Non-Parliamentary Submissions by the OPC on Privacy Issues
Review of the regulatory measures associated with confidential customer information and privacy
Submission of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunication Commission (CRTC)
In February 2009 the Canadian Radio-television and Telecommunications Commission (CRTC) called for written submissionson the appropriateness of continued regulatory measures to safeguard confidential customer information collected, used and disclosed by telecommunications service providers (TSPs).The deadline for submissions was 20 March 2009.
The Office of the Privacy Commissioner’s (OPC) submission calls on the CRTC to maintain requirements for TSPs to obtain express consent from customers when disclosing confidential customer information. The OPC also urged the CRTC to maintain its important regulatory role in protecting personal information at a time when the threats to privacy are ever increasing.
March 20, 2009
Mr. Robert A. Morin
Canadian Radio-television and Telecommunications Commission
Dear Mr. Morin:
Re: Telecom Public Notice CRTC 2009-71 - Review of the regulatory measures associated with confidential customer information and privacy; CRTC Reference: 8663-C12-200903387
- In December 2006, the Governor General in Council, on the recommendation of the Minister of Industry, issued a DirectionFootnote 1 to the Canadian Radio-television and Telecommunications Commission (CRTC) on Implementing Canadian Telecommunications Policy Objectives (the Policy Direction).
- In April 2008, the CRTC released Telecom Decision 2008-34 - Action Plan for reviewing social and other non-economic regulatory measures in light of the Policy Direction. The Action Plan identified regulatory measures associated with privacy safeguards and obligations as a general matter for review.
- Pursuant to the Action Plan, the CRTC issued Telecom Public Notice 2009-71 on 13 February, 2009, inviting submissions on the continued appropriateness of regulatory measures associated with customer confidentiality provisions and with other privacy safeguards and obligations.
- On 6 March 2009, the Office of the Privacy Commissioner of Canada (OPC) informed the CRTC of our intention to participate in these proceedings. We believe the proceedings raise significant issues with respect to the protection of the personal information of customers collected, used and disclosed by telecommunications service providers (TSPs).
- The OPC makes these submissions as an interested party to the proceedings, pursuant to its legislative mandateFootnote 2 to protect the privacy rights of individuals and promote the privacy protections available to Canadians.Footnote 3
- The OPC’s submissions focus on the pressing need for the CRTC to maintain regulatory measures to protect consumer privacy. Our submissions specifically call on the CRTC to maintain requirements for TSPs to obtain express consent from their customers to disclose their confidential customer information.
- The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to personal information handled by TSPs in the course of providing telecommunications services to customers. PIPEDA requires TSPs to obtain consent from individuals with respect to the collection, use and disclosure of their personal information. PIPEDA also provides individuals with access rights to their personal information and a complaint mechanism for alleged violations of the Act. This regime provides strong privacy protection for consumers.
- CRTC rules with respect to the disclosure of confidential customer information provide an important, additional layer of protection in safeguarding consumer privacy in the telecommunications industry. Under CRTC rules, nearly all TSPs are prohibited from disclosing confidential customer information without express consent. Footnote 4 Customer name, address and listed telephone number are not considered confidential customer information and are exempted from the consent requirement. This approach is consistent with the provisions relating to publicly available information under section 7 of PIPEDA and its regulations.Footnote 5
- Confidential customer information may include personal information such as:
- calling history (e.g. to whom, when and where a call is made, duration of call, calling patterns);
- billing history;
- banking information provided for payment transactions;
- unlisted phone numbers; and
- subscription to available telecommunications features and services.
- The OPC respectfully submits that the CRTC retain its existing regulatory measures to safeguard confidential customer information and protect consumer privacy given:
- increasingly powerful and sophisticated technologies that collect, process, store and disseminate vast amounts of personal information across borders;
- the unchecked, and potentially harmful practices of international databrokers;
- the significant harms to Canadians from ID theft and other fraudulent and criminal uses of personal information, and
- intrusions from unsolicited telemarketing calls.
- Privacy is often viewed as a fundamental human right and, arguably, the right from which many other essential freedoms flow: individual autonomy and decision-making, freedom of speech, freedom of association, and freedom of thought.Footnote 6 Criminal Code sanctions, together with privacy law requirements, have set strict limits on government action or private sector practices with regard to accessing private information.Footnote 7 Privacy is not a new public policy issue, but it is one that is attracting increasing wider public attention as the serious consequences of unlimited and uncontrolled collection and sharing of consumer personal information come to light.
- In her Annual Report to Parliament, the Privacy Commissioner of Canada stated that concern among Canadians about their loss of privacy and the misuse of their personal information has never been greater.Footnote 8 Public opinion research conducted by the OPC in 2008 revealed that more than half of Canadians are concerned about giving up their personal information to retailers.Footnote 9 Respondents cited a number of concerns, including the safety of putting information online, identity theft and fraud.Footnote 10 PIPEDA findings made by our Office regarding the activities of Online Data Brokers recognize the discomfort individuals have over the indiscriminate, non-consensual collection, use, and disclosure of personal information by profiling and data broker organizations.Footnote 11
- In this age of electronic information storage, dissemination, and data processing, personal information can be collected, shared and matched with a click of a button.Footnote 12 The Commissioner has noted in an address to the Canadian Marketing Association that Canadians are sensitive to how easily personal information such as a telephone number can be matched with other available personal information to create detailed consumer profiles that are shared or sold to telemarketers or other organizations without their appropriate consent, or knowledge.Footnote 13 The OPC detailed in its previous submissions to the CRTC regarding the privacy implications of deep packet inspection (DPI) the potential concerns about consumer tracking.Footnote 14 Of particular concern is that without adequate safeguards in place, consumer tracking data may fall into the wrong hands or be used for unanticipated purposes.
- Together with PIPEDA, the CRTC’s current regulatory measures safeguarding confidential customer information prevent a significant amount of consumer information from entering the unchecked international market in personal information. The CRTC’s rules and regulatory powers represent an important control Canadians depend on to protect their personal information.
- Our submissions will address the following:
I. CRTC and OPC Jurisdiction over Privacy is Complementary, not Redundant
- The OPC’s Jurisdiction and Statutory Role under PIPEDA
- The CRTC’s Jurisdiction and Statutory Role under the Telecommunications Act
II. Responses to interrogatory questions:
1) Customers of telecommunications service providers cannot rely on market forces to protect their privacy
- The CRTC acknowledges that market forces cannot adequately protect Privacy
- Maintaining Confidentiality in Customer Information in the face of powerful data collecting technologies, data brokers, and criminal activity operating across borders
I. CRTC and OPC Jurisdiction over Privacy is Complementary, not Redundant
- The CRTC and the OPC have complementary roles regarding privacy protection.Footnote 15 Their statutory roles are related, but not redundant. While the OPC and CRTC have overlapping jurisdiction with respect to privacy protection and TSPsFootnote 16, their functions and powers significantly differ.
- Regulatory measuresFootnote 17 regarding the confidentiality of customer information do not duplicate privacy protections under PIPEDAFootnote 18. PIPEDA broadly applies to personal information handled by an organization in the course of commercial activity. The Act applies to organizations across diverse industries, in a wide variety of contexts. In contrast, customer confidentiality requirements for TSPs providing regulated services are specific, prescribing the terms and conditions for disclosing confidential customer information.Footnote 19
a) OPC Jurisdiction and Statutory Role under PIPEDA
- The mandate of the OPC is to oversee compliance with the Privacy ActFootnote 20, which applies to the personal information handling practices of the federal government department and its agencies, and PIPEDAFootnote 21, Canada’s private sector privacy law. PIPEDA applies to organizations that collect, use and disclose personal information in the course of commercial activity. Footnote 22 PIPEDA covers the personal information of customers and employees of federal works, undertakings and businesses such as telecommunications companies.Footnote 23
- The Privacy Commissioner is primarily an Ombudsman. The Commissioner’s current role under PIPEDA mirrors that of the Privacy Act, which was designed to monitor the information handling practices of the federal government. In that role, the Commissioner tries to resolve individual complaints as well as Commissioner-initiated complaints made against private sector organizations under PIPEDA. The Commissioner has a variety of tools at her disposal to promote compliance with PIPEDA, including public education, research, audits, investigations, mediation, and in certain circumstances, litigation.
- In this two-stage process. the Commissioner makes findings on complaints, offering guidance and expertiseFootnote 24 on how PIPEDA applies to the day-to-day collection, use and disclosure of personal information by a wide range of organizations. The subject matter of the complaints is varied. They include workplace privacy, privacy of health information, financial confidentiality, secondary marketing practices and the transborder flow of personal information. Unresolved disputes can be taken to the Federal Court by the complainant or the Commissioner.
- The legislative purpose of PIPEDA is to protect personal data in a manner that recognizes the reality of modern commerce, which is increasingly characterized by virtual, electronic transactions, enabled by rapid advances in information technology.Footnote 25 The bedrock of PIPEDA is individual consent, which can be express or implied, depending on the circumstances.Footnote 26 Even with consent, organizations must limit collection, use and disclosure of personal information to purposes that a reasonable person would consider appropriate under the circumstances.Footnote 27 The “reasonable person” test is central to privacy protection under PIPEDA. The test is applied contextually in each case to strike the appropriate balance between individual privacy concerns and business interests.
- Section 4(3) of PIPEDA provides that the Act and its requirements take precedence over all subsequently enacted statutes, which include the Telecommunications Act and its regulations. It should be noted, however, that PIPEDA represents a basic standard for how organizations should handle personal information. The CRTC, through its regulatory measures may exceed PIPEDA’s standard if, in their expert opinion, it is consistent with the public interest and Canadian telecommunications policy as set out under the Telecommunications Act.
b) CRTC Jurisdiction and Statutory Role under the Telecommunications Act
- Under the Telecommunications Act, the CRTC’s mandate is to regulate and supervise the Canadian broadcasting and telecommunications systems to ensure that they serve the Canadian publicFootnote 28. The CRTC is a specialized, decision-making tribunal with recognized expertise over telecommunications matters.Footnote 29 In carrying out its responsibilities in both broadcasting and telecommunications, the CRTC must act in the public interest consistent with the statutes under which it operates.
- According to Canadian telecommunications policy, the CRTC is required to safeguard the privacy of individuals and their communications. This policy is set out in paragraphs 7(a) and (i) of the Act:
7. It is hereby affirmed that telecommunications performs an essential role in the maintenance of Canada’s identity and sovereignty and that the Canadian telecommunications policy has as its objectives
(a) to facilitate the orderly development throughout Canada of a telecommunications system that serves to safeguard, enrich and strengthen the social and economic fabric of Canada and its regions;…
(i) to contribute to the protection of the privacy of persons.
- Under the Act, the CRTC has the ability to enhance privacy protection in ways not available to the OPC. The following CRTC powers represent an important layer of privacy protection for Canadians:
- the authority to make binding decisions and orders relating to tariffs, such as capping fees for unlisted phone numbers or regulatory obligations of TSPs;
- the CRTC may “prohibit or regulate the use by any person of the telecommunications facilities of a Canadian carrier for the provision of unsolicited telecommunications to the extent that the Commission considers it necessary to prevent undue inconvenience or nuisance;”
- The CRTC not only regulates telecommunications services, but also telecommunications technologies. This is a significant regulatory power which allows the CRTC to ensure that privacy is built into technologies used by the telecommunications industry across Canada.
- In exercising its discretionary powers under the Telecommunications Act, CRTC may apply higher standards to protect privacy than those contemplated by PIPEDA.Footnote 30 In the context of the disclosure of confidential personal information by TSPs, the CRTC has consistently found that express consent, rather than implied consent is appropriate, and expanded the forms of express consent in response to industry concerns.Footnote 31 Under PIPEDA, implied consent may be allowed in certain circumstances, which is a lower privacy threshold for organizations to meet.
II. Responses to interrogatory questions:
1) Customers cannot rely on Market forces to protect their privacy
(a) The CRTC acknowledges that market forces cannot adequately protect Privacy
- In its reports and decisions, the CRTC has consistently recognized the importance of privacy to Canadians — a number of which pre-date PIPEDA’s coming into force in 2000.
- In 1996, the CRTC submitted its Report to the Governor in Council on Directory Subscriber Listings and on Unlisted Number ServiceFootnote 32. The Report sets out a list of applicable principles established by Industry Canada which must be taken into account: Footnote 33
(1) Canadians value their privacy. Personal privacy considerations must be addressed explicitly in the provision, use and regulation of telecommunications services...
(3) When telecommunications services that compromise personal privacy are introduced, appropriate measures must be taken to maintain the consumer's privacy at no extra cost unless there are compelling reasons for not doing so.
(4) It is fundamental to privacy that there be limits to the collection, use and disclosure of personal information obtained by service providers and generated by telecommunications networks. Except where clearly in the public interest, or as authorized by law, such information should be collected, used and disclosed only with the express and informed consent of the persons involved.
- Considering these principles, the CRTC made the following findings in the Report
- In light of growing privacy concerns, the Commission will examine telephone company practices that might give subscribers more control over their listing as it appears in telephone directories…
- The Commission also considers that the treatment of cellular listing information has created an expectation on the part of mobile wireless service subscribers that their telephone numbers will not be published or disclosed to third parties without express consent, and that no fee will apply for non-publication.
- Accordingly, the Commission considers that the publication of mobile wireless numbers without the express consent of the subscribers would constitute a violation of the privacy principle requiring that, except where clearly in the public interest, information should be collected, used and disclosed only with the express and informed consent of the persons involved.
- While these principles and findings were applied and made in the context of reviewing Directory Subscriber Listings and Unlisted Number Services, they remain instructive in reviewing regulatory measures associated with confidential customer information and privacy.
- The CRTC has addressed privacy concerns in several decisions. The following are some privacy decisions that support using regulatory measures to protect confidential customer information and consumer privacy:
- Telecom Decision 86-7 — The CRTCFootnote 34 determined that telecommunications carriers should be prohibited from disclosing most information regarding a customer unless customer consent in writing is obtained or disclosure is legally required. This position was supported the Privacy Commissioner at the time.
- Telecom Decision 2003-33, as amended by Decision 2003-33-1Footnote 35 — The CRTC found that implied consent is not an appropriate type of consent for the disclosure to affiliates of confidential customer information other than the customer's name, address and listed telephone number. The Commission recognized, however, that it was appropriate to expand the list of acceptable means of obtaining express customer consent.Footnote 36
- Telecom Decision 2004-27Footnote 37 — The CRTC directed all Canadian carriers, as a condition of providing telecommunications services, to include in their service contracts or other arrangements with resellers, the requirements that the resellers abide by the confidentiality provisions approved in previous decisions.
- Telecom Decision CRTC 2006-15 — The CRTC expressly acknowledged that given the emergence of new technologies and electronic commerce facilitating the exchange and processing of information:
“market forces, even buttressed by the provisions of the PIPED Act, are unlikely to sufficiently protect the privacy interests of customers in a forborne environment. The Commission considers, therefore, that the maintenance of the customer confidentiality provisions and the Commission's ability to use section 24 of the Act to address ongoing privacy issues in a forborne market is necessary.” Footnote 38
- The CRTC’s findings in Telecom Decision 2006-15 are more applicable than ever. The realities of today’s networked environment and the current demands of the electronic marketplace underscore the importance of the CRTC’s decision that continued regulation is necessary to protect privacy.
(b) Maintaining Confidentiality in Customer Information in the face of powerful data collecting technologies, data brokers, and criminal activity operating across borders
- As part of its public education mandate, the OPC has publicly emphasized that information technology is rapidly expanding, having a profound effect on an individual’s ability to control how others in other jurisdictions use his or her personal information.Footnote 39 The OPC has argued in its amicus curiae brief in support of the US Federal Trade Commission’s position in a case before the US Tenth Circuit Court of Appeals against Abika/Accusearch, a transborder databroker alleged to have misused the personal information of both Canadians and Americans, that the borderless nature of the Internet has not only expanded the markets available to businesses, but has also allowed for the personal information of Canadians to be easily and indiscriminately collected, used and disclosed by domestic and foreign entities — with or without consent.Footnote 40 The proliferating trade in confidential telephone records is an example of this growing phenomenon.
- The Privacy Commissioner of Canada herself has been the victim of the improper collection, use and disclosure of confidential telephone records. In November 2005, a Canadian magazine reporter purchased records of the Privacy Commissioner of Canada’s telephone calls from a US based databroker, which was in the business of providing paying customers with access to personal information they requested about others, typically without individual consent. Upon an OPC initiated investigation, it was determined that the US databroker obtained this information, unlawfully from three of Canada’s largest telecommunications companies. Footnote 41
- As the OPC argues in its amicus briefFootnote 42, tangible harm can result from the collection, use and disclosure of personal information by organizations that actively sell personal information pertaining to individuals in Canada. Given the modern ability of “infomediaries” to correlate information from numerous disparate sources and the multiplicity of organizations that use such data brokers, personal information can make its way into a series of other databases accessible to others without authorization.
- Harm can result from the misuse of personal information, and regulatory agencies must be able to prevent these harms in order to protect consumers. Identity theft, other fraud and reputational damage can result from the indiscriminate and unlimited collection of personal information such as customer information. In 2006, almost 8000 victims reported losses of $16 million to PhoneBusters, the official Canadian Anti-fraud Call Centre. Footnote 43 Citing statistics from the Canadian Council of Better Business Bureaus, the Canadian Department of Justice stated that identity theft may cost Canadian consumers, banks and credit card firms, stores and other businesses more than $2 billion annually.Footnote 44 Setting and maintaining restrictions on the disclosure of customer information by TSPs are significant regulatory measures the CRTC can take to protect against these harms.
- We respectfully submit that removing regulatory measures safeguarding the confidentiality of customer information would diminish privacy protection in Canada. Eliminating these measures would deprive customers of TSPs a significant avenue of redress before an expert decision-maker with significant powers to protect privacy under the Telecommunications Act. Continued protection for customer privacy will enhance, not burden, Internet information flows and e-commerce. Consumers are entitled to have their customer information handled appropriately, in ways that guard against the serious risks of financial and reputational damage, and intrusions from unsolicited telemarketing calls. We urge the CRTC to maintain its important role in protecting Canadians against these harms at a time when threats to privacy are ever increasing.
Original signed by
Privacy Commissioner of Canada