PIAC Research Shows Consumers Interested in Universal “Privacy Box”, More Options in Protecting Online Privacy

New PIAC Report: The Privacy Box: Enabling Consumer Choice and Meaningful Consent in Online Privacy
16 August 2017, OTTAWA – A new research report published by the Public Interest Advocacy Centre (PIAC) shows Canadians value their online privacy and would be interested in the development of a universal “Privacy Box” which would allow them to access standardized privacy settings for online services and applications.
Focus groups in English and French with internet users in Toronto and Ottawa showed many Canadians value privacy for privacy’s sake. Focus group participants were especially concerned about sharing of their information with third parties and the collection of certain types of sensitive information such as location, employment and sexual orientation. Many also felt that online tracking activities were not clearly disclosed.
“PIAC’s report shows that many consumers feel lost when it comes to their online privacy, even when many mainstream services publish privacy policies and some provide personal privacy settings,” said John Lawford, Executive Director and General Counsel to PIAC. “It is time to re-examine the effectiveness of current privacy policies and privacy tools.”
When presented with the concept of a “Privacy Box” initiative, focus group participants emphasized the importance of the right to be able to choose when to share their information and to determine how that information is used by or disclosed to third parties. They were also concerned about prohibiting the collection of information they believed was sensitive or private. Participants generally preferred a Privacy Box that was prominent, straightforward, and easy to understand, with a limited number of options.
Privacy Box Sample Design

“This research shows consumers are interested in a Privacy Box, a one-stop shop for key privacy settings and information which they could set and revisit anytime worry-free,” said Alysia Lau, Counsel, Regulatory and Public Policy to PIAC and author of the report. “All online companies should take these findings seriously.”
The report recommends the incorporation of privacy by design requirements into the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the allocation of public funding for privacy by design initiatives. The report also recommends that the Office of the Privacy Commissioner of Canada issue guidelines on the adoption and implementation of a Privacy Box, as well as a privacy by design standard, and that it re-examine the effectiveness of current privacy tools such as privacy policies and online user terms.
“Privacy by design has a bright future in protecting personal privacy. Policy makers must recognize this and provide the support and funding these initiatives need,” added Lau. “Online privacy will remain a critical consumer issue moving forward.”
 
Access the full report in English here.
Access the full report in French here.
 
The Public Interest Advocacy Centre has received funding from Innovation, Science and Economic Development Canada’s Contributions Program for Non-profit Consumer and Voluntary Organizations. The views expressed in this report are not necessarily those of Innovation, Science and Economic Development Canada or of the Government of Canada.
 
For more information please contact:
John Lawford
Executive Director & General Counsel
Public Interest Advocacy Centre (PIAC)
(613) 562-4002 ext. 25
jlawford@piac.ca
Alysia Lau
Barrister & Solicitor | Counsel, Regulatory and Public Policy
Public Interest Advocacy Centre (PIAC)
(613) 562-4002 ext. 38
alau@piac.ca

PIAC's Comments on the Office of the Privacy Commissioner of Canada's Discussion Paper on Privacy and Consent

Canadian consumers generally are not aware of and do not understand how information about their online activities is being collected and used. The problem is not that online businesses are unable to obtain consent, but that consumers’ personal information too often is being used without meaningful consent.
PIPEDA requires online businesses to obtain informed consent for the collection, use and disclosure of individuals’ personal information. Individuals’ privacy rights are undermined by accepting hollow ‘contractual-type’ consent. Requiring true informed consent serves the objectives of privacy law, including giving users confidence in sharing the information required to engage in online transactions, enhancing users’ informational self-determination, and giving effect to the preferences of users as consumers and as citizens.
Read PIAC’s Comments on the Office of the Privacy Commissioner of Canada’s Discussion Paper on Privacy and Consent.

Do the Watchers Need More Watching, New Report Asks

New PIAC report “Off the Grid:  Pinpointing Location-based Technologies and the Law”
OTTAWA, September 8, 2015 – Consumers need more effective privacy rules to protect the collection, use and disclosure of their location, says a new report released today by the Public Interest Advocacy Centre (PIAC). PIAC’s report, entitled “Off the Grid:  Pinpointing Location-based technologies and the Law,” examined whether Canada has sufficient protections in place to address the risks posed by location-based technologies (LBTs). The report also addressed whether Canadian consumers have sufficient disclosure regarding how and when telecommunications service providers collect and use location-based personal information.
“Location is highly unique, highly identifiable, and highly personal in nature, even when anonymized and aggregated,” said John Lawford, Executive Director and General Counsel at PIAC. “Given a general lack of transparency regarding the collection, use and disclosure of personal information, it is essential that consumers have a more effective legal framework to protect them from the rapid developments in information collection technology, especially those capturing location,” Lawford continued.
One of the report’s key findings is that the current privacy protections may not be sufficient for the purposes of balancing the privacy interests of individuals against location-based marketing and the provision of location-based services. A stronger default of privacy protection for location information, as seen in Europe, may therefore be required.
The report recommended a series of measures to the Office of the Privacy Commissioner of Canada (OPC), including the strict enforcement of the “appropriate purpose” and “specific purpose” provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), possible amendments to PIPEDA and further research into consumer awareness of mobile device location tracking. PIAC also recommended the Canadian Radio-television and Telecommunications Commission (CRTC) undertake a fact-finding process into the collection, use and disclosure of location information by telecommunications service providers (TSPs).
“At a minimum the OPC should produce guidance about the appropriate level of consent required for location-based information,” said Geoffrey White, External Counsel to PIAC, and the author of the report for PIAC. “In addition, a CRTC review of TSP privacy practices would inform Canadians which TSPs collect their subscribers’ location, and who is purchasing or sharing information about subscriber location from third parties,” White concluded.
 
To see the full report, please consult the following link:
OCA 2014-15 – Off the Grid – Location-based technologies and the law – Final Report
To view the report in French, please consult the following link:
OCA 2014-15 – Off the Grid – Location-based technologies and the law – Final Report_FR
 
PIAC received funding from Industry Canada’s Contributions Program for Non-Profit Consumer and Voluntary Organizations to prepare the report. The views expressed in the report are not necessarily those of Industry Canada or the Government of Canada.
 
For more information please contact:
John Lawford
Executive Director & General Counsel
Public Interest Advocacy Centre (PIAC)
(613) 562-4002 x25
lawford@piac.ca
www.piac.ca
Geoff White
External Counsel to PIAC
(613) 562-4002 x24

Privacy Commissioner: Bell’s approach to privacy a bad RAP

OTTAWA, April 7, 2015 – The Public Interest Advocacy Centre (PIAC) applauds findings released today by the Office of the Privacy Commissioner of Canada (OPC) regarding Bell Canada’s (Bell) collection and use of information about its customers for behavioural marketing under its “relevant ads program” (RAP).
In the fall of 2013, Bell announced it would be collecting and using customer information derived from its customers’ use of Bell services for the purposes of serving its customers targeted ads based on behavioural profiling.
The OPC received 170 complaints about the RAP from the public. In January 2014, PIAC, along with the Consumers’ Association of Canada (CAC), filed a formal complaint about Bell’s behavioural advertising to the Canadian Radio-television and Telecommunications Commission (CRTC), which regulates telecommunications companies, including Bell, and has the authority to impose specific privacy obligations on them.
In findings released today, the Privacy Commissioner found that Bell’s notifications to customers–given the vast scope of information being collected and its sensitivity–do not provide sufficient detail to form the basis of meaningful consent under federal privacy law. The OPC found that Bell should instead obtain express consent from its customers for the RAP. The Privacy Commissioner also acknowledged that the lawfulness of Bell’s practice under telecommunications law was still before the CRTC, and that the CRTC’s decision on PIAC and CAC’s applications could affect their analysis further.
PIAC and CAC had major concerns with Bell’s behavioural marketing program, concerns echoed in the OPC’s finding released today. “The Privacy Commissioner recognized that using the incredible amount of personal information available to telecommunications service providers for the new purpose of targeted advertising changes the fundamental relationship with those customers,” said Geoffrey White, Counsel to PIAC and CAC. As a result, he added, “At the very minimum, the law requires telecoms to obtain opt-in consent for behavioural advertising.”
In PIAC and CAC’s application to the CRTC about Bell’s RAP, the depth and breadth of Bell’s tracking and profiling of its customers came to light in a series of questions from the CRTC.
“There is no question that what Bell is doing, and how Bell is doing it, is inappropriate and today’s findings recognize that,” said John Lawford, Executive Director and Counsel to PIAC. “We look forward to the CRTC’s decision on our complaint, and are optimistic that the CRTC will impose further constraints on telcos looking to try to monetize the confidential information they collect from their customers as they communicate through the network.”
For more information about PIAC-CAC’s complaint to the CRTC click here.
For more information about the Privacy Commissioner’s findings click here.
For more information please contact:
Geoff White
Counsel for PIAC and CAC
(613) 612-1190
gwhite@piac.ca
John Lawford
Executive Director & General Counsel
Public Interest Advocacy Centre (PIAC)
(613) 562-4002 x25
Mobile: (613) 447-8125
lawford@piac.ca
www.piac.ca

Canadian Consumers Need More Protection Dealing with “Free” Services

OTTAWA, March 26, 2014 – Canadian consumers have little protection should they encounter a problem or become involved in a dispute with online free service providers, according to a report released today by the Public Interest Advocacy Centre (PIAC) entitled No Such Thing as a Free Lunch: Consumer Contracts and “Free” Services. The report points to the growing disparity of interests between companies offering free services and consumers: when companies seek methods to monetize their “free” businesses, consumers ultimately stand to lose.
“Current legislative and regulatory regimes fail to provide sufficient protection to Canadians using free online services,” noted John Lawford, PIAC’s Executive Director & General Counsel. Lawford continued, “Consumers shouldn’t have to gamble with their privacy each time they wish to send an email, connect with family or use an online storage solution.”
The report recommends an update to current provincial consumer protection laws so they apply to those accessing free services online that monetize user-provided value. The report also cited the need for amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) allowing the Office of the Privacy Commissioner the ability to investigate and enforce elements of Canada’s privacy regime through fines or mandatory orders. “As the potential for conflict between consumer and corporate interests grows, it is time to provide the Office of the Privacy Commissioner of Canada the necessary tools to protect Canadians using online services,” noted Jonathan Bishop, PIAC’s Research Analyst.
The report also called for a statutory breach of confidence tort allowing a user to make a claim against web companies that unnecessarily use private information gathered on their website. In addition, the report recommends creation of methods for assessing market power from a competition law perspective that can be applied to the online free services sector.
To see the full report, please consult the following link:

 

No Such Thing as a Free Lunch: Consumer Contracts and “Free” Services.
Download File: free_services.pdf [size: 0.61 mb]

 
To view the report in French, please consult the following link:

Un repas gratuit, ça n’existe pas : Les contrats de consommation et les services « gratuits »
Download File: free_services_fin_fr.pdf [size: 0.75 mb]

PIAC received funding from Industry Canada’s Contributions Program for Non-Profit Consumer and Voluntary Organizations to prepare the report. The views expressed in the report are not necessarily those of Industry Canada or the Government of Canada.
For more information please contact:
John Lawford
Executive Director & General Counsel
Public Interest Advocacy Centre (PIAC)
(613) 562-4002 x25
Mobile (613)447-8125
lawford@piac.ca
www.piac.ca
Jonathan Bishop
Research & Parliamentary Analyst
Public Interest Advocacy Centre (PIAC)
(613) 562-4002 x23
jbishop@piac.ca
www.piac.ca

CRTC asked to stop Bell Mobility’s “Relevant Ads” Program

OTTAWA – The Public Interest Advocacy Centre (PIAC) and the Consumers’ Association of Canada (CAC) today filed an application challenging Bell Canada’s collection, use and disclosure of customer information gathered from its own wireless customers for behavioural and other marketing.
The application, which was filed with the Canadian Radio-television and Telecommunications Commission (CRTC), argues that Bell’s unprecedented collection, use and disclosure of customer information for marketing is contrary to Canadian telecommunications policy – rules intended to protect Canadians’ privacy.
In November of 2013 Bell announced that it would begin, without customers’ express consent, to track a range of customer information known to Bell from that customer’s use of Bell’s own services (including age, gender, location, browsing history, app and device feature usage, TV viewing, and calling patterns) in order to deliver targeted ads to their Bell Mobility subscribers based on their behaviour.
“Bell has overstepped its role as a neutral provider of telecommunications services”, said John Lawford, PIAC’s Executive Director and General Counsel. “Canadians have every right to be concerned about their personal privacy when the company they pay for telephone, wireless, internet and TV service begins tracking and using information about them in this way.”
“Bell is trying to ‘double-dip’ by taking your subscription fees and then selling information based on your use of the services you just paid for”, said Bruce Cran, President of CAC. “It’s inappropriate – and asking that Canadians “opt-out” of this program they never asked for is wrong.”
PIAC invites all Canadians to submit comments on the PIAC/CAC application, which can be found at https://services.crtc.gc.ca/pub/TransferToWeb/2014/8665-P8-201400762.zip
For more information:
John Lawford
General Counsel and Executive Director
Public Interest Advocacy Centre
(613) 562-4002 x25
(613) 447-8125 (cell)
jlawford@piac.ca
Bruce Cran
President
Consumers’ Association of Canada
604-418-8359

PIAC Comments on the Draft Regulations to the Canadian Anti-Spam Legislation (CASL)

Canadian consumers have a direct and crucial interest in the timely and efficient implementation of the anti-spam regulations which have been the subject of this version of the proposed regulations as well as the prior version, which PIAC commented upon together with Option consommateurs. In this filing with Industry Canada, PIAC argues for prompt adoption of the regulations and cautions Industry Canada to monitor two potential consent loopholes that were introduced in response to industry lobbying.
Read the PIAC Comments on Anti-Spam Regulations CASL [pdf file: 0.06mb]

Commissioner’s Findings – Bell Mobility

Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada
112, rue Kent
Ottawa (Ontario)
K1A1H3
Tel.: (613) 995-8210
Telec: (613) 947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0216
Ms Philippa Lawson
Public Interest Advocacy Centre
1 Nicholas Street, Suite 1204 Ottawa, ON K1N7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against Bell Mobility under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Bell Mobility was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes. Specifically, you alleged that Bell Mobility was not bringing to the attention of its customers (a) its policy of sharing customer data with other Bell Canada affiliates for secondary marketing purposes and (b) the corresponding opportunity for customers to opt-out of such sharing.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any telecommunications company, such as Bell Mobility, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
You initially filed a complaint against Bell Canada. Some weeks later, you clarified to my Office that you had intended your complaint to apply to the information practices of Bell Canada’s affiliates as well. You may have assumed that Bell’s affiliates formed part of the Bell corporate entity. Bell’s affiliates are in fact separate corporate entities; moreover, only three of them are federal works, undertakings, or businesses subject to the Act. A separate complaint file has been opened for each of these three Bell affiliates that fall under my jurisdiction. Bell Mobility is one of the three.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be “…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about Bell Mobility’s customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:

  • It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
  • There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
  • Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
  • Companies commonly fall short of meeting this obligation in several ways:
    • reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
    • reliance on fine print buried in a long document;
    • failure to use clear, plain language understandable to the ordinary consumer;
    • failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
    • failure to provide an easily executable opting-out procedure.
  • The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.

Bell Mobility readily acknowledges that it does disclose customers’ personal information for marketing purposes to Bell ExpressVu, another Bell Canada affiliate that is subject to the Act. The information in question comprises contact data (i.e., name, mailing address, home and work telephone numbers, e-mail address), as well as indications of services or products purchased, average monthly billing, credit records, and complaint records. Bell Mobility’s disclosure of such information to Bell ExpressVu is limited at present, but is expected to increase in the future.
Bell Mobility also acknowledges that it does not itself actively seek, at the time an individual customer purchases a product or subscribes to a service, consent to disclosure of the customer’s personal information to Bell ExpressVu. Rather, like other Bell Canada affiliates, Bell Mobility relies upon the notion of “implied consent” as explained in Bell Canada’s privacy code, the “Bell Code of Fair Information Practices”. Bell Mobility and its sister affiliates have adopted as their own the parent company’s privacy policy and practices, as set out mainly in two documents – the 17-page Bell Code and the 9-page “Bell Customer Privacy Policy”.
The Bell Code defines implied consent as “consent that can reasonably be inferred from an individual’s action or inaction.” Clause 3.7 of the Code states as follows:
In general, the use of products and services by a customer… constitutes implied consent for the Bell companies to collect, use and disclose personal information for all identified purposes.
As far as the exchange with Bell ExpressVu in particular is concerned, Bell Mobility takes clause 3.7 to mean that, if a customer obtains a product or service at Bell Mobility, he or she implicitly consents to having personal information disclosed to Bell ExpressVu.
The Code does identify the “Bell companies” in question and sets out five general purposes for their collection of personal information, including “To develop, enhance, market or provide products and services.” However, the Code does not indicate that this or any other of the purposes applies specifically to disclosures of information between Bell companies and indeed does not specify that the companies disclose customers’ personal information to one another. On being asked to explain this omission, Bell Canada maintained that such disclosure is implicit in the treatment of the Bell companies collectively as a single organization for the purpose of the Code.
Bell Canada’s Privacy Policy does assign a purpose specifically to disclosures of personal information between Bell Companies, as follows:
The purpose for sharing information among the Bell companies is to help us identify your information, communication and entertainment needs, and provide you with relevant information, advice, and solutions.
It is to be noted, however, that this purpose is not identical with any of the five stated in the Bell Code. It seems closest in meaning to “To develop, enhance, market or provide products and services”, but the verb “market” is conspicuously absent.
Bell Canada communicates its privacy policy and practices to customers through mail-outs (e.g., inserts in telephone bills), the white pages of the telephone directory, websites, and literature made available at Bell World stores. In the year 2000, a brochure entitled “The Bell Privacy Policy and You” was mailed out as a bill insert to all Bell customers.
That brochure included a notification to the effect that customers who did not wish to have their personal information disclosed among Bell companies (listed in the brochure) could withdraw consent by calling Bell Canada at the number shown on bills or electronically via Bell’s various websites. The brochure also stated that customers could view or obtain copies of the Bell Code and Privacy Policy by the same means.
Bell Canada’s white-pages telephone directory likewise informs customers that, if they wish to view or obtain a copy of the Bell Code or Privacy Policy, or if they have concerns about their privacy, they may contact one of the Bell websites or call the number on their telephone bill. However, the directory does not indicate any method or possibility of opting-out of information disclosures among the Bell companies.
The Bell Canada website contains the Bell Code and Privacy Policy as well as other privacy-related information, including instructions on opting-out of information disclosure among the Bell companies and an electronic opt-out form to be used for that purpose. Bell Mobility’s website links back to the Bell Canada site and is thus also linked indirectly to the privacy-related information and the electronic opt-out form. However, although Bell Mobility accepts opt-outs from its customers via this electronic form as well as by telephone or in writing, its own website makes no direct reference to an opportunity or method of opting-out or even to the practice of sharing information with other Bell affiliates. Nor does Bell Mobility, in any other situation or manner, make a point of advertising these optional considerations to its customers.
Nevertheless, on the basis of the information provided in Bell Canada’s privacy-related communications materials, notably the Bell Code and Privacy Policy, Bell Mobility has taken the position that its own customers are duly informed, in accordance with Principle 4.3.2 of Schedule 1 to the Act, both of the purposes for which personal information will be used and disclosed, and of the opportunity for easily opting-out of the specific practice of information disclosure among affiliates. Furthermore, Bell Mobility contends that the disclosure of personal information among common-branded companies providing a range of related communications services is consistent with the reasonable expectations of its customers as contemplated under Principle 4.3.5.
On the basis of these facts, I am required to determine whether Bell Mobility is in compliance with Principles 4.2.3, 4.3, and 4.3.1 of Schedule 1 to the Act. In this case, where the central issue is consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.2.3 states that identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.1 states, in part, that an organization will typically seek consent for the use or disclosure of the information at the time of collection. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
I will begin by stating that I consider your expectations regarding consent, as you have expressed them in your submission, to be entirely reasonable and in keeping with the Act. First and foremost, I note that Principles 4.2.3 and 4.3.1 clearly support your expectation that an organization should not merely make policy documents generally available, but should actually bring to the attention of the individual at the time of collection its purposes for collecting, using, and disclosing personal information. When an organization collects personal information during an application, subscription, or purchasing process, it should take reasonable steps during the same process to specify to the individual, and seek the individual’s express consent for, any intended secondary uses or disclosures. It follows that the organization should be prepared to provide the individual, on the spot, with whatever information he or she may require to make a knowledgeable consent decision. In such situations, I consider it entirely reasonable, as you have suggested, for an individual to expect not to have to seek out or otherwise rely upon information that is not immediately at hand.
I also consider it only reasonable for the individual to expect to be informed, likewise during the same process, of the opportunity and a convenient method for withdrawing consent.
Finally, where an organization intends to disclose personal information that the individual is likely to consider sensitive, such as credit records and complaint records, I consider it reasonable for the individual to expect to be consulted directly and positively in the matter of consent. In such a situation, the organization should use positive or “opt-in” consent rather than the negative option.
It is obvious that, in relying wholly upon its parent company’s notion of implied consent, Bell Mobility does not meet the reasonable expectations described above and deemed relevant under Principle 4.3.5. At the time of collecting a customer’s personal information during a subscription or purchasing process, Bell Mobility does not supply the customer with information about its intention to disclose personal information to its sister affiliate Bell ExpressVu, to obtain the customer’s consent for such disclosure, or to notify the customer of the opportunity and method of opting-out of such disclosure. It is not reasonable for Bell Mobility to rely upon the presumption of the customer’s knowledge and consent on the basis of general policy documents that it has not itself brought directly to the attention of the customer.
I find therefore that Bell Mobility has failed to comply with Principles 4.2.3 and 4.3.1 and, having failed to meet the individual’s reasonable expectations regarding consent as deemed relevant under Principle 4.3.5, is also in contravention of Principle 4.3.
Accordingly, I conclude that your complaint is well-founded.
I am recommending that Bell Mobility, at the time of collecting personal information from any customer during a subscription or purchasing process, directly inform the individual customer of the purposes for which personal information is collected and seek his or her consent for intended uses and disclosures. In implementing this recommendation, Bell Mobility should ensure that:

  • purposes are stated in such a manner that the customer can reasonably understand how personal information is to be used or disclosed, in accordance with Principle 4.3.2 of Schedule 1;
  • intended uses and disclosures are well-defined especially in respect of
    • the items or types of information to be used or disclosed;
    • the parties to which information is to be disclosed; and
    • the purposes for which information is to be disclosed (e.g., direct marketing);
  • the customer is directly notified of the opportunity to withdraw consent to specific optional purposes (e.g., direct marketing); and
  • the customer is provided with, and directly notified of, an easy, immediate, and inexpensive means of opting-out (e.g., a check-off box or toll-free telephone number).

I am also recommending that Bell Mobility, at the time of collecting personal information during a subscription or purchasing process, provide individual customers with an opt-in consent form relating specifically to disclosures to Bell ExpressVu and to any other party to which Bell Mobility intends to disclose personal information of a potentially sensitive nature, such as credit information.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A OH9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
Yours sincerely,
George Radwanski
Privacy Commissioner of Canada
 

PIAC Complaint Upheld: Privacy Commissioner Finds Social Network Must Respect Teen Privacy

FOR IMMEDIATE RELEASE
Attention: News and Business Editors
March 1, 2012
(OTTAWA)— The decision released today by the Office of the Privacy Commissioner of Canada, which finds that the privacy practices of popular youth-oriented social networking site Nexopia.com Inc. are in violation of Canadian privacy law, comes in response to a complaint filed over two years ago by the Public Interest Advocacy Centre (PIAC).
PIAC, a consumer advocacy group based in Ottawa, applauded the Office of the Privacy Commissioner of Canada’s decision concerning Nexopia.com Inc. (Nexopia) under the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Commissioner’s decision upheld all of PIAC’s concerns and issued 24 recommendations to Nexopia to improve the privacy of their teen social networking users.
“The Privacy Commissioner’s finding tells social networking sites with teen users that these services must create spaces for expression that are privacy-respecting and give real control to teens over their online privacy,” said John Lawford, co-counsel for PIAC on the complaint.
The Office of the Privacy Commissioner of Canada agreed with PIAC, finding that Nexopia’s default privacy settings, which share all user profile information with the whole internet, do not properly consider the reasonable expectations of its users under the age of 18.
The Privacy Commissioner also found that Nexopia violated Canadian privacy law with respect to its collection, use and disclosure of personal information collected at registration, sharing personal information with advertisers and other third parties and the retention of personal information of users and visitors. Nexopia has agreed to implement corrective measures in relation to 20 of the Privacy Commissioner’s recommendations. Nexopia has agreed to change its default privacy settings to share profile information only with users’ “friends” on the site by June 30, 2012.
“This is a huge step forward for online youth privacy,” said Janet Lo, co-counsel for PIAC on the complaint. “We are pleased that Nexopia has stated it will change its system to respect Canadian privacy law moving forward. We are, however, disappointed that Nexopia has said it will not comply with the Privacy Commissioner’s recommendations to change its data retention practices. Nexopia insists on archiving the personal information of its users indefinitely, even after a user deletes his or her account.”
PIAC is a non-profit organization that provides legal and research services on behalf of consumer interests, and, in particular, vulnerable consumer interests, concerning the provision of important public services.
The Office of the Privacy Commissioner of Canada’s finding is found at: PIPEDA Report of Findings #2012-001
A redacted version of PIAC’s original complaint filed January 18, 2012 can be found at Nexopia_Complaint_FINAL2_redacted
For more information, please contact:
Janet Lo
Counsel
Public Interest Advocacy Centre
Ottawa, ON K1N 7B7
(613) 562-4002×24
(613) 562-0007 (Fax)
jlo@piac.ca
John Lawford
Counsel
Public Interest Advocacy Centre
ONE Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
(613) 562-4002×25
(613) 562-0007 (Fax)
jlawford@piac.ca

Lawful Access Legislation Lacks Safeguards

Press Release

FOR IMMEDIATE RELEASE
 
February 14, 2012
OTTAWA – The Government’s “lawful access” bill lacks essential safeguards to protect consumers’ privacy, the Public Interest Advocacy Centre (PIAC) warned today. The short-titled Protecting Children from Internet Predators Act, Bill C-30, introduced today in Parliament, has weak oversight mechanisms and permits indiscriminate “fishing expeditions” into consumers’ internet use for any offence, according to PIAC.
“Now is the time for Canadians to tell their MPs that the new surveillance tools introduced in this bill are intrusive and their use has to be carefully scrutinized to ensure they are only used for serious crimes and where there is some basis for suspicion. As written, the bill permits abuse of the tools in the name of general law enforcement,” says John Lawford, counsel for PIAC, an Ottawa-based non-profit organization that provides legal representation, research and advocacy on behalf of consumers.
The bill provides police and security agencies access to consumers’ “subscriber information” such as e-mail and IP address, without a warrant. “This is not phonebook information that is being accessed,” added Lawford, “these identifiers have never been publicly available at the consumer level. Therefore accessing them, and the further information that they lead to, is not appropriate without a warrant because Canadians don’t expect such monitoring of their internet use by the state.”
PIAC calls on the Parliamentary committee that will be studying Bill C-30 to consider substantive amendments to ensure stronger oversight of these new powers and to add appropriate suspicion-based criteria for access to subscriber internet identifiers.
PIAC is also a member of the “Stop Online Spying” (SOS) coalition of consumer and civil liberties groups that have additional specific concerns with the lawful access legislation, such as its cost to consumers and its potential negative effect on network security. Anyone wishing to join the coalition or sign the SOS petition should visit www.stopspying.ca. Consumers are also invited to call or write their Member of Parliament to express their views on the legislation and to encourage others to do so.
For more information:
John Lawford
Counsel
Public Interest Advocacy Centre
ONE Nicholas Street, Suite 1204
Ottawa, Ontario
K1N 7B7
(613) 562-4002×25
(613) 562-0007 (Fax)
jlawford@piac.ca
