Good morning and thank you, Mr. Chair, for providing us with another opportunity to appear before you as part of your review of Canada's anti-spam legislation, known as CASL.
My name is Steven Harroun, and I'm the chief compliance and enforcement officer at the CRTC. I am joined today by my colleagues Kelly-Anne Smith, CRTC senior legal counsel, and Neil Barratt, director of electronic commerce enforcement.
We have followed your proceedings closely, and welcome this chance to comment on some of the recommendations for changes to the legislation that the committee has heard. We know that concerns were raised by many witnesses about various aspects of CASL. Despite their criticisms, the legislation is largely effective. You heard repeated testimony endorsing that view during your hearings—from consumer advocates, various technical experts, and academics.
As we explained during our first appearance, it is important to keep in mind that CASL came into force only three years ago. In that short time, the CRTC has built up its expertise in cyber-threats and computer forensics. We've operationalized the spam reporting centre and taken enforcement actions against companies in violation of the law. As such, while the review is welcome, we believe it could be counterproductive to open up the legislation in these early days. Businesses have invested in compliance programs and systems based on CASL as it is currently written. It would be costly and burdensome to review and modify those systems now.
Even though it is still early days, we think the legislation has already proven its worth. You heard from our colleagues at the Department of Innovation, Science and Economic Development that only one year after CASL's implementation, a third-party study showed there was 29% less spam email in Canadians' inboxes, and a 37% reduction in spam originating from Canada.
Internationally, Canada is no longer in the top 10 spam-producing countries. And according to some sources, since CASL came into effect, it is no longer in the top 20.
We believe strongly that any challenge or burden of compliance needs to be balanced against the significant consumer and privacy benefits CASL provides.
This doesn't diminish the perception among some witnesses that compliance is challenging. There's no question that adapting to new legislation takes time and effort. As we outlined the first time we addressed this committee, that's why we publish substantial guidance and conduct regular outreach to both consumers and businesses to assist them. They are coming to the CRTC's website to find information. Our spam- and CASL-related pages attracted nearly 100,000 visits last year alone. In fact, we designed numerous guidance documents and tools specifically to address issues that witnesses raised with your committee, including the installation of computer programs and compliance for SMS messages.
Guidance comes in many forms. For instance, since our last appearance, the CRTC published a decision related to a company called Compu.Finder. Among other things, the decision provided extensive guidance to industry on the business-to-business exemption, unsubscribe function, implied consent, conspicuous publication, and due diligence.
It's true that our early enforcement efforts have mostly targeted major senders of commercial electronic messages. This was based on the scope and volume of complaints and targeted by the commercial sector to encourage broad-based compliance, all of which is consistent with our mandate under CASL. However, what's overlooked is that a lot of our work actually protects businesses and consumers from malicious threats. As one example, we assisted with the takedown of a command and control server infecting computers around the world. We also work with organizations whose email servers have been compromised—sending out unwanted, malicious, or fraudulent emails—to help them clean up their infrastructure.
What concerns us is that witnesses have made statements about the chilling effect CASL has had on business, something that we believe needs to be put into perspective. Creating exemptions for every situation, even when well-intentioned, would only make the legislation more difficult for businesses to understand and for the CRTC and our partners to enforce.
More to the point, large companies have a duty and the resources to appropriately comply. Your committee heard from Canadian entrepreneurs and innovators that market-based solutions for CASL compliance exist. It's up to businesses to use them.
We also disagree with the assertion that CASL increases cybersecurity threats and risks. We collaborate across government to ensure that our activities feed into a comprehensive approach to Canadian cybersecurity.
One final issue I want to briefly touch on is the criticism of the legislation's opt-in requirement. Committee members undoubtedly recognize that in today's challenging online environment, it's even more important that consumers consent to any application installed on their devices. The opt-in regime was adopted after extensive study, including a broad review of international best practices. Experiences in other countries with opt-out regimes have been less than successful. Transitioning to an opt-out regime at this point would be complex and have significant consumer impacts. It would also negatively affect our ability to use the intelligent tools we have at our disposal, including the spam reporting centre.
For all these reasons, Mr. Chair, we think it would be prudent to adopt a cautious approach at this time when it comes to making amendments to the act. We firmly believe that CASL's current regime is adequate and effectively promotes the public good, and that the committee should allow it sufficient time to achieve this goal.
We'd now be happy to answer any questions you or your committee members may have.
The commission already has direction in the legislation in what the appropriate circumstances are in the factors that the commission and the chief compliance and enforcement officer have to take into consideration when determining whether to issue a notice of violation with an administrative penalty, and, if so, what that quantum should be. When we're looking at those factors—number of complaints, number of violations, nature of the violations—that's when we consider whether we should issue a penalty, and, if so, what that quantum should be.
That particular section of the act, section 20, gives the chief compliance and enforcement officer the discretion to determine the appropriate remedy and what the quantum should be. There are several factors that are enunciated as well as the opportunity for the chief compliance and enforcement officer to consider other factors. It's that particular tool that allows him to determine whether a penalty is appropriate, and if so, what the quantum should be.
As my colleague suggested, in order to properly investigate and enforce the act, the commission needs the discretion to determine on a case-by-case basis the appropriate remedy. If we are placed with issuing a notice of violation to a first-time violator, in which the violation is of such a proportion that they're sending malware or installing botnets, that is not the appropriate tool. What the chief compliance and enforcement officer needs to do is determine the appropriate tool to use in this circumstance to ensure compliance, to bring the company into compliance with the law. Sometimes that's a warning letter, but oftentimes it's not. If the behaviour is egregious, if it's an egregious violation of the act, if, when examining the factors enunciated in section 20, it's a strong violation, then he needs to use a stronger tool to ensure compliance with the act.
One would have to look at the precedent that would set. Let's say in a graduated system the first time you offend, it's a warning letter; the second time, it's a citation; and maybe it's not until the fifth time that we consider an administrative monetary penalty. Well, one of the key components of the legislation is to make sure we don't have recidivism. I don't want people to be in front of me a second time. I don't want to investigate the same company a second and third time.
From the very first time we choose any level of enforcement action, from a warning letter right to an administrative monetary penalty, I want that to solve the problem. The goal is compliance, ultimately.
It's interesting, because when I first got here, I worked on and was successful in getting the elimination of tax deductibility for fines and penalties. I'm redoing some of that work, however, because some loopholes have popped up over the last decade that are actually allowing for tax deductibility of some of the compliance fines. That's another story in itself. The point is that it's costing money to do this.
There was a case that I thought was interesting. One of our telecoms came here—I can't remember which one it was—and said that they had been fined, I think, but had received no warning. I know there is supposed to be a notification process and that usually there are provisions for undertakings in respect of rectification of a situation and so forth. It's not that it just happens.
Do you have any comments on that? Maybe you can walk us through what happens if I do send spam. Are there several interventions before an actual fine takes place?
I was surprised by one, though, who suggested that there hadn't been much communication.
I guess my expectation as an elected representative would be that if we had continual abuses, the fines and penalties would move, I guess, stronger and faster. Is that the potential out there if that does take place? That's what I expect, at least, and I think that's what my constituents expect when it comes to spamming.
Again, I come from the perspective that this is a privilege: to receive unsolicited information that's designed for the purpose of the engagement of resources, that being your data, your device, and all those different things that can affect you quite seriously, from your privacy to a number of things, I don't view that as a warranted right to dispense that information upon people. I think that's a privilege. That's my perspective, anyway.
I would expect, then, that if there's an escalation or a continual pattern, there would be a reciprocal response from the CRTC on that.
Thank you so much for coming back. As you said, the law has been in place for three years. I think what we heard from the testimony that came in is that people are giving us feedback about how they're working within it.
To the point my colleague made, I think we heard from businesses that they are trying to comply. I think that's certainly the intent, and they're looking to us to understand where there could be some improvements to help with compliance. For sure, I applaud and know that the intent here is to try to get at anti-spam and at the bad actors that can hurt overall confidence. The intent is to protect consumers. We heard, virtually overwhelmingly and unanimously, that there needs to be some clarification in some of the definitions. Maybe that's what I'll focus on, and you can talk about that.
For commercial electronic messages, we heard from many, almost everyone, asking for some clarity around that, because there's a lack of understanding around a CEM for business-to-business use. We heard examples of someone or an organization not being able to communicate to a customer to give them a notification.
Can you talk to us from your perspective? We heard the testimony. Is it worthwhile to do some further clarification on the definition of CEM to help with compliance?
I'll start, and then my legal counsel will get me out of trouble.
I think that's a really good point. Obviously, for every piece of guidance that we give, we try to provide that clarification on everything from the definition of a commercial electronic message to other issues.
I think it's interesting; I read the blues on the weekend from this committee on the entire study, and you're right that people bring that back. What I found interesting in some of that testimony is, for me, clarity on the fact that people don't understand some of the exemptions. There are exemptions for business to business. There are exemptions for charities. If I am a credit card holder with a certain company, and they want to text me or email me to tell me something about my account because I've given them that information, that is permitted; there is an existing business relationship there.
I was a bit surprised by some of the testimony I was reading in that they felt they couldn't do certain activities or that they were unable to do certain activities.
With respect to certain clarifications with CEM, I'll let Kelly-Anne tell you more, but I think the key thing for me as the chief compliance and enforcement officer is to make sure that we don't get so granular that it becomes even more challenging for people to comply or for me to enforce a particular activity.
The definition in the act is a broad definition, I think. We have heard as well that there's a lack of clarity with respect to the definition. I think the definition contains other definitions, other terms that you need to refer to other terms, in order to determine what those terms mean.
In the recent Compu.Finder decision, the commission itself has provided some clarification and some guidance as to what in their view constitutes a commercial electronic message. I think the definition is so broad in order to capture circumstances where a party could be soliciting. If you want to make tweaks to the definition, it is your opportunity to do so. I do note that when the witnesses testified, people criticized the definition but didn't offer any suggestions for how we could clarify the definition. I would certainly be open to commenting on how we could clarify the definition, but I would exercise caution there. If you tighten it up too much, you might restrict our enforcement of real spam emails that are sent.
There are so many exemptions, some of which are not even consent-based, that if you have any kind of relationship with a party, you really can send a commercial electronic message.
Thank you again for coming back.
Neil, there were some questions being asked earlier by Mr. Baylis about the amount of enforcement you did. I think somebody did the quick math and said you only did nine every year for the last three years. Being a former police officer, though, I've had three or four guys work on a very serious crime case for four or five years with only one charge. You casually let slide that one of your investigations lasted upwards of two years. I know you need to get the evidence, and you need to have the right materials, if you're going to do the fine.
Can you expand on that a little bit? Let's look at maybe Rogers or Porter Airlines, two that came up that all the lawyers want to throw at us and stuff like that. How long would that investigation have taken, and how many people would you have had working on it?
I don't have the details specifically for that one, but you are right that they take a lot of time and can often require several investigators to be involved at the same time.
In general terms, an investigation is going to start with the intelligence we have in the spam reporting centre or elsewhere, but we need to be able to validate all that information. In the case of a legitimate company that's sending out messages, we need to ask them to get their consent records. There can often be millions of records, so we're talking about a spreadsheet with millions of lines for each email: who they're sending emails to, when their business relationship was established, and things of that nature.
Going through all of that information obviously takes time. We need to then also contact any complainants we may have and get witness statements to validate and corroborate the other information we have. It's a long process, and when we get into cases that are multi-party, such as the coupons investigation that I referred to earlier, then you have several legal entities that you're looking into at the same time, and people in different jurisdictions. In that case we had one American and one Canadian. It necessarily takes a little longer when we're dealing with partners in the U.S., for example.
What I heard is that the CRTC focuses on education and investigation as well as enforcement. I also heard that you have an outreach group that goes across the country and tries to educate and answer questions.
You also talked about the fact that, because of those sessions, and because of some of the inquiries made to the outreach organization, you've made some improvements in things such as frequently asked questions, graphics, and posting. You also touched on subsection 6(6) as an example.
Now, if I break it down, there's some legislative clarification that could be done, and there's some better practices clarification that could be done, and I'm getting the sense that you're doing a lot of that clarification through the various means you have.
Through this process, what have you heard that would help us to identify one, two, or three areas on the legislative side, as part of this exercise, so we could say that, if we make this amendment or if we make this change, it would improve the situation through better education and better adoption, leading to higher compliance, and therefore, a reduction in the number of complaints?
I will share my time with my colleague.
I really appreciate your answer about the compliance and all the penalties. I thought in the beginning that we would have to change the legislation, but I think the discretion we have right now is helping both you and the small business owner.
Speaking about complaints, can you help me to understand how it works in your organization? You receive a complaint. You have compliance people who are going to look at it. After that, you have the enforcement. In terms of the process, from a complaint to an action from the enforcement team, what would be the delay, and what would be the timing? Please just give me some details about that in order to help me understand your organization a little better.
It's a really good point. I've raised it before. We get approximately 4,000 complaints from Canadians into our spam reporting centre every week, so you can extrapolate that to 15,000 to 20,000 a month.
As a general practice, it's our intelligence folks, if you will, who look at those complaints. They identify trends. Are there patterns, are there particular organizations, or are there particular types of activities going on? We do regular case selection meetings, where we have our intelligence folks, if you will, talk to our enforcement folks and say that they have seen these areas as an issue in the past few weeks, months, or whatever. That helps to inform our investigations, going forward. That's how we pick cases to move on.
As I said, with 4,000 complaints a week, obviously with a small team we're not investigating every complaint. What we are doing is looking at the various pieces of the puzzle in our spam reporting centre, and we also use other sources of information provided by our friends at Public Safety, the RCMP, and others. I believe you had representatives from Spamhaus here earlier this week. We look at all these pieces of data. It's not just the complaint from Joe or Jane Canadian; it's also the other pieces that help inform the decision-making when we move on to an enforcement activity.
I'll try to keep it bow-tie-related.
My line of questions recently has been about social media, because we've heard conflicting testimony. Does it apply? Does it not? We certainly did hear from the bureau that it does. In terms of the CRTC, just as an example, Facebook reached two billion users per month this past summer, but within their platforms they also have other things. Facebook Messenger is reaching well over a billion users now. These platforms are moving exceedingly quickly. You know all the other ones, such as Snapchat and Instagram; I won't mention them all.
How does this CASL legislation apply, and the potential penalties or infractions, to social media?
It is interesting, though, about the private right of action. It is one of the tools, now to be put in abeyance, for responding to activity that is illegal, or potentially even with settlements. Is there anything else you can do that would actually help with the enforcement right now in terms of the CRTC? The private right of action was one of the tools. We looked at all the different methods of how to rein in some of these things. The private right of action was seen as one of those elements to combat spam, especially in the more egregious situations where there were habitual and ongoing problems.
With that now in abeyance for the moment, are there any alternatives that we can do, or that we should be looking at, to shore up this situation, or is it just wait and see, nothing changes, with your department?