some other very important public policy objectives. I'll name just a few.

CASL has increased cybersecurity risks because it places restrictions on when updates and patches can be installed to fix security issues and vulnerabilities.

Also, it has unlevelled the playing field among Canadian businesses, including many of the technology companies that we're looking to support and to see become global players, because it creates a regulatory burden that competitors in other markets don't face.

We see this in the installation of computer programs. If you set up operations in Canada, you need to comply globally with the rules in CASL in terms of any installations you might send to your users or install base, whereas if you're in the United States or another jurisdiction, it's only the installations made on computers in Canada that need to comply.

This isn't a trivial point. The rules with respect to computer programs are quite complex, and they're unique. They're very much made-in-Canada rules that are not reflected in the laws of other jurisdictions.

I think it's fair to say that CASL creates unnecessary red tape and compliance costs. At a time when we're looking to see how red tape can be reduced, you could say that CASL goes in the opposite direction. It's really the small businesses that bear the brunt of this red tape, in that they have difficulty understanding what the law requires, and they're having difficulty using the most efficient means of communicating—which is electronically—with their customers.

There's also a question as to whether CASL is constitutional. There's no question that it impinges upon free speech. The questions a court would ask are whether the restrictions are proportional to the harm, and whether the restrictions minimally impact on the right of free speech enshrined in the charter.

I think that when we look at CASL's regulatory reach and prescriptive rules, we can say that full compliance becomes next to impossible. There's no shortage of circumstances in which you can say that it doesn't make sense to comply with the rules in the context of day-to-day business operations.

I think this is exemplified most strongly in the computer program provisions. I'm a technology lawyer. I work very closely with technology companies that are trying to comply with the rules. Again, these are unique rules. No other country has adopted rules as broad as the ones found in CASL, or as prescriptive.

The real question is this. When these rules were conceived, it was really in a world of laptops and hand-held devices, but we've moved to a world where the Internet of things is the buzzword. We have devices that are permeating all of our different day-to-day interactions. Many of these devices do not have user interfaces through which you can request consent. Many of the manufacturers of devices, whether they be automobiles, fridges, or TVs, do not have a direct relationship with consumers, and that makes the request for consent challenging.

I can provide a few other examples of where CASL creates just really practical problems. The question is whether it's sensical to require companies that sell online exclusively—they're online businesses—to provide an unsubscribe mechanism in the transactional messages they send to consumers. You're confirming a transaction that you've just completed and you must, under the rules in CASL, include an unsubscribe mechanism.

Essentially, that leads to confusion for the lawyers, the companies, and consumers. I'm providing this example because it highlights how prescriptive CASL is and the way that prescriptive rules, however well-intended, don't necessarily have the intended effect.

We can look at text messaging, in which we have a very limited number of characters available to us. Because CASL prescribes exactly that contact information, identity information, and an unsubscribe mechanism need to be provided, you're really not left with anything to communicate to consumers vis-à-vis text messaging.

It's also important to ask how effective CASL has been at addressing spam, spyware, and other online threats. The truth is that we have very little empirical information, so there's very little that we can point to in terms of statistics to show the impact. A 2015 report published by the security firm Cloudmark is often cited. It did an analysis of email traffic in Canada following the coming into force of CASL. Interestingly, it showed that there was a reduction, but the reduction was largely due to decreased use of messaging by legitimate companies. I don't think that was the intent of the legislation. We're trying to encourage digital activities, not reduce them.

What other things can we say about effectiveness? We know that phishing emails remain very prevalent and the related cybersecurity concerns are growing, and growing for good reason, because this has become an epidemic. So we know that CASL hasn't been effective at preventing those types of risks. We also know that enforcement by the CRTC has largely been against legitimate companies rather than against the bad actors, the fraudsters.

We can then ask ourselves how we got here, with well-intentioned legislation that has had a questionable impact on fighting the harmful spyware and spam that the legislation was really intending to address. I think we can look back and say that there was broad three-party support for the legislation. There was largely support from industry, from civil society, and from academia, since fighting spam and spyware is a critical objective. However, I think we can also be truthful and say that it hasn't been a success. There has been a chorus of complaints about the complexity and the prescriptiveness, and about how it doesn't work in practice. We want legislation that encourages participation in commercial activity, and we can't say that CASL has facilitated that.

The opportunity today is for all three parties and all stakeholders to work together and to identify fixes. I'm going to identify four fixes very quickly.

First, the regulatory reach of CASL needs to be narrowed. We need to focus on harmful spam and spyware, and we need to be very clear that this is the intent and purpose.

Second, we need to ensure that there's a meaningful implied-consent exception. Rather than having a prescriptive rule, which is the way it's expressed today, we need to introduce flexibility. As with our federal privacy legislation, PIPEDA, we need an approach to applied consent that's based on a contextual assessment of whether it's reasonable. This will in no way undermine the efforts to fight the harmful stuff. Rather, it will introduce the flexibility that business needs.

Third, we need to reduce the prescriptiveness. There is too much in the way of prescriptive rules for what we can clarify through general principles.

Fourth, with respect to the private right of action, rather than having standing to sue left with anyone who receives a message that doesn't comply, we should provide the companies that are in a position to go after the bad actors the opportunity to supplement the efforts of the CRTC and place standing to sue in their hands.

Thank you for your time. I look forward to receiving any questions.

Thank you.

Good morning, everyone. First of all, I would like to thank you, Mr. Chair and members of the committee, for the opportunity to speak with you today.

My name is Adam Kardash and I am here on behalf of IAB Canada, a not-for-profit association dedicated exclusively to the development and promotion of the rapidly growing digital marketing and advertising sector in Canada.

IAB Canada represents over 250 of Canada's best-known and most respected stakeholders in the digital advertising and marketing sector, including advertisers, agencies, digital publishers, social media platforms, and ad networks. Our members include numerous small and medium-size enterprises.

To put it simply, CASL requires significant amendment, so the work of this committee is very important to IAB Canada, as CASL impacts every one of IAB Canada's members. Our trade association has been closely and actively involved with CASL for years, including through formal submissions on CASL regulations and meetings with government officials, and through hosting CRTC information sessions for our members.

My brief introductory comments this morning are based on my experience as counsel to the IAB as well as my personal capacity as the head of Osler, Hoskin & Harcourt's national privacy law practice. Our team, together with our firm's technology practice, led by Mr. Fekete, has dealt with hundreds of mandates involving CASL across all sectors, in particular the digital marketing and advertising sector.

The main theme of my comments this morning is that while CASL was intended to build trust in the digital ecosystem by deterring spam, malware, and other nefarious activity, there is widespread acknowledgement that there are serious and fundamental issues with CASL's regulatory framework that need to be carefully considered and appropriately addressed, mainly by significant amendments to the statute.

We're offering the following three recommendations for the committee's consideration with regard to the changes necessary to CASL's statutory regime.

First, we urge that the committee, in its review of the act, focus on narrowing the incredibly broad scope of CASL's application. In our view the expansive scope CASL's framework is fundamentally flawed. Instead of just targeting nefarious activities, CASL is structured to regulate virtually all electronic messaging activity. CASL could be effective if it applied only to bad actors or egregious activities, as opposed to regulating wholly legitimate messaging activities that nobody considers unwanted, let alone spam.

By way of just one example, consider that CASL doesn't just regulate marketing and promotional messages. Rather, the statute, as my colleague Mr. Fekete just mentioned, applies even to certain administrative or transactional messages that provide solely factual information about an account, a product recall, or even safety. Stunningly, CASL requires that such messages contain an unsubscribe or opt-out mechanism. This is totally confusing for consumers and businesses. Nobody would ever consider these types of messages to be spam, yet companies that don't offer an unsubscribe option for these types of administrative messages would be technically violating the statute.

CASL definitely needs to be amended to expressly exclude these and other wholly legitimate types of electronic messages from the CASL regulatory regime. CASL's broad scope has resulted in an incredibly and unnecessarily complicated statutory regime, as legitimate electronic messages are subject to the consent, notice, and unsubscribe requirements and penalties under the statute unless they expressly fall within one of the several highly technical exceptions set out in the regulations.

From our day-to-day experience, it can be a very time-consuming, complicated exercise, and, for small businesses especially, an expensive undertaking to interpret and navigate CASL's provisions in this regard.

Moreover, in terms of scope, while the display of online advertisements is not subject to CASL as the display of an ad is not sent to an electronic address, statutory clarity of the scope of application in this regard is critically required. CASL simply cannot apply to the display of online advertising, because it would be practically impossible for organizations involved in the online advertising ecosystem to comply with the act's prescriptive requirements.

In our view, without question, the scope of CASL needs to be clarified and could be appropriately narrowed without imperiling CASL's intended goal of fostering trust.

Second, we urge the committee to recommend the elimination of unduly prescriptive and technical requirements in CASL that are either ambiguous or, often, very impractical to implement and totally unnecessary in order to achieve the policy objectives of the statute.

One example for the committee is that when an organization is seeking express consent, CASL requires organizations to provide a whole bunch of specific and detailed contact information and a statement about how individuals can withdraw their consent at any time.

This may sound like a totally innocuous requirement, but these requirements are more strict than what's required for a valid express consent under privacy legislation and they pose very practical compliance challenges when, for instance, companies seek a valid express consent over the phone or in person, such as at a retail store when you're just trying to get out of the checkout line.

These and other unnecessary notice requirements need to be removed from the statute. They don't benefit consumers, and there's no reason why a company should be exposed to regulatory enforcement, let alone class action litigation, for failure to comply with a technical requirement by providing a statement that says you can withdraw your consent at any time. It makes no sense. These are technical and wholly immaterial violations of the statute as currently constructed.

We urge the committee to recommend that any consideration of the issues raised by CASL be done through the application of CASL's provisions to very specific-use case scenarios.

We cannot overstate the significance of this suggestion. If you examine the actual impact of CASL on legitimate, daily, electronic messaging activity, you—and not just you but also ISED—will see through real-life examples on a case-by-case basis that there will be a drastic need to address a myriad of very impractical, ambiguous, technical, and unnecessary provisions. Over and over again the application of case studies sheds light on this.

Third, we want to make a specific recommendation regarding the private right of action. As was anyone who has actually spent time trying to comply or to help companies comply with CASL, IAB Canada members were very grateful for the deferral of the private right of action coming into force.

In short, CASL in its current form with the PRA, the private right of action, is a perfect cocktail for unnecessary litigation. CASL's overly expansive breadth of application, prescriptive technical requirements, ambiguous drafting, and the right to sue with no proof of harm would have set the stage for plaintiffs' counsel to commence a stream of class action litigation, including meritless and frivolous class action lawsuits. There's a payday for plaintiffs' counsel in such class action activity.

IAB Canada is strongly urging the committee to carefully review the private right of action, including narrowing the PRA as a remedy only in circumstances involving bad actors and particularly nefarious and egregious violations of the act.

I'll conclude my introductory comments at this time. On behalf of IAB Canada, I thank you again for inviting me here this morning. I would be pleased to answer any of your questions.

Thanks very much.

Good morning. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I served as a member of the national task force on spam and appeared before this committee in the development of CASL. As always, I appear in a personal capacity, representing only my own views.

The hallmark of fraudulent spam, from get-rich-quick schemes to body-part enlargement promises, is that while it contains something that seems unlikely, people still often want to believe the claims. Over the last several years we've experienced something similar with respect to anti-spam legislation, in which the claims of doom often just don't add up.

A perfect example is the frequent suggestion that somehow the neighbourhood lemonade stand would be affected by CASL. Now, stop and think about this for just a moment. Politicians admittedly might be an exception to this, but how many of us have email addresses for all of our neighbours? How many would think to actually not only collect all of those email addresses, but then email the entire neighbourhood about a lemonade stand? Like spam, it takes a claim with a kernel of truth—the need for consent to send commercial messages—and then moves into a world of fantasy. Long-standing scare tactics, ones that pre-date even the drafting of the legislation, are not the way to assess this law.

In my view, there are really three questions that lie at the heart of the assessment of CASL: Is there a harm or risk that needs to be addressed? Does CASL help solve the problem? And even if the answers to one and two are yes, is the law still too onerous?

Let me try to answer all three.

First, is there a harm or risk to be addressed? I think the answer to that is obvious: absolutely. Let me point to three examples. First, malware, spyware, and phishing attempts have emerged as exceptionally important cybersecurity issues and they are caught squarely by CASL. Today these efforts may be state-sponsored or simply criminal. Consider the impact of phishing attempts in the last U.S. election that successfully gained access to thousands of emails at the DNC and may have helped change the course of U.S. political history; or the massive malware cases such as WannaCry, which have affected millions, caused millions or even billions in damages, and put hospital and banking systems at risk. We need effective laws to counter these threats, and they are unquestionably part of CASL's ambit.

Second, I think we all recognize the importance of e-commerce. The success of e-commerce depends on trust, trust that our information will be used appropriately, and trust that online sellers will deliver what is promised. The concerns associated with fraudulent spam extend beyond just the losses that can occur from those individual messages. They undermine the potential success of all e-commerce activities by undermining trust more broadly.

Third, the public is increasingly aware and, I would argue, concerned with their privacy and the use of personal information. Our major trading partners, particularly the EU, have tried to address these concerns through tough new laws. CASL isn't separate and apart from PIPEDA; it is a foundational part of the legislative response to the risks of misuse of our personal information. At its heart is the need for informed consent, a standard the establishment of which is long overdue.

Now, does it work? I would start by saying I wish we had more data. I think the failure to collect extensive data is a serious mistake by officials who should have been working with the spam research centre, Internet providers, email service providers, and law enforcement to collect data. The need for more data provides a reminder that the work of policy-makers doesn't end just because the legislative process concludes. There are, however, several studies and reports that provide valuable data on the impact of CASL.

The committee already heard from Mr. Fekete about the 2015 Cloudmark study, which found significant declines in spam, with 29% less email in Canadian inboxes, and a 37% reduction in spam originating from Canada. I'd be happy to debate and explain why that's actually a good thing.

Further, one of the core concerns about Canada's anti-spam framework before CASL was our inability to co-operate actively with global enforcement actions. Our task force heard that without a comparative spam law, Canada risked becoming a spam haven, without the legal ability to assist partner countries in investigations and enforcement. CASL has unquestionably addressed this issue, ensuring that Canada is no longer an island in the fight against spam. We have international enforcement agreements with four countries, and MOUs with 12 agencies in eight countries. But perhaps most telling—and I don't believe the committee has heard about this yet—is the ROKSO list, the register of known spamming organizations, which is maintained by an organization known as Spamhaus. The ROKSO list identifies the top 100 spamming organizations, which are responsible for 80% of the spam worldwide. I have to tell you that the existence of this kind of list came as a surprise to me and to many other spam task force members, as it confirmed, surprisingly I think, that we actually know where the leading spammers are.

Further, we learned that Canada was a notable home for these spamming organizations.

When CASL took effect in 2014, Canada was home to a disproportionate number of spamming organizations, with seven of the top 100 spamming organizations in the world located in Canada. Today, three years later, there are only two remaining. There may be several factors behind the decline in the top spamming organizations in Canada, but the existence of a tough anti-spam law with real penalties is surely one of them.

This data confirms CASL's effectiveness, and in this regard it should be emphasized that the goal of the law was never to eliminate all spam from our inboxes. No law can do that, just as no technology can eliminate spam or fully protect us from malware, spyware, and phishing. Rather, the goal was to reduce the spam that originates in Canada with the hope that other countries would do their part. In that regard, the law has been a success.

Finally, is the law overbroad? I have to say that CASL complaints have always struck me as a bit odd. The complaints typically focus on the many exceptions in the law, claiming they are too narrow, restrictive, or difficult to interpret. The real narrowness has often come from the interpretations that have been provided.

Consider the issue of charities. ISED Minister Navdeep Bains stated the following in the press release announcing the decision to delay the private right of action: “Canadian businesses, charities and non-profit groups should not have to bear the burden of unnecessary red tape and costs to comply with the legislation.” But the CASL regulations state that section 6 of the act does not apply to a commercial electronic message sent by or on behalf of a registered charity, which has as its primary purpose raising funds for the charity. In other words, charities already enjoy a broad exemption under the law.

Similarly, the committee has already heard from others about the supposed need for a business-to-business exception, yet the law already states that this section does not apply to a commercial electronic message sent to a person engaged in a commercial activity consisting solely of an inquiry or application related to that activity. That exempts legitimate business-to-business commercial electronic messages.

I'd say that even this focus on exceptions is misplaced. Businesses rely on exceptions where they don't want to comply with the foundational obligation that is in the law: consent. The law is clear: if you get informed consent, there is no need to go searching for an exception to apply to your activities. When you hear complaints about narrow exceptions or calls for more, that complaint is fundamentally about the ability to use that personal information without informed consent by leveraging an exception. I'd say that's bad policy and bad for privacy.

To conclude, these remarks aren't meant to suggest we can't do better. We need better data; we need better awareness of the Spam Reporting Centre; we need the agencies to engage more directly with businesses about the true requirements of the law; and we need better enforcement, including the private right of action. I would also suggest that we need a strong anti-spam law with real penalties that is based on informed consent to deal with a very real threat. That law is CASL.

I look forward to your questions.

Thank you, Mr. Chair and committee, for having me here today.

I'm here on behalf of the Information Technology Association of Canada. ITAC is the national voice of Canada's information and communications technology sector. There are over 37,000 ICT firms in Canada, employing almost 600,000 Canadians.

The ICT industry is uniquely positioned to provide comments on CASL. The industry includes telecommunications, online, and IT companies that are both on the front line fighting against spam and spyware and dependent on electronic messaging and the installation of computer programs as core elements of their businesses.

While the legislation under review is commonly referred to as CASL, or Canada's Anti-Spam Legislation, it's important to consider the full objectives, as stated in section 3, which are:

to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities, because that conduct

(a) impairs the availability, reliability, efficiency and optimal use of electronic means...

(b) imposes additional costs on businesses and consumers;

(c) compromises privacy and the security of confidential information; and

(d) undermines the confidence of Canadians in the use of electronic means of communication to carry out their commercial activities

While spam is part of it, the central goal of the legislation is really to promote and grow the digital economy and to encourage businesses and consumers to embrace electronic means of communication and commerce.

The idea is to clear the pipes of junk so it's easier and safer for everyone. The interests of the ICT industry are very much aligned with these public policy goals. However, to date, there is little objective evidence that CASL has led to either a decline in malicious forms of spam or an increase in confidence in electronic commerce. We do know that phishing, ransomware, and other cyber-threats remain very prevalent and we know that enforcement of CASL by the CRTC has largely been against legitimate companies, with an absence of targeted enforcement against true malicious spammers or other bad actors. We also know that CASL has imposed substantial administrative costs on businesses across the country.

CASL is complex and confusing, with highly prescriptive rules, heavy fines, and aggressive enforcement by the CRTC. Organizations of all sizes need to devote considerable resources to understanding the rules and maintaining compliance. It is so complex that CASL consulting has become an industry unto itself, which is certainly an unintended consequence of the legislation.

Confusion breeds risk aversion, and the experience of our members has been that CASL discourages Canadian businesses from innovating or adopting new technologies. Enforcement actions by the CRTC only exacerbate this aversion, which creates a chill in the industry without providing useful guidance so that other companies can avoid the same mistakes.

In addition, the often overlooked computer program provisions have created risks to consumers by inhibiting companies from installing updates to protect against emerging cybersecurity threats. While the regulations include limited deemed consent exceptions, they do not go far enough, and ultimately they undermine the legislation's objective of making consumers more secure.

The software provisions are especially unworkable when we consider the quickly emerging Internet of things, as Michael mentioned. Many software-controlled devices coming into our homes and workplaces have no user interfaces, and the global companies that design and sell them often have no direct relationship with the consumer, which makes CASL compliance extremely difficult.

To address CASL's unintended consequences and to help it meet its stated objectives, ITAC proposes five themes to guide amendments.

First, the justification for CASL has been articulated as targeting damaging and deceptive spam, spyware, malicious code, and other threats. Amending CASL so that it targets only these harmful activities would go a long way to addressing CASL's unintended consequences. This can be accomplished by narrowing the definitions of three terms: computer program, commercial electronic message, and electronic address. In ITAC's written submission, we will include outlines of specific proposals regarding how we think these definitions should be narrowed.

Second, the circumstances in which express consent is not required should be expanded. CASL combines prescriptive express-consent rules with narrowly drafted exceptions. This combination creates complexity and rigidity that make compliance exceptionally difficult and costly when compared to compliance with anti-spam laws in other jurisdictions, such as the United States or Australia. Amending CASL to include an implied-consent principle, similar to Canada's privacy law, PIPEDA, would help to remove the unnecessary regulatory burden created by CASL.

Third, we should make CASL less complex and rigid. Canadian businesses should not require a lawyer to determine whether they're in compliance with CASL. CASL's overly prescriptive rules, including the rules governing requests for consent and the content of messages, should be replaced with general principles, similar to Canada's privacy law. By following the approach found in PIPEDA, businesses will be free to innovate in how they communicate specific information to consumers, and the CRTC, the Office of the Privacy Commissioner, and the Competition Bureau will have room and flexibility to provide guidance.

Fourth, CASL should be amended so that businesses in Canada are on a level playing field with competitors in other jurisdictions. The computer program provision in CASL should not apply, for instance, to programs installed on devices in another jurisdiction if the installation does not violate the law in that jurisdiction. Further, the red tape and regulatory burden caused by CASL's prescriptive rules should be minimized and, where appropriate, harmonized across borders.

Last, as mentioned previously, the private right of action, which combines broad standing to sue and statutory damages, creates the perfect conditions for frivolous class actions against legitimate businesses. Minister Bains was wise to defer its implementation earlier this summer. To avoid the significant costs to both the court system and industry, the private right of action should be repealed, or at the very least restricted to have standing only for organizations like networks and ISPs who bear the direct costs of spam, spyware, and other online threats.

Thank you. I look forward to your questions.

Thank you, Mr. Chair.

I am Deborah Evans, associate chief privacy officer for Rogers Communications. I welcome the opportunity to appear before the committee and provide input into the review of Canada's anti-spam legislation.

CASL has increased consumer protection but it is not perfect. This review provides a valuable opportunity to ensure that the legislation can give greater certainty to consumers and businesses interpreting CASL.

When we reflect on the last three years, there are certain provisions that could benefit from further clarification. Specifically, there are three areas in which Rogers would like to see changes: improving enforcement and ensuring proportionality of administrative monetary penalties, reducing the ambiguity with regard to content and wording of the act, and eliminating the private right of action.

The current structure of CASL empowers the CRTC to enforce compliance through a range of remedies, including the use of AMPs. While we acknowledge that there are benefits to enforcement through the use of AMPs in more egregious cases, the current process has not been without difficulties. For example, all companies in both private and public sectors are faced with unintended information system errors. When consumers are impacted, they notify companies directly in the majority of cases, but they also go to the CRTC's spam reporting centre.

During this committee review, we have heard that warning letters are often issued for violations requiring corrective action. This was not the experience of Rogers when faced with a CASL investigation. We were given no warning at all.

Rogers is an established Canadian business with systems and processes in place to ensure that we comply with all applicable laws and regulations. Nonetheless, we were investigated and signed an undertaking that involved a significant payment. This undertaking was required despite Rogers having identified and resolved the minor issues impacting our customers prior to the investigation. Under CASL, we were not afforded an early resolution process prior to investigation and penalty, unlike similar processes of the Privacy Commissioner, the Advertising Standards Council, and the Canadian Transportation Agency.

When enforcing penalties, the CRTC considers the history of violation and the ability to pay when determining an AMP. We recommend that this approach be revised, and that penalties be linked to the severity of the infringement, not the ability to pay. In the case of the first violation, where an organization's act of non-compliance is an unintended information system error, the CRTC should always issue a warning letter or citation. This would be a more appropriate way to tackle infringements that are inadvertent.

If there are subsequent violations, there should be an established framework to determine the level of fine based on the proportionality of the violation. AMPs would then increase with the magnitude and frequency of the infringement. For example, a deliberate malware dissemination would warrant a much higher penalty than would sending a CEM that omits a required field. For every subsequent violation of the same nature, the fines would grow in severity. The large majority of Canadian companies want to comply with the legislation. Unfortunately, due to uncertainty in the wording of the act, many Canadian businesses have employed an overly cautious approach to communicating with their customers in order to avoid being subject to enforcement activities. This is compounded by uncertainty regarding the application of AMPs, and the high punitive nature of the maximum fine.

In reviewing the act, and based on Rogers' experience, there is an opportunity to provide clear guidance and to remove ambiguous wording. We have heard witness presentations during this review, which have outlined concerns with the lack of clarity in the definition of a CEM and computer programs. We support these positions. As well, there are other areas where the act could provide more clarity for businesses. For example, the current wording in subsection 6(6), states that notification-type emails, such as messages to tell you that your mobile device is roaming, are exempt from consent requirements. However, such messages must include an unsubscribe mechanism. There is no reason why legislation created to regulate electronic commercial activity should be applied to non-commercial messages. These types of notification messages do not fall within the statutory definition of a CEM and should not be subject to consent or message form requirements.

We recommend removing subsection 6(6) from the legislation to limit the scope of CASL to commercial electronic messaging only. As well, guidance material from the CRTC should be produced to give greater certainty as to what types of messages are not CEMs. Additionally, the current definition of electronic address should be updated. We are in the age of new technologies and digital advancements. The overly broad definition has added an additional layer of complexity for Canadian businesses.

We recommend providing a clear and specific definition of electronic address. In particular, the reference to “any similar account” should be removed. As well, we recommend issuing guidance material indicating what is excluded from this definition.

We support the decision by Minister Bains to suspend the PRA. It is unnecessary and does not represent a proportionate response to the stated objective of CASL, namely increased consumer protection. The three agencies responsible for enforcing CASL provide sufficient protections for consumers. The PRA allows any person affected by an alleged infringement to sue for actual damages of up to $1 million per violation with no requirement to demonstrate harm.

Currently, the PRA has the potential to create an environment that encourages consumers to pursue Canadian businesses that may have experienced an unintended informational system error rather than targeting deliberate spammers, many of which operate outside of Canada. Rogers supports eliminating the PRA from CASL. It creates an environment for frivolous lawsuits and is not an efficient use of Canadian courts.

As the committee has heard, most Canadian businesses want to comply with CASL. Well-intentioned companies should not be associated with those that are deliberately and maliciously ignoring the act. If the PRA is to continue, the government must ensure that it is specific enough to target those intentionally acting outside the legislation.

In summary, we propose the following: that first-time offenders be issued a warning letter if the violation was the result of an unintentional error; that penalties be based on a framework of proportionality in which fines increase with the severity and frequency of the infringement; that subsection 6(6) be removed to limit the scope of CASL's commercial electronic messaging; that the definition of electronic address be updated to remove the reference to any similar account; and that the PRA be removed since it is unnecessary.

Thank you for the opportunity to participate in this review. I'm happy to answer any questions.

Sure. I can start on that at least. From speaking to companies in our association, small and very large, I would say it inhibits innovation because it's confusing, and people don't know what to do. So you have a great idea and then you go and say, “Oh, can we do this?” But the requirements are so complex and there are so many exemptions and small requirements here and there that companies don't know what to do.

For instance, I was speaking to a very large company yesterday. They wanted to send out a text message to their clients about the wildfires out west, saying “if you send us a number back with this hashtag we will match your donation.” They wanted to do this very quickly to get donations to the Red Cross, but they got stuck internally because everyone said, “Wait—does this fall under CASL or does this not? If we include a hashtag that mentions—”

It makes companies less likely to take innovative steps and to change the way they're doing business. It makes them stop and think, and it makes them shy away from innovative activities.

If anything, when we're talking about something like IoT, that's an area in which we particularly need stronger privacy rules and clear knowledge of how our information is being used. Let's recognize what that is.

If we're talking about giving companies the right to listen in through our televisions or through our smart fridges or our coffee makers or whatever it happens to be, the notion that somehow we need greater flexibility and consent.... Let's understand that for years we had that flexibility and consent under law, and that was effectively code for consumers agreeing to things they were not aware they were actually agreeing to.

If we want to see innovation and consumer acceptance of these kinds of new technologies, consumers need to know when their information is being collected and how it's being used, and the messages that go back and forth are part of that.

Certainly.

Most of us can tell from our own inboxes that spam filters and cybersecurity mechanisms put in place by ISPs and by email providers and email programs have gotten much better, certainly over the past decade. These are only improving as technologies such as AI feed into cybersecurity. Moving forward, they will advance and our inboxes will be safer before we even get there.

Certainly. Many ISP and telecommunication service providers do have spam filters on their network to try to identify keywords that will block out spam. Obviously the system isn't perfect, and spammers who are deliberately trying to reach you to do nefarious things are quick to act and get around that.

In a similar example, not related to CASL but to spoofing of telephone calls, we put in a fix to eliminate a telephone number that someone has been spoofing. The spammers know and they've moved on to another one. They're quick acting, and we're just keeping pace with them.