PIAC Position Paper on Digital Contact Tracing Technologies
As part of PIAC’s filing a CRTC Part 1 Application Regarding “COVID Alert” App, “ABTraceTogether” App and Related Matters, we filed in the Appendix a Position Paper, giving full exploration of digital contact tracing technologies (DCTTs). To make this document, A “Privacy-First” Canadian Public Policy Approach to Digital Contact Tracing Technology (“DCTT”) Related to COVID-19 & Future Pandemics, more visible, we have separated this document out at this link. This study was prepared by Deborah Smith-Webber, external counsel to PIAC.
PIAC also has discussed our Application to the CRTC regarding COVID Alert and ABTraceTogether, among other DCTTs, in our first “We Fight for That” podcast, which is available for download now. Please subscribe! We are also preparing our next podcast to update you on the status of this Application.
Revised Letter Findings – Privacy Commissioner Response to PIAC Response
Dear Mr. Lawford,
The Assistant Privacy Commissioner, Heather Black, has asked that I respond on her behalf to your November 14, 2003 letter regarding the revised letters of finding in files #6100-0216, and #6100-0217. I must say, at the outset, that this is a highly unusual situation. Upon receipt of the original letters of finding, Bell Canada approached our Office on behalf of its subsidiaries and provided prima facie evidence that some of the facts determined through our investigation were inaccurate. It also advised that it had been prejudiced in its relationships with its regulator, the CRTC, because the findings in the complaint against Mobility had become a matter of public record. Bell indicated that Mobility is subject to the Article 11 restriction discussed in the revised letter of finding, and that it complies fully
with that restriction.
The former Privacy Commissioner made a commitment to Bell that our Office would conduct new investigations to determine if there had indeed been any errors in determining the facts. We decided that there was no need to invite further representations from the parties, since it was uncontested that Mobility is subject to the Article 11 restriction, and since the outcome in the complaint against ExpressVu was the same as in the original finding.
In hindsight, I acknowledge that we should have contacted PIAC to inform it that new letters of finding would be issued. I apologize for the oversight. I am pleased to read from your letter that PIAC was generally pleased with our Office’s approach.
Having set out the circumstances of these particular complaints, I would hasten to add that we do not anticipate having to deal with such an anomalous situation again. In the ordinary course of events, the OPC considers itself functus once a letter of finding has been issued.
Gerald Neary
Director General
Investigations and Inquiries
Revised Letter Findings – PIAC Response to Revised Complaint Findings
Ms. Heather Black Assistant Privacy Commissioner of Canada 112 Kent Street Ottawa, Ontario K1A 1H3
BY EMAIL and MAIL Dear Assistant Commissioner Black:
Revised Letter Findings re: Inadequate Approaches to Opt-out Consent
I am writing on behalf of the Public Interest Advocacy Centre (PIAC) regarding Revised Letter Findings 6100-0216 and 6100-0217, dated November 7, 2003.
We were somewhat surprised that the OPC had undertaken to review these matters and issue a revised decision. There is no indication in the file that PIAC nor Ms. Lawson were contacted as to the “further detailed inquiries” or “additional information” into Bell Mobility and Bell ExpressVu’s practices. To our knowledge, neither Ms. Lawson nor PIAC were invited to comment any further with regard to these inquiries.
PIAC feels very strongly about the issue of inadequate opportunities for consumers to opt-out in situations of implied consent. These matters dealt directly with these questions, and while we were generally pleased with the approach you took to these issues in these revised letter findings, we would have appreciated notice and an opportunity to comment prior to any new decisions.
We also are interested at what point after the OPC makes an initial letter decision that it considers itself functus.
Sincerely,
Original Signed
John Lawford Barrister & Solicitor Research Analyst
cc: Bell Mobility Bell ExpressVu
Fed.Gov.Cybercrime and Lawful Access Proposals
Public Interest Advocacy Centre
Comments on Federal Government’s “Lawful Access” Consultation PDF version is also available [pdf file: 0.21mb]
Introduction
The Public Interest Advocacy Centre (PIAC) is a national non-profit organization devoted to the representation of consumer interests in matters involving public utilities, essential services, and public interest issues of broad application to Canadians. PIAC has developed a strong record of consumer advocacy since its inception in 1976, and is widely recognized as an important and influential voice for ordinary consumers in a variety of marketplace issues. Over the past decade, PIAC has become a leading advocate of consumer privacy interests, in the context, especially, of the electronic marketplace. PIAC is governed by a distinguished volunteer Board of Directors from across the country, and is supported by member groups and donors representing hundreds of thousands of Canadians.
PIAC is grateful for the opportunity to comment on the important issues raised in the Consultation Document issued August 25, 2002 by the Government of Canada on “Lawful Access”. We commend the Government on its efforts to reach out to, and obtain input from, civil society through advance consultations on these issues. However, our ability to provide feedback is limited due to a lack of detail and clarity regarding the legislative proposals as well as the problems they are designed to overcome. Our comments below are therefore more general than might otherwise have been the case.
We look forward to an opportunity to review and comment on more specific legislative proposals accompanied by more substantial evidence as to their need.
Guiding Principles
The guiding principles for lawful access in Canada have already been established in the Canadian Charter of Rights and Freedoms, and Supreme Court jurisprudence interpreting these fundamental rights and freedoms. Under section 8 of the Charter, “everyone has the right to the secure against unreasonable search and seizure”, “subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society”. A significant body of jurisprudence has developed under this principle, providing helpful guidance as to where the line is to be drawn between reasonable and unreasonable intrusions by the state into the personal lives of individuals.
The Supreme Court of Canada has repeatedly confirmed the importance of privacy as an essential aspect of an individual’s liberty in a free and democratic society. As noted by the Court,
“The very efficacy of electronic surveillance is such that it has the potential, if left unregulated, to annihilate any expectation that our communication will remain private.”
The Court has also emphasized the importance of prior judicial authorization as an essential safeguard against undue invasion of individual privacy by the state:
“The state’s interest in detecting and preventing crime begins to prevail over the individual’s interest in being left alone at the point where credibly-based probability replaces suspicion. History has confirmed the appropriateness of this requirement as the threshold for subordinating the expectation of privacy to the needs of law enforcement.”
In R. v. Oakes, the Court established a clear test for the determination of whether a given infringement of Charter rights is reasonable and demonstrably justified. This test requires a sufficiently important objective served by the infringement, a rational connection between the means and the ends, and minimal impairment of the right in question.
We agree with the Privacy Commissioner of Canada that any new privacy-invasive measure that purports to enhance security must meet the following test:
- it must be demonstrably necessary in order to meet some specific need;
- it must be demonstrably likely to be effective in achieving its intended purpose. In other words, it must be likely to actually make us significantly safer, not just make us feel safer;
- the intrusion on privacy must be proportional to the security benefit to be derived; and
- it must be demonstrable that no other, less privacy-intrusive, measure would suffice to achieve the same purpose.
General Conclusions
Having reviewed the Consultation Document, and participated in a day-long consultation with government officials, it is PIAC’s view that the Government’s proposals for greater lawful access to private communications have not been demonstrably justified, according to the test articulated by both the Supreme Court of Canada and the Privacy Commissioner of Canada. In particular,
- it is not clear that greater access by law enforcement to electronic communications will in fact, or is even likely to, increase the security of Canadians;
- the privacy intrusions that would result from these proposals are clearly significant, while the security benefit to be derived therefrom is unclear;
- it has not been demonstrated that no other, less privacy-intrusive, measure (e.g., focused on technological and/or administrative impediments) would suffice to achieve the same purpose of enhanced security.
We fully appreciate the need for law enforcement agencies to be able to protect citizens against criminal activity without undue effort. We are as interested as everyone in the security and safety of Canadians. However, we strongly oppose measures that provide law enforcement agencies with greater powers of intrusion into the private lives of individuals, without adequate safeguards against the abuse of such powers.
Lack of Supporting Data
The legislative reforms being considered are premised on a need for enhanced state power in the face of technological change and specific barriers that exist today. Yet, the government has provided little evidence to justify the significant privacy intrusions posed by increased lawful access. Without specific information as to the extent and nature of the problem(s) to be rectified, it is impossible to conduct the “cost/benefit” analysis required by the Supreme Court.
Indeed, PIAC is unable to answer most of the specific questions posed in the Consultation Document because of the lack of information provided to justify the proposals.
If evidence is available to justify the proposed measures, it should be made public, so that Canadians can weigh it and thus make informed judgements as to whether the security benefits of the measures outweighs the privacy costs. If such evidence does not exist, then there is no case for the measures in question, and they should be dropped.
Technical or Legal Problems?
The Consultation Document identifies a number of technological developments that have created problems for law enforcement investigations (p.4). It would appear that the problems in question are technical, rather than legal. If law enforcement agencies have difficulty dealing with new technologies of communication, the solution is not to lower the legal standard for interception or search and seizure; rather, it is to provide law enforcement agencies with the technical expertise they need to deal with the evolving environment.
Technological Neutrality
The proposals would effectively establish a lower standard for interception and/or search and seizure in the online context, versus in the offline context. Yet, no justification in principle has been provided applying a different standard depending on the mode of communication used. PIAC submits that legal standards should not differ according to technology. Not only would this be unprincipled; it would lead to a situation in which the government is constantly playing legislative “catch up” with new technologies. Criminal Code standards should be designed to apply regardless of technology, and legislative reform should focus on ensuring that the standards in question are worded so as to incorporate all relevant technologies (rather than on establishing lower standards for certain types of technology).
Maintaining Lawful Access Capability vs. Increasing Lawful Access Capability
The Consultation Document states that the objective of the Lawful Access proposals is “to maintain lawful access capabilities for law enforcement and national security agencies in the face of new technologies”. Yet, the proposals go much further than maintaining existing lawful access capabilities – instead, they would significantly increase the ability of law enforcement and national security agencies to intercept, search and seize electronic communications of individuals, and personal information about individuals in electronic form.
PIAC has no objection to updating Canadian legislation so that the well-established Canadian standards of lawful access to private communications and personal data are clearly applicable in the context of new communications technologies. We do, however, object to a substantial weakening of such well-established safeguards.
The Council of Europe Convention on Cyber-Crime
It is unclear to what extent the proposals in question have been driven by forces outside Canada. According to the Consultation Document, the Council of Europe Convention on Cyber-Crime requires that ratifying countries provide in their domestic law for Production Orders, Preservation Orders, and an offence in relation to computer viruses that are not yet deployed. PIAC’s comments on these specific proposals are set out below.
In general, however, we are concerned that some aspects of this Convention may be inconsistent with Canadian values, insofar as it requires provision for an unreasonable level of state incursion into the private lives of individuals, without adequate privacy safeguards. In our view, Canada should not ratify the Convention if to do so would be inconsistent with Canadian values and rights as set out in our Charter of Rights and Freedoms and interpreted by the Supreme Court of Canada.
What position did Canada take in the negotiations?
There is absolutely no information available as to the position that Canada took in the negotiations. If this information were available, it would aid in understanding and framing the lawful access proposals.
What are the options being considered (and not considered)?
Similarly, no information is available to understand which options were considered and rejected in the process leading to the convention signing. Why was there no pre-signing consultation to review and direct the position that Canada would take?
Lack of Corresponding Privacy Safeguards
While clearly aware of privacy concerns, the government does not appear to have made a serious attempt to weigh them against the pressure from law enforcement agencies for easier access to personal information in the electronic environment.
Privacy, as much as national security, is under attack
The same technologies that law enforcement agencies complain are hindering their ability to investigate criminal activities, have also provided the basis for an unprecedented erosion of individual privacy. Individual privacy is increasingly under assault by virtue of the vastly easier access to vastly greater quantities of personal information available electronically. We find it particularly ironic in this context that the government seeks to further erode individual privacy, in the name of the public interest. If anything, privacy protections for electronic communication should be stronger than for non-electronic communications, given the unprecedented opportunities that electronic technologies offer for surveillance and intrusion.
The Need for Privacy Safeguards
In contrast to the Lawful Access legislative proposals, is the government’s recent legislative initiative on Money Laundering (The Proceeds of Crime Act). Just over two years ago, the federal government consulted with the Privacy Commissioner and the public on legislation designed to detect and deter money laundering and to facilitate the investigation and prosecution of money laundering offences. In response to concerns raised by the Privacy Commissioner and stakeholders, the government included a number of measures designed to limit otherwise enormous systemic individual privacy invasions that would have been authorized. For example, Bill C-22 (as it then was) included provisions:
- exempting lawyers from the requirement to disclose communications, where such communications are subject to solicitor-client privilege;
- requiring the police to obtain a judicial warrant in order to obtain detailed information from the new Financial Transactions and Reports Analysis Centre of Canada (FTRAC);
- limiting the use of information by FTRAC or other officials to purposes of exercising powers or performing duties and functions under the Act;
- making a punishable offence the improper disclosure of information; and
- giving the Privacy Commission oversight powers in relation to FTRAC’s handling of personal information.
In contrast, the Lawful Access proposals contain no safeguards against abuse of the increased powers they would provide.
Recommended Safeguards
The proposal assumes almost unlimited levels of citizen trust in law enforcement and national security agencies; trust that historically has not always been deserved. It argues for the need to infringe upon individual rights, suggesting this will enhance collective public security. As noted above, PIAC does not consider that the proposals have been adequately justified.
Should they nevertheless proceed, any proposals for greater access by law enforcement agencies to private communications and information must be accompanied by strong oversight mechanisms that ensure public accountability, transparency and scrutiny. This oversight should require routine reporting on measures undertaken in the name of law enforcement and national security and an accounting of the efficacy of these measures. Such reporting would enhance public confidence in the government and its agents exercising their rights to intercept and collect personal data.
Specific and severe penalties for improper use or disclosure of personal data collected via lawful access, as well as for improper attempts to access personal data, should be introduced
Specific procedures should be enacted for the destruction of information seized or acquired as part of a lawful access endeavour, at a minimum these should include:
- Specific guidelines to be followed for destruction
- Specific guidelines to be followed to notify parties whose information has been intercepted
Specific procedures should be enacted for the handling of intercepted or seized information that is subject to legal privilege.
In summary, we believe that all interception and/or search and seizure of electronic communications should require judicial approval, should identify a specific target, should identify specific information to be seized/intercepted and should have a specific rationale and justification for the seizure or interception. We also believe that any orders issued should be time-limited.
Intercept Capability
The government is proposing to introduce a general requirement in legislation to ensure intercept capability, with the specific details to be contained in regulations proclaimed at the time the legislation will come into force. It is proposed that all service providers (wireless, wireline and Internet) be required to ensure that their systems have the technical capability to provide lawful access to law enforcement and national security agencies.
We recognize that there may be a need for assurance, on the part of law enforcement agencies, of the ability to intercept and monitor electronic communications upon the issuing of judicial authorization. However, the government has failed to present evidence that the deployment of this massive surveillance infrastructure is necessary. For example, we do not know how many investigations have been thwarted as a result of the lack of technical capability. Moreover, the lack of clarity regarding evidentiary thresholds, oversight and safeguards makes us unable to provide an opinion on this proposal.
The Consultation Document suggests that many of the important details of such interception capability requirement (e.g., cost recovery) would be left to regulation. It is important that any regulations be subject to full public review. We echo the call from CWTA and CAIP and request that the draft legislation and accompanying regulations be made available for a full and complete public review, and that sufficient time be provided for interested parties to assess their impact and submit comments.
Effect on future innovation and adoption of technology
It is possible that impact the proposed requirement for intercept capability will have an adverse effect on future innovation in this industry. In particular, if intercept requirements are not applied to current infrastructure but only “when a significant upgrade is made to their systems or networks”, ISPs may be disinclined to upgrade their operations or capabilities. This could limit innovation and is therefore arguably in conflict with Canadian telecommunications policy.
Cost implications
We are concerned that the cost of constructing the surveillance infrastructure may unnecessarily burden the industry, and hence the telecommunications user. This, again, is arguably in conflict with Canadian telecommunications policy. In any case, it is impossible for us to address this issue fully without more information as to the costs in question.
It is certain than there will be disagreement between the industry groups and others with respect to costs. Some have envisioned the ISPs assuming the costs of ‘lawful access’, others have envisioned the government providing funding through some form of authorized tariff. Either way, it is clear that the citizen, as a telecommunications user or as a taxpayer, will be responsible for the costs of ‘lawful access’. Any such costs should be minimized.
Email Interception
The government seeks input on whether, or when, email constitutes a communication subject to interception, or instead a document subject to search and seizure. Different standards for access apply, depending on which approach is taken.
Reasonable expectation of privacy
Canadians have come to expect a high degree of privacy in email, despite widespread awareness of the ease with which such communications can be accessed by third parties. Increasingly, we are using email to communicate highly sensitive information, and indeed are relying on it to the same extent that we rely on postal mail. Canadians have, we submit, a similar reasonable expectation of privacy in email as they do in other forms of communication.
However, it is important to recognize the limits of the “reasonable expectation” test, where rapidly developing technology is concerned. Internet and email communications is an area in which technology and business practices have far outpaced the law. As a result, “reasonable expectations” may be based not on what is desirable, but rather on what we know to be the case, as undesirable as it may be. The legal treatment of email should not be determined by technological capability, but rather by our values as a society. If we wish to be able to communicate privately by email, without the possibility of unjustified surveillance, we should construct our laws so as to protect that desire. Principle, not technology, should guide our determination of this issue, as it did in the context of cellular telephone privacy.
Proceeding on this basis, PIAC submits that the Criminal Code should be amended to clarify that email, at least while in transit, constitutes a “private communication” under s.183. It would then be subject to the same procedural safeguards as all other interceptions under this provision.
Interception or Search and Seizure?
While in transit, interception of email is clearly just that: interception. It is a good question, though, at what point in the process of communication/delivery email is no longer a communication subject to interception, and is instead a document subject to search and seizure. The Criminal Code should be clear about when and where the line is to be drawn, if at all, between these two possibilities.
Access to Subscriber and Service Provider ID
Definitions CNA: Customer Name and Address (in effect the identity of the subscriber). LSPID: Local Service Provider Identification (identifies the company that provides services to the subscriber).
The government’s consultation document states that, “Basic customer information such as name, billing address, phone number and name of service provider, has historically been made available by service providers without a prior judicial authorization (such as a search warrant).” Recent changes in the telecommunications sector, however, have left law enforcement agencies with a patchwork of differing and inconsistent policies among service providers, regarding the provision of this information upon request. The PIPED Act, for its part, permits (but notably does not require) private organizations to disclose this information upon request by law enforcement officials without judicial authorization. Instead, it is left to the government to determine what limits, if any, should apply in respect of access by law enforcement agencies to this information.
Notwithstanding the discretion afforded service providers by virtue of PIPEDA, we believe that from a public policy perspective, it is beneficial to build a clear, consistent, privacy-protective policy framework that balances all of the competing interests.
LSPID
The CRTC recently ruled on the LSPID issue in the context of telephone service providers, requiring that, in order to obtain this information from Bell Canada, a law enforcement agency (LEA) must identify its lawful authority to obtain the information, and indicate that:
- it has reasonable grounds to suspect that the information relates to national security, the defence of Canada, or the conduct of international affairs;
- the disclosure is requested for the purpose of administering or enforcing any law of Canada, a province, or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing or administering any such law; or
- it needs the information because of an emergency that threatens the life, health or security of an individual, or the LEA otherwise needs the information to fulfill its obligations to ensure the safety and security of individuals and property.
PIAC submits that the CRTC test for LSPID disclosure by Bell Canada is appropriate, and should be adopted in respect of other communications service providers.
CNA
On the other hand, we believe that access to CNA data should require judicial authorization. Customer name and address information can be sensitive information, depending on the context. It is not clear why we should grant law enforcement agencies unimpeded access to this information. Clearly, much of this information is already easily accessible in the marketplace, through published directories. However, many subscribers choose to protect their privacy by not publishing their contact information; in these cases, at least, individuals have a high expectation of privacy regarding their contact information, and such expectations should be reflected in the standard applied for lawful access.
With respect to Internet address information, we strongly object to a lower standard of access given that the ability to link such information to identified individuals would permit the collection of a vast amount of personal information.
Some may argue that by requiring judicial authorization for CNA release, we will create a system that is expensive, inconvenient and unfairly burdens the law enforcement or national security agency. We submit that these are not the only factors to consider when drafting public policy. Rather, it is imperative in a free and democratic society to balance the legitimate needs of the state with appropriate roadblocks to protect the rights of the citizenry from incursion by the state; this may, in fact, be expensive and inconvenient and may burden the state. Freedom has a cost; we believe the state can more properly bear the burden of this cost.
Obligation to collect where none exists
We have been asked to comment on whether the obligation should be imposed on service providers to collect this information in circumstances where they are not currently collecting this information for their own purposes. This obligation would likely affect those service providers and retailers selling prepaid and other anonymous telephone cards and phones.
We would imagine, for this to be implemented, a customer would need to present approved identification to a retail clerk (e.g. a convenience store clerk) who would verify and copy down the identification; this would then be forwarded to the service provider. This would be a gross invasion of privacy and present even greater opportunities for data leakage or loss (and subsequent threats such as identity theft).
In discussing this point, we are struck by the fact that this proposal appears to conflict with the implicit premise of the consultation as attempting to overcome differences in legal process necessitated by technology. For example, if we require name and address to be supplied by persons purchasing pre-paid cards and anonymous wireless phones; why are we not similarly requiring persons utilizing the services of Canada Post to identify themselves? Should we not seal all Canada Post street mailboxes and require people depositing mail to present themselves at a government approved post office and present their government approved identification to a government approved counter clerk? Most correspondents would recognize the lunacy and Orwellian effect of such an unprecedented level of state intrusion.
We should not afford any lesser protection, or impose any higher burden on service providers, retailers and end users merely because they wish to avail themselves of technology solutions as an alternative to Canada Post.
Other mechanisms to provide subscriber and service provider information
The government raises the topic of ‘other mechanisms’ for law enforcement and national security agencies to access subscriber (CNA) and service provider (LSPID) information, arguing that, “the only way in which this information can be obtained is through the time-consuming and costly process of directly contacting each local carrier.” The Canadian Association of Chiefs of Police has suggested the concept of a national database be constructed containing CNA and LSPID information for ‘lawful access’ use.
We recognize that it is not always an easy task for law enforcement and national security agencies to obtain CNA and LSPID information. We recognize that considerable cost and effort may be expended to locate this information. However, we believe that these are not the only factors to consider when drafting public policy. Creation of a national database of any personal information, even limited to CNA information, raises the potential for misuse and should therefore be avoided.
Production Orders
In keeping with requirements under the Council of Europe Convention on Cyber-Crime, the Government proposes to create a new type of authorization for lawful access to documents held by a private body. A “production order” would require the custodian of documents to deliver or make available the documents within a specified period.
The concept of production orders raises concerns about forcing private service providers into a role of agents of the state. It is at least questionable whether such “conscription” of third parties to carry out law enforcement activities is appropriate. It would undoubtedly interfere with the primary role of serving customers, and would effectively expand the reach of law enforcement well beyond current limits.
Three types of production order are being considered:
- General production order
- Specific production order for traffic data
- Specific production order for CNA and LSPID data
General Production Orders
PIAC does not support the creation of production orders in the absence of clear evidence showing how existing warrant powers (supplemented with assistance orders where necessary) are insufficient. Such evidence has yet to be provided.
The need for anticipatory orders, permitting law enforcement agencies to monitor transactions for a specified period of time, is also insufficiently documented. In any case, we cannot perceive a situation in which any such order would or should require a different standard than currently applies to search and seizure, or to interception of communications.
If general production orders are nevertheless created, they should be subject to the same procedural safeguards as currently apply to search warrants (or interception, where appropriate). To apply any lower standard would be to go beyond the objective of maintaining existing lawful access capabilities, in the new electronic environment.
Production Orders for “Traffic Data”
It is suggested that issuance of specific production orders would be subject to a lower standard than that for issuance of general production orders. In particular, the Consultation paper suggests that “the standard for Internet traffic data should be more in line with that required for telephone records and dial number recorders in light of the lower expectation of privacy in a telephone number or Internet address, as opposed to the content of a communication”.
PIAC disagrees. First, it is not at all clear how “traffic data” in the Internet context could be stripped of content that is not available in the telephone context. Second, it is not clear that individuals have a low expectation of privacy in respect of their Internet address, at least once they know what other information about them could, or would necessarily, be transmitted along with Internet address information.
The Lawful Access Consultation document does not define traffic data. However, a definition is found in The Council of Europe Convention on Cyber-Crime. Under the Convention, traffic data is defined as, ” any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service.”
It is notable that the explanatory memorandum to the Convention cautions against the simplistic notion that Internet “traffic data” can be easily separated from more substantive information in which a higher expectation of privacy exists:
”… the privacy interest is generally considered to be less with respect to the collection of traffic data than interception of content data. Traffic data about time, duration and size of communication reveals little personal information about a person or his or her thoughts. However, a stronger privacy issue may exist in regard to data about the source or destination of a communication (e.g. the visited websites). The collection of this data may, in some situations, permit the compilation of a profile of a person’s interests, associates and social context. Accordingly, Parties should bear such considerations in mind when establishing the appropriate safeguards and legal prerequisites for undertaking such measures…”
It has become apparent during the course of this consultation that it simply is not possible to clearly separate ‘traffic’ data from ‘content’ data (i.e., data that reveals much more about an individual) in the internet context. See A Pascual’s “Access to traffic data: when reality is far more complicated than a legal definition.” What looks like mere “traffic data” to a computer layperson, for example, could be a wealth of personal information in the hands of a computer expert.
Given that internet ‘traffic data’ can be so rich in information about an person’s lifestyle, interests, views, etc., the standard for lawful access to such data should be at least as high as currently required for interception of communications or searching of records. Otherwise, the government will not be maintaining current standards of lawful access, but will in fact be expanding them.
As noted by the Privacy Commissioner of Canada, George Radwanski, “Agents of the state in Canada cannot order Canada Post to photocopy the address on every envelope we send, nor can they order bookstores to keep a record of every book we buy, let alone of every page of every magazine we leaf through. There is no reason why they should be able to exercise such powers with regard to every e-mail someone sends or every Web site he visits.”
Preservation Orders
Preservation orders do not currently exist in Canadian law. They are being proposed pursuant the Council of Europe Convention, so as to provide law enforcement with a further tool of access. A preservation order would require the service providers to store and save existing data specific to a transaction or client. The order would be temporary, remaining in effect only as long as it takes law enforcement agencies to obtain a judicial warrant to seize the data or a production order to deliver the data.
No data has been provided to justify the creation of this new order, which constitutes a limited form of data retention. Without clear justification, it should not be adopted.
While the proposed Preservation Order does not raise the same concerns as would routine, longer-term retention of data as proposed in other jurisdictions, it is a step in that direction and could become a “back door” method of obtaining judicial authorization for access, circumventing the higher thresholds that would apply for standard warrants.
We do not believe that a clear case has been made to support the introduction of data-preservation orders. No statistics have been introduced, no rationale has been offered beyond simple reference to the Council of Europe Convention on Cyber-Crime. In any case, the creation of this new type of order would clearly constitute an expansion, rather than a maintenance, of existing lawful access capabilities, and should be rejected on that basis alone.
Virus Dissemination
The Council of Europe Convention on Cyber-Crime requires signatory states to criminalize the creation, sale and possession without right of devices (e.g., computer programs) that are designed or primarily adapted for the purpose of committing offences specified in the Convention, whether or not the virus has been deployed or has caused any form of mischief.
Further, in order to ratify the Convention, new offences in relation to illegal devices (such as viruses) would have to be added. These could include importation, procurement for use, and otherwise making available an illegal device as defined in the Convention.
We generally support the prohibition against viruses, as contemplated by the government. However, we have some concerns about the application of the proposal with respect to a virus that has not been deployed and has not caused any mischief. Some software or devices, due to programming errors (commonly referred to as ‘bugs’) or poor programming technique may fall within scope of this prohibition. Care should be taken to appropriately circumscribe the definition of virus and non-deployed or contingent virus.
In addition, care must be taken not to prohibit the legitimate activities of individuals and companies that possess these devices for analytical, research, design, educational, or anti-virus purposes. Nor should a person be guilty of an offence if they have an undetected virus or other device residing on their computer without their knowledge. Any provision outlawing possession of viruses should be carefully drafted so as to ensure that innocent individuals will not be caught.
Extra-Territoriality
The consultation paper details that the Council of Europe Convention on Cyber-Crime calls for the criminalization of certain offences relating to computers, the adoption of procedural powers in order to investigate and prosecute cyber-crime, and the promotion of international cooperation through mutual legal assistance and extradition in a criminal realm that knows no borders.
We have serious concerns regarding the risk of Canadians being subject to non-Canadian laws based upon a request from another jurisdiction. Canadian law enforcement officials should only enforce Canadian laws and not assist in the enforcement of foreign laws that are substantially different.
Conclusion
The Canadian government, through the Canadian Electronic Commerce Strategy and the policy objectives of the Telecommunications Act has actively encouraged the adoption of new technologies within the Canadian marketplace. Indeed, we rank ahead of many other countries in terms of penetration and user acceptance and even cost in the internet and telecommunication sectors. These accomplishments have brought Canada well deserved praise as well as obvious economic benefit. It would seem that these same new technologies are now being used to justify a potentially invasive state surveillance regime under the guise of ‘lawful access’.
We agree that new technologies necessitate updated legislation, so as to ensure that they are not inappropriately excluded from existing provisions. However, we do not see any reason why electronic mail should be subject to a lower standard of protection than telephone calls or regular mail. We do not see why Internet browsing should be subject to a lower standard of protection than book purchasing or researching in a library. We do not see why our movements should be subject to tracking merely because we choose to use a cellular phone or other wireless device.
Canadians should not be subject to greater monitoring or scrutiny just because they choose to avail themselves of new technologies and convenience. Criminal law principles, including standards for lawful access, should be technology-neutral.
Throughout this consultation process the government has not demonstrated why the proposed measures are necessary, how they are reasonable or that there are no less-intrusive alternatives. Such evidence is required in order to meet the test set out in the Charter of Rights and Freedoms, as well as to convince civil society of the appropriateness of the proposed measures. After a review of the consultation paper and participation in the roundtable activities, we find ourselves left with more questions than answers. We cannot support the proposed new measures for lawful access in their current form given the lack of supporting data, the lack of adequate privacy safeguards inherent in them, and the significant expansion in lawful access that they would permit for one type of technology. We do not believe that the proposals, as currently constituted, meet the test set out by the Supreme Court of Canada for reasonable and demonstrably justified limits on the right to be free from state surveillance.
We therefore call upon the government to take the following steps, if it wishes to pursue this matter further:
- Publish all background materials relating to the Council of Europe Convention on Cyber-Crime, including documents detailing Canada’s position, and explanatory memoranda relating to the Canadian implementation of the convention;
- Provide empirical evidence and full justification for all components of the lawful access proposals;
- Publish draft legislation and accompanying regulations for further consideration and feedback by stakeholders, so that we know what precisely is being proposed;
- Allow sufficient time for a full, thorough and informed public consultation.
All of which is respectfully submitted,
Philippa Lawson
Senior Counsel
Public Interest Advocacy Centre
PIAC comments on CSA Privacy Code
CSA Model Code for the Protection of Personal Information, CAN/CSA-Q830-96
2002-2003 Review Comments of Philippa Lawson, Public Interest Advocacy Centre
Introduction
It has now been six years since the introduction of the CSA Model Code for Data Protection. A number of organizations have modeled their own privacy codes and policies on this standard, and businesses across the country have been attempting to understand their obligations under the Code, now part of the federal Protection of Personal Information and Electronic Documents Act (“PIPEDA”). Similarly, individual consumers have been trying to understand their rights under this new Code and legislation.
It has become clear that some important aspects of the Code are subject to widely differing interpretation. The vagueness of some provisions leaves both businesses and consumers uncertain as to their proper meaning and application, and encourages each interested party to interpret the provision to their advantage. The result is marketplace confusion, increased business expense, reduced utility of the Code, and loss of confidence by consumers in the protections that the Code was meant to afford.
Some of these issues of interpretation have been taken to the Privacy Commissioner by way of complaint under the PIPEDA. A body of authoritative findings is thus gradually clarifying some of the many grey areas of the Code. However, these findings are not legally binding, and are not subject to appeal by respondents. Hence, businesses can decide not to respect a determination by the Privacy Commissioner, and the matter may never be finally resolved.
Moreover, it will take many years for all of the uncertainties inherent in the Code to be addressed by the Privacy Commissioner. Businesses and consumers need certainty earlier rather than later. Businesses want to be able to design their data systems in accordance with the intended meaning of the Code, rather than having to go back and re-design the system, after finding out that their interpretation of a grey area in the Code was wrong.
Finally, it is far preferable for the Code to be clear on its face, than for parties to have to consult jurisprudence in order to understand what the Code means in practice. The latter merely increases business cost and makes it more difficult for organizations to comply.
For all these reasons, the Code should be revised at least so as to clarify certain vaguely worded provisions, and to create greater certainty for businesses and consumers alike.
In addition to uncertainties surrounding key provisions of the Code, it has come to light that some provisions are inappropriately worded, insofar as they fail to provide the level of data protection intended by the Code. These provisions should also be revisited in the review process.
Finally, the Code is deficient insofar as it fails to address some key components of informational privacy.
We note that the PIPEDA will be subject to Parliamentary review in 2005. Given that the PIPEDA is based on the CSA Code, it is important that any updates to the Code be made in advance of this review. The Parliamentary review will then, no doubt, involve a review of the updates to the Code.
Provisions Needing Greater Clarity
3. Consent
At the core of the Code is the concept of individual knowledge and consent. Yet, this critical concept is unclear in the Code and subject to widely differing interpretations in the marketplace. It is essential that the Code address this fundamental issue by distinguishing between the various types of consent and specifying clearly the circumstances under which each is acceptable.
Sub-principles 3.4, 3.5, and 3.6 address this issue, but do so incompletely and confusingly. They need to be revised so as to clarify that there are at least three different types of consent:
- express,
- implied, and
- deemed (e.g., via negative option).
Confusion has resulted from the use of the term “implied consent” to cover not only situations in which consent is actually provided (i.e., where the person would have consented if asked, and where the facts clearly suggest that consent was provided), but also situations in which consent is merely deemed (i.e., where it cannot reasonably be determined that the person would have consented if asked).
There is an important difference between “implied consent” and “deemed consent”. In the former, the individual has actually consented; whether consent can be implied is a matter of fact, not of law. In the latter, it does not matter whether the individual has actually consented; the law (or Code) permits organizations to act as if the individual has consented.
This difference is important insofar as it leads to differing standards of notice in each case. Notice is of less importance in the situation where consent can be implied. This is because consent can only be implied where it is reasonable to assume that the individual is fully aware of the collection, use, or disclosure and agrees to it. On the other hand, notice is of critical importance in those situations where consent is deemed, since the onus is then on the individual to “opt out” if they desire (or, in cases where no opt-out is offered, the individual needs at least to be aware of the uses to which their information will be put).
Negative option consent, the most prevalent form of consent for use of personal data in the marketplace, is a form of “deemed consent”, since it deems consent regardless of whether the individual is actually aware of the use, let alone consents to it. Other forms of deemed consent may also exist.
The Code needs to be revised so as to clearly distinguish between these different forms of consent, applying different standards of notice as appropriate.
The Ontario government has provided an excellent model for a definition of “implied consent” in its Draft Consultation Act. A version of this model is as follows:
“The consent of an individual to the collection, use or disclosure of personal information about the individual by an organization may be implied only if,
- in all the circumstances, the purpose of the collection, use or disclosure as the case may be, is or will become reasonably obvious to the individual;
- it is reasonable to expect that the individual would consent to the collection, use or disclosure; and
- the organization uses or discloses the information for no purpose other than the purpose for which it was collected.
Obvious purpose
As part of making the purpose of the collection, use or disclosure of personal information about an individual by an organization obvious to the individual, the organization may post or provide a notice describing the purpose where it is likely to come to the individual’s attention.”
Negative option consent also needs to be defined and made subject to criteria for validity. As recently determined by the federal Privacy Commissioner, negative option consent is valid only under the following conditions:
- the personal information in question is not sensitive;
- the individual in question would reasonably expect that their consent could be deemed in this circumstance unless they clearly express otherwise;
- the purposes and negative option are brought to the attention of the individual, not merely posted on a website or hidden in contractual fine print where the individual may not notice it;
- the notice is clearly worded, in plain language, so that the ordinary consumer can understand how their information may be used;
- the notice is sufficiently detailed, so that the individual can understand to whom their information may be disclosed,
- the negative option is appropriately dis-aggregated, so as to allow individuals to opt-out of non-essential uses without also opting-out of essential uses; and
- the negative option is convenient, easy-to-use, and inexpensive to execute.
The following is a possible approach to negative option consent in the Code:
“Except where express consent is required, an organization may attempt to obtain the consent of an individual to the collection, use or disclosure of personal information by providing a notice to the individual that meets the following requirements:
- The organization provides the notice to the individual in a manner in which it is likely to come to the individual’s attention.
- The notice is clear and understandable to a reasonable person.
- The notice is accurate and would not mislead a reasonable person.
- The notice clearly states the purpose or purposes of the collection, use or disclosure.
- The notice describes the personal information that is to be collected, used or disclosed.
- The notice clearly explains that the individual has the right to opt out, that the individual may opt out at any time and that, if the individual opts out, the opt-out is not limited in duration.
- The notice explains the consequences of the individual’s opting out.
- The notice provides a means by which the individual can opt out that involves minimal effort by the individual and no cost to the individual, which may include using,
i. a toll-free telephone number,
- electronic means, if the organization is communicating with the individual by electronic means,
- a form with mailing information and pre-paid postage, or
- any other reasonable approach.”
The Code could also provide clearer guidance to organizations on the question of when express consent, as opposed to negative option consent, is required. Such guidance could state as follows:
“An organization shall not use an opt-out notice to obtain a consent of an individual to the collection, use or disclosure of personal information if a reasonable person would not consider it appropriate in the circumstances, having regard to,
- the sensitivity of the information;
- whether the information is personal health information or financial information ;
- the expectations of a reasonable individual;
- the context in which the collection, use or disclosure is to occur;
- the purpose or purposes for which the information is to be collected, used or disclosed;
- the clarity of whatever statements the organization gives to the individual about the purpose or purposes for which the information is to be collected, used or disclosed;
- the degree to which the purpose or purposes of the collection, use or disclosure are congruent with the statements mentioned in clause (f);
- whether the organization is seeking to disclose the information to a party unrelated to the organization;
- whether the organization is in a business or other relationship with the individual; and
- the length of time since the organization first obtained the individual’s consent to the collection, use or disclosure of the information.”
2.3; 3.2 Notice
The issue of notice to individuals is addressed in two principles: under “Identifying Purposes” in 2.3, and again under “Consent”, s.3.2. Given the extent to which organizations rely upon notice as opposed to actual consent, it is strange – indeed troublesome – that the Code does not highlight the issue of notice. Consideration should be given to creating a separate principle under heading “Notice”, in order to clarify the issue and to remove repetition from the Code.
Section 2.3 addresses timing of the notice, stating:
“The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is being collected.”
Section 3.2 states:
“Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.”
As noted above under “Consent”, the standard for notice will differ according to whether consent can be implied, is being obtained expressly, or is being deemed under a negative option. The importance of notice in the case of negative option consent, at least, is such that it warrants greater attention and stronger obligations than currently exist in the Code.
Specification of purposes to the individual at or before the time of collection, use or disclosure should be mandatory, and any allowable exceptions thereto should be specified. This is more appropriate than the current approach under which timely notice is not required, even in situations where it should be provided.
The Code should also provide clearer guidance to businesses as to what constitutes “a reasonable effort to ensure that the individual is advised”. Is posting on a website sufficient? Is notice via company brochures, available at the company premises, sufficient? Is including the notice as part of a lengthy contract sufficient?
3.0, 5.0 Retention
The Code covers retention of personal information both implicitly, through collection and use, and explicitly, in ss.5.0, 5.2 and 5.3. It has become clear, however, that parties differ as to whether retention for a particular purpose constitutes a “use” under the Code, requiring consent. The Code should clarify this through appropriately worded sub-principles under 3.0 and 5.0.
Provisions in need of Strengthening
3. Refusal to Deal
Section 3.3 states:
“An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.”
This section, as currently worded, provides little value to the Code. Meaningful data protection requires that organizations do not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required for the transaction or provision of services in question.
The section as currently worded permits organizations to refuse to deal with individuals even where the personal information requested for a purpose that is neither necessary for the dealing, nor related to it. All that is required is that the purpose be “explicitly specified and legitimate”.
Again, the Ontario government’s consultation draft improved significantly upon the wording of the CSA Code, by addressing the issue of “Tied Selling” as follows:
“An organization shall not, as a condition of dealing with an individual, require the individual to consent to the collection, use or disclosure of personal information beyond that required to fulfill the purpose of the dealing.”
5. Explaining Purposes upon Request
The Code currently states, in s.2.5:
“Persons collecting information should be able to explain to individuals the purposes for which the information is being collected.”
The widespread failure of customer service representative to be able to explain the purposes of their personal information collection to consumers upon request is an ongoing problem in the marketplace. Consumers are unable to exercise their rights under the Code because they cannot, without unreasonable effort, find out why the business is seeking the information. Instead, they are faced with a Hobson’s choice of handing over their personal information for unknown future purposes, or cancelling the transaction (after having spent time and effort selecting the good or service to be purchased). This reality effectively strips the Code of effectiveness for the ordinary consumer the context of ordinary marketplace transactions.
In order for businesses to “get with it” and be able to explain to individuals, at the time that the information is requested, the purposes for which the information is being requested, the Code must make this requirement mandatory.
1. Openness – Disclosing the Source of the Information
This sub-principle merely “encourages” organizations to indicate the source of personal information upon request by the individual. It is unclear why organizations should not be required to do so, where they can determine the source of the information without unreasonable effort.
The scheme set up by this Code is one that relies upon consumer complaints in order to uncover problems. If consumers are unable to determine the source of their personal information obtained by an organization due to the organization’s refusal to indicate the source, they may be unable to formulate a legitimate complaint, and a disgraceful practice may never be uncovered. The Code should require such disclosure to individuals where possible.
New Provisions Needed
Limiting Collection – Other Information
The “Limiting Collection” principle implicitly requires that non-personal information be used wherever it suffices. However, in keeping with the structure of the Code, and given the importance of this point, it would be helpful to make this implicit requirement explicit in an additional sub-principle. Again, the Ontario Consultation Draft provides a useful model:
“An organization shall not collect, use or disclose personal information if other information will serve the purpose of the collection, use or disclosure.”
Limiting Collection – Direct Collection
The Code should include a requirement that personal information be collected directly from the individual to whom it pertains, subject to certain exceptions. Such exceptions could include:
- if the individual consents to having the organization collect the information from the person who has custody or control of it;
- if the individual consents to having the organization that has custody or control of the information disclose it;
- if the person with custody or control of the information is authorized at law to act on behalf of the individual and consents to the disclosure of the information to the organization; or
- if the organization is authorized by law to collect the information in a manner other than directly from the individual.
Collection of Personal Information From or About Children
Many have noted that the Code does not address the specific issue of children’s informational privacy. Consideration should be given to developing a principle addressing this issue.
Commissioner’s Findings – MBNA Canada Bank
Privacy Commissioner Commissaire a la protection of Canada de la vie privee du Canada
112, rue Kent
Ottawa (Ontario)
K1A1H3
Tel.: (613) 995-8210
Telec.: (613) 947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0083
Ms Philippa Lawson
Public Interest Advocacy Centre
1 Nicholas Street, Suite 1204
Ottawa, ON K1 N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against MBNA Canada Bank (MBNA) under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint received in my Office on October 18, 2001, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that MBNA was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, you made three allegations of failure on MBNA’s part with respect to its Mastercard service: (1) failure to adequately bring to the attention of its customers its practices of using and sharing customer data for secondary marketing purposes and the opportunity for customers to opt out of such practices; (2) failure to provide full and clear information as to potential secondary uses and sharing of customer data; and (3) failure to provide customers with an opting-out method that can be executed immediately, easily, and at minimal effort and cost.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any bank, such as MBNA, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be ”…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about MBNA’s Mastercard customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is MBNA. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
- reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
- reliance on fine print buried in a long document;
- failure to use clear, plain language understandable to the ordinary consumer;
- failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
- failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
In your complaint against MBNA, you have expressed the view that the bank’s Cardholder/Credit Card Agreement and its Privacy Policy Statement are particularly inadequate for purposes of the Act.
MBNA disagrees with your allegations. The bank denies, first of all, that it uses and discloses information for secondary marketing purposes or has any plans to do so. By MBNA’s own interpretation, which I presume is common among marketers, using or disclosing a customer’s personal information for “secondary marketing” would mean the outright sale (or exchange of other consideration between the parties) of the information without the customer’s knowledge and consent to a third party that was not part of MBNA’s corporate family.
MBNA maintains that, on the contrary, the products and services offered to its customers are offered either by MBNA itself or by subcontractors acting on its behalf, under its strict supervision, and with due regard for confidentiality. MBNA also insists that for any product or service, such as credit insurance, that is ultimately fulfilled through a third party, the customer’s personal information is not actually disclosed to that party until the customer has indicated that he or she wishes to purchase the product or service in question – that is, has consented to become a customer of the third party.
My Office’s investigation has confirmed that MBNA does not disclose a customer’s personal information to any such third-party supplier until the customer has made the decision to purchase the product or service in question. However, our investigation has also revealed that when MBNA, through a subcontracted telemarketer, offers its customers a product or service (e.g., credit insurance) that is ultimately to be supplied by a third party, the customer is told only that the product is being offered on behalf of MBNA. No specific third-party supplier is mentioned, nor is the customer asked at that time for specific consent to having personal information disclosed to a third party in the event of accepting the offer in question. The customer does not learn who will be the actual supplier of the product or service until he or she eventually receives an information package from that party in the mail.
MBNA readily acknowledges that it does variously collect, use, or disclose Mastercard customers’ personal information in the course of its business dealings with four groups: (1) credit reporting agencies, (2) its three current affiliates; (3) some 380 “Affinity” partners (i.e., organizations that arrange with MBNA to issue Mastercards in their names); and (4) a number of non-affiliated subcontracting companies. However, MBNA maintains that it fulfils its obligations under the Act in this regard by virtue of the statements it makes about its information-sharing practices both on its credit card application form and in its Cardholder/Credit Card Agreement.
Under the heading “Uses of Information”, MBNA’s Cardholder/Credit Card Agreement states as follows:
From time to time, we may obtain updated credit or personal information about you. We may use and share information about you with credit reporting agencies and others, including merchants and companies whether affiliated with us or not. You hereby consent to any disclosure by us from time to time of any and all information we may have about you and your affairs to any other party that, in our sole opinion, may have legitimate need or use for that information, and to our using and sharing personal and other information about you to our affiliates and others for commercial prospect/on or marketing purposes.
Pursuant to applicable federal law, upon written request, you are entitled to be informed of the existence, use, and disclosure of your personal information. In addition, you may withdraw your consent to our use of your personal information. If your consent is withdrawn at any time to our using, collecting, or disclosing information, you do so on the understanding that we may no longer be able to extend credit to you. We will continue to report the status of your account to credit reporting agencies until your account has been finally settled. To request a copy of our Privacy Statement, please write …..
On inquiry by my Office, MBNA has admitted that the “merchants and companies” mentioned in the first paragraph above, though meant primarily to cover such entities as processing agents and Affinity partners, might conceivably mean anyone. MBNA explained that the companies in question are always changing and that the wording therefore needs to be broad in order to accommodate this constant change and avoid the necessity of continually amending a list of specified companies.
MBNA’s credit card application form, on the front side above the signature line, states as follows:
My signature means that I agree to the Conditions on the reverse side of this form, and consent to, and accept this written notice of, your obtaining a credit report or other information about me from any person. I also agree to the ongoing collection, use and disclosure of information relating to me as set out in the conditions and in the credit card agreement relating to my Account.
On the reverse side of the credit card application, in tiny lettering, the above-mentioned conditions appear, in part, as follows:
/ consent to, and accept this as written notice of your obtaining, disclosing or exchanging any credit, personal or other information about me (including information contained in my personal information file) at any time, from, to or with any credit bureau, personal information agent, credit grantor or insurer, my employer or other person in connection with any relationships between us or those which you or I may wish to establish. You, your affiliates and service providers may use any of the information relating to me or my Account to maintain and administer my Account, to offer services and enhancements, and for any purpose not prohibited by law. I also consent to the use and disclosure at any time of all such personal and other information: (i) for purposes of offering me any other product of yours or anyone else (including your affiliates), that you believe may be of interest to me; (ii) to determine which Account benefits, services or enhancements, and/or which other product or service offers may be of interest to me; and (Hi) for such other purposes as are not prohibited by law ….
My consent to use of my personal information and other information as provided in (i) through (Hi) is optional. If I wish to discontinue such use or to not receive any further marketing materials or future credit card offers from MBNA, or if I wish to receive a copy ofMBNA’s Canada’s Privacy Statement, I may write to you at the following address…
The credit card application also makes reference to the Cardholder/Credit Card Agreement and continues as follows: ”… I have requested and received the card, Account, and Agreement, and … I understand and agree with you to everything written there and here”.
MBNA also makes a credit card application form available on its website. This online form provides links to terms, pricing and conditions, to the same legal disclosures as appear on the reverse side of the hard copy application form, and to the bank’s Privacy Policy Statement. However, the online form does not provide a link to the Cardholder/Credit Card Agreement and makes no specific reference itself to disclosure of information. Its only consent statement reads as follows:
I have read the terms and pricing disclosures for this account and by electronically transmitting this application, I indicate my agreement with each of the terms and conditions. I understand that I will be bound by each of the terms of the Credit Card Agreement without limitation.
MBNA also provides its telemarketers with a brief script for obtaining prospective customers’ consent to submitting a credit application over the telephone. This script reads in part as follows:
… The terms and conditions will be provided to you, if approved. You agree that by submitting this credit request you have consented to MBNA Canada obtaining, disclosing or exchanging any credit, personal or other information about you at anytime, to, from or with any credit bureau or other person.
As mentioned above, MBNA also publishes a Privacy Policy Statement, which provides a fuller account of the bank’s rationale and practices in respect of the collection, use, and disclosure of customers’ personal information. However, this is a document that is not issued to customers as a matter of course. Rather, individuals who wish to read it must take the initiative either to request a copy in writing or gain access to it via the MBNA website.
In contending that it fulfils its obligations under Principle 4.3 (Consent) of Schedule 1 to the Act, MBNA makes three main points.
First, it argues that the statements it makes on taking a prospective customer’s credit card application are sufficient in themselves for the individual to make an informed decision about consent. MBNA believes that the signing of the application form, or the verbal agreement over the telephone after the script is read, constitutes the customer’s explicit consent to the bank’s intentions regarding personal information. The bank correctly points out that Principle 4.3.7(a) specifically recognizes application forms as an acceptable means of obtaining consent.
Second, MBNA argues that it subsequently provides the individual with yet another opportunity to consider the matter of consent in reviewing the Cardholder/Credit Card Agreement. The bank regards this document as affording sufficient information for the customer to reassess the earlier decision to give consent. As the bank sees it, by agreeing to be bound by its terms and conditions, and by signing and using the credit card enclosed, the customer is also reaffirming consent to the bank’s intentions regarding personal information.
Third, MBNA points out that the two documents in question state that, even after giving it, the customer may withdraw consent to the collection, use, and disclosure of his or her personal information.
In sum, the bank submits that, by providing each customer with two separate disclosures requiring consent and a further indication that consent may be withdrawn once given, it has complied with the requirements of the Act.
On the basis of these facts, I am required to determine whether MBNA has indeed complied with the requirements of the Act, specifically Principles 4.3, 4.3.2, and 4.3.3 of Schedule 1 and section 5(3) of the Act. In this case, where the central issue is that of consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used; it further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.3 states that an organization must not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
Finally, section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
Permit me firstly to try to clarify a point of semantics. MBNA has apparently – and, I suggest, incorrectly – taken your reference to “secondary marketing purposes” as meaning purposes of secondary marketing, the term “secondary marketing” ostensibly having a distinct technical meaning among organizations that engage in marketing. What you actually meant, however, was secondary purposes of marketing. MBNA may well take umbrage at an accusation of secondary marketing, according to a definition common in the industry, but there is no such accusation in this case. What you have alleged in effect is that MBNA uses and discloses customers’ personal information for secondary purposes without valid informed consent. The marketing itself may not be secondary in a marketer’s technical sense, but to the individual customer there can be no doubt that MBNA’s marketing purposes are secondary to those for which he or she initially provided personal information to MBNA – that is, purposes of determining credit-worthiness, issuing a credit card, and administering an account.
In any case, regardless of the relative standing of the purposes at issue, the central question here is whether MBNA obtains valid consent in respect of those purposes. On this question, moreover, I am of the view that your expectations regarding consent, as you have expressed them in your submission, are reasonable and in keeping with the Act. Notably, Principle 4.3.2 clearly supports the expectation that consent be based on purposes stated in clear, plain language understandable to the ordinary consumer and in adequate detail for the consumer to appreciate the nature and extent of the collections, uses, and disclosures contemplated. Furthermore, where consent regarding personal information is being sought, I consider it entirely reasonable for the individual to expect not to have to read fine print or search for information in a document that is not immediately at hand. Finally, where consent to optional secondary purposes is presented as a condition for supply of the primary product or service, I consider it only reasonable for the individual to expect to be provided with a convenient opting-out procedure that can be executed easily, immediately, and inexpensively.
The question is, does MBNA meet these reasonable expectations? In answer to this question, I believe that the above-quoted passages from the bank’s communications materials speak for themselves.
On review of those materials, I have determined firstly that MBNA’s credit card application (both the hard copy and the online versions) and Cardholder/Credit Card Agreement do not represent a reasonable effort on MBNA’s part to ensure that the individual customer is advised of the purposes for which personal information will be used or disclosed. Neither document is written in a manner conducive to the individual’s understanding of how his or her personal information will actually be used or disclosed. Indeed, the wording is so broad in each case as to virtually preclude understanding, unless the individual is to understand that MBNA intends to use personal information however it may see fit and disclose it to whomever it may see fit. This, I should add, would hardly be a purpose that any reasonable person would expect or consider appropriate in any circumstances.
Furthermore, the credit card application itself is written not only in legalese, but also in very tiny lettering – two conditions that operate not only against one’s understanding, but even against one’s reading, of a document. As for MBNA’s Privacy Policy Statement, this document is itself too broadly written (albeit significantly more clear and informative than the others) and in any case would not be a sufficient basis for inferring consent in that it is not supplied to individuals and is thus not immediately available as a reference in making the decision regarding consent. Lastly, the script used by telemarketers in taking credit applications over the telephone is the broadest, least informative, and least adequate of all.
I have also determined that MBNA does not adequately inform customers that some products and services offered on its behalf will ultimately be provided by third parties to which the bank will disclose customers’ personal information.
In sum, having determined the inadequacy of the materials and means used in obtaining consent from customers, I find that MBNA is in contravention of Principle 4.3.2 of Schedule 1 to the Act. It follows that these materials and means do not suffice as a basis for consent. It also follows that, in using the application form and the agreement in question, MBNA is in effect requiring individuals to consent, as a condition of the supply of a product or service, to the collection, use, and disclosure of information beyond that required to fulfil explicitly specified purposes. Nor would a reasonable person consider the collection, use, or disclosure of personal information for the secondary purposes as contemplated in these materials to be appropriate in any circumstances without the knowledge and consent of the individual. I find therefore that MBNA is also in contravention of Principle 4.3 and 4.3.3 of Schedule 1 and section 5(3) of the Act.
I also find that MBNA is omitting to provide a convenient, immediate, and easy means of withdrawing consent to optional practices and, therefore, MBNA does not meet the reasonable expectations of the individual as deemed relevant in Principle 4.3.5.
Accordingly, I conclude that your complaint against MBNA is well-founded.
I am recommending that MBNA redraft its communications materials for credit applicants and new customers with a view to facilitating knowledge of purposes as required under Principles 4.3 and 4.3.2 of Schedule 1. In doing so, MBNA should address the customer’s reasonable expectation to be provided with satisfactory answers to the following questions:
- What personal information of mine is to be disclosed? The customer should be informed what specific items or types information, from among those collected, the organization intends to disclose. No reasonable person would consider it appropriate for an organization to leave open-ended or vague the nature of any personal information to be given to others. Also, no reasonable person would consider “opt-out” consent appropriate if the information in question is of a potentially sensitive nature, such as financial information. When relying upon opt-out consent, therefore, the organization should make it clear that the information to be disclosed is of a non-sensitive nature compatible with that form of consent.
- To whom will my personal information be disclosed? The organization should indicate as specifically as possible the parties to which personal information is to be given. Where a comprehensive listing would be impractical, the organization should define intended recipients at least by type or category and where applicable should clarify its business relationship with the recipients (e.g., affiliates, subsidiaries, partners). The organization should not make allowance for unspecified future “others”, but rather should limit recipients to concrete entities or categories currently envisioned. No reasonable person would consider opt-out consent appropriate in circumstances where personal information might eventually be disclosed to parties as yet undetermined or to be added at the organization’s future discretion.
- How exactly will my personal information be used? Secondary purposes should be limited and clearly indicated. If direct marketing is the purpose of disclosing personal information to other parties, the organization should say so. No reasonable person would consider it appropriate for an organization to leave purposes vague or open-ended or to convey the impression that it will use personal information in any way it may see fit in future.
I am also recommending that MBNA, at the time of offering any customer a product or service that will ultimately be supplied by a third party, identify the third-party supplier in question. In the event that the customer agrees to receive the product or service, MBNA should then obtain the customer’s express consent to the disclosure of specified personal information to the third-party supplier.
Finally, I am recommending that MBNA take steps to meet the reasonable expectation of Mastercard customers for an immediate, easy, and inexpensive means of withdrawing consent to the optional collection, use, and disclosure of their personal information. Specifically, I recommend that MBNA provide either a check-off box on the credit card application form and Cardholder/Credit Card Agreement or a 1-800 number for the convenience of customers who wish to withdraw consent.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A OH9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
Yours sincerely,
Commissioner’s Findings – Loyalty Management Group Canada Inc
Privacy Commissioner
Commissaire a la protection of Canada de la vie privee du Canada
112, rue Kent Ottawa (Ontario) K1A1H3
Tel.:(613) 995-8210 Telec: (613) 947-6850 1-800-282-1376
www.privcom.gc.ca
Oct. 16 2002
File: 6100-0084
Ms Philippa Lawson
Public Interest Advocacy Centre
1 Nicholas Street, Suite 1204
Ottawa, ON K1 N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against the Loyalty Management Group Canada Inc. (Loyalty) under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint received in my Office on October 18, 2001, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Loyalty, in conducting its AIR MILES Reward Program (AMRP), was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, you made three allegations of failure on Loyalty’s part: (1) failure to adequately bring to the attention of its AMRP members its practices of using and sharing members’ data with affiliates for secondary marketing purposes and the opportunity for members to opt out of such practices; (2) failure to provide full and clear information as to potential secondary uses and sharing of members’ data; and (3) failure to provide members with an opting-out method that can be executed immediately, easily, and at minimal effort and cost.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies not only to any federal work, undertaking, or business, but also to any company that discloses personal information across borders for consideration. Upon making the determination that Loyalty is a company of the latter type, I was required under section 12 of the Act to accept and investigate your complaint.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be ”.. .information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about Loyalty’s AMRP members as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is Loyalty. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
- reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
- reliance on fine print buried in a long document;
- failure to use clear, plain language understandable to the ordinary consumer;
- failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
- failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
Loyalty, a wholly owned subsidiary of Alliance Data Systems Corporation of Dallas, Texas, itself comprises a number of divisions or affiliates, which are not separate corporate legal entities and which the company calls its “business units”. The AMRP is one of these business units. It is a frequent-buyer program that rewards members (“Collectors”) for loyal shopping by giving them “air miles’ for their purchases from more than 100 participating companies (“Sponsors”) at more than 12,000 retail locations across Canada. Through the AMRP, Loyalty aims at creating value for these Sponsors by enhancing loyalty among their existing customer relationships or by developing new customer relationships.
When a Collector shops at a Sponsor location and presents an AIR MILES card, the Sponsor records the following information:
- card number;
- basic transaction data, comprising date of transaction, name and address of store, dollar value of purchase, the number of reward miles earned;
- on occasion, the product category (e.g., gasoline) or the type of Collector by the type of card carried (95 percent of Collectors hold a blue card; 5 percent hold a gold card, signifying “best customers” who receive bonus opportunities and privileges).
The Sponsor transmits this basic contact information to Loyalty so that it can credit earned reward miles to the Collector’s account. Loyalty sends the Collector a summary of the account every quarter and invoices the Sponsor for the number of air miles credited to the Collector’s account.
Loyalty readily acknowledges that, in addition to these administrative exchanges of basic information, it uses (among its business units) and discloses (to Sponsors) information about its AMRP Collectors for marketing purposes. As far as disclosure of information to Sponsors is concerned, Loyalty maintains, and my Office’s investigation has confirmed, that the only personal information ever disclosed about any individual Collector consists solely of the following items: name, residential address, e-mail address (if applicable), card number, telephone number (if requested by the Sponsor), and collector type (i.e., according to whether the collector carries a regular blue card or a gold card signifying “best customer” status).
Loyalty provides this basic personal information in response to requests from Sponsors who wish to make offers to Collectors of a certain profile, according to broad search parameters. For example, a Sponsor may ask Loyalty to identify very active Collectors in Western Canada who have earned air miles from five or more different Sponsors over a specific period of time. Most of the time, Loyalty sends the information not directly to the requesting Sponsor, but rather in confidence to a production or mailing house that is under contract to either Loyalty or the Sponsor in question. By the terms of the contract, after preparing personalized direct-mailing packages and compiling a mailing list, the contractor then destroys the data files.
Loyalty’s disclosure of personal information to Sponsors is done under strict usage guidelines and agreements that have been in effect since the AMRP began in 1992. Sponsors are legally bound to treat as confidential the information disclosed to them. The agreements state that the list of Collectors is supplied for a one-time, direct mailing for a specified purpose, cannot be used for any follow-up telephone calls, further mailings, or other communications, and must be returned to the AMRP or destroyed by the Sponsor as agreed. Sponsors are not permitted to copy the information or otherwise retain records of it.
Loyalty does disclose other information about Collectors to Sponsors, but our investigation has confirmed that this is aggregate information that does not identify individuals. We have also confirmed that Loyalty’s AMRP database is not publicly accessible or directly accessible to Sponsors, that Loyalty neither collects from nor discloses to Sponsors information identifying specific items purchased, and that personal information pertaining to Collectors’ transactions with one Sponsor is never disclosed to any other Sponsor.
When an individual chooses to enrol in the AMRP, he or she gives consent to terms and conditions by signing an enrolment form, by word if speaking with a service centre representative or, if enrolment is online, by checking the appropriate box before submitting the form electronically.
Under the heading “Enrollment Terms and Conditions”, the forms display the following text:
/ agree to jbe bound by the Terms and Conditions of the AIR MILES Reward Program, and consent to the use of my personal information in accordance with the Privacy Pledge below.
This privacy pledge, which appears in relatively small print under the title, “Committed to Protecting your Privacy”, is a summary of Loyalty’s Privacy Commitment. Loyalty also publishes the pledge as a separate document, available as a handout or on the company website. I present the pledge in its entirety as follows:
The Loyalty Group, as creator and manager of the AIR MILES Reward Program in Canada, is committed to protecting the privacy of Personal Information obtained from Collectors and Sponsors. The Loyalty Group collects Personal Information for the following purposes:
- to administer the AIR MILES Reward Program, the AIR MILES For Business Program and AIR MILES INCENTIVES, including the management of Collector accounts, to accurately record and update reward mile balances;
- to process Collector redemptions, including the issuance of reward tickets and vouchers;
- to invoice Collector and Sponsor accounts, as appropriate;
- to communicate information and offers to Collectors, Sponsors, and Suppliers;
- to understand and analyze Collectors’ responses, needs and preferences;
- to develop, enhance, market and/or provide products and services to meet those needs; and
- to enable Collectors to participate in promotions and contests.
The Loyalty Group will use this information from time to time to promote additional products, services, Rewards, and special offers from the AIR MILES Reward Program and/or its Sponsors. Collector information is processed and stored in secure and confidential databases in Toronto, Ontario and Dallas, Texas. The Loyalty Group does not give, rent or sell Collector lists from the AIR MILES Reward Program to any organization or individual other than business units of the Loyalty Group, Sponsors and companies contracted to process and manage Collector transactions, redemption requests and communications. The Loyalty Group protects the privacy of Collectors when promoting products and services. If you do not wish to receive marketing or promotional communications other than AIR MILES Summaries, simply inform us in writing to: AIR MILES Customer Service, P.O. Box 602, Station A, Scarborough, Ontario M1K 5K7, or by e-mail to privacyoffice@airmiles. ca. Your ability to collect or redeem AIR MILES reward miles will not be affected. For complete details see our Privacy Commitment at www.airmiles.ca.
It should be noted here that the pledge does not name or otherwise define “business units of the Loyalty Group”. Nor, curiously, does it mention two points that I suspect many prospective members would be relieved to learn: (1) that Loyalty limits its disclosure of information to the items that I have listed above and does not identify specific purchases; and (2) that Loyalty does not disclose Collectors’ transaction information between Sponsors.
Although the pledge clearly indicates that the Collector may withdraw consent to receiving marketing or promotional communications, it only provides for doing so in writing or by e-mail. It does not provide for an immediate, easy, and inexpensive means of opting-out, such as a 1-800 number, for Collectors without internet access. Loyalty has offered the explanation that, for any change Collectors may wish to make to their accounts, the company prefers to have indisputable proof in writing. Loyalty also points out that, in cases where any Collector refuses to provide a written request, the company will accept the request verbally via a toll-free call to its service centre, although this option is not promoted or advertised.
The wording of the privacy pledge on hard-copy forms is identical to that on online forms. However, the script that Loyalty provides to its sales representatives who take applications verbally, usually over the telephone is different. Although this script does instruct the representatives to state purposes for information collection more or less as they are stated on the application forms, it contains none of the other privacy-related information that appears on the forms. For example, it does not make clear that Loyalty gives Collector information only to its own business units, Sponsors, and contractors. Most significantly, it makes no reference to any possibility of withdrawing consent to any of the stated purposes. The wording suggests that the applicant has no option in that regard:
Without this [personal] information and permission to use it for the purposes stated, I will be unable to process the enrollment. Thank-you for calling AIR MILES.
As previously mentioned, Loyalty also has a Privacy Commitment, available both in brochure form and on the website. This 13-page document, which reflects the 10 principles of fair information practices, is the longest and most detailed expression of Loyalty’s privacy policy and practices. For example, unlike the privacy pledge, it does name Loyalty’s business units.
Loyalty has pointed out, moreover, that it makes a concerted effort to communicate its Privacy Commitment, in whole or part, in one form or another, through numerous mailouts to Collectors, as well as through documents on its website. The company affirms that, since the Act came into force, it has distributed to Collectors some 37.5 million pieces of information drawing attention to aspects of its privacy policy and practices, notably the purposes for which it collects personal information and the opportunity for Collectors to opt out of information sharing. On this basis, Loyalty maintains that it does obtain valid informed consent to marketing purposes from its AMRP members.
On the basis of these facts, I am required to determine whether Loyalty is in compliance with Principles 4.3 and 4.3.2 of Schedule 1 to the Act. In this case, where the central issue is consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used; it further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
Though not specifically at issue in your complaint against Loyalty, two other provisions of the Act have guided me in my deliberations regarding the general position that you have expressed. These are Principle 4.2.3, which states in part that the identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected, and Principle 4.3.1, which states in part that an organization will typically seek consent for the use or disclosure of the information at the time of collection.
I will begin by stating that I consider your expectations regarding consent, as you have expressed them in your submission, to be entirely reasonable and in keeping with the Act. First and foremost, I note that Principles 4.2.3 and 4.3.1 clearly support your expectation that an organization should not merely make policy documents generally available, but should actually bring to the attention of the individual at the time of collection its purposes in respect of collecting, using, and disclosing personal information. Since personal information is most often collected during an application or subscription process, it follows that organizations should take reasonable steps to inform individuals directly of purposes, either in writing or by word of mouth, at the time the individual applies or subscribes for a product, service, or program. Furthermore, Principle 4.3.2 clearly supports the expectation that consent be based on purposes stated in clear, plain language understandable to the ordinary consumer and in adequate detail for the consumer to appreciate the nature and extent of the collections, uses, and disclosures contemplated.
I am also in agreement that, where consent regarding personal information is to be sought, it is entirely reasonable for the individual to expect not to have to read fine print or search for information in a document that is not immediately at hand. Finally, where consent to optional secondary purposes is presented as a condition for supply of the primary product or service, I consider it only reasonable for the individual to expect to be provided with a convenient and well-advertised opting-out procedure that can be executed easily, immediately, and inexpensively.
The question now is, does Loyalty meet these reasonable expectations?
As I have suggested above, in considering this question my focus of concern has to be the information that Loyalty actually provides to individual subscribers at the time they subscribe to the AMRP. I am favourably impressed with Loyalty’s privacy-related communications effort in general and have only minor quibbles with its “Privacy Commitment” document in particular. The fact remains that the only means whereby Loyalty endeavours to inform individuals of purposes during the actual subscription process are the privacy pledge that appears in both the hard-copy and the online application forms and the script that Loyalty representatives use in taking applications by telephone. It is to the pledge and only to the pledge that Loyalty makes explicit reference in obtaining consent to terms and conditions via its application forms.
Let me say, first of all, that, as far as the purpose statements themselves are concerned. Loyalty has in my view done a very reasonable job. These statements, which are included in the telephone script as well as in the pledge that appears on application forms, strike me as being quite clear and understandable. I note in particular that one of the stated purposes reads as follows: “To communicate information and offers to Collectors, Sponsors, and Suppliers.” It is my view that an ordinary consumer, provided that he or she takes the trouble to read this statement before signing on the dotted line, will have little trouble understanding it and thus will hardly be surprised in due course to receive communications in the line of direct marketing.
I am also pleased to note that Loyalty does go on to advertise with reasonable clarity, on its written application forms, the opportunity for individuals to opt-out of receiving marketing communications. Provided only that the advertised means of opting-out be extended to include a toll-free number or a check-off box on application forms, I am inclined to give high marks to Loyalty for meeting the reasonable expectations of individuals in this regard.
As for the written privacy pledge itself, in my presentation of the facts I have already suggested certain areas in which it could be improved towards better meeting the expectations of the individual – in general by clarifying the limited nature of the personal information collected, used, and disclosed and by better defining the limits of intended disclosures. As a consumer myself, I would also expect to see larger print in such a text to be used in making an important decision about one’s personal information. Still, despite these shortcomings, the pledge, too, warrants a passing grade.
I have found that Loyalty has on the whole made a reasonable effort at informing customers of the secondary purposes of marketing in accordance with Principle 4.3.2. However, I do have one concern in this regard. Despite the merits of the pledge and Loyalty’s communications efforts in general, individuals who apply for membership in the AMRP by telephone do not receive the same information as those who apply in writing or electronically. The script used by Loyalty’s representatives is not as clear or informative as Loyalty’s applications forms. The script does not indicate that marketing purposes are optional and that consent to such purposes may be withdrawn. The script leaves one with the impression that the individual must either put up with marketing or not be a part of the program.
In sum, with the exception of telephone applications, I am satisfied that the communications materials as well as the process of obtaining consent, constitute a reasonable effort to ensure that the individual is advised of the secondary purposes for which personal information will be disclosed. This serves as a valid basis for knowledge and consent. However, I have determined that the problematic telephone script and the lack of a toll-free number to withdraw consent, do not satisfy the requirements of Principles 4.3, 4.3.2 and 4.3.5 of Schedule 1 to the Act.
Accordingly, I conclude that your complaint against Loyalty is well-founded.
I am recommending that Loyalty include on AMRP application forms a check-off box for those who wish to withdraw consent to marketing or Loyalty should provide a toll-free number for the same purpose.
I am recommending that Loyalty revise its communications materials, notably the texts used in obtaining consent during the AMRP application process and including the telephone script, where necessary to ensure clarity and consistency in the following respects:
- specifying the items or types of personal information it collects, uses and discloses for marketing purposes;
- defining its disclosure activities (e.g., that personal information is not disclosed between Sponsors and that specific purchases are not disclosed); and
- advertising the opportunity for program members to withdraw consent to marketing purposes and the method of doing so.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A OH9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
George Radwanski Privacy Commissioner of Canada
Commissioner’s Findings – Hudson’s Bay Company
Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A1H3
Tel.: (613) 995-8210
Fax:(613)947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0082
Ms Philippa Lawson
Public Interest Advocacy Centre
1 Nicholas Street, Suite 1204
Ottawa, ON K1 N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against the Hudson’s Bay Company (HBC) under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint received in my Office on October 18, 2001, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that HBC was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, you made three allegations of failure on HBC’s part with respect to its credit card and rewards program: (1) failure to adequately bring to the attention of its customers its practices of using and sharing customer data for secondary marketing purposes and the opportunity for customers to opt out of such practices; (2) failure to provide adequate information as to potential secondary uses and sharing of customer data; and (3) failure to provide customers with an opting-out method that can be executed immediately, easily, and at minimal effort and cost.
‘ I have determined, first of all, that the subject matter of your complaint does fall within my current jurisdiction under the Act, but only as far as HBC’s operations in northern Canada are concerned.
As of January 1, 2001, the Act applies to any federal work, undertaking, or business or to any organization that discloses personal information across borders for consideration. I have determined that HBC does not disclose personal information across borders for consideration. However, by operation of constitutional law, any business venture in the Yukon, Nunavut, or the Northwest Territories is a federal work, undertaking, or business. HBC has five divisions, one of which, its Fields Stores Division, operates one store in the Yukon and two in the Northwest Territories. On this limited basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be ”…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about HBC’s customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is HBC. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.*Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
*Companies commonly fall short of meeting this obligation in several ways:- reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
- reliance on fine print buried in a long document;
- failure to use clear, plain language understandable to the ordinary consumer;
- failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
- failure to provide an easily executable opting-out procedure
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
In your complaint against HBC, you identified that company’s credit card agreement as being particularly inadequate for purposes of the Act.
My Office’s investigation has revealed that HBC’s three Fields stores that fall under my jurisdiction do not participate in the HBC Rewards Program and do not themselves currently collect, use, or disclose personal information in connection with the HBC credit card. Formerly, these stores did in theory take credit card applications, but their involvement in the credit card program would have been limited to forwarding the applications to HBC’s head office in Toronto. The stores in question would not have retained copies and would not themselves otherwise perform any administrative function in respect of credit cards. Moreover, the three stores no longer participate in HBC’s credit card program in any way.
On the basis of these facts, I am required to determine whether HBC is in compliance with Principle 4.3 of Schedule 1 to the Act as far as its operations under my current jurisdiction are concerned. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
In the absence of evidence to the contrary I must conclude that HBC’s three Fields stores in northern Canada do not collect, use, or disclose their customer’s personal information in connection with HBC’s credit card or rewards program. Having no jurisdiction at present for further investigation, I therefore have no basis for finding that HBC is not in compliance with Principle 4.3.
Accordingly, I conclude that your complaint against HBC is not well-founded.
Nevertheless, I would be remiss if I did not take this opportunity to remind HBC that its operations in the rest of Canada will become subject either to the Act or to substantially similar provincial legislation as of January 1, 2004. I also wish to notify HBC that, in your similar complaints against other organizations, I have found your expectations regarding consent, as you expressed them in your general submission, to be reasonable and in keeping with the Act. I would strongly recommend that, in preparing to undertake its more extensive obligations, HBC take due account of the substance of your complaints and of my related findings.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A OH9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
Yours sincerely,
George Radwanski Privacy Commissioner of Canada
Commissioner’s Findings – Bell Nexxia
Privacy Commissioner
Commissaire a la protection of Canada de la vie privee du Canada
112, rue Kent
Ottawa (Ontario)
K1A1H3
Tel.: (613) 995-8210
Telec: (613) 947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0218
Ms Philippa Lawson
Public Interest Advocacy Centre
One Nicholas Street, Suite 1204
Ottawa, ON K1N7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against Bell Nexxia under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Bell Nexxia was not obtaining informed consent from individuals for the collection, use or disclosure of personal information for secondary marketing purposes. Specifically, you complained that Bell Nexxia was not bringing to the attention of its customers (a) its policy of sharing customer information with Bell Canada affiliates for secondary marketing purposes and (b) the corresponding opportunity for customers to opt-out of such sharing.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking or business. By operation of constitutional law, any telecommunications company, such as Bell Nexxia, is a federal work, undertaking or business. On this basis, therefore, I was required under Section 12 of the Act to accept and investigate your complaint.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is Bell Nexxia. For all these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
- reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
- reliance on fine print buried in a long document;
- failure to use clear, plain language understandable to the ordinary consumer;
- failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
- failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
Bell Nexxia’s customer base comprises the largest 300 private and public sector customers served by Bell Canada and its affiliates. It assists these businesses to develop their communications infrastructure, including information technology functions and provides them with e-business computerized solutions. Bell Nexxia does not provide services to individual consumers.
On the basis of these facts, I am required to determine firstly whether the information at issue is personal information for the purposes of the Act, and if so, whether Bell Nexxia is in compliance with Principle 4.3 of Schedule 1 to the Act.
Section 2 of the Act defines personal information to be ”…information about an identifiable individual…”. Principle 4.3 of Schedule 1 to the Act states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
The information that Bell Nexxia deals with, pertains to corporations – not “identifiable individuals”. I am satisfied that Bell Nexxia does not collect, use or disclose the personal information of individuals. I therefore have no basis for making a determination in respect of Principle 4.3 of Schedule 1 of the Act.
Accordingly, I conclude that your complaint against Bell Nexxia is not well-founded.
Now that you have my report, I must inform you that, pursuant to Section 14 of the 4 Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in ‘espect of any matter that you complained about or that I have dealt with in my report, and ihat is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.7 or 4.8 of Schedule 1, in clause 4.3, k5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or 7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division 3f the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A OH9, telephone (613) 992-4238. Normally, an application •nust be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of he other party be paid by you where the Court is of the view that this is appropriate. A/hile this does not happen often, it is a possibility of which you should be aware. conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Meary, Director General of Investigations, at 1-800-282-1376.
George Radwanski Privacy Commissioner of Canada
Commissioner’s Findings – Bell Express Vu
Privacy Commissioner
Commissaire a la protection of Canada de la vie privee du Canada
112, rue Kent Ottawa (Ontario) K1A1H3
Tel.:(613) 995-8210 Telec.: (613) 947-6850 1-800-282-1376
www.privcom.gc.ca
File: 6100-0217
Ms Philippa Lawson
Public Interest Advocacy Centre
1 Nicholas Street, Suite 1204
Ottawa, ON K1 N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against Bell ExpressVu under the Personal Information Protection and Electronic
Documents Act (the Act). In your complaint, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Bell ExpressVu was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes. Specifically, you alleged that Bell ExpressVu was not bringing to the attention of its customers (a) its policy of sharing customer data with other Bell Canada affiliates for secondary marketing purposes and (b) the corresponding opportunity for customers to opt-out of such sharing.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any telecommunications company, such as Bell ExpressVu, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
You initially filed a complaint against Bell Canada. Some weeks later, you clarified to my Office that you had intended your complaint to apply to the information practices of Bell Canada’s affiliates as well. You may have assumed that Bell’s affiliates formed part of the Bell corporate entity. Bell’s affiliates are in fact separate corporate entities; moreover, only three of them are federal works, undertakings, or businesses subject to the Act. A separate complaint file has been opened for each of these three Bell affiliates that fall under my jurisdiction. Bell ExpressVu is one of the three.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be ”…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about Bell ExpressVu’s customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
- reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
- reliance on fine print buried in a long document;
- failure to use clear, plain language understandable to the ordinary consumer;
- failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
- failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
Bell ExpressVu readily acknowledges that it does disclose customers’ personal information for marketing purposes to Bell Mobility, another Bell Canada affiliate that is subject to the Act. The information in question comprises contact data (i.e., name, mailing address, home and work telephone numbers, e-mail address), as well as indications of services or products purchased, average monthly billing, credit records, and complaint records. Bell ExpressVu’s disclosure of such information to Bell Mobility is limited at present, but is expected to increase in the future.
Bell ExpressVu also acknowledges that it does not itself actively seek, at the time an individual customer purchases a product or subscribes to a service, consent to disclosure of the customer’s personal information to Bell Mobility. Rather, like other Bell Canada affiliates, Bell ExpressVu relies upon the notion of “implied consent” as explained in Bell Canada’s privacy code, the “Bell Code of Fair Information Practices”. Bell ExpressVu and its sister affiliates have adopted as their own the parent company’s privacy policy and practices, as set out mainly in two documents – the 17-page Bell Code and the 9-page “Bell Customer Privacy Policy”.
The Bell Code defines implied consent as “consent that can reasonably be inferred from an individual’s action or inaction.” Clause 3.7 of the Code states as follows:
In general, the use of products and services by a customer… constitutes implied consent for the Bell companies to collect, use and disclose personal information for all identified purposes.
As far as the exchange with Bell Mobility in particular is concerned, Bell ExpressVu takes clause 3.7 to mean that, if a customer obtains a product or service at Bell ExpressVu, he or she implicitly consents to having personal information disclosed to Bell Mobility.
The Code does identify the “Bell companies” in question and sets out five general purposes for their collection of personal information, including “To develop, enhance, market or provide products and services.” However, the Code does not indicate that this or any other of the purposes applies specifically to disclosures of information between Bell companies and indeed does not specify that the companies disclose customers’ personal information to one another. On being asked to explain this omission, Bell Canada maintained that such disclosure is implicit in the treatment of the Bell companies collectively as a single organization for the purpose of the Code.
Bell Canada’s Privacy Policy does assign a purpose specifically to disclosures of personal information between Bell Companies, as follows:
The purpose for sharing information among the Bell companies is to help us identify your information, communication and entertainment needs, and provide you with relevant information, advice, and solutions.
It is to be noted, however, that this purpose is not identical with any of the five stated in the Bell Code. It seems closest in meaning to “To develop, enhance, market or provide products and services”, but the verb “market” is conspicuously absent.
Bell Canada communicates its privacy policy and practices to customers through mail-outs (e.g., inserts in telephone bills), the white pages of the telephone directory, websites, and literature made available at Bell World stores. In the year 2000, a brochure entitled “The Bell Privacy Policy and You” was mailed out as a bill insert to all Bell customers.
That brochure included a notification to the effect that customers who did not wish to have their personal information disclosed among Bell companies (listed in the brochure) could withdraw consent by calling Bell Canada at the number shown on bills or electronically via Bell’s various websites. The brochure also stated that customers could view or obtain copies of the Bell Code and Privacy Policy by the same means.
Bell Canada’s white-pages telephone directory likewise informs customers that, if they wish to view or obtain a copy of the Bell Code or Privacy Policy, or if they have concerns about their privacy, they may contact one of the Bell websites or call the number on their telephone bill. However, the directory does not indicate any method or possibility of opting-out of information disclosures among the Bell companies.
The Bell Canada website contains the Bell Code and Privacy Policy as well as other privacy-related information, including instructions on opting-out of information disclosure among the Bell companies and an electronic opt-out form to be used for that purpose. Bell ExpressVu’s website links back to the Bell Canada site and is thus also linked indirectly to the privacy-related information and the electronic opt-out form. However, although Bell ExpressVu accepts opt-outs from its customers via this electronic form as well as by telephone or in writing, its own website makes no direct reference to an opportunity or method of opting-out or even to the practice of sharing information with other Bell affiliates. Nor does Bell ExpressVu, in any other situation or manner, make a point of advertising these optional considerations to its customers.
Nevertheless, on the basis of the information provided in Bell Canada’s privacy-related communications materials, notably the Bell Code and Privacy Policy, Bell ExpressVu has taken the position that its own customers are duly informed, in accordance with Principle 4.3.2 of Schedule 1 to the Act, both of the purposes for which personal information will be used and disclosed, and of the opportunity for easily opting-out of the specific practice of information disclosure among affiliates. Furthermore, Bell ExpressVu contends that the disclosure of personal information among common-branded companies providing a range of related communications services is consistent with the reasonable expectations of its customers as contemplated under Principle 4.3.5.
On the basis of these facts, I am required to determine whether Bell ExpressVu is in compliance with Principles 4.2.3, 4.3, and 4.3.1 of Schedule 1 to the Act. In this case, where the central issue is consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.2.3 states that identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.1 states, in part, that an organization will typically seek consent for the use or disclosure of the information at the time of collection. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
I will begin by stating that I consider your expectations regarding consent, as you have expressed them in your submission, to be entirely reasonable and in keeping with the Act. First and foremost, I note that Principles 4.2.3 and 4.3.1 clearly support your expectation that an organization should not merely make policy documents generally available, but should actually bring to the attention of the individual at the time of collection its purposes for collecting, using, and disclosing personal information. When an organization collects personal information during an application, subscription, or purchasing process, it should take reasonable steps during the same process to specify to the individual, and seek the individual’s express consent for, any intended secondary uses or disclosures. It follows that the organization should be prepared to provide the individual, on the spot, with whatever information he or she may require to make a knowledgeable consent decision. In such situations, I consider it entirely reasonable, as you have suggested, for an individual to expect not to have to seek out or otherwise rely upon information that is not immediately at hand.
I also consider it only reasonable for the individual to expect to be informed, likewise during the same process, of the opportunity and a convenient method for withdrawing consent.
Finally, where an organization intends to disclose personal information that the individual is likely to consider sensitive, such as credit records and complaint records, I consider it reasonable for the individual to expect to be consulted directly and positively in the matter of consent. In such a situation, the organization should use positive or “opt-in” consent rather than the negative option.
It is obvious that, in relying wholly upon its parent company’s notion of implied consent, Bell ExpressVu does not meet the reasonable expectations described above and deemed relevant under Principle 4.3.5. At the time of collecting a customer’s personal information during a subscription or purchasing process, Bell ExpressVu does not supply the customer with information about its intention to disclose personal information to its sister affiliate Bell Mobility, to obtain the customer’s consent for such disclosure, or to notify the customer of the opportunity and method of opting-out of such disclosure. It is not reasonable for Bell ExpressVu to rely upon the presumption of the customer’s knowledge and consent on the basis of general policy documents that it has not itself brought directly to the attention of the customer.
I find therefore that Bell ExpressVu has failed to comply with Principles 4.2.3 and 4.3.1 and, having failed to meet the individual’s reasonable expectations regarding consent as deemed relevant under Principle 4.3.5, is also in contravention of Principle 4.3.
Accordingly, I conclude that your complaint is well-founded.
I am recommending that Bell ExpressVu, at the time of collecting personal information from any customer during a subscription or purchasing process, directly inform the individual customer of the purposes for which personal information is collected and seek his or her consent for intended uses and disclosures. In implementing this recommendation, Bell ExpressVu should ensure that:
(1) purposes are stated in such a manner that the customer can reasonably
understand how personal information is to be used or disclosed, in accordance with Principle 4.3.2 of Schedule 1;
(2) intended uses and disclosures are well-defined especially in respect of
- the items or types of information to be used or disclosed;
- the parties to which information is to be disclosed; and
- the purposes for which information is to be disclosed (e.g., direct marketing);
(3) the customer is directly notified of the opportunity to withdraw consent to specific optional purposes (e.g., direct marketing); and
(4) the customer is provided with, and directly notified of, an easy, immediate, and inexpensive means of opting-out (e.g., a check-off box or toll-free telephone number).
I am also recommending that Bell ExpressVu, at the time of collecting personal information during a subscription or purchasing process, provide individual customers with an opt-in consent form relating specifically to disclosures to Bell Mobility and to any other party to which Bell ExpressVu intends to disclose personal information of a potentially sensitive nature, such as credit information.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A OH9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
Yours sincerely,
George Radwanski “Privacy Commissioner of Canada