Industry Committee on Nov. 9th, 2017

I guess so.

Good morning and thank you, Mr. Chair, for providing us with another opportunity to appear before you as part of your review of Canada's anti-spam legislation, known as CASL.

My name is Steven Harroun, and I'm the chief compliance and enforcement officer at the CRTC. I am joined today by my colleagues Kelly-Anne Smith, CRTC senior legal counsel, and Neil Barratt, director of electronic commerce enforcement.

We have followed your proceedings closely, and welcome this chance to comment on some of the recommendations for changes to the legislation that the committee has heard. We know that concerns were raised by many witnesses about various aspects of CASL. Despite their criticisms, the legislation is largely effective. You heard repeated testimony endorsing that view during your hearings—from consumer advocates, various technical experts, and academics.

As we explained during our first appearance, it is important to keep in mind that CASL came into force only three years ago. In that short time, the CRTC has built up its expertise in cyber-threats and computer forensics. We've operationalized the spam reporting centre and taken enforcement actions against companies in violation of the law. As such, while the review is welcome, we believe it could be counterproductive to open up the legislation in these early days. Businesses have invested in compliance programs and systems based on CASL as it is currently written. It would be costly and burdensome to review and modify those systems now.

Even though it is still early days, we think the legislation has already proven its worth. You heard from our colleagues at the Department of Innovation, Science and Economic Development that only one year after CASL's implementation, a third-party study showed there was 29% less spam email in Canadians' inboxes, and a 37% reduction in spam originating from Canada.

Internationally, Canada is no longer in the top 10 spam-producing countries. And according to some sources, since CASL came into effect, it is no longer in the top 20.

We believe strongly that any challenge or burden of compliance needs to be balanced against the significant consumer and privacy benefits CASL provides.

This doesn't diminish the perception among some witnesses that compliance is challenging. There's no question that adapting to new legislation takes time and effort. As we outlined the first time we addressed this committee, that's why we publish substantial guidance and conduct regular outreach to both consumers and businesses to assist them. They are coming to the CRTC's website to find information. Our spam- and CASL-related pages attracted nearly 100,000 visits last year alone. In fact, we designed numerous guidance documents and tools specifically to address issues that witnesses raised with your committee, including the installation of computer programs and compliance for SMS messages.

Guidance comes in many forms. For instance, since our last appearance, the CRTC published a decision related to a company called Compu.Finder. Among other things, the decision provided extensive guidance to industry on the business-to-business exemption, unsubscribe function, implied consent, conspicuous publication, and due diligence.

It's true that our early enforcement efforts have mostly targeted major senders of commercial electronic messages. This was based on the scope and volume of complaints and targeted by the commercial sector to encourage broad-based compliance, all of which is consistent with our mandate under CASL. However, what's overlooked is that a lot of our work actually protects businesses and consumers from malicious threats. As one example, we assisted with the takedown of a command and control server infecting computers around the world. We also work with organizations whose email servers have been compromised—sending out unwanted, malicious, or fraudulent emails—to help them clean up their infrastructure.

What concerns us is that witnesses have made statements about the chilling effect CASL has had on business, something that we believe needs to be put into perspective. Creating exemptions for every situation, even when well-intentioned, would only make the legislation more difficult for businesses to understand and for the CRTC and our partners to enforce.

More to the point, large companies have a duty and the resources to appropriately comply. Your committee heard from Canadian entrepreneurs and innovators that market-based solutions for CASL compliance exist. It's up to businesses to use them.

We also disagree with the assertion that CASL increases cybersecurity threats and risks. We collaborate across government to ensure that our activities feed into a comprehensive approach to Canadian cybersecurity.

One final issue I want to briefly touch on is the criticism of the legislation's opt-in requirement. Committee members undoubtedly recognize that in today's challenging online environment, it's even more important that consumers consent to any application installed on their devices. The opt-in regime was adopted after extensive study, including a broad review of international best practices. Experiences in other countries with opt-out regimes have been less than successful. Transitioning to an opt-out regime at this point would be complex and have significant consumer impacts. It would also negatively affect our ability to use the intelligent tools we have at our disposal, including the spam reporting centre.

For all these reasons, Mr. Chair, we think it would be prudent to adopt a cautious approach at this time when it comes to making amendments to the act. We firmly believe that CASL's current regime is adequate and effectively promotes the public good, and that the committee should allow it sufficient time to achieve this goal.

We'd now be happy to answer any questions you or your committee members may have.

I would suggest that it's early days. It has only been in force for three years.

I would suggest that there are definitely opportunities for tweaks. I would caution against a complete overhaul of the legislation.

Absolutely, based on the witnesses and the testimony you heard.

As you know, we have a range of different tools at our disposal, from warning letters to notices of violation and administrative monetary penalties. If you're referring specifically to monetary penalties, in total we've issued about $2.5 million's worth of administrative monetary penalties in the three years that CASL has been in force.

Those have been issued to five different companies.

Over the three years in total, we've issued 22 warning letters.

Yes. When a party is interested in voluntarily coming into compliance, we have the ability under CASL to negotiate an undertaking with them, which can include a monetary payment. It also often includes a robust compliance program, and it's done on an—

It's not forced. It's up to them if they would like to enter into an agreement with us. It gives us the ability to flag concerns that we have with the company and then allows them, if they choose, to start a discussion with us. We share the information we have with them about what we see as potential violations, and then we can come to an agreement.

I would suggest that there is, in the enforcement options we have at our—

I would say that having that mandatorily or written into the law would greatly limit our discretion and our ability to adjust to the facts of a given case. As you said, every case is going to be different. If we have to start with a warning letter, then that would limit our ability to ensure that we're reaching an appropriate outcome with the company in question.