Evidence of meeting #82 for Industry, Science and Technology in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was casl.
A recording is available from Parliament.
November 7th, 2017 / 12:05 p.m.
Liberal
Majid Jowhari Liberal Richmond Hill, ON
Thank you, Mr. Chair. I will be sharing my time with Mr. Lametti.
Thank you to all the witnesses.
Mr. Lewis, I'm going to focus on the PRA and ask you some clarifying questions.
From previous testimony, we heard that we should probably narrow the focus of the PRA and make sure the punishment fits the crime. In your remarks, the way I understood it, you talked about other elements that are in place that don't make it necessary for the scope of the PRA to be narrowed. You talked about the innocent mistake provision and the override provision.
You specifically talked about the fact that CRA has the ability to override. You also mentioned that the laws are different in Canada and the U.S. Can you expand on how CRA can override, and how it's been effective, as well as on the differences in the laws?
12:05 p.m.
Liberal
12:05 p.m.
Chief Scientist, Spamhaus Technology Ltd.
Okay.
As I understand it, if you raise a private right of action against company X and then CRTC or the Privacy Commissioner or the competition branch decides that this a situation they wish to deal with, then the private right of action goes away.
That's my understanding of the way the law works in that regard. The CRTC can supersede a private right of action.
12:05 p.m.
Chief Scientist, Spamhaus Technology Ltd.
Well, for example, if CRTC saw that I was suing someone for doing something, the CRTC could say it was a result of a larger issue or something like that, and then they would institute an investigation. Then the private right of action is suspended.
12:05 p.m.
Liberal
Majid Jowhari Liberal Richmond Hill, ON
Okay.
How about the difference between the laws in Canada and the U.S., then?
12:05 p.m.
Chief Scientist, Spamhaus Technology Ltd.
My understanding is that one of the main differences is that Canada is a loser-pays environment, whereas the United States is not. What that means is that enormous amounts of money can be made by showering people with spurious lawsuits, because they'll often back out.
I believe one of the situations that happened was in Nevada. A legal firm had gone to a prison and got the people in the prison to say they were subrogating all their private right of action rights, in terms of spam, to this legal firm. Then, with every email they got, the legal firm was making enormous amounts of money suing people. As I understand it, that can't happen here.
12:10 p.m.
Liberal
12:10 p.m.
Liberal
David Lametti Liberal LaSalle—Émard—Verdun, QC
I guess it's in a similar line. It's on the private right of action.
Would you restrict it to actual damages that people have, or would you maintain the statutory damages?
12:10 p.m.
Chief Scientist, Spamhaus Technology Ltd.
I would maintain the statutory damage, in that it can be extremely difficult to prove certain things. What it should really be is, “I was sent this after I told them to stop.” That should be sufficient, as long as the court, on a case-by-case basis, thinks that's plausible.
It has to remain relatively broad, because it should not just cover email spam, which is what CASL partially covers. The other thing CASL covers is distributed denial of service attacks of various varieties. If you narrow it down to email spam, then you're leaving out your neighbour deciding to blow your computer off the air. They can do that now, and dealing with it legally would be very difficult.
The private right of action allows you to do something about it, because it's an unsolicited message that you were being sent. It's covered.
That was why I mentioned earlier in my presentation that I was so pleased this law was written to cover just about everything we could possibly think of. So far, it still would, in a very real sense, and this is 12 years or 13 years later. That's not bad.
I wouldn't change it so much. I would make sure that there were some limitations, perhaps, on abuse of it, but I think the broad breadth is about right.
12:10 p.m.
Liberal
David Lametti Liberal LaSalle—Émard—Verdun, QC
Okay.
Similarly, on the private right of action, how do you feel about the class action potential?
12:10 p.m.
Chief Scientist, Spamhaus Technology Ltd.
That does make me nervous.
In the case of a private right of action, I wouldn't mind seeing that have a further.... You know, three years down the line, we'll allow private right of action. I do like the way that we sometimes bring these things in stages: “How is it going so far?” “It's not bad; let's turn it up another notch, and if that doesn't work, we'll back off.” Since we have the mandatary reviews in the law, there's an opportunity to do that.
I really wouldn't want to do class action right now on PRA. Let's go with the individual ones.
12:10 p.m.
Liberal
The Chair Liberal Dan Ruimy
Thank you very much.
We're going to move back to Mr. Bernier.
You have five more minutes.
12:10 p.m.
Conservative
Maxime Bernier Conservative Beauce, QC
Merci beaucoup.
My question would be for Mr. Lau. Thank you very much for being with us via the technology.
I have a short question about the relationship that Canada is having with other countries to work with you and your organization.
Do you think we need to have a new international treaty? Is the treaty that we have to share information and work together sufficient right now, or do we need to update what we have with other countries, with our relationship with Interpol?
12:10 p.m.
Digital Crime Officer, Cybercrime Directorate, INTERPOL
I would say that the current situation is sufficient in most cases. Currently we have established systems for sharing information and connecting different police forces to the platform of Interpol. I would say that is sufficient for general purposes.
For spamming information in particular, I would suggest and I would welcome more communication between Canada and other countries, but in terms of a criminal investigation or sharing of case information, I would suggest that the current system provided by Interpol is sufficient.
12:15 p.m.
Conservative
12:15 p.m.
Conservative
Jim Eglinski Conservative Yellowhead, AB
I'm going to share one question with both Ms. Arsenault and Mr. Lewis.
Suppose today is your big day, and you know what CASL stands and what's in the legislation. What's the one thing you would change today if you had the opportunity to change it? That's to either one of you.
12:15 p.m.
Senior Director, Client Services, Inbox Marketer
Get rid of the six-month and two-year requirement.
12:15 p.m.
Senior Director, Client Services, Inbox Marketer
It's an unnecessary complexity for a lot of organizations. Consumers don't necessarily understand the “implied” relationship, and it's difficult for organizations to manage. It's unclear for a lot of companies what defines six months versus two years, so the impact is that some organizations don't rely on implied consent at all, which loses them opportunities. I think it simplifies it to get rid of the six-month and two-year requirement.
12:15 p.m.
Chief Scientist, Spamhaus Technology Ltd.
I mentioned being impressed with the law when it was first proposed, and I still am. There are a couple of operational things that I would tweak: resourcing, stability, and better interactions. I wish PRA was in place. Things probably do need to be clarified better, but I think the law is pretty darn good just as it stands.