Committees / News

Debating C-27: My Appearance Before the Industry Committee

Yesterday I appeared before the Standing Committee on Industry, Science and Technology to discuss Bill C-27, the Electronic Commerce Protection Act.  The Conservatives, NDP, and Bloc have also demonstrated strong support for the bill.  The Liberals have been cautious, indicating that they support the principle but expressing “significant concerns” about specific provisions.  My opening tried to address some of those concerns and the dialogue that followed led to a lively debate.  My opening statement is posted below.  Audio of the hearing available here and transcript available here.

 

Appearance before the Standing Committee on Industry, Science and Technology
June 11, 2009

Good afternoon.  My name is Michael Geist.  I am a law professor at the University of Ottawa, Faculty of Law, where I hold the Canada Research Chair in Internet and E-commerce Law.  I am also a syndicated weekly columnist on law and technology issues for the Toronto Star and the Ottawa Citizen.  I was a member of the National Task Force on Spam struck by the Minister of Industry in 2004 and on the board of directors of the Canadian Internet Registration Authority, which manages the dot-ca domain name space, from 2000 – 2006.  I also currently serve on the Privacy Commissioner of Canada’s Expert Advisory Committee.

I appear before this committee today in a personal capacity representing only my own views.

The introduction of Bill C-27 – the Electronic Commerce Protection Act – represents the culmination of years of effort to address concerns that Canada is rapidly emerging as a spam haven.  I don’t think I have to convince you that spam is problem.  Whether it is the cost borne by consumers, schools, businesses, and hospitals in dealing with unwanted email or the shaken confidence of online banking customers who receive phished or phoney emails, there is a real need to address the problem.  C-27 will not eradicate spam – no country can do so alone – but it will finally help to clean up our backyard.

Members of the committee have noted that this is broad legislation that extends beyond just spam.  I would submit that this is a feature, not a bug.  With much talk of the need for a national digital strategy, C-27 fits nicely within that framework by providing much-needed consumer protection legislation for e-commerce.  I think it is fair to say that the Spam Task Force members recognized the need to address the issue toward the end of the mandate and that the steps in this bill are consistent with our recommendations.

While legislation is broad, I think it is important to emphasize that the exceptions are as well.  There are three in particular that are noteworthy:

1.    Consent.  Under this law, consent trumps all.  Indeed, any business – any organization – can do anything it likes with respect to electronic marketing or software installation.  So long as it obtains consent.  There are rules around that consent – form requirement for electronic marketing and disclosure for software, but I don’t think that is such an onerous obligation.  Indeed, whenever a potential concern is raised, I think the first question to ask is why seeking consent is unreasonable. Is it unreasonable to obtain consent before installing a program on my computer?  Is it unreasonable to obtain consent before sending me a commercial message about a house or service or product?  In almost every instance, I think the answer is no – consent is a reasonable requirement.

Moreover, it is not an uncommon requirement as other laws have also adopted this opt-in consent model.  Australia and New Zealand both have opt-in and Japan even switched its law to opt-in after opt-out proved unsuccessful.

2.    Business-to-Business exception.  I have heard some claims that this legislation will hamper business as it seeks to use email to promote its products or services to other businesses.  The reality is that the legislation contains a business-to-business exception (Section 6(5)(b)). The concerns are unwarranted.

3.    The Consumer exceptions.  These are pretty broad, indeed arguably too broad.  They mirror most of the DNCL exceptions and there are many people who would argue that they go too far and fail to meet consumer expectations.  Consider the business-to-consumer exception that covers 18 months for existing customers and 6 months for non-customers who merely make an inquiry.  Think about that – someone who merely inquires about a long distance plan or hotel room availability is then subject to six months of electronic messaging under the guise of “implied consent.” I think it is reasonable to ask why a business should be entitled to contact a consumer for six months without any consent merely because the consumer has made a single inquiry.

My point here is that the net of the legislation may be broad, but so too are the exceptions that will continue to permit commercial activity.  Some businesses may argue it goes too far, while some consumers may believe it does not go far enough.  Perhaps that is a sign that an appropriate balance has been struck.

Consider the application of these principles to several of the criticisms that were highlighted earlier this week:

  1. Jurisdiction.  The legislation covers connections with Canada including the routing of a message through Canada.  This approach merely builds on existing jurisdictional law with respect to a real and substantial connection.  If the message fleetingly enters Canada, I suspect that the test might not be met and it is a non-issue from a liability perspective.
  2. Software updates.  As I referenced earlier, it seems perfectly reasonable to expect a software vendor to obtain consent from the end-user before installing anything on their computer.  To suggest otherwise, would be to surrender control over their personal computer and face the prospect of security breaches, as occurred in the infamous Sony rootkit case.
  3. Real estate agent emails.  As I am sure you are aware, real estate scams are among the most common with references to swampland in Florida being shorthand for fraudulent offers.  Do we really want to exempt an area that suffers from significant spam concerns?
  4. Tough penalties including a private right of action.  This is another feature, not a bug.  Yes, the bill has tough penalties.  The experience in countries like Australia is that anti-spam law only works if the penalties are sufficiently tough that you create some economic risk for spammers.  Otherwise, they’ll keep on doing what they’re doing.  There have been lawsuits against Canadian spammers but they’ve been launched elsewhere because Canadian law didn’t measure up.  We should fix that.

Are there any changes needed?  There are at least two amendments I can think of.  The first is the review provision that was noted in the discussion earlier this week.  This is a fast-moving area and mandated reviews make sense.

The second involves the computer software consent provision.  In the main, I think the provision gets it right.  However, there may be a limited number of instances – the use of javascript on web pages comes to mind – where the provision would prove problematic.  It is not easy to craft a rule that targets all the harms (botnets, spyware, surreptitious installations, keystroke logging) while leaving aside benign activities.

I would suggest a small addition by adding a Section 10(3) that would allow for implied consent for certain types of computer programs where the person has consented to the installation of that type of computer program by way of their preferences in their web browser.  This would cover off programs like Java and JavaScript that users typically address in their preferences.

Let me conclude with a warning against the lobbying efforts to water down the reasonable standards found in this legislation.  We have seen this before with the do-not-call list.  That bill started with some good principles, but faced intense lobbying and scare tactics.  By the end of the process, Canadians were left with a system that is widely recognized as a failure with 80% of calls continuing and security breaches of the do-not-call list itself.  We must avoid a similar outcome for anti-spam legislation.  Change may be scary to some, but do not let scare tactics dissuade you from moving forward with this much needed legislation.  I welcome your questions.

2 Comments

  1. Chris Bruner says:

    Section 10(3)
    I think implied consent for computer programs is the wrong way to go. I think a better way is for browsers to ask for consent, and optionally blanket consent for certain program types. That way the Law doesn’t need to be constantly updated as the technology evolves, consent must always be asked. But the computer can act as an agent in obtaining that consent for any particular case.

  2. Ian Marsman says:

    Basic bias of legislators
    I have seen that legislators make efforts to protect businesses and their efforts to connect with customers, even though those efforts can range from irritating to illegal. Legislation seems to be intended to be lenient on business. On the other hand, when it comes to copyright legislation the intent seems to be to come down hard on the public to the point of making it difficult to engage in reasonable and legal use of copyrighted materials. Why is it that politicians, ostensibly voted in by people and not corporations, slant legislation towards corporations and corporate lobby groups? We should not as citizens have to struggle against the stream just to go about our daily lives.