Consultation regarding trends and future developments in television

Submission of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunications Commission (CRTC)

June 20th, 2014

John Traversy
Secretary General
Canadian Radio-television and Telecommunications Commission
Central Building
1 Promenade du Portage
Gatineau, Quebec K1A 0N2

Re: Broadcasting Notice of Consultation CRTC 2014-190 - Phase 3 of Let's Talk TV: A Conversation with Canadians

Dear Mr. Traversy:

1. On April 24, 2014 the CRTC released Broadcasting Notice of Consultation CRTC 2014-190.Footnote 1 The consultation notice requests information regarding trends and future developments in television, and comments on issues for possible approaches for a revised framework for the television system.

2. The Office of the Privacy Commissioner of Canada (OPC) makes this submission as an interested party to the proceedings, pursuant to its legislative mandateFootnote 2 to protect the privacy rights of individuals and promote the privacy protections available to Canadians.Footnote 3

3. The OPC is responsible for overseeing compliance with the Privacy Act, which applies to the personal information management practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private sector legislation. PIPEDA applies to organizations that collect, use, or disclose individuals' personal information in the course of commercial activity.Footnote 4

4. In our comments, which we are limiting to those issues that relate to our mandate, we will focus on the topic of enhanced audience measurement using set-top boxes (STBs).

5. We note that the information from STBs can contain very granular information about individual viewing habits. Given the scale and scope of the information collected by STBs, this information can reveal very detailed portraits of individuals. To the extent data collected relates to solely viewing habits of individuals, this could be personal information, and depending on the nature of the shows and content viewed, this information could be considered sensitive.

6. As such, it is crucial that the use of STBs to collect audience measurement data be implemented in a manner that is respectful of consumer privacy rights and accords with existing privacy laws.

7. Our submission will address first the question of whether STB audience measurement involves personal information, and then will consider the following questions raised in the consultation paper that have an implicit bearing on privacy and activities related to the role and mandate of our Office:

  • What methodology should be used to collect data for STB audience measurement?
  • If the Commission were to enable the collection and use of such data, what privacy protection methods should be established?
  • What type of STB model should be developed for the establishment of such a measurement system that maintains the privacy of individual Canadians?

What is personal information and how does it relate to STB audience measurement?

8. From a privacy perspective, the first issue that needs to be addressed is whether the information at issue is personal information. Generally speaking, personal information is information "about" an identifiable individual. "About" means that the information is not just the subject of something but also relates to or concerns the subject.Footnote 5 Information will be about an "identifiable individual" where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information.Footnote 6

9. For example, broadcasting distribution undertakings (BDUs) could have the capacity to link data from STBs back to individual subscribers. As such, even if data is collected in an anonymous fashion, it may still be "personal information" in the hands of BDUs.

10. In some instances, information involved with STB audience measurement is not necessarily restricted to television content viewed, but can be tied to purchasing habits.

11. Even if STB audience measurement information is "supposedly" anonymized, there remains the risk of possible re-identification. If there is a serious possibility that an individual could be identified through the use of anonymized information, alone or in combination with other information, that information would still be information about an "identifiable individual".

12. It is difficult to fully evaluate the privacy impacts of STB audience measurement given that little information has been provided about the nature and scale of the data that could be collected, who will be collecting it and with whom it may be shared. Depending on the nature of the shows and content viewed, an individual's viewing habits could be considered sensitive. Indeed, information could potentially involve sensitive topics, such as politics, religious affiliation, health issues, and sexual orientation.

13. In the event that an individual's television content viewing information is further combined with other information, the scale and scope of profiling and tracking can reveal even more detailed profiles, habits and preferences.

14. Therefore, in our view, the information that could be collected in STB audience measurement would likely be personal information under Canadian privacy legislation, and indeed could be considered quite sensitive personal information.

What methodology should be used to collect data for STB audience measurement?

15. To the extent that STB audience measurement involves the collection of personal information, it should only be done with the consent of the individuals concerned.

16. STB audience measurement should not only identify the types of personal information that will be collected, but should limit the types of information it collects to the purposes identified.

17. Should the information being collected, alone or in combination with other information, be sensitive, express consent to its collection, use and disclosure would be necessary. As well, consideration should be given to how individuals would supply or withdraw their consent.

If the Commission were to enable the collection and use of such data, what privacy protection methods should be established?

18. If the Commission were to enable the collection and use of such data, it is recommended that privacy protections take into consideration organizations' legislative privacy responsibilities and best practices for responsible information management practices.

Given the scale and scope of information potentially involved with STB audience measurement, and the risks associated with re-identification, these considerations include, but are not limited to:

  • a. Existing legislative requirements in Canada, including PIPEDA and substantially similar privacy legislation;
  • b. Obligations under the Privacy Act for those organizations subject to that Act.
  • c. The full range of collection, use and disclosure of personal information through the STB ecosystem. This would include information gathered through the technical architecture and shared/disclosed among stakeholders and third-parties;
  • d. Addressing accountability for personal information practices used for STB audience measurement;
  • e. Identification of the purposes of the collection, and clear communication of these purposes to individuals;
  • f. Limitations of STB audience measurement to purposes for which it was collected;
  • g. Limitations on the collection, use and disclosure of personal information;
  • h. Recognition that anonymous or de-identified information, when combined with information from other sources and databases, could produce data that can be linked back to identify specific individuals, and appropriate controls to mitigate such linkages;
  • i. Assessment of the sensitivity of the information involved with STB audience measurement, including commensurate measures for security and consent;
  • j. Clear and feasible mechanisms for individuals to provide, and withdraw, consent;
  • k. Appropriate safeguards, including technological security measures and controls;
  • l. Development of audit, program and operational controls to monitor risks and identify potential threats, including activities such as a privacy impact assessment and a technical risk analysis; and
  • m. Privacy training for employees, including how such training will be undertaken, delivered, and updated.

19. The OPC has developed a number of documents to help plan activities related to the protection of personal information. For example, the OPC, along with the Offices of the Information and Privacy Commissioners of Alberta and British Columbia, has developed a Self-Assessment Tool for Organizations for securing personal information.Footnote 7

This document highlights issues to support the responsible planning and implementation of securing personal information. These include, but are not limited to:

  • a. Risk management,
  • b. Security policies,
  • c. Human resources security,
  • d. Physical security,
  • e. Technical security,
  • f. Incident management, and
  • g. Business continuity planning.

20. In addition, the OPC, along with the Offices of the Information and Privacy Commissioners of Alberta and British Columbia, have also worked together to develop Getting Accountability Right with a Privacy Management Program.Footnote 8 This document provides guidance on what it means to be an accountable organization and outlines the steps to develop and strengthen an organization's privacy management program.

What type of STB model should be developed for the establishment of such a measurement system that maintains the privacy of individual Canadians?

21. In examining the privacy issues related to STB audience measurement, there are a number of factors that need to be scoped in order to fully assess the privacy risks and accountability measures. These include identifying the economic business model with respect to the information used in STB audience measurement, the data flows and stakeholders involved, the extent to which information would be combined with other data (including offline and online information of individuals), and the methods used to anonymize data.

22. If the CRTC develops frameworks for STB audience measurement, it is recommended that these frameworks recognize legislative privacy responsibilities, and limit the personal information collected, used, and disclosed throughout the initiative, including information disclosed to third parties.

Conclusion

23. While the OPC recognizes the role of innovation in encouraging economic growth, such growth requires respect for customers' personal data. Meeting obligations related to information and privacy rights is a catalyst for building trust and, as a result, encourages greater consumer participation in the digital economy.

24. Technological innovation solutions may often involve large amounts of information, especially information that combines offline and online activities. This can raise privacy considerations for Canadians, especially when there is the potential to include demographic, subscriber information, and sensitive information.

25. We look forward to learning how this matter will unfold in Canada, and we urge interested parties to build privacy protections upfront, and to clearly identify the governance structure. It is essential that parties in this system are held accountable for privacy protection, in keeping with Canadians' expectations.

26. Our Office appreciates the opportunity to respond to this consultation and the Commission's efforts to promote discussion on this issue.

Sincerely,

(Original signed by)

Daniel Therrien
Privacy Commissioner

Date modified: