Non-Parliamentary Submissions by the OPC on Privacy Issues

Review of the regulatory measures associated with confidential customer information and privacy

Submission of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunication Commission (CRTC)

March 2009


In February 2009 the Canadian Radio-television and Telecommunications Commission (CRTC) called for written submissions on the appropriateness of continued regulatory measures to safeguard confidential customer information collected, used and disclosed by telecommunications service providers (TSPs). The deadline for submissions was 20 March 2009.

The Office of the Privacy Commissioner’s (OPC) submission calls on the CRTC to maintain requirements for TSPs to obtain express consent from customers when disclosing confidential customer information. The OPC also urged the CRTC to maintain its important regulatory role in protecting personal information at a time when the threats to privacy are ever increasing.


March 20, 2009

Mr. Robert A. Morin
Secretary General
Canadian Radio-television and Telecommunications Commission
Ottawa, ON
K1A 0N2

Dear Mr. Morin:

Re: Telecom Public Notice CRTC 2009-71 - Review of the regulatory measures associated with confidential customer information and privacy; CRTC Reference: 8663-C12-200903387

  1. In December 2006, the Governor General in Council, on the recommendation of the Minister of Industry, issued a Direction1 to the Canadian Radio-television and Telecommunications Commission (CRTC) on Implementing Canadian Telecommunications Policy Objectives (the Policy Direction).
  2. In April 2008, the CRTC released Telecom Decision 2008-34 - Action Plan for reviewing social and other non-economic regulatory measures in light of the Policy Direction. The Action Plan identified regulatory measures associated with privacy safeguards and obligations as a general matter for review.
  3. Pursuant to the Action Plan, the CRTC issued Telecom Public Notice 2009-71 on 13 February, 2009, inviting submissions on the continued appropriateness of regulatory measures associated with customer confidentiality provisions and with other privacy safeguards and obligations.
  4. On 6 March 2009, the Office of the Privacy Commissioner of Canada (OPC) informed the CRTC of our intention to participate in these proceedings. We believe the proceedings raise significant issues with respect to the protection of the personal information of customers collected, used and disclosed by telecommunications service providers (TSPs).
  5. The OPC makes these submissions as an interested party to the proceedings, pursuant to its legislative mandate2 to protect the privacy rights of individuals and promote the privacy protections available to Canadians.3
  6. The OPC’s submissions focus on the pressing need for the CRTC to maintain regulatory measures to protect consumer privacy. Our submissions specifically call on the CRTC to maintain requirements for TSPs to obtain express consent from their customers to disclose their confidential customer information.
  7. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to personal information handled by TSPs in the course of providing telecommunications services to customers. PIPEDA requires TSPs to obtain consent from individuals with respect to the collection, use and disclosure of their personal information. PIPEDA also provides individuals with access rights to their personal information and a complaint mechanism for alleged violations of the Act. This regime provides strong privacy protection for consumers.
  8. CRTC rules with respect to the disclosure of confidential customer information provide an important, additional layer of protection in safeguarding consumer privacy in the telecommunications industry. Under CRTC rules, nearly all TSPs are prohibited from disclosing confidential customer information without express consent.4 Customer name, address and listed telephone number are not considered confidential customer information and are exempted from the consent requirement. This approach is consistent with the provisions relating to publicly available information under section 7 of PIPEDA and its regulations.5
  9. Confidential customer information may include personal information such as:
    • calling history (e.g. to whom, when and where a call is made, duration of call, calling patterns);
    • billing history;
    • banking information provided for payment transactions;
    • creditworthiness;
    • unlisted phone numbers; and
    • subscription to available telecommunications features and services.
  10. The OPC respectfully submits that the CRTC retain its existing regulatory measures to safeguard confidential customer information and protect consumer privacy given:
    • increasingly powerful and sophisticated technologies that collect, process, store and disseminate vast amounts of personal information across borders;
    • the unchecked and potentially harmful practices of international databrokers;
    • the significant harms to Canadians from ID theft and other fraudulent and criminal uses of personal information; and
    • intrusions from unsolicited telemarketing calls.
  11. Privacy is often viewed as a fundamental human right and, arguably, the right from which many other essential freedoms flow: individual autonomy and decision-making, freedom of speech, freedom of association, and freedom of thought.6 Criminal Code sanctions, together with privacy law requirements, have set strict limits on government action or private sector practices with regard to accessing private information.7 Privacy is not a new public policy issue, but it is one that is attracting increasingly wider public attention as the serious consequences of unlimited and uncontrolled collection and sharing of consumer personal information come to light.
  12. In her Annual Report to Parliament, the Privacy Commissioner of Canada stated that concern among Canadians about their loss of privacy and the misuse of their personal information has never been greater.8 Public opinion research conducted by the OPC in 2008 revealed that more than half of Canadians are concerned about giving up their personal information to retailers.9 Respondents cited a number of concerns, including the safety of putting information online, identity theft and fraud.10 PIPEDA findings made by our Office regarding the activities of Online Data Brokers recognize the discomfort individuals have over the indiscriminate, non-consensual collection, use, and disclosure of personal information by profiling and data broker organizations.11
  13. In this age of electronic information storage, dissemination, and data processing, personal information can be collected, shared and matched with a click of a button.12 The Commissioner has noted in an address to the Canadian Marketing Association that Canadians are sensitive to how easily personal information such as a telephone number can be matched with other available personal information to create detailed consumer profiles that are shared or sold to telemarketers or other organizations without their appropriate consent, or knowledge.13 The OPC detailed in its previous submissions to the CRTC regarding the privacy implications of deep packet inspection (DPI) the potential concerns about consumer tracking.14 Of particular concern is that without adequate safeguards in place, consumer tracking data may fall into the wrong hands or be used for unanticipated purposes.
  14. Together with PIPEDA, the CRTC’s current regulatory measures safeguarding confidential customer information prevent a significant amount of consumer information from entering the unchecked international market in personal information. The CRTC’s rules and regulatory powers represent an important control Canadians depend on to protect their personal information.
  15. Our submissions will address the following:

    I. CRTC and OPC Jurisdiction over Privacy is Complementary, not Redundant

    1. The OPC’s Jurisdiction and Statutory Role under PIPEDA
    2. The CRTC’s Jurisdiction and Statutory Role under the Telecommunications Act

    II. Responses to interrogatory questions:

    1) Customers of telecommunications service providers cannot rely on market forces to protect their privacy

    1. The CRTC acknowledges that market forces cannot adequately protect Privacy
    2. Maintaining Confidentiality in Customer Information in the face of powerful data collecting technologies, data brokers, and criminal activity operating across borders   

I. CRTC and OPC Jurisdiction over Privacy is Complementary, not Redundant

  1. The CRTC and the OPC have complementary roles regarding privacy protection.15 Their statutory roles are related, but not redundant. While the OPC and CRTC have overlapping jurisdiction with respect to privacy protection and TSPs16, their functions and powers significantly differ.
  2. Regulatory measures17 regarding the confidentiality of customer information do not duplicate privacy protections under PIPEDA18. PIPEDA broadly applies to personal information handled by an organization in the course of commercial activity. The Act applies to organizations across diverse industries, in a wide variety of contexts. In contrast, customer confidentiality requirements for TSPs providing regulated services are specific, prescribing the terms and conditions for disclosing confidential customer information.19

a) OPC Jurisdiction and Statutory Role under PIPEDA

  1. The mandate of the OPC is to oversee compliance with the Privacy Act20, which applies to the personal information handling practices of federal government departments and agencies, and PIPEDA21, Canada’s private sector privacy law. PIPEDA applies to organizations that collect, use and disclose personal information in the course of commercial activity.22 PIPEDA covers the personal information of customers and employees of federal works, undertakings and businesses such as telecommunications companies.23
  2. The Privacy Commissioner is primarily an Ombudsman. The Commissioner’s current role under PIPEDA mirrors that of the Privacy Act, which was designed to monitor the information handling practices of the federal government. In that role, the Commissioner tries to resolve individual complaints as well as Commissioner-initiated complaints made against private sector organizations under PIPEDA. The Commissioner has a variety of tools at her disposal to promote compliance with PIPEDA, including public education, research, audits, investigations, mediation, and in certain circumstances, litigation.
  3. In this two-stage process, the Commissioner makes findings on complaints, offering guidance and expertise24 on how PIPEDA applies to the day-to-day collection, use and disclosure of personal information by a wide range of organizations. The subject matter of the complaints is varied. They include workplace privacy, privacy of health information, financial confidentiality, secondary marketing practices and the transborder flow of personal information. Unresolved disputes can be taken to the Federal Court by the complainant or the Commissioner.
  4. The legislative purpose of PIPEDA is to protect personal data in a manner that recognizes the reality of modern commerce, which is increasingly characterized by virtual, electronic transactions, enabled by rapid advances in information technology.25 The bedrock of PIPEDA is individual consent, which can be express or implied, depending on the circumstances.26 Even with consent, organizations must limit collection, use and disclosure of personal information to purposes that a reasonable person would consider appropriate under the circumstances.27 The “reasonable person” test is central to privacy protection under PIPEDA. The test is applied contextually in each case to strike the appropriate balance between individual privacy concerns and business interests.
  5. Section 4(3) of PIPEDA provides that the Act and its requirements take precedence over all subsequently enacted statutes, which include the Telecommunications Act and its regulations. It should be noted, however, that PIPEDA represents a basic standard for how organizations should handle personal information. The CRTC, through its regulatory measures, may exceed PIPEDA’s standard if, in its expert opinion, it is consistent with the public interest and Canadian telecommunications policy as set out under the Telecommunications Act.

b) CRTC Jurisdiction and Statutory Role under the Telecommunications Act

  1. Under the Telecommunications Act, the CRTC’s mandate is to regulate and supervise the Canadian broadcasting and telecommunications systems to ensure that they serve the Canadian public28. The CRTC is a specialized, decision-making tribunal with recognized expertise over telecommunications matters.29 In carrying out its responsibilities in both broadcasting and telecommunications, the CRTC must act in the public interest consistent with the statutes under which it operates.
  2. According to Canadian telecommunications policy, the CRTC is required to safeguard the privacy of individuals and their communications. This policy is set out in paragraphs 7(a) and (i) of the Act:

    7. It is hereby affirmed that telecommunications performs an essential role in the maintenance of Canada’s identity and sovereignty and that the Canadian telecommunications policy has as its objectives

    (a) to facilitate the orderly development throughout Canada of a telecommunications system that serves to safeguard, enrich and strengthen the social and economic fabric of Canada and its regions;…

    (i) to contribute to the protection of the privacy of persons.

  3. Under the Act, the CRTC has the ability to enhance privacy protection in ways not available to the OPC. The following CRTC powers represent an important layer of privacy protection for Canadians:
    • the authority to make binding decisions and orders relating to tariffs, such as capping fees for unlisted phone numbers or regulatory obligations of TSPs;
    • the CRTC may “prohibit or regulate the use by any person of the telecommunications facilities of a Canadian carrier for the provision of unsolicited telecommunications to the extent that the Commission considers it necessary to prevent undue inconvenience or nuisance;”
    • The CRTC not only regulates telecommunications services, but also telecommunications technologies. This is a significant regulatory power which allows the CRTC to ensure that privacy is built into technologies used by the telecommunications industry across Canada.
  4. In exercising its discretionary powers under the Telecommunications Act, the CRTC may apply higher standards to protect privacy than those contemplated by PIPEDA.30 In the context of the disclosure of confidential personal information by TSPs, the CRTC has consistently found that express consent, rather than implied consent, is appropriate, and expanded the forms of express consent in response to industry concerns.31 Under PIPEDA, implied consent may be allowed in certain circumstances, which is a lower privacy threshold for organizations to meet.

II. Responses to interrogatory questions:

1) Customers cannot rely on market forces to protect their privacy

(a) The CRTC acknowledges that market forces cannot adequately protect Privacy
  1. In its reports and decisions, a number of which pre-date PIPEDA’s coming into force in 2000, the CRTC has consistently recognized the importance of privacy to Canadians.
  2. In 1996, the CRTC submitted its Report to the Governor in Council on Directory Subscriber Listings and on Unlisted Number Service32. The Report sets out a list of applicable principles established by Industry Canada which must be taken into account: 33

    (1) Canadians value their privacy. Personal privacy considerations must be addressed explicitly in the provision, use and regulation of telecommunications services...

    (3) When telecommunications services that compromise personal privacy are introduced, appropriate measures must be taken to maintain the consumer's privacy at no extra cost unless there are compelling reasons for not doing so.

    (4) It is fundamental to privacy that there be limits to the collection, use and disclosure of personal information obtained by service providers and generated by telecommunications networks. Except where clearly in the public interest, or as authorized by law, such information should be collected, used and disclosed only with the express and informed consent of the persons involved.

  3. Considering these principles, the CRTC made the following findings in the Report:
    • In light of growing privacy concerns, the Commission will examine telephone company practices that might give subscribers more control over their listing as it appears in telephone directories…
    • The Commission also considers that the treatment of cellular listing information has created an expectation on the part of mobile wireless service subscribers that their telephone numbers will not be published or disclosed to third parties without express consent, and that no fee will apply for non-publication.
    • Accordingly, the Commission considers that the publication of mobile wireless numbers without the express consent of the subscribers would constitute a violation of the privacy principle requiring that, except where clearly in the public interest, information should be collected, used and disclosed only with the express and informed consent of the persons involved.
  4. While these principles and findings were applied and made in the context of reviewing Directory Subscriber Listings and Unlisted Number Services, they remain instructive in reviewing regulatory measures associated with confidential customer information and privacy.
  5. The CRTC has addressed privacy concerns in several decisions. The following are some privacy decisions that support using regulatory measures to protect confidential customer information and consumer privacy:
    • Telecom Decision 86-7 — The CRTC34 determined that telecommunications carriers should be prohibited from disclosing most information regarding a customer unless customer consent in writing is obtained or disclosure is legally required. This position was supported by the Privacy Commissioner at the time.
    • Telecom Decision 2003-33, as amended by Decision 2003-33-135 — The CRTC found that implied consent is not an appropriate type of consent for the disclosure to affiliates of confidential customer information other than the customer's name, address and listed telephone number. The Commission recognized, however, that it was appropriate to expand the list of acceptable means of obtaining express customer consent.36
    • Telecom Decision 2004-2737 — The CRTC directed all Canadian carriers, as a condition of providing telecommunications services, to include in their service contracts or other arrangements with resellers, the requirements that the resellers abide by the confidentiality provisions approved in previous decisions.
    • Telecom Decision CRTC 2006-15 — The CRTC expressly acknowledged that given the emergence of new technologies and electronic commerce facilitating the exchange and processing of information:

      “market forces, even buttressed by the provisions of the PIPED Act, are unlikely to sufficiently protect the privacy interests of customers in a forborne environment. The Commission considers, therefore, that the maintenance of the customer confidentiality provisions and the Commission's ability to use section 24 of the Act to address ongoing privacy issues in a forborne market is necessary.” 38

  6. The CRTC’s findings in Telecom Decision 2006-15 are more applicable than ever. The realities of today’s networked environment and the current demands of the electronic marketplace underscore the importance of the CRTC’s decision that continued regulation is necessary to protect privacy.
(b) Maintaining Confidentiality in Customer Information in the face of powerful data collecting technologies, data brokers, and criminal activity operating across borders
  1. As part of its public education mandate, the OPC has publicly emphasized that information technology is rapidly expanding, having a profound effect on an individual’s ability to control how others in other jurisdictions use his or her personal information.39 The OPC has argued in its amicus curiae brief in support of the US Federal Trade Commission’s position in a case before the US Tenth Circuit Court of Appeals against Abika/Accusearch, a transborder databroker alleged to have misused the personal information of both Canadians and Americans, that the borderless nature of the Internet has not only expanded the markets available to businesses, but has also allowed for the personal information of Canadians to be easily and indiscriminately collected, used and disclosed by domestic and foreign entities — with or without consent.40 The proliferating trade in confidential telephone records is an example of this growing phenomenon.
  2. The Privacy Commissioner of Canada herself has been the victim of the improper collection, use and disclosure of confidential telephone records. In November 2005, a Canadian magazine reporter purchased records of the Privacy Commissioner of Canada’s telephone calls from a US-based databroker, which was in the business of providing paying customers with access to personal information they requested about others, typically without individual consent. Upon an OPC-initiated investigation, it was determined that the US databroker obtained this information unlawfully from three of Canada’s largest telecommunications companies.41
  3. As the OPC argues in its amicus brief42, tangible harm can result from the collection, use and disclosure of personal information by organizations that actively sell personal information pertaining to individuals in Canada. Given the modern ability of “infomediaries” to correlate information from numerous disparate sources and the multiplicity of organizations that use such data brokers, personal information can make its way into a series of other databases accessible to others without authorization.
  4. Harm can result from the misuse of personal information, and regulatory agencies must be able to prevent these harms in order to protect consumers. Identity theft, other fraud and reputational damage can result from the indiscriminate and unlimited collection of personal information such as customer information. In 2006, almost 8000 victims reported losses of $16 million to PhoneBusters, the official Canadian Anti-fraud Call Centre.43 Citing statistics from the Canadian Council of Better Business Bureaus, the Canadian Department of Justice stated that identity theft may cost Canadian consumers, banks and credit card firms, stores and other businesses more than $2 billion annually.44 Setting and maintaining restrictions on the disclosure of customer information by TSPs are significant regulatory measures the CRTC can take to protect against these harms.

Conclusion

  1. We respectfully submit that removing regulatory measures safeguarding the confidentiality of customer information would diminish privacy protection in Canada. Eliminating these measures would deprive customers of TSPs of a significant avenue of redress before an expert decision-maker with significant powers to protect privacy under the Telecommunications Act. Continued protection for customer privacy will enhance, not burden, Internet information flows and e-commerce. Consumers are entitled to have their customer information handled appropriately, in ways that guard against the serious risks of financial and reputational damage, and intrusions from unsolicited telemarketing calls. We urge the CRTC to maintain its important role in protecting Canadians against these harms at a time when threats to privacy are ever increasing.

Sincerely,

Original signed by

Jennifer Stoddart
Privacy Commissioner of Canada


Endnotes

1 Order Issuing a Direction to the CRTC on Implementing the Canadian Telecommunications Policy Objectives, P.C. 2006-1534, 14 December 2006, pursuant to section 8 of the Telecommunications Act, S.C. 1993, c. 38 - http://laws.justice.gc.ca/en/ShowFullDoc/cs/T-3.4///en

2 Mandate and Mission of the OPC - http://www.priv.gc.ca/aboutUs/index_e.asp

3 Under the Privacy Act, Ch. P-21- http://laws.justice.gc.ca/en/P-21/index.html ; Personal Information Protection and Electronic Documents Act, 2000, c. 5 - http://laws.justice.gc.ca/en/ShowTdm/cs/P-8.6///en

4 Terms of Service, Item 10 of the General Tariff, Article 11 – Confidentiality of Customer Records, as set out in Review of the general regulations of the federally regulated terrestrial telecommunications common carriers, Telecom Decision CRTC 86-7, as amended by Telecom Order CRTC 86-593; Telecom Decision CRTC 2003-33-1; and Telecom Decision CRTC 2005-15

5 Publicly Available Information - SOR/2001-7 – December 13, 2000 - http://canadagazette.gc.ca/archives/p2/2001/2001-01-03/html/sor-dors7-eng.html

6 There is a long line of jurisprudence from the Supreme Court of Canada affirming that the right to privacy is worthy of constitutional protection: Hunter v. Southam Inc., [1984] 2 S.C.R. 145; R. v. Morgentaler, [1988] 1 S.C.R. 30; R. v. Dyment, [1988] 2 S.C.R. 417; R. v. Duarte, [1990] 1 S.C.R. 30; R. v. Hebert, [1990] 2 S.C.R. 151; R. v. Wong, [1990] 3 S.C.R. 36; R. v. Broyles, [1991] 3 S.C.R. 595; R. v. Osolin, [1993] 4 S.C.R. 595; Rodriguez v. British Columbia (Attorney General), [1993] 3 S.C.R. 519; R. v. Evans, [1996] 1 S.C.R. 8; R. v. Edwards, [1996] 1 S.C.R. 128; Godbout v. Longueuil (City), [1997] 3 S.C.R. 844; Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403; Aubry v. Éditions Vice-Versa, [1998] 1 S.C.R. 591; Lavigne v. Canada (Office of the Commissioner of Official Languages), [2002] 2 S.C.R. 773; Ruby v. Canada (Solicitor General), [2002] 4 S.C.R. 3; R. v. Tessling, [2004] 3 S.C.R. 432; R. v. A.M., 2008 SCC 19; R. v. Kang-Brown, 2008 SCC 18.

7 See, for example, s.184 (willfully intercepting private communications); s.342.1 (fraudulently acquiring the substance, meaning or purport of any function of a computer system); s.430(1.1) (mischief; willfully obstructing, interrupting or interfering with the lawful use of data or rendering data meaningless, useless or ineffective) Criminal Code, R.S.C. 1985, c. C-46.

8 Privacy Commissioner of Canada, Jennifer Stoddart, Annual Report to Parliament 2005-Report on the Personal Information Protection and Electronic Documents Act - http://www.priv.gc.ca/information/ar/200506/2005_pipeda_e.asp

9 News Release - Canadians concerned about giving retailers their personal information - Ottawa, July 3, 2008 - http://www.priv.gc.ca/media/nr-c/2008/nr-c_080703_e.asp  

10 The Personal Information Canadians Give to Retailers Final Report, Submitted to: The Office of the Privacy Commissioner of Canada, January 2008, Ipsos-Reid Corporation - http://www.priv.gc.ca/information/survey/2008/ipsos_2008_01_e.asp

11 Key Issues - On-Line Data Brokers - November 18, 2005 - http://www.priv.gc.ca/legislation/let/let_051118_e.asp

12 OPC Fact Sheet - Protecting Your Personal Information http://www.priv.gc.ca/fs-fi/02_05_d_12_e.asp

13 The Importance of Trust Canadian Marketing Association's 2004 National Convention & Trade Show - May 4, 2004, Ottawa, Ontario, Address by Jennifer Stoddart Privacy Commissioner of Canada - http://www.priv.gc.ca/speech/2004/sp-d_040504_e.asp

14 Review of the Internet traffic management practices of Internet service providers - Submission of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunications Commission (CRTC) - http://www.priv.gc.ca/information/pub/sub_crtc_090218_e.asp

15 Telecommunications Policy Review Panel, Ch. 6 Social Regulation http://www.telecomreview.ca/eic/site/tprp-gecrt.nsf/eng/rx00060.html

16 Englander v. Telus Communications Inc. 2004 FCA 387 at 79 - http://decisions.fca-caf.gc.ca/en/2004/2004fca387/2004fca387.html

17 Pursuant to the Telecommunications Act, S.C. 1993, c. 38

18 2000, c. 5

19 Supra, note 4.

20 R.S.,1985, c.P-21

21 2000, c. 5

22 OPC Guides: Your Privacy Rights: A Guide for Individuals to the Personal Information Protection and Electronic Documents Act http://www.priv.gc.ca/information/02_05_d_08_e.asp; and Your Privacy Responsibilities: A Guide for Businesses and Organizations to the Personal Information Protection and Electronic Documents Act http://www.priv.gc.ca/information/guide_e.asp

23 OPC Factsheet: Application of the Personal Information Protection and Electronic Documents Act to Employee Records http://www.priv.gc.ca/fs-fi/02_05_d_18_e.asp

24 State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada, 2009 NBCA 5 (CanLII) at para 16 - http://www.canlii.org/en/nb/nbca/doc/2009/2009nbca5/2009nbca5.html  

25 Section 3 of PIPEDA states as its purpose: “to establish, in an era in which technology increasingly facilitates the collection, use and disclosure of information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

26 Clause 4.3 of Schedule 1, and section 7 of PIPEDA listing the exceptions to the consent requirement. See also OPC - Determining the appropriate form of consent under the Personal Information Protection and Electronic Documents Act Fact Sheet - http://www.priv.gc.ca/fs-fi/02_05_d_24_e.asp

27 Ss 3 and 5(3) of PIPEDA; see also OPC Fact Sheet: Complying with the Personal Information Protection and Electronic Documents Act - http://www.priv.gc.ca/fs-fi/02_05_d_16_e.asp

28 About the CRTC - http://www.crtc.gc.ca/eng/backgrnd/brochures/b29903.htm. The CRTC also has jurisdiction to regulate and supervise the Canadian broadcast system under the Broadcast Act (1991, c. 11) - http://laws.justice.gc.ca/en/B-9.01/.

29 British Columbia Telephone Co. v. Shaw Cable Systems (B.C.) Ltd., [1995] 2 S.C.R. 739 at paras 30 and 33 - http://csc.lexum.umontreal.ca/en/1995/1995rcs2-739/1995rcs2-739.html; Englander v. Telus Communications Inc., 2004 FCA 387 (2004) at para 72 - http://decisions.fca-caf.gc.ca/en/2004/2004fca387/2004fca387.html. Decisions of the CRTC can be appealed to the Federal Court of Appeal on questions of law or jurisdiction: s. 64, Telecommunications Act.

30 Telecom Decision CRTC 2003-33, May 30, 2003.

31 Terms of Service, Item 10 of the General Tariff, Article 11 – Confidentiality of Customer Records, as set out in Review of the general regulations of the federally regulated terrestrial telecommunications common carriers, Telecom Decision CRTC 86-7, as amended by Telecom Order CRTC 86-593; Telecom Decision CRTC 2003-33-1; and Telecom Decision CRTC 2005-15

32 Report to the Governor in Council on Directory Subscriber Listings and on Unlisted Number Service, (A.B., Vol. 1, at page 182) http://www.crtc.gc.ca/eng/topics/telecom/governor.htm

33 Ibid, at 5 and CRTC Telecom Decision 95-14 http://crtc.gc.ca/eng/archive/1995%5CDT95-14.htm

34 Telecom decision 86-7 - review of the general regulations of the federally regulated terrestrial telecommunications common carriers - http://www.crtc.gc.ca/eng/archive/1986/DT86-7.HTM

35 Telecom Decision CRTC 2003-33-1- Confidentiality provisions of Canadian carriers - http://www.crtc.gc.ca/eng/archive/2003/dt2003-33-1.htm

36 Telecom Decision CRTC 2005-15 further directed Canadian carriers to modify their existing tariffs, customer contracts, and other arrangements to amend the list of acceptable methods of obtaining express consent as determined in Decision 2003-33-1.

37 Telecom Decision CRTC 2004-27 - Follow-up to Telecom Decision CRTC 2003-33 - Confidentiality provisions of Canadian carriers - http://www.crtc.gc.ca/eng/archive/2004/dt2004-27.htm

38 Telecom Decision CRTC 2005-15 - Part VII application to revise Article 11 of the Terms of Service, at paras 356, 358 and 366-67 - http://www.crtc.gc.ca/eng/archive/2005/dt2005-15.htm

39 The Unique Challenges to Privacy Rights Posed by the Internet and Other Emerging Technologies: Remarks at the Internet Law Conference The Second Wave: New Developments, Challenges and Strategies, March 27-28, 2008, Lisa Madelon Campbell and Daniel Caron, Legal Services, Policy and Parliamentary Affairs Branch - http://www.priv.gc.ca/speech/2008/sp-d_080327_lc_e.asp

40 OPC Key Issues: Online data brokers - http://www.priv.gc.ca/legislation/let/let_051118_e.asp. The databroker in this case is currently involved in litigation with the US Federal Trade Commission. The OPC has been granted leave to appear as amicus curiae in the case before the US Tenth Circuit Court of Appeals: Brief Of Jennifer Stoddart, Privacy Commissioner Of Canada As Amicus Curiae In Support Of Appellee And Affirmance Of The District Court Decision Case No. 08-8003 Accusearch, inc., d/b/a Abika.com, and Jay Patel, v. Federal Trade Commission http://www.priv.gc.ca/leg_c/08-8003_e.asp

41 PIPEDA Case Summary #372, Disclosures To Data Brokers Expose Weaknesses In Telecoms’ Safeguards http://www.priv.gc.ca/cfdc/2007/372_20070709_e.asp

42 Brief Of Jennifer Stoddart, Privacy Commissioner Of Canada As Amicus Curiae In Support Of Appellee And Affirmance Of The District Court Decision Case No. 08-8003 Accusearch, inc., d/b/a Abika.com, and Jay Patel, v. Federal Trade Commission http://www.priv.gc.ca/leg_c/08-8003_e.asp

43 The Canadian Anti-Fraud Call Centre - http://www.phonebusters.com/.

44 Identity Theft - Distinction between Identity Theft and Identity Fraud http://www.justice.gc.ca/eng/news-nouv/nr-cp/2007/doc_32179.html