Commissioner’s Findings – Bell Canada

Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada
112, rue Kent
Ottawa (Ontario)
K1A 1H3
Tel.: (613) 995-8210
Fax: (613) 947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0081
Ms Philippa Lawson
Public Interest Advocacy Centre
One Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against Bell Canada (Bell) under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint received in my Office on October 18, 2001, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Bell was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, you alleged that Bell was not bringing to the attention of its residential local telephone customers (a) its policy of sharing customer data with affiliates for secondary marketing purposes and (b) the corresponding opportunity for customers to opt-out of such sharing.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any telecommunications company, such as Bell, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
Some weeks after filing your original complaint, you specified to my Office that you had intended your complaint against Bell to apply to the information practices of the affiliates as well. You may have assumed that Bell’s affiliates formed part of the Bell corporate entity. Bell’s affiliates are in fact separate corporate entities; moreover, only three of them are federal works, undertakings, or businesses subject to the Act. A separate complaint file has been opened for each of these three Bell affiliates that fall under my jurisdiction, and I will issue separate letters of findings for each in due course.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be “…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about Bell’s customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is Bell. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:

  • It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
  • There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
  • Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
  • Companies commonly fall short of meeting this obligation in several ways:
    • reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
    • reliance on fine print buried in a long document;
    • failure to use clear, plain language understandable to the ordinary consumer;
    • failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
    • failure to provide an easily executable opting-out procedure.
  • The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.

In 1986, the Canadian Radio-television and Telecommunications Commission (CRTC) imposed a restriction on Bell’s disclosure of customers’ personal information. This restriction appears as follows in Article 11 (“Confidentiality of Customer Records”) of the Bell Canada Terms of Service:
11.1 Unless a customer consents in writing or disclosure is pursuant to a legal power, all information kept by Bell Canada regarding the customer, other than the customer’s name, address and listed telephone number, is confidential and may not be disclosed by Bell Canada to anyone other than:

  • the customer;
  • a person who, in the reasonable judgement of Bell Canada, is seeking the information as an agent of the customer;
  • another telephone company, provided the information is required for the efficient and cost-effective provision of telephone service and disclosure is made on a confidential basis with the information to be used only for that purpose;
  • a company involved in supplying the customer with telephone or telephone directory related services, provided the information is required for that purpose and disclosure is made on a confidential basis with the information to be used only for that purpose; or
  • an agent retained by Bell Canada in the collection of the customer’s account, provided the information is required for and is to be used only for that purpose.

Thus, with the very limited exceptions noted, Bell is prohibited by the CRTC from disclosing customers’ information, other than publicly available information (i.e., names, addresses, and telephone numbers already listed in directories), to anyone, including its affiliates, without the express written consent of the individual customer.
My Office’s investigation has confirmed that Bell does not make a practice of disclosing customer information to its affiliates and does not have express written consent for such disclosure from most of its residential and business customers. Bell has explained that, because the process of obtaining express written consent would be cumbersome, the company some time ago made the decision not to seek such consent from customers, but rather to forego such disclosure of information in general.
One notable exception is a form that customers are asked to fill out in Bell stores, authorizing Bell Canada/Bell Mobility to share, with the store representative, customers’ information relating to the products and services. Another exception was a direct mail-out to approximately 100,000 customers in the year 2000, seeking written consent for disclosure of customer information to all the Bell companies. I note that both of these exceptions comply with Article 11 in that they seek express written consent from the individual customer. Bell affirms, furthermore, that it has never relied upon any consent obtained from the mail-out; in other words, no information has actually been disclosed on the basis of any response from this initiative. Bell has also pointed out that it has never disclosed customer information to companies other than its affiliates, even though Article 11 would permit such third-party disclosures, too, provided that customers’ express written consent was obtained.
Despite having abided by Article 11 since its inception, in November 2000 Bell (along with many other telecommunications companies likewise subject to it) applied to the CRTC to have this restriction modified so as to permit disclosure of confidential customer information to affiliates without having to obtain written consent from the customer. Bell for one believes that Article 11 is unduly more stringent than the Act, which allows for implied consent in some circumstances. You yourself have made a submission to the CRTC, to the effect that Article 11 should remain unchanged. The CRTC has not yet issued a decision in this matter.
On the basis of these facts, I am required to determine whether Bell is in compliance with Principle 4.3 of Schedule 1 to the Act as far as the disclosure of customers’ personal information to its affiliates is concerned. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
On the evidence, I am satisfied that Bell does not make a practice of disclosing customers’ personal information to its affiliates. I am also satisfied that, in the exceptional circumstances where the company has contemplated such disclosure, it has duly informed the individual customer of its intention and has endeavoured to obtain the individual’s express written consent as required by the CRTC. I therefore have no grounds upon which to find that Bell has contravened Principle 4.3 of Schedule 1 to the Act.
Accordingly, I conclude that your complaint against Bell is not well-founded.
Whatever the outcome of its application regarding Article 11, I trust that Bell will continue to meet all its obligations under the Act, taking due account of the entirely reasonable expectations about consent that you have articulated in your complaint.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A 0H9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
George Radwanski
Privacy Commissioner of Canada

Commissioner’s Findings – Bank of Nova Scotia

Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada
112, rue Kent
Ottawa (Ontario)
K1A 1H3
Tel.: (613) 995-8210
Fax: (613) 947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0085
Ms Philippa Lawson
Public Interest Advocacy Centre
One Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against the Bank of Nova Scotia (Scotiabank) under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint received in my Office on October 18, 2001, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Scotiabank was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, you made three allegations of failure on Scotiabank’s part: (1) failure to adequately bring to the attention of its customers its practices of using and sharing customer data for secondary marketing purposes and the opportunity for customers to opt out of such practices; (2) failure to provide full and clear information as to potential secondary uses and sharing of customer data; and (3) failure to provide customers with an opting-out method that can be executed immediately, easily, and at minimal effort and cost.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any bank, such as Scotiabank, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be “…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about Scotiabank’s customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is Scotiabank. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:

  • It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
  • There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
  • Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
  • Companies commonly fall short of meeting this obligation in several ways:
    • reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
    • reliance on fine print buried in a long document;
    • failure to use clear, plain language understandable to the ordinary consumer;
    • failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
    • failure to provide an easily executable opting-out procedure.
  • The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.

In your complaint against Scotiabank, you have expressed the view that the bank’s privacy brochure entitled “The Scotiabank Group & You: A Question of Privacy” is particularly inadequate for purposes of the Act. In the above-mentioned EKOS survey, this document had been the subject of specific consumer testing.
Scotiabank currently has 12 Canadian subsidiaries, which together with the parent company compose what is known corporately as the “Scotiabank Group”. Although Scotiabank does not refer to these subsidiaries as affiliates, it does readily acknowledge that it discloses to them, for marketing purposes, the personal information of customers. The bank affirms that it requires all members of this group to comply with the Act, as well as the Scotiabank Group Privacy Code.
This 21-page Privacy Code is one of three privacy-related information products that Scotiabank makes available to its customers both at its branches and on its website. Another is the above-mentioned brochure, which is essentially a condensed nine-page version of the Privacy Code. The third is a three-page text entitled “Scotiabank Group Privacy Agreement”, which is included in the companion booklets for each of the products and services offered by Scotiabank.
It should be mentioned here that the Privacy Code, the longest and most detailed of the three with respect to the bank’s privacy policy and practices, is the only one of the three that is not provided directly to individual customers as a matter of policy when they apply in person for Scotiabank’s products or services. Therefore, since it is not immediately on hand for the individual to use as a reference in making the consent decision, it is the least relevant of the three to the central issue of your complaint – that is, whether Scotiabank obtains valid informed consent to secondary purposes of marketing. The focus of concern in this case is the brochure and the Privacy Agreement – especially the latter, since it is the document to which Scotiabank’s various application forms make explicit reference in obtaining customers’ consent to terms and conditions.
On inquiry by my Office, Scotiabank has explained its policy in respect of obtaining customers’ consent to the disclosure of their personal information to other members of the Scotiabank Group. Our investigation has confirmed that, for customers who approach the bank in person to apply for a product or service, the bank instructs its front-line sales representatives as follows.
First, the representative is to give the customer a copy of both the privacy brochure and the appropriate companion booklet for the product or service in question. Then, the representative is required to explain the product or service and, in doing so, to draw attention to, and explain the uses of, the Privacy Agreement contained in the booklet. Specifically, the representative is to explain that the Agreement is used to identify why and how the bank collects, uses, and discloses customers’ personal information; to obtain customers’ consent in that regard; to inform customers of their right, subject to legal and contractual requirements, to withhold or withdraw consent and of the consequences of their doing so; and to provide customers with further information about privacy policies via a cross-reference to the privacy brochure.
Next, by reference to a coded record, the representative is to determine, and document in the bank’s Customer Information System, the customer’s preferences with regard to the disclosure of information with other Scotiabank Group members. In other words, the representative is expected to inquire and note by code whether the customer consents to all marketing efforts (code Y) or whether he or she prefers to opt out of specific efforts – for example, direct mail marketing (code 3) or telephone solicitation (code 4) or solicitation by subsidiaries (code 7).
The customer is ultimately to be asked to sign the appropriate application form, which includes an acknowledgement of receipt of the companion booklet and an agreement to be bound by the terms and conditions of the Privacy Agreement it contains. On signing the application form, if the customer has not indicated preferences otherwise, he or she is assumed to concur with the Privacy Agreement. It should be noted, however, that Scotiabank’s application forms do not themselves display any explicit terms or conditions related to the collection, use, or disclosure of personal information. Nor do customers themselves receive any record of having considered or indicated preferences during the application process.
In order to open an account, a new Scotiabank customer must visit a branch in person, but an existing customer may open a new account electronically. In the latter event, on-line application forms provide the customer with links to companion materials as well as to all of the bank’s privacy-related information products, including the 21-page Privacy Code. These electronic forms have a “Terms and Conditions” section, which reads in part, “By clicking ‘I agree’, you agree to the terms and conditions of the … Account Agreement, as well as the Terms and Conditions of the Scotiabank Group Privacy Agreement…”. At this point, another link to the Privacy Agreement is provided. The customer indicates consent by clicking on the “I agree” icon.
As to the contents of the relevant privacy-related materials, the privacy brochure informs the reader that, with consent and where the law allows, a Scotiabank Group Member may share personal information, other than health information, with other Scotiabank Group Members so that they may tell customers directly about their services. The brochure does not indicate what organizations or types of organizations belong to the Scotiabank Group. On the subject of personal information collected, the brochure states:
“To the best of our ability [emphasis added], we will seek your prior consent to verify and supplement it with external sources such as credit or other bureaus or employers.” On the subject of opting out, the brochure does explain with reasonable clarity the circumstances in which customers may exercise the right to refuse or withdraw consent. However, the only reference to a procedure for opting out consists in a suggestion that customers should make the necessary arrangements with the appropriate branch or office. The brochure also warns that, if a customer refuses or withdraws consent to the collection, use, or disclosure of information, the bank may not be able to provide some products, services, or information of value to the customer, although it clarifies that products or services will not be unreasonably withheld.
The Privacy Agreement is more specific than the brochure about the purposes for which personal information is collected and about the situations and manner in which it may be used and disclosed within the Scotiabank Group. The Agreement does not list specific organizations belonging to the group, but does list the types of organizations involved in terms of the services they provide – for example, companies engaged in deposits, loans and other personal financial services, in trust and custodial services, in insurance services, et cetera. The Agreement also contains a footnote to the effect that the Scotiabank Group means collectively Scotiabank and its Canadian subsidiaries and that a current list of domestic subsidiaries may be obtained from any group member’s branch or office. Moreover, Scotiabank affirms that it instructs front-line staff to provide a copy of this list on request to any customer who wants to know to what specific companies the bank may disclose information for marketing purposes.
In a three-paragraph section headed “Refusing or Withdrawing Consent”, the Privacy Agreement spells out even more clearly than the brochure the customer’s right to opt out of the bank’s collection, use, and disclosure of personal information. Notably, this section specifies as follows: “You can tell us any time to stop using information about you to market our products and services or to stop sharing information with other Scotiabank Group members.” However, the Agreement suggests only that the customer should “contact” a branch or office in order to refuse or withdraw consent. It also uses identical wording to that of the brochure to warn that the bank may not be able to provide some products, services, or information of value if a customer refuses or withdraws consent.
As I have mentioned, Scotiabank’s privacy brochure and Privacy Agreement, as a matter of policy, are issued directly to new or established customers who apply in person for products or services. These information products, along with the Privacy Code, are also made easily available by means of electronic linkage to established customers who apply for new products and services on line.
But the question arises, what about long-established customers who have not opened a new account in some time and therefore would not have had the current privacy brochure and Privacy Agreement personally issued to them? How would such customers be deemed to have consented to such information disclosures as are set out in these documents?
In response to this question, Scotiabank has pointed out that, although its current Privacy Agreement dates from the introduction of the Act on January 1, 2001, there was an earlier version that came into effect in May 1997 and was issued to customers on opening new accounts. Before then, and as far back as October 1992, the bank relied upon consent clauses incorporated in application forms. Our investigation has revealed that these prior consent clauses and the earlier version of the Privacy Agreement were much more broadly stated than the bank’s current information products and did not give any indication that customers could refuse or withdraw consent to disclosures of personal information for secondary purposes.
Scotiabank has pointed out that the number of longstanding customers who have never obtained a new product or service and received a Privacy Agreement in the process would be very small. The bank has also stressed the wide availability of its current privacy-related information products and suggested that any such customer who was interested in the bank’s privacy policies could have easily obtained any of these products from a local branch or from the website.
In your complaint, you suggested that Scotiabank should provide a 1-800 number as an easy, low-cost means for customers to withdraw consent instead of requiring them to “contact” a branch. In response, the bank has noted that it does not actually require the customer to visit the branch, but rather has always meant “contact” to include the option of phoning in or e-mailing. It has also noted that it does in fact already provide a 1-800 number for customer use. Nevertheless, the bank has acknowledged that the brochure and Privacy Agreement do not make explicit reference to telephone or e-mail, and do not advertise the existing 1-800 number, as specific means of withdrawing consent. The bank has found your suggestion to be reasonable, and has agreed to clarify in the next reprint of its privacy materials that customers may withdraw consent by using the 1-800 number, by telephoning a branch, or by e-mail.
Scotiabank has also acknowledged that customers may find its use of the phrase “to the best of our ability” confusing in the context of seeking consent. The bank has agreed to clarify this point, too, in future reprints of privacy materials.
Despite these concessions, however, Scotiabank has taken the position that its privacy communications materials, notably the brochure and the Privacy Agreement, collectively represent a reasonable effort, in accordance with Principle 4.3.2 of Schedule 1 to the Act, to bring to customers’ attention both the bank’s intended disclosures of personal information for secondary marketing purposes and the individual customer’s right to refuse or withdraw consent to such purposes. On this basis, the bank contends that it does obtain valid informed consent from its customers.
On the basis of these facts, I am required to determine whether Scotiabank is in compliance with Principles 4.3 and 4.3.2 of Schedule 1 to the Act. In this case, where the central issue is that of consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used; it further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
Allow me to say firstly that I consider your expectations regarding consent, as you have expressed them in your submission, to be entirely reasonable and in keeping with the Act. Notably, Principle 4.3.2 clearly supports the expectation that consent be based on purposes stated in clear, plain language understandable to the ordinary consumer and in adequate detail for the consumer to appreciate the nature and extent of the collections, uses, and disclosures contemplated. Furthermore, where consent regarding personal information is being sought, I consider it reasonable for the individual to expect not to have to read fine print or search for information in a document that is not immediately at hand. Finally, where consent to optional secondary purposes is presented as a condition for supply of the primary product or service, I consider it only reasonable for the individual to expect to be provided with a convenient opting-out procedure that can be executed easily, immediately, and inexpensively.
The question is, does Scotiabank meet these reasonable expectations? On review of the communications materials in question and the bank’s official process for obtaining consent, I am on the whole satisfied that Scotiabank does meet these reasonable expectations.
In the first place, notwithstanding a certain ambiguity of expression (which the bank has readily agreed to clarify) and the absence of a 1-800 number assigned explicitly to the purpose of withdrawing consent (an omission which the bank has readily agreed to redress), I am satisfied that Scotiabank does in fact provide customers with an easy, immediate, and inexpensive opting-out procedure in the form of telephone or e-mail access to local branches.
Secondly, it is clear that the bank does not rely upon fine print or documents not immediately at hand.
Thirdly, all things considered, I am of the view that the language of the bank’s communications materials, especially that of the Privacy Agreement itself, does convey to individuals in a reasonably understandable manner how their personal information will be used or disclosed. Although in your complaint you raised some valid concerns about Scotiabank’s privacy brochure in particular, in my view these concerns, when considered in the context of the bank’s communications materials collectively and its policy on matters of consent generally, do not amount to a contravention of Principle 4.3.2.
For example, you have quite correctly pointed out that the brochure does not identify the members of the Scotiabank Group. However, I accept that in cases where membership is changeable it is sometimes impractical to provide an exhaustive listing of current members in a standing privacy document. I am mindful, too, that the document of primary interest in this case is not the brochure, but rather the Privacy Agreement, which does at least make the effort to inform customers of the types of organizations involved in the Scotiabank Group. Scotiabank is quite prepared to provide a list of its group’s current membership to any customer curious enough to ask for one.
All in all, I have found the process of consent to be as important a consideration in this case as the consent-related documentation at issue. In particular, I am favourably impressed with Scotiabank’s policy of personally bringing optional secondary purposes to the attention of customers, presenting these purposes in terms of preferences for consideration, and in effect guiding them through an opt-out procedure on the spot. Provided that this policy was confirmed to be consistently applied and was extended somehow to the realm of on-line applications for products or services, I would be very much inclined to recommend it as an exemplary method of obtaining consent, very much akin to the “opt-in” form of consent that you favour.
In sum, I have determined that the communications materials, as well as the process, in question do constitute a reasonable effort on Scotiabank’s part to ensure that the individual is advised of the secondary purposes for which personal information will be used or disclosed and do thus serve as a valid basis for knowledge and consent. I find therefore that the bank is in compliance with Principles 4.3.5, 4.3.2 and 4.3 of Schedule 1 to the Act.
Accordingly, I conclude that your complaint against Scotiabank is not well-founded.
Nevertheless, since our investigation has confirmed that the bank’s consent procedures could be improved in certain ways, I make the following recommendations as best practices:

  1. Scotiabank should take steps to implement the proposed modifications to its procedure for withdrawing consent and to all references to that procedure in its privacy communications materials.
  2. Scotiabank should take steps to implement the proposed clarification of the phrase, “To the best of our ability,” at every instance in its privacy communications materials.
  3. In all instances of the warning to the effect that withdrawal of consent may result in withholding of products, services, or information, Scotiabank should clarify its meaning, with particular emphasis on identifying the products, services, or information in question.
  4. Scotiabank should modify its hard-copy and on-line application forms for products and services so as to directly indicate conditions relating to the collection, use, or disclosure of personal information and to include a record, copiable to the customer, of indicated preferences in respect of secondary marketing purposes.
  5. As occasion arises to have business contact with any customer of long standing to whom the current privacy brochure and Privacy Agreement have never been directly issued, Scotiabank should take such occasion to provide these documents to the customer.

Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, Ontario, K1A 0H9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
Yours sincerely,
 

Report: Consumer Privacy Under PIPEDA: How Are We Doing?


Executive Summary

This report assesses the efficacy to date of the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and identifies significant gaps and grey areas in the data protection regime, from the consumer perspective.
All relevant findings of the Privacy Commissioner to the end of October 2004 were considered to create an update, nearly four years after implementation of PIPEDA, on how it protects consumer privacy in the marketplace. As a practical exercise, this report revisits the targets of complaints filed by the Public Interest Advocacy Centre (PIAC) against major corporations for not properly obtaining consent to secondary marketing. This analysis shows continuing problems with these corporations’ use of “implied consent” obtained by “opt-out” mechanisms.
This report concludes that PIPEDA is a sheep in wolf’s clothing. As a general rule, PIPEDA has not been kind to consumers. Personal experience with the finding process has been painful, especially amongst those who found that they had to take findings of the Privacy Commissioner to Federal Court for “enforcement”. The procedural decisions made by the Office of the Privacy Commissioner of Canada have been highly questionable, and greatly reduce the effectiveness of, and exacerbate the difficulties for consumers with, PIPEDA. Some findings under PIPEDA that could have significantly impacted upon an established business model have been decided to permit the continuation of that business model, despite a privacy breach.
To some extent, results that are not favourable to consumer privacy rights are to be expected in a standards-based, non-prescriptive law such as PIPEDA that seeks to balance those privacy rights with business information use. However, the depth of the negative experience of consumers under PIPEDA suggests the need for major reforms to PIPEDA to make its process more practical and effective for consumers.

SUMMARY (French sommaire)

This report assesses the effectiveness to date of the federal Personal Information Protection and Electronic Documents Act, and identifies the significant gaps and grey areas in the data protection regime from the consumer’s point of view.
All relevant findings of the Privacy Commissioner released up to the end of October 2004 were taken into account in order to produce an update on how the Personal Information Protection and Electronic Documents Act protects consumer privacy in the marketplace, almost four years after it came into force. As a practical exercise, this report re-examines the subject of the complaints filed by the Public Interest Advocacy Centre (PIAC) against major corporations that improperly obtain individuals’ consent for secondary marketing purposes. This analysis shows recurring problems with the use of “implied consent” obtained through opt-out systems.
This report concludes that the Personal Information Protection and Electronic Documents Act is a lamb disguised as a wolf. As a general rule, the Personal Information Protection and Electronic Documents Act does not favour consumers. Personal experience with the findings process has been painful, especially for those who discovered that they had to take the Privacy Commissioner’s findings to the Federal Court for “orders”. The procedural decisions taken by the Office of the Privacy Commissioner of Canada have been highly questionable, seriously reduce the effectiveness of the Personal Information Protection and Electronic Documents Act and only aggravate the difficulties for consumers. Certain findings under the Personal Information Protection and Electronic Documents Act that could have had a significant influence on an established business model were adopted so as to permit the continuation of that model, despite the privacy breach.
To a certain extent, results that run counter to consumers’ privacy rights are to be expected in a non-prescriptive, standards-based law such as the Personal Information Protection and Electronic Documents Act, which seeks to strike a balance between privacy rights and the commercial use of information. However, the extent of consumers’ negative experience with the Personal Information Protection and Electronic Documents Act suggests the need to amend it substantially so that its application is more practical and effective for consumers.

Personal Information Protection and Electronic Documents Act

PIAC’s position on the process of determining whether provincial privacy legislation is substantially similar to the Personal Information Protection and Electronic Documents Act
Richard Simpson, Director General
Electronic Commerce Branch, Industry Canada

Re: Process for determination of “Substantially Similar” provincial provisions to the Personal Information Protection and Electronic Documents Act (Canada Gazette Notice, Part 1, September 22, 2001)

Dear Mr. Simpson:
The Public Interest Advocacy Centre (PIAC) is a national, non-profit organization which has provided legal services and research to Canadian consumers, and the organizations that represent them, for twenty-five years. PIAC’s members include individuals, groups and organizations representing 1.2 million Canadians. As you may be aware, PIAC has been extensively involved in the development of the Personal Information Protection and Electronic Documents Act (the PIPED Act).
Given our extensive experience with this legislation, PIAC would like to comment on the Canada Gazette Notice, Part 1, September 22, 2001 regarding the process for determination of “substantially similar” provincial provisions to the Personal Information Protection and Electronic Documents Act. We believe the substance of what will be considered substantially similar legislation, as reported in the Notice, is well thought out and expressed. We are pleased to see that all ten privacy principles must be maintained, independent oversight is necessary, and the collection, use and disclosure of personal information must be in all cases “appropriate and legitimate”. These are essential conditions for substantial similarity.
However, we are concerned about the process by which provincial legislation will be reviewed and potentially approved as substantially similar. Primarily, we are concerned about the potential for important decisions on “substantial similarity” to be made without input from the public. Because any determination of legislation as “substantially similar” to the PIPED Act will essentially provide an exemption from the Act for an organization, sector or a whole province/territory, it is imperative that the utmost be done to ensure that all concerned stakeholders are consulted. We recognize that Industry Canada will be consulting with the appropriate provincial or territorial government who drafted the legislation and that the Privacy Commissioner will be notified. As well, doubtless, there will be consultation with the requesting organization or sector. However, there appears to be no opportunity for public comment. We suggest that this oversight be remedied: Industry Canada should be required to seek public input when considering any requests for a determination of “substantially similar” under the PIPED Act.
At the very least, the fact that certain legislation or proposed legislation is being assessed to determine if it is substantially similar should be made public by way of notice in the Canada Gazette. If this is not done, the most directly affected party, Canadian consumers, will not have an opportunity to comment on fundamental changes to a law designed to protect them.
We hope that you are able to use our suggestions regarding the process of establishing “substantially similar” legislation to the Personal Information Protection and Electronic Documents Act. We continue to work in this area and would be happy to consult with you on this issue. Please contact me if there is any further information you require. My contact information is above, or you can reach me by email at kpriestman@piac.ca
Sincerely,
Kathleen Priestman, Research Analyst

Inadequate approaches to opt-out consent

Philippa Lawson, Counsel
(613) 562-4002 x.24
plawson@piac.ca
Mr. George Radwanski
Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3

BY EMAIL and MAIL
Dear Commissioner Radwanski:
Complaint re: Inadequate Approaches to Opt-out Consent
Please accept this formal complaint under s.11 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), regarding business non-compliance with the requirement, under the PIPEDA, for individual knowledge and consent to the collection, use and disclosure of personal consumer information for secondary marketing purposes. Based on recent market research conducted for us by EKOS Research Associates Inc.1, it is clear that many companies are not obtaining informed consent (either implicit or explicit) from individuals to the collection, use, and/or disclosure of personal data for secondary marketing purposes.
The non-compliance we are complaining about is widespread and appears to reflect prevailing business practice in the retail market. For the purpose of investigation, however, we recognize that you need company-specific complaints. We therefore submit the following specific complaints:

  • the failure of Bell Canada to bring to the attention of its residential local telephone customers (a) its policy of sharing customer data with affiliates for secondary marketing purposes, and (b) the corresponding opportunity for customers to opt-out of such sharing;
  • the failure of HBC (Hudson’s Bay Company), in respect of its credit card and rewards program:
    • a) to adequately bring to the attention of customers: i) its practices of using and sharing customer data for secondary marketing purposes, and ii) the opportunity for customers to opt-out of such practices;
    • b) to provide adequately clear information as to potential secondary uses and sharing of customer data, and
    • c) to provide applicants with a method of opting-out of such uses and sharing that can be executed immediately, easily, and at minimal effort and cost.
  • the failure of MBNA Canada Bank, with respect to its Mastercard service: a) to adequately bring to the attention of its customers: i) its practices of using and sharing customer data for secondary marketing purposes, and ii) the opportunity for customers to opt-out of such practices; b) to provide adequately clear information as to potential secondary uses and sharing of customer data, and c) to provide applicants with a method of opting-out of such uses and sharing that can be executed immediately, easily, and at minimal effort and cost.
  • the failure of the Bank of Nova Scotia: a) to adequately bring to the attention of its customers: i) its practices of using customer data, and sharing such data with affiliates, for secondary marketing purposes, and ii) the opportunity for customers to opt-out of such practices; b) to provide full and clear information as to potential secondary uses and sharing of customer data, and c) to provide customers with a method of opting-out of such uses and sharing that can be executed immediately (e.g., from the customer’s residence), easily, and at minimal effort and cost.
  • the failure of AIR MILES reward program:
    • to adequately bring to the attention of its customers: i) its practices of using customer data, and sharing such data with affiliates, for secondary marketing purposes, and ii) the opportunity for customers to opt-out of such practices;
    • to provide full and clear information as to potential secondary uses and sharing of customer data, and
    • to provide customers with a method of opting-out of such uses and sharing that can be executed immediately, easily, and at minimal effort and cost.

These examples2, in our view, involve violation of the basic PIPEDA requirement for “the knowledge and consent of the individual…for the collection, use, or disclosure of personal information, except where inappropriate.” (Principle 3, Schedule 1)
We submit first that, in respect of secondary marketing purposes, it is always appropriate to ensure the individual’s knowledge and consent, such that the exception does not apply. Secondary marketing involves no higher public interest such as law enforcement, health, or security that would override the general duty to obtain consent.
The issue then becomes: when can consent reasonably be inferred (i.e., when can companies rely on “implied consent” to secondary marketing purposes)? This is where there is clearly a difference of view between the marketers and the marketed.
Companies appear to take the view that customer consent to secondary marketing can be deemed to have been given, as long as the policy is stated in some document that is accessible to the customer. They do not consider that they have any obligation to bring to the attention of the individual customer the practices in question or the negative option regarding those practices. As a result, most consumers are not aware of the practices or of the negative option, contrary to the requirements of the PIPEDA. If they are not aware, they clearly are not consenting, implicitly or otherwise.
Failure to bring to the attention of the individual, so as to ensure awareness, was the single most common deficiency in company practices that we came across in our survey. It is manifested most commonly in two forms: (a) reliance on a document which is not provided to the individual customer, and which the customer must find on their own initiative, and (b) reliance on fine print buried in a long document, which most customers do not read in full and which companies do not realistically expect them to read in full.
Other common deficiencies which render the “implied consent” relied upon by companies meaningless, include:

  • failure to provide the relevant information in clear, plain language such that the ordinary consumer can easily understand what they are being assumed to have consented to;
  • failure to provide adequately detailed information such that the consumer can fully appreciate the extent and purpose of uses and sharing to which they are consenting, and
  • failure to provide a method of executing the negative option which is easy, does not require the use of computers (which many consumers do not have), involves minimal effort on the part of the consumer (e.g., does not require the consumer to write a letter and mail it to a postal address), and can be executed at minimal cost (e.g., does not require a long distance telephone call).

Our recent survey of Canadians’ expectations and desires regarding business collection, use and disclosure of their personal information for secondary marketing purposes confirms that the common practice of assuming customer consent to such purposes is unjustified. A copy of the survey report, which we sent to you earlier this year, is enclosed.
Attitudes vary widely among Canadians, such that businesses cannot assume anything about consent to secondary marketing. For example, 38% of respondents were not comfortable with companies using their personal information “in order to advise [them] of new products and services that may interest [them]”. A higher proportion of Canadians (48%) are uncomfortable with the sharing of such information among affiliates for the same secondary marketing purposes.
Yet, only a tiny percentage of consumers actually execute the negative options offered to them by companies, in respect of data use and sharing for secondary marketing purposes. For example, Bell Canada reports that only 500 of its customers have exercised an opt-out with respect to affiliate sharing.3 This is a tiny fraction of a percent of Bell’s residential customer base.4 Aliant Telecom reports only 30 instances of customer opt-out – again, a tiny fraction of a percent of their total residential customer base.5 Representatives from Air Miles have stated in the media that only a very small percentage of their customers exercise the negative option.
Clearly, there is an enormous mismatch between the proportion of Canadians who say they would like to exercise the opt-outs, and the proportion of Canadians who actually do. The cause is clear: most people are either inadequately informed, or simply unaware, of the practices in question and of the opportunity to opt-out. Of the minority who are aware, many likely fail to act on their desires because of the effort required to exercise the opt-out.
Our survey shows that over half (54%) of those participating in loyalty programs are unaware of the fact that many of these programs collect, use and disclose information about their purchasing habits in order that companies can target them with new products and services. (53% of all respondents reported being unaware of this fact, suggesting widespread unawareness of common business practices in using and sharing customer data.) Clearly, consumers cannot be consenting to practices of which they are unaware. Yet, companies continue to assume customer consent to practices of which a majority of Canadians say they are unaware. Surely, this cannot be considered compliance with the PIPEDA.
The survey shows that a large majority of Canadians (82%) want to be asked for their permission before a company uses their personal information to build a profile on them for the purpose of marketing new products and services. Deeming consent, or assuming that it has been implicitly given when we know that a sizeable proportion of Canadians don’t consent to these practices, does not constitute “obtaining permission” or “obtaining consent” as required under the PIPEDA.
We should note that a clear majority of respondents to our survey want companies to use opt-in approaches to consent to secondary marketing (as opposed to opt-out): 69% do not consider opt-out approaches, in general, to be acceptable methods of obtaining consent. This preference for opt-in approaches was clearly evident in focus group testing as well, even after participants were made aware of the costs of opt-in approaches both to companies and to themselves as consumers.
Opt-out approaches were considered acceptable only under certain conditions: that the opt-out provision is brought to the customer’s attention, that it is clearly worded and sufficiently detailed, and that it is easy to execute. As noted above, these conditions are not met in practice. (In fact, we have yet to identify an opt-out approach which meets all of these conditions.)
In conclusion, it is clear that the current business practice of deeming consumer consent to the collection, use and disclosure of personal data for secondary marketing purposes does not reflect actual consumer expectations or desires. It surely does not meet the legislative requirement under PIPEDA for the individual’s knowledge and consent to such data use and sharing.
We respectfully request confirmation from you that opt-out approaches to individual consent to the collection, use and/or disclosure of personal data for secondary marketing purposes meet the requirements of the PIPEDA only if they:

  • are brought to the attention of the individual,
  • are clearly worded,
  • provide sufficient detail for the consumer to make an informed choice, and
  • are easy to execute with minimal effort.

All of which is respectfully submitted,
original signed
Philippa Lawson
Counsel
cc: Bell Canada; Hudson’s Bay Co.; MBNA Canada Bank; Bank of Nova Scotia; AIR MILES
1 Copy attached. A copy of this report was sent to you earlier this year, as well.
2 We would be happy to discuss further with you the particular deficiencies of each company’s information practices.
3 See Bell Canada’s response to ARC et al’s question in the proceeding initiated by CRTC Public Notice 2001-60, regarding customer consent to sharing of customer data with affiliates, in TheCompanies(ARCetal)27Aug01-6.
4 Bell has app. 8.65 million residential network access lines.
5 App. 950,000 NAS.
 

Comments to CRTC on Reverse Directory Services – Reply comments

Canadian Radio-Television and Telecommunications Commission
Ottawa, Ontario
K1A 0N2
Attention: Ms. Ursula Menke, Secretary General
Dear Ms. Menke:
Re: Public Notice CRTC 2001-56: Reverse Search Directory Assistance
1. We are in receipt of comments from Bell et al, Telus, and SaskTel in this proceeding. The following reply comments are made on behalf of Action Réseau Consommateur, the Consumers’ Association of Canada, and the National Anti-Poverty Organization (“ARC et al”), in response to the above-noted public notice.
Reverse Directory Services are privacy invasive
2. Bell et al argue that reverse directory services are privacy enhancing, rather than privacy invasive. ARC et al appreciate the advantages that such services provide to persons who wish to discover the identity and/or address of callers or others for whom they have only a telephone number. However, to characterize such information retrieval as privacy-enhancing is to stretch the definition of privacy beyond its normal meaning. Moreover, it focuses entirely on the needs of the information-seeking party, while ignoring the needs of the party whose information is being sought from a third party without their knowledge.
3. Some individuals have legitimate needs to remain anonymous, or to keep their location confidential. Those seeking refuge from abusive relationships or stalkers clearly need to be able to control the availability of such information. Consumers seeking information on sensitive topics such as personal health advice may not want their identity or address made known to the agency they are consulting. Social workers and others who deal professionally with troubled persons may not want their home addresses publicly available. It is essential that such persons are able to maintain their privacy without extra effort or expense. Reverse directory services threaten to further erode the legitimate privacy needs of consumers.
4. For these reasons, ARC et al submit that the damage to privacy caused by reverse directory services outweighs the informational benefits of the services, such that the public interest is better served by limiting the availability of such services.
5. Should the Commission nevertheless continue to permit the provision of reverse directory services by regulated telephone companies, ARC et al submit at a minimum that:
Street address information should not be made available under any circumstances
6. Some telephone companies wish to make street addresses available via reverse directory services. ARC et al strongly oppose such a policy, on the grounds that it would unduly threaten the privacy and safety of subscribers, and is in any case unnecessary: those seeking detailed address information can and should obtain such information from the individual to which it pertains. No party to this proceeding has identified countervailing benefits of such information provision.
Reverse directory services should not be available for the purpose of compiling or updating telemarketing lists
7. ARC et al appreciate that reverse directory services as proposed by the telephone companies in this proceeding are targeted at individual subscribers, and would be neither economic nor practical for use by telemarketers to compile and update marketing lists. However, this may not always be the case. If the service is not intended to be used by telemarketers, ARC et al agree with Bell et al’s suggestion that any such service include a restriction that it is not available for the purpose of compiling or updating telemarketing lists.
Subscribers should be able to opt-out of reverse directory services
8. As stated in their earlier submission, ARC et al urge the Commission to ensure that subscribers are able to opt out conveniently of any reverse directory services, and are made aware of this right. There is no reason to treat reverse directory services any differently from other listing services in this respect.
9. ARC et al agree with Telus that consumer rights in this respect should be the same regardless of the company in question. Other directory publishers and operator service providers should be subject to the same rule requiring meaningful subscriber opt-out opportunities.
All of which is respectfully submitted,
Philippa Lawson
Counsel for ARC et al
cc: Interested parties, PN 01-56
 

Comments to CRTC on Reverse Directory Services – Initial comments

Canadian Radio-Television and Telecommunications Commission
Ottawa, Ontario
K1A 0N2
Attention: Ms. Ursula Menke, Secretary General
Dear Ms. Menke:
Re: Public Notice CRTC 2001-56: Reverse Search Directory Assistance
1. The following submission is made on behalf of Action Réseau Consommateur, the Consumers’ Association of Canada, and the National Anti-Poverty Organization (“ARC et al”), in response to the above-noted public notice.
2. As a preliminary matter, ARC et al submit that regulations governing the privacy of customer personal information, including reverse search directory assistance (“RSDA”), should be consistent across all telephone companies. As the Commission notes, privacy concerns are common to all telephone company customers. There is no reason to apply different standards of privacy protection to different telephone companies.
Application of the PIPED Act
3. The new federal privacy law, Personal Information Protection and Electronic Documents Act (“the PIPED Act”), now applies to telephone companies. It requires that companies obtain customer consent to the disclosure of that customer’s personal information. Personal information, under the PIPED Act, is defined as “information about an identifiable individual”, and hence includes published name, telephone number, and address – information that the Commission has treated as “non-confidential”. However, through its Regulations Specifying Publicly Available Information, the PIPED Act makes an exception to the requirement for consent for “personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory”. Hence, telephone companies are not restricted from offering RSDA under the PIPED Act.
4. While the Commission should ensure that its rulings are consistent with the PIPED Act, it must not fetter its discretion by treating the PIPED Act as the final answer on all matters to do with customer privacy. In exercising its obligations under the Telecommunications Act, the Commission must take into account many other relevant factors and policy objectives specific to the telecommunications industry and to telecommunications subscribers. Hence, the Commission is free to establish higher standards of privacy protection under the Telecommunications Act than are required under the PIPED Act.
5. It has also been pointed out that reverse search services are already available via the Internet and commercial publications. Hence, prohibiting or restricting telephone companies from offering this service will not solve the general problem of privacy invasion caused by the ability of marketers, stalkers and others to obtain personal information via a telephone number.
6. ARC et al appreciate this situation, but submit that it does not justify enhancing the potential for privacy invasions through the provision by telephone companies of a RSDA service.
7. The Public Notice poses two questions:
a) whether the provision of RSDA service by the telephone companies is appropriate in light of the objectives of the Telecommunications Act; and
b) if the provision of RSDA service by the telephone companies is appropriate, what common tariff conditions should exist for telephone companies under CRTC jurisdiction.

Is the provision of RSDA service appropriate?

8. One of the Canadian telecommunications policy objectives set out in section 7(i) of the Telecommunications Act is “to contribute to the protection of privacy of persons”.
9. The provision of reverse directory services is clearly invasive of privacy, and hence contrary to this objective. The more detailed the information provided via a reverse directory (e.g., street location vs. municipality), the more privacy-invasive the service.
10. However, invasions of privacy may be justified for public policy reasons, or where individual consent to the invasion has been obtained or can reasonably be implied.
11. ARC et al submit that there is no public policy rationale justifying the non-consensual provision of reverse directory services, given the obvious infringement to privacy that they pose. Hence, the provision of such services should be only with the individual’s consent.
12. Previous approaches to RSDA, including that of the PIPED Act, assume that once a person’s telephone number and address is published in a telephone directory indexed alphabetically by name, that person has implicitly consented to the re-indexing of this information by telephone number and to the consequent disclosure of their listed name and location to any third party for any purpose.
13. This reasoning is flawed for a number of reasons. First, customers who have consented to the publication of their name in the alphabetical telephone directory have not necessarily consented to the provision of their name and location to third parties upon the provision of a telephone number. There is a material difference between the disclosure of a published address and/or telephone number upon the provision of a name, and the disclosure of name and/or address upon the provision of a number. The former is a service commonly requested by and provided to individuals seeking to contact other individuals whose names they know. The latter is a service with little value to the ordinary citizen/consumer – rather, it is likely to be used primarily by commercial entities seeking to collect name and address information for unsolicited marketing or other privacy-invasive purposes.
14. Second, while it is true that unlisted service is available to subscribers who wish to avoid the publication of this information, unlisted service is only available for a fee (a recurring monthly rate of up to $2/month). Hence, many lower-income subscribers who would like to take this service do not, for affordability reasons. Moreover, unlisted service provides no alternative for those subscribers who wish to be listed in the regular directory, but who do not wish to have their names or locations provided via RSDA. Unlisted service is therefore neither a fair nor a realistic alternative for most consumers. The Commission must ensure that privacy can be achieved by all subscribers, not just those with high disposable incomes or extensive privacy needs.
15. For all these reasons, ARC et al submit that the provision of RSDA services by telephone companies without the individual’s consent is inappropriate in light of Telecommunications Act objectives.
16. ARC et al note that a previous application by Telus for reverse directory services that would have provided listed address as well as name upon provision of a telephone number was denied by the Commission, on the grounds that the provision of specific address information was too privacy-invasive. ARC et al agree that Bell’s proposed service is significantly less privacy-invasive insofar as it does not provide specific address information, and does not even make this information available via the RSDA to operators. Nevertheless, ARC et al submit that the provision of name and location via RSDA should be subject to individual subscriber consent.
What conditions should be placed on RSDA services?
17. While Bell Canada does not propose any measures to ensure that RSDA listings are consensual, it is noteworthy that Bell permits its subscribers to opt out of its Internet-based Canada 411 listings, along with other disclosures of customer listing information (see p. 29 of the Bell Canada English Telephone Directory). The only significant difference between the proposed RSDA and Canada 411 is that users must pay for the former. While this charge will likely limit use of the proposed service, it does not justify the failure to offer a free opt-out. Consumers must at a minimum be able to opt out of a reverse directory service for free, the way they can for Canada 411.
18. Moreover, ARC et al submit that, for the RSDA service to be compatible with subscriber privacy under the Telecommunications Act, there must be an opt-out process that is effectively brought to the consumer’s attention before the subscriber’s name is provided via a reverse directory service, as well as regularly after the fact. In other words, there must be a much more effective opt-out than is currently provided by Bell Canada in respect of Canada 411 listings, for example. All opt-outs should be effected (i.e., the listing removed from the directory) within a short period (e.g., 48 hours) of the request. In this respect, ARC et al propose that the opt-out option be brought to subscribers’ attention annually via the monthly bill and/or bill inserts, as well as via the print directory and the Companies’ privacy policies.
All of which is respectfully submitted,
Philippa Lawson
Counsel for ARC et al
cc: Interested parties, PN 01-56

Consumer Reporting Practices

Letter to Privacy Commissioner Regarding Consumer Reporting Practices

George Radwanski
Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3
Dear Mr. Radwanski,
Please find enclosed PIAC’s report, Consumer Reporting and Privacy: The Need for Better Consumer Protection. The main finding of the report is that the new Personal Information Protection and Electronic Documents Act has the potential to bring much needed improvements in privacy protection to the consumer reporting system. However, some vigilance will be required to ensure that these improvements actually occur.
In particular, we would like to draw your attention to two subjects we discuss in the report:
1. Credit Scores: We found that consumer reporting agencies and financial institutions compute scores based on consumers’ financial and demographic information. Yet, the existence of such scores, and the scores themselves, are kept secret from consumers. We feel that consumers should be informed about the use of their personal information to compute these scores, and that consumers should be given access to scores about themselves upon request.
2. Consent Forms: We found that the forms in which consumers give their consent to having their personal information disclosed to consumer reporting agencies, and used by these agencies to create dossiers on them, did not clearly explain these uses and disclosures or the purposes for them. We feel that consumers should be fully informed about how their information is used and disclosed in the consumer reporting system.
We hope that you will conduct a full investigation of consumer reporting practices in the financial sector in light of the fact that the Personal Information Protection Act will apply to both consumer reporting agencies and major creditors on January 1.
Please feel free to contact me should you have any questions or comments on this matter.
Yours sincerely,
Angie Barrados
Researcher

A Consultation Paper: Proposed Ontario Privacy Act

Comments on A Consultation Paper: Proposed Ontario Privacy Act

From:
Public Interest Advocacy Centre
1204 – 1 Nicholas Street
Ottawa, Ontario
K1N 7B7
www.piac.ca
Contact:
Angie Barrados, barrados@web.ca
or
Philippa Lawson, pippa@web.ca

Question 1

We agree that the proposed Privacy Act should include rules on whether minors can give consent and that 13 is a reasonable age to be considered able to give this type of consent. The Canadian Marketing Association (CMA) Code of Ethics is a good model to follow on this issue. The CMA Code considers someone under 13 to be a child, but also specifies that CMA members should use “discretion and sensitivity” in marketing to young people (people between the ages of 13 and 19) “to address the age, knowledge, sophistication and maturity of this audience”.
We recommend that there be some limitations on the collection of information from young people (ages 13 – 19) for marketing purposes. As the discussion paper notes, the collection of personal information in the private sector has become more and more intensive, for the purposes of both targeting promotions and providing personalized services. In many instances, an incentive will be offered to disclose personal information, which presents a trade-off between privacy and other benefits. Young people may not be equipped to fully assess this type of trade-off. Therefore, young people should not be subject to offers of benefits in exchange for permission to build up a profile about them. For instance, unlimited Internet service should not be offered to a fourteen-year-old in exchange for creating a profile of her Internet use.
Also, we recommend that there be some safeguards in place to protect vulnerable adults. The legislation should specify that contracts with consumers that involve building up a profile about them should allow a consumer to withdraw from the contract without penalties. For instance, if a consumer wishes to withdraw from a loyalty program, they should be able to do so, as well as withdraw their consent to having the information already collected being used, without having to pay the organization any compensation.

Question 2

The Act should allow for the indirect collection of personal information only in circumstances where consent can reasonably be implied.

Question 3

We agree that the Act should limit the use of “opt-out” consent. As the discussion paper suggests, an “opt-out” is meaningful only if it is clearly worded, brought to the attention of the consumer, and made with full information as to the implications of the choice. We therefore recommend that the Act specify the following requirements for valid consent via “opt-out” provisions:

  • The opt-out option should be clearly worded, and should explain the implications of the choice which the consumer is being asked to make.
  • The opt-out consent should be separate and distinct from any other consents given by the consumer or agreements made by the consumer.
  • The consumer’s attention should be directed to the opt-out option, either verbally or via large, bold type in a written document.
  • Opting out should require no extra effort on the part of the consumer. For instance, the consumer should not be required to make a separate telephone call or a separate written request in order to opt out. It should be no more difficult for the consumer to exercise the opt out choice than it is for him or her to exercise the converse choice, which involves consenting to the collection of the information.
  • In the case of ongoing customer relationships (e.g., telephone service), the opt-out option should be offered to existing customers who have not chosen to opt-out at regular intervals, and at least every two years.

Question 4

We agree that the Act should allow for implied consent in limited circumstances. The approach to this issue outlined in the discussion paper is sound. The key point is that consent should only be implied for uses of information that relate to the primary purpose for which the information was collected, and for uses that a person would reasonably expect in the circumstances.

Question 5

We agree that the Act should require organizations to explain their security safeguards. As the discussion paper suggests, it is important that information security is not compromised by requiring overly specific information. On the other hand, enough information should be available for consumers to be able to understand generally the security safeguards, and to compare the safeguards offered by different organizations.
5A Openness Principle
Although Question 5 did not ask about the proposal that the legislation not adopt the CSA Code’s Openness Principle, we would like to make some comments on this subject. The discussion paper suggests that an organization’s privacy practices will be made clear by requiring an explanation of security safeguards, and by requiring disclosure to individuals of the sources of its personal information and the organizations to which it has disclosed personal information. In our view, this proposal lacks important consumer safeguards that are provided by the CSA Code’s Openness Principle.
There are many instances in which individuals will have an interest in knowing about the more general information management policies and practices of an organization, in addition to the specific information about them that the organization holds. Individuals should have a legal right to such information, and organizations should be legally obliged to disclose such information upon request.
For example, individuals have the right under the Consumer Reporting Act to inspect their own credit reports and thereby to find out what information it contains and with what organizations it has been shared. Yet these disclosures do not answer many other important and legitimate questions the consumer may have relating to the privacy of their credit information, such as:

  • What types of organizations may obtain access to my credit report in the future?
  • What type of information does the credit reporting agency intend to collect about me in the future?
  • Can I consent to having my credit report disclosed without having my SIN disclosed?
  • Is my husband’s credit report linked to my own, or not?

In fact, to truly be able to assess whether it is in their interest to allow certain information to be shared with credit reporting agencies, or allow their credit report to be shared, consumers need to know how the credit reporting system works. Without knowledge of the ground rules, consumers cannot fully appreciate the implications of either giving or withholding consent, and hence, their right to withhold consent is significantly less meaningful. As long as the data protection regime is based on the concept of individual knowledge and consent, openness is an absolutely critical piece of the puzzle.
The discussion paper seeks to regulate outcomes rather than processes. Requiring organizations to draft policies can be viewed as a process, but requiring certain key disclosures about their practices is surely an outcome, not merely a process. It is unrealistic to assume that organizations will make such disclosures of their own accord. Credit reporting agencies, for example, do not publish information that answers the four questions enumerated above, and are not willing to give complete answers upon request. It is even harder to obtain information about data protection practices from some other organizations that deal with personal information(1).
Without the disclosure of information that follows from the Openness and Accountability principles of the CSA Code, public scrutiny of organization practices will be considerably more difficult. In the area of privacy, public scrutiny is particularly important because privacy invasions by their very nature occur largely without the knowledge of affected individuals and are difficult to detect. Public scrutiny is essential in order to encourage compliance with privacy laws and to facilitate their enforcement.
The Openness Principle serves an important purpose within the CSA Code. Without it, the consumers’ consent is considerably less informed, and thus less meaningful. Without statutory requirements for openness, the Ontario legislation will be significantly weaker than the CSA Code and Bill C-6. Indeed, it may not meet the “substantially similar” requirement of Bill C-6.

Question 6

The accuracy of personal information should be subject to an additional statutory requirement reflecting the CSA Code’s requirement that information be as accurate as necessary for the purposes for which it will be used. Such a statutory requirement is important because it places a responsibility on the organization to devote an appropriate level of resources to ensuring the accuracy of its databases. For organizations holding large databases, the extent to which the data is accurate is directly proportional to the amount of routine data checking and verifying. Under the government’s proposed approach, the regulator would not be able to compel an organization to improve its database accuracy, even if the organization was clearly not devoting enough attention to maintaining an accurate database. The legislation need not instruct organizations on how to achieve ongoing accuracy, but it should require a certain level of accuracy as an outcome of the organization’s information management practices.

Question 7

Yes, the Act should require contractual safeguards when personal information is sent to another jurisdiction. In addition, it should be clear that consent is required for such inter-jurisdictional disclosures. This is important given the difference in informational privacy rights among different jurisdictions.

Question 8

Yes, the proposal for transition is appropriate, although it should take into account that organizations subject to the federal legislation should be ready to comply with it in January 2001, and thus would not need the year-long transition period to comply with the Ontario legislation.

Question 9

We agree that clear, workable rules are desirable. We also agree that some “process” (vs. outcome) requirements of the CSA Code, such as the requirement for staff training, need not be included in legislation. However, we feel strongly that substantive, outcome-oriented aspects of the Accountability, Openness and Accuracy Principles in the CSA Code should be included. Two specific concerns we have in this regard are:

  • that the proposed approach does not provide consumers with the ability to obtain enough information about an organization’s practices to make meaningful choices about whether to consent to the collection, use and disclosure of their personal information; and
  • that the proposed approach does not protect consumers from organizations that do not take reasonable measures to ensure the accuracy of their databases.

Question 10

Sectoral codes must not be allowed to dilute legislated standards nor to weaken existing processes for enforcement and consumer redress. On the other hand, properly constructed sectoral codes can achieve even more effective regulation than general cross-sectoral legislation. It is important in this respect to appreciate that the proposed sectoral code approach will require additional effort to ensure that the legislated standards are being met, and that consumers are not being short-changed as a result of less rigorous or more permissive sectoral codes. In order to achieve effective regulation via sectoral codes, it is essential that:

  • the standards set out in sectoral codes be no lower than those set out in the general statute;
  • consumers continue to have access to the same legislative protections and processes that they would otherwise have (i.e., the codes should be enforceable in the same way as the principles set out in the legislation);
  • the sector be defined as clearly as possible, and there must be a clear and simple method of determining which codes apply to which organizations;
  • the regulatory process for developing such codes include:
    • an open, transparent process that involves equal representation of industry and non-industry stakeholders;
    • participant funding to allow non-industry stakeholders to participate effectively in the process; and
    • rigorous advance notice to the public of the code approval process and an opportunity for public input;
  • once approved under the legislation, codes be easily accessible by the public; and
  • there be follow-up public education and awareness programs.

The example of credit reporting illustrates both the potential advantages and the potential pitfalls of the sectoral code approach. On one hand, it makes sense to apply more detailed rules (such as those contained in the Consumer Reporting Act) to credit reporting agencies, since credit reporting involves complex transactions of personal information as well as technical issues specific to that industry. On the other hand, a major player within the credit reporting industry is aggressively seeking to be exempted from general data protection legislation. A process to develop a sectoral code would clearly present an opportunity for this industry to pursue lower standards of data protection than required by the general legislation, and to avoid addressing the many privacy concerns raised by the industry’s current operations(2). Developing a fair sectoral code consistent with the protections set out in general data protection legislation will be a major challenge in the case of credit reporting.

Question 11

Generally, the exemptions and exceptions to the proposed Act are reasonable, but we do have concerns in three areas:
Private Enforcement of Contractual Rights:
While we agree that certain contractual enforcement activities involving the collection, use or disclosure of personal information should not be impeded by data protection legislation, it is important that this exemption is not overly broad. Private enforcement of contractual rights should not be an excuse for unnecessary uses or disclosures of personal information. In particular, creditors and collection agencies should not be permitted to use or disclose any personal information collected in the course of debt collection for secondary purposes (i.e., purposes other than collecting the specific debt). This would include disclosure to credit bureaus, since such disclosure is not necessary for the purpose of collecting the debt.
In order for interested persons to respond fully to this proposal, the government should list examples of exemptions that would fall under this provision.
Public Domain Information:
We strongly oppose a broad exemption for “public domain information”. Indeed, this is one area in which we consider current practices of the Ontario government and Ontario municipalities, while permitted under the Freedom of Information and Protection of Privacy Acts, to be in clear violation of fundamental privacy principles. Specifically, we strongly object to the disclosure by governments of public registry data to third parties for marketing or other secondary purposes. Section 27 of the Municipal Freedom of Information and Protection of Privacy Act and section 37 of the Freedom of Information and Protection of Privacy Act exempt “personal information that is maintained for the purpose of creating a record that is available to the general public” from the full set of provisions protecting individual privacy in those statutes.
This exemption is overly broad; it fails to recognize that just because a record is publicly available does not mean that it should be “fair game” for anyone seeking to use the information for any purpose. In fact, most, if not all, of the registries in question were created and made publicly available at a time when the information therein could not be easily compiled, manipulated, sold, and used for commercial purposes. Times have changed. With the advent of computers and information technology, it is possible for entire databases to be transferred at the click of a mouse. No longer do researchers have to pore over handwritten records in chronological order to find what they are seeking; a simple keyword search will pull up the entry in seconds.
The implications for public registries of this transformation are enormous. Suddenly, the mere fact of technological capability has changed the meaning of “publicly available”. It is up to our lawmakers to ensure that the original intention of making such registries publicly available is identified and achieved, but not broadened. In particular, the Ontario government should take this opportunity to limit the use and disclosure of information in public registries; secondary purposes such as products marketing should not be permitted.
At a minimum, the Ontario government’s exemption for “public domain information” should be consistent with the federal government’s regulation on the same topic, to be finalized later this year.
Statutory Authorization:
The proposed exemption for collection, use or disclosure authorized by another law is deficient, and clearly does not meet the standard set by the federal legislation, which exempts disclosures only where “required by law” (subs. 7(3)(i)). Simply because another statute authorizes certain collection, use, or disclosure of personal information does not mean that such collection, use or disclosure is appropriate in the circumstances. If data protection rights (i.e., to knowledge and consent) are to be meaningful, they must not be so easily overridden. Individuals deserve to be notified and given an opportunity to refuse the collection, use or disclosure of their personal information whether or not such activities are authorized by statute. Indeed, data protection rights should take precedence in all cases of statutory authorization. Only where another statute requires collection, use, or disclosure should the requirement for knowledge and consent be lifted.
This is an important area in which the proposed approach falls short of the federal legislation, and thus where the Ontario government risks failing to achieve substantial similarity with the federal statute.

Question 12: Enforcement Regime

We view as one of the weaknesses of the federal data protection legislation its requirement that any legal enforcement be accomplished via the court system. This is a problem for individual consumers because court actions are too costly for the vast majority of complainants in privacy cases. It will be the very rare individual who deems it worthwhile to pursue a privacy invasion in court, especially where no measurable damages have occurred. Thus, enforcement of the law will be weak. For this reason, we support a legislative framework which includes the ability of government authorities to make binding orders, non-compliance with which is both punishable by fines and/or other penalties, and actionable either by the state or by the affected individual.
A key provision for compliance and enforcement purposes is that empowering the oversight agency to publicize its findings. An essential corollary to this power is statutory protection from liability for any such public statements or disclosures. Publicity can be the most potent tool of enforcement, at least with respect to businesses who deal with the public or who operate in the public eye. Some businesses dealing with personal information, however, are not well-known by the general public and do not deal with consumers directly. Publicity may not be such a powerful tool in respect of their non-compliance. Hence, publicity should be considered as just one of many available enforcement tools.
Question 12 asks specifically about the desirability of an administrative appeals process. It seems to be suggesting an appeals mechanism for corporate defendants in enforcement actions. If such an appeal process is put in place, it should be available to both complainants and respondents. Given that most such appeals are likely to be taken by respondents, however, the value of it for complainants is likely to be minimal. Indeed, there is a risk that such an administrative tribunal would become “captured” by the industry it is meant to regulate, an unfortunate reality with which administrative lawyers have been grappling for years. The easiest way to avoid such a result is simply not to create the tribunal in the first place, and to rely instead upon the court system. If a tribunal is established, it should be staffed not by political appointees but rather by Ontario Court judges, or at least by legally trained persons familiar with concepts of due process as well as privacy rights.

Question 13

We agree with the proposals on enforcement powers, but would emphasize that the results of the enforcement agency’s activities should in all cases be made public. Mediation reports, compliance orders and assurances of voluntary compliance should be published, and done so in a manner that is easily accessible to the public. Such publication of enforcement activities will ensure that:

  • consumers have access to important information about the organizations they deal with;
  • the enforcement agency will be publicly accountable, and thus held to a high standard of performance; and
  • other organizations will see that government is serious about enforcing the legislation, which will in turn encourage compliance.

The enforcement agency should have the mandate to investigate all privacy issues under its jurisdiction which come to its attention. As mentioned above, privacy invasions occur in secret and are difficult to detect. The nature of privacy makes it likely that a complaint is just the “tip of the iceberg” in terms of a privacy issue. The enforcement agency should not be limited to addressing the specific complaint, but should also have the power to investigate further issues arising from the complaint.
Also, the enforcement agency should be able to initiate investigations in the absence of a formal complaint if it has any reasonable grounds to suspect non-compliance. We were appalled to discover recently that unregistered consumer reporting agencies (tenant blacklists) were operating openly in Ontario. These agencies had been openly advertised in the Yellow Pages under “credit reporting agencies” for several years, yet no-one tasked with enforcing the Consumer Reporting Act had noticed this flagrant violation of the law. This example shows that a complaints-based investigative power is not enough, and that the oversight agency itself needs the power to conduct proactive monitoring and enforcement activities.
There also needs to be a serious commitment by the government to ensuring strong enforcement of the legislation, if the consumer protection contained in it is to be meaningful. In our report on the consumer reporting industry(3), we raise serious concerns about the Ontario government’s apparently weak enforcement of its Consumer Reporting Act, including the facts that:

  • Most consumers do not know that the Ministry of Consumer and Commercial Relations takes complaints about credit reporting agencies. There is little effort to raise consumer awareness of this, and, in fact, current practices at the Ministry make it difficult for consumers to reach the appropriate official.
  • There is little public accountability in respect of the government’s enforcement of the Consumer Reporting Act. We were forced to make a Freedom of Information request to get basic information about the government’s investigations of consumer reporting agencies.
  • A tenant blacklist was found to be operating in flagrant violation of the laws of Ontario, yet the responsible government authority made no investigation of its database to ensure that the information it contained had not been collected and/or disclosed illegally.

Clearly, the proposed Ontario Privacy Act needs to improve significantly upon the current Ontario Consumer Reporting Act in respect of enforcement.
1. Recently, in the course of a research project we contacted 40 companies that had good privacy policies. Of these, only 11 agreed to answer questions about their practices for our research project.
2. For more information about the privacy concerns raised by the consumer reporting sector, please refer to PIAC’s forthcoming report, Protecting Consumers’ Privacy in the Consumer Reporting System that will be available shortly.

Letter to Minister Anne McLellan regarding the Privacy Act review

The Honourable Anne McLellan P.C., M.P.
Minister of Justice and Attorney General of Canada
284 Wellington Street
Ottawa, Ontario K1A 0H8
Dear Minister McLellan,
We are writing to applaud your recent commitment to review the federal Privacy Act, and urge you to ensure that the review is a thorough one.
Like many Canadians, we were dismayed to find out that Human Resources Development Canada (HRDC) was keeping a database like the Longitudinal Labour Force File (LLFF). We were pleased that the Minister of Human Resources and Development responded quickly to the deep public concern about the LLFF by announcing that it would be dismantled, and that better information management practices would be introduced in HRDC. The Minister of Human Resources and Development’s commitments address data protection in the context of HRDC’s social and labour market policy research, but a greater problem remains, which is that the federal Privacy Act actually permitted a database like LLFF to be amassed with little internal government oversight or clear disclosure of its existence to the public.
The LLFF controversy has shown that the Privacy Act needs to be strengthened to better protect consumers’ privacy rights. In particular, limitations on data matching need to be clarified and included in the Privacy Act. Also of great concern is the legal uncertainty about whether citizens’ rights as set out in the Act apply in the context of all federal government activities, or whether these rights can be infringed upon when permitted by other federal legislation.
The recent passage of the Protection of Personal Information and Electronic Documents Act was a great step forward for privacy protection in Canada. Now it is important to ensure that a similar standard of privacy protection is in place in the federal public sector. We urge you to undertake the Privacy Act review without delay, and to take seriously the results of the Privacy Commissioner’s review of the Act and his comprehensive recommendations on its amendment.
Yours sincerely,
Michael Janigan
Executive Director/
General Counsel
cc:
The Honourable John Manley, Minister of Industry
The Honourable Jane Stewart, Minister of Human Resources and Development
Bruce Phillips, Privacy Commissioner