Welcome, everybody. We have a full house today. It's exciting to see.
Welcome to meeting number 72 of the Standing Committee on Industry, Science and Technology. Pursuant to the order of reference of Wednesday, June 14, 2017, and section 65 of An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying Out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, this is a statutory review of the act. That's more than a mouthful.
Today, we have witnesses from the Department of Industry. With us is Mark Schaan, director general of the marketplace framework policy branch in the strategy and innovation policy sector, as well as Charles Taillefer, director of the privacy and data protection policy directorate in the digital transformation service sector.
We also have with us, from the Canadian Radio-television and Telecommunications Commission, Steven Harroun, chief compliance and enforcement officer; Neil Barratt, director, electronic commerce enforcement; and Kelly-Anne Smith, senior legal counsel.
We are going to get started. We have a busy meeting ahead of us.
We'll start with Mr. Schaan. You have 10 minutes to present to us. After the 10 minutes, we'll go to the CRTC.
First of all, I would like to thank you, Mr. Chair, and members of the committee for the invitation to appear before you this morning.
My name is Mark Schaan and I serve as director general of the marketplace framework policy branch in the strategic innovation and policy sector of Innovation, Science and Economic Development Canada.
While our sector broadly includes such policy areas as innovation, telecommunications, and trade, my branch specifically analyzes and proposes improvements for the role of marketplace frameworks in meeting the department's objectives. This includes analysis of corporate governance, bankruptcy and insolvency, competition, and intellectual property to support an efficient marketplace and innovation economy.
More recently, my branch was assigned responsibility for Canada's anti-spam legislation, CASL, and the Personal Information Protection and Electronic Documents Act, PIPEDA, which are key pieces of legislation that are part of a broader legal underpinning that provides a regulatory foundation for commerce, including electronic commerce. Both seek to promote commerce and innovation through facilitating trust and confidence in the digital marketplace.
I am here with Charles Taillefer, director of the privacy and data protection directorate within my branch. His team is responsible for providing policy advice, guidance, and support with respect to CASL.
CASL has its origins with the anti-spam action plan for Canada, which was launched in 2004 and established a private sector task force chaired by ISED. The task force was responsible for looking into the issue of unsolicited commercial email, or spam. By the end of 2004, spam accounted for 80% of all global email traffic. In that same year, the task force on spam held national consultations with stakeholders, and it issued a report in May 2005. In order to combat spam, the report recommended that specific legislation be created.
Canada's new anti-spam law was passed in December 2010. The law, as the chair has pointed out, does not have a short title. Its actual title is “An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying Out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act”.
Given the substantive changes represented within this new framework legislation, a transition period was built into the implementation of the act and, following a Governor in Council order, it entered into force on July 1, 2014.
CASL helps protect Canadians by encouraging the use of safe and secure electronic commerce to carry out commercial activities in the online marketplace.
CASL generally protects Canadians from spam and other electronic threats, while ensuring that businesses can continue to compete in the global marketplace.
The law prohibits: sending of commercial electronic messages without the recipient's consent; altering transmission data in an electronic message without express consent; installation of computer programs without the express consent of the owner of the computer system; using false or misleading representations online in the promotion of products or services; collecting personal information through the illegal access of a computer system; and collecting and using electronic addresses through computer programs, which is also known as electronic harvesting.
Responsibilities for meeting the objectives are shared by a number of federal organizations. ISED operates the national coordinating body for CASL, which is responsible for the policy oversight and coordination of the anti-spam initiative. This also includes monitoring the implementation of the legislation and assessing whether it's meeting its stated objectives.
In addition to the national coordinating body, there are three independent federal agencies responsible for enforcing the act. The Canadian Radio-television and Telecommunications Commission, the CRTC, of which we have representatives with us today, can issue administrative monetary penalties for violations of the anti-spam law. The Competition Bureau can seek administrative monetary penalties or criminal sanctions under the Competition Act. The Office of the Privacy Commissioner also has powers under the Personal Information Protection and Electronic Documents Act related to ensuring the privacy of personal information and handling breaches.
The office of consumer affairs, which is also part of ISED, has an important role to play in terms of information and outreach, as they manage the fightspam.gc.ca website in liaison with the three mentioned agencies and the national coordinating body.
Despite new e-communication filters and blockers, spam and malware remain a significant issue for electronic commerce, and a serious security threat. Spam, while being reduced from the level of 2004, still accounts for over 50% of global email traffic in 2017. Moreover, spam is used as a means to introduce malicious programs, such as ransomware, into computer systems of both consumers and businesses. For example, after the WannaCry ransomware attack, malicious spam rose by 17%.
The scope of the issue is global and requires coordinated international efforts, and our enforcement agencies participate in international forums to impose administrative monetary penalties and conclude investigations on an international scale.
CASL is a key element of the Canadian legal framework to support development of the digital economy. Its stated purpose is to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means.
There is evidence that CASL is working. Since the law has been in force, the amount of spam sent from within Canada has been reduced by more than a third. CASL provides for a suite of enforcement tools, including a private right of action, to support anti-spam efforts. The private right of action was scheduled to come into force in July 2017, the same time as the scheduled statutory review under the act. Some Canadian representatives from industry, academia, and civil society had raised concerns over the scope of the private right of action under CASL. As noted in recent ISED consultations with stakeholders, there is a significant sentiment that some aspects of the law could be further clarified.
As all of you know, the coming into force date of the provisions was suspended on June 2, 2017, pending a legislative review by this committee. Legislation such as CASL is foundational to building trust in the digital economy and it is sound practice to review such rules on a regular basis to ensure that they respond effectively and adapt to new developments in this fast-evolving digital marketplace.
In today's markets, business success depends heavily on the flow and utilization of information, making information itself one of the primary raw materials of the modern economy. Consumers and businesses need to trust that this information is managed responsibly for the digital economy to flourish. That is why a balanced and efficient regulatory framework is key, and CASL is a central part of Canada's response to this challenge.
I would be happy to respond to any questions that you may have with respect to ISED's role in administering CASL. My colleagues from the CRTC are also here today and are best placed to respond to questions related to enforcement activities, including interpretation of CASL.
Thank you, Mr. Chair, for inviting us to appear before your committee to share the Canadian Radio-television and Telecommunications Commission's, the CRTC's, experience with Canada's anti-spam legislation, CASL.
With me today are my colleagues Kelly-Anne Smith, senior legal counsel, and Neil Barratt, the director of electronic commerce enforcement.
This is our first opportunity to discuss the act with you since its introduction, so I think it would be helpful to provide a high-level overview of our responsibilities under CASL.
The legislation gives the CRTC the authority to regulate certain forms of electronic contact to provide Canadians with a secure online environment, while ensuring that businesses can compete in the global marketplace.
The fundamental underlying principle is that activities can only be carried out with consent. CASL is an opt-in regime. This means that consent must be obtained before sending commercial electronic messages, altering transmission data, or installing software. Commercial electronic messages, whether email, text message, or other format, must contain an unsubscribe mechanism that is clearly and prominently set out and readily performed. This allows recipients to withdraw their consent if they no longer wish to receive messages. Messages must also identify the sender or the person on whose behalf the message is being sent and contain contact details such as an email address, mailing address, and website.
Our objective is to promote and ensure compliance with the act. During the past three years, the CRTC has made it a priority to offer information sessions across the country and publish guidance materials for businesses, consumers, and the legal community. For example, my staff and I delivered six information sessions last May in Toronto to more than 1,200 businesses. These presentations help to raise awareness among businesses of their responsibilities when marketing products and services to Canadians and allow us to share lessons learned from investigations. As we do in every seminar, I made it clear that the CRTC is available to offer advice and support to help businesses comply with the act.
We also promote CASL to Canadians through our website, interactions with consumer groups, and on the phone and by email with our client service specialists. Consumer alerts are published on our website to warn Canadians of non-compliant online practices so they are aware and report any suspected violations. We want Canadians to report violations, and they are doing so, in great numbers.
The CRTC acts on the complaints it receives and has a number of tools to bring individuals and businesses into compliance, including the issuance of notices of violation, with accompanying administrative monetary penalties.
We look at a variety of factors to determine what the appropriate enforcement action should be. Our compliance approach includes interventions ranging from education to enforcement.
Our options include a warning letter regarding a minor violation requiring corrective action. We can also issue a notice of violation. This enforcement measure often includes an administrative monetary penalty.
We also enter into undertakings with parties who voluntarily agree to come into compliance. This often means that the party implements a corporate compliance program to prevent future violations. It can also entail paying a specified amount, although this payment is not considered an administrative monetary penalty. This has been a particularly useful tool, as we have reached undertakings with several parties that co-operated with our investigations.
Depending on the nature of the violation, the CRTC can impose up to $1 million per violation in the case of an individual, and up to $10 million per violation in the case of other persons, for example, corporations. We also have the authority to seek a judicially pre-authorized warrant to enter a residence or business to verify compliance with the act or determine if a violation of the act has occurred.
The CRTC has had success enforcing the legislation in the short time that it has been in force. For instance, along with national and international partners, in December 2015 the CRTC took down a command-and-control server disseminating spam and malicious malware, located in Toronto, as part of a coordinated international effort. This disrupted one of the most widely distributed malware families, which had affected more than one million personal computers in over 190 countries.
Of course, in today's interconnected world, spam and other electronic threats are not confined to Canada. One of the tools Parliament provided the CRTC is the ability to share information and seek enforcement assistance from our international counterparts. To date, the CRTC has entered into agreements with enforcement agencies in the United States, the United Kingdom, Australia and New Zealand.
Internationally, we also co-operate with partners through the Unsolicited Communications Enforcement Network, or UCENet. The purpose of this network is to promote international spam enforcement co-operation and address related problems such as online fraud and deception, phishing, and the dissemination of viruses.
Through UCENet, the CRTC has signed a memorandum of understanding with 12 enforcement agencies from eight different countries. We share our knowledge and expertise through training programs and staff exchanges and inform each other of developments in our respective countries' laws.
Domestically, CASL allows us to share information and co-operate on investigations with our partner enforcement agencies, the Competition Bureau and the Office of the Privacy Commissioner. In 2013, the CRTC signed a memorandum of understanding with our partners to facilitate co-operation, coordination, and information sharing. However, there are limited tools within CASL to allow the CRTC to share information with other domestic law enforcement and cybersecurity partners.
Working with our partners, we are better equipped to ensure that people who distribute commercial messages, domestic or foreign, comply with Canada's anti-spam legislation.
Mr. Chair, I'm not suggesting that the act is perfect. I suspect that you will hear a lot of suggestions about what needs fixing from the various witnesses who will address the committee in the months ahead. The CRTC would welcome the opportunity to appear before your members again before you wrap up your review and begin writing your report. We will closely follow the proceedings and can provide feedback on the ideas you may hear and respond to any questions you may have about what will or will not work.
As you and the members of the committee are aware, legislation must be enforceable in order to be effective. As you conduct your review, it is important to keep in mind that CASL has been in force for a relatively short period of time and covers a broad range of activities. The activities and ensuing investigations under the act are complex, and we have yet to fully apply the legislation.
We now welcome any questions you may have.
I'll start with the 5,000 complaints a week to our spam reporting centre. I would suggest that compliance is still an issue.
Certainly compliance is key. I'm the chief compliance and enforcement officer. The compliance part of my title is critical to ensuring that businesses are aware of the rules, understand how they can comply with the rules, and understand what's necessary with respect to following the rules. Those education outreach sessions are extremely important.
The ones we did in the early days in 2014 when we were first getting off the ground and the ones we did a couple of months ago are very different. In the early days, we were talking about how you must have an “unsubscribe” and it must link to this, etc. Now, we're providing more guidance and interpretation on recent decisions and compliance programs.
Businesses, individuals, and the legal community are looking at our decisions, interpreting them, and saying, “Oh, I understand now what you mean when you say this”, or “I understand how you're applying this particular regulation.” We're trying to provide that clarity. It is an ongoing initiative. We will do it every year, I would suspect, because there are always people knocking at our door and saying that they need help to understand.
We've relied on a number of third party reports to be able to get an assessment of the degree to which spam makes up the email flows of Canadians. We get it in two ways. One is the degree to which we can rely on the senders to understand their practices, for instance, working with folks on the “Canadian Digital Marketing Report” or others that tell us about senders as well as some information related to recipients.
One year after CASL's implementation, for instance, there was 29% less email in Canadians' inboxes, and a 37% reduction in spam originating from Canada. That came from an organization called Cloudmark, in a 2015 study.
We have data from CIRA and Ipsos that indicates that 84% of Canadians who knew about CASL took advantage of the coming into force to triage the emails coming into their inboxes. The spam reporting centre has received just over 1.1 million submissions. We're trying to triangulate multiple sources of data to be able to get at the issue.
On the sender side, Litmus and others have told us, for instance, that 49% said that CASL had no impact on their email marketing program; they were continuing to market through email because they felt they could be compliant. Twenty-three per cent said that CASL had minimal impact, so clearly there were some shifts. Twenty-seven per cent said that it had a significant or dramatic impact, which means that, potentially, they were significantly addressing their current practices.
The data is third party, and by and large, as we say, we try to get it from a number of sources, to really get at the root of the issue.
Thank you very much to our presenters. That was very informative.
Way back in the day, about 20 years ago, I worked with the first commerce-enabled website in northern Ontario. What a difference a day makes, though, in this particular business.
In preparing for today I was thinking about the different places we have been to since I started around 1997. We used to employ methods, instead of interruption marketing, in permission marketing, trying to get people's emails by various means, whether it was by offering some sort of product or service in return for that email. It was really thought out. It was explained really well to the person in order to get that particular email and any other information that we wanted. We employed that for a very long time.
The reason the spam legislation came along in 2004 is that no one was asking for permission. There were very different methods of grabbing those emails, just pounding people with messaging. Sometimes they would have detrimental results as they were trying to put in the malware, and various things. I applaud the efforts of the government in trying to deal with that. Recollecting as I go down that timeline, in 2004 there was something else that was launched, not only this task force, but of course Facebook.
To begin my line of questioning, in your opinion, how well has this particular piece of legislation, which was introduced recently, been able to keep up with the new tactics people are employing to pilfer emails? What's the success rate?
I understand, through the testimony, that the efforts here in Canada have been great. I've read the story about what happened in Toronto. It was wonderful. But a lot of the complaints are international. I know we have some particular agreements with international countries, but there are countries that are in the news all the time that.... How can we deal with those particular countries, going forward?
I'll start, and then I'll turn it over to my colleagues from the CRTC.
To the point that was made earlier, in general, because the law was framed as technology neutral, by and large it has been able to keep up. I think our own sophisticated understanding of the tools and techniques that are being used by entities requires quite a bit of constant study and work on our part, but the law itself has generally been able to continue to allow for enforcement to be carried out.
I would say, with respect to the notion of consent, that even the Privacy Commissioner in his own report just last week indicated that obtaining meaningful consent has become increasingly challenging in the digital age, where data is ubiquitous, commodified, and maybe processed by multiple players, totally unbeknownst to the individual to whom the data belongs. I think that is something that we continue to examine and analyze and understand. It's something that is changing, as we say. Your point about 2004.... It allowed people to share both very personal information about themselves as well as pictures of their dinners, but also created quite an interesting conceptual issue around consent.
I think from a legal perspective, by and large, we've been relatively successful in keeping up with the technological advancements.
With regard to enforcement, I'll turn to my colleagues.
I'll build on what Mark has been saying.
From an enforcement perspective, the opt-in regime is actually very helpful, because we are able to understand very clearly if someone has given their permission to receive information or emails, etc. That's a very helpful piece.
On the international front, I stand by the fact that we are very active in the international sphere. For example, I've mentioned UCENet, which is an international network of enforcement agencies. Just last year, we held a workshop with the International Institute of Communications on nuisance communications. The importance of that venue was that they are the policy folks, and there are people and countries involved in the IIC who had never met the enforcement side of the piece. We brought those two sides of the puzzle together at a workshop to look at the varying ranges of legislation available to these countries, so that the developed and the developing countries could exchange with each other their lessons learned. We can learn from the enforcement side of the house about what works and what doesn't. If you're about to institute legislation, how can that help?
We at the CRTC took it upon ourselves to sponsor this workshop and bring those two worlds together, and we'll be doing a follow-up actually, later in October, to discuss the next steps, how we can get everybody on the same page moving forward, and who can pick up the ball on particular pieces to ensure that we keep furthering the elimination of nuisance communications to everyone around the world.
It's ironic that you say you get calls from everywhere else. I know we've cited good stats. We still get calls from international partners asking us to help them against the servers in Canada. It's interesting. They see it from the other side of the fence. Across the pond, they say it's over there in Canada. They're the ones doing the spamming. They may not be spamming Canadians, but they're spamming someone else around the world.
I'll start and then go to my colleague.
We talk about compliance and reach out to the business community and individuals to comply. Another side of what we do is ensuring that Canadians are aware of things that are happening.
We're very fortunate at the CRTC. As an independent agency, we're very active on Facebook and Twitter. We do lots of consumer alerts, if you will, along with my colleagues at the office of consumer affairs, to let Canadians know that this activity has happened, that this scam is out there.
We've all heard about the vacation scams and about the Microsoft scams for tech support, etc. We are very active in that space to let Canadians know: first, that this is what's happening; second, that this is what we've been investigating; and third, that if you have given us a complaint about a certain company, this is what has happened.
We try, then, to be active in the space to let Canadians know that they should be aware. Obviously, we can't solve all the problems of the world, but at least we can make awareness important. That's why in our social media space it's very important. As you say, it's no longer the tweens; it's everyone from 12 to 92.