Steven Harroun to the Standing Committee on Industry, Science and Technology
September 26, 2017
Steven Harroun, Chief Compliance and Enforcement Officer
Canadian Radio-television and Telecommunications Commission
Check against delivery
Thank you, Mr. Chair, for inviting us to appear before your Committee to share the Canadian Radio-television and Telecommunications Commission’s (CRTC’s) experience with Canada’s anti-spam legislation (CASL). With me today are my colleagues Kelly-Anne Smith, Senior Legal Counsel, and Neil Barratt, Director of Electronic Commerce Enforcement.
This is our first opportunity to discuss the Act with you since its introduction. So, I think it would be helpful to provide a high-level overview of our responsibilities under CASL.
The legislation gives the CRTC the authority to regulate certain forms of electronic contact to provide Canadians with a secure online environment, while ensuring that businesses can compete in the global marketplace.
Mr. Chair, without going into too much detail, under CASL the CRTC regulates:
- the sending of commercial electronic messages
- the alteration of transmission data in electronic messages, and
- the installation of computer programs on another person’s computer system, in the course of commercial activity.
The fundamental underlying principle is that such activities can only be carried out with consent.
CASL is an opt-in regime. This means that consent must be obtained before sending commercial electronic messages, altering transmission data or installing software. Commercial electronic messages (whether email, text message or other format) must contain an unsubscribe mechanism that is clearly and prominently set out and readily performed. This allows recipients to withdraw their consent if they no longer wish to receive messages. Messages must also identify the sender and/or the person on whose behalf the message is being sent and contain contact details such as an email address, mailing address and website.
Mr. Chair, our objective is to promote and ensure compliance with the Act. During the past three years, the CRTC has made it a priority to offer information sessions across the country and publish guidance materials for the business, consumers and the legal community.
As an example, my staff and I delivered six information sessions last May in Toronto to over 1,200 businesses. These presentations help to raise awareness among businesses of their responsibilities when marketing products and services to Canadians, and allow us to share lessons learned from investigations. As we do in every seminar, I made it clear that the CRTC is available to offer advice and support to help businesses comply with the Act.
We also promote CASL to Canadians through our website, interactions with consumer groups and on the phone and by email with our client service specialists. Consumer alerts are published on our website to warn Canadians of non-compliant online practices so they are aware and report any suspected violations. We want Canadians to report violations, and they are – in great number.
The CRTC acts on the complaints it receives and has a number of tools to bring individuals and businesses into compliance, including the issuance of notices of violation with accompanying administrative monetary penalties.
We look at a variety of factors to determine what the appropriate enforcement action should be. Our compliance approach includes interventions ranging from education to enforcement.
Our options include a warning letter regarding a minor violation requiring corrective action.
We can also issue a notice of violation. This enforcement measure often includes an administrative monetary penalty.
We also enter into undertakings with parties who voluntarily agree to come into compliance. This often means that the party implements a corporate compliance program to prevent future violations. It also could entail paying a specified amount – although this payment is not considered an administrative monetary penalty. This has been a particularly useful tool, as we have reached undertakings with several parties that cooperated with our investigations.
Depending on the nature of the violation, the CRTC can impose up to $1 million per violation in the case of an individual. And up to $10 million per violation in the case of other persons (e.g. corporations). We also have the authority to seek a judicially pre-authorized warrant to enter a residence or business to verify compliance with the Act and/or determine if a violation of the Act has occurred.
Mr. Chair, the CRTC has had success enforcing the legislation in the short time it has been in force.
For instance, along with national and international partners, in December 2015 the CRTC took down a command-and-control server disseminating spam and malicious malware located in Toronto, as part of a coordinated international effort. This disrupted one of the most widely distributed malware families, which had infected more than a million personal computers in over 190 countries.
Of course, in today’s interconnected world, spam and other electronic threats are not confined to Canada. One of the tools Parliament provided the CRTC is the ability to share information and seek enforcement assistance from our international counterparts. To date, the CRTC has entered into agreements with enforcement agencies in the United States, the United Kingdom, Australia and New Zealand.
Internationally, we collaborate with partners through the Unsolicited Communications Enforcement Network, or UCENet. The purpose of this network is to promote international spam enforcement cooperation and address related problems, such as online fraud and deception, phishing and the dissemination of viruses.
The CRTC has signed a memorandum of understanding with 12 enforcement agencies from eight different countries through UCENet. We share our knowledge and expertise through training programs and staff exchanges, and inform each other of developments in our respective countries’ laws.
Domestically, CASL allows us to share information and cooperate on investigations with our partner enforcement agencies, the Competition Bureau and the Office of the Privacy Commissioner. In 2013, the CRTC signed a memorandum of understanding with our partners to facilitate cooperation, coordination and information sharing. However, there are limited tools within CASL to allow the CRTC to share information with other domestic law enforcement and cybersecurity partners.
Working with our partners, we are better equipped to ensure that people who distribute commercial messages – domestic or foreign – comply with Canada’s anti-spam legislation.
Mr. Chair, I’m not suggesting that the Act is perfect. I suspect you will hear a lot of suggestions about what needs fixing from various witnesses who will address the Committee in the months ahead.
The CRTC would like the chance to appear before your members again, before you wrap up your review and begin writing your report. We will closely follow the proceedings and can provide feedback on the ideas you may hear and respond to any questions you might have about what will, or will not, work. As you and the members of the Committee are aware, legislation must be enforceable in order to be effective.
As you conduct your review, it is important to keep in mind that CASL has been in force for a relatively short period of time and covers a broad range of activities. The activities and ensuing investigations under the Act are complex, and we have yet to fully apply the legislation.
We would now welcome any questions you may have.
Toll-free: 1 (877) 249-CRTC (2782)
TTY: (819) 994-0423
Ask a question or make a complaint
Report a problem or mistake on this page
- Date modified: