Industry Committee on Oct. 24th, 2017

Thank you very much, Mr. Chair.

Good afternoon, honourable members of the committee. My name is Suzanne Morin, and I am chair of the CBA's national privacy and access law section, and I work for Sun Life. With me today, as you know, is Gillian Carter, who is a lawyer with the law reform directorate of the Canadian Bar Association.

Thank you for inviting us to present our views on CASL. Before addressing some of our main points though, I'm going to ask Ms. Carter to provide some background information on the CBA for your information.

Thank you.

The CBA is a national association of over 36,000 lawyers, law students, notaries, and academics. An important aspect of our mandate is seeking improvements in the law and the administration of justice. That is what brings us here today. Our written submission, which you've received, was provided by the CBA's privacy and access law section, the competition law section, and the Canadian Corporate Counsel Association. These sections consist of lawyers from every part of the country who have in-depth knowledge of privacy and access law, competition law, and issues affecting in-house counsel.

I'm going to focus on a few main points, many of which have been echoed by others who have appeared before you.

The CBA sections believe that CASL must strike a balance between protecting consumers from damaging and deceptive electronic communications while at the same time allowing businesses to compete in a global marketplace. CASL's interpretation and application need to be clarified to meet the act's objective, which is to protect consumers by really targeting bad actors. In our view, current application and enforcement efforts are not in line with the act's objectives. Instead, legitimate businesses doing the best that they can to comply are being targeted.

In its current form, CASL is confusing and overly complex. CASL is an unclear statute, and there are two separate sets of regulations that go with it. This makes compliance very difficult for organizations, especially for small and medium-sized businesses, as well as not-for-profits, who have limited resources. The CBA sections have set out in our written submission a number of the more problematic interpretation areas in CASL.

One example, and you've heard that many times, is the broad definition of commercial electronic message, which is open to significant interpretation. This overbreadth limits messages that may benefit consumers, and has a chilling effect on innovation and competition. Canadian organizations, out of fear of being non-compliant, have reduced their email marketing efforts, creating an anti-competitive environment.

Another example is the requirement for installing computer programs, which deems express consent if it is reasonable to believe through the person's conduct that they consented. It is very unclear, however, what conduct will be sufficient to meet that threshold.

The CBA sections encourage publishing all in one place guidance materials that are updated regularly. For example, it would be very helpful to have a regularly updated Q and A web page addressing some of the more complex interpretative issues that are being raised from time to time by practitioners.

The limited guidance currently available to address the confusion and uncertainty in CASL increases the possibility, and you've heard this as well, of inadvertent non-compliance. The guidance that does exist is incomplete, out of date, inconsistent, and overly simplistic even at times. For example, the guidelines on the interpretation of electronic commerce protection regulations read obligations into CASL that are not supported by the legislation itself. The guidelines state that consent must be sought separately from general terms of use or sale, but CASL speaks only to keeping CASL consents separate. That's an additional obligation not found in the act.

The guidance is also difficult to find. Some is provided by the CRTC, some by the Competition Bureau, some by the Office of the Privacy Commissioner, and some by ISED.

The CBA sections encourage greater transparency of CASL's enforcement and oversight mechanisms. Currently, there is little information about how the CRTC decides which cases to investigate, and what monetary fines to impose. As well, it is unclear from reported decisions to what extent the CRTC is actually applying the due diligence defence.

Organizations are also not typically advised of complaints prior to commencement of an investigation, nor are they given an opportunity to respond to complaints in an informal manner. We believe this is a missed opportunity.

An informal mechanism that allows organizations to respond to complaints and make the necessary changes during the normal course of business would be a wonderful opportunity to deal with a lot of these complaints that you see coming into the CRTC's complaint spam centre. This would reduce significant investigation costs down the road, and would be particularly useful in cases of unintentional non-compliance, or differing interpretations.

The CBA sections also encourage a thorough analysis of the appropriateness of the private right of action provision, and its scope in the context of the whole of CASL. In our view, bringing the private right of action into force without clear guidance is premature. Even without the private right of action, CASL has a broad range of enforcement tools, and you heard from Commissioner Therrien this morning. In our view, any lack of compliance is more likely the result of the confusing and onerous nature of CASL, rather than the current enforcement tools being insufficient.

We want to note, in particular, the application of the private right of action under the false or misleading representation provisions of the Competition Act. The need for the private right of action in this context remains questionable particularly given the Competition Bureau's existing oversight and enforcement. The relevant provision, section 74.011, is also concerning because certain subsections contain no materiality threshold.

Finally, we also want to note the inordinate cost and resource burden of CASL on charities and non-profits. We would recommend that they be exempt from all of CASL's provisions, except for the ID, content, and unsubscribe requirements as they relate to commercial electronic messages.

In conclusion, the CBA sections once again appreciate the opportunity to share our views on CASL. Given its complexities, we believe a more extensive consultation is needed under the statutory review, and we encourage you to invite more stakeholder feedback and more detailed feedback.

Thank you for having us here today.

We will be pleased to answer your questions.

Thank you.

Absolutely.

With apologies to the Bard of Avon, friends, parliamentarians, countrymen, lend me your ears; I come to praise CASL, not to kill it. The evil that critics of CASL do lives with them; the good is oft imbued in its sections; so let it be with CASL.

CASL's noble adversaries may tell you the law is too ambitious, as if this was a grievous fault.

CASL enshrines the work of the 2005 federal task force on spam. Best practices found in our final report are now global industry standards, but best practices mean nothing without disincentives to bad actors.

CASL is a crowdsourced law, taking input from hundreds of people working tens of thousands of hours. The Messaging Anti-Abuse Working Group, for example, MAAWG, is an industry association of 185 member companies, all anti-spam professionals, such as Apple, Facebook, Google, Amazon, and Bell Canada. MAAWG participated throughout the CASL process and sent a letter to the Prime Minister urging the passage of the law as it was tabled.

My name is Neil Schwartzman. I'm the executive director of the Coalition Against Unsolicited Commercial Email. I wrote the world's first distributed spam filter, and 20 years later, here we are. I'm a management consultant. My clients include the world's largest company and the world's biggest sender of commercial email, neither of which spam. It's not that hard. I also teach cyber-investigation methods to international law enforcement.

Spam filtering costs recipient networks $20 billion a year. We pay for spam. Spam has become much worse of late: ransomware and phishing payloads are vicious. Ninety per cent of the spam that hits our networks is affiliate spam, which you've heard we should allow. Affiliate spam is an open sewer spraying a billion messages per hour at our families, friends, and colleagues. Unsolicited junk email, texts, and phone calls from Walmart, DirecTV, and Fidelity are some of the affiliate spam sent by third parties, earning commissions from the brand to send spam. CASL was purpose-built to remedy such activity.

The Privacy Commissioner and other law enforcement agencies just this year have completed a five-country sweep against affiliate spammers. Results have yet to be published, but we will be hearing about that. Studies from Cloudmark, Inbox Marketer, Return Path, and Cisco have proven CASL to reduce spam coming into Canada and going out of it. That's data, not opinion.

Law enforcement can't possibly investigate, nor do they know about all of the spam attacks. CASL's PRA, a right integral to the American CAN-SPAM Act, has been suspended, lamentably preventing Canadian ISPs, businesses, and organizations from seeking compensation for damages done to their network by spam.

Declarations of CASL's damaging effects that some have made here are laughable. The OECD two weeks ago projected that Canada's economic growth for 2018 is the best in the G7. Quebec is enjoying the lowest unemployment rate in three decades. Our economy is not hurting. We hear about how legitimate companies have been caught in the CASL net. In two cases prosecuted by the CRTC, the marketing departments of Rogers and Kellogg's used spam email lists provided to them by third party firms. Yes, legitimate companies bear costs to become compliant, just as when PIPEDA came into force.

Businesses must be vigilant. Data breaches occur daily. Business email compromise costs tens of millions of dollars. CASL defines modern standards of data integrity and permission that companies must maintain in the global economy. In the EU, the updated GDPR privacy law comes into effect in 2018. Failure to maintain parity with them will put us at a severe economic disadvantage.

Why are some afraid of CASL? It's because it's working. CASL is so frightening to spammers that they lobby Canada's law enforcement and legislators. American groups with direct ties to black-hat spam organizations will present you with information in the coming weeks. They've been invited here.

With this in mind, I exhort you to leave CASL intact. Adjust, yes, and clarify, doubtless, but do not come here to kill CASL. Do Caesar proud.

Thank you for inviting us here.

I'll be quick.

Good afternoon to our distinguished members of Parliament. Thank you for inviting us to speak with you today.

My name is Matthew Vernhout, and I am here on behalf of CAUCE, the Coalition Against Unsolicited Commercial Email. In my professional capacity, I am the director of privacy and industry relations for the email analytics firm, 250ok; the chair of the Email Experience Council's advocacy subcommittee; and an active member of the global email community.

I participated in the drafting of America's CAN-SPAM Act, and I had the pleasure of speaking to this committee in support of CASL in 2009.

I have published dozens of articles, been quoted in the press, spoken at numerous industry events, and consulted with some of North America's top brands regarding CASL compliance. In fact, one of the comparative benchmark reports I authored for ISED was recently cited in the CRTC's decision on the constitutional challenge by Compu-Finder.

The positive effects of CASL on the email industry are remarkable. I'm delighted to say analysis finds the email industry thriving and experiencing significant growth. Businesses ensure they have recipient consent, and they are seeing the positive benefits of those actions. A common trend has emerged from several published reports in the last three years: more messages are delivered to Canadian consumer inboxes post-CASL, due to better list management practices and consumer trust. A recent industry report shows that two countries with the toughest anti-spam legislation, Canada and Australia, also have the best deliverability of commercial emails to inboxes in the G8 nations studied.

The basic framework of CASL is a series of email marketing best practices that have been the basis of most of my consulting efforts over the last 17 years: ask for permission, honour opt-outs, and be clear as to who you are and why you're sending the messages. CASL has taken these ideas and made them the law of the land.

As my colleague stated, CASL is working to diminish spam. Moreover, it is working to make legitimate email marketing more successful and more effective. There is far too much baseless fear, uncertainty, and doubt being spread by the naysayers of CASL, many of whom are neither anti-abuse nor marketing professionals.

When I speak with marketers about their compliance efforts and the challenges they face to make their digital marketing compliant, I hear, “This is a lot of work, but it's not nearly as difficult as I thought it would be.”

However, we still have a long road ahead of us. The spam reporting centre receives 6,000 complaints per week, totalling more than one million complaints since 2014. For example, blacklist operator SURBL notes that there are currently 70 “.ca” domains spamming counterfeit goods targeting Canadian consumers. There are also active spam gangs set up on hosting providers in Montreal, Hamilton, and Vancouver.

Regarding the PRA suspension, this renders CASL toothless. The PRA should be revisited to allow network operators who carry the cost of spam to avail themselves of redress.

In closing, it is our hope that the law remains a strong and viable tool to protect email marketing, networks, and consumers from unwanted spam messaging. Canadians, like all consumers, deserve nothing less.

Thank you.

I think that's an excellent question. There's no denying that I have some open fears about people misusing the law. We didn't intend it to be a cash cow for litigious frivolities. Mr. Vernhout has stated CAUCE's opinion. Our stance is that network operators should be allowed to avail themselves of private right of action, so ISPs, companies, and organizations should absolutely be able to have a right for redress. We're growing softer on the right of individuals to sue a company, or the class action stuff. Admittedly I think that's where the vulnerability lies, and, no, we don't want this to be stupidly abusive. I know we are in a loser-pays environment here in Canada, but that will not prevent frivolous suits from being filed. So let's just focus on the people who actually operate the networks and suffer the damage.

Yes, precisely. I think we've also heard from the Privacy Commissioner and others about some reasonable sculpting, which makes it less...in fact while I rarely find myself in agreement with Ms. Morin, I have to agree that the “false and misleading” is very vague, and there absolutely need to be standards set before we go with that. Again, it has parity with CAN-SPAM and other places, but it allows a network operator, an ISP small or large, to say “stop”. And, yes, everybody says we can't sue Nigerian spammers, but they exist in this country. The “Nigerian princes” are here. They are everywhere. They pretend to be from Nigeria, but they do exist in this country. There's this kind of fallacious thing of “Oh, we can't deal with international spam.” Private right of action allows us to actually do that.

The very fact that you're asking those questions is really the first step. As Mr. Schwartzman explained, even when CASL was being debated before committee, back when it was introduced, definitely one of the comments about it made by the business and legal profession was that it was too broad, that it went way beyond what we were seeing across the border, and also what we thought was necessary, which was to allow those who were suffering the harm, if you like, the network providers.... While the CBA doesn't have an explicit provision as to exactly what it should be, you need to look at it, and you need to make sure that you look at it in the context of existing CASL and any changes that you might make. But narrowing it down to those service providers who are actually suffering harm and actually have the ability to go after some of those more nefarious players sounds like a possible, reasonable approach.

Absolutely. As a consumer who receives large volumes of spam, certainly I've had a personal interest in being able to go after that, but in turn, if my network provider and my email provider had the tools to go forward on my behalf, or on behalf of fellow consumers using their domains, I certainly think that would be a valuable tool. We did see under CAN-SPAM that organizations like Facebook have effectively used CAN-SPAM on their own to protect their network and protect their users. In fact, they did have a settlement against a gentleman in Montreal that resulted in, I believe, a $1-billion violation under the California anti-spam act and CAN-SPAM, which was later upheld by the Quebec courts, because his initial response was that if he lived in Canada, CAN-SPAM didn't apply. Then they went after him civilly and were able to get the Quebec courts to honour that judgment.

The IoT software update issue has been misstated a little bit to this committee and perhaps misunderstood more generally. Once you install a piece of software and they throw up the terms of service to a net user, they also accept, if the terms of service are written correctly, the ability of the software publisher to update the software.