Thank you very much.
I'd like to start by thanking everyone for inviting us to speak on what I think is a very important issue.
I'm the co-chair of the technology group at Osler, Hoskin & Harcourt, and we advise a broad range of clients, from start-up technology companies to some of the largest companies in the world. What we've seen with CASL is legislation that has really challenged us, both in terms of advising clients and in terms of having clients who want to comply with the law but who truly have difficulty understanding what's required and fitting what the law prescribes into a business reality.
My perspective is that, although very well intentioned, CASL is flawed. That really stems from the fact that it's overly complex, very prescriptive, and very broad. I think it's really important to point out that it undercuts some other very important public policy objectives. I'll name just a few.
CASL has increased cybersecurity risks because it places restrictions on when updates and patches can be installed to fix security issues and vulnerabilities.
Also, it has unlevelled the playing field among Canadian businesses, including many of the technology companies that we're looking to support and to see become global players, because it creates a regulatory burden that competitors in other markets don't face.
We see this in the installation of computer programs. If you set up operations in Canada, you need to comply globally with the rules in CASL in terms of any installations you might send to your users or install base, whereas if you're in the United States or another jurisdiction, it's only the installations made on computers in Canada that need to comply.
This isn't a trivial point. The rules with respect to computer programs are quite complex, and they're unique. They're very much made-in-Canada rules that are not reflected in the laws of other jurisdictions.
I think it's fair to say that CASL creates unnecessary red tape and compliance costs. At a time when we're looking to see how red tape can be reduced, you could say that CASL goes in the opposite direction. It's really the small businesses that bear the brunt of this red tape, in that they have difficulty understanding what the law requires, and they're having difficulty using the most efficient means of communicating—which is electronically—with their customers.
There's also a question as to whether CASL is constitutional. There's no question that it impinges upon free speech. The questions a court would ask are whether the restrictions are proportional to the harm, and whether the restrictions minimally impact on the right of free speech enshrined in the charter.
I think that when we look at CASL's regulatory reach and prescriptive rules, we can say that full compliance becomes next to impossible. There's no shortage of circumstances in which you can say that it doesn't make sense to comply with the rules in the context of day-to-day business operations.
I think this is exemplified most strongly in the computer program provisions. I'm a technology lawyer. I work very closely with technology companies that are trying to comply with the rules. Again, these are unique rules. No other country has adopted rules as broad as the ones found in CASL, or as prescriptive.
The real question is this. When these rules were conceived, it was really in a world of laptops and hand-held devices, but we've moved to a world where the Internet of things is the buzzword. We have devices that are permeating all of our different day-to-day interactions. Many of these devices do not have user interfaces through which you can request consent. Many of the manufacturers of devices, whether they be automobiles, fridges, or TVs, do not have a direct relationship with consumers, and that makes the request for consent challenging.
I can provide a few other examples of where CASL creates just really practical problems. The question is whether it's sensical to require companies that sell online exclusively—they're online businesses—to provide an unsubscribe mechanism in the transactional messages they send to consumers. You're confirming a transaction that you've just completed and you must, under the rules in CASL, include an unsubscribe mechanism.
Essentially, that leads to confusion for the lawyers, the companies, and consumers. I'm providing this example because it highlights how prescriptive CASL is and the way that prescriptive rules, however well-intended, don't necessarily have the intended effect.
We can look at text messaging, in which we have a very limited number of characters available to us. Because CASL prescribes exactly that contact information, identity information, and an unsubscribe mechanism need to be provided, you're really not left with anything to communicate to consumers vis-à-vis text messaging.
It's also important to ask how effective CASL has been at addressing spam, spyware, and other online threats. The truth is that we have very little empirical information, so there's very little that we can point to in terms of statistics to show the impact. A 2015 report published by the security firm Cloudmark is often cited. It did an analysis of email traffic in Canada following the coming into force of CASL. Interestingly, it showed that there was a reduction, but the reduction was largely due to decreased use of messaging by legitimate companies. I don't think that was the intent of the legislation. We're trying to encourage digital activities, not reduce them.
What other things can we say about effectiveness? We know that phishing emails remain very prevalent and the related cybersecurity concerns are growing, and growing for good reason, because this has become an epidemic. So we know that CASL hasn't been effective at preventing those types of risks. We also know that enforcement by the CRTC has largely been against legitimate companies rather than against the bad actors, the fraudsters.
We can then ask ourselves how we got here, with well-intentioned legislation that has had a questionable impact on fighting the harmful spyware and spam that the legislation was really intending to address. I think we can look back and say that there was broad three-party support for the legislation. There was largely support from industry, from civil society, and from academia, since fighting spam and spyware is a critical objective. However, I think we can also be truthful and say that it hasn't been a success. There has been a chorus of complaints about the complexity and the prescriptiveness, and about how it doesn't work in practice. We want legislation that encourages participation in commercial activity, and we can't say that CASL has facilitated that.
The opportunity today is for all three parties and all stakeholders to work together and to identify fixes. I'm going to identify four fixes very quickly.
First, the regulatory reach of CASL needs to be narrowed. We need to focus on harmful spam and spyware, and we need to be very clear that this is the intent and purpose.
Second, we need to ensure that there's a meaningful implied-consent exception. Rather than having a prescriptive rule, which is the way it's expressed today, we need to introduce flexibility. As with our federal privacy legislation, PIPEDA, we need an approach to applied consent that's based on a contextual assessment of whether it's reasonable. This will in no way undermine the efforts to fight the harmful stuff. Rather, it will introduce the flexibility that business needs.
Third, we need to reduce the prescriptiveness. There is too much in the way of prescriptive rules for what we can clarify through general principles.
Fourth, with respect to the private right of action, rather than having standing to sue left with anyone who receives a message that doesn't comply, we should provide the companies that are in a position to go after the bad actors the opportunity to supplement the efforts of the CRTC and place standing to sue in their hands.
Thank you for your time. I look forward to receiving any questions.