Evidence of meeting #83 for Industry, Science and Technology in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was casl.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Steven Harroun  Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission
Neil Barratt  Director, Electronic Commerce Enforcement, Canadian Radio-television and Telecommunications Commission
Kelly-Anne Smith  Senior Legal Counsel, Canadian Radio-television and Telecommunications Commission
Francis Lord  Committee Researcher

11:05 a.m.

Liberal

The Chair Liberal Dan Ruimy

Welcome, everyone, to meeting 83 of the Standing Committee on Industry, Science and Technology as we continue our study on Canada's anti-spam legislation.

Today we have with us, from the CRTC, Neil Barratt, director, electronic commerce enforcement; Steve Harroun, chief compliance and enforcement officer; and Kelly-Anne Smith, senior legal counsel. We have an hour.

Steve, you'll be our main MC guy, I believe?

11:05 a.m.

Steven Harroun Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission

I guess so.

11:05 a.m.

Liberal

The Chair Liberal Dan Ruimy

All right. You have 10 minutes, and then we will go into questions.

11:05 a.m.

Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission

Steven Harroun

Good morning and thank you, Mr. Chair, for providing us with another opportunity to appear before you as part of your review of Canada's anti-spam legislation, known as CASL.

My name is Steven Harroun, and I'm the chief compliance and enforcement officer at the CRTC. I am joined today by my colleagues Kelly-Anne Smith, CRTC senior legal counsel, and Neil Barratt, director of electronic commerce enforcement.

We have followed your proceedings closely, and welcome this chance to comment on some of the recommendations for changes to the legislation that the committee has heard. We know that concerns were raised by many witnesses about various aspects of CASL. Despite their criticisms, the legislation is largely effective. You heard repeated testimony endorsing that view during your hearings—from consumer advocates, various technical experts, and academics.

As we explained during our first appearance, it is important to keep in mind that CASL came into force only three years ago. In that short time, the CRTC has built up its expertise in cyber-threats and computer forensics. We've operationalized the spam reporting centre and taken enforcement actions against companies in violation of the law. As such, while the review is welcome, we believe it could be counterproductive to open up the legislation in these early days. Businesses have invested in compliance programs and systems based on CASL as it is currently written. It would be costly and burdensome to review and modify those systems now.

Even though it is still early days, we think the legislation has already proven its worth. You heard from our colleagues at the Department of Innovation, Science and Economic Development that only one year after CASL's implementation, a third-party study showed there was 29% less spam email in Canadians' inboxes, and a 37% reduction in spam originating from Canada.

Internationally, Canada is no longer in the top 10 spam-producing countries. And according to some sources, since CASL came into effect, it is no longer in the top 20.

We believe strongly that any challenge or burden of compliance needs to be balanced against the significant consumer and privacy benefits CASL provides.

This doesn't diminish the perception among some witnesses that compliance is challenging. There's no question that adapting to new legislation takes time and effort. As we outlined the first time we addressed this committee, that's why we publish substantial guidance and conduct regular outreach to both consumers and businesses to assist them. They are coming to the CRTC's website to find information. Our spam- and CASL-related pages attracted nearly 100,000 visits last year alone. In fact, we designed numerous guidance documents and tools specifically to address issues that witnesses raised with your committee, including the installation of computer programs and compliance for SMS messages.

Guidance comes in many forms. For instance, since our last appearance, the CRTC published a decision related to a company called Compu.Finder. Among other things, the decision provided extensive guidance to industry on the business-to-business exemption, unsubscribe function, implied consent, conspicuous publication, and due diligence.

It's true that our early enforcement efforts have mostly targeted major senders of commercial electronic messages. This was based on the scope and volume of complaints and targeted by the commercial sector to encourage broad-based compliance, all of which is consistent with our mandate under CASL. However, what's overlooked is that a lot of our work actually protects businesses and consumers from malicious threats. As one example, we assisted with the takedown of a command and control server infecting computers around the world. We also work with organizations whose email servers have been compromised—sending out unwanted, malicious, or fraudulent emails—to help them clean up their infrastructure.

What concerns us is that witnesses have made statements about the chilling effect CASL has had on business, something that we believe needs to be put into perspective. Creating exemptions for every situation, even when well-intentioned, would only make the legislation more difficult for businesses to understand and for the CRTC and our partners to enforce.

More to the point, large companies have a duty and the resources to appropriately comply. Your committee heard from Canadian entrepreneurs and innovators that market-based solutions for CASL compliance exist. It's up to businesses to use them.

We also disagree with the assertion that CASL increases cybersecurity threats and risks. We collaborate across government to ensure that our activities feed into a comprehensive approach to Canadian cybersecurity.

One final issue I want to briefly touch on is the criticism of the legislation's opt-in requirement. Committee members undoubtedly recognize that in today's challenging online environment, it's even more important that consumers consent to any application installed on their devices. The opt-in regime was adopted after extensive study, including a broad review of international best practices. Experiences in other countries with opt-out regimes have been less than successful. Transitioning to an opt-out regime at this point would be complex and have significant consumer impacts. It would also negatively affect our ability to use the intelligent tools we have at our disposal, including the spam reporting centre.

For all these reasons, Mr. Chair, we think it would be prudent to adopt a cautious approach at this time when it comes to making amendments to the act. We firmly believe that CASL's current regime is adequate and effectively promotes the public good, and that the committee should allow it sufficient time to achieve this goal.

We'd now be happy to answer any questions you or your committee members may have.

11:10 a.m.

Liberal

The Chair Liberal Dan Ruimy

Excellent. Thank you very much.

We'll move right into questioning with Mr. Baylis for seven minutes.

11:10 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Thank you.

Thank you for coming.

You're correct that we heard an awful lot of different opinions on CASL. If I understand your first statement, you're suggesting that we don't change anything?

11:10 a.m.

Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission

Steven Harroun

I would suggest that it's early days. It has only been in force for three years.

11:10 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

I understand that, but we heard a tremendous amount of testimony about what I thought were great opportunities to improve, clarify, and simplify. Are you saying that all that testimony was non-valid?

11:10 a.m.

Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission

Steven Harroun

I would suggest that there are definitely opportunities for tweaks. I would caution against a complete overhaul of the legislation.

11:10 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

So there are opportunities for tweaks.

11:10 a.m.

Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission

Steven Harroun

Absolutely, based on the witnesses and the testimony you heard.

11:10 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Okay. I just wanted to clarify that.

I'd like to delve in on penalties. First, what penalties have you applied to date, what size, and against who?

11:10 a.m.

Neil Barratt Director, Electronic Commerce Enforcement, Canadian Radio-television and Telecommunications Commission

As you know, we have a range of different tools at our disposal, from warning letters to notices of violation and administrative monetary penalties. If you're referring specifically to monetary penalties, in total we've issued about $2.5 million's worth of administrative monetary penalties in the three years that CASL has been in force.

11:10 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

How many people; how many companies?

11:10 a.m.

Director, Electronic Commerce Enforcement, Canadian Radio-television and Telecommunications Commission

Neil Barratt

Those have been issued to five different companies.

11:10 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Five companies: and how many warning letters?

11:10 a.m.

Director, Electronic Commerce Enforcement, Canadian Radio-television and Telecommunications Commission

Neil Barratt

Over the three years in total, we've issued 22 warning letters.

11:10 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

You've issued 22 warning letters and five penalties totalling $2.5 million. Are there any other things you've done in that section?

11:10 a.m.

Director, Electronic Commerce Enforcement, Canadian Radio-television and Telecommunications Commission

Neil Barratt

Yes. When a party is interested in voluntarily coming into compliance, we have the ability under CASL to negotiate an undertaking with them, which can include a monetary payment. It also often includes a robust compliance program, and it's done on an—

11:10 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

This is a forced negotiation, where you go to the company and say “We need to talk.” Is that what you're talking about?

11:10 a.m.

Director, Electronic Commerce Enforcement, Canadian Radio-television and Telecommunications Commission

Neil Barratt

It's not forced. It's up to them if they would like to enter into an agreement with us. It gives us the ability to flag concerns that we have with the company and then allows them, if they choose, to start a discussion with us. We share the information we have with them about what we see as potential violations, and then we can come to an agreement.

November 9th, 2017 / 11:10 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

One of the suggestions that came up quite a lot—from very small companies, from people who were both pro-CASL and anti-CASL, if I can say it that way, and from very large companies—was that there should be a gradient built in, with a warning letter first, then after a warning letter maybe a small penalty, and then a bigger penalty. Then someone else suggested there should be one penalty for accidentally sending an email out to 100,000 people as opposed to maliciously sending an email out to phish for addresses. There's a difference between inadvertent errors and malicious activity.

Should there be a gradient for first, second, and third infraction? Should there be something more severe for malicious versus non-malicious intent emails?

11:10 a.m.

Director, Electronic Commerce Enforcement, Canadian Radio-television and Telecommunications Commission

Neil Barratt

I would suggest that there is, in the enforcement options we have at our—

11:15 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

You have the option to do that, but it's not written. It's not clear to anybody. Should that be written in there?

11:15 a.m.

Director, Electronic Commerce Enforcement, Canadian Radio-television and Telecommunications Commission

Neil Barratt

I would say that having that mandatorily or written into the law would greatly limit our discretion and our ability to adjust to the facts of a given case. As you said, every case is going to be different. If we have to start with a warning letter, then that would limit our ability to ensure that we're reaching an appropriate outcome with the company in question.