Good afternoon, everyone.
We're here to conduct meeting 36 of the Standing Committee on Industry, Science and Technology. The meeting is pursuant to the order of reference of Friday, May 8, 2009, concerning , the anti-spam bill, otherwise known, in its short form, as the Electronic Commerce Protection Act.
Welcome to all of you, members of the committee and our three witnesses today.
From the Department of Industry, we have Madam Janet DiFrancesco, director general of the electronic commerce branch.
Welcome.
We also have Mr. Philip Palmer, senior general counsel of legal services at Industry Canada, and
[Translation]
Mr. André Leduc, Policy Analyst, E-Commerce Policy.
Welcome, everyone.
[English]
Before we begin with an opening statement from officials, I want to wish a happy 54th birthday today.
Voices: Hear, hear!
[Translation]
The Chair: In our mother tongue, we say, hartelijk gefeliciteerd.
[English]
So happy birthday to you. I just heard about it; I wish you a good day today.
Without further ado, we'll begin with a 10-minute opening statement from officials.
:
Thank you, Mr. Chairman.
I'm pleased to be here today as the new director general of the electronic commerce branch at Industry Canada, having recently replaced Richard Simpson, who appeared alongside Minister Clement and Assistant Deputy Minister Helen McDonald in June.
As you indicated, I'm joined here today by our legal counsel, Philip Palmer, and from my staff, André Leduc.
[Translation]
Industry Canada has made a commitment to increasing confidence in the digital economy, to clarifying the rules of the domestic and international markets, promoting the adoption and use of e-business and eliminating barriers to the use of e-business. The electronic commerce protection bill represents an important step in achieving these objectives. Our department is pleased with the support this initiative has received in the testimony and briefs that have been submitted to the committee.
[English]
It is no surprise that there has been such interest in this legislation, as the Internet is now the communications platform of the emerging economy. ECPA is about more than just the nuisance of spam; it is about malicious and detrimental activities that dissuade Canadians and Canadian businesses from taking part in the online marketplace.
I should note that ECPA could not have been drafted without the important work of the task force on spam and their recommendations, as well as the experience shared with us by global partners, specifically New Zealand, Australia, and the United States. By working closely with these counterparts, Canada has drafted world-leading legislation based on the best and most effective aspects from legislative initiatives from around the world.
[Translation]
Spam and on-line threats come from both inside and outside Canada. The current bill contains important provisions designed to protect Canadian consumers and businesses from the most dangerous and harmful types of spam and will introduce a regulatory system that will protect the privacy and personal safety of Canadians in the on-line environment. The bill will include a set of clear rules that will benefit all Canadians and that will increase their trust in on-line communications and electronic business.
[English]
I would like to take this opportunity to address a couple of the common misperceptions about the legislation.
The committee has heard a number of witnesses express concern about the consent regime. It should be noted that there is no time limit to express consent. Once an individual has provided express consent to a person, the consent can only end when the individual opts out or unsubscribes. The 18-month period with respect to existing business relationships allows companies to imply consent in order to give them time to obtain the individual's express consent.
Secondly, with regard to the private right of action, some witnesses have indicated that they do not see a need for it. We believe this provision provides an important mechanism that will allow individuals and groups of individuals to pursue violators and enable telecommunications service providers and Internet service providers to pursue those who threaten their networks. It would, for example, enable a bank or financial institution to take civil action against phishers who falsely impersonate their organizations in an attempt to defraud their customers.
[Translation]
Mr. Chairman, we have examined the concerns expressed before your committee and have prepared motions respecting a number of them. At Mr. Lake's request, we have distributed to all members an annotated version of the bill indicating the amendments proposed by the government. More than 40 amendments are planned, a number of which are of a technical nature.
[English]
Our purpose is to strengthen confidence in online commerce, and the opportunity for public comment presented by the committee's study of Bill has been most helpful. Of all the areas discussed, those that provoked the most comments were those relating to the perceived breadth of the legislation and the requirements respecting express and implied consent. We considered these concerns carefully, and amendments are being proposed to better focus those provisions that were considered too broad.
In brief, the amendments deal with the definition of commercial electronic messages, existing business relationships, business-to-business relationships, third party referrals, and the installation and update of programs and applets.
First, with regard to commercial electronic messages, we recommend expanding the range of situations in which the sending of e-mails is excepted from the requirements of express consent. For instance, correspondence in reply to an inquiry is clearly exempt, as would be ongoing correspondence relating to insurance policies, warranties, subscriptions, and other longer-term relationships.
Secondly, amendments have been drafted concerning existing business relationships. For example, for those relationships that are in effect prior to the act coming into force, a transitional or grandfather clause will extend the implied consent regime for a period of 36 months to allow commercial entities time to contact existing clients and obtain their express consent for future communications. Similarly, we have clarified by way of proposed amendment that the 18-month period concerning an “existing business relationship” referred to in subclause 10(4) commences on the date that the subscription, membership, account, or loan has been terminated, as opposed to the beginning of that relationship.
You will also find an amendment that clarifies that in the instance of the sale of a business, the purchaser is deemed to have an existing business relationship with the seller's clientele.
In the context of business-to-business relationships, we have suggested expanding implied consent to encompass the conspicuous publication of an electronic address, such as on a website or in a print advertisement. In these circumstances, the sender's message must relate to the business or office held by the recipients. Implied consent would also be extended to cover situations where it is reasonable to believe that consent has been given—for instance, in giving out a business card or providing an e-mail address in a letter.
We have recognized the importance in certain industries of being able to contact referrals through e-mail and have drafted an amendment to this effect. In the document before you, you will find a provision permitting under certain conditions unsolicited commercial messages that are follow-ups to third party referrals.
In terms of consent to installation of computer programs, you will find proposed amendments to clarify that automatic updates—for example, daily or weekly updates to anti-virus software—will not require consent for each update as long as this is set out as part of the original contract under which the software was installed.
Similarly, you will find that there are proposals to ensure that running applets such as JavaScript or Flash programs will not require express consent each time they are run.
Last, during witness testimony, a suggestion was made to have the administrative monetary penalties, or AMPs, provision amended to provide further assurance that companies that make an honest mistake will not be subject to heavy fines. It has been suggested that the CRTC be given the capability to suspend AMPs for a specified period of time, and that if the business does not violate the act again during that time period, the AMP could be lifted. As a result, we propose that clause 25 be amended to indicate that the CRTC has the ability to reduce, suspend, or waive an administrative monetary penalty.
[Translation]
I want to thank you for your review of the Electronic Business Protection Act. We are convinced that this work will result in healthy regulation and that the bill will take into account the interests of businesses and consumers in an equitable manner.
[English]
We welcome the committee's questions. Thank you.
:
Thank you, Mr. Chairman.
Thanks as well for being here this afternoon.
Pardon me for being late. I was used to always going to Room 308, where I went and saw that you were in another place.
First, I have examined your document in broad terms and seen that the observations and requests made by the businesses that have testified before us do not seem to have been considered.
I want to raise one point. I'd like to have an explanation from you of this option that businesses would have of sending e-mails without obtaining prior consent.
Could you tell me why this is the case? Because in the testimony and hearings we've had, a number of business representatives said that, since the purpose of this bill is to promote electronic business, among businesses, obtaining consent should be necessary.
Why have you not accepted those demands?
:
You're welcome, Mr. Chair.
To the witnesses, thank you for being here today.
I just want to focus, if I could, for a moment on this opt-in versus opt-out, because there seems to be a philosophical divide among proponents and opponents--maybe not of the whole bill, because most people are in favour of the bill, but of certain sections of the bill, based on opt-in versus opt-out. I want you to correct me if I'm wrong. I have a scenario for you.
Whether you opt in or opt out, the scenario starts with a transaction that occurs at some point between a consumer and a company. Right at that point, there's a divide. There's the marketing strategy, I guess, that would be undertaken under this legislation, and then there's the marketing strategy that would be undertaken under an opt-out regime.
Under the opt-in regime, it seems as though the marketing strategy would be for the company to clearly indicate a choice in some form, on a form, for whether customers want to receive more information from the company itself or its partners. It seems like the marketing strategy would be to try to persuade the customer, the consumer, to say yes to that.
I would think that if you're doing an electronic transaction, you'd probably actually require the customer to answer yes or no. I mean, that would be a logical marketing strategy and a good strategy if you're a marketer. I come from a marketing and sales background, so I'm trying to think about the way I would approach this. It seems to me that under this option we have a fairly transparent marketing strategy there.
Under the opt-out regime, it seems to me that you would, from a marketing strategy--I would be doing this--probably try to have a form that's long enough so that nobody reads through the whole form, and then you would hide the option to opt out somewhere within that form--
Voices: Oh, oh!
Mr. Mike Lake: --so that no one opts out. From a strategic sampling, it seems as though that would make sense so that you can keep your list of available people you can e-mail as long as possible.
Both of those would be legitimate marketing strategies, given the appropriate circumstance. Do I have anything wrong in terms of what this legislation entails versus what an opt-out legislation might entail?
:
I think you're dealing specifically with a set of circumstances, whether the check box is ticked or whether it's not ticked. You get right down to the basics. The American model is an opt-out model, whereby nobody has to have prior consent or permission to send out any commercial electronic message at any time. The opting out is that unsubscribe mechanism. So every time I get an e-mail, I have to unsubscribe for it. And if there are 300 million businesses, they each get a shot at me, and I have to unsubscribe every single time. A “you can spam” act is basically what it turned out to be. In fact, many groups within the United States that are trying to protect the citizens are saying don't unsubscribe, because all you're doing is giving effect to your e-mail address. If you're confirming your e-mail address, then you're just going to be bombarded even more. That's the opt-out strategy.
The opt-in strategy is already under way. The Canadian Marketing Association appeared here. Most industry best practice is when we're getting your e-mail address. One, how are they getting the e-mail address? I'm writing it on a sheet of paper at the point of purchase, here it is. And in that form, when I'm writing my personal information in there and I'm writing in my e-mail address, it should state why you're collecting the e-mail address and what you intend to do with it. So if you intend to send me e-mails about products or services at that enterprise, and I'm filling in my e-mail address, that's express consent.
The question we should always ask ourselves before we go all over the place is, how are they collecting my electronic address? If I'm giving it to them, well, it's at that point where they should say, “Is it okay if we contact you or have partner organizations contact you to offer you a better deal the next time you rent a car?” And that's the idea here. For a legitimate, responsible enterprise, when they're collecting that address, it's to get my consent to send me further e-mails, to use this electronic communications vehicle as a preferred method to contact me. Because yes, it is the cheapest method to contact clients, whether they're prospective or existing.
:
We could define that through taxes too. We could use a definition of taxes, which could be a quite easy way to do it. And not-for-profits have to be registered by the federal government or the provincial governments.
I'm running out of time, so I want to ask you two quick questions to get your input on them. I'll ask the questions and then turn it over to you to get the answers so there's enough time.
The 18-month period of implied consent, post the beginning of the relationship, is going to put it all over the map. It will be hard to follow when that date falls, so I'm a little bit concerned about that.
Last, the biggest one I'm really concerned about is the one about third parties, number six, that under certain unsolicited commercial messages that are follow-ups to third party or referrals.... I have checked into your notations here, and I'm really concerned about the definition of “family” and “personal relationships” as defined in the regulations. I'm wondering whether “family” refers to a brother, sister, or cousin-in-law. Not all of us get along with all of our family, and I'm just wondering whether that gives broad consent to allow people to be approached just through their relationship. And who is defining that and who is going to police that is going to be really interesting.
I will turn it over to you for the answers.
:
The 18-month thing was a clarification. It came through the witness hearings--i.e., what happens if I have a subscription to House & Home magazine for two years and the subscription is about to run out, but they've also run out of the 18 months? We're saying that they get the 18 months at the end of the subscription to contact me and see if I'd be interested in again subscribing for the next two years.
It was really with regard to memberships, subscriptions. If it's a point of purchase, where I purchase something and that's the end of the relationship, at the end of the purchase, then the 18 months starts there. So it was more of a clarification for those other things.
With regard to the third party referral, we wanted to be sure that we heard....
Oddly enough, Paul Vaillancourt, the financial adviser who appeared before you, is my financial adviser.
Voices: Oh, oh!
Mr. André Leduc: I didn't know he was appearing. It was just kind of odd to see him in the room.
Actually, Paul got me through a third party referral.
A voice: So you're in a conflict.
Mr. André Leduc: Yes.
We didn't want to allow third party referral to.... We understand, for financial advisers, real estate agents, and other professional or business service-type people, that referrals are key to their business, and that they have lost the ability to contact referrals through the do-not-call legislation. That said, we didn't want to let the referrals thing be anybody to anybody at any given time. So we said that in order for me to refer somebody to my financial adviser, I have to have a personal or family relationship with this person...to be defined in regulations, although “family” we're fairly solid on; we're going to follow what's in the Income Tax Act already.
So you have to have that kind of one-to-one relationship. And if you don't want to refer your cousin, don't refer your cousin.
We're going to use those definitions. Then the person who's sending the e-mail--i.e., my financial adviser--has to name, in that e-mail, the person who has made the referral.
If you fail to meet these criteria that we're naming here, you will be in violation of the act. We've tried to make allowances for business, the functionality of using this medium to contact prospective clients, but at the same time not poking a hole big enough that somebody could drive a truck through in the act and you might as well not have the legislation.
So we really did try to have a useful third party referral that didn't allow for absolutely everything to happen there.
Thank you for being here today.
My question goes to clause 12. I guess there's some concern around the part that says “a computer system located in Canada is used to send, route or access the electronic message”. Now, “access” and “send” I can understand--that's under our jurisdiction—but “route”? That's where I start getting concerned.
If we have a company who's dealing with an American customer or a foreign customer, and we want that processing, that routing, to go through Canada...because that is jobs that are here; it's not affecting Canadians, because it's only being routed through. Are we shackling Canadian companies by forbidding them from allowing the information to be routed through and off to another country? Or are we allowing them to...?
I just feel that our companies are being restricted unfairly. If that's the case, what's to stop the companies now in Canada from saying, “You know what? This is too strict; we can route from anywhere in the world, so we're shifting our jobs and our companies south of the border or somewhere in a third world country”?
:
That's a very good question.
The jurisdictional clause is designed to permit enforcement on behalf of Canadians. Now, as you're aware, telecommunications service providers are not liable for carrying traffic. So if there were traffic between Los Angeles and New York that is in the form of unsolicited e-mails, even if they violate U.S. law, the Canadian has not committed a contravention of the act in Canada. There is no violation.
What it does, though, is this. If the communications company is being swamped by e-mails coming into its network such that they can't properly manage traffic, it allows them to complain so that Canadian authorities can cooperate with authorities offshore to try to track down who's doing this and how can we shut it down and which country is in the best position to deal with it. But without a violation in Canada, we would not be able to get to first base of saying, listen, international partner, we've got a problem here and we need your help to fix it.
It does one other thing as well, which is that it gives the TSP that is concerned about the harm that's being done to its network potentially the right to bring a private right of action against the perpetrators. While our AMP regime and a finding by the CRTC may not be enforceable abroad, normally a Canadian judgment of a Canadian court would be, and that we think is a possible important remedy for the Canadian telecommunications service providers.
:
In appearances before the committee and in representations that have been made to Industry Canada over the summer, we have had a number of variants on the idea that instead of having a due diligence defence there should be a defence of honest mistake; in fact, inadvertence.
Our response to this is that in section 33 we have actually two categories of defence that are recognized with respect to AMPs, and they're equally applicable to the private right of action. These are, first of all, due diligence, which is the general standard that's applicable to any person where they may have been negligent or they may have caused harm without having intended it. The notion there is that as long as reasonable efforts have been made that avoid the actual harm that was caused--so you put in place, in our case, procedures to ensure that you don't e-mail people who haven't given permission--then you're okay, even if once in a while you make a mistake.
But the second part of it says that every rule and principle of the common law that would be a defence against a charge or offence is applicable in this situation. Through that mechanism we also bring in--and I can't think of many circumstances where it would apply--the concept of a mistake of fact, inadvertence, or any other standard of defence that's available at law.
So I think that rather than changing our standards...we've actually got a very flexible standard, the general rule being due diligence, which is usually enough for most corporate entities. But beyond that, they can rely on other defences that are available at common law. It's for the imagination of lawyers to imagine what other defences they might possibly want to bring, depending on the circumstances, if they need to.
:
Philip addressed the due diligence defence and the common law principles, but we're getting to the fact where, okay, you boo-boo once, you enter into a compliance agreement, and then you do it again, and those are in the factors to be considered under clause 20. When developing the penalties, you have to take this list of factors into consideration.
Beyond the due diligence defence, this is a compliance regime. So Mr. Misener appears, he's afraid Amazon might make a mistake one day: something happens with the technology, a new employee makes a mistake. What do we do? Well, they're likely going to hear from their clientele or the people who shouldn't have received that e-mail message: “Hey, you should have taken me off your list three months ago; I asked to be off the list.” So they're going to know they've done something wrong. The first thing they should do is approach one of the three enforcement agencies and say, “We think we've had an error here; we always intend to be compliant with this legislation, and we'd like to enter into an undertaking”, which is clause 21.
Short of that, short of their recognizing the mistake, then they'll be served the notice of violation, either by the CRTC, the Competition Bureau, or the Office of the Privacy Commissioner, and they have the opportunity then for the due diligence defence. And the same rules apply for the private right of action.
And failing being able to defend themselves, if it is an honest mistake, those factors for the scope, the nature of the violation, whether they profited from it—all of the negative implications of what they've done—have to be considered before we can process the monetary penalty. So if they didn't make any money from it and they didn't really mean to do it, they're likely not going to suffer a monetary penalty. And that's the key to those factors under clause 20.
And the last thing, barring all of that, should all of those safety valves for the honest mistake fail and they don't like the decision of the CRTC, they can appeal the CRTC's decision in the Federal Court and get another day in court.
:
Thank you very much, Mr. Leduc.
Thank you, Mr. Rota.
We're going to go to Mr. Wallace now, but before we do, one of the interesting things in this discussion is that the one factor we've not heard any testimony on or any discussion about is the IT costs associated with all the spam.
I can tell you from my previous life that we spent thousands of dollars trying to control this stuff and we were never completely successful. I don't know about members around this table, but I'm constantly bumping up against the limit on my mailbox size, which I think is about 100 megabytes of mailbox storage space. And if 90% of what we get is spam that we don't actually receive because of filters, that means that the House of Commons' IT department probably has over and above that, let's say, 900 megs of storage of e-mail clutter that they have on the back end, which they've got to clean out every so often. And the Internet connections that Parliament has to the outside world are probably, you know, 30%, 40%, or 50% larger than they have to be just to handle all the spam.
So you add it up, and if you're looking at $100 per person per year—let's say $70 a year of extra storage costs, $30 a year for extra access to the Internet through T3 or T2 pipes, you know—and 5,000 accounts on the Hill, it's half a million dollars a year in lost productivity because of all this spam that's floating out there, and that's never factored into any of the discussion here.
I can tell you from personal experience that we spent tens of thousands of dollars, in my life as an IT executive, trying to put in place systems, software on routers, software on exchange servers, increased bandwidth to the net, in order to compensate for all this junk coming down the pipe.
Without further ado, I'll go to Mr. Wallace.