Thank you, Mr. Chair.
Thank you for inviting us, my colleagues and me, to appear before you today on your review of Canada's Anti-Spam Legislation.
We think this legislation has been positive in helping to fight spam and address certain online threats that can be harmful to Canadians.
As you know, responsibility for enforcing compliance with the legislation is assigned to three enforcement agencies: the CRTC, the Competition Bureau and the Office of the Privacy Commissioner of Canada.
For its part, the office is responsible for investigating address harvesting and spyware, both of which generally involve the collection and use of personal information without consent.
This responsibility forms an integral part of the office's broader mandate of the Personal Information Protection and Electronic Documents Act, or PIPEDA, in other words, the act respecting the protection of personal information in the private sector, which sets out rules governing the collection, use, and disclosure of personal information in the course of commercial activities.
Canada's Anti-Spam Legislation also empowers the three agencies to share information and collaborate in enforcing the law. We worked with our partners in applying this legislation. In particular, we have accessed and made use of the Spam Reporting Centre at the CRTC to help identify address harvesters or entities suspected of distributing spyware, which has resulted in two major investigations so far.
Our first investigation involved Compu-Finder, a Quebec-based training provider.
Compu-Finder used email addresses—some of which were collected via address harvesting software—to send out recurring email messages to individuals, many without adequate consent.
We collaborated and shared information with the CRTC. Our investigation served to enhance Compu-Finder's practices and provided guidance to businesses in general on responsible email marketing that respects people's information.
Most recently, we completed an investigation into a Canadian company called Wajam Internet Technologies, which distributed its program as an unsolicited add-on to free software. The program tracks a user's online search queries and integrates the results with content shared by an individual's contacts on social media networks.
Our investigation found that Wajam Internet Technologies was not obtaining meaningful consent to install the software and was preventing users from withdrawing consent by making it difficult to uninstall the software.
As a result of our investigation, the company stopped distributing the software in Canada, ceased collecting personal information from Canadians who had already installed the software, and agreed to destroy all Canadian user information in its possession.
By their nature, spyware and address harvesting pose dangerous threats and can be difficult for Canadians to detect.
These issues are not likely to be the subject of traditional consumer-driven complaints, nor are consumers likely to recognize them.
This is leading us to adopt a more proactive enforcement approach for Canada's Anti-Spam Legislation matters, including the greater use of commissioner-initiated investigations like the ones I have just described.
Our proactive efforts also include outreach, issuing education and guidance material for consumers and organizations on protecting their computers, and understanding spyware and ransomware.
Canada's Anti-Spam Legislation has also made amendments to PIPEDA, which have improved our compliance outcomes generally, in other words, the compliance of other provisions of the act respecting the protection of personal information in the private sector that go beyond the two behaviours set out in Canada's Anti-Spam Legislation. These were consequential powers associated with the adoption of Canada's Anti-Spam Legislation.
The ability to decline or discontinue complaints has taken us part of the way in allowing us to focus efforts on matters that present the greatest risk to Canadians.
That said, our enforcement resources remain taxed with a continuous high volume of complaints.
The ability to collaborate and share information with domestic and international counterparts—another consequential PIPEDA amendment—has had a profound effect on our office's capacity to deliver impactful enforcement outcomes across the globe.
Since those provisions came into effect in 2011, our office has participated in numerous collaborative and joint investigations, including our first joint investigation with our Dutch counterpart into WhatsApp in 2013, as well as last year's Ashley Madison investigation with our Australian equivalent and the U.S. Federal Trade Commission.
CASL has only been in place a short time, so we're still gaining experience, but from my perspective so far, the law has provided the OPC with useful additional tools. Nevertheless, I believe the following legislative changes to CASL would be worthy of consideration. There are three.
First, give the OPC more flexibility to share information with the CRTC and the Competition Bureau. At present, under sections 58 and 59, the three bodies can share information and use that information, but this is limited to specific CASL-related purposes as set out in those sections.
As noted previously, CASL also amended PIPEDA to give the OPC the ability to share information with domestic and international counterparts, but these provisions do not include the CRTC and the Competition Bureau. In past investigations under PIPEDA, outside of the context of CASL, issues have surfaced that overlap with the jurisdiction of the CRTC or the Competition Bureau, and in those instances we think it would have been very helpful to be able to share information and to collaborate with our colleagues. To address this, either PIPEDA or CASL could be amended to give the OPC more flexibility to share information with the CRTC and the Competition Bureau more broadly, to address matters that intersect between consumer and privacy protection.
The second amendment would be to clarify the conflict provision in CASL, section 2, which states that CASL takes precedence over PIPEDA in the case of a conflict. We would like a reformulation of section 2 to say that CASL can add to the provisions of PIPEDA, but does not lower those standards.
This is not an abstract concern, as we have already encountered one instance where the organization attempted to argue that it did not need to comply with PIPEDA because of an exception to CASL. I would refer the committee to our report of findings in Compu-Finder as an example of why this clarification is required.
Finally, we would suggest clarifying the spyware provision. This is subsection 7.1(3). As a result of CASL, PIPEDA removed the possibility of resorting to consent exceptions to justify the collection or use of personal information that has been made by accessing a computer system, or causing one to be accessed, in contravention of an act of Parliament. To further clarify this provision, we recommend that the reference in the provision to accessing a computer system “in contravention of an Act of Parliament” more explicitly include unauthorized installation of a computer program within the meaning of section 8 of CASL.
In conclusion, Mr. Chair, the OPC works diligently to educate individuals and organizations on the privacy implications of digital technologies, social trends, and business practices, and to enforce privacy protections. CASL enforcement is a key part of this suite of activities. While individuals should take steps to be aware of risks and to protect their personal information, it should not all rest on individuals. Organizations, too, must do their part.
Thank you. I will be pleased to try to answer your questions.