Review of the Internet traffic management practices of Internet service providers
Final reply of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunication Commission (CRTC)
In November 2008, the Canadian Radio-television and Telecommunication Commission (CRTC) initiated a public proceeding to review the Internet traffic management practices of Internet Service Providers (ISPs).
The CRTC called for written submissions in February 2009. The OPC welcomed the opportunity to contribute to the public discussion with respect to the protection of personal information on the Internet, and submitted comments.
As part of the review proceedings, the CRTC held public hearings from July 6 to 14 2009. All parties who submitted initial comments were invited to participate. Parties were also invited to submit a “final reply” to the proceedings by July 28th 2009. A final reply is intended to give the parties a last opportunity to address any issues raised during the proceedings. A final reply is also meant to ensure that the CRTC has the most complete record of relevant issues and evidence as possible upon which to ground any future policy direction, order or telecom decision relating to Internet traffic management.
The OPC’s submission and final reply are made pursuant to our legislative mandate to protect the privacy rights of individuals, foster public understanding of privacy, and promote the privacy protections available in Canada. Both OPC submissions to this proceeding are focused on the privacy implications about the potential uses of deep packet inspection (DPI) and more generally the crucial need - and growing expectation - of Canadians that their personal information is protected online.
July 28, 2009
Mr. Robert A. Morin
Canadian Radio-television and Telecommunications Commission
Dear Mr. Morin:
Re: Telecom Public Notice CRTC 2008-19 – Review of the Internet traffic management practices of Internet service providers; Final Reply Submission from the Office of the Privacy Commissioner of Canada
1. On February 18 2009, the Office of the Privacy Commissioner of Canada (OPC)Footnote 1 made a submissionFootnote 2 to the Canadian Radio-television and Telecommunications Commission (CRTC) as an interested party to the above proceedings. The OPC’s submission was made pursuant to its legislative mandate to protect the privacy rights of individuals and promote the privacy protections available to Canadians.Footnote 3
2. The OPC’s initial submission was focused on the privacy implications of Internet traffic management practices employed by internet service providers (ISPs). Specifically, the OPC’s comments addressed privacy concerns about the potential use of Deep Packet Inspection (DPI).
3. From July 6th to July 14th, 2009 the CRTC conducted 7 days of public hearings (the hearings) for the proceeding. The CRTC heard evidence from public interest advocacy groups, industry organizations, manufacturers of equipment and technologies used to manage networks, ISPs and interested individuals.
4. The CRTC has given parties the opportunity to respond to issues raised during the proceedings in a Final Reply. This submission serves as the OPC’s Final Reply to privacy issues raised by the CRTC Panel and parties that appeared at the hearings.
5. The OPC acknowledges that the ISPs and others gave evidence before the Hearing Panel that DPI is not currently used by operators for purposes other than network management. The ISPs stated that customer personal informationFootnote 4, that is being handled in Internet traffic management practices (ITMPs) such as DPI, is not being used for marketing purposes. Specifically, ISPs claimed that they do not engage in targeted or behavioural advertising using information obtained through DPI.
6. The Personal Information Protection and Electronic Documents Act (PIPEDA),Footnote 5 applies to personal informationFootnote 6 handled by ISPs in the course of providing Internet services to customers. PIPEDA requires that there be informed and meaningful consent for any purpose different from the original.
7. Our Final Reply will address the following:
- The CRTC has a statutory obligation and recognized expertise to protect privacy.
- PIPEDA provides a basic standard for privacy protection: The CRTC may set higher, industry specific guidelines.
- Privacy and legitimate business interests can be addressed using a balancing test: The example of OPC Findings under PIPEDA.
- Canadians care about personal privacy and are entitled to know how their personal information is being handled and protected.
I. The CRTC has a statutory obligation and recognized expertise to protect privacy.
8. According to Canadian telecommunications policy, the CRTC is required to safeguard the privacy of individuals and their communications. This policy is set out in paragraphs 7(a) and (i) of the Telecommunications Act: Footnote 7
7. It is hereby affirmed that telecommunications performs an essential role in the maintenance of Canada’s identity and sovereignty and that the Canadian telecommunications policy has as its objectives
(a) to facilitate the orderly development throughout Canada of a telecommunications system that serves to safeguard, enrich and strengthen the social and economic fabric of Canada and its regions;
(i) to contribute to the protection of the privacy of persons.
9. During the Hearings, a number of parties to the proceeding took the position that they preferred that the CRTC refrain from regulating the Internet traffic management practices of ISPs with respect to privacy. In response, the Panel reminded the parties that, under the Act, the CRTC not only has statutory authority to protect privacy, but indeed, an express obligation to do so, reflecting the intention of Parliament in its enabling legislation.
10. Moreover, the CRTC is a specialized, decision-making, tribunal with recognized expertise over telecommunications matters.Footnote 8 Bill C-27, the Electronic Commerce Protection Act (ECPA) currently before the Standing Committee on Industry, Science and Technology is an example of Parliament recognizing the specific expertise of both the OPC and the CRTC over areas of overlapping concern.Footnote 9 The CRTC has the institutional knowledge and experience to craft appropriate measures to encourage technological innovation and economic growth, within this industry, and ensure that the privacy of Internet users in Canada is respected.
II. PIPEDA provides a basic standard for privacy protection: The CRTC may set higher, industry specific guidelines.
11. In exercising its powers under the Telecommunications Act, the CRTC may apply higher standards to protect privacy than those contemplated by PIPEDA.Footnote 10
12. Our original submission noted that the CRTC and the OPC have recognized complementary statutory roles regarding privacy protection.Footnote 11 Their statutory roles are related, but not redundant. While the OPC and CRTC have overlapping jurisdiction with respect to both privacy protection and communications service providers,Footnote 12 their functions and powers differ significantly.
13. The Telecommunications Act is sector-specific. The Act enables the CRTC to create specific guidelines and regulations to address concerns within the industry. The Act gives the CRTC the ability to enhance privacy protection for Canadians. For example, under the Telecommunications Act, the CRTC has:
- the authority to make binding decisions and orders
- the ability to regulate both Internet services and the use of communications technologies used to deliver those services. This is a significant regulatory power which allows the CRTC to ensure that privacy is built into technologies used by the communications industry across Canada.
14. As noted by the Panel during the hearings, PIPEDA is, in contrast to the Telecommunications Act, a statute of general application. PIPEDA broadly applies to personal information collected by an organization in the course of commercial activity. The Act applies to organizations across diverse industries and in a wide variety of contexts.
15. PIPEDA represents a basic standard for how organizations should manage personal information. The CRTC, through its regulatory powers may exceed PIPEDA’s standard if, in their expert opinion, the proposed requirement is consistent with the public interest and Canadian telecommunications policy, as set out under the Telecommunications Act.Footnote 13
III. Privacy and legitimate business interests can be addressed using a balancing test: The example of OPC Findings under PIPEDA.
16. The legislative purpose of PIPEDA is to protect personal information while recognizing the reality of modern commerce, which, increasingly, is characterized by virtual, electronic transactions, propelled by rapid advances in information technology.Footnote 14
17. The bedrock of PIPEDA is individual consent, which can be express or implied, depending on the circumstances. Footnote 15 Even with consent, organizations must limit collection, use, and disclosure of personal information, for purposes that a reasonable person would consider appropriate under the circumstances.Footnote 16
18. The “reasonable person” test is central to privacy protection under PIPEDA and echoes the OakesFootnote 17 test developed by the Supreme Court of Canada.
19. The OPC has appliedFootnote 18 the reasonable person test, with its consideration of less privacy-invasive methods, as part of an overall assessment of reasonableness under PIPEDA. The test is applied contextually, on a case-by-case basis, to strike the appropriate balance between individual privacy concerns, and legitimate business interests.
20. From a privacy perspective, this approach is consistent with the Chair’s observations during the hearings.Footnote 19
IV. Canadians are concerned about privacy and are entitled to know how their personal information is being handled and protected.
21. Whether the collection, use, or disclosure of personal information is perceived as minimal, or conducted for a legitimate purpose in the ordinary course of business, it should be remembered that whenever personal information is implicated, the issue of privacy will be raised. This is also true in instances where an organization claims to merely “access” personal information using DPI, and not “monitor,” store or disclose that information for purposes other than network management.
22. Privacy is fundamentally a right from which other essential freedoms flow. The OPC’s initial submission for this proceeding cites extensive Canadian jurisprudence and statute law confirming this principle.Footnote 20 Members of the Panel repeatedly affirmed throughout the hearings that privacy is a fundamental right. Privacy has an inherent social and human value that transcends a singular regulatory regime or statute.
23. Canadians have mounting concerns about the preservation of privacy rights. They are entitled to have clear, easily accessible, and meaningful safeguards of their personal information, and how it is managed by ISPs implementing traffic management practices. They expect that their personal information will not be misused, and will be treated with a high standard of care by the organizations they choose to do business with, and that the public bodies tasked with the duty to protect their privacy, not hesitate to do so.
Original signed by
Privacy Commissioner of Canada
- Date modified: