Welcome, everybody, to meeting number 75 of the Standing Committee on Industry, Science and Technology.
Pursuant to the order of reference of Wednesday, June 14, 2017, we are looking at the Canadian anti-spam legislation, CASL.
Today, we have Scott Smith, director of intellectual property and innovation policy at the Canadian Chamber of Commerce.
From the Desjardins Group, we have Ms. Diallo, senior legal counsel, as well as Natalie Brown, director.
From the Public Interest Advocacy Centre, we have Alysia Lau, external counsel for regulatory and public policy, and John Lawford, executive director and general counsel.
As an individual, we have Barry Sookman, partner with McCarthy Tétrault.
We are going to jump right into it. You will each have eight minutes to do your presentation.
We are going to start with Mr. Smith.
Thank you so much, and my thanks to members of the committee for having me here today. It's good to see you all again.
I'm here representing the Canadian Chamber of Commerce. I think you all know who we are. We represent a network of 450 chambers of commerce across the country, boards of trade, and over 200,000 businesses of all sizes, in all sectors, and in all regions. We're the largest business organization in the country. We also represent over 100 sector associations, so by extension we basically represent the views of the business community in Canada.
Since 1925 the Canadian Chamber of Commerce has connected businesses of all sizes, from all sectors, and from all regions, in pursuing public policies that will foster a strong, competitive economic environment that benefits business, communities, and families.
In 2014, making those connections became a little more complicated. I'll start by saying that none of the organizations I represent like spam. No one does, unless of course you're a spammer. If you regard spam as a massive intrusion of unwanted bulk email advertising sent into your inbox by nefarious criminals lurking on the Internet, then 10 years ago spam was a big problem. According to Trustwave, which is a global services company, in 2008 92.6% of global email traffic was spam. By 2015 that number had declined to 54%. In 2016 it was back up to 59%. But here's the catch. In 2008 much of the unwanted messaging was reaching your inbox; by 2016 it wasn't.
Trustwave is measuring the volume of traffic entering their servers and comparing spam to legitimate messages. The spam that's filtered out never reaches you. In fact, the ISPs managing all of your email accounts have gone to great lengths and expense to build filters with sophisticated algorithms that achieve a 99% success rate in eliminating spam.
The real problem now is cybersecurity. According to Fung Global Retail and Technology, and IBM X-Force, the total amount of spam found with ransomware attachments in 2015 was 1%; in 2016 that number jumped to 43%. The bad guys found a new platform.
While there are tools in CASL that would be useful in going after these bad guys, the breathtaking scope of CASL clutters the digital landscape and distracts enforcement efforts away from the problems that really matter. The trouble is that CASL does not define spam as a massive intrusion of unwanted bulk email. The law applies to everyone. It applies to multinational companies, small businesses, trade associations, charities, and individuals, and it captures single messages from one individual to another. While the private right-of-action provisions in CASL have been delayed from coming into force, the provisions still represent a significant risk to the business community down the road, assuming that they do come into force at some time.
The law regulates electronic commerce by restricting the use of electronic communications media to send commercial electronic messages. In effect, the law requires the consent of a recipient to send an email, text, instant message, or any other form of electronic message unless the sender has a narrowly defined pre-existing relationship. The law does not permit the sending of an electronic message in order to obtain that consent, so if you want to email somebody to talk about a business venture, even if it's one-on-one you can't send an email asking them to meet you for coffee.
In essence, CASL places unreasonable limits on free speech, it stifles innovation, and it puts the competitiveness of Canadian business at risk. On February 19, 2016, the National Post published an article saying that Canadians could no longer appear on Jeopardy! The Jeopardy! organization couldn't send a note to prospective contestants because they were fearful of violating CASL. It's a glib example, but it's illustrative of the challenges that organizations face when attempting to do business in this country. The law has been in force for about three years now, and I still get frequent calls from businesses outside of Canada asking what CASL is all about. More often than not, the choice of these businesses is to avoid the Canadian marketplace, after they find out the rules.
We released a survey about CASL earlier this week. It will be in the field for a few more weeks. I'll paraphrase from one of the comments we've received back so far.
Prospecting for new business is very difficult. It is almost impossible to track how long you can rely on implied consent for a lead and how you can contact them. The record-keeping required is also very challenging. You need a screenshot of where the email address or contact info was published, and you need to know when. There is no one-size-fits-all, off-the-shelf technology solution to track records of consent. It means we must make a huge technology investment. This particular company says they've done a lot to become CASL-compliant, including investing in the technology and legal advice, and from a marketing perspective, they believe that they are onside. The challenge is the sales team, as they feel very uncomfortable with where they stand in terms of documenting, contacting, and prospecting for new clients.
I'll get into a few specifics. Organizations are struggling with CASL compliance in the following areas.
First, they are struggling with the definition of commercial electronic messages, CEM, which is exceptionally vague, and could inadvertently cover many messages that are not commercial advertisements or promotion of a commercial product or service.
Second, CASL does not permit the installation of a computer program without obtaining express consent. We believe this will have, or has had, unforeseen, negative impacts on consumers given the fact that data analytics is now a massive global innovation opportunity that's likely being darkened in Canada because of CASL.
Third, the information requirements for acquiring express consent are onerous, as the system asks for a voice recording, for instance, for verbal consent, and this will need to be stored, tracked, and managed over time.
Fourth, managing the deadlines around implied consent is too difficult. There was an effort to make things more efficient by allowing certain types of implied consent, but that implied consent expires. The reality is, when you have multiple levels of messages going through the system and consent is going through third parties, managing unsubscribes is very difficult.
Fifth, many of the exceptions are too vague. For instance, in section 3(d) of the CRTC regulation, it states that:
Section 6 of the Act does not apply to a commercial electronic message... (d) that is sent and received on an electronic messaging service if the information and unsubscribe mechanism that are required under subsection 6(2) of the Act are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.
Most small businesses won't even read that.
Sixth, the record-keeping standard is difficult to achieve. According to regulators, consent can be achieved not only by digital or written format, but also through voice. However, section 13 puts the onus on the sender to prove consent. This has created a predicament for businesses. Even if they acquire valid consent, they will be unable to document it in a sufficient way, forcing them to abandon the message in the first place.
Seventh, the private right of action, which I've mentioned, is still a concern among businesses. The likelihood of a business being drawn into a class action lawsuit, even if they are in full compliance, would be a significant burden on that business.
Eighth, there is an issue related to vicarious liability. Section 53 creates potential personal liability for officers and directors of corporations that violate CASL where due diligence is the only defence. We view this as extreme.
Finally, there is an issue related to proportionality. The punishments don't fit the crime. Compliance agreements that have been implemented by the CRTC to this point have imposed massive penalties on legitimate companies that had minor errors in their attempts to achieve compliance. Instead of following along with the due diligence argument when companies were attempting to do the right thing, the CRTC fined them hundreds of thousands of dollars. The same is true in the case of very small companies that had infractions. Yes, they were out of compliance, but a $15,000 fine? This is a very significant amount of money for a small company.
I will wrap this up.
The government's objective in bringing this legislation was to “deter spam and other damaging and deceptive electronic threats such as identity theft, phishing”, and it “helps protect Canadians while ensuring that businesses can continue to compete in the global marketplace.” I would argue that CASL has not met that objective.
Disproportionate compliance spending hurts the Canadian economy. Businesses could be spending this money on innovation, hiring, marketing, and expansion, and I would urge this committee to take a stand on this legislation and make recommendations for a significant overhaul that will meet the objective of promoting a framework of effective electronic commerce in this country.
Thank you very much.
Honourable members, on behalf of the Desjardins Group, thank you for inviting us to testify before your committee.
I am pleased to be here today to talk about something as important as the review of Canada's anti-spam legislation, that I will call CASL. It is an important piece of legislation for our industry, and it has a considerable impact on how we communicate with our members and clients.
As the Chair said, my name is Aïsha Fournier Diallo. I am senior legal counsel with the Desjardins Group, more specifically with its subsidiaries in property and casualty insurance that do business across Canada. My job is to support the validation of the legal risks associated with Canada's anti-spam legislation. Naturally, we are called upon to interpret the legislation every day.
Let me introduce Natalie Brown. She is the director of the caisse network and she leads a team that deals with credit card services, payments and litigation.
Although my remarks will be mostly in French, we will be happy to answer your questions in both languages.
First, I will say a quick word about the Desjardins Group because I would like to move on to CASL.
It was here, in Ottawa, that the idea for the Desjardins Group was born. Right next door, across the road, Alphonse Desjardins was a Hansard reporter for more than 25 years. After a debate on loan sharking, he got the idea to found a co-operative financial group that would address the needs of smaller depositors.
Today, 117 years later, the Desjardins Group is the largest co-operative financial group in Canada, and the 6th largest in the world, with assets of over $270 billion.
Our close to 1,100 caisses and financial centres in Quebec and Ontario, together with our online platforms and subsidiaries from coast to coast to coast, serve over seven million members and clients. It should be noted that a third of our service centres are located in less densely populated areas.
From heritage to insurance management, including business services, the group employs just under 48,000 employees and 5,000 managers.
That said, I would like to say what a pleasure it is to be among you today, honourable members, to share with you my point of view.
I came to Desjardins as a lawyer in 2013, about one year before the legislation came into force. I was able to witness the impact it had on what we do and how we communicate with our members and clients.
People's expectations towards communications have changed. Our modes of communication have also changed. Clients expect us to reach out to them in the most natural and effective way possible. You have to put yourself in the shoes of the consumer, which we do every day since we are in contact with them. They want emails and texts, and are looking for an easy way to connect with us.
This is why organizations should be able to communicate with their clients and their members without having to constantly worry about whether they are violating a section of Canada's anti-spam legislation. With every message we send, we have to ask: does my email or text comply with the law? Is it a commercial electronic message, a CEM? Do I have the necessary valid consent to send it? Is it excluded under the legislation? Is the prescribed information included in the email?
Imagine having to do this every single time you send an email to a member or client.
In the past, the government said, “Canadians deserve an effective law that protects them from spam and other electronic threats that lead to harassment, identity theft and fraud.” As Mr. Smith said, no one is against this. However, the law is far too broad.
People, like ourselves for instance, who work everyday with this legislation while trying to support our business operations have been anxiously waiting for this review. We hope that the government will take advantage of this opportunity to undertake an in-depth review of this legislation so that it may achieve its goal, while at the same time finding a balance that will allow organizations that have legitimate reasons to communicate with their clients to do so without fear and with the benefit of more streamlined legislation.
CASL is one of the most restrictive pieces of anti-spam legislation in the world. It was a great idea, protecting Canadians from spam. No one likes spam. But in our view, there has been a chilling effect on marketing and business communications, primarily for four reasons: the lack of clarity and the interpretive issues that exist in the act that require either clarification or amendments to the law; the fact that it is an opt-in consent model piece of legislation, meaning that you need an express or implied consent to send commercial electronic messages; the incredibly steep administrative penalties that the CRTC can impose for violations of the act; and the possibility of lawsuits from consumers through the private right of action.
The interpretive issues and lack of clarity make it difficult for lawyers like us to provide firm advice to their clients and for clients to be confident that they are in compliance with the law. There is no room for error under CASL, and all are extremely cautious, therefore missing opportunities to communicate with the clients for legitimate reasons, particularly in the one-on-one context. It should be easy for small businesses and larger ones to understand CASL and to apply it.
I am going to give an overview of the major interpretive issues we have faced these past few years, and we will provide you with a brief explaining them in greater detail, because there are quite a few.
First of all, the definition of a “commercial electronic message” is so broad that it includes practically any commercial message, even if the message is sent to a client with whom we have a perfectly legitimate commercial relationship.
As I said earlier, with every message, its content and the context in which it is sent have to be considered. You need to be aware of things like hyperlinks in the emails, clickable logos, in short, anything that could be seen as promoting the image of whoever is sending the email, and that includes a lot of things. For example, the fraud prevention email we would like to send to our members and clients could be considered a CEM because of the hyperlinks it includes. If a hyperlink leads to our website where our products and services are advertized, we have to ask whether it compromises the email by turning it into a CEM, which is prohibited.
The fact that our clients have to consult us before they send an email to their clientele with every new initiative and new campaign or innovation complicates things a great deal. We need more clarity to make sure that the nature of the messages we send, like the fraud prevention email, cannot be misinterpreted, even if they include hyperlinks, logos or elements that promote the Desjardins Group.
We feel it necessary to clarify the definition of CEM and to relate it back to the legislation's original purpose, which is to protect consumers from spam and the electronic threats that could lead to harassment, identity theft and fraud. Essentially, we need the assumption to be that Canadian companies have no ill intent when they communicate with their clients, and focus rather on the truly problematic communications.
I am now going to talk to you about the notion of consent and related provisions. As you know, the law requires express and implicit consent. Some of the provisions around implicit consent are a bit murky, and as a large financial group, we need to know who can benefit from this consent. Therefore, we recommend an opt-out option, that way, we would administer an unsubscribe mechanism instead of getting bogged down with consent management.
There is still one more area I want to cover. Earlier, Mr. Smith mentioned that subsection 6(6) is unclear. Indeed, some emails that shouldn't even qualify as CEMs are prohibited under this subsection.
Finally, I would like to mention the private right of action provision. We are very happy that it was suspended and we think it should be completely struck from the act. As a regulatory body, the CRTC can interpret the act. We believe that it is better to defer to such a body on matters of interpretation instead of overwhelming the courts.
I would like to thank you once again for inviting us to testify today. I sincerely believe it is possible to find a balance that would allow organizations to communicate more freely with their clients while at the same time protecting the interests of Canadians.
The Public Interest Advocacy Centre, or PIAC, is a national, non-profit organization and registered charity that provides legal and research services on behalf of consumer interests, and in particular, vulnerable consumer interests, concerning the provision of important public services.
PIAC has been active on the spam file since before the anti-spam task force was constituted in 2004. We testified before this committee in relation to then Bill in 2009 in support of the legislation. We supported the legislation as passed in 2010.
Our message today is simple. Canadians benefit from some of the world’s strongest protections against spam. Canada’s anti-spam legislation generally keeps business from sending spam unless the recipient has provided express prior consent and can easily unsubscribe. This is the great Canadian innovation. Trust consumers and citizens to control their privacy in the marketplace not marketers.
Has CASL been working for consumers? Currently, the CRTC is receiving about 5,000 complaints a week about email marketers not respecting CASL. One report from spring 2015 found outgoing spam volumes from Canada dropped 37% and overall email volume, spam and legitimate email, received by Canadians also dropped about 30% in the immediate period after CASL came into full force on July 1, 2014.
Since then Canadians have enjoyed the control of their email and other electronic communications by giving their consent to email, texts, and other electronic messages only to those companies with which they deal and by being able to unsubscribe from any email list that they wish.
Companies can still reach Canadians via email. There is no commercial email ban. Consumers buying products and services or who reach out to the company in question can expect two years of emails before the existing business relationship is deemed stale and the emails must stop. While consumers have a valid contract with a company, emails are allowed during the contract and for two years after that contract ends, unless of course the consumer unsubscribes on the handy link on each of these emails.
If a company does not follow these simple rules that put consumers in control, consumers can report the spam by completing a complaint form at fightspam.ca. As mentioned, up to 5,000 consumers a week file complaints.
Spam still wastes consumers’ time and reduces their confidence in electronic commerce, as it continues to deliver not only irrelevant, unrequested marketing but also deceptive and fraudulent messages and malware. What is different now is that the CRTC, Competition Bureau, and Privacy Commissioner of Canada can pursue companies for doing all these things.
I thank the committee for inviting me here today. What you are doing is very important. CASL is flawed and needs re-examination.
I am a senior partner with McCarthy Tétrault. I am also an adjunct professor of intellectual property law, and I am on the advisory boards of the Macdonald-Laurier Institute and CIGI. I am here today in my personal capacity.
I have been closely involved in CASL for many years. I appeared before this committee when it first examined CASL, and I pointed out that CASL was so flawed that it would, among other things, literally have made browsing on the Internet illegal.
I worked with officials trying to fix CASL at the committee stage. I was extensively involved in the regulatory process, the first and second consultations on the regulations. I made a personal submission the committee.
I have been extensively involved in advising clients from all sectors of the economy, including large and small businesses, charities, the educational sector and other not-for-profits, the media, and software companies on how to comply with CASL.
I know what's happening on the ground and the impacts CASL is having.
CASL is, and is seen as, complex, disproportionate, and wrongly focused. To be frank, it is ridiculed by many organizations. It is particularly onerous for small businesses.
CASL's overbreadth makes communicating over networks illegal or legally uncertain in countless situations that Parliament could never have intended.
Let me give you a few examples. Take a start-up business that wants to use a public trade directory to email prospective customers and investors. This is most likely illegal under CASL, and it especially hurts small businesses trying to grow and develop new markets. To take another example, a person leaves his or her former employer to start a business or join another business and wants to email former clients, patients, customers, or former colleagues to let them know. Or the person wants to email an old schoolmate the person used to be good friends with. That is illegal under CASL in many cases.
It also deprives individuals of the valuable connections they have, which are important to their livelihoods, and it deprives recipients of information they would want to know. I would want to know if my doctor moved.
Say a charity or not-for-profit wants to continue sending newsletters to someone it has been sending them to even before CASL became law. If the newsletter is funded in part by the inclusion of only one ad, say, a vision correction device ad in a newsletter sent out by the CNIB, the charity likely has to cut off the recipient unless it can find a donation by the person in last two years or a record of obtaining express consent. Records weren't kept before CASL came into being. This deprives individuals, including the most vulnerable, from receiving information they want and need. It is also illegal under CASL to send an email asking people if they want to continue to receive emails, including from the CNIB.
Organizations want to send out Christmas cards to current and former clients, customers, and colleagues. They want to include a corporate logo and tag line promoting the organization. These items by themselves may make these cards CEMs, because they promote their businesses. If the recipients haven't expressly consented to receiving CEMs and haven't done business with the organization in the last two years, the cards likely cannot be sent. So much for Christmas cheer and keeping in touch.
A new online newspaper wants to send trial copies to members of the public. In the physical world, a publisher could leave complimentary copies in mailboxes. It's illegal online if the paper includes a single ad or if it asks people if they want to subscribe. This is especially unfortunate as it hampers establishing new media, something we need to foster in this world of fake news, as a healthy press is critical to our democracy.
There is a business-to-business exception in CASL. It has a number of conditions. It applies to organizations but not to individuals carrying on business as sole proprietorships. CASL operates in a discriminatory way for no good reason—in this case, discriminating and hurting small businesses.
CASL makes it illegal for a child to email neighbours promoting his or her lemonade stand, to ask if they want a babysitter, or to ask if they can mow their grass to earn a little school money. Its breadth is not subject to any de minimis or reasonable limitation. Do you want your kids not to be able to promote their lemonade stands?
A person wants to send a CEM using an SMS. Even if the person has consent to send the message, the person can't legally do it because the character limits don't enable people to include all of the identification and unsubscribe information the CRTC regulations prescribe. The person might try to comply by including a hyperlink in the message to a website, but if the person doesn't have a website—which not every young small business has—and can't find a tool that lets them shorten the hyperlink, they effectively can't use SMS messages. CASL effectively impedes the use of the modern messaging systems it purports to regulate.
These problems all flow from CASL's flawed structure, which prohibits a broad range of communications subject to a limited number of exceptions. The computer program provisions also have many difficulties.
What's happened in the real world and not the theoretical world of those people who conceived of CASL? CASL has had no material impact on the purveyors of damaging and deceptive spam, spyware, malware, and other related network threats, which were the stated objectives of CASL. As a practical matter, the burdens fall on legitimate businesses. Many businesses have invested and continue to expend resources to comply with CASL, and it's not easy for the reasons Natalie Brown explained. Use of electronic messaging is chilled, because organizations don't know if they can send messages, and they are very concerned about the excessive AMPs that can be levied.
What should this committee do?
My most important recommendation for this committee is to assess all the provisions of CASL against the government's justification for it. CASL was repeatedly represented during the legislative process and the regulatory process as a law targeting the most damaging and offensive type of spam and malware, yet these prohibitions target ordinary commercial electronic messages and computer programs that have nothing to do whatsoever with malware.
Given that CASL impairs freedoms of expression in Internet communication, I urge this committee to recommend that CASL be recalibrated to what it was really intended to do, and that is to deal with the really bad actors.
I'll just say one more point because I realize, Mr. Chairman, that you have already given me a substantial indulgence, which I appreciate. If CASL were recalibrated, the CRTC could reallocate resources to deal with the real problems Canadians have. We have a real problem with cybersecurity and a real problem with malware. That should be the focus, not legitimate businesses like Desjardins that want to continue to communicate with their customers.
Thank you, Mr. Chairman.
You ask a very good question.
There are two kinds of ways in which the problems with CASL can be addressed.
One is legislative, like the private right of action. Only Parliament can address that because it's in the legislation, and at some point, it has to come into force or be killed or amended.
Two, the Governor in Council has a very broad regulatory authority, and many of the problems Canadians have occur because during the regulatory process there was—I think—a too narrow approach in what the exemptions should be, and when you have a structure that says that everything's illegal unless it falls within an exemption, you have a problem. Imagine a criminal law that prevented you from going out at night except if you were going to work or school or coming to the committee. You're bound to miss some, and that means a lot of things are going to be illegal until the regulatory process can catch up.
So the approach that the Governor in Council should have taken, in my respectful view, is to have had very generous exemptions so the act would apply to things that really counted, but it wouldn't discriminate against small business. There was no need, for example, for this law to apply to businesses, to business communications, at all, because they don't want it, they don't need it, and they see it as stifling innovation.
One thing this committee could recommend is that the Governor in Council re-review the regulations so that some of these things that are blatantly causing problems can be fixed.
I would add that it might be debatable whether receiving a message from Mr. Bernier would be spam or not, but I'll leave that for others to decide.
Voices: Oh, oh!
Mr. Brian Masse: Before I get into comments, I was here for the original anti-spam legislation, and I think it's important to put some contextual element as to why it came about. I missed last week, but what I'm receiving here, at least the impression, is that this came out of left field, but that's not the case.
In 2004 there was, under the Martin administration, a national spam task force that went across this country and heard from businesses and from consumers and so forth, and they reported back unanimously to Parliament to act, because Canada was one of the few G7 nations without anti-spam legislation. We were the source daily of nine billion pieces of spam. In fact, countries that were comparable to Canada at that time were Nigeria, and other places like that.
Technology obviously has evolved, and I put forward the recommendation to review after three years. It was Conservative legislation that was put in place here. I'm glad that it is getting a review because a lot of things have changed. There have been some business elements that have changed with this, but also too, I think it's important that the cybersecurity element is looked at.
I see it differently in terms of approaching and how we got to this point. I see it as, I pay for this device. I pay for the ongoing service for the device. I pay for the use of it, and the maintenance, and if it gets infected by somebody sending something that I didn't want, or I didn't ask for, I have to be the person who loses my privacy, and has to pay for the cleanup. Sometimes the devices are damaged physically or damaged through the software. I have to pay for the servicing, all those different things. I believe it's a privilege to send me marketing or consumer information. If I'm a customer of my bank, Canada Trust or something else, it's their privilege, it's not their right, to send me something.
I approach it from that perspective because it was also an economic issue. The mere fact that we had so many people trapped going through so many emails...and we all know in our offices what we receive. I come from the day, sadly enough, where your fax machine used to spit out the equal of that, and some people now say what's a fax machine?
My first question would be to Mr. Smith. One thing I have heard across the board here is the lack of understanding of rules. One thing I do like is a rules-based system of understanding exactly what is required and how. You read a good segment there with regard to that communication. If right now, we weren't to change anything with regard to the responsibilities or roles, how do you think that it could actually be condensed or what type of a playbook could be created to actually narrow it down so it's easier for businesses to really understand? We really want to get to the worst of the worst. Can that be done?
Thank you very much. That was really informative.
My riding is probably not that different from those of some of my colleagues'. It's a mix of start-ups, technology companies, large organizations, Canadian headquarters for multinationals, and then people—seniors, consumers, and just people. I've heard a lot here, and I'm wondering if we could talk about that balance.
The work that we need to be doing as a committee, in looking at this legislation, is to really examine how we might improve it so that we can actually get to the objectives that are intended. We heard about cybersecurity. We heard about the increase in malware. That is, of course, alarming, but we also want to make sure that there isn't a legislative regime that will chill the effect of good business practices, good competition, and the ease with which businesses do what they need to do, which increasingly now is digital and electronic.
Mr. Lawford and Ms. Lau, there is some suggestion by others here to narrow the scope of definition of a CEM, and to therefore be more focused, alleviating some of the unnecessary obligations we've heard of in the legislation for small business owners and perhaps for start-ups. What do you think? Could that work?
Those are good questions. If I could, I would like to spend just a minute on the question you addressed to Mr. Lawford.
One way of assessing the legislation is by comparing it to international norms. It was represented to this committee back when CASL was being reviewed that this legislation was the same as what was in Australia, the same as what was in New Zealand; that was incorrect. Although the law was somewhat modelled after that, the definition of CEM in those countries was closed, not open-ended, and the consents were not only expressed consents but included inferred consents without narrow, closed categories. If you look at international norms, even the closest norm we were trying to model was not in line with international standards. It was ratcheted up to make it even more of a straitjacket.
To get to your question, I think that is something somebody should really look at. In terms of cybersecurity, this is a problem with third parties inserting computer programs into systems and thereby hijacking systems, turning them into botnets or acquiring information, including—if you look at 142 million individuals' recent information in the Equifax case—2.5 million more. These are the kinds of things that the legislation does target, except that it doesn't permit the installation of programs where needed to combat cybersecurity.
I've always thought that, in addition to that, the legislation should actually permit the installation of counter-cybersecurity programs on the target that is attacking, in order to protect Canadians. I've also thought, as well, that ISPs should have the power to block foreign spamming sites and foreign malicious sites, to protect Canadians. It would be sort of an umbrella, if you will, to protect Canadians at large, as opposed to every ISP doing it or every organization doing it.
There's a lot that this committee could do, both with CASL and otherwise, to protect Canadians on cybersecurity.
I am new to this committee. I am replacing my colleague Frank Baylis.
I would like to thank our six witnesses for their presentations, all of which were quite informative.
Ma question is for Mr. Sookman. I am the member for , a riding in downtown Laval that's home to many small and medium-sized businesses.
Not only did you mention that CASL should not target our SMEs, you went even further.
In your post dated June 7, 2017, you said, “You should instantly sense something is wrong with a law if it could make kids promoting lemonade stands to their neighbours or trying to get a babysitting job, or a person recommending a dentist to an acquaintance, illegal.” However, the exemptions provided for in CASL and its regulations—family relationships, personal relationships and recommendations—would potentially apply to each of those cases.
In your opinion, should we broaden the scope of the exemptions provided for by the act and its regulations? Further, should we include new exemptions from the act's prohibitions?