Steven Harroun and Daniel Roussy to the Standing Committee on Access to Information, Privacy and Ethics
May 9, 2017
Steven Harroun, Chief Compliance and Enforcement Officer
Canadian Radio-television and Telecommunications Commission
Check against delivery
Thank you, Mr. Chair, for inviting us to appear before your Committee.
My name is Steven Harroun and I am the CRTC’s Chief Enforcement and Compliance Officer. With me today is my colleague Daniel Roussy, General Counsel and Deputy Executive Director of the CRTC’s Legal sector.
We appreciate the valuable work your members do to protect Canadians’ privacy, a significant concern in today’s digital age.
We recognize that the focus of your current work is on the Personal Information Protection and Electronic Documents Act. The CRTC follows the privacy legislation, as all federal government departments and agencies, but has no direct experience as a regulatory body with this Act.
We understand, however, that the Committee is interested in hearing about our experience in enforcing Canada’s anti-spam legislation. We believe there are aspects of our experience that may be useful to consider as part of your study, in particular our ability to impose administrative monetary penalties.
Mr. Chair, let me begin with a brief overview of the legislation to provide context for our observations about the effectiveness of such penalties.
In a nutshell, Canada’s anti-spam legislation – known colloquially as CASL – is meant to provide Canadians with a secure online environment, while ensuring that businesses can compete in the global marketplace.
CASL gives the Commission the authority to regulate certain forms of electronic contact consisting of the sending of commercial electronic messages, the alteration of transmission data in electronic messages and the installation of computer programs on another person’s computer system, in the course of commercial activity. The fundamental underlying principle is that such activities can only be carried out with consent.
The CRTC is responsible for CASL’s administrative monetary penalty framework, which includes the imposition of penalties for violations.
CASL is an opt-in regime, which means that consent must be obtained prior to the sending of commercial electronic messages to Canadians. CASL applies to commercial electronic messages sent via email and through social media accounts, as well as text messages sent to cellphones. Consent to receive these messages can be either express or implied, as stipulated in the Act.
Express consent means that the person has clearly and proactively agreed to receive the message. For example, someone voluntarily opts in by signing up at a website. Once express consent is obtained, commercial electronic messages can be sent until the recipient notifies the sender that he or she no longer wants to receive them.
Consent can be implied, for example, through an existing business relationship with a consumer, based on a previous commercial transaction. It also pertains to personal or family relationships or an existing non-business relationship, such as membership in a club, association or voluntary organization.
In every case, CASL sets out that the burden of proof regarding consent rests with the person alleging consent.
In addition to consent, senders of commercial electronic messages must clearly identify themselves in each message. Each message must also contain an unsubscribe mechanism that is clearly and prominently set out, which allows consumers to readily unsubscribe if they no longer wish to receive messages.
Mr. Chair, CASL was never intended to eliminate all spam. Its objective is to deter the most damaging and deceptive forms of spam and other electronic threats such as identity theft, phishing and the spread of spyware and malware.
When it is alleged that a violation has occurred, the Chief Compliance and Enforcement Officer has a number of tools at his disposal to ensure the Act is complied with.
Our enforcement tools include:
- A warning letter, to bring to the attention of the business a minor violation requiring corrective action.
- A notice of violation, which is issued for more serious offences. The enforcement measure may include a monetary penalty. Notices are also published on our website. We warn Canadians of illegal online practices so they are aware and report any suspected violations.
- An undertaking, which is similar to a negotiated settlement or agreement with the other party, where the company or individual undertakes to come into compliance. For instance, a party might need to implement a corporate compliance program or report on its activities. Or, it may have to pay a specified amount – although this payment is not considered a monetary penalty.
The Chief Compliance and Enforcement Officer uses his discretion in selecting and applying the most appropriate enforcement response. Our goal is to ensure compliance with the law and prevent recidivism.
Underpinning these enforcement tools are the CRTC’s outreach and education efforts. Before the law came into force, the CRTC delivered information sessions to interested parties across the country to explain the new requirements and encourage compliance. To this day, we continue to undertake an education and outreach program and share lessons learnt from enforcement actions taken.
It’s important to understand that administrative monetary penalties are just one part of our tool box. Penalties tend to be used as a last resort after all other efforts have failed. While we have issued warning letters, monetary penalties have been reserved for the most egregious cases.
Depending on the nature of the violation, the CRTC has the authority to impose up to $1 million per violation for individuals. And up to $10 million per violation for a corporation or group. There are factors laid out in the legislation that we must take into consideration when determining the appropriate penalty.
The tools provided to us in CASL to protect Canadians are not limited to monetary penalties. The Chief Compliance and Enforcement Officer also has the authority to seek a judicially pre-authorized warrant in order to enter a residence or business to verify compliance with the Act.
For example, along with national and international partners, the CRTC took down a command-and-control server disseminating spam and malicious malware located in Toronto in December 2015, as part of a coordinated international effort. This disrupted Win32/Dorkbot – one of the most widely distributed malware families, which had infected more than a million personal computers in over 190 countries.
Of course, in today’s interconnected world, spam and other electronic threats are not confined to Canada. One of the most important tools Parliament provided the CRTC is the ability to share information and seek enforcement assistance of our international counterparts. To date, the CRTC has entered into international agreements with the Federal Trade Commission and the Federal Communications Commission in the United States and the Department of Internal Affairs in New Zealand.
As well, to address the challenge of spam coming from outside our borders, we collaborate with our international partners through the Unsolicited Communications Enforcement Network, or UCENet. The purpose of this Network is to promote international spam enforcement cooperation and address spam related problems, such as online fraud and deception, phishing, and dissemination of viruses.
The CRTC has also signed memoranda of understanding with 11 enforcement agencies from eight different countries through UCENet. These countries include the U.S., Australia, New Zealand, the Netherlands, the United Kingdom, Korea and South Africa. We share our knowledge and expertise through training programs and staff exchanges, and inform each other of developments in our respective countries’ laws.
Working with our partners, we are better equipped to ensure that people who distribute commercial messages – local or foreign – comply with Canada’s anti-spam legislation.
In conclusion, we are convinced that administrative monetary penalties, when used with other enforcement methods, are a real deterrent to non-compliance. We believe that companies have changed their practices to avoid potential penalties. This observation is based on our experience with CASL to date, as well as on our experience in enforcing the telemarketing over the past decade.
If we have any advice to offer, Mr. Chair, it is that enforcement agencies need a broad range of tools in their arsenal, which they can tailor to the circumstances of each case.
We would now welcome any questions you may have.
- 30 -