Electronic Commerce Protection Bill
Second Reading—Debate Adjourned
Hon. Donald H. Oliver moved second reading of Bill C-27, An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.
He said: Honourable senators, I am pleased to rise in my place today to begin second reading debate on Bill C-27, the electronic commerce protection act. I have actively supported a stand-alone piece of legislation to combat spam for some six years. I have introduced, on separate occasions, two private member's bills in this place in pursuit of my goal to prevent unsolicited messages on the Internet, so I take much personal satisfaction in seeing this bill come from the other place where its principles enjoyed widespread support.
Some honourable senators may recall that in February 2005, when I spoke in this chamber on Bill S-15, I quoted Bill Gates. He had pointed out that spam had become more than an annoyance; it exposed families and children to pornography and fraudulent content, and it cost businesses millions of dollars a year.
I also reminded this chamber of what was then a new phenomenon called "phishing;" emails in which someone falsely claimed to be a legitimate enterprise in an attempt to scam the user into providing private information that could be used for identity theft.
Today, the problems associated with spam have become even worse. Some of the most malicious forms of spam include "Trojan horses" and other "malware" that gives others control over one's computer, turning it into what has been called a "zombie computer." By remotely controlling these zombies, spammers spread further emails.
It is little wonder, then, that the volume of spam continues to grow. Unsolicited emails represent between 80 per cent and 90 per cent of email traffic around the world. It is estimated that last year, a total of 62 trillion spam emails were sent.
A poll in 2007 found that Canadians received an average of 130 spam messages each week. That number was up 51 per cent from the previous year. I am sure that we can provide our own anecdotal evidence that the amount of spam continues to grow. In April 2008, an EKOS survey showed that 72 per cent of Canadians considered spam to be a major problem.
Honourable senators, when spam is used in these ways, it undermines the trust that businesses and consumers have in the digital world. As I have pointed out in this chamber before, spam is a serious threat to the great promise of the Internet for individuals, for businesses, for governments and for society at large.
The last time I brought forward an anti-spam bill, some industry stakeholders argued that Canada did not need a piece of stand-alone legislation. Some thought that all Canada required was more public awareness so that consumers could stop buying from spammers.
Honourable senators, this was a weak argument then. It is even weaker now, at a time when we want to encourage trust and confidence in the digital economy. We want consumers to know that the Government of Canada is on guard against those who would use email for malicious and fraudulent purposes.
In fact, the bill before us represents part of the Government of Canada's broad-based efforts to foster more electronic commerce in Canada and put us at the forefront of the digital economy. The Government of Canada has begun consultations on ways to modernize the Copyright Act. It also intends to table amendments to the Personal Information Protection and Electronic Documents Act, PIPEDA.
In the years that have passed since I introduced my first piece of anti-spam legislation, the government has marshalled the forces necessary to win the war against spam. We have the findings, for example, of the 2005 report of the Task Force on Spam that called for strong legislation against spam. Honourable senators, I had an opportunity to appear on two occasions before that task force. On each occasion, I was asked to bring forward arguments to try to persuade them that we did need a stand-alone piece of legislation. I was successful in that.
We continue to learn from the experience of other countries in constructing and applying their anti-spam regimes. For example, we saw how the legislation in Australia was very effective in cutting down the amount of spam-based pornography and the impact that the private right of action had in curtailing phishing and other forms of spam in the United States.
Honourable senators, I believe that the bill before us has benefited from study by the Standing Committee on Industry, Science and Technology in the other place and will capture the intent of both Senator Goldstein's and my efforts with our private members' bills. It is a long awaited measure that will put in place many of the recommendations of the Task Force on Spam. We will finally have legislation that will put an end to Canada's reputation as a place where spammers can flourish.
Bill C-27 prohibits the sending of unsolicited commercial electronic messages; the use of false and misleading representations online, including websites and addresses; the use of computer systems to collect electronic addresses without consent; the unauthorized altering of transmission data; the installation of computer programs without consent; and the unauthorized access to a computer system to collect personal information without consent.
Much of the strength of the bill before us comes from the enforcement regime. Honourable senators may recall that I pointed to the enforcement challenges when speaking on my original bill. I was pleased to see that the bill before us not only outlines the various responsibilities of the CRTC, the Competition Bureau and the Privacy Commissioner, but it enables these bodies to work together and with their international counterparts.
For example, the CRTC will enforce the provisions against sending unsolicited commercial messages and will have responsibility for the provisions that prohibit the altering of transmission data without authorization. It will further prohibit the surreptitious installation of programs on computer systems and networks by requiring consent for the installation of all computer programs. In this way, we can help stem the flow of malicious computer programs such as spyware and keyloggers.
Bill C-27 gives the Competition Bureau a mandate to address false and misleading representations online and deceptive marketplace practices such as false headers and website content.
The Office of the Privacy Commissioner has responsibilities to protect personal information in Canada. Bill C-27 prohibits the collection of personal information without consent through unauthorized access to computer systems and the unauthorized compiling or supplying of lists of electronic addresses.
Honourable senators, the bill provides the CRTC with administrative monetary penalties, AMPS, of up to $1 million per violation for individuals and up to $10 million for businesses. The Competition Bureau will also administer AMPS under the current AMPS regime in the Competition Act of up to $750,000 for individuals with $1 million for subsequent violations and up to $10 million for businesses with $15 million per subsequent violation.
Bill C-27 also provides a private right of action in which individuals and businesses may pursue actions against spammers in the civil courts. For example, it would permit an online retailer that was a victim of a denial of service attack to pursue both the persons who conducted the attack and the persons who paid for and directed the attack to recoup the actual business losses incurred and, in appropriate circumstances, obtain statutory damages.
As we introduce these provisions to protect the interests of consumers against spam, we must also take care not to restrict the legitimate use of emails for commerce. I will speak to some of those specifics of the bill later.
Clause 6 of Bill C-27 prohibits the sending of unsolicited commercial electronic messages, commonly referred to as spam. The consent regime to allow for the sending of commercial electronic messages is based on an "opt-in" regime that stipulates no electronic message can be spent without the individual opting in by way of express consent or at least implied consent.
Implied consent arises where there is an existing business relationship or an existing non-business relationship. Implied consent covers situations where intended use or disclosure is obvious from the context and the organizations can assume, with little or no risk, that the individual is aware of and consents to the reception of the commercial electronic message. This implied consent can be used within a 24-month period unless, of course, the individual has opted out of receiving messages.
There is a time-limited exemption for those existing businesses and non-business relationships that are in effect prior to the act coming into force. These are covered in what is called the transitional or grandfather clauses found in clause 63.1 of the bill. They extend the implied consent regime for a period of 36 months — which I think is a long time — to allow commercial entities time to contact existing clients and obtain their express consent for future communications.
The act also permits implied consent to be used in the case where there has been conspicuous publication of an electronic address, such as on a website or in a print advertisement. In these circumstances, the sender's message must be relevant to the person's business, role, functions or duties in a business or official capacity.
Honourable senators, there is a clause that clarifies that in the instance of the sale of a business, the purchaser is deemed to have an existing business relationship with the seller's clientele.
In these ways, we cut down unsolicited email, but we leave the electronic avenues open for legitimate commerce.
Honourable senators, transmission data relates to the telecommunications functions of dialling, routing, addressing or signalling a message. Clause 7 of Bill C-27 prohibits the unauthorized alteration of transmission data. This forbids any person from changing the transmission data of any message that would cause the message to be delivered to a destination other than or in addition to that requested by the sender, unless the alteration is made with the express consent of the sender or in accordance with a court order.
This clause prohibits persons from accessing networks in order to alter transmission data. This addresses, among other things, the issue of "pharming" whereby violators intentionally alter the transmission data to redirect unsuspecting Internet users to false websites or caller ID spoofing, where individuals alter the caller ID in an attempt to identify themselves as a trusted source, such as a financial institution.
(1600)
Clause 8 of the bill prohibits the unauthorized installation of a computer program on another person's computer system which causes an electronic message to be sent from the computer system, unless the express consent of the owner or authorized user of the computer system has already been acquired.
This clause is designed to address the installation of malicious computer programs, which include malicious software, viruses and spyware, as these programs are often a precursor to more malicious online activity. The clause also prohibits the further use of the computer program installed to send out electronic messages without consent, as a computer infected with a virus can be remotely controlled. It should be noted, honourable senators, that the majority of spam is currently sent through virus-infected computers.
Another issue addressed by this provision is something called a denial of service attack, which is also conducted through remotely controlled computers. Denial of service attacks are attempts to keep a server, a network or a website down by flooding it with a whole series of unwanted traffic.
Express consent is always required in order to install a new computer program, with certain exceptions allowing for automatic updates or upgrades. This bill contains provisions to ensure, for example, that automatic upgrades to antivirus software will not be treated as spam under the law. This means that running some applets such as JavaScript and Flash programs will not require express consent every time these programs are run. Other limited exceptions are also defined.
The Competition Act amendments add violations respecting misleading and deceptive representation in online commercial messaging, including false headers, subject lines, websites and electronic addresses. These new prohibitions are designed to allow the Competition Bureau to better address aspects that relate to unfair and deceptive market practices.
The amendments to PIPEDA contained in clause 78 of the bill address the unauthorized collection of electronic addresses, commonly referred to as address harvesting, and the collection of personal information without consent by way of unauthorized access to a computer system. Address harvesting is the collection of bulk lists of email addresses by automated means.
The second amendment is meant to protect personal information stored on commercial or corporate computer systems from unauthorized collection. While clause 8 of the bill addresses unauthorized installation of computer programs, this clause addresses the subsequent use of such software to collect personal information about the computer users themselves.
Honourable senators, I believe this bill strikes the balance required to encourage the digital economy to flourish based on innovation on the part of legitimate businesses and confidence on the part of consumers.
I have said in this chamber many times that Canada has been one of the few industrialized countries that did not have a regulatory regime to control spam. Today, I am pleased, excited and proud to see that this lack of protection for businesses and consumers will soon be at an end. I urge all honourable senators to join me in supporting the principle of this significant piece of legislation.
(On motion of Senator Tardif, debate adjourned.)
