Thank you for inviting us, my colleagues and me, to appear before you today on your review of Canada's Anti-Spam Legislation.
We think this legislation has been positive in helping to fight spam and address certain online threats that can be harmful to Canadians.
As you know, responsibility for enforcing compliance with the legislation is assigned to three enforcement agencies: the CRTC, the Competition Bureau and the Office of the Privacy Commissioner of Canada.
For its part, the office is responsible for investigating address harvesting and spyware, both of which generally involve the collection and use of personal information without consent.
This responsibility forms an integral part of the office's broader mandate under the Personal Information Protection and Electronic Documents Act, or PIPEDA, in other words, the act respecting the protection of personal information in the private sector, which sets out rules governing the collection, use, and disclosure of personal information in the course of commercial activities.
Canada's Anti-Spam Legislation also empowers the three agencies to share information and collaborate in enforcing the law. We worked with our partners in applying this legislation. In particular, we have accessed and made use of the Spam Reporting Centre at the CRTC to help identify address harvesters or entities suspected of distributing spyware, which has resulted in two major investigations so far.
Our first investigation involved Compu-Finder, a Quebec-based training provider.
Compu-Finder used email addresses—some of which were collected via address harvesting software—to send out recurring email messages to individuals, many without adequate consent.
We collaborated and shared information with the CRTC. Our investigation served to enhance Compu-Finder's practices and provided guidance to businesses in general on responsible email marketing that respects people's information.
Most recently, we completed an investigation into a Canadian company called Wajam Internet Technologies, which distributed its program as an unsolicited add-on to free software. The program tracks a user's online search queries and integrates the results with content shared by an individual's contacts on social media networks.
Our investigation found that Wajam Internet Technologies was not obtaining meaningful consent to install the software and was preventing users from withdrawing consent by making it difficult to uninstall the software.
As a result of our investigation, the company stopped distributing the software in Canada, ceased collecting personal information from Canadians who had already installed the software, and agreed to destroy all Canadian user information in its possession.
By their nature, spyware and address harvesting pose dangerous threats and can be difficult for Canadians to detect.
These issues are not likely to be the subject of traditional consumer-driven complaints, nor are consumers likely to recognize them.
This is leading us to adopt a more proactive enforcement approach for Canada's Anti-Spam Legislation matters, including the greater use of commissioner-initiated investigations like the ones I have just described.
Our proactive efforts also include outreach, issuing education and guidance material for consumers and organizations on protecting their computers, and understanding spyware and ransomware.
Canada's Anti-Spam Legislation has also made amendments to PIPEDA, which have improved our compliance outcomes generally, in other words, the compliance of other provisions of the act respecting the protection of personal information in the private sector that go beyond the two behaviours set out in Canada's Anti-Spam Legislation. These were consequential powers associated with the adoption of Canada's Anti-Spam Legislation.
The ability to decline or discontinue complaints has taken us part of the way in allowing us to focus efforts on matters that present the greatest risk to Canadians.
That said, our enforcement resources remain taxed with a continuous high volume of complaints.
The ability to collaborate and share information with domestic and international counterparts—another consequential PIPEDA amendment—has had a profound effect on our office's capacity to deliver impactful enforcement outcomes across the globe.
Since those provisions came into effect in 2011, our office has participated in numerous collaborative and joint investigations, including our first joint investigation with our Dutch counterpart into WhatsApp in 2013, as well as last year's Ashley Madison investigation with our Australian equivalent and the U.S. Federal Trade Commission.
CASL has only been in place a short time, so we're still gaining experience, but from my perspective so far, the law has provided the OPC with useful additional tools. Nevertheless, I believe the following legislative changes to CASL would be worthy of consideration. There are three.
First, give the OPC more flexibility to share information with the CRTC and the Competition Bureau. At present, under sections 58 and 59, the three bodies can share information and use that information, but this is limited to specific CASL-related purposes as set out in those sections.
As noted previously, CASL also amended PIPEDA to give the OPC the ability to share information with domestic and international counterparts, but these provisions do not include the CRTC and the Competition Bureau. In past investigations under PIPEDA, outside of the context of CASL, issues have surfaced that overlap with the jurisdiction of the CRTC or the Competition Bureau, and in those instances we think it would have been very helpful to be able to share information and to collaborate with our colleagues. To address this, either PIPEDA or CASL could be amended to give the OPC more flexibility to share information with the CRTC and the Competition Bureau more broadly, to address matters that intersect between consumer and privacy protection.
The second amendment would be to clarify the conflict provision in CASL, section 2, which states that CASL takes precedence over PIPEDA in the case of a conflict. We would like a reformulation of section 2 to say that CASL can add to the provisions of PIPEDA, but does not lower those standards.
This is not an abstract concern, as we have already encountered one instance where the organization attempted to argue that it did not need to comply with PIPEDA because of an exception to CASL. I would refer the committee to our report of findings in Compu-Finder as an example of why this clarification is required.
Finally, we would suggest clarifying the spyware provision. This is subsection 7.1(3). As a result of CASL, PIPEDA removed the possibility of resorting to consent exceptions to justify the collection or use of personal information that has been made by accessing a computer system, or causing one to be accessed, in contravention of an act of Parliament. To further clarify this provision, we recommend that the reference in the provision to accessing a computer system “in contravention of an Act of Parliament” more explicitly include unauthorized installation of a computer program within the meaning of section 8 of CASL.
In conclusion, Mr. Chair, the OPC works diligently to educate individuals and organizations on the privacy implications of digital technologies, social trends, and business practices, and to enforce privacy protections. CASL enforcement is a key part of this suite of activities. While individuals should take steps to be aware of risks and to protect their personal information, it should not all rest on individuals. Organizations, too, must do their part.
Thank you. I will be pleased to try to answer your questions.
I'm going to focus on a few main points, many of which have been echoed by others who have appeared before you.
The CBA sections believe that CASL must strike a balance between protecting consumers from damaging and deceptive electronic communications while at the same time allowing businesses to compete in a global marketplace. CASL's interpretation and application need to be clarified to meet the act's objective, which is to protect consumers by really targeting bad actors. In our view, current application and enforcement efforts are not in line with the act's objectives. Instead, legitimate businesses doing the best that they can to comply are being targeted.
In its current form, CASL is confusing and overly complex. CASL is an unclear statute, and there are two separate sets of regulations that go with it. This makes compliance very difficult for organizations, especially for small and medium-sized businesses, as well as not-for-profits, who have limited resources. The CBA sections have set out in our written submission a number of the more problematic interpretation areas in CASL.
One example, and you've heard that many times, is the broad definition of commercial electronic message, which is open to significant interpretation. This overbreadth limits messages that may benefit consumers, and has a chilling effect on innovation and competition. Canadian organizations, out of fear of being non-compliant, have reduced their email marketing efforts, creating an anti-competitive environment.
Another example is the requirement for installing computer programs, which deems express consent if it is reasonable to believe through the person's conduct that they consented. It is very unclear, however, what conduct will be sufficient to meet that threshold.
The CBA sections encourage publishing all in one place guidance materials that are updated regularly. For example, it would be very helpful to have a regularly updated Q and A web page addressing some of the more complex interpretative issues that are being raised from time to time by practitioners.
The guidance is also difficult to find. Some is provided by the CRTC, some by the Competition Bureau, some by the Office of the Privacy Commissioner, and some by ISED.
The CBA sections encourage greater transparency of CASL's enforcement and oversight mechanisms. Currently, there is little information about how the CRTC decides which cases to investigate, and what monetary fines to impose. As well, it is unclear from reported decisions to what extent the CRTC is actually applying the due diligence defence.
Organizations are also not typically advised of complaints prior to commencement of an investigation, nor are they given an opportunity to respond to complaints in an informal manner. We believe this is a missed opportunity.
An informal mechanism that allows organizations to respond to complaints and make the necessary changes during the normal course of business would be a wonderful opportunity to deal with a lot of these complaints that you see coming into the CRTC's complaint spam centre. This would reduce significant investigation costs down the road, and would be particularly useful in cases of unintentional non-compliance, or differing interpretations.
The CBA sections also encourage a thorough analysis of the appropriateness of the private right of action provision, and its scope in the context of the whole of CASL. In our view, bringing the private right of action into force without clear guidance is premature. Even without the private right of action, CASL has a broad range of enforcement tools, and you heard from Commissioner Therrien this morning. In our view, any lack of compliance is more likely the result of the confusing and onerous nature of CASL, rather than the current enforcement tools being insufficient.
We want to note, in particular, the application of the private right of action under the false or misleading representation provisions of the Competition Act. The need for the private right of action in this context remains questionable particularly given the Competition Bureau's existing oversight and enforcement. The relevant provision, section 74.011, is also concerning because certain subsections contain no materiality threshold.
Finally, we also want to note the inordinate cost and resource burden of CASL on charities and non-profits. We would recommend that they be exempt from all of CASL's provisions, except for the ID, content, and unsubscribe requirements as they relate to commercial electronic messages.
In conclusion, the CBA sections once again appreciate the opportunity to share our views on CASL. Given its complexities, we believe a more extensive consultation is needed under the statutory review, and we encourage you to invite more stakeholder feedback and more detailed feedback.
Thank you for having us here today.
We will be pleased to answer your questions.
With apologies to the Bard of Avon, friends, parliamentarians, countrymen, lend me your ears; I come to praise CASL, not to kill it. The evil that critics of CASL do lives with them; the good is oft imbued in its sections; so let it be with CASL.
CASL's noble adversaries may tell you the law is too ambitious, as if this was a grievous fault.
CASL enshrines the work of the 2005 federal task force on spam. Best practices found in our final report are now global industry standards, but best practices mean nothing without disincentives to bad actors.
CASL is a crowdsourced law, taking input from hundreds of people working tens of thousands of hours. The Messaging Anti-Abuse Working Group, for example, MAAWG, is an industry association of 185 member companies, all anti-spam professionals, such as Apple, Facebook, Google, Amazon, and Bell Canada. MAAWG participated throughout the CASL process and sent a letter to the urging the passage of the law as it was tabled.
My name is Neil Schwartzman. I'm the executive director of the Coalition Against Unsolicited Commercial Email. I wrote the world's first distributed spam filter, and 20 years later, here we are. I'm a management consultant. My clients include the world's largest company and the world's biggest sender of commercial email, neither of which spam. It's not that hard. I also teach cyber-investigation methods to international law enforcement.
Spam filtering costs recipient networks $20 billion a year. We pay for spam. Spam has become much worse of late: ransomware and phishing payloads are vicious. Ninety per cent of the spam that hits our networks is affiliate spam, which you've heard we should allow. Affiliate spam is an open sewer spraying a billion messages per hour at our families, friends, and colleagues. Unsolicited junk email, texts, and phone calls from Walmart, DirecTV, and Fidelity are some of the affiliate spam sent by third parties, earning commissions from the brand to send spam. CASL was purpose-built to remedy such activity.
The Privacy Commissioner and other law enforcement agencies just this year have completed a five-country sweep against affiliate spammers. Results have yet to be published, but we will be hearing about that. Studies from Cloudmark, Inbox Marketer, Return Path, and Cisco have proven CASL to reduce spam coming into Canada and going out of it. That's data, not opinion.
Law enforcement can't possibly investigate, nor do they know about all of the spam attacks. CASL's PRA, a right integral to the American CAN-SPAM Act, has been suspended, lamentably preventing Canadian ISPs, businesses, and organizations from seeking compensation for damages done to their network by spam.
Declarations of CASL's damaging effects that some have made here are laughable. The OECD two weeks ago projected that Canada's economic growth for 2018 is the best in the G7. Quebec is enjoying the lowest unemployment rate in three decades. Our economy is not hurting. We hear about how legitimate companies have been caught in the CASL net. In two cases prosecuted by the CRTC, the marketing departments of Rogers and Kellogg's used spam email lists provided to them by third party firms. Yes, legitimate companies bear costs to become compliant, just as when PIPEDA came into force.
Businesses must be vigilant. Data breaches occur daily. Business email compromise costs tens of millions of dollars. CASL defines modern standards of data integrity and permission that companies must maintain in the global economy. In the EU, the updated GDPR privacy law comes into effect in 2018. Failure to maintain parity with them will put us at a severe economic disadvantage.
Why are some afraid of CASL? It's because it's working. CASL is so frightening to spammers that they lobby Canada's law enforcement and legislators. American groups with direct ties to black-hat spam organizations will present you with information in the coming weeks. They've been invited here.
With this in mind, I exhort you to leave CASL intact. Adjust, yes, and clarify, doubtless, but do not come here to kill CASL. Do Caesar proud.
Thank you for inviting us here.
Good afternoon to our distinguished members of Parliament. Thank you for inviting us to speak with you today.
My name is Matthew Vernhout, and I am here on behalf of CAUCE, the Coalition Against Unsolicited Commercial Email. In my professional capacity, I am the director of privacy and industry relations for the email analytics firm, 250ok; the chair of the Email Experience Council's advocacy subcommittee; and an active member of the global email community.
I participated in the drafting of America's CAN-SPAM Act, and I had the pleasure of speaking to this committee in support of CASL in 2009.
I have published dozens of articles, been quoted in the press, spoken at numerous industry events, and consulted with some of North America's top brands regarding CASL compliance. In fact, one of the comparative benchmark reports I authored for ISED was recently cited in the CRTC's decision on the constitutional challenge by Compu-Finder.
The positive effects of CASL on the email industry are remarkable. I'm delighted to say analysis finds the email industry thriving and experiencing significant growth. Businesses ensure they have recipient consent, and they are seeing the positive benefits of those actions. A common trend has emerged from several published reports in the last three years: more messages are delivered to Canadian consumer inboxes post-CASL, due to better list management practices and consumer trust. A recent industry report shows that two countries with the toughest anti-spam legislation, Canada and Australia, also have the best deliverability of commercial emails to inboxes in the G8 nations studied.
The basic framework of CASL is a series of email marketing best practices that have been the basis of most of my consulting efforts over the last 17 years: ask for permission, honour opt-outs, and be clear as to who you are and why you're sending the messages. CASL has taken these ideas and made them the law of the land.
As my colleague stated, CASL is working to diminish spam. Moreover, it is working to make legitimate email marketing more successful and more effective. There is far too much baseless fear, uncertainty, and doubt being spread by the naysayers of CASL, many of whom are neither anti-abuse nor marketing professionals.
When I speak with marketers about their compliance efforts and the challenges they face to make their digital marketing compliant, I hear, “This is a lot of work, but it's not nearly as difficult as I thought it would be.”
However, we still have a long road ahead of us. The spam reporting centre receives 6,000 complaints per week, totalling more than one million complaints since 2014. For example, blacklist operator SURBL notes that there are currently 70 “.ca” domains spamming counterfeit goods targeting Canadian consumers. There are also active spam gangs set up on hosting providers in Montreal, Hamilton, and Vancouver.
Regarding the PRA suspension, this renders CASL toothless. The PRA should be revisited to allow network operators who carry the cost of spam to avail themselves of redress.
In closing, it is our hope that the law remains a strong and viable tool to protect email marketing, networks, and consumers from unwanted spam messaging. Canadians, like all consumers, deserve nothing less.
Sure. Thanks for the question.
From a large business perspective, you gather the resources and you do what you need to do to comply. As someone who has worked on implementing CASL internally at a few organizations, but also in working with external counsel and my colleagues in other companies, and the discussion we have at the CBA across the different sections as well, it is truly amazing the amount of time spent, and org charts and step-by-steps that you have to develop in order to make sure that you're actually complying with all the different pieces because it is unnecessarily complex. You shouldn't need a lawyer to implement CASL, and unfortunately, you do. When you think of a small enterprise where they have a few employees, or larger ones—and you heard from the Canadian Marketing Association, an organization which in about 2025 may have spent upwards of $40,000—it's mind-boggling.
Once again, the idea is not to get rid of CASL, but rather to have it focus on what it should be focusing on. For small and medium-sized enterprises to be sending electronic communications to their customers or trying to do prospects, even before CASL came around, people used to insist on consent. However, it's all the little things you need to do to ensure that you have complied that bog everybody down, and it's the fallout from the non-compliant element. If it were more akin to PIPEDA, on which we heard from Commissioner Therrien before, it's a complaints-based model. If you make a mistake or you have a judgment call that you make that's not quite agreed to by everybody else, you have an opportunity as an organization to make it right without necessarily seeing yourself subject to a very formal investigation or fines.
Unfortunately, in the way it's been enforced here in Canada by the CRTC, it has had a chilling effect. You don't want to be that organization that then has to have a settlement agreement or notice of violation.
That was one of my talking points, that we were the last country in the G8 to adopt an anti-spam law. It's embarrassing that some would like to do away with the law. It's an excellent law, and it's one that is respected as the best in the world among my colleagues.
Absolutely it could do with some adjustments, but in terms of the GDPR which is coming into effect May 25, 2018, we are about to encounter a degree of onerousness in data integrity that the world hasn't seen before, and that's a good thing.
The GDPR builds on the European privacy directive, which has been around for about a decade, with no teeth, with no ability to take punitive action. The GDPR gives countries the ability to force companies back into compliance, to respect the individual's right to say no, to be forgotten, to be left alone by marketers, or to willingly give that data to them and enjoy the benefits.
One thing that's very important is that the difference from the junk mail or the bulk mail that ends up on your doorstep is the marketer pays to get it there. They pay Canada Post to bring it to you. They pay for the printing. They pay for everything. Spammers do not. The recipients end up paying for that.
I'll talk about a small company here in Ottawa: striker.ottawa.on.ca was their domain. It's a consulting company that, for some reason, ended up on the spammer lists, and now they get one million spam a day. They've been driven out of business using that domain. There's not enough spam filtering in the world to compensate for that kind of flood.
We need to be a leader, and we are absolutely positioned to be such. I think it would be a matter of pride for everybody in this room that we can maintain parity with the EU.
As Commissioner Therrien explained, there is no doubt they have a very narrow and small piece of CASL that they implement, so obviously any sort of outreach they can do to clarify so that there is no inadvertent.... Being offside of those provisions would be helpful, but if we slide to the rest of CASL, which is where you're hearing a lot of the concern that we are expressing here today and from others who have come before us, yes, there have been a lot of people out on the road trying to explain CASL, but the guidance that organizations have been provided has not been sufficient to remove the fear and the chilling effect that being inadvertently non-compliant could result in something fairly onerous for your organization. That applies to large organizations, small and medium-sized enterprises, and charities as well. So yes, we are all for it, and we think any legislation needs it, so we definitely think there needs to be more, and it needs to be very focused.
We also need to get a message, separate from any changes to CASL, because we've made recommendations about some changes we might want to CASL. There needs to be a message about what the approach to enforcement is going to be. If you are an organization that is trying to do the right thing, “It's okay, don't worry, we can work with you to get you onside” is not the messaging they're getting, so they're spending a lot of money unnecessarily. They're developing a lot of processes that maybe they don't.... There is confusion, also, for individuals who are receiving these messages simply because of the way CASL has been structured.
You heard from Mr. Sookman, and Mr. Elder as well, that when you have a statute that prohibits everything unless it's permitted through exceptions and exemptions, you're offside if you can't fit yourself within those narrow exceptions.
That's some of what our members are struggling with when they are helping their organizations or advising organizations, big and small alike, and not-for-profits as well. That's what we're struggling with. We just want to get to a place where business can operate. We're not talking about the bad spammers here. We want to continue that. This is just about legitimate business trying to do the right thing, so more guidance would be great, but some changes to CASL as well.
Let's make no mistake. Legitimate companies spam, too. They do, all the time. Matt and I have been doing it for 20 years. The amount of non-compliance among legitimate companies is high. CASL has put a stop to that.
On Internet of things updates, I think we could talk for hours, if you want to go to lunch. Your light bulbs should scare you. They really should. The amount of destruction that is happening as a result of IoT and the inability—not by law, but by connectivity—to update this stuff, I think absolutely should be a subject of investigation by this committee. I'd be happy to elucidate to that end.
We keep hearing about charities, but charities are specifically exempt under CASL. I don't understand what the onerous thing is. We keep hearing about the chilling effects of CASL. I don't understand how.... We have data that shows that there is more mail being delivered to Canadian consumers. It is being more effectively delivered, and our economy is growing, yet there is a chilling effect. I'm not feeling the cold; I'm actually quite warm right now.
You have to understand, in terms of the way ISPs work, we get complaints. Consumers hit, “this is spam”, “this is spam”, and “this is spam”. We put a block up in front of, let's say, one of Matt's clients because Matt helps them to send.... They have to come to us with proof that they had permission to send anyway, so what CASL is asking for is exactly the same proof that is demanded of senders every single day of the week. If they don't have proof that you signed up to his list, I'd block them permanently so they don't get to send mail to Bell Canada or Rogers—the ISP side, not the marketing side—or any other network operator in the world. That happens every single day. It's been normal, standard operating procedure for decades.