Electronic Commerce Protection Bill
Second Reading—Debate Adjourned
Hon. Donald H. Oliver moved second reading of Bill C-27, An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.
He said: Honourable senators, I am pleased to rise in my place today to begin second reading debate on Bill C-27, the electronic commerce protection act. I have actively supported a stand-alone piece of legislation to combat spam for some six years. I have introduced, on separate occasions, two private member's bills in this place in pursuit of my goal to prevent unsolicited messages on the Internet, so I take much personal satisfaction in seeing this bill come from the other place where its principles enjoyed widespread support.
Some honourable senators may recall that in February 2005, when I spoke in this chamber on Bill S-15, I quoted Bill Gates. He had pointed out that spam had become more than an annoyance; it exposed families and children to pornography and fraudulent content, and it cost businesses millions of dollars a year.
I also reminded this chamber of what was then a new phenomenon called "phishing;" emails in which someone falsely claimed to be a legitimate enterprise in an attempt to scam the user into providing private information that could be used for identity theft.
Today, the problems associated with spam have become even worse. Some of the most malicious forms of spam include "Trojan horses" and other "malware" that gives others control over one's computer, turning it into what has been called a "zombie computer." By remotely controlling these zombies, spammers spread further emails.
It is little wonder, then, that the volume of spam continues to grow. Unsolicited emails represent between 80 per cent and 90 per cent of email traffic around the world. It is estimated that last year, a total of 62 trillion spam emails were sent.
A poll in 2007 found that Canadians received an average of 130 spam messages each week. That number was up 51 per cent from the previous year. I am sure that we can provide our own anecdotal evidence that the amount of spam continues to grow. In April 2008, an EKOS survey showed that 72 per cent of Canadians considered spam to be a major problem.
Honourable senators, when spam is used in these ways, it undermines the trust that businesses and consumers have in the digital world. As I have pointed out in this chamber before, spam is a serious threat to the great promise of the Internet for individuals, for businesses, for governments and for society at large.
The last time I brought forward an anti-spam bill, some industry stakeholders argued that Canada did not need a piece of stand-alone legislation. Some thought that all Canada required was more public awareness so that consumers could stop buying from spammers.
Honourable senators, this was a weak argument then. It is even weaker now, at a time when we want to encourage trust and confidence in the digital economy. We want consumers to know that the Government of Canada is on guard against those who would use email for malicious and fraudulent purposes.
In fact,
the bill before us represents part of the Government of Canada's
broad-based efforts to foster more electronic commerce in Canada and put
us at the forefront of the digital economy. The Government of Canada
has begun consultations on ways to modernize the Copyright Act. It also
intends to table amendments to the Personal Information Protection and
Electronic Documents Act, PIPEDA.
In the years that have passed
since I introduced my first piece of anti-spam legislation, the
government has marshalled the forces necessary to win the war against
spam. We have the findings, for example, of the 2005 report of the Task
Force on Spam that called for strong legislation against spam.
Honourable senators, I had an opportunity to appear on two occasions
before that task force. On each occasion, I was asked to bring forward
arguments to try to persuade them that we did need a stand-alone piece
of legislation. I was successful in that.
We continue to learn
from the experience of other countries in constructing and applying
their anti-spam regimes. For example, we saw how the legislation in
Australia was very effective in cutting down the amount of spam-based
pornography and the impact that the private right of action had in
curtailing phishing and other forms of spam in the United States.
Honourable
senators, I believe that the bill before us has benefited from study by
the Standing Committee on Industry, Science and Technology in the other
place and will capture the intent of both Senator Goldstein's and my
efforts with our private members' bills. It is a long awaited measure
that will put in place many of the recommendations of the Task Force on
Spam. We will finally have legislation that will put an end to Canada's
reputation as a place where spammers can flourish.
Bill C-27
prohibits the sending of unsolicited commercial electronic messages; the
use of false and misleading representations online, including websites
and addresses; the use of computer systems to collect electronic
addresses without consent; the unauthorized altering of transmission
data; the installation of computer programs without consent; and the
unauthorized access to a computer system to collect personal information
without consent.
Much of the strength of the bill before us comes
from the enforcement regime. Honourable senators may recall that I
pointed to the enforcement challenges when speaking on my original bill.
I was pleased to see that the bill before us not only outlines the
various responsibilities of the CRTC, the Competition Bureau and the
Privacy Commissioner, but it enables these bodies to work together and
with their international counterparts.
For example, the CRTC will
enforce the provisions against sending unsolicited commercial messages
and will have responsibility for the provisions that prohibit the
altering of transmission data without authorization. It will further
prohibit the surreptitious installation of programs on computer systems
and networks by requiring consent for the installation of all computer
programs. In this way, we can help stem the flow of malicious computer
programs such as spyware and keyloggers.
Bill C-27 gives the
Competition Bureau a mandate to address false and misleading
representations online and deceptive marketplace practices such as false
headers and website content.
The Office of the Privacy
Commissioner has responsibilities to protect personal information in
Canada. Bill C-27 prohibits the collection of personal information
without consent through unauthorized access to computer systems and the
unauthorized compiling or supplying of lists of electronic addresses.
Honourable
senators, the bill provides the CRTC with administrative monetary
penalties, AMPS, of up to $1 million per violation for individuals and
up to $10 million for businesses. The Competition Bureau will also
administer AMPS under the current AMPS regime in the Competition Act of
up to $750,000 for individuals with $1 million for subsequent violations
and up to $10 million for businesses with $15 million per subsequent
violation.
Bill C-27 also provides a private right of action in
which individuals and businesses may pursue actions against spammers in
the civil courts. For example, it would permit an online retailer that
was a victim of a denial of service attack to pursue both the persons
who conducted the attack and the persons who paid for and directed the
attack to recoup the actual business losses incurred and, in appropriate
circumstances, obtain statutory damages.
As we introduce these
provisions to protect the interests of consumers against spam, we must
also take care not to restrict the legitimate use of emails for
commerce. I will speak to some of those specifics of the bill later.
Clause
6 of Bill C-27 prohibits the sending of unsolicited commercial
electronic messages, commonly referred to as spam. The consent regime to
allow for the sending of commercial electronic messages is based on an
"opt-in" regime that stipulates no electronic message can be spent
without the individual opting in by way of express consent or at least
implied consent.
Implied consent arises where there is an existing
business relationship or an existing non-business relationship. Implied
consent covers situations where intended use or disclosure is obvious
from the context and the organizations can assume, with little or no
risk, that the individual is aware of and consents to the reception of
the commercial electronic message. This implied consent can be used
within a 24-month period unless, of course, the individual has opted out
of receiving messages.
There is a time-limited exemption for
those existing businesses and non-business relationships that are in
effect prior to the act coming into force. These are covered in what is
called the transitional or grandfather clauses found in clause 63.1 of
the bill. They extend the implied consent regime for a period of 36
months — which I think is a long time — to allow commercial entities
time to contact existing clients and obtain their express consent for
future communications.
The act also permits implied consent to be
used in the case where there has been conspicuous publication of an
electronic address, such as on a website or in a print advertisement. In
these circumstances, the sender's message must be relevant to the
person's business, role, functions or duties in a business or official
capacity.
Honourable senators, there is a clause that clarifies
that in the instance of the sale of a business, the purchaser is deemed
to have an existing business relationship with the seller's clientele.
In
these ways, we cut down unsolicited email, but we leave the electronic
avenues open for legitimate commerce.
Honourable senators,
transmission data relates to the telecommunications functions of
dialling, routing, addressing or signalling a message. Clause 7 of Bill
C-27 prohibits the unauthorized alteration of transmission data. This
forbids any person from changing the transmission data of any message
that would cause the message to be delivered to a destination other than
or in addition to that requested by the sender, unless the alteration
is made with the express consent of the sender or in accordance with a
court order.
This clause prohibits persons from accessing networks
in order to alter transmission data. This addresses, among other
things, the issue of "pharming" whereby violators intentionally alter
the transmission data to redirect unsuspecting Internet users to false
websites or caller ID spoofing, where individuals alter the caller ID in
an attempt to identify themselves as a trusted source, such as a
financial institution.
(1600)
Clause 8 of the bill prohibits
the unauthorized installation of a computer program on another person's
computer system which causes an electronic message to be sent from the
computer system, unless the express consent of the owner or authorized
user of the computer system has already been acquired.
This clause
is designed to address the installation of malicious computer programs,
which include malicious software, viruses and spyware, as these
programs are often a precursor to more malicious online activity. The
clause also prohibits the further use of the computer program installed
to send out electronic messages without consent, as a computer infected
with a virus can be remotely controlled. It should be noted, honourable
senators, that the majority of spam is currently sent through
virus-infected computers.
Another issue addressed by this
provision is something called a denial of service attack, which is also
conducted through remotely controlled computers. Denial of service
attacks are attempts to keep a server, a network or a website down by
flooding it with a whole series of unwanted traffic.
Express
consent is always required in order to install a new computer program,
with certain exceptions allowing for automatic updates or upgrades. This
bill contains provisions to ensure, for example, that automatic
upgrades to antivirus software will not be treated as spam under the
law. This means that running some applets such as JavaScript and Flash
programs will not require express consent every time these programs are
run. Other limited exceptions are also defined.
The Competition
Act amendments add violations respecting misleading and deceptive
representation in online commercial messaging, including false headers,
subject lines, websites and electronic addresses. These new prohibitions
are designed to allow the Competition Bureau to better address aspects
that relate to unfair and deceptive market practices.
The
amendments to PIPEDA contained in clause 78 of the bill address the
unauthorized collection of electronic addresses, commonly referred to as
address harvesting, and the collection of personal information without
consent by way of unauthorized access to a computer system. Address
harvesting is the collection of bulk lists of email addresses by
automated means.
The second amendment is meant to protect personal
information stored on commercial or corporate computer systems from
unauthorized collection. While clause 8 of the bill addresses
unauthorized installation of computer programs, this clause addresses
the subsequent use of such software to collect personal information
about the computer users themselves.
Honourable senators, I
believe this bill strikes the balance required to encourage the digital
economy to flourish based on innovation on the part of legitimate
businesses and confidence on the part of consumers.
I have said in
this chamber many times that Canada has been one of the few
industrialized countries that did not have a regulatory regime to
control spam. Today, I am pleased, excited and proud to see that this
lack of protection for businesses and consumers will soon be at an end. I
urge all honourable senators to join me in supporting the principle of
this significant piece of legislation.
(On motion of Senator
Tardif, debate adjourned.)