Industry Committee on Oct. 24th, 2017

I'll make the preliminary remarks.

Thank you, Mr. Chair.

Thank you for inviting us, my colleagues and me, to appear before you today on your review of Canada's Anti-Spam Legislation.

We think this legislation has been positive in helping to fight spam and address certain online threats that can be harmful to Canadians.

As you know, responsibility for enforcing compliance with the legislation is assigned to three enforcement agencies: the CRTC, the Competition Bureau and the Office of the Privacy Commissioner of Canada.

For its part, the office is responsible for investigating address harvesting and spyware, both of which generally involve the collection and use of personal information without consent.

This responsibility forms an integral part of the office's broader mandate of the Personal Information Protection and Electronic Documents Act, or PIPEDA, in other words, the act respecting the protection of personal information in the private sector, which sets out rules governing the collection, use, and disclosure of personal information in the course of commercial activities.

Canada's Anti-Spam Legislation also empowers the three agencies to share information and collaborate in enforcing the law. We worked with our partners in applying this legislation. In particular, we have accessed and made use of the Spam Reporting Centre at the CRTC to help identify address harvesters or entities suspected of distributing spyware, which has resulted in two major investigations so far.

Our first investigation involved Compu-Finder, a Quebec-based training provider.

Compu-Finder used email addresses—some of which were collected via address harvesting software—to send out recurring email messages to individuals, many without adequate consent.

We collaborated and shared information with the CRTC. Our investigation served to enhance Compu-Finder's practices and provided guidance to businesses in general on responsible email marketing that respects people's information.

Most recently, we completed an investigation into a Canadian company called Wajam Internet Technologies, which distributed its program as an unsolicited add-on to free software. The program tracks a user's online search queries and integrates the results with content shared by an individual's contacts on social media networks.

Our investigation found that Wajam Internet Technologies was not obtaining meaningful consent to install the software and was preventing users from withdrawing consent by making it difficult to uninstall the software.

As a result of our investigation, the company stopped distributing the software in Canada, ceased collecting personal information from Canadians who had already installed the software, and agreed to destroy all Canadian user information in its possession.

By their nature, spyware and address harvesting pose dangerous threats and can be difficult for Canadians to detect.

These issues are not likely to be the subject of traditional consumer-driven complaints or that consumers will recognize them.

This is leading us to adopt a more proactive enforcement approach for Canada's Anti-Spam Legislation matters, including the greater use of commissioner-initiated investigations like the ones I have just described.

Our proactive efforts also include outreach, issuing education and guidance material for consumers and organizations on protecting their computers, and understanding spyware and ransomware.

Canada's Anti-Spam Legislation has also made amendments to PIPEDA, which have improved our compliance outcomes generally, in other words, the compliance of other provisions of the act respecting the protection of personal information in the private sector that go beyond the two behaviours set out in Canada's Anti-Spam Legislation. These were consequential powers associated with the adoption of Canada's Anti-Spam Legislation.

The ability to decline or discontinue complaints has taken us part of the way in allowing us to focus efforts on matters that present the greatest risk to Canadians.

That said, our enforcement resources remain taxed with a continuous high volume of complaints.

The ability to collaborate and share information with domestic and international counterparts—another consequential PIPEDA amendment—has had a profound effect on our office's capacity to deliver impactful enforcement outcomes across the globe.

Since those provisions came into effect in 2011, our office has participated in numerous collaborative and joint investigations, including our first joint investigation with our Dutch counterpart into WhatsApp in 2013, as well as last year's Ashley Madison investigation with our Australian equivalent and the U.S. Federal Trade Commission.

CASL has only been in place a short time, so we're still gaining experience, but from my perspective so far, the law has provided the OPC with useful additional tools. Nevertheless, I believe the following legislative changes to CASL would be worthy of consideration. There are three.

First, give the OPC more flexibility to share information with the CRTC and the Competition Bureau. At present, under sections 58 and 59, the three bodies can share information and use that information, but this is limited to specific CASL-related purposes as set out in those sections.

As noted previously, CASL also amended PIPEDA to give the OPC the ability to share information with domestic and international counterparts, but these provisions do not include the CRTC and the Competition Bureau. In past investigations under PIPEDA, outside of the context of CASL, issues have surfaced that overlap with the jurisdiction of the CRTC or the Competition Bureau, and in those instances we think it would have been very helpful to be able to share information and to collaborate with our colleagues. To address this, either PIPEDA or CASL could be amended to give the OPC more flexibility to share information with the CRTC and the Competition Bureau more broadly, to address matters that intersect between consumer and privacy protection.

The second amendment would be to clarify the conflict provision in CASL, section 2, which states that CASL takes precedence over PIPEDA in the case of a conflict. We would like a reformulation of section 2 to say that CASL can add to the provisions of PIPEDA, but does not lower those standards.

This is not an abstract concern, as we have already encountered one instance where the organization attempted to argue that it did not need to comply with PIPEDA because of an exception to CASL. I would refer the committee to our report of findings in Compu-Finder as an example of why this clarification is required.

Finally, we would suggest clarifying the spyware provision. This is subsection 7.1(3). As a result of CASL, PIPEDA removed the possibility of resorting to consent exceptions to justify the collection or use of personal information that has been made by accessing a computer system, or causing one to be accessed, in contravention of an act of Parliament. To further clarify this provision, we recommend that the reference in the provision to accessing a computer system “in contravention of an Act of Parliament” more explicitly include unauthorized installation of a computer program within the meaning of section 8 of CASL.

In conclusion, Mr. Chair, the OPC works diligently to educate individuals and organizations on the privacy implications of digital technologies, social trends, and business practices, and to enforce privacy protections. CASL enforcement is a key part of this suite of activities. While individuals should take steps to be aware of risks and to protect their personal information, it should not all rest on individuals. Organizations, too, must do their part.

Thank you. I will be pleased to try to answer your questions.

This is public—

We'll send it, but I believe it can be found as an annex to our latest annual report as well.

Yes. The problem, again at the general level, pertains to the ability to share with our two sister organizations where the conduct that we're investigating goes beyond CASL, per se, but touches on our more general mandate, as in privacy protection, or competition more generally for the Competition Bureau. An example of where we faced the limit of the ability to share was in the case of Ashley Madison. It dealt with the obligation of organizations to properly secure the safety of information that clients gave to them. Because the sum total of the rules allow us to co-operate with various colleagues, we were able to share information with the U.S. FTC on that investigation, but not with the Competition Bureau.

There could be discussions between Canadian enforcement agencies as to, for instance, who is best placed to investigate a given matter and what would make more sense. We were not able to have these discussions with the Competition Bureau. We were limited in our ability to share specific information about the alleged facts to allow us to have that conversation.

The conducts that the three organizations responsible for CASL can investigate all tackle different angles of conduct that may be harmful to consumers, that is, consumer protection, privacy protection, and telecommunication issues. We cannot individually tackle all of these problems by ourselves. To be effective collectively in addressing the sum total of these harms, it's better to be able to share information and divide roles.

It would help.... For the enforcement of CASL provisions per se, we have the authorities we need to enforce the conducts prohibited by CASL. In our case, the two conducts are address harvesting and spyware. The recommendation we're making is to broaden the ability to share on other parts of our individual mandates. Here it's privacy protection, the obligation to have adequate safeguards. To have the authority to share information with the two other agencies for broader purposes would allow us to be more effective in our investigations on not the CASL conduct but the other conduct that is the subject of our acts.

I raise this in the context of this study, because the source of authority for sharing information, in our case to enforce PIPEDA more broadly, came from consequential amendments to CASL.

The PRA deals with the enforcement of the mandate of the three sister agencies.

Perhaps I can limit my comments to whether PRA would help in enforcing the two conducts for which the OPC is responsible, spyware and address harvesting. I understand that there's debate around whether CASL goes too far in certain respects, but I would suggest that for the two conducts for which the OPC is responsible, address harvesting and spyware, this is clearly unacceptable conduct. The more tools there are to tackle these unacceptable products, including the private right of action, the better.

I would welcome the coming into force of the private right of action as it relates to the two conducts for which I am responsible.

No.

Harvesting email addresses and spyware.

The investigation in question, the one into WhatsApp, did not deal with illegal behaviour under Canada's Anti-Spam Legislation. We have been granted information-sharing authorities through consequential amendments, as part of our broader mandate.

You are wondering about the effectiveness of the tools and how information-sharing is done. I must say that sharing information with other international data protection authorities has been very important. The starting point of the analysis is that, obviously, the data crosses borders and the behaviours that may be problematic for privacy protection or to consumers also cross borders. We must therefore collaborate with other similar organizations to tackle common and global problems.

How do we do this? We have bilateral agreements with certain colleagues and certain other data protection authorities or multilateral agreements. These agreements allow us to share information, but they also contain provisions that protect the confidentiality of data collected by investigators for investigation purposes. We may share information with law enforcement agencies, but the agreements include provisions that the information is to be used for investigative purposes only and cannot be disclosed. When we conduct an investigation, PIPEDA, which is a federal act, requires our office to process information that is collected confidentially, which is normal. However, once the investigation is completed, we will inform the complainant and the respondent.

Under the federal legislation, I have the power to make certain information publicly available for public information purposes, as well as to learn from such behaviour. If it's in the public interest, I can disclose certain information. We can talk to the investigators within that framework. Unless the public interest requires some information to be made public to better inform the public, I think there are still some limitations.

I would prefer to limit my response to applying the right of action with respect to the two behaviours that fall within my jurisdiction. I won't say anything beyond that. Should there be any changes to the plan with respect to these two behaviours? I don't think so.

There was discussion of the amount of fines, for instance, and factors that would allow the regulator to decide on the amount of a fine or whether or not to impose a fine. I think these factors are reasonable. Has the company committed multiple offences? How serious is the offence? These are all factors that seem reasonable to me.

Of course, applying these criteria in a reasonable way is also important. The criteria set out in the legislation make sense. It's about applying them correctly on a case-by-case basis.

The two behaviours that fall under my responsibility do not concern consent in the broad sense. It relates to two highly targeted and clearly unacceptable behaviours, namely, the harvesting of email addresses and the installation of spyware.

There is no doubt in my mind that spyware should be prohibited. There should be no exceptions that allow this kind of behaviour. Harvesting email addresses falls under the same category, but less clearly. There is a direct link between harvesting email addresses and the risks that consumers are exposed to, because email addresses can then be used to distribute malware, for instance. Because of the link between the two, I don't think there should be any exceptions.

I referred, in answer to Mr. Bernier, to some of our efforts with the Dutch under bilateral or collective agreements. I'll ask my colleague Brent Homan to speak to networks, for instance, that have been created between regulators in various countries to tackle that very issue.

With respect to networks that have been created, these are enforcement networks that have evolved somewhat organically in order to address issues, whether they be with respect to privacy, such as the Global Privacy Enforcement Network, or Usenet, which is the network associated with electronic threats.

One of the benefits of such networks is the ability to not only come together to share expertise and to identify potential opportunities for collaborating together on investigations, but also to carry out informal actions and enforcement actions, such as global sweeps that have been carried out both by the Global Privacy Enforcement Network in areas such as children's privacy, and most recently with respect to Usenet in this area of electronic threats and spam.

Making use of those networks is a key part of the solution in terms of collaborating with our international partners. Often it can be an ability to identify who we may want to expand our ability to work more closely with on more formal investigations, because we can't in all situations. There has to be some MOU, or some mechanism that allows us to share confidential information.

With respect—

To clarify, we have these networks. We have bilateral agreements with other countries. In terms of sharing our information to enforce spam legislation, we're good. We have authority under CASL to share information. Our recommendations to improve the legislation with respect to sharing of information deal with domestic agencies outside of CASL per se.

Yes.

Just to make one point as well, what we're seeing is often an intersection between issues of different regulatory spheres, an intersection between privacy issues and consumer protection issues. The commissioner talked about the one instance with respect to Ashley Madison where, while we were able to share information with the U.S. Federal Trade Commission on something that bled into the consumer protection issues, we ironically were unable to share information with our domestic counterparts. So that's where the mischief—

To be generous, I would not say obstruction. I would say there were good authorities who gave us helpful additional tools to share information as consequential amendments to CASL. Parliament just did not cover all of the territory, and we would want all of the territory to be covered.

Exactly.

In terms of enforcing CASL per se, yes, we have the authority we need, but we think we need more authority to share outside of CASL.

I would agree that it's low-hanging fruit.

Our second amendment?

I'll ask my colleague to respond.

I think the idea is just to make sure that PIPEDA remains the baseline protection for personal information for consumers. CASL is meant to provide extra additional requirements. PIPEDA is the baseline.

The consequential amendments to Canada's Anti-Spam Legislation go beyond the two activities I mentioned. Previously, because of the ombudsman model, when a person filed a complaint with the office and claimed that the act respecting the protection of personal information in the private sector had been violated, we had to investigate.

There were only some extremely limited exceptions.

The consequential amendments to Canada's Anti-Spam Legislation have reasonably expanded the reasons for which we can refuse to investigate. There are half a dozen exceptions; if you wish, my colleague Regan Morris can clarify this.

If another tribunal was dealing with a similar case, we could refuse to investigate, for instance, when a grievance mechanism would achieve the right outcome. We could then direct our attention to other matters.

Yes.

Basically. We would like to have even more flexibility, but this still helped.

What is fundamental is that we must investigate all the complaints we receive. Given our limited resources, we may not be able to focus on what is most important and what would have the greatest impact on privacy protection.

Generally, yes.

It's an interesting question.

My understanding of the CASL provisions on consent—even though we're not enforcing them, we're generally aware of them—is that it's an opt-in regime in which an individual receives communications from an organization only if they have opted in to that conduct.

PIPEDA, more generally, does not define specifically the relationships that are subject to opt in or opt out. It gives a certain number of general considerations. Under PIPEDA implied consent is permissible, but explicit consent is required based on a number of criteria. For instance—

I'll just mention one criterion that is relevant to your question.

One of the criteria, which are to be assessed on a case-by-case basis under PIPEDA as to whether explicit consent is required, involves the expectation of individuals. If we apply that standard to CASL, the question becomes what the reasonable expectation of consumers is in terms of receiving unsolicited communications from organizations. Do they find them helpful, because they help them make certain decisions, or do they find them unhelpful because—

It works conceptually. There are huge issues in the application of it and whether consumers are properly informed so that their consent is meaningful. We could spend a couple of hours on that.

But in terms of the concepts and whether implied consent can be permissible in certain circumstances, I think that's a workable regime.

I'll try to be more nuanced in my answer.

PIPEDA allows for implicit consent and requires explicit consent based on criteria that generally makes sense. Does it work? It all depends on whether meaningful consent is obtained, and people do come to us frequently to say, “Maybe the law allows for implicit consent, but I never understood that I was giving implicit consent for this or that conduct by the organization.” How this applies and what kind of information is given by organizations in order to obtain meaningful consent is the subject of my last annual report. It's a very open question, and I think many improvements would be required.

If I understand the question posed to me in terms of comparing CASL consent with PIPEDA consent, I concede that CASL consent is more onerous for organizations. Therefore, the PIPEDA consent regime could work if proper information was given to consumers, but in addition to that, I would suggest that you need to ask yourself, among other things, what the expectation of consumers is in terms of receiving unsolicited communications from organizations? That's the first question.

I don't have the answer to that question. Different countries have different answers, but one question is, what is the reasonable expectation of consumers?

I'll ask my colleague Brent Homan to answer.

With respect to fightspam.gc.ca, that's one portal by which individuals can identify whether there are complaints. In terms of our process at the OPC, we can also receive complaints directly, related to CASL or other privacy matters.

We have received certain complaints, but by the nature of what we are looking at, as with harvesting and spyware, they're opaque practices, so it's less likely for us to receive complaints. It's less likely for individuals to know whether they've been affected by such practices. As a result, we look at things more proactively, but fightspam.gc.ca might be one portal to identify issues they could relay to different authorities. We have working groups where we are able to collaborate and discuss issues of commonality, but as well, the traditional intake and complaint process is available and that's what's often used.

I'll give you an answer. I'm not sure we're the most relevant organization to ask this of, because again, our role in terms of CASL is limited to two activities: address harvesting and spyware, both of which are clearly unacceptable. There are more questions around spam per se and the fact that organizations are unable under that legislation to contact individuals, but our role deals with these two types of conduct. We don't have many cases. That's not the sum total of CASL by far, but these two types of conduct in particular are essentially hidden, so it is very difficult, if not impossible, for individuals to see the harm being done. We act, in part, based on information in the CRTC's spam centre, the analysis of this, to ourselves spot trends, spot problems, and act on our own initiative.

I've mentioned two investigations that we have conducted. There are not many, just two, and they have resulted in reports of finding. We're investigating other activities currently, but they are few.

As to how many people we have to devote to these efforts, there is no one specifically on this. However, we have a handful of people who, among other duties, have as a duty to enforce this particular piece of legislation.

Yes.

To answer that question, I would have to look at the sum total of our responsibilities.

Again, CASL addresses two conducts out of a very large number of activities that affect privacy protection. I think it is very difficult to be effective in privacy protection writ large with the resources I have. Is CASL the biggest problem? I would not say so. It is part of the problem of insufficient resources to tackle privacy protection generally.

Go ahead, Brent.

I can talk about one specific outreach initiative where we thought we would do some reaching out to organizations that may not know they're implicated with respect to address harvesting—address harvesting being the collection of addresses through electronic means. Some organizations that use address lists may think that doesn't have anything to do with them, that they just purchase the lists and use them in order to do their marketing. However, if you've purchased a list that's been compiled without the adequate consent of the individuals through address harvesting, then you're also potentially on the hook for a violation of the act.

For part of our outreach, at least in that specific area, we thought it was highly valuable to say to these organizations, which are broadly across sectors, that if they are using lists, they must ensure that they ask the right questions of the list providers to ensure the list has been compiled with the consent of those people on that list.

That's a good example of what we've done in the area of outreach, at least for organizations.

I'm afraid the question is a bit too broad for me to get my head around it.

Legislation about social media generally...?

Do you have a view on that, Brent?

Well, I can tell you how it can be related.

If you look at the recent case with respect to Wajam, you'll see that one of the features of this adware is that it was coupled with social media interactions and delivered to individuals. Social media could be leveraged by organizations that are carrying out some of these other activities, such as in the Wajam situation, in order to facilitate those activities.

In this situation an organization was coupling the adware with the understanding of the contacts related to social media. It wasn't just social media that was spamming, no. It was this organization that was installing this adware along with other free adware. Social media was a component, but it was not the avenue by which it was delivered.

The adware would take a look at social feeds and deliver and identify advertisements related to the social feeds. It was making use of the social network.

It was Compu-Finder. Because address harvesting harvests many electronic addresses, it can obviously facilitate an excessive number of communications to consumers who do not wish to receive these communications. That's the link we're making. It's excessive from the perspective that numerically many people are affected and receive communications that they never asked for, and address harvesting results in that conduct among other things. Address harvesting can also, in the worst case, be used to disseminate malware and can lead to other privacy risks.

This case was intelligence-driven. It pointed out with respect to these threats, address harvesting and spyware, it's more unlikely that individuals will know that they've been affected and impacted by that. Right from the outset with respect to the coming into force with CASL, we expected to take a more proactive approach. The Wajam case was a result of identifying potential threats and risks out there in the marketplace and knowing that and surveying that there were issues and concerns related to this specific type of adware and its installation and its difficulty with respect to de-installing as well.

People noticed it was intelligence-based when they tried to reinstall the system and were unsuccessful. Some of them made their views known, but the start of this was intelligence-based.

Yes.

There was more collaboration with the CRTC with regard to the Compu-Finder investigation because two agencies were carrying out the same investigation. Our office was looking at the collection of addresses whereas their office was looking at the dissemination of messages. To that extent the issue was very complementary. That was where there was closer sharing of information, and just keeping each other apprised of the status of investigations.

With respect to Wajam, there wasn't any specific collaboration, but we also have certain working groups and certain opportunities where we get together and talk and are aware of what each other is doing to see whether there might be an opportunity to collaborate, or to know that we've seen this, is this something of interest to the others or not, and that way we can make a more informed decision about who's best placed to pursue our matter.

It would have been mentioned at certain meetings that we were pursuing this.

No, Brent is.

Often it could be the DGs, or the assistant deputy commissioners, or whoever it might be. There are different steering committees. There's the directors general steering committee, where we talk about broader issues as well as about ongoing investigations. As well, there are enforcement working groups that get together and talk about matters ongoing.

Absolutely, yes, it would assist. Again, when we look at the two prohibited conducts under CASL, the two conducts relevant to us, these are unacceptable practices by organizations. Generally speaking, I would say that the more tools that are proportionate to the conduct, the better. A private right of action fits within that, in my view, and order-making to require companies to desist from certain conduct would also be very effective.

A number of companies wish to comply with the law, but not all do. In particular, for the two conducts of address harvesting and spyware, these are conducts where you're not dealing with very legitimate companies or organizations, so order-making would help.

I'll try to answer the best I can with as little time as possible.

The one reality is that privacy laws are not harmonized, but they're not completely dissimilar, either. There are important differences. They're all inspired by the same principles. They are not drafted in the same way. They're not harmonized.

Regulators, other data protection authorities, privacy commissioners have to operate within that environment. It is possible, not perfectly, to work within that environment and enforce our respective laws through the kinds of co-operation that I had referred to in the past, either bilateral or multilateral agreements with other data protection authorities. There is quite a bit that is happening on that front.

There are various networks. There is an international conference of data protection authorities that discusses these issues. There are arrangements under that network. There are other networks. There are a number of networks. The situation is not perfect because, ideally, the laws would be harmonized, and that's not the reality and I don't think it will be the reality anytime soon.

Maintenance of data...?

Are you referring to the upcoming data breach regulations?

I'll ask Regan Morris to complete this, but I would refer to the general regime under PIPEDA, wherein the rule is that information collected from consumers by an organization must be kept only as necessary. That's the concept. There's no prescribed time limit.

Regan.

I think your question is dealing with the specific consent provisions that the CRTC enforces in relation to proving that they have obtained consent for the—

I'm not sure we would have a comment on those specific rules. As the commissioner has said, the general rule for storing personal information is to keep it only as long as necessary, and that could be because of legal requirements.

If you are talking specifically about the notion of external invasion into networks, then spyware, for example, might be a gateway in order to allow and facilitate such invasions.

To that extent, address harvesting can result from spyware or can result in the application of spyware. They are all interrelated in that these are threats, and when they are threats to the digital economic platform, they're also threats to the networks, whose robustness and constitution impacts upon trust in that platform.

[Inaudible—Editor] are a part of the solution, but are not all of the solution, obviously.

We received funds for CASL, but for other responsibilities, not so much recently. For CASL, however, we did receive funding.

Thank you very much, Mr. Chair.

Good afternoon, honourable members of the committee. My name is Suzanne Morin, and I am chair of the CBA's national privacy and access law section, and I work for Sun Life. With me today, as you know, is Gillian Carter, who is a lawyer with the law reform directorate of the Canadian Bar Association.

Thank you for inviting us to present our views on CASL. Before addressing some of our main points though, I'm going to ask Ms. Carter to provide some background information on the CBA for your information.

Thank you.

The CBA is a national association of over 36,000 lawyers, law students, notaries, and academics. An important aspect of our mandate is seeking improvements in the law and the administration of justice. That is what brings us here today. Our written submission, which you've received, was provided by the CBA's privacy and access law section, the competition law section, and the Canadian Corporate Counsel Association. These sections consist of lawyers from every part of the country who have in-depth knowledge of privacy and access law, competition law, and issues affecting in-house counsel.

I'm going to focus on a few main points, many of which have been echoed by others who have appeared before you.

The CBA sections believe that CASL must strike a balance between protecting consumers from damaging and deceptive electronic communications while at the same time allowing businesses to compete in a global marketplace. CASL's interpretation and application need to be clarified to meet the act's objective, which is to protect consumers by really targeting bad actors. In our view, current application and enforcement efforts are not in line with the act's objectives. Instead, legitimate businesses doing the best that they can to comply are being targeted.

In its current form, CASL is confusing and overly complex. CASL is an unclear statute, and there are two separate sets of regulations that go with it. This makes compliance very difficult for organizations, especially for small and medium-sized businesses, as well as not-for-profits, who have limited resources. The CBA sections have set out in our written submission a number of the more problematic interpretation areas in CASL.

One example, and you've heard that many times, is the broad definition of commercial electronic message, which is open to significant interpretation. This overbreadth limits messages that may benefit consumers, and has a chilling effect on innovation and competition. Canadian organizations, out of fear of being non-compliant, have reduced their email marketing efforts, creating an anti-competitive environment.

Another example is the requirement for installing computer programs, which deems express consent if it is reasonable to believe through the person's conduct that they consented. It is very unclear, however, what conduct will be sufficient to meet that threshold.

The CBA sections encourage publishing all in one place guidance materials that are updated regularly. For example, it would be very helpful to have a regularly updated Q and A web page addressing some of the more complex interpretative issues that are being raised from time to time by practitioners.

The limited guidance currently available to address the confusion and uncertainty in CASL increases the possibility, and you've heard this as well, of inadvertent non-compliance. The guidance that does exist is incomplete, out of date, inconsistent, and overly simplistic even at times. For example, the guidelines on the interpretation of electronic commerce protection regulations read obligations into CASL that are not supported by the legislation itself. The guidelines state that consent must be sought separately from general terms of use or sale, but CASL speaks only to keeping CASL consents separate. That's an additional obligation not found in the act.

The guidance is also difficult to find. Some is provided by the CRTC, some by the Competition Bureau, some by the Office of the Privacy Commissioner, and some by ISED.

The CBA sections encourage greater transparency of CASL's enforcement and oversight mechanisms. Currently, there is little information about how the CRTC decides which cases to investigate, and what monetary fines to impose. As well, it is unclear from reported decisions to what extent the CRTC is actually applying the due diligence defence.

Organizations are also not typically advised of complaints prior to commencement of an investigation, nor are they given an opportunity to respond to complaints in an informal manner. We believe this is a missed opportunity.

An informal mechanism that allows organizations to respond to complaints and make the necessary changes during the normal course of business would be a wonderful opportunity to deal with a lot of these complaints that you see coming into the CRTC's complaint spam centre. This would reduce significant investigation costs down the road, and would be particularly useful in cases of unintentional non-compliance, or differing interpretations.

The CBA sections also encourage a thorough analysis of the appropriateness of the private right of action provision, and its scope in the context of the whole of CASL. In our view, bringing the private right of action into force without clear guidance is premature. Even without the private right of action, CASL has a broad range of enforcement tools, and you heard from Commissioner Therrien this morning. In our view, any lack of compliance is more likely the result of the confusing and onerous nature of CASL, rather than the current enforcement tools being insufficient.

We want to note, in particular, the application of the private right of action under the false or misleading representation provisions of the Competition Act. The need for the private right of action in this context remains questionable particularly given the Competition Bureau's existing oversight and enforcement. The relevant provision, section 74.011, is also concerning because certain subsections contain no materiality threshold.

Finally, we also want to note the inordinate cost and resource burden of CASL on charities and non-profits. We would recommend that they be exempt from all of CASL's provisions, except for the ID, content, and unsubscribe requirements as they relate to commercial electronic messages.

In conclusion, the CBA sections once again appreciate the opportunity to share our views on CASL. Given its complexities, we believe a more extensive consultation is needed under the statutory review, and we encourage you to invite more stakeholder feedback and more detailed feedback.

Thank you for having us here today.

We will be pleased to answer your questions.

Thank you.

Absolutely.

With apologies to the Bard of Avon, friends, parliamentarians, countrymen, lend me your ears; I come to praise CASL, not to kill it. The evil that critics of CASL do lives with them; the good is oft imbued in its sections; so let it be with CASL.

CASL's noble adversaries may tell you the law is too ambitious, as if this was a grievous fault.

CASL enshrines the work of the 2005 federal task force on spam. Best practices found in our final report are now global industry standards, but best practices mean nothing without disincentives to bad actors.

CASL is a crowdsourced law, taking input from hundreds of people working tens of thousands of hours. The Messaging Anti-Abuse Working Group, for example, MAAWG, is an industry association of 185 member companies, all anti-spam professionals, such as Apple, Facebook, Google, Amazon, and Bell Canada. MAAWG participated throughout the CASL process and sent a letter to the Prime Minister urging the passage of the law as it was tabled.

My name is Neil Schwartzman. I'm the executive director of the Coalition Against Unsolicited Commercial Email. I wrote the world's first distributed spam filter, and 20 years later, here we are. I'm a management consultant. My clients include the world's largest company and the world's biggest sender of commercial email, neither of which spam. It's not that hard. I also teach cyber-investigation methods to international law enforcement.

Spam filtering costs recipient networks $20 billion a year. We pay for spam. Spam has become much worse of late: ransomware and phishing payloads are vicious. Ninety per cent of the spam that hits our networks is affiliate spam, which you've heard we should allow. Affiliate spam is an open sewer spraying a billion messages per hour at our families, friends, and colleagues. Unsolicited junk email, texts, and phone calls from Walmart, DirecTV, and Fidelity are some of the affiliate spam sent by third parties, earning commissions from the brand to send spam. CASL was purpose-built to remedy such activity.

The Privacy Commissioner and other law enforcement agencies just this year have completed a five-country sweep against affiliate spammers. Results have yet to be published, but we will be hearing about that. Studies from Cloudmark, Inbox Marketer, Return Path, and Cisco have proven CASL to reduce spam coming into Canada and going out of it. That's data, not opinion.

Law enforcement can't possibly investigate, nor do they know about all of the spam attacks. CASL's PRA, a right integral to the American CAN-SPAM Act, has been suspended, lamentably preventing Canadian ISPs, businesses, and organizations from seeking compensation for damages done to their network by spam.

Declarations of CASL's damaging effects that some have made here are laughable. The OECD two weeks ago projected that Canada's economic growth for 2018 is the best in the G7. Quebec is enjoying the lowest unemployment rate in three decades. Our economy is not hurting. We hear about how legitimate companies have been caught in the CASL net. In two cases prosecuted by the CRTC, the marketing departments of Rogers and Kellogg's used spam email lists provided to them by third party firms. Yes, legitimate companies bear costs to become compliant, just as when PIPEDA came into force.

Businesses must be vigilant. Data breaches occur daily. Business email compromise costs tens of millions of dollars. CASL defines modern standards of data integrity and permission that companies must maintain in the global economy. In the EU, the updated GDPR privacy law comes into effect in 2018. Failure to maintain parity with them will put us at a severe economic disadvantage.

Why are some afraid of CASL? It's because it's working. CASL is so frightening to spammers that they lobby Canada's law enforcement and legislators. American groups with direct ties to black-hat spam organizations will present you with information in the coming weeks. They've been invited here.

With this in mind, I exhort you to leave CASL intact. Adjust, yes, and clarify, doubtless, but do not come here to kill CASL. Do Caesar proud.

Thank you for inviting us here.

I'll be quick.

Good afternoon to our distinguished members of Parliament. Thank you for inviting us to speak with you today.

My name is Matthew Vernhout, and I am here on behalf of CAUCE, the Coalition Against Unsolicited Commercial Email. In my professional capacity, I am the director of privacy and industry relations for the email analytics firm, 250ok; the chair of the Email Experience Council's advocacy subcommittee; and an active member of the global email community.

I participated in the drafting of America's CAN-SPAM Act, and I had the pleasure of speaking to this committee in support of CASL in 2009.

I have published dozens of articles, been quoted in the press, spoken at numerous industry events, and consulted with some of North America's top brands regarding CASL compliance. In fact, one of the comparative benchmark reports I authored for ISED was recently cited in the CRTC's decision on the constitutional challenge by Compu-Finder.

The positive effects of CASL on the email industry are remarkable. I'm delighted to say analysis finds the email industry thriving and experiencing significant growth. Businesses ensure they have recipient consent, and they are seeing the positive benefits of those actions. A common trend has emerged from several published reports in the last three years: more messages are delivered to Canadian consumer inboxes post-CASL, due to better list management practices and consumer trust. A recent industry report shows that two countries with the toughest anti-spam legislation, Canada and Australia, also have the best deliverability of commercial emails to inboxes in the G8 nations studied.

The basic framework of CASL is a series of email marketing best practices that have been the basis of most of my consulting efforts over the last 17 years: ask for permission, honour opt-outs, and be clear as to who you are and why you're sending the messages. CASL has taken these ideas and made them the law of the land.

As my colleague stated, CASL is working to diminish spam. Moreover, it is working to make legitimate email marketing more successful and more effective. There is far too much baseless fear, uncertainty, and doubt being spread by the naysayers of CASL, many of whom are neither anti-abuse nor marketing professionals.

When I speak with marketers about their compliance efforts and the challenges they face to make their digital marketing compliant, I hear, “This is a lot of work, but it's not nearly as difficult as I thought it would be.”

However, we still have a long road ahead of us. The spam reporting centre receives 6,000 complaints per week, totalling more than one million complaints since 2014. For example, blacklist operator SURBL notes that there are currently 70 “.ca” domains spamming counterfeit goods targeting Canadian consumers. There are also active spam gangs set up on hosting providers in Montreal, Hamilton, and Vancouver.

Regarding the PRA suspension, this renders CASL toothless. The PRA should be revisited to allow network operators who carry the cost of spam to avail themselves of redress.

In closing, it is our hope that the law remains a strong and viable tool to protect email marketing, networks, and consumers from unwanted spam messaging. Canadians, like all consumers, deserve nothing less.

Thank you.

I think that's an excellent question. There's no denying that I have some open fears about people misusing the law. We didn't intend it to be a cash cow for litigious frivolities. Mr. Vernhout has stated CAUCE's opinion. Our stance is that network operators should be allowed to avail themselves of private right of action, so ISPs, companies, and organizations should absolutely be able to have a right for redress. We're growing softer on the right of individuals to sue a company, or the class action stuff. Admittedly I think that's where the vulnerability lies, and, no, we don't want this to be stupidly abusive. I know we are in a loser-pays environment here in Canada, but that will not prevent frivolous suits from being filed. So let's just focus on the people who actually operate the networks and suffer the damage.

Yes, precisely. I think we've also heard from the Privacy Commissioner and others about some reasonable sculpting, which makes it less...in fact while I rarely find myself in agreement with Ms. Morin, I have to agree that the “false and misleading” is very vague, and there absolutely need to be standards set before we go with that. Again, it has parity with CAN-SPAM and other places, but it allows a network operator, an ISP small or large, to say “stop”. And, yes, everybody says we can't sue Nigerian spammers, but they exist in this country. The “Nigerian princes” are here. They are everywhere. They pretend to be from Nigeria, but they do exist in this country. There's this kind of fallacious thing of “Oh, we can't deal with international spam.” Private right of action allows us to actually do that.

The very fact that you're asking those questions is really the first step. As Mr. Schwartzman explained, even when CASL was being debated before committee, back when it was introduced, definitely one of the comments about it made by the business and legal profession was that it was too broad, that it went way beyond what we were seeing across the border, and also what we thought was necessary, which was to allow those who were suffering the harm, if you like, the network providers.... While the CBA doesn't have an explicit provision as to exactly what it should be, you need to look at it, and you need to make sure that you look at it in the context of existing CASL and any changes that you might make. But narrowing it down to those service providers who are actually suffering harm and actually have the ability to go after some of those more nefarious players sounds like a possible, reasonable approach.

Absolutely. As a consumer who receives large volumes of spam, certainly I've had a personal interest in being able to go after that, but in turn, if my network provider and my email provider had the tools to go forward on my behalf, or on behalf of fellow consumers using their domains, I certainly think that would be a valuable tool. We did see under CAN-SPAM that organizations like Facebook have effectively used CAN-SPAM on their own to protect their network and protect their users. In fact, they did have a settlement against a gentleman in Montreal that resulted in, I believe, a $1-billion violation under the California anti-spam act and CAN-SPAM, which was later upheld by the Quebec courts, because his initial response was that if he lived in Canada, CAN-SPAM didn't apply. Then they went after him civilly and were able to get the Quebec courts to honour that judgment.

The IoT software update issue has been misstated a little bit to this committee and perhaps misunderstood more generally. Once you install a piece of software and they throw up the terms of service to a net user, they also accept, if the terms of service are written correctly, the ability of the software publisher to update the software.

It would not hurt us. It would benefit us and IoT is a lurking giant that should scare us all.

Sure. Thanks for the question.

From a large business perspective, you gather the resources and you do what you need to do to comply. As someone who has worked on implementing CASL internally at a few organizations, but also in working with external counsel and my colleagues in other companies, and the discussion we have at the CBA across the different sections as well, it is truly amazing the amount of time spent, and org charts and step-by-steps that you have to develop in order to make sure that you're actually complying with all the different pieces because it is unnecessarily complex. You shouldn't need a lawyer to implement CASL, and unfortunately, you do. When you think of a small enterprise where they have a few employees, or larger ones—and you heard from the Canadian Marketing Association, an organization which in about 2025 may have spent upwards of $40,000—it's mind-boggling.

Once again, the idea is not to get rid of CASL, but rather to have it focus on what it should be focusing on. For small and medium-sized enterprises to be sending electronic communications to their customers or trying to do prospects, even before CASL came around, people used to insist on consent. However, it's all the little things you need to do to ensure that you have complied that bogs everybody down and it's the fallout from the non-compliant element. If it were more akin to PIPEDA, on which we heard from Commissioner Therrien before, it's a complaints-based model. If you make a mistake or you have a judgment call that you make that's not quite agreed to by everybody else, you have an opportunity as an organization to make it right without necessarily seeing yourself subject to a very formal investigation or fines.

Unfortunately, in the way it's been enforced here in Canada by the CRTC, it has had a chilling effect. You don't want to be that organization that then has to have a settlement agreement or notice of violation.

To your question, if the $40,000 that the Canadian Marketing Association...which would be a trade association really trying to do the right thing, you can't just really wing it, because if you do, then you're subject to potentially being found to be not compliant. If the CRTC were to send back to individual organizations right away any complaint that they got, that would be an opportunity for organizations, small and large alike, to see what changes they need to make.

There are some things that a small organization would have to deal with. Once they got over how broad the definition is, they would have to look at the unsubscribe requirements. No one has an issue with unsubscribing, but we also have to add some of the managing consents, separate consents, for all the different elements. With the record-keeping obligations, which are fairly onerous, you have to be able to show at every instance which consent you're relying on and how you obtained it. There's the way they have to manage their lists. Once you have an existing business relationship, you leave.... I'm sending you emails for two years, but then after that, I have to stop because the law says to. It's all these little artificial things that get in the way of just everyday, appropriate business practices.

Those are some of the elements that small and medium-sized enterprises in particular would have to deal with.

A lot of the compliance efforts and a lot of the consulting that I've seen done really focus on education. Sure, you need someone who understands the law, you need maybe a legal opinion on a few business practices, but there are lots of solutions, many free, many paid for. Obviously if you pay, you get better service and support to manage consent tracking, daytime tracking, even to manage the idea of taking screen shots at the point of data collection and tracking what forms look like. There are solutions out there. Not all of them are onerous to use; not all of them are expensive to use, either.

Is $40,000 for an organization a lot of money to comply? Honestly, I don't necessarily think it is for most mid-sized businesses. Smaller businesses, sure, but smaller businesses also tend to have very small email lists and they may very well know every person who's on their list, so they're not going to be necessarily looking at.... They know where their consumers come from. They have transaction purchase data; they have that history. It's just organizing it in a way that makes it accessible and easy to understand.

There was a question earlier in the panel around six-month implied consent versus two-year implied consent. All of those things are built into marketing automation platforms now. You can track the date the consumer subscribed. You can assign a flag to them to say this is a six-month implied consent, this is a two-year implied consent, an express consent. You can build the logic right into the marketing platforms that will either suppress those users when they've reached their end-of-life cycle or will notify those users, or build some sort of communication plan proactively into reaching those consumers before they reach their expiry.

Sure. There are the right ways to do third party communications and there are the wrong ways to do third party communications. CASL actually allows for both, unfortunately.

The right way that typical people will look at doing third party communications in regard to even the idea of list rental is similar to the idea of taking out a full-page ad in a newspaper. I will give you my advertisement, you will send it to your communication list because you have the proper consents and can manage the unsubscribes. I don't see any of the addresses until people choose to either take my offer or engage and give me some type of consent directly. That's the right way to do third party communications.

The other way really comes down to the idea of, “I have a list. Here you go. Please feel free to send it based on our contractual agreement.” That industry, right after CASL came into force, was studied by an organization in Toronto. They said the available number of lists to be used that way in Canada went from 400 to 14 because none of them had proper consent prior to CASL. When they were reviewed against CASL, that industry basically disappeared, actually probably accounting for a significant amount of unsolicited email communication also disappearing.

That was one of my talking points, that we were the last country in the G8 to adopt an anti-spam law. It's embarrassing that some would like to do away with the law. It's an excellent law, and it's one that is respected as the best in the world among my colleagues.

Absolutely it could do with some adjustments, but in terms of the GDPR which is coming into effect May 25, 2018, we are about to encounter a degree of onerousness in data integrity that the world hasn't seen before, and that's a good thing.

The GDPR builds on the European privacy directive, which has been around for about a decade, with no teeth, with no ability to take punitive action. The GDPR gives countries the ability to force companies back into compliance, to respect the individual's right to say no, to be forgotten, to be left alone by marketers, or to willingly give that data to them and enjoy the benefits.

One thing that's very important is that the difference from the junk mail or the bulk mail that ends up on your doorstep is the marketer pays to get it there. They pay Canada Post to bring it to you. They pay for the printing. They pay for everything. Spammers do not. The recipients end up paying for that.

I'll talk about a small company here in Ottawa: striker.ottawa.on.ca was their domain. It's a consulting company that, for some reason, ended up on the spammer lists, and now they get one million spam a day. They've been driven out of business using that domain. There's not enough spam filtering in the world to compensate for that kind of flood.

We need to be a leader, and we are absolutely positioned to be such. I think it would be a matter of pride for everybody in this room that we can maintain parity with the EU.

Oh, oh!

As Commissioner Therrien explained, there is no doubt they have a very narrow and small piece of CASL that they implement, so obviously any sort of outreach they can do to clarify so that there is no inadvertent.... Being offside of those provisions would be helpful, but if we slide to the rest of CASL, which is where you're hearing a lot of the concern that we are expressing here today and from others who have come before us, yes, there have been a lot of people out on the road trying to explain CASL, but the guidance that organizations have been provided has not been sufficient to remove the fear and the chilling effect that being inadvertently non-compliant could result in something fairly onerous for your organization. That applies to large organizations, small and medium-sized enterprises, and charities as well. So yes, we are all for it, and we think any legislation needs it, so we definitely think there needs to be more, and it needs to be very focused.

We also need to get a message, separate from any changes to CASL, because we've made recommendations about some changes we might want to CASL. There needs to be a message about what the approach to enforcement is going to be. If you are an organization that is trying to do the right thing, “It's okay, don't worry, we can work with you to get you onside” is not the messaging they're getting, so they're spending a lot of money unnecessarily. They're developing a lot of processes that maybe they don't.... There is confusion, also, for individuals who are receiving these messages simply because of the way CASL has been structured.

You heard from Mr. Sookman, and Mr. Elder as well, that when you have a statute that prohibits everything unless it's permitted through exceptions and exemptions, you're offside if you can't fit yourself within those narrow exceptions.

That's some of what our members are struggling with when they are helping their organizations or advising organizations, big and small alike, and not-for-profits as well. That's what we're struggling with. We just want to get to a place where business can operate. We're not talking about the bad spammers here. We want to continue that. This is just about legitimate business trying to do the right thing, so more guidance would be great, but some changes to CASL as well.

Let's make no mistake. Legitimate companies spam, too. They do, all the time. Matt and I have been doing it for 20 years. The amount of non-compliance among legitimate companies is high. CASL has put a stop to that.

On Internet of things updates, I think we could talk for hours, if you want to go to lunch. Your light bulbs should scare you. They really should. The amount of destruction that is happening as a result of IoT and the inability—not by law, but by connectivity—to update this stuff, I think absolutely should be a subject of investigation by this committee. I'd be happy to elucidate to that end.

We keep hearing about charities, but charities are specifically exempt under CASL. I don't understand what the onerous thing is. We keep hearing about the chilling effects of CASL. I don't understand how.... We have data that shows that there is more mail being delivered to Canadian consumers. It is being more effectively delivered, and our economy is growing, yet there is a chilling effect. I'm not feeling the cold; I'm actually quite warm right now.

You have to understand, in terms of the way ISPs work, we get complaints. Consumers hit, “this is spam“, “this is spam”, and “this is spam”. We put a block up in front of, let's say, one of Matt's clients because Matt helps them to send.... They have to come to us with proof that they had permission to send anyway, so what CASL is asking for is exactly the same proof that is demanded of senders every single day of the week. If they don't have proof that you signed up to his list, I'd block them permanently so they don't get to send mail to Bell Canada or Rogers—the ISP side, not the marketing side—or any other network operator in the world. That happens every single day. It's been normal, standard operating procedure for decades.

It's how one interprets the exceptions. To the extent that the charity is not engaging in a commercial electronic activity, that part of the business is exempt, but then every once in a while they're going to creep into soliciting money. They're going to creep into things, and with the way the language is.... Again, you prohibit everything, and unless you fit within one of the exceptions, you find yourself in this spot, as a charity, where you're not quite sure if you can send out that commercial electronic message, and if you are going to send it, then you need to make sure you meet all of these different obligations. Making it very simple for a charity would go a long way to making it easier for them.

Sure. I consulted with the Heart and Stroke Foundation. It is a former client of mine. They had no problems figuring out what part of their email programs were deemed to be fundraising messages, which are the messages that are exempt, and their commercial activity such as their lottery. They were able to absolutely separate those and treat them differently with regard to the activities of the business.

When they look at soliciting money in regard to their research and their programs, they are undertaking fundraising activities. In their view, and some of the other opinions they received, activities such as a lottery is a game of chance; therefore, it is not a fundraiser. It results in funds being raised for their organization, but because it is a game of chance it looks—

There are multiple interpretations.

If the purpose of the gala is fundraising versus simply to host an event, then yes, if the funds are being used toward a goal or activity with a purpose. Simply buying a ticket to an event would be a commercial activity, however.

I would say that would be open to interpretation, potentially by the CRTC.

Unfortunately, when I've asked them specifically about this as well, their answer tends to be that it's a case-by-case example when they look at the activities and the end goals, which I know is not necessarily the answer anyone wants to hear, but when you look at this as being a fundraising event versus being an event—

A lot of funds get driven toward payroll and non-charitable activities as well. I suppose it depends on the activity of the charity.

If I could add quickly—

The definition of “charity” and “not-for-profit” is not the same under CASL as it is under the Income Tax Act, so one opportunity, and it's in our submission, is to sort of make them the same. That may eliminate some of the confusion. The fact that we're here, and we can't even agree, and you can't understand shows the position that these charities find themselves in.

Yes.