:
Mr. Speaker, as always, I am very honoured to rise in this place as a representative of the people from Timmins—James Bay, and I take that role very seriously. One of the roles that I am given as a member of Parliament is to review and speak on legislation. This legislation is something that we as members of Parliament need to see in terms of a larger vision. This is not just a one-off bill.
In order for Canada to go where it needs to go in terms of a 21st century economy, we need to have a full vision in terms of the potential for digital innovation and also the pitfalls that are facing us. In terms of a large vision of where we need to be as a country holding its own and being a leader, we need to look at a number of initiatives. Earlier the issue of digital broadband access was brought up in the House. For a country that is as defined by geography as we are, to remain competitive, we need digital broadband.
The FCC report last week, which would be one of the world leaders in terms of its credibility on this issue, it says how much Canada has fallen behind. We have gone from being a world leader in 2003 to a world laggard. Anyone watching this back home does not need the FCC to tell them that we are paying some of the highest fees for Internet access and we are getting some of the lousiest service.
The FCC talks about how it is that Canada went from being a world leader in terms of making sure broadband access was happening, where just in 2003 we were the country to watch, to now being in 20th, 25th, or 26th place on various parts, depending on what indicators we look at.
The FCC points out the lack of competition in Canada. It is not pointing out the CRTC's dropping of the ball on this, but it speaks to something again that we are seeing, that when there is a very small cabal of companies that are basically now running the infrastructure of the Internet, unless there is innovation being pushed forward by small third-party ISPs, we will have a situation where development begins to ossify and that is what has happened. The FCC reports show how much we are falling behind because we are not getting that level of third-party competition from the smaller players. That is one of the elements we need to look at in terms of a larger vision.
Second is the issue of net neutrality, which plays very much into the access of broadband. When there are a few giant players who are deciding the development of speed on the Internet, we cannot have them making the decision as to who is going to be in the fast lane and who is going to be in the slow lane. There needs to be a sense that, in order to have development on the Internet, net neutrality is a key cornerstone. This is not a principle of the so-called computer geeks. Talk to anybody in business and they will say that if they cannot get fast access, they are going somewhere else. They are very concerned about deep packet inspection, for example. They are very concerned that when they put information through VoIP, or through BitTorrent, it could be unfairly slowed down. So that is the second element of an innovation agenda that we need to look at.
The third part of an innovation agenda is upgrading our copyright laws to the 21st century to ensure that we are moving forward and encouraging innovation and encouraging new ideas that may threaten some existing business models, but the only way we are going to have innovation is if we bring our copyright laws up to the 21st century agenda. I spend a great deal of time on the copyright file and I can say that we are finally at the point where we are agreeing that trying to implement laws that would work in 1996 is not going to get us anywhere. We need to be enacting laws that will bring us into the next 20 years.
The other element in terms of a digital strategy is dealing with the irritant factor. That is how most people see spam. They see spam as an irritant. It affects all of us. Every time I go on my computer I have someone offering to sell me a product that is going to make certain parts of my body much larger than they otherwise would be. I think my ears are large enough as it is. I do not need any help, thanks very much. Nonetheless, they will not leave me alone. They are always offering to sell me real estate when I am still paying for the house I bought many years ago in northern Ontario. I could have used the help then, but I certainly did not need the help of spammers.
We laugh about the silly and stupid things we come across in spam day after day, but we need to see the effect that it is having in terms of not just our ability to do our work but the very nature of the threat it is posing to average citizens. Spammers are very tied into a growing level of Internet fraud. They undermine confidence. We do not want to go to a website and leave our email information, because we do not want it to be taken and misused.
If we do not have confidence, it undermines our ability to move forward. Certainly the issue of spam is very serious. Canada has been singled out as the only G7 country without spam legislation. That puts us in a really bad light, because spammers will use our jurisdiction to push for spam. It is all well and good to say that we will get the emails of the spammers and hunt them down. If anybody has ever tried to track one of them down, they know that these emails do not go anywhere.
What ends up happening is that there is a much more insidious move afoot. They move very quickly in terms of their technological innovation. They do not send the spam from a home computer, so they cannot be tracked. They use a number of techniques to basically act as a parasite on other messages going out, to the point where they can actually take over a person's computer without the person using it and download malicious software. They create these zombies or bots.
The threat to privacy and innovation and the threat of fraud become compounded on a massive scale. This needs to be addressed and taken seriously.
For example, just last year, the U.S. came down with some of the heaviest attacks on spammers. I was referring earlier to May 31, 2007, when they went after Robert Alan Soloway. They charged him with 35 criminal counts, including mail fraud, wire fraud, email fraud, aggravated identity theft and money laundering. Prosecutors were alleging that Soloway was using these zombie computers to distribute spam across wide networks.
I will give an example of how this plays out. It is classic in terms of the development of the Internet. The greatest strength of the Internet is the ease with which one can get information out there. Of course, the greatest threat is the ease with which spammers can undermine it.
We can talk about the famous Nigerian 419 scam. Back in the day when the fax machine was the most exciting cutting-edge technology and I was working at a northern magazine, we used to get these emails from this guy. He was a former colonel in the Nigerian army. He was being held prisoner. If only I could send him $500, he would send me $100,000. It was very crude. It cost them money every time they sent that out. It went on a fax machine. It made tracking these guys a lot easier.
The 419 scam was a very marginal scam in the 1980s when it was first developed in Nigeria. It is interesting that Insa Nolte from the University of Birmingham said that the development of email turned the 419 scam from a local fraud to one of the largest export businesses in the country of Nigeria. That is how effective it has been.
For every million people who click delete, one person in a million might respond. That is how the fraud happens. I am sure that my colleagues here can tell similar stories, but I am now starting to see email requests for help coming much closer to home, where similar last names of family members of constituents and local references are being used.
This comes from the trolling of information that has been enabled under these massive networks of zombie computers. They can track and pick out names from the email traffic. They are picking out bits of stories and they are able to tailor the stories of personal need and personal threat. My daughter received one yesterday from someone who she thought might be a student who was lost in London. They had two or three key pieces of information about her and she could not figure out how they got that.
That is the kind of computer fraud that is now being perpetrated. Again, many of us will click through and delete. The problem is that there are enough people out there who will respond. So we are looking in terms of basic computer protection and basic civic protection. We need to do that.
However, we need to look at it in a larger area, in terms of what basic rules we are going to put down so that developers, innovators and citizens can use this wonderful new medium that we have, without fear.
I think some of the basic provisions in Bill are fairly straightforward. We should be asked for consent before any computer program is downloaded on our computer. That should be basic. The idea that spyware could be put into our computer without us knowing should have criminal consequences. We know, for example, there are various forms, such as Trojan rootkits. Sometimes legitimate companies think that by being able to put this spyware into our computer it is going to protect them. But it does not. It undermines consumer confidence.
I just have to refer to the famous Sony rootkit disaster, where Sony decided that on its CDs it was going to put spyware and not tell the consumers. Consumers were buying these CDs, thinking they were buying a piece of music, putting them into their computers, and their computers were crashing and they could not figure out why. It turned out that Sony, one of the biggest entertainment companies in the world, had put in the spyware thinking it was going to go after copyright infringement and what it did was undermine its credibility in the marketplace to a great degree. Companies should never have been allowed to think that kind of move should have been able to take place. No citizen who buys a CD or any computer product to put into his or her system should have to worry that there is spyware in there.
So the issue of asking consent before any computer program or any spyware is put into our computer is a very reasonable provision and a necessary provision.
I think the other thing we need to speak to is that companies cannot take personal information without consent. That is another primary element of the Internet. When we go on the Internet and we go to a website or when we respond to email from someone we might not know, we want to know that our records on the computer, our data on the computer, is not being accessed, and that when we go to a website our information is not being passed on to someone who is then going to come and try to sell us some kind of scam product that we do not want.
If we do not have that assurance, it starts to undermine the ability of consumers and companies to make the most of what they need to make the most of in terms of moving forward.
Earlier a Liberal colleague said he was worried that this was a big hammer that was going to shut down business, and we know there was certainly a big backlash against the Liberals when they seemed to be led around by the nose by some lobbyists on watering down provisions of this bill.
I have looked at the provisions and I have looked at what the Liberals were trying to sneak through, and I do not think it is in line with the 21st century digital innovation agenda. Fortunately, the Liberals are not in the position to run a bill like this, where they would be able to undermine it and ensure that the corporate lobbyists got their way. There are citizen provisions that have to be addressed and this bill is looking at that.
It was the Liberals who wanting to limit the scope on spyware. I am astounded by that. I do not know if they think it is okay to spy on my computer, but I certainly do not think it is. And I, as an average citizen or a legislator, would not support that they wanted to exclude surreptitiously installed DRM from the gambit of the bill.
Once again, when I go to a website or when I respond to an email, I do not want to have to worry that some company thinks it is okay to bury mechanical means for spying on what I am doing.
I was surprised by my Liberal colleagues on this bill, but I think there was certainly a large backlash, because the consumer public is very aware in terms of where we need to go with a digital agenda. So I am glad to see that we have moved forward with all parties on this bill.
The bill only addresses commercial electronic messages. This is not an attempt to shut down individuals who maybe want to do mass emails to their friends and to their friends' friends. There is no provision in the bill to go after people who send out those emails. Personally, I find those emails rather irritating. I do not think I have ever reached the bottom of one of the long lists of cc and cc and cc. I do think it is okay for individuals to do that. The question here is electronic messaging for commercial use. That is the main focus of this bill.
A personal relationship, a family relationship, a pre-existing business relationship would not be stopped. Companies would still be able to send information with respect to previous business dealings, such as someone buying software or something from a company.
I ask the simple question: What is the problem with asking the person for consent to continue? I do not see that impeding in any manner. If I purchase goods and I develop a relationship with a company, that is perfectly fine. But I want to know that my Parliament and legislation will back me up if I am not interested in receiving mass emails, that I can say I am not interested. That is not an unreasonable situation. Contrary to what the Liberals are saying, it is not going to grind business to a halt in Canada. It might if we were still back in the age of the fax machine, but this is certainly not going to grind innovation to a halt.
We worked at committee on this. This is a big bill. We had to look at many areas in terms of ensuring that spam legislation would actually address the problems. I am hopeful that this is the proper first step because we need to start addressing this.
We need to address this in terms of lost potential. We need to address this in terms of interference with competitiveness. We need to address this in terms of fraud. We need to address this in terms of the fundamental issue of consumer rights.
Our computers should not be open to some third party that we do not know, a third party who could be dropping spyware into it, or using it to send out harassing emails, possibly fraudulent emails. When we are plugged into the web, we should not have to worry about what is going to come back down the pipe that we do not want.
Bill takes some steps toward addressing that. Does it do everything that is necessary? I do not think that is possible at this point. We are going to have to amend and change it as we go because the Internet changes quickly, fraudsters change quickly. We have to run just to keep up as legislators, but this is a good first step.
I am proud of the work of my colleague from who worked on this bill at committee. We will be supporting it as it goes ahead.
:
Mr. Speaker, I am pleased to rise to speak to the third reading of Bill , or as it is also called the ECPA.
As chair of the Standing Committee on Industry, Science and Technology, I want to recognize the constructive work of all the members of the committee from all parties in improving the bill.
The bill, as amended, from committee has benefited from the work over the past months of the members of the committee. As a result, a number of key elements in the bill have been strengthened, clarified and have been done in a way without diminishing the core principles of what the government has been trying to achieve.
Email is a wonderful technology, and it has only been just over 10 years that we have all been using email broadly. In just over 10 years, it has completely changed our lives. However, many of the benefits of email have been offset by the problem of spam, which is unwanted and unsolicited commercial emails.
According to a MessageLabs report of September 2009, which is a division of Symantec Corporation, spam accounted for as much as 86% of all global email traffic. Unfortunately, Canada is in part responsible for this problem.
Canada ranks as one of the top originating states for spam. In Cisco 2008 Annual Security Report Canada ranked fourth on the list of spam by originating country list.
Late last year in the United States, Facebook won $873 million U.S. in damages from an American court arising from the activities of a spammer based in Canada. That case was prosecuted in the United States and not in Canada. That speaks to the lack of Canadian legislation in place to prevent this kind of activity.
The high volume of spam in recent years has negatively affected the productivity of the Internet and all the technologies associated with the Internet. When a high volume of email is spammed, many people spend hours deleting unwanted messages, networks slow down and companies are forced to spend millions, if not billions of dollars, upgrading their systems, their networks, their backbones, their routers, their pipes to the Internet in order to accommodate the additional bandwidth and network capacity needed to handle this volume of email traffic.
The high volume of spam has impeded the full potential of the Internet as a platform for both personal and commercial use. Spam is more than just unwanted email. It is often used as a vehicle to perpetrate fraud on Canadians. It can lead to online fraud by luring individuals to counterfeit websites, also known as phishing. It can lead to the theft of personal data to rob bank accounts and credit card accounts, called identity theft. It can lead to the collection of personal information through elicit access on one's laptop or on one's computer, known as spyware. It often is used as a vehicle to perpetrate fraud on Canadians
Not just Canadians suffer but Canadian businesses suffer and often this is an overlooked fact of spam. Canadian businesses suffer because they are the victims of the counterfeiting of their corporate website to defraud individuals. We all know of examples of getting emails from spammers or from other people who wish to perpetrate fraud. They ask for people's banking information. They send an email that contains a page that looks like a Royal Bank website or a TD Bank website and often many unsuspecting individuals give their information to these spammers, the people trying to perpetrate this fraud.
It also leads to spam borne viruses and other malicious software called malware, which are used to create networks of zombie computers known botnets without the knowledge of their owners. This undermines confidence not just that Canadians have in the Internet but that Canadian businesses have in the Internet as a platform for commerce, as a platform for doing business in the 21st century.
I do not think it is hyperbole to say that spam is costing Canadians and Canadian businesses billions of dollars a year in fraud, in network capacity and in the need to upgrade systems to handle the volumes of email which we are seeing. It costs the economy through malicious programs such as malware, spyware, phishing, viruses, worms and Trojans that enter computers. It costs the economy in terms of undermining Canadians and Canadian businesses in their confidence of the Internet, often having to rely on old-fashioned ways of doing business because the Internet is not seen as trustworthy enough to conduct certain types of business transactions.
In response to this problem, the Government of Canada launched a task force on spam to consult Canadians and their businesses. The task force was given one year to consult and report. In May 2005 the task force reported its findings and recommendations in a report to the . I want to thank the members of the task force for their valuable work in this regard.
Our government has acted on the recommendations and findings of the task force by introducing Bill , anti-spam legislation entitled “The Electronic Commerce Protection Act”, or the ECPA. This legislation will deter the most damaging form of spam from happening in Canada and will help drive spammers and their associated activity out of Canada.
The legislation addresses the recommendations of the task force on spam, which brought together experts from industry, academia, consumers and other business experts to come together to craft a comprehensive set of measures to combat threats to the online economy. Successful legislative models in other states were also examined and taken into account when drafting the bill.
The legislation will allow Industry Canada to act as a national coordinating body to educate consumers, track and analyze statistics and trends and lead policy oversight and coordination.
The legislation will also facilitate the establishment of a non-governmental agency, the spam reporting centre, which will receive reports of spam and related online threats, allowing it to collect evidence and gather intelligence to assist the three reporting agencies, the Canadian Radio-television and Telecommunications Commission, the Competition Bureau and the Office of the Privacy Commissioner, with the investigation and prosecution of offences.
It is important to note that the ECPA does not apply to non-commercial activity. Political parties and charities, other organizations that contact Canadians through email will not be subject to the ECPA, provided these emails do not involve selling or promoting a product.
Bill will protect Canadians and their businesses from the most damaging and deceptive forms of electronic harms and provide a regulatory regime to protect the privacy and personal security of Canadians. The rules will encourage confidence in online communications and e-commerce on the Internet.
The bill before us provides the CRTC, the Competition Bureau and the Office of the Privacy Commissioner with the tools they need to pursue those who undermine our online economy and to work with one another and their international counterparts. The bill has sharp teeth, administrative monetary penalties of up to $1 million for individuals and up to $10 million for businesses.
The bill in front of us today resulted from a great deal of work from several different sources. On the one hand, we had the recommendations and findings of the 2005 Task Force on Spam. On the other hand, we have also benefited from some of the work that former Senator Goldstein did in Bill S-220 in this regard.
Some of the features in this bill differ from what Mr. Goldstein had previously proposed. One of the most important is the use of the CRTC, the Competition Bureau and the Office of the Privacy Commissioner to enforce the provisions, in other words, using regulatory agencies to enforce the provisions of the spam bill rather than using police enforcement agencies as Bill S-220 had proposed.
The RCMP has other urgent law enforcement responsibilities, and I believe we should not redirect those precious resources to the monitoring of unsolicited commercial email. I believe that regulatory authorities are better positioned than law enforcement authorities for this kind of white collar problem.
In drafting Bill , the government also drew on a wealth of experience in other states in combating spam. The bill drew on work that had been done in New Zealand, Australia and in the United States. The bill also benefited from the approach taken by other states as well. The bill before us is based on the best and most effective aspects of those legislative regimes in those states.
By being consistent with the approaches of other states, by using regulatory approaches and regulatory agencies in effecting this anti-spam bill rather than law enforcement agencies, we will help promote greater international co-operation to combat spam and other online fraud.
As members of the House know, Bill adopts an express consent regime designed to give businesses and consumers control over their inboxes and their computers. It requires that the individual's consent be sought and obtained in order to permit an ongoing commercial transaction. Once consent has been expressed by an individual, it remains until the individual opts out or revokes that consent. The industry committee took a careful look at how to ensure that the companies that used email could keep in touch with consumers so they did not inadvertently find themselves in violation of the law.
Members of the House will also know that the bill contains implied consent provisions that have been expanded to include suspicious publication of an electronic address. If someone publishes his or her email address on a website or in a print advertisement, he or she is considered to have consented to receive unsolicited commercial messages, provided the sender's message relates to the business or office held by the person.
Consent is also implied when a person gives out a business card or provides an email address in a letter. Similarly, the amended bill clarifies that when a business is sold, the purchaser has an implied consent to contact the customers of that business. Following the initial transaction between a business and a consumer, the period of implied consent has been expanded to 24 months from the original 18, as first contained in the original bill. This gives businesses even more time in which to obtain the express consent to further commercial transactions.
Another area in which the bill has been amended is in ensuring that updates to computer programs are not adversely affected by the protections we have put in place against malware and spyware.
The committee looked at the impact the bill would have on the installation of computer programs. It has been amended in the situation where the installation of updates, as it is understood as part of an original contract under which the software is installed, is not prohibited by the bill. Most of these programs call for automatic updates, such as daily or weekly updates, to anti-virus software. These updates will not require fresh consent for each instance. Running programs such as JavaScript or Flash programs will also not require express consent each time they are run.
Let me say a few words about the private right of action before I conclude. Some hon. members have questioned whether a private right of action is necessary. I believe it is. The private right of action enforces and complements the enforcement efforts of the CRTC, the Competition Bureau and the Office of the Privacy Commissioner. I would remind the House that this feature has been very effective in other jurisdictions in shutting down those such as spammers who have caused to the electronic economy. I believe it will be equally effective here in allowing groups or individuals to pursue violators. The private right of action will allow individuals and businesses suffering financial harm an avenue of recourse to be compensated and awarded damages.
Finally, the bill is technology-neutral. Bill recognizes that the convergence of voice and data is happening and will eventually be complete. It will allow the Government of Canada to prevent spam and associated threats regardless of how the technology evolves. Therefore, the bill will remain current in the future as technology evolves.
If Bill is passed by the House at third reading, Canada will go a long way to combatting spam and spam-related threats. Based on the experience of other states with similar legislation, a reduction in spam is quickly expected. When Australia adopted similar legislation in 2004, it dropped out of the world's top 10 spam-originating states and major spammers in Australia closed their operations altogether.
While the legislation will not eliminate spam entirely, Canadians will see a reduction in the amount of spam in their inboxes. Equally important, the legislation will decrease the most damaging forms of spam from originating in Canada and will help drive spammers and their associated illegal activities out of Canada.
The Internet has become the primary platform for online commerce and general communications. Canada has had a long history of global leadership in the telecommunications sector. E-commerce is now a part of the Canadian economy, with billions of dollars of goods and services being sold over the Internet each year in Canada.
If adopted by Parliament, this legislation would allow Canada to continue in that leadership, ensuring that we remain a secure locale for e-commerce and for Canadians. It is time for Canadian law to catch up with the Internet age. All parties in the House have expressed their desire to strengthen confidence in online commerce. All parties are opposed to spam and see the danger of it.
We have studied this bill at great length in committee and have emerged with important amendments that clarify it. The time has come to pass it at third reading.
:
Mr. Speaker, I am pleased to participate in the debate on Bill . PIPEDA falls under the jurisdiction of the Standing Committee on Access to Information, Privacy and Ethics with regard to personal information.
A number of members have been involved in one aspect of this and that is identity theft. It is a very serious problem in our society and the stories are horrific. The impacts it can have on people are very tragic.
I certainly want to speak in support of the bill, basically to start the process of educating legislators, because this is a starting point from which we need to continue to grow due to the velocity with which the information and technology are growing, as well as some of the tricks and things that we have seen and the way the envelope is being pushed.
Most members will have seen things in their inboxes from people identifying themselves as representatives of their bank. The emails say that the bank is doing a security check and requires members to provide their account numbers or something like that. They look very official. As a matter of fact, often the logos of a bank or the proper or stylized name of the bank will appear. Yet Canadians should understand that banks do not do business related to security and privacy over the Internet. It is just not a secure environment in which to do that.
This bill would establish a regulatory framework, which I think is a very good start. Our economy is changing. Our kids grew up with computers. Their ability to move very quickly through the electronic world is absolutely fascinating.
I actually have a degree in computer science from the University of Western Ontario and at the time I took that degree, we were using punch cards, which will give everyone an idea of where I came from. This is a very serious issue, and I am glad that we are at least at the point that this bill is at third reading and this electronic commerce protection act would prohibit the sending of commercial electronic messages without prior consent of the recipient.
It brings to mind the do not call list system that was established, which Canadians will say does not work very well. It is problematic and we should probably learn from the experience of the do not call list that notwithstanding the mechanisms that have been put in place, somehow things slip through. There is a caution that as much as we legislate, we are not going to be able to anticipate all the pitfalls that may transpire.
This act would also amend the Competition Act to prohibit false and misleading commercial representations made electronically. As I have indicated, the Personal Information Protection and Electronic Documents Act, referred to as PIPEDA, prohibits the collection of personal information by means of unauthorized access to computer systems and the unauthorized compiling of lists of electronic addresses.
That is a reasonable indication that the bill addresses this from sufficient directions. However, I asked a question earlier of the previous speaker. The role of business in this also comes into play.
Last week I just happened to receive a document called “The Canadian Privacy and Data Security Toolkit”. This is for small and medium size enterprises, many of which are active. These are the ones that are extremely active, scouring the bushes, looking for that bit of business, that niche for their businesses.
The foreword is by our Privacy Commissioner, Jennifer Stoddart, and the introduction is by Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario. This was actually produced by the Canadian Institute of Chartered Accountants, which is trying to educate its clients about some of the important things.
I want to start off from a business perspective looking back. Some of these businesses may very well be the businesses that are improperly using information they receive from individuals over the net. It states that:
Information privacy is the right of an individual to exercise control over the collection, use, disclosure and retention of his or her personal information. Personal information (also known as personally identifiable information...) is any information, recorded or otherwise, relating to an identifiable individual.
It includes such things as credit card numbers, debit card numbers, social insurance and security numbers, driver's licence numbers, and health cards, all of which deal with a fair bit of sensitive information. This leads to the whole situation of things like identity theft.
A constituent wrote me an email over the weekend to thank my staff for giving her some hints and tips on what she could do to protect herself because she had lost her wallet with all her information in it and had in fact had an indication that someone was already using some of that information. Things happen quickly when information gets into the hands of the wrong people.
The report talks about a privacy breach. On page 83 it says that:
A privacy breach is unauthorized access to, collection, use, or disclosure of personal information. The breach could be the result of an inadvertent act such as the loss of a laptop or by a deliberate act such as an attack from a computer hacker. Both, however, are considered breaches since the information is no longer under your protection.
Other examples of privacy breaches [include] misplaced fax, CD-ROM, or USB drive key[,]...sales receipts with credit card information thrown into recycling bin instead of the shredder[,] old computers reused with personal information still present on the hard drive[,] or customer files stolen during a break-in.
The consequences of a privacy breach could be a number of things such as:
damage to reputation or brand[,] loss of consumer confidence[,] reduced revenues [and] unexpected costs to compensate victims.
The potential damage to reputation or brand can be severe. In a survey of individuals who had received notification of a breach, almost 20% of the respondents terminated their relationship with the company, and another 40% were reconsidering their relationship.
We can see that this is not an inconsequential item we are dealing with for either side. The individual's private information needs to be protected, and a business whether small, medium or large has a role to play in protecting that information which they legitimately acquire through business transactions. There is often the temptation to utilize that information for unauthorized uses.
There was a case recently within the Government of Canada involving, and I will try not to be too specific, a program to do with a grant for doing something energy related. People who applied for that grant started to receive information on other areas of the government. When someone applies to the Government of Canada for a grant, I would suggest that they do not expect to find themselves on a mailing list and getting information to do with other matters related to the government.
The government itself is also strongly targeted here with regard to its practices. We have to be vigilant to ensure that none of the information the government collects, regardless of the department, is inadvertently or advertently used for a purpose which was unauthorized by the person who made contact with the government in the first place.
There is one other thing that I thought was kind of interesting. Under privacy impact assessment, there is a quick privacy self-assessment. I thought it would be interesting to let members know what small and medium-sized businesses might do.
The first item is, do we know our privacy obligations?
Some businesses are busy. I must admit, from an accountant's perspective, most people who run small and medium-sized businesses are more interested in doing business than they are in keeping the books and dealing with the myriad of paperwork and legislative reporting, but this is about knowing the privacy obligations, both federal and provincial, because there are some differences.
The second item is, has the organization assigned responsibility for compliance with privacy legislation and policy?
This is an important aspect, because it is an indication of whether the company is taking it seriously, that it has a serious responsibility to comply with provincial and federal legislation and to be proactive in terms of protecting the information of individuals.
The third accountability and management assessment question is, has the organization conducted an inventory of personal information to identify what information has been collected, where the information is collected from, who has access to that information and to whom may be the information be disclosed externally?
That is extremely important, because as we well know, one of the ways that people get on mailing lists is that people who accumulate personal information tend to share it or sell it to others. All of a sudden, like a pyramid scheme, it just continues to expand to where all information seems to be in the hands of all people.
The fourth assessment point is, does the organization make use of online privacy resources, for example, websites of the privacy commissioners or the Canadian Institute of Chartered Accountants, to assist with privacy compliance and awareness of privacy developments?
Keeping on top of it is clearly very important, and it will be important for us also to readily assess the evolution of this electronic vehicle that is being used and has caused a great deal of difficulty and problems for individuals and for businesses.
The next point asks, has the organization adopted a privacy policy that addresses collection, use, disclosure to third parties, secure disposal of personal information and retention of personal information as it applies to particular operations?
With regard to that last point about the retention, there is a shelf life for information. For instance, if we have information about someone who is deceased, all of a sudden, if it is made known, that information has to be destroyed.
Our committee has dealt with even something like Google Street View. There are some privacy implications there. There are a couple of others where we have provided information to offshore parties as well, being able to control that or make sure of that when we are complying under obligations we have, for instance, with the United States, which requires that for any aircraft that even just flies over any its air space, documents have to be provided as to who the passengers are and where they came from, et cetera.
Those are extremely important because our private information, our personal information, is everywhere.
I must admit that I tend to keep thinking about whether I should just report as lost and not recoverable all my cards and the other things that have my personal information on them and get new numbers, simply as almost a reaction to what can happen.
Just last week I got a phone call from my bank. I have a U.S. credit card because I have family in the United States, and we travel sometimes to visit them and I use that card. I have not been to California in about 10 years because that is not where my family is, but I was advised that there were two $1,000 charges to my U.S. credit card. The bank took all the information and advised me that those charges would not be left on my account, and I have a new card today.
Some cards do protect us, but not all of them. It is incumbent on people to understand what can happen when their personal information is used or stolen. Do they have coverage in some fashion? Some of the instruments we use do provide protection.
There are two more questions on the privacy policy side.
The sixth question asks, is the privacy policy made available to individuals prior to or at the time that the personal information is collected? Basically, do employees know what is going on and are they aware of all of the policy related to the activity they are undertaking?
Finally, the self-assessment asks, are your employees aware of the privacy policy and able to direct individuals to it?
I found this to be an excellent document. It also has a checklist on privacy procedures, training and disclosure to third parties. One could even score oneself on this.
I would certainly recommend this document to hon. members or others who might want to know a bit more from the perspective of business and how it would be able to interact with this legislation. This legislation would help businesses understand the kinds of things they must be aware of and cautioned not to do. It would also make businesses aware of the kinds of things they could do proactively, and that is a complement to the legislation.
Again, this document is called “The Canadian Privacy and Data Security Toolkit for Small and Medium-Sized Enterprises”, and it is published by the Canadian Institute of Chartered Accountants. I am sure that hon. members would be able to get it.
I appreciate the fact that this legislation has come forward. I think there will be good support from all hon. members. We need this bill to give us the foundation or the basis on which to be able to assure Canadians that we are taking all reasonable steps to provide an environment in which personal information is protected from those who would misuse it or use it for other wrongful purposes.
The bill itself is fairly straightforward. I appreciate that this was a lot of work for committee. I commend committee for going through it. I did notice the breadth of the work that has been done not only at committee, but by others prior to committee work. A long evolutionary process has brought us to this point.
It is extremely important that members also familiarize themselves with this. I hope members take an opportunity in their householders to advise their constituents about important legislation such as this, as well as some tips for Canadians at large to help them safeguard their personal information.
:
Mr. Speaker, I would first like to say that we support this bill. I see the committee chair nodding his head that, yes, it is an excellent bill. I must say, this bill is a good start. This new legislation specifically targets unsolicited commercial electronic messages. Citizens have been demanding such a bill for some time, and it is sorely needed. Not only are commercial emails sent with the prior consent of the recipient important to electronic commerce, but they are also essential to the development of the online economy.
By drafting legislation prohibiting spam and protecting personal information and privacy, as well as computers, emails and our networks, the proposed legislation is designed to allow individuals and companies to sue spammers and hold any businesses whose products and services are promoted using these means partially responsible for spamming activity.
As well, email marketers would be required to obtain informed consent from recipients to receive emails; provide an opting-out mechanism for further emails; and create a complaints system. That is the main purpose of the bill. Since most spam Canadians receive comes from other countries, international anti-spam measures are needed. The government should continue its efforts to harmonize anti-spam policies and encourage countries to work together on enforcing anti-spam legislation.
I would like to talk about this a bit longer. We know that spam comes from all over the world. That is one thing. But Canadian law applies only to Canada and Canadians, not to other countries. How might this affect us as consumers? What sort of commercial impact might it have? Businesses here in Canada will not be able to distribute advertising on the Internet using software or other ways of communicating with a computer.
The biggest problem is that because other countries are not subject to this law and their legislation is not harmonized with Canada's, they can keep on sending messages. If I have a business and I decide to send advertising over the Internet for doors, windows and other things, I cannot send a mass mailing. But a business in another country can.
We have to be competitive with industries around the world, because we are part of a global economy now. So what reason do we have to protect consumers? Protecting them against phishing or hacking is one thing, but we must not forget business. That was the committee's main concern. We must not prevent businesses here from continuing to make a profit. Eight billion transactions are carried out on the Internet. I believe that Canadian businesses should enjoy a share of this growth with all the people here in Canada.
It is vital that we ask ourselves whether we want to protect our industries or consumers. Should we let others continue to do business without our being able to participate? These are the questions that should be raised, and they have been raised. They have not received a full answer, but this bill is a major step, because it proposes a concrete measure within a timeframe. It took four years to come up with this legislation, because we wanted something better. As we know, things change much more rapidly with the Internet, where six months is an eternity.
So, fairly soon after this bill is passed, we will have to take time to see how things are unfolding and to make adjustments, as cyberpirates target us.
By the way, how do we define spam? Spam is any electronic commercial message, any text, audio, voice or visual message sent by any means of telecommunication—whether by email, cellular phone text messaging or instant messaging—without the consent of recipients. Therefore, it is reasonable to conclude that its purpose is to encourage participation in a new commercial activity, and that it includes electronic messages that offer to purchase, sell, barter or lease a product, good, service, land or an interest or right in land, or offer a business, investment or gaming opportunity.
I mentioned what spam is. It has to do with commercial activities, including offers to purchase, sell, barter or lease a product, good, service, land or an interest or right in land. All these are commercial activities that exist here. With this legislation, these people will no longer be able to use the Internet to send their messages.
What is left for these people to be competitive? Not much. They could use mail services. However, this can be costly, considering that, as I mentioned, such costs will not be incurred in other countries. We always hear—as one member said—that spam requires a lot of work. It takes someone to prepare these emails. If, all of a sudden, we prevent our industries from using the Internet to sell or rent all the products that I listed earlier, what are they going to do? As I just said, they will have to rely on mail services.
Just think how clogged up the system could get if every industry decided to send a mass mailing to all the other businesses, or to households. How much time would businesses spend opening mail, instead of emails? Of course, Canada Post would be pleased, since postal rates are exorbitant, but businesses would no longer be competitive, because of these costs. We should not forget that, because this is a significant economic consideration.
Having said what is considered spam, it is also important to point out what is not. What is not spam are messages sent by an individual to another individual with whom they have a personal or family relationship. For instance, I have no personal ties to you, Mr. Speaker. Imagine I send you a message, not as a member, since that is not allowed. So imagine that someone from outside the House sends you an email, he or she could be subject to fines, since this legislation no longer allows emails from one person to another. The bill reads:
—a message that is sent to a person who is engaged in a commercial activity and consists solely of an inquiry or application related to that activity.
Regarding commercial activities, witnesses came to testify that, initially, the bill required 18 months of contact with the other person. Let me give an example. I know that about every four or five years, family situations and incomes change, so people could be selling their house and buying a new one. With this new law, the real estate agent who sold me my house can no longer contact me after 18 months. In fact, he would be subject to a fine, if the 18-month time limit has passed. In committee, we were able to change that timeframe to 24 months. We would have preferred it to be even longer, to allow businesses and individuals to continue communicating with their existing clients.
As I said, the purpose of this bill was to restrict commercial activity, which is important here.
(a) that is, in whole or in part, an interactive two-way voice communication between individuals;
(b) that is sent by means of a facsimile to a telephone account; or
(c) that is a voice recording sent to a telephone account.
(c) that is of a class, or is sent in circumstances, specified in the regulations.
This bill will completely define the issue. There will surely be some flaws, as with any bill, whether it is good or bad. Since this is a new bill, there are always flaws because we forgot something or did not think to regulate something. Over time, we will have to re-examine the bill, more quickly than any other bill, to ensure that we have not left anything out.
The only circumstances under which spam could be sent would be if the person to whom the message is sent has consented to receiving it, whether the consent is express or implied. So, if I send a message and the individual agrees to receive it, a relationship has been established.
Let us take that same real estate agent, and let us assume that I heard from one of my colleagues that his brother-in-law has a house to sell. I would not be able to send that brother-in-law an email to let him know that his brother-in-law had informed me about the house for sale, or to tell him that I know someone who would be interested in buying the house. I could not do that.
I could only do it over the telephone. I could directly contact the individual via telephone or meet them in person. I would have to establish contact before doing business with this person.
So therein lies the problem. Anyone who wishes to establish a business relationship with another person must now do so via the telephone or mail, or meet the individual in person. They could not send a simple email.
We are setting limits. That is the message I want to get across. We are setting limits, but we cannot limit other countries in sending us these messages. We have to consider doing that and count on the goodwill of other countries such as the United States, Australia, France or other European countries. This type of legislation needs to be harmonized. Many countries do not have such regulations or laws. They can therefore do what they want because they are not subject to such legislation.
In addition to being in a form that conforms to the prescribed requirements, the message will have to make it possible to identify and contact the sender. The message must include an unsubscribe mechanism, with an email address or hyperlink, so that the recipient can indicate that he or she does not want to receive any further commercial electronic messages from the sender. If I send a message or an email, at the end of that message there specifically needs to be a box to check or a note explaining to the person how to stop receiving further messages.
I think this is the right approach, but in order for it to be successful inquiries would be necessary. The CRTC would have interesting powers. It could require a person to preserve transmission data, produce a copy of a document that is in their possession and prepare a document based on data, information or documents that are in their possession. It could also conduct a site visit in order to gather such information or, if necessary, to establish whether there was a violation.
Because it cannot do that itself, note that it will have to get a warrant from a justice of the peace prior to entering premises. It cannot do that by itself; the CRTC cannot do it by itself; the Competition Bureau has certain powers, but there again its powers are limited. Today, the Competition Bureau has no powers of inquiry. That is why there is Bill , which will give the Competition Bureau three types of powers of inquiry: an exclusive power of inquiry, a power of inquiry to summon and protect witnesses, and a power to search. That is what is important.
How can agencies conduct inquiries and do the work for which they have been created if they have no power? I have introduced Bill to give the Competition Bureau this power so it can conduct inquiries and do the work we expect of it.
If the court believes that a person has violated any of those provisions, it may, which is not to say that it will have to, order that the applicant be paid an amount representing the loss or damages suffered, or any expenses incurred. If it is impossible for the applicant to establish those amounts, the court may order that the applicant be paid a maximum of $200 per contravention, up to a maximum of $1 million. I am choosing my words carefully: not “shall order”, but “may order”. That is very different.
As I said earlier, the CRTC, the Competition Bureau and the Office of the Privacy Commissioner must also consult one another, and they may share any information with one another in order to carry out their activities and responsibilities pursuant to their respective powers.
So there are three agencies: the CRTC, the Office of the Privacy Commissioner and the Competition Bureau. Together, they have certain powers under the bill. However, they must be capable of communicating with one another. We know that these agencies have their private preserves and they are not prone to disclosing information.
The Office of the Privacy Commissioner is another thing again. The Liberal member referred to this earlier. That Office is an important player in this regard.
Unsolicited commercial electronic messages are becoming a serious social and economic problem that undermines the personal and commercial productivity of Quebeckers. Not only do they hinder email use for personal communications but they also threaten the growth of legitimate e-commerce. As I mentioned earlier, when people are assigned to open these emails, time is lost and businesses become less competitive. That causes a problem.
I would like to point out something else. The minister, or another organization somehow involved in Bill , has managed to ensure that a clause in this bill could jeopardize the National Do-Not-Call List (DNCL). A door has been opened because one of the clauses states that the DNCL—set up by this government and containing the telephone numbers of seven million people who do not wish to be unnecessarily pestered by telemarketers—could be deactivated. They have now made it possible, within one year, to eliminate a list that cost millions to set up.
:
Mr. Speaker, I will be splitting my time with the member for .
I am pleased to speak to Bill , the electronic commerce protection act.
I think that the last interchange is an indication that the legislation before us may have its shortcomings but the urgency with respect to bringing the legislation forward is undeniable. It is undeniable because of the invasiveness of spam and that people's lives can be turned absolutely upside down by those who use spam with the intent to defraud and to use information that is available through access to information. It has been pointed out that no technological firewall or router can act as a barrier and people are absolutely susceptible to those who have spent a huge amount of time thinking of how they can, through an email invasion, access information that will be used fraudulently.
This is not an issue over which the government or any particular party has proprietary rights. In this House we all share the responsibility to have in place a legislative regime that anticipates the nature of this invasion through electronic commerce with the intent to defraud or to put forward false information.
We all share the desire to develop the tools. This will not be the end. The committee has made amendments to original legislation that was put forward through a committee or a task force process. This bill will go through the Senate process. I would assure members of the House, and I refer in particular to the interchange that just took place, there will be other mechanisms undoubtedly, other tools that will be developed through the continuing process of developing the legislation.
I am sure there are people who are watching who only see bits and pieces of the debate. People do not always see the total context within which the debate on legislation is taking place. I would like to provide a chronology to put things in context.
Spam is a serious concern for individual Canadians and businesses. Back in 2004-05, the then Liberal government established a task force to look at anti-spam legislation. That task force brought forward recommendations which generally paralleled the bill before us. Those recommendations were aimed at prohibiting the sending of spam without prior consent as a first principle. The second principle was that it would be an offence to use false or misleading statements to disguise the origins or true intent of an email.
The task force led to a number of key recommendations. I think there were 22 recommendations in all. The government of the day established a series of round tables to seek input from the business community and the community in general.
At that time, the specific recommendations were to prohibit the sending of spam without prior consent as the first principle, to prohibit the use of false or misleading statements disguising the origins or intent of an email, and to prohibit the installation of unauthorized programs. Spam artists are so cunning that if a person does give clearance to a misleading and disguised email, information with respect to even the person's passwords can be made available, which gives access to the person's email content, websites, et cetera. The final principle that was established through that task force was to prohibit the unauthorized collection of personal information or email addresses.
This bill has all of the elements of those task force recommendations and looks to implement the recommendations of that task force. As I have said, this is not a Liberal approach or a Conservative approach; in fact, it appears that the bill has the support of all parties in the House.
There is one aspect of the bill that is different from the regime that was put forward back in 2004-05 under those recommendations, and that is with respect to fines and the implications with respect to what may happen if one is found guilty of violating the intent of the legislation. The fines for these violations can go up to a maximum of $1 million for individuals and $10 million for businesses. It establishes rules for warrants, for information, as was discussed by the last speaker and in questions, and in particular, that information being available through warrants during investigations and injunctions that can be sought on spam activity while under investigation.
The bill also establishes the private right of action, allowing individuals and businesses the ability to seek damages from the perpetrators of spam. That is a particularly important principle. We have talked about victims and victims' statements during criminal proceedings and recently with the bill that firms up the interventions with respect to parole and the ongoing communication with those who have been victimized with respect to how the provisions of parole are carried out.
This bill also attempts to err on the side of victims. It gives them the ability to seek damages from the perpetrators of spam, depending upon the nature of invasion of privacy and the activity that took place.
It was pointed out that the committee had some problems with flaws in this bill. Clause 6 seemed to be a little too broadly written and, as has been pointed out by other speakers, could suppress a very legitimate part of our application of technology and the whole sector. It could impose an adverse position with respect to those who are creative within the technology, the rules of the technology and so on. It was pointed out that the committee was not satisfied to that extent. However, amendments were made to the bill.
The bill also maintains a very strong and some have said heavy-handed position, but given the nature of the illegal activity going on, I think that all of the House would concur with the committee's intent to make those who are guilty suffer.
Generally speaking, those in the stakeholder groups were not satisfied with the original task force recommendations, and there may be some who are still not satisfied with the bill. However, as I have indicated, it has gone through the committee stage, amendments have been made and at this point I think we have to err on the side of those who use their email and other technology for positive and high value-added activity and go after those who would victimize those who are using the technology.