Steven Harroun to the to the Standing Committee on Industry, Science and Technology
November 9, 2017
Steven Harroun, Chief Compliance and Enforcement Officer
Canadian Radio-television and Telecommunications Commission
Check against delivery
Thank you, Mr. Chair, for providing us with another opportunity to appear before you as part of your review of Canada’s anti-spam legislation (CASL).
I am joined today by my colleagues – Kelly-Anne Smith, CRTC Senior Legal Counsel, and Neil Barratt, Director of Electronic Commerce Enforcement.
We have followed your proceedings closely and welcome this chance to comment on some of the recommendations for changes to the legislation that the Committee has heard.
We know that concerns were raised by many witnesses about various aspects of CASL. Despite their criticisms, the legislation is largely effective. You heard repeated testimony endorsing that view during your hearings – from consumer advocates representing vulnerable communities, various technical experts and academics.
As we explained during our first appearance, it is important to keep in mind that CASL came into force only three years ago. In that short time, the CRTC has built up its expertise in cyber threats and computer forensics, operationalized the Spam Reporting Centre and taken enforcement actions against companies in violation of the law. As such, while the review is welcome, we believe that it could be counterproductive to open up the legislation in these early days.
Businesses have invested in compliance programs and systems based on CASL as it is currently written. It would be costly and burdensome to review and modify those systems now.
Even though it is still early days, Mr. Chair, we think the legislation has already proven its worth. You heard from our colleagues at the Department of Innovation, Science and Economic Development that one year after CASL's implementation, a third-party study showed there was 29% less spam email in Canadians' inboxes, and a 37% reduction in spam originating from Canada. Internationally, Canada is no longer in the top 10 spam-producing countries. And according to some sources, since CASL came into effect, it is no longer in the top 20.
We believe strongly that any challenges or burden of compliance need to be balanced against the significant consumer and privacy benefits CASL provides.
This doesn’t diminish the perception among some witnesses that compliance is challenging. There’s no question that adapting to the new legislation takes time and effort. As we outlined the first time we addressed this Committee, that’s why we publish substantial guidance and conduct regular outreach to both consumers and businesses to assist them. And they are coming to the CRTC’s website to find information: our spam and CASL-related pages attracted nearly 100,000 visits last year alone.
In fact, we designed numerous guidance documents and tools specifically to address issues that witnesses raised with your Committee – including the installation of computer programs and compliance for SMS messages.
Guidance comes in many forms. For instance, since our last appearance, the CRTC published a decision related to a company called Compu-Finder. Among other things, the decision provided extensive guidance to industry on the business-to-business exemption, unsubscribe function, implied consent, conspicuous publication and due diligence.
It’s true that our early enforcement efforts have mostly targeted major senders of commercial electronic messages. This was based on the scope and volume of complaints and targeted by commercial sector to encourage broad-based compliance, all of which is consistent with our mandate under CASL.
But, what’s overlooked is that a lot of our work actually protects businesses and consumers from malicious threats. As one example, we assisted with the takedown of a command and control server infecting computers around the world. We also contact organizations whose email servers have been compromised – sending out unwanted, malicious or fraudulent emails – to help them clean up their infrastructure.
Mr. Chair, what concerns us is that witnesses have made statements about the chilling effect CASL has had on business, something we believe needs to be put into perspective.
Creating exemptions for every situation – even when well-intentioned – would only make the legislation harder for businesses to understand and for the CRTC and our partners to enforce.
More to the point, large companies have a duty and the resources to appropriately comply. Your Committee heard from Canadian entrepreneurs and innovators that market-based solutions for CASL compliance exist. It’s up to businesses to use them.
We also disagree with the assertion that CASL increases cybersecurity risks. We collaborate across government to ensure that our activities feed into a comprehensive approach to Canadian cybersecurity.
One final issue I want to briefly touch on is the criticism of the legislation’s opt-in requirement. Committee members undoubtedly recognize that, in today’s challenging online environment, it’s even more important that consumers consent to any application installed on their devices.
The opt-in regime was adopted after extensive study, including a broad review of international best practices. Experience in other countries with opt-out regimes has been less than successful.
Transitioning to an opt-out regime at this point would be complex and have significant consumer impacts. It would also negatively affect our ability to use the intelligence tools we have at our disposal, including the Spam Reporting Centre.
For all these reasons, Mr. Chair, we think that it would be wise to take a cautious approach to changing the legislation at this time. We firmly believe that the current CASL regime is appropriate and effectively promotes the public good, and we think that the Committee should give it time to achieve that goal.
We would now be happy to answer any questions that you or your Committee members may have.
Toll-free: 1 (877) 249-CRTC (2782)
TTY: (819) 994-0423
Ask a question or make a complaint
Report a problem or mistake on this page
- Date modified: