I thank the Committee for inviting me here today. What you are doing is very important. CASL is flawed and needs re-examination.
I am a senior partner with the law firm McCarthy Tetrault. I am also an Adjunct professor of intellectual property law at Osgoode Hall Law School and am on the advisory boards of the think tanks Macdonald Laurier Institute (MLI) and CIGI. I am here today in my personal capacity.
I have been closely involved with CASL for many years.
I appeared before this Committee when it first examined CASL. I pointed out that CASL was so flawed that it would, among other things, literally have made the use of browsing on the Internet illegal.
I worked with officials trying to fix CASL at the Committee stage.
I was involved extensively during the first and second Industry Canada consultations into the regulations. I also made a personal submission to the consultations recommending changes. See, Evaluating the Industry Canada CASL regulations: my submission to the consultation available @ https://barrysookman.com/2013/02/05/evaluating-the-industry-canada-casl-regulations-my-submission-to-the-consultation/.
I have been extensively involved in advising clients from all sectors of the economy including large and small businesses, charities, the educational sector and other not for profits, the media, and software companies on how to comply with CASL.
CASL is, and is seen as, complex, disproportionate and wrongly focused. To be frank, it is ridiculed by many organizations. It is particularly onerous on small businesses.
CASL’s over breadth makes communicating over networks illegal or legally uncertain in countless situations that Parliament could never have intended. Here are some examples.
- Take a start-up business that wants to use a public trade directory to email prospective customers and investors. That is most likely illegal under CASL and especially hurts small businesses trying to grow and develop new markets.
- A person leaves his/her former employer to start a business or join another business and wants to email former clients, patients, customers or former colleagues to let them know. Or the person wants to email an old schoolmate that the person used to be good friends with. That is illegal under CASL in many cases.[i] It deprives individuals of the ability to use valuable connections important to their livelihoods and deprives people of information they would want to know.
- A charity or not for profit wants to continue sending newsletters to someone it has been sending them to even before CASL became law. If the newsletter is funded in part by the inclusion of only one ad, say a vision correction device ad in a newsletter sent out by the CNIB, the charity likely has to cut off the recipient unless it can find a donation by the person in last 2 years or a record of obtaining an express consent. This deprives individuals including those most vulnerable from receiving information they want and need. It is also illegal under CASL to send an email asking people if they want to continue to receive these newsletters.
- Organizations want to send out electronic Christmas cards to current and former clients, customers and to colleagues. They want to include a corporate logo and tag line promoting the organization. These items by themselves may make the cards CEMs because they promote their businesses.[ii] If the recipients haven’t expressly consented to receiving CEMs and haven’t done business with the organization in the last 2 years, it is questionable and likely illegal to send them. So much for Christmas cheer and keeping in touch.
- A new online newspaper wants to send trial copies to members of the public. In the physical world a publisher could leave complimentary copies in mail boxes. It’s illegal online if the paper includes a single ad or if it asks people if they want to subscribe. This is especially unfortunate as it hampers establishing new media, something we need to foster, as a healthy press is critical to our democracy.
- There is a business to business exception in CASL. It applies to organizations but not to individuals carrying on business as sole proprietorships. CASL operates in a discriminatory way for no good reason, in this case hurting small businesses.
- CASL makes it illegal for a child to email neighbors promoting his/her lemonade stand or asking if they need a babysitter or want their lawns mowed to try and earn some school money. It’s breadth is not subject to any de-minimis or reasonable limitations.
- A person wants to send a CEM using an SMS message. But, even if the person has consent to send the message the person can’t legally do it because the character limits don’t enable people to include all of the identifying and unsubscribe information the CRTC regulations prescribe. The person might comply by including a hyperlink in the message to a website, but if the person doesn’t have a website or can’t use an appropriate link shortener, the person can’t use SMS, unless the message is totally exempt from CASL.[iii] CASL effectively impedes the use of modern messaging systems it purports to regulate.
- I have other examples in a FAQ I wrote which is being translated for this Committee. See, CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline (available @ https://barrysookman.com/2015/01/14/casl-the-unofficial-faq-regulatory-impact-statement-and-compliance-guideline/).
These problem all flow from CASL’s flawed structure which prohibits a broad open ended range of communications subject only to a limited number of exceptions.
The computer program provisions are also problematic. For example:
- If you are a network provider, other than a telecommunications service provider, and don’t have an express consent, you can’t transmit updates to secure software or hardware against cyber-attacks.
- It is also illegal for software companies to install patches to software to improve safety and remove security vulnerabilities without express consents.
- Manufacturers are challenged in getting consents to update software in embedded systems such as from thermostats to motor vehicles. They often aren’t the direct supplier and don’t have relationships with buyers.
So what has happened in the real world and not the theoretical world of those that conceived CASL?
- CASL has had no material, if any, impact on the purveyors of damaging and deceptive spam, spyware, malware, and other related network threats, which were the stated objectives of CASL. As a practical matter, the burdens of CASL fall mainly on legitimate businesses.
- Many business have invested and continue to expend resources to try and comply. I can tell you it is not easy. Each type of message has to be analyzed to determine if it is a CEM and the whether the organization has consent and whether it is still valid. It’s like answering law school exams. Complex record keeping systems have been put in place to track all consents and unsubscribes.
- Use of electronic messaging has been chilled. Myriads of messages don’t get sent because organizations are risk adverse don’t know for sure if they can be sent. This hurts consumers. Information is vital in free markets for helping consumers make choices and for maintaining competition.
- Many organizations don’t comply or fully comply.
- There is a well known case of the game show Jeopardy refusing, at least temporarily, to accept Canadian applicants because of CASL. CASL deprives Canadians of opportunities they want. See, This law may be stopping Canadians from playing Jeopardy! What is the Canadian Anti-Spam Legislation? http://nationalpost.com/news/canada/this-law-may-be-stopping-canadians-from-playing-jeopardy-what-is-the-canadian-anti-spam-legislation/amp.
- I know of one business that has moved its server operations outside of Canada because of its extra-territorial reach. Canadians lose jobs because of this.
All these impacts of CASL hurt our economy. They also impinge on fundamental freedoms of expression Canadians have under the Charter. The Charter protects commercial speech. There is no doubt that CASL impedes commercial speech. The encroachment, in my view, cannot be justified because the combination of the law and regulations, among other things, do not minimally impair this right and the encroachments on speech are not proportional.
If the government of Canada really wants an efficient and competitive digital marketplace, CASL needs to be fixed.
My most important recommendation is for this Committee to assess all of provisions of CASL against the Government’s justifications for it. CASL was repeatedly represented to Canadians before it was enacted and during the regulatory process as a law targeting damaging and deceptive spam, spyware, malicious code, botnets, and other related network threats. Yet, the anti-spam prohibitions target ordinary commercial electronic messages and the so called malware provisions apply to practically all computer programs, whether malicious or not. CASL’s breadth cannot be defended based on the justifications put forward for it. I wrote about this issue in an article I have given to this Committee, Michael Geist’s defense of Canada’s indefensible anti-spam law CASL (available @ https://barrysookman.com/2014/07/14/michael-geists-defense-of-canadas-indefensible-anti-spam-law-casl/).
Given that CASL impairs freedoms of expression in Internet communications, I urge the Committee to recommend that CASL be recalibrated to what is really needed to protect the public against malicious, fraudulent and harmful forms of electronic messages and malware.
There are other specific changes this Committee could recommend.
- Redefine what is a CEM. The prohibitions should be limited to those that are fraudulent or misleading or which are sent in bulk or, at worst, predominately contain advertising or marketing messages.
- If CASL is not right sized, then all business to business CEMs should be excluded. There is no good reason for impeding innovation under the guise of protecting businesses that don’t want or need it.
- On the private right of action, if CASL is fully right sized to match its goals – so it targets really bad actors – then it can remain. If CASL is not properly calibrated, it should be eliminated, or limited as it is in the United States, to ISPs whose systems largely filter most of the unwanted electronic messages. The ISPs, in fact, filter out 99% of unwanted bulk spam rendering CASL much less needed than when it was first conceived.
- Permit messages to be sent where there is either express consent or where consent is inferred (as in Australia) or implied. If an organization has a valid consent under Canada’s privacy law PIPEDA, that should suffice. That would avoid organizations having to comply with two separate regimes both requiring consents, something they find incredibly frustrating and wasteful. Botnets and bulk fraudulent spammers will never have any color of consent under these standards so the public will be protected.
- Clarify which messaging systems CASL applies to. Then ensure the rules work practically for those messaging systems.
- Permit consents to be obtained on an enterprise basis and to include use by affiliates.
- Exempt all transactional messages including those that provide safety information. (Those referred to in s6(6)).
- Include de-minimis exceptions so that CASL does not apply, as it now does, to kids marketing their lemonade stands to neighbors, or seeking babysitting or jobs cutting grass.
- Exempt not for profits such as educational institutions.
- Limit the computer program prohibitions to true malware and spyware.
- If the computer program provisions are not narrowed to address true malware and spyware, expand the consents to installation of computer programs to include express or any implied or inferred consents.
- Broaden the exceptions to the computer program provisions to permit organizations to counter cyber-threats to networks and software.
Many, but not all of these changes, can be made by updating the GIC regulations.
I urge this Committee to recognize that the public can be adequately protected by a much more tailored form of anti-spam/malware law. Doing this would significantly reduce compliance costs and would enable all organizations throughout the country to devote scarce resources to innovating and creating jobs rather than expending them on red tape.
I ask the Committee to use this opportunity to recommend to Parliament that CASL be fixed. Until this is done, the private right of action should remain suspended.
* These speaking notes include a few tweaks and additions for publication here.
[i] The existing business relationship exception does not apply because the exception is the former employers. The personal relationship exception criteria would not apply because there is no current personal relationship.
[ii] CASL, s.1(20(d)
[iii] CRTC Regulations s2(1) and 2(2).