Industry Committee on Oct. 24th, 2017

I'll just mention one criterion that is relevant to your question.

One of the criteria, which are to be assessed on a case-by-case basis under PIPEDA as to whether explicit consent is required, involves the expectation of individuals. If we apply that standard to CASL, the question becomes what the reasonable expectation of consumers is in terms of receiving unsolicited communications from organizations. Do they find them helpful, because they help them make certain decisions, or do they find them unhelpful because—

It works conceptually. There are huge issues in the application of it and whether consumers are properly informed so that their consent is meaningful. We could spend a couple of hours on that.

But in terms of the concepts and whether implied consent can be permissible in certain circumstances, I think that's a workable regime.

I'll try to be more nuanced in my answer.

PIPEDA allows for implicit consent and requires explicit consent based on criteria that generally makes sense. Does it work? It all depends on whether meaningful consent is obtained, and people do come to us frequently to say, “Maybe the law allows for implicit consent, but I never understood that I was giving implicit consent for this or that conduct by the organization.” How this applies and what kind of information is given by organizations in order to obtain meaningful consent is the subject of my last annual report. It's a very open question, and I think many improvements would be required.

If I understand the question posed to me in terms of comparing CASL consent with PIPEDA consent, I concede that CASL consent is more onerous for organizations. Therefore, the PIPEDA consent regime could work if proper information was given to consumers, but in addition to that, I would suggest that you need to ask yourself, among other things, what the expectation of consumers is in terms of receiving unsolicited communications from organizations? That's the first question.

I don't have the answer to that question. Different countries have different answers, but one question is, what is the reasonable expectation of consumers?

I'll ask my colleague Brent Homan to answer.

With respect to fightspam.gc.ca, that's one portal by which individuals can identify whether there are complaints. In terms of our process at the OPC, we can also receive complaints directly, related to CASL or other privacy matters.

We have received certain complaints, but by the nature of what we are looking at, as with harvesting and spyware, they're opaque practices, so it's less likely for us to receive complaints. It's less likely for individuals to know whether they've been affected by such practices. As a result, we look at things more proactively, but fightspam.gc.ca might be one portal to identify issues they could relay to different authorities. We have working groups where we are able to collaborate and discuss issues of commonality, but as well, the traditional intake and complaint process is available and that's what's often used.

I'll give you an answer. I'm not sure we're the most relevant organization to ask this of, because again, our role in terms of CASL is limited to two activities: address harvesting and spyware, both of which are clearly unacceptable. There are more questions around spam per se and the fact that organizations are unable under that legislation to contact individuals, but our role deals with these two types of conduct. We don't have many cases. That's not the sum total of CASL by far, but these two types of conduct in particular are essentially hidden, so it is very difficult, if not impossible, for individuals to see the harm being done. We act, in part, based on information in the CRTC's spam centre, the analysis of this, to ourselves spot trends, spot problems, and act on our own initiative.

I've mentioned two investigations that we have conducted. There are not many, just two, and they have resulted in reports of finding. We're investigating other activities currently, but they are few.

As to how many people we have to devote to these efforts, there is no one specifically on this. However, we have a handful of people who, among other duties, have as a duty to enforce this particular piece of legislation.

Yes.

To answer that question, I would have to look at the sum total of our responsibilities.

Again, CASL addresses two conducts out of a very large number of activities that affect privacy protection. I think it is very difficult to be effective in privacy protection writ large with the resources I have. Is CASL the biggest problem? I would not say so. It is part of the problem of insufficient resources to tackle privacy protection generally.