411Numbers ceases practice of removing information for a fee
PIPEDA Findings #2019-005
March 25, 2019
Complaint under the Personal Information Protection and Electronic Documents Act (the Act or PIPEDA)
411Numbers is the operator of more than a dozen websites providing free access to telephone numbers and other associated information of individuals residing in Canada and other countries around the world. It generates revenues through advertising and (formerly) the collection of removal fees.
The complainant alleged that 411Numbers: (i) collected, used and disclosed his personal information (i.e., name, address and unlisted phone number) without his knowledge and consent by posting his personal information on its website; (ii) used his information for an inappropriate purpose, namely to generate revenue through a paid removal service; (iii) required individuals to provide more information than was necessary for the purposes of using the removal services; and (iv) was unresponsive to his privacy-related queries. The complainant’s personal information was removed from the website during the course of this investigation.
411Numbers asserted that our Office did not have jurisdiction to investigate this matter for reasons including that the company was incorporated under the laws of Hong Kong and its servers were located outside Canada. In our view, however, there was a real and substantial connection between 411Numbers’ operations and Canada, in respect of both Canadian and non-Canadian residents’ information.
411Numbers took the position that the information in question was “publicly available” such that it did not require consent to include the information on its websites. We found that name, address and telephone number published by a telecommunications company in a “white-pages” directory represents “publicly available” information pursuant to the Regulations Specifying Publicly Available Information, and, as such, the respondent does not require the consent of individuals to publish such information. In our view, however, the information associated with unlisted telephone numbers does not fit within the definition of “publicly available”, such that individuals’ consent was required. The organization had not obtained consent to collect, use and disclose that information.
During our investigation, 411Numbers ceased its practice of removing information for a fee, and as such, this element of the complaint was determined to be resolved.
With respect to the allegation of over-collection, individuals formerly had to provide copies of their passport, driver’s license and a utility bill to have their information removed from the website. We found this to be more than necessary for the purpose of verifying the name and address of an individual requesting the removal of their information from the listing service. Individuals now only need to complete an online form. We therefore considered this portion of the complaint to be resolved.
On the basis of 411Numbers’ commitments, our Office determined the matter to be well founded and conditionally resolved.
- The complainant raised four principal allegations. First, he alleged that 411Numbers HK Limited (411Numbers or the respondent) collected, used and disclosed his personal information without his knowledge and consent by posting his personal information on www.411numbers.ca. The information at issue was his contact details consisting of his name (first, middle and last), full mailing address, and unlisted telephone number.
- The complainant stated that his address and telephone number are not listed in the telephone directory, and that he did not consent to the disclosure of this information by 411Numbers.
- Second, he alleged that 411Numbers used his information for an inappropriate purpose, namely to generate revenue through its paid removal service.
- Third, he alleged that 411Numbers required individuals to provide more information than was necessary for the purposes of using its removal services, namely copies of the requestor's passport, driver's licence, and a utility bill.
- Finally, he alleged that he was unable to communicate with 411Numbers about his privacy concerns. He stated that when he attempted to write to the company using the email address on its website he did not receive a response.
Summary of Investigation
- The respondent operates websites that provide free access to local telephone directory information. In Canada, this information is provided through the www.411numbers.ca and www.411numbers-canada.com websites. The respondent also operates substantially similar websites for listings in Argentina, Australia, Belgium, Brazil, France, Germany, Italy, the Netherlands, Portugal, Spain, Switzerland and the United States (the country-specific websites). [Footnote 1]
- Specifically, 411Numbers offers users the ability to search the name, address or telephone number of an individual. If the information is available, 411Numbers provides the name, address and telephone number associated with the search.
- The respondent submitted that it generates revenues primarily through third party advertising on its websites. At the time our Office received the complaint, 411Numbers also generated revenue secondarily via the collection of removal fees, but it has since ceased this practice (see paragraphs 24-27 below).
- During the course of our investigation, 411Numbers informed our Office that it had removed the complainant’s personal information from its database, and that it had informed the complainant of this.
- While we were investigating this complaint, our Office also received similar complaints from other individuals who indicated that their unlisted telephone numbers were published on 411Numbers’ website without their consent. One of the complainants was a Canadian judge who feared that the publication of his address and telephone number put his family at risk. He had attempted several times to request the removal of his information directly from the respondent but was unsuccessful. The respondent did, however, remove the information after our Office intervened.
- We also received complaints from individuals in other countries concerned about their personal information being disclosed on the respondent’s country-specific websites without their consent. [Footnote 2]
- Finally, during the course of the investigation, our Office was contacted by the data protection authority for Berlin, Germany, about several complaints it had received in relation to the respondent’s paid and free removal services for its non-Canadian websites.
Connection to Canada
- 411Numbers is incorporated under the laws of Hong Kong. The company represented that its servers are located in the United States and Sweden, and that it does not purchase the data included on its websites from Canadian organizations.
- The company is, however, owned and operated by an individual residing in the province of Quebec, Canada. The respondent indicated that the company’s owner is also the company’s sole employee, performing his duties from his home in Quebec, despite representations on the respondent’s website referring to the 411Numbers “Team”, including a set of profiles of several individuals on the Team.
- At the time our Office received the complaint, the respondent was contracting with a company in Quebec for the purposes of mail receipt and forwarding. This company’s address was listed on 411Numbers’ websites as its contact address for enquiries. Shortly after we commenced our investigation, the respondent changed its contact address to that of another third-party mail-forwarding service located in Berlin, Germany. Mail sent to this contact address is forwarded to the respondent’s owner in Quebec.
Collection of Information
- The respondent maintained that the only personal information it collects, uses and discloses is the name, telephone number and address of individuals. 411Numbers informed our Office that, with respect to the information on its Canadian websites, it obtained the information exclusively from three foreign-based companies. For two of the companies, it paid for the databases, and, for the third, it stated that it obtained the information for free.
- 411Numbers represented that it does not know how these three organizations obtained the data in question, and that there was no contract in place surrounding the data acquisitions. We note that one of the companies from which 411Numbers claims to have purchased information appears to be a US data broker with a Better Business Bureau rating of “F”, the lowest possible rating. [Footnote 3]
Screening for Unlisted Numbers
- In order to screen the databases it acquired for its Canadian websites to ensure they did not include unlisted numbers, 411Numbers indicated that it proceeded with a manual sampling of the data (the information associated with approximately 1 000 phone numbers), by comparing the information to data found in other similar directories to ensure the same information was already available online (i.e. to identify and exclude unlisted numbers and associated data from public access on the websites). The respondent claimed that a subsequent automated sampling process was carried out involving approximately 100 000 entries, again to determine that the information in its database was otherwise available online. These sampling processes were not documented and, as of this date, are unverified.
- The respondent asserted that these sampling processes were the only way to monitor the content of its database since residential telephone service providers systematically refuse to disclose unlisted numbers to it. It further claimed that for this reason, 411Numbers cannot fully update its database to ensure no unlisted numbers are provided.
- The respondent took the position that paragraphs 7(1)(d), 7(2)(c.1) and 7(3)(h.1) of PIPEDA allow organizations to collect, use and disclose personal information about individuals without their consent where the information is publicly available and specified by the Regulations. More specifically, 411Numbers indicated that “personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory”, is “publicly available” information pursuant to paragraph 1(a) of the Regulations Specifying Publicly Available Information, SOR/2001-7 (the “Regulations”).
- 411Numbers supported its position by referring to the Federal Court of Appeal decision in Englander v. Telus Communications Inc., 2004 FCA 387 to the effect that telephone service providers are required to obtain the consent of subscribers before publishing all non-confidential numbers (i.e., those of subscribers who have not requested that their numbers be removed from directories), and that once published, the information in those directories becomes publicly available.
- 411Numbers further supported its position by referring to PIPEDA Case Summary 2002-38, indicating that our Office determined that white page listings consist of personal information to which the public has access and, as a result, the collection, use and/or disclosure of such information does not require the consent of the individual concerned.
- In support of its position that it did not require consent, the respondent also noted that it did not compile the information in its database, nor did it sort the information or add any information that would allow for the identification of an individual. Finally, the respondent added that it does not sell the information, nor does it disclose it to third parties (other than by way of the directory services offered through its websites).
Removal for a Fee
- The respondent informed our Office that, for approximately one year (from the end of May 2015 until May 2016), it offered a service whereby individuals could pay for the removal and de-indexing of their personal information.
- The respondent explained that the cost of this service varied from $0.99 to $14.99. It claimed that the fee was in relation to de-indexing the information from Google search results only (i.e., via a request to Google to de-index the page from its search results, claiming to be able to have de-indexing effected more quickly than individuals could themselves), not for the removal of the information from its websites or database, which was always free. It further claimed that the fee varied, depending on the costs associated with the actions required to complete the de-indexing process (i.e. the extent to which 411Numbers had to deal with Google). 411Numbers emphasized that it always offered individuals the option to request the removal of their personal information from its websites at no cost, and that this was unlike telephone service providers, which charge $2 per month to provide an unlisted number.
- However, a screenshot submitted by the complainant, of 411Numbers’ webpage advertising its paid removal service, entitled “Express Removal”, would appear to indicate that its paid service was not only for deindexing. The screenshot clearly indicates that the paid service, at a cost of $19.99, included the immediate removal of information from its database, in addition to the removal of the information in question from Google search results and other ancillary services (ongoing support, a guarantee, etc.). Furthermore, the screenshot indicates that the “Express Removal” service was contrasted with the “Standard Removal” service, which was free but was stated to take 2-3 weeks to process in comparison to the “instant” removal promised for the paid service.
- 411Numbers estimated that it had fulfilled about 350 paid removal requests with respect to its Canadian websites prior to ceasing that service in May 2016, although it claimed that copies of these requests were not retained.
Collection for Data Removal Services
- Documentation requirements associated with the respondent’s removal service have evolved since it first offered the service.
- The respondent explained that from mid-May 2015 until September 2015, anyone wishing to have their information removed from its website needed to access the removal page of the website, print a form, complete it and send it to 411Numbers along with copies of their passport, driver’s license and a utility bill. It claimed that copies of these records were required to verify the identity of the requestor. The respondent represented that no copies of any of the documents were retained by 411Numbers once the individual’s identity had been validated.
- Following an intervention by the Quebec Commission d’accès à l’information (the CAI), documentary evidence of which was provided to our Office, 411Numbers changed its practice to only require that individuals provide a copy of a recent utility bill containing their name and address in order to verify identities. The respondent maintained that these documents were not retained once the individual’s identity had been verified.
- In May 2016, in respect of its Canadian websites, 411Numbers ceased requiring any proof of identity for removal requests, which can now be submitted online.
- 411Numbers indicated that once a removal request is fulfilled, all of the information associated with that individual is removed from the website. The information is also removed from its database, with the exception of the phone number, which is retained in order to ensure that the information is not re-posted on its websites following periodic updates to the database.
- Although 411Numbers informed our Office that it does not maintain statistics surrounding the number of removal requests, it estimated that approximately 500 Canadians had made free removal requests since its online directory service was launched. 411Numbers estimated that, prior to September 2015, for at least 30 of the removal requests, individuals had provided copies of their passports, driver’s license and a utility bill. It further estimated that about 325 removal requests with respect to its Canadian websites, including requests from telephone service providers, had been granted. The respondent did not explain why the remaining requests were not granted. None of these estimates have been supported by any evidence.
Accountability, Openness and Challenging Compliance
- At the outset of the investigation, our Office encountered difficulties in obtaining information from the respondent. Although initial emails sent to the email address listed on the respondent’s website were answered, it was by individuals who appeared to not have knowledge of the respondent’s obligations under the Act. The emails were from individuals who identified themselves as “Legal Advisor” or “Support Supervisor” for the respondent, although, as noted above, the respondent indicated that it only had one employee.
- Despite multiple requests to these individuals, we were initially not provided with the name of a Chief Privacy Officer to whom we could send details of the complaint and then were later informed that the company did not have one. 411Numbers subsequently advised us that the respondent’s owner is responsible for privacy matters, including compliance with the Act.
- Also during our initial communications using the respondent’s main email address, a person who identified herself as a “Legal Advisor” for 411Numbers provided a contact telephone number that did not work, and eventually failed to respond to repeated requests for written representations in response to the complaint. It was only after a letter was directed to the respondent’s owner specifically, indicating that the OPC could invoke its formal production order powers, that the respondent provided a response to the complaint.
- The respondent indicated that it used a third-party service provider to administer its email system. In response to the complainant’s allegation that he could not contact the respondent, 411Numbers indicated that he had possibly used a wrong email address as it was unaware of any technical problems with the system. However, other complainants and our Office also encountered difficulties in communicating with the respondent through the email address on its website.
- In making our determination, we applied the following provisions of the Act: subsections 2(1) and 5(3), paragraphs 7(1)(d), (2)(c.1) and (3)(h.1), Principles 4.1, 4.1.2, 4.1.4, 4.3, 4.3.3, 4.8, 4.8.3 and 4.10 of Schedule 1 of the Act, and paragraph 1(a) of the Regulations.
- Subsection 2(1) defines personal information as information about an identifiable individual.
- Subsection 5(3) provides that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
- Principle 4.3 stipulates that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information except where inappropriate.
- Paragraphs 7(1)(d), 7(2)(c.1) and 7(3)(h.1) are exceptions to the consent requirement in Principle 4.3. Specifically, they permit the collection, use or disclosure without consent of information that is publicly available and is specified by the Regulations. The Regulations set out distinct classes of such information, including, under paragraph 1(a), personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public where the subscriber can refuse to have their personal information appear in the directory.
- Principle 4.3.3 maintains that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of the information beyond that required to fulfill the explicitly specified and legitimate purposes.
- Principle 4.1 provides that an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the Principles in Schedule 1.
- Principle 4.1.2 provides that the identity of the individual(s) designated by the organization to oversee the organization’s compliance with the Principles shall be made known upon request.
- Under Principle 4.1.4, an organization is required to, among other things, implement policies and practices to give effect to the Principles, including establishing procedures to receive and respond to complaints and inquiries, and training staff and communicating to staff information about the organization’s policies and practices.
- Principle 4.8 provides that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Principle 4.8.3 states that an organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.
- In accordance with Principle 4.10, an individual shall be able to address a challenge concerning compliance with the Principles in Schedule 1 to the designated individual or individuals accountable for the organization’s compliance.
- PIPEDA will apply to an organization that is based outside of Canada where there is nevertheless a “real and substantial” connection with the organization’s activities and this country. [Footnote 4]
- While the respondent is formally incorporated in Hong Kong and states that its servers are located outside of the country, its operations are in fact carried out from Canada by an individual who is the respondent’s sole owner and employee. The respondent’s directing mind is in Canada and the revenues generated by its websites flow to Canada. In the circumstances, this represents a real and substantial connection with Canada sufficient for the Act to apply, both in relation to its Canadian websites as well as its other country-specific websites.
- 411Numbers did not purport to have obtained the consent of individuals to collect, use and disclose their telephone numbers and associated information. In its view, the information is publicly available per the Regulations, such that consent is not required.
- We accept that “listed numbers”, and associated information, represent publicly available information within the meaning of the Regulations, such that consent is not required for its publishing on the respondent’s websites.
- Our Office has found that name, address and telephone number published by a telecommunications company in a “white-pages” directory (i.e., where subscribers can elect that their personal information not be included in the directory) represents publicly available information pursuant to paragraph 1(a) of the Regulations. [Footnote 5]
- This finding is consistent with an excerpt from the “Regulatory Impact Analysis Statement” that was prepared for the Regulations, [Footnote 6] which indicates that the intention of Parliament was to include “information from Directory Assistance or from online telephone directories that also provide individuals with a right of refusal to appear in the directory” in the Regulations. It further states that “Other directories, including those published on the internet, would qualify for the exemption if they are based on a telephone subscriber directory.” [Emphasis added]
- The focus of this investigation is, however, on 411Numbers’ collection, use and disclosure of personal information in relation to unlisted telephone numbers. The telephone numbers and associated names and addresses that are not currently listed in a “white pages” directory like that described in paragraph 55 above, do not fit within the definition of “publicly available” per subsection 1(a) of the Regulations. The respondent therefore cannot rely on the publicly available exception for its collection, use and disclosure of unlisted telephone numbers and associated information published on its directory service.
- It is clear from the evidence provided by the complainant and others who contacted our Office that the respondent has published unlisted numbers on its websites. It is also clear that the respondent has not exercised due diligence to ensure that its databases do not include unlisted numbers. For instance, the respondent did not know how the three companies referenced in paragraph 16 had acquired the information in question, or had acquired consent, and it did not take even basic steps to ensure that unlisted numbers were not included in the databases, such as entering into written contracts with the companies or requiring that they take steps to filter out unlisted numbers.
- While the respondent claims to have attempted to carry out some limited verification of the databases, this was inadequate and does not provide sufficient assurances that the databases do not include unlisted numbers. Furthermore, this claim is unverified and not supported by any evidence submitted.
- We also note that telephone directory information is not static. A customer can opt to have their information removed from the directory through the unlisted number service offered by their telecommunications service provider. Therefore an organization providing directory information must also take reasonable measures, in addition to vetting databases it acquires up front, to ensure on an ongoing basis that its directory is current and up-to-date and does not disclose unlisted numbers.
- The respondent argued that it is impossible for it to take additional steps to filter out unlisted numbers because telecommunications service providers refuse to provide it with the names of their customers who have subscribed to the unlisted number service. We would note, however, that it is nevertheless up to the respondent to ensure that it has developed a business model that can comply with the law. It cannot shift responsibility to third parties if its practices are non-compliant.
- The respondent also suggested that it is sufficient that individuals can request to remove their information from its site for free. However, individuals may not be aware that their personal information is on the respondent’s website. In the case of unlisted numbers, which individuals expect will be kept private, it is not reasonable to expect that they will search the web to discover if an organization with which they have no prior relationship is publishing their information.
- It is our view, therefore, that the respondent contravened Principle 4.3 as it published the complainant’s, and inevitably many others’, unlisted contact information without knowledge and consent.
Appropriate purpose – Removal for a fee
- We note that 411Numbers no longer offers its paid removal service on its websites. As such, this aspect of the complaint is now resolved. We would note, however, that the publication of personal information for the purposes of encouraging individuals to pay to have it removed would likely be considered to be inappropriate under s. 5(3) of the Act. Furthermore, charging for removal of information that was posted without the requisite consent would also likely be considered inappropriate.
Over-collection – Removal and de-indexing services
- As discussed above, 411Numbers explained to our Office that there were three phases to its practices surrounding removal requests (the first being in place at the time the complaint was received by our Office):

| PHASE | FREE REMOVAL | PAID REMOVAL |
| --- | --- | --- |
| May to September 2015 | Copy of passport, driver’s license and utility bill | Copy of passport, driver’s license and utility bill |
| September 2015 to May 2016 | Utility bill | Utility bill |
| May 2016 to present | Online request form without identification | N/A (service no longer provided) |

- In our view, the amount and type of information required during the first phase was clearly more than necessary for the purpose of verifying the name and address of an individual requesting the removal of their information from such a listing service. In this regard, 411Numbers was in violation of Principle 4.3.3 of Schedule 1 to PIPEDA.
- However, 411Numbers has since adjusted its practice to require no identification documents from individuals submitting a removal request.
Accountability, Openness and Challenging Compliance
- The complainant, other complainants, and our Office all experienced difficulty in communicating privacy concerns to the respondent. It appears that all communications on behalf of 411Numbers were carried out by the sole employee and owner of the website. Furthermore, the evidence suggests that this individual was insufficiently aware of the respondent’s obligations under the Act, including the importance of responding promptly and diligently to a privacy complaint and identifying the person at 411Numbers who is responsible for overseeing compliance with the Act when requested to do so.
- We are therefore of the view that the respondent has failed to meet its obligations with respect to accountability, openness and challenging compliance under Principles 4.1, 4.1.2, 4.1.4, 4.8, and 4.10.
Preliminary Report of Investigation
- In a Preliminary Report of Investigation (PRI), we made certain recommendations to 411Numbers with a view to allowing it to comply with its obligations under the Act. More specifically, we recommended that the respondent:
- (a) Remove the personal information of all individuals with unlisted phone numbers from each of its websites, including from all its country-specific websites. The respondent should submit to our Office a detailed plan on how it will achieve this within mutually acceptable timelines, including by providing an explanation as to how all unlisted numbers will be identified and associated information deleted from its database and websites. This plan should include measures to ensure that newly unlisted numbers are removed promptly and proactively on an ongoing basis;
- (b) Implement due diligence measures to ensure that any listings it obtains from third parties in the future do not contain unlisted numbers;
- (c) Develop the following measures to enhance its accountability, openness and ability to respond to individuals wishing to challenge its compliance with the Act and submit documentation thereof to our Office for our review and comment before implementation:
  - Put in place procedures to ensure that individuals can contact the respondent with privacy complaints and that such complaints are handled appropriately; and
  - Ensure that its customer service representatives receive adequate training with respect to the respondent’s obligations under PIPEDA and how to respond to privacy complaints.
- Subsequent to sharing our PRI, our Office confirmed with 411Numbers that the scope of recommendation (a) at para. 71 above included the removal of the personal information of all individuals with unlisted phone numbers, from each of its websites, including in respect of individuals residing outside Canada. We reiterated our view that there is a real and substantial connection between the practices in question and Canada, as detailed in para. 52 above. We noted additionally that Canadian laws, like PIPEDA, can apply to practices affecting individuals residing outside Canada, particularly where the benefits associated with those practices flow back to Canada.
411Numbers’ response to the Preliminary Report of Investigation
- Regarding recommendation (a) at para. 71 above, 411Numbers provided the following staged commitments to remove the personal information of all individuals, Canadian and non-Canadian, with unlisted phone numbers from each of its websites, including from all its country-specific websites (i.e., unlisted phone numbers, as well as associated personal information like names and addresses):
  - for the Canadian websites, it will remove the personal information associated with unlisted phone numbers within 90 days of receiving this Report of Findings, using software to compare its database with the most recent Canada411 listings;
  - for the websites associated with France, Germany, Italy, the Netherlands, Spain and the United States, it will either: (i) within 45 days of receiving this Report of Findings, remove all of the personal information associated with unlisted numbers; or (ii) if it determines that the requisite data cannot be identified and removed from one or more of those websites, shut those websites down within 30 days of receiving this Report of Findings; and
  - it will, within 10 days of receiving this Report of Findings, shut down the websites associated with Australia and Belgium.
Note: In response to this recommendation, Central and South American websites as well as those associated with Portugal and Switzerland were shut down prior to the issuance of this Report of Findings.
- 411Numbers agreed to provide, within 90 days of receiving this Report of Findings, proof that it has effectively removed all of the personal information associated with unlisted numbers. In this regard, 411Numbers committed to provide the OPC with: (i) a list of telephone numbers that have been removed from the websites; as well as (ii) a copy of the computer algorithm used to execute this commitment.
- Regarding recommendation (b) at para. 71 above, 411Numbers committed to verifying any listings obtained from third parties against Whitepages listings (i.e., listings known not to contain unlisted numbers), to remove the data associated with any unlisted numbers prior to integrating the listing into a website under its control.
- In terms of recommendation (c) at para. 71 above, 411Numbers committed to implement the following measures:
  - Have procedures in place, for all of the websites under its control, to receive and appropriately handle privacy complaints, and provide a copy of the procedures to the OPC within 60 days of receiving this Report of Findings.
  - Develop a training document that sets out 411Numbers’ obligations under PIPEDA and how to respond to privacy complaints, and ensure that all current and future employees receive adequate training in this regard. A copy of the training document will be provided to the OPC within 90 days of receiving this Report of Findings.
- Our Office has a continuing interest in ensuring that the respondent adopts the measures needed to bring it into compliance with the Act and follows through on the express commitments it has made to our Office in this regard. As such, we will be monitoring and reviewing the corrective actions the respondent has committed to undertake pursuant to the agreed upon timeframe. At such time, we will gauge whether the respondent has fully complied with the recommendations and, if necessary, we will address any outstanding concerns in accordance with our authorities under the Act.
- Given the respondent’s commitments as outlined above, our Office considers this matter well-founded and conditionally resolved.