Internet service provider accused of withholding e-mails sent to suspended account

PIPEDA Case Summary #2002-66

[Principles 4.3, 4.3.2, and 4.5, Schedule 1; section 5(3)]

Complaint

An individual complained that her internet service provider (ISP), by continuing to take in and store her e-mails while her account was under suspension and by withholding them from her pending payment of arrears, had improperly used her personal information without her knowledge and consent for a purpose other than that for which it had been collected.

Summary of Investigation

The ISP suspended the complainant's account twice for non-payment. After the second time, the complainant contacted the company in an effort to have her arrears waived. When a company representative told her that waiver was not possible, the complainant spoke of canceling her account. The representative claimed that she had understood the complainant's comments to be a threat rather than an instruction. The complainant did not subsequently confirm her intention.

The complainant obtained evidence that the ISP was still absorbing and withholding her e-mails. She contacted the ISP to inquire why it was continuing to do so even after she had cancelled her account. She also demanded the release of any stored e-mails. A representative informed her that her account was officially deemed to be still under suspension, not canceled, and that paying the arrears would allow her to reactivate the account and retrieve her stored e-mails.

The complainant objected to the practice of storing and denying access to e-mails in any case. With persistence, she managed to retrieve 24 stored e-mails from the ISP and to terminate her account without having to pay her arrears.

The ISP's position was that a suspension policy including storage and withholding of e-mails pending payment was an industry standard that a reasonable person would consider appropriate. The ISP contended that the complainant had consented to such policy and practice when she had signed the original service agreement. After the complaint, the ISP took steps to clarify its service agreement as it related to the suspension policy and practices; nevertheless, the company maintained that the original explanation had been clear enough for the complainant to understand.

It is indeed standard industry practice to continue receiving e-mails, to store them, and to deny the individual access to them while an account is under suspension. One of the larger ISPs, however, has recently abandoned this practice in favour of returning e-mails to senders with notification of non-delivery. The complainant's ISP objected to this alternative because of the alleged difficulty of phrasing a suitable notification.

Commissioner's Findings

Issued August 28, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because internet service providers are federal works, undertakings, or businesses as defined in the Act.

Application: Principles 4.3, 4.3.2, and 4.5, Schedule 1; section 5(3).

On the matter of the ISP's effort to inform the complainant, the Commissioner determined as follows:

• Although the ISP's current amended service agreement does explain the practice of storing and denying access to e-mails pending payment of arrears, the original agreement made no such effort. It gave the complainant no way of knowing how the company intended to handle her incoming e-mails during a suspension of her account.
• Contrary to the ISP's contention, the language of its original service agreement was not sufficient for the complainant's understanding and did not constitute a reasonable effort on the ISP's part to inform the complainant of purposes related to use of her personal information in the event of an account suspension.

The Commissioner found therefore that the ISP had been in contravention of Principles 4.3 and 4.3.2.

On the matter of consent to a purpose other than that for which personal information had been collected, the Commissioner determined as follows:

• Given the non-compliance with Principles 4.3 and 4.3.2, the ISP's original service agreement was not a sufficient basis for the complainant's knowledge and consent regarding the suspension policy and practices.
• Nor could the ISP's continued absorption, storage, and withholding of e-mails pending payment of arrears be in any reasonable sense deemed uses consistent with the purpose for which the company ordinarily collected e-mails on behalf of its clients.

The Commissioner found that the company, having used the complainant's personal information without her consent for purposes other than that for which it had been collected, was in contravention of Principle 4.5.

On the question whether the ISP had now brought itself into compliance with the provisions of the Act by explaining its suspension practices in a reasonably understandable manner, the Commissioner offered the following considerations:

• Under consideration is a valid contract between a company and a consenting customer.
• The company has promised in writing to provide the service of channeling communications for the individual for a fee, and has also stipulated in a reasonably understandable manner its practices related to the suspension of accounts.

The Commissioner found therefore that the company, having latterly taken steps to explain its account suspension practices in an understandable manner, was now in compliance with Principles 4.3, 4.3.2, 4.5 of Schedule 1 and with section 5(3) of the Act.

The Commissioner concluded that the complaint was well-founded.

Further Considerations

The Commissioner remained concerned about the implications of storing and withholding potentially important messages without informing the intended recipient of their existence or the sender of their non-delivery. The practice falsely leads the sender to believe that the message has gone through unimpeded. The Commissioner recommended, in the interests of best practice, that the ISP immediately cease collecting, storing, and denying access to, e-mails addressed to holders of accounts under suspension and adopt instead the practice of deflecting such e-mails back to the senders with notification to the effect that the messages could not be delivered. He also recommended that the ISP make provision for giving the holder of a suspended account access to any e-mails already received by the company, but still not retrieved by the customer, at the time the suspension took effect.