Telecom Decision CRTC 2003-33

Ottawa, 30 May 2003

See also: 2003-33-1

Confidentiality provisions of Canadian carriers

Reference: 8665-C12-14/01 and 8665-B20-01/00

In this decision, the Commission finds that implied consent is not an appropriate type of consent for the disclosure of confidential customer information. The Commission does, however, find it appropriate to provide for other forms of express consent beyond the current written consent requirement. Additionally, the Commission directs all Canadian carriers to show cause why, as a condition of providing service to all resellers not currently covered by confidentiality requirements, they should not include in their service contracts with such resellers the requirement that these resellers abide by the same confidentiality requirements as the carriers.

Introduction

1. One of the objectives of Canadian telecommunications policy is to contribute to the protection of the privacy of persons, as set out in section 7 i) of the Telecommunications Act.Canadian carriers, with the exception of providers of mobile wireless services that are not switched, such as paging providers, are currently required to comply with the confidentiality provisions first set out in Review of the general regulations of the federally regulated terrestrial telecommunications common carriers, Telecom Decision CRTC 86-7, 26 March 1986 (Decision 86-7) as amended by Telecom Order CRTC 86-593, 22 September 1986 and, in the case of all local exchange carriers, as further amended by Provision of subscribers' telecommunications service provider identification information to law enforcement agencies, Order CRTC 2001-279, 30 March 2001 (Order 2001-279) as amended by Provision of subscribers' telecommunications service provider identification to law enforcement agencies, Telecom Decision CRTC 2002-21, 12 April 2002, (Decision 2002-21) (together, the confidentiality provisions). In Decision 86-7, the Commission determined that, unless disclosure is pursuant to a legal power, Canadian carriers could not disclose any customer information to any person other than the customer, without the written consent of the customer, except for the customer's name, address and listed telephone number. The only circumstances in which such consent was not required were those in which the information was provided to:

• a person who, in the reasonable judgement of the Canadian carrier, is seeking the information as an agent of the customer;
• another telephone company, provided the information is required for the efficient and cost-effective provision of telephone service and disclosure is made on a confidential basis with the information to be used only for that purpose;
• a company involved in supplying to the customer telephone or telephone directory related services, provided that the information is required for that purpose and disclosure is made on a confidential basis with the information to be used only for that purpose; or
• an agent retained by the Canadian carrier in the collection of the customer's account, provided the information is required for and is to be used only for, that purpose.

2. In Order 2001-279, as amended by Decision 2002-21, the Commission provided for release, by the local exchange carrier to a law enforcement agency, in accordance with the terms of a tariff approved by the CRTC, of the identity of the service provider, but not the name of the customer, associated with a specific telephone number.

3. The confidentiality provisions are included in the terms of service of the incumbent local exchange carriers (ILECs) for tariffed telecommunications services and, generally, in contracts between Canadian carriers and their customers for forborne telecommunications services. Since 1987, the Commission has imposed the confidentiality provisions when it has exercised its forbearance power with respect to services of Canadian carriers, except in the case of wireless services that are not publicly switched.

4. On 15 November 2000, Bell Canada, Bell Mobility, Bell Nexxia, Island Telecom Inc., Maritime Tel & Tel Limited, MT&T Mobility, Incorporated, MTS Communications Inc., NBTel Inc., NewTel Communications Inc. and NewTel Mobility Limited (collectively Bell Canada et al.) filed an application pursuant to Part VII of the CRTC Telecommunications Rules of Procedure,seeking revisions to their confidentiality provisions.

5. Bell Canada et al. requested increased flexibility in the manner in which they could obtain consent from its customers for disclosure of confidential customer information to affiliates¹. Specifically, Bell Canada et al. proposed that they be allowed to disclose confidential customer information to their affiliates based on implied consent. Bell Canada et al. submitted that their proposal was consistent with the Personal Information Protection and Electronic Documents Act (PIPED Act). Bell Canada et al. also requested that disclosure to non-affiliates be allowed with express customer consent, but that written consent not be the only means of express consent.

6. In response to the application, the Commission received interventions from TELUS Communications Inc. (TCI) and AXXENT Corp. (AXXENT) in conjunction with AT&T Canada Ltd. (AXXENT et al.). TCI supported the proposed changes and requested that the Commission amend TCI's own General Terms of Service in the same manner as requested by Bell Canada et al. AXXENT et al. submitted that the issue should be subject to a broader public review due to the importance of the issue to all carriers.

7. In light of the public significance of the issues raised by Bell Canada et al. in its Part VII application, the Commission issued CRTC seeks public input on the confidentiality provisions of Canadian carriers, Public Notice CRTC 2001-60, 29 May 2001 (Public Notice 2001-60) that initiated a proceeding which examined the current restriction on Canadian carriers' disclosure of confidential customer information. In Public Notice 2001-60, the Commission raised a number of issues in order to help it identify what type of consent should be sufficient to allow a Canadian carrier to disclose confidential customer information to its affiliates. Subsequently, the Commission issued CRTC seeks public input on the confidentiality provisions of Canadian carriers, Public Notice CRTC 2001-60-1, 31 May 2001 (Public Notice 2001-60-1), a corrected version of Public Notice 2001-60. The Commission made all Canadian carriers parties to the proceeding and placed on the record of the proceeding initiated by Public Notice 2001-60-1 the Part VII application made by Bell Canada et al., as well as the interventions received in response to that application.

8. The Commission received submissions from the following parties: AT&T Canada Corp., on behalf of itself and AT&T Canada Telecom Services (collectively AT&T Canada), AXXENT on its behalf and on behalf of AT&T Canada Corp., Call-Net Enterprises Inc., on behalf of itself and its wholly-owned subsidiaries (collectively Call-Net), Bell Canada et al. and Northern Telephone, NorTel Mobility, Northwestel Inc., Northwestel Mobility Inc., Saskatchewan Telecommunications, Télébec ltée and Télébec Mobilité (collectively the Companies), the Consumers' Association of Canada, National Anti-Poverty Organization and l'Union des consommateurs (formerly known as Action Réseau Consommateur) (collectively the Consumer Groups), the Canadian Wireless Telecommunications Association (CWTA), the Information and Privacy Commissioner of Ontario (IPC Ontario), Microcell Telecommunications Inc. on behalf of Microcell Connexions Inc. and Microcell Solutions Inc. (collectively Microcell), Mr. Murray Long, Rogers Communications Inc. on behalf of The Rogers Group of Companies which include Rogers Broadcasting Limited, Rogers Cable Inc. and Rogers Wireless Inc. (collectively RCI) and TELUS Corporation, on behalf of TELUS Communications Inc. and its affiliates including TELUS Mobility (collectively TCI).

9. In addition, although it did not participate actively in the proceeding, The British Columbia Public Interest Advocacy Centre, on behalf of the BC Old Age Pensioners' Organization, the Consumers' Association of Canada (BC Branch), the Council of Senior Citizens' Organizations of BC, federated anti-poverty groups of BC, the Senior Citizens' Association of BC, the West End Seniors' Network, End Legislated Poverty, the Tenants Rights Action Coalition and the Information Policy Committee - B.C. Library Association wrote to indicate their support of the submissions made by the Consumer Groups.

10. In part I of this decision, the Commission addresses whether it is appropriate to permit implied consent for the disclosure of confidential information to affiliates. In part II of this decision, the Commission addresses appropriate forms of express consent. Finally, in part III of this decision, the Commission addresses other issues that were raised in this proceeding.

Part I - Implied consent

Positions of the parties

11. The Companies submitted that the type of consent required should be proportionate to the sensitivity of the information, the type of relationship between the customer and the company, and the nature of the transaction. They argued that implied consent should generally be sufficient for disclosure of confidential customer information to affiliates. The Companies argued that when a customer subscribed to a service or purchased a product from either themselves or one of their affiliates, consent to disclosure of confidential customer information to affiliates for marketing and other identified business purposes could be implied. The Companies submitted that customers expected the sharing of personal information among common-branded companies that provided a range of related communications services. The Companies also argued that express consent would always be needed for disclosure of confidential customer information to non-affiliates.

12. The Companies submitted that, with the exception of credit information, the vast majority of customer information likely to be shared with their affiliates was not particularly sensitive. The Companies indicated that a customer's address and contact information and the fact that a given customer also subscribed to a service provided by a sister or parent company were the type of information they proposed to share with their affiliates.

13. The Companies stated that information with greater sensitivity would be treated with a higher level of care, in accordance with the PIPED Act. They also argued that their internal privacy codes would provide appropriate protection to their customers.

14. The Companies also argued that they needed greater flexibility in disclosing confidential customer information to their affiliates because the existing confidentiality provisions disadvantaged them compared to other telecommunications service providers such as resellers, stand-alone Internet service providers and even broadcast distribution undertakings (BDUs) that are not subject to the confidentiality provisions.

15. TCI and RCI supported the Companies' submission that implied consent would be the appropriate form of consent for disclosure of confidential customer information to affiliates, considering that customers perceived corporate groups as single entities and expected corporate groups to share personal information. They added that, under the Companies' proposal, customers would be made aware of the organizations' privacy policies and could easily exercise an opt-out option.

16. The Consumer Groups submitted that express consent should be mandatory for the disclosure of confidential customer information to affiliates, except where the disclosure was necessary for the service requested by the customer and where such sharing would be reasonably expected in the circumstances. The Consumers Group submitted, in this regard, that the sensitivity of customer information varied from individual to individual and from context to context.

17. The Consumer Groups argued against the Companies' assertion that customers expected their confidential customer information to be shared among affiliates with their implied consent. The Consumer Groups placed a copy of a market research survey carried out by Ekos Research Associates Inc. on the public record of this proceeding. The Consumer Groups claimed that, contrary to the Companies' assertion, the survey demonstrated that a significant proportion (84%) of Canadians neither expected nor wanted such sharing of their data.

18. The IPC Ontario submitted that Canadian carriers should only be permitted to disclose confidential customer information to an affiliated company with the express consent of the customer unless the personal information was clearly not sensitive and a reasonable person would consider the sharing of this information among affiliated companies to be appropriate in the circumstances. The IPC Ontario submitted that, in that case, implied consent might be appropriate.

19. Mr. Long submitted that the form of consent must generally match the sensitivity of the data. He stated that the type of consent could only be determined upon knowing exactly what information the telephone companies intended to share with their affiliates.

20. Mr. Long noted that the Canadian Standards Association Privacy Code (the CSA Code) advocated the use of express consent whenever the information was likely to be considered sensitive and the use of implied consent when the information was not of a sensitive nature. He pointed out that since the CSA Code did not include any further guidance on defining what was sensitive personal information, other than reference to medical and financial records, organizations must develop and apply their own normative standards of data sensitivity. Mr. Long submitted that when there was doubt about the sensitivity of the information in question, express consent should be the default mode.

21. Mr. Long argued that, if implied consent was allowed for less sensitive data, certain conditions should be in place. Mr. Long submitted that, for instance, for previously collected information, customers should be afforded a fair and reasonable opportunity to exercise their right to opt-out and a reasonable time period of at least three months to exercise such a right. Mr. Long also argued that previously collected information should not be disclosed without adequately informing customers through an information campaign consisting of billing inserts, white pages information, web site information, a privacy hotline and brochures or other information resources. Mr. Long stated, lastly, that customers should have an ongoing right to withdraw consent from such information sharing. Where new customer personal information is collected, Mr. Long stressed that the opt-out opportunity must be immediately offered to customers and be continuously available.

22. AT&T Canada, CWTA and Microcell all shared the view that implied consent might be appropriate, but not in all circumstances, depending on the customer's reasonable expectations.

The Commission's determinations

23. The Commission notes that the PIPED Act sets out regulations and standards relating to the privacy of personal information. However, the Commission also notes that its jurisdiction in this matter stems not from the PIPED Act, but from the Telecommunications Act, and that in exercising its discretionary powers pursuant to the Telecommunications Act, it may apply different standards than those contemplated by the PIPED Act.

24. The confidentiality provisions, which protect the confidentiality of customer information, are incorporated in the tariffs of the ILECs and imposed on Canadian carriers in respect of services (except for non-public-switched wireless services) from which the Commission has forborne. The Commission considers that these provisions are even more relevant today than when they were first implemented, due to the advent of new technologies and the emergence of electronic commerce, which allow information to be easily processed, re-arranged and exchanged.

25. In the Commission's view, implied consent for the disclosure of confidential customer information to affiliates, as proposed by the Companies, is inappropriate, for three reasons. First, customers, under the Companies' proposal, might be unaware that their confidential information, such as billing information, could be disclosed to affiliates. Second, customers might not be aware of all of a Canadian carrier's affiliates, and therefore, would not necessarily be aware of the affiliates to whom their information would be disclosed. Third, the onus of protecting the confidentiality of customer information would be inappropriately shifted from carrier to customer who would need to contact his/her carrier to exercise the opt-out option.

26. In balancing the objectives of the Telecommunications Act, the Commission does not consider that either the Companies or those parties who supported the Companies' proposals for implied consent have demonstrated that their interest in lowering the consent threshold outweighs the interests of customers in retaining control over disclosure of their confidential information.

27. In light of the above, the Commission finds that implied consent for the disclosure of confidential customer information to affiliates would not provide sufficient privacy protection to customers.

28. As for the Companies' suggestion that the existing rules disadvantage them compared to other telecommunications providers that are not subject to the confidentiality provisions, the Commission notes that the confidentiality provisions apply equally to all Canadian carriers, which would include BDUs that offer telecommunications services as Canadian carriers within the meaning of the Telecommunications Act, except in respect of wireless services that are not public switched wireless services. The Commission also notes that, in general, resellers, including stand-alone Internet service providers, are held to the confidentiality provisions through contracts with Canadian carriers for the use of the carriers' services. The Commission notes, further, that nothing precludes a group of affiliated Canadian carriers from organizing to provide all its telecommunications services via a single Canadian carrier, thus eliminating the issue of whether customer confidential information may be disclosed to its affiliates.

29. In light of the above, the Commission finds that where consent is required, express consent remains the appropriate type of consent for the disclosure of confidential customer information to affiliates.

Part II - Forms of express customer consent

Positions of the parties

30. All parties, including the Consumer Groups, IPC Ontario and Mr. Long agreed that written consent was not always required for obtaining express customer consent. IPC Ontario argued that what was important was not that express consent be obtained in writing, but rather that there be a written record of any express consent. Mr. Long submitted that to require written consent under all circumstances was out of step with marketplace realities, and that Canadian carriers required more flexibility in the mode of consent sought.

31. AT&T Canada submitted that, depending on the circumstances, there were various acceptable alternative means for obtaining a customer's express consent. AT&T Canada indicated that the customer transfer process for migrating local customers offered examples of such acceptable means. Based on this process, AT&T Canada identified four alternatives for obtaining express consent:

• written confirmation;
• oral confirmation verified by an independent third-party;
• electronic confirmation through use of a toll-free number; or
• electronic confirmation via the Internet.

32. Mr. Long submitted that, in addition to AT&T Canada's list of proposed methods for obtaining express customer consent, the use of an opt-in check-off box, an electronic opt-in mechanism using the Internet, telephone key pad or other device, and a verbal consent followed by a letter confirming that consent was authorized would be appropriate means of obtaining customers' express consent.

33. TCI submitted that permissible forms of express consent would include, but not be limited to, consent given via email, web interface, live telephone and interactive voice response system.

34. Microcell stated that it was reasonable to expect that a customer conducting a transaction over a company's web site could provide consent using a "click-through" form or using a company's integrated voice response system.

35. The Consumer Groups, CWTA, Microcell, Mr. Long, RCI and TCI noted that, pursuant to the PIPED Act, consent must be informed.

The Commission's determinations

36. The Commission notes that customers currently use a variety of methods for communicating with Canadian carriers, and that it has found a number of methods of obtaining express customer consent acceptable in addition to a written document signed by the customer. For example, in Optel Communications Corporation vs. Bell Canada - CRTC clarifies contract requirements for local link service, Order CRTC 2000-250, 30 March 2000 (Order 2000-250), the Commission determined that oral confirmation verified by an independent third-party, electronic confirmation through the use of a toll-free number and electronic confirmation via the Internet, were acceptable methods of demonstrating express customer consent. These same methods of obtaining express customer consent have also been used for the past three years to protect customers from the unauthorized transfer of their long distance or local exchange service.

37. In the Commission's view, these methods would allow Canadian carriers greater flexibility in obtaining customers' consent to the disclosure of their confidential information while still allowing a sufficient level of privacy protection. The Commission notes that the other methods proposed by TCI and Microcell for obtaining customer consent and some of the methods proposed by Mr. Long, involving consent via the Internet, are largely variations on the methods approved in Order 2000-250, and would therefore be acceptable. However, Mr. Long's proposal that verbal consent from the customer followed by a letter of confirmation from the Canadian carrier to that customer would inappropriately put the onus on the customer to dispute the confirmation letter and would not, therefore, be an acceptable method of obtaining express customer consent.

38. In light of the above, the Commission finds that it is appropriate to permit Canadian carriers to use other forms of express consent as alternatives to written consent. In particular, the Commission finds that the following methods of obtaining express customer consent for disclosure of confidential customer information by Canadian carriers are appropriate, as alternatives to the current requirement for a document to be signed by the customer:

• oral confirmation verified by an independent third party;
• electronic confirmation through the use of a toll-free number; or
• electronic confirmation via the Internet.

Part III - Other related issues

Extension of confidentiality requirements

39. The Companies submitted that they were at a competitive disadvantage since the confidentiality provisions applied only to Canadian carriers, and not to other competitive service providers such as all resellers, including resellers of Internet service. TCI supported the Companies' position.

40. The Consumer Groups submitted that all competing companies under the Commission's jurisdiction should be subject to the same confidentiality requirements.

41. The Commission notes that, in a letter decision dated 1 February 2000, it required all local exchange carriers, as a condition of providing telecommunications services to resellers of local services, to include in their service contracts and other arrangements with those resellers the requirement that such resellers provide specific consumer safeguards, one of which was to ensure that their customers benefited from the confidentiality provisions.

42. The Commission considers that it would be in the public interest to require all Canadian carriers, as a condition of providing telecommunications services to all resellers of their telecommunications services, including resellers of Internet service, to include in their service contracts and other arrangements with those resellers the requirement that such resellers ensure that their customers benefit from the confidentiality provisions.

43. The Commission directs all Canadian carriers to show cause by 30 June 2003 why, as a condition of providing telecommunications services to any resellers not currently covered by the confidentiality requirements, they should not include in their service contracts and other arrangements with such resellers the requirement that these resellers abide by the confidentiality provisions.

44. At the same time, Canadian carriers are to serve a copy of their submissions on all parties to Public Notice 2001-60-1.

45. Parties may file comments with the Commission by 29 July 2003 serving a copy on the Canadian carrier in question. The Canadian carrier may file reply comments by 8 August 2003.

Application to share customer information

46. Call-Net proposed that Canadian carriers who wished to share confidential customer information between and with their affiliates without any direct consent, written or otherwise, should apply to the Commission for permission to do so, outlining which affiliates will be sharing the information, the relationships between the affiliates, the services offered by the affiliates and the reason for allowing the sharing of information. Call-Net proposed that only affiliates providing telecommunications services as defined in the Telecommunications Act should be allowed to share such information.

47. All other parties to the proceeding shared the view that the mechanism proposed by Call-Net would inappropriately deprive the individual customer of the right to provide or not provide consent.

48. The Commission considers Call-Net's proposal to be inappropriate, as it would deprive customers of their right to provide or not provide consent to the disclosure of confidential customer information. The Commission, therefore, denies Call-Net's proposal.

Conclusion

49. Considering all of the above, the Commission directs Canadian carriers to modify their existing tariffs, customer contracts and other arrangements to incorporate the following words:

50. The Commission directs those Canadian carriers that offer services pursuant to approved tariffs to file for approval proposed tariff pages reflecting the determinations made in paragraph 49, no later than 30 June 2003.

51. The Commission directs Canadian carriers to include, on a going forward basis, provisions reflecting the direction given in paragraph 49 in customer service contracts and other arrangements for all forborne services, except forborne mobile wireless services that are not switched (affected forborne services). In addition, these provisions will also apply to all existing customers of affected forborne services, regardless of whether the provisions were included in the service contracts or other arrangements entered into by those customers.

Secretary General

This document is available in alternative format upon request and may also be examined at the following Internet site: www.crtc.gc.ca

Footnotes

[1] Bell Canada et al. defined an affiliated company as where one company is a subsidiary of another, both companies are subsidiaries of the same company, or two companies are affiliated with a third company at the same time. Bell Canada et al. noted that this interpretation of "affiliate" is consistent with the definition of "affiliated bodies corporate" in subsection 2(2) of the Canadian Business Corporations Act.

Date modified:

2003-05-30