Appearance before the Standing Committee on Industry, Science and Technology (INDU) on the review of Canada’s Anti-spam Legislation (CASL)

October 24, 2017
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Thank you for the invitation to appear before you today on your review of Canada’s Anti-Spam Legislation (CASL).

Context

CASL has been positive in helping to fight spam and address certain online threats that can be harmful to Canadians.

Responsibility for enforcing compliance with the legislation is assigned to three enforcement agencies: the CRTC, the Competition Bureau and the OPC. 

For its part, the OPC is responsible for investigating address harvesting and spyware, both of which generally involve the collection and use of personal information without consent.

This responsibility forms an integral part of the OPC’s broader PIPEDA mandate which sets out rules governing the collection, use and disclosure of personal information in the course of commercial activities.

CASL also empowers the three agencies to share information and collaborate in enforcing the law. 

We have worked to develop open dialogue with our CASL partners, to better use existing expertise and resources at the federal level. 

For example, we have accessed and made use of the Spam Reporting Centre (SRC) at the CRTC to help identify address harvesters or entities suspected of distributing spyware.

Our first CASL investigation

Our first investigation under CASL was initiated at my discretion after examining multiple reports made to the SRC about a Quebec-based training provider called Compu-Finder.

Compu-Finder used e-mail addresses — some of which were collected via address harvesting software — to send out recurring e-mail messages to individuals, many without adequate consent. 

Collaborating and sharing information with the CRTC, we were able to conclude our investigation in 2016, producing impactful results for Canadians.

Our investigation served to enhance the company’s practices and provided guidance to businesses on responsible e-mail marketing that respects people’s personal information.

Wajam case

Most recently, we completed an investigation into a Canadian company called “Wajam”. 

The company distributed their program as an unsolicited add-on to free software.

The program tracks a user’s online search queries, and integrates the results with content shared by an individual’s contacts on social media networks.

Our investigation found that the company was not obtaining meaningful consent to install the software and it was preventing users from withdrawing consent by making it difficult to uninstall the software. 

As a result of our investigation, the company stopped distributing the software in Canada, ceased collecting personal information from Canadians who had already installed the software, and agreed to destroy all Canadian user information in its possession.

Changes in technology

By their nature, spyware and address harvesting pose dangerous threats and can be difficult for Canadians to detect. 

These issues are not likely to be the subject of traditional consumer-driven complaints. 

This is leading us to adopt a more proactive enforcement approach for CASL matters, including the greater use of Commissioner Initiated Investigations like the ones I have just described.

In addition to Commissioner-initiated investigations, we are also focussing our CASL-related efforts on:

  • outreach,
  • issuing educational and guidance material for consumers and organizations on protecting their computers, and,
  • understanding spyware and ransomware.

Non-Spam CASL Amendments to PIPEDA

I should also mention the significant positive impact that certain consequential PIPEDA amendments, introduced through CASL, have had on our compliance outcomes generally.

The ability to decline or discontinue complaints has taken us part of the way in allowing us to focus efforts on matters that present greatest risk to Canadians. 

That said our enforcement resources remain taxed with a continuous high volume of complaints that challenge my goal of advancing our pro-active efforts to better serve Canadians.   

The ability to collaborate and share information with domestic and international counterparts — another consequential PIPEDA amendment — has had a profound effect on our Office’s capacity to deliver impactful enforcement outcomes across the globe. 

Since those provisions came into effect in 2011, our Office has participated in numerous collaborative and joint investigations, including our first joint investigation with our Dutch counterpart into Whats App in 2013, as well as last year’s joint Ashley Madison investigation with our Australian equivalent and the US Federal Trade Commission (FTC).

For the Committee’s consideration

CASL has only been in place a short time, so we are still gaining experience.   

From my perspective so far, the law has provided the OPC with additional, useful tools.

Nevertheless, I believe the following legislative changes to CASL would be worthy of consideration:

1. Giving the OPC more flexibility to share information with the CRTC and the Bureau.

At present, under ss. 58-59, the three bodies can share information and use that information but this is limited to specific CASL-related purposes as set out in those sections.

As noted previously, CASL also amended PIPEDA to give the OPC the ability to share information with domestic and international counterparts, but these provisions do not include the CRTC or the Competition Bureau.

In past investigations under PIPEDA outside of the context of CASL, issues have surfaced that overlap with the jurisdiction of the CRTC or Competition Bureau.

In those instances we think it would have been helpful to be able to share information.

To address this, either PIPEDA or CASL could be amended to give the OPC more flexibility to share information with the CRTC and the Competition Bureau more broadly to address matters that intersect between consumer and privacy protection.

2. Clarifying the conflict provision in CASL (s. 2) which states that CASL takes precedence over PIPEDA in the event of a conflict.

We would like a reformulation of section 2 to say that CASL can add to the provisions of PIPEDA, but does not lower those standards.

This is not an abstract concern, as we have already encountered one instance where the organization attempted to argue that it did not need to comply with PIPEDA because of an exception in CASL.

I would refer the Committee here to our report of findings in Compu-Finder as an example of why this clarification is required.

3. Clarifying the “spyware” provision – s. 7.1(3)

As a result of CASL, PIPEDA removed the possibility of resorting to consent exceptions to justify the collection or use of personal information that has been made by accessing a computer system (or causing one to be accessed) in contravention of an Act of Parliament. 

To further clarify this provision, we recommend that the reference in the provision to accessing a computer system “in contravention of an Act of Parliament” more explicitly include unauthorized installation of a computer program within the meaning of section 8 of CASL

In other words, where an organization has installed a computer program on someone’s computer without consent in violation of CASL, the organization should not be permitted under PIPEDA to use the program to collect or use personal information from that computer.

We think s. 7.1(3) of PIPEDA could be made clearer in this respect.

Conclusion

The OPC works diligently to educate individuals and organizations on the privacy implications of digital technologies, social trends and business practices and to enforce privacy protections.

CASL enforcement is a key part of this suite of activities.

While individuals should take steps to be aware of risks and to protect their personal information, it should not all rest on individuals.  

Organizations too must do their part.

Thank you and I would be pleased to take any questions.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: