Telecom Decision CRTC 2022-238
Ottawa, 6 September 2022
Public record: 8665-P8-202005769
Public Interest Advocacy Centre – Request to define the privacy requirements for telecommunications service providers in the context of any digital contact tracing technologies app
Summary
One of the objectives of the Canadian telecommunications policy is to contribute to the protection of the privacy of persons, as set out in paragraph 7(i) of the Telecommunications Act (the Act). In furtherance of this objective, the Commission has taken certain regulatory measures in this decision to further protect Canadians’ confidential customer information.
The Public Interest Advocacy Centre (PIAC) filed an application in which it requested that the Commission define the privacy requirements for telecommunications service providers (TSPs) in the context of any digital contact tracing technologies (DCTTs) app. PIAC also requested that the Commission design a regulatory test in relation to the use of DCTTs for public health purposes that would determine whether or not confidential customer information (CCI) can be disclosed.
While the Commission noted that aspects of the application are not subject to the Commission’s regulatory purview under the Act, it acknowledged that PIAC’s application raised certain policy concerns pertaining to TSPs’ role with regard to customers’ privacy that merit further consideration. Accordingly, in this decision the Commission clarifies its CCI rules. In particular, the Commission confirms that CCI includes Internet Protocol addresses and mobile wireless telephone numbers; and that, absent the application of an exception, express consent to disclose CCI must be meaningful, and therefore clear and informed, in order to be valid. The Commission also clarifies that using publicly available data to confirm CCI is not permitted.
Furthermore, while the Commission is satisfied that the CCI rules clearly apply to most TSPs, it acknowledges that there is a gap with respect to mobile wireless data services. To address this, the Commission extends the CCI rules to all Internet service providers and wireless service providers and requires that they abide by the following:
- Unless a customer provides express consent or disclosure is pursuant to a legal power, all information kept by the company regarding the customer, other than the customer’s name, address, and listed telephone number, is confidential and may not be disclosed by the company to anyone, subject to the exceptions identified in the appendix to this decision and any other applicable exception that the Commission may have approved.
- For the purposes of this requirement, the forms of acceptable express consent are those set out in Telecom Decision 2005-15.
- All service providers must also comply with the additional privacy provisions set out in Telecom Regulatory Policy 2009-657 and Telecom Regulatory Policy 2017-11, to the effect that personal information collected for the purposes of Internet traffic management is not to be used for another purpose and is not to be disclosed.
However, the Commission determines that it is not necessary nor appropriate to adopt further measures beyond the CCI rules in relation to the handling of customer information by TSPs. Therefore, the Commission denies PIAC’s request to design a regulatory test in relation to the handling of customer information in the context of DCTTs that would determine whether or not CCI can be disclosed for public health purposes absent express consent. If a TSP or other entity considers that additional flexibility should be provided in order to permit a TSP to disclose CCI to a public authority absent express consent, it can apply to the Commission, and the Commission can then consider the matter.
Regulatory Background
- The Commission’s requirements regarding the use of confidential customer information (CCI) by telecommunications services providers (TSPs) [the CCI rules] are rooted in Telecom Decision 86-7, in which the Commission established the terms of service for carriers then under its jurisdiction. The CCI rules provide that all information about a customer, other than a customer’s name, address, and listed telephone number, is confidential and may not be disclosed absent express consent, with some exceptions.
- The CCI rules have been imposed as conditions of service under section 24 and, more recently, under section 24.1 of the Telecommunications Act (the Act). In some instances, those conditions of service have also been incorporated into tariffs, but in other instances they are stand-alone conditions of service imposed over the years and set out in various Commission determinations.
- In Telecom Decision 2003-33, the Commission stated that the confidentiality provisions first set out in Telecom Decision 86-7 apply equally to all Canadian carriers with regard to their provision of services except in respect of wireless services that are not publicly switched. In that decision, the Commission also found it appropriate to provide for other forms of express consent as alternatives to written consent.
- The CCI rules have also been clarified and refined in subsequent decisions. In particular, the Commission further expanded the forms of express consent required by carriers for the disclosure of CCI, [Footnote 1] and modified the exceptions to the requirement to obtain prior express consent, with different exceptions having been adopted over the years. [Footnote 2]
- In addition to the CCI rules, in Telecom Regulatory Policy 2009-657, the Commission supplemented its existing provisions concerning the protection of personal information. The Commission noted that certain technologies used as part of Internet traffic management practices have the capacity to both collect and use personal information derived from the flow of network traffic without the knowledge or consent of consumers, a capacity that gave rise to privacy concerns. As such, the Commission directed all primary Internet service providers (ISPs), as a condition of providing retail Internet services, not to disclose or use for other purposes personal information collected for traffic management purposes.
- In Telecom Regulatory Policy 2017-11, the Commission directed non-carriers, also known as resellers, as a condition of offering and providing any telecommunications services, to abide by (i) all applicable existing consumer safeguard obligations, including the CCI rules, and (ii) certain requirements set out in Telecom Regulatory Policy 2009-657, including those related to the use and disclosure of personal information collected for the purposes of traffic management.
Application
- The Commission received an application from the Public Interest Advocacy Centre (PIAC), dated 9 September 2020, in which PIAC requested Commission action in relation to the CCI rules, particularly as they regard the use of digital contact tracing technologies (DCTTs) apps. PIAC focused specifically on the use of the COVID Alert app [Footnote 3] and the ABTraceTogether app. [Footnote 4] PIAC’s concern was that government entities, in possession of Internet Protocol (IP) addresses or mobile wireless telephone numbers obtained via the relevant apps, could obtain associated customer information from TSPs via simple requests.
- PIAC requested that the Commission, in the context of the use of any DCTTs app, impose conditions of service on TSPs intended to contribute to the privacy of persons. More precisely, PIAC requested that the Commission (i) define the privacy requirements that TSPs must follow and confirm that they are the same as the privacy requirements for CCI developed under telephony decisions; (ii) establish a regime whereby TSPs, absent express consent, would only be permitted to disclose subscriber information in relation to a DCTT where the disclosure meets a test as specified by the Commission; and (iii) specify substantive, transparency, and accountability requirements in the above-noted test to encourage compliance with the privacy rules determined by the Commission.
- PIAC also indicated that the Commission may wish to open a broader inquiry into any TSPs’ activities related to contact-tracing apps or to network-level facilitation of individual customer location or other personal or communication details.
- As an initial response, the Commission issued a letter, dated 28 October 2020, in which it acknowledged that PIAC’s application raised certain policy concerns pertaining to TSPs’ role with regard to customers’ privacy that merit further consideration, but stated that it was concerned that aspects of the application appear to go beyond matters directly related to TSPs’ actions to include matters that are not subject to the Commission’s regulatory purview under the Act.
- As a result, the Commission stated that it would only consider matters subject to the Act, specifically,
- issues that pertain to the role of TSPs in the handling of CCI;
- issues relating to what information should qualify as CCI; and
- any resulting measures that should apply to the TSPs’ collection, use, and disclosure of that information.
- The Commission received interventions regarding the application from Urs Hengartner, Marc Nanni, Beanfield Technologies Inc. (Beanfield), Bell Canada (Bell), the Canadian Wireless Telecommunications Association (CWTA), Iristel Inc. (Iristel), the Office of the Privacy Commissioner of Canada (OPCC), Rogers Communications Canada Inc. (RCCI), Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC), Saskatchewan Telecommunications (SaskTel), TBayTel, TekSavvy Solutions Inc. (TekSavvy), TELUS Communications Inc. (TCI), and Vaxination Informatique (Vaxination).
Issues
- The Commission has identified the following issues to be addressed in this decision:
- Is there a gap in the CCI rules, in particular with respect to the provision of Internet access services or mobile wireless data services?
- Is additional Commission intervention warranted in order to properly protect the privacy interests of telecommunications users and, if so, what measures should the Commission adopt?
Is there a gap in the CCI rules, in particular with respect to the provision of Internet access services or mobile wireless data services?
Positions of parties
PIAC’s overall position
- PIAC acknowledged the unprecedented and deadly challenge of the COVID-19 virus and the need for significant public health measures to deal with it, including contact tracing. However, it considered that any DCTTs app or system, including the two apps it explicitly identified, can come at the potential expense of confidentiality and citizen privacy and must be used in the fairest and most open and transparent manner, non-coercively, non-discriminatorily, and only for the intended purpose(s).
- PIAC raised concern that a government authority, in possession of an IP address or mobile wireless telephone number obtained through the operation of a DCTT, could ultimately use that information to obtain subscriber information from a TSP without the subscriber’s express consent. PIAC argued that the app user, having been asked for explicit consent to upload diagnosis keys in an app installation, reasonably consented to any government use of that status. However, PIAC added that the consent given in the sign-up processes for both the COVID Alert app and ABTraceTogether app does not constitute valid, explicit consent by the customer under the Commission’s present privacy rules for disclosure by TSPs of subscriber information in their possession.
PIAC’s position regarding the Commission’s existing CCI rules
- PIAC acknowledged that the Commission has imposed rules to protect the privacy of CCI and that these requirements apply to the regulated services of telecommunications companies. However, PIAC argued that, because the Commission has not updated the CCI rules to apply to Internet and mobile wireless services, it is necessary to explicitly apply similar rules to those services as a condition of service, pursuant to the Commission’s authority under sections 24 and 24.1 of the Act.
- PIAC asserted that it considers IP addresses and mobile wireless telephone numbers to be personal information, adding that IP addresses have been consistently found by courts and accepted by the Commission as being linkable to private information. It noted the Commission’s efforts in Telecom Regulatory Policy 2009-657 to ensure that customer IP addresses are not used for tracking, identification, or individual surveillance, adding that this decision amounts to an effective declaration by the Commission that IP addresses are private information.
- Further, PIAC suggested that the Commission should set out rules that would govern possible disclosure by TSPs of subscriber information or other subscriber data associated with either IP addresses or telephone numbers that may have been gleaned from a DCTT.
- PIAC noted that the CCI rules allow for the disclosure of CCI in some circumstances, including (i) when the TSP has prior, verifiable, explicit consent from the customer or, (ii) absent consent or lawful power, for public order reasons.
- PIAC specifically cited the following public order exceptions from Bell Canada’s General Tariff which provide that the company may disclose CCI, absent consent or lawful power, to
- a public authority or agent of a public authority, if in the reasonable judgement of the Company, it appears that there is imminent danger to life or property which could be avoided or minimized by disclosure of the information; or
- a public authority or agent of a public authority, for emergency public alerting purposes, if a public authority has determined that there is an imminent or unfolding danger that threatens the life, health or security of an individual and that the danger could be avoided or minimized by disclosure of the information.
- With respect to the specific potential harms noted above, PIAC was of the view that the CCI rules, and specifically the above-referenced public order exceptions, do not permit a TSP to release any subscriber information in relation to DCTTs app information.
Interveners
- The OPCC stated that its submission was informed by its review of the COVID Alert apps and the joint statement issued by the federal, provincial, and territorial privacy Commissioners, Supporting public health, building public trust: Privacy principles for contact tracing and similar apps. The CWTA and some TSPs (Bell, RCCI, TBayTel and TCI) noted that the apps have been thoroughly reviewed and vetted by federal and provincial privacy commissioners.
- The CWTA, along with RCCI, TBayTel, and TCI, commented on the role of TSPs in the COVID-19 tracking apps, noting that TSPs were not involved in their development, implementation, or operation. The CWTA and some TSPs (RCCI, SaskTel, and TCI) submitted that TSPs do not collect or record any information from the apps nor are they involved in the matching or notification of any positive COVID-19 diagnoses resulting from their use, adding that the role of TSPs is limited to the transmission of app data over their networks.
- With respect to customer information, the OPCC submitted that the Personal Information and Electronic Documents Act (PIPEDA) provides important protections for the handling of personal information by TSPs. Specifically, under PIPEDA, TSPs are required to obtain consent from individuals with respect to the collection, use, and disclosure of their personal information, subject to specific exceptions.
- The OPCC further submitted that, in light of current law, absent exigent circumstances or a reasonable law, law enforcement officials need prior judicial authorization to obtain subscriber information from telecommunications companies and that Criminal Code sanctions, together with privacy law requirements, have set strict limits on government action or private sector practices with regard to accessing private information.
- The OPCC was of the view that the CCI rules provide an important additional layer in safeguarding consumer privacy in the telecommunications industry. The OPCC noted that the CCI rules prohibit TSPs from disclosing CCI without express consent, except in specified circumstances. Furthermore, and by way of reference to certain past Commission pronouncements, the OPCC stated its understanding that the Commission’s CCI rules apply to all service providers, including wireless service providers (WSPs), except in relation to the provision of mobile wireless services that are not switched, [Footnote 5] and that the Commission’s existing definition of CCI captures IP addresses and mobile wireless telephone numbers. The OPCC submitted, however, that if there is any doubt or ambiguity about whether IP addresses and mobile wireless telephone numbers satisfy the Commission’s existing definition of CCI, or whether the existing rules apply to WSPs, then it urged the Commission to extend the rules as needed.
- Bell, the CWTA, RCCI, SaskTel, TBayTel, and TekSavvy argued that there is no need for Commission intervention as there is already a robust existing privacy framework, which includes the CCI rules and PIPEDA, governing the collection, use, and disclosure of subscriber information.
- In general, the views of the CWTA and the TSPs were as follows:
- the CCI rules apply to all TSPs, including ISPs, WSPs, and resellers, and IP addresses and mobile wireless telephone numbers are afforded protection under applicable privacy rules;
- the Commission’s current privacy framework prohibits TSPs from disclosing CCI without express consent of the customer, except in certain specified circumstances; and
- the respective privacy policies and service contracts of TSPs are consistent with Canadian privacy law and the Commission’s privacy framework and are not limited to wireline telephone but apply more widely to the telecommunications services they provide.
- RCCI suggested that the Commission should address PIAC’s application by simply reminding all TSPs that the Commission’s rules respecting the protection of customer information already apply to customer information related to mobile wireless telephone numbers and Internet addresses, and to update their terms of service and privacy policies to ensure that this is the case.
- Marc Nanni, Bell, and the CWTA stated that CCI is broadly defined in the CCI rules to include all subscriber information held by TSPs regarding the customer, other than the customer’s name, address, and listed telephone number and therefore already includes IP address information.
- Urs Hengartner and Marc Nanni supported PIAC’s proposals, specifically relating to PIAC’s view that IP addresses should be considered CCI and that conditions should be put in place to protect the flow of subscriber information, including IP addresses, from TSPs to the government or to other interests not explicitly addressed in the CCI rules. Marc Nanni added that mobile wireless telephone numbers should also be included in those protections.
- Vaxination submitted that PIAC’s application provides the Commission with an opportunity to strengthen the rules to prevent any TSP from taking advantage of its privileged position in order to look at telecommunication flows, and to foster trust in the privacy of users of Canada’s telecommunications system.
- With respect to the consent collected by the COVID-19 tracing apps, most interveners, except the OPCC and TBayTel, did not provide any opinion as to whether the sign-up process for the apps could be used to provide consent for TSPs to disclose CCI. However, the OPCC noted that TSPs are prohibited from disclosing CCI without express consent, except in specified circumstances. TBayTel explicitly noted that subscribers who installed COVID-19 tracing apps did not give consent for TSPs to disclose CCI in relation to those apps.
Commission’s analysis
- The purpose of the CCI rules is to safeguard consumer privacy and to provide consumers with appropriate control over the use and disclosure of their personal information by TSPs.
- As noted above, the CCI rules do not result from a single decision applicable to all service providers and services. Rather, they have evolved over many years and have, over time, been imposed on different services and service providers.
- Most of the TSPs and other parties took the position that the CCI rules and associated measures that have been adopted for local telephony services applied equally to the provision of Internet access services on all networks, including mobile wireless data networks. Furthermore, TSPs appear to have implemented privacy policies that appear to be generally in accordance with the Commission’s CCI framework.
- While the Commission is satisfied that the CCI rules clearly apply to most TSPs, it acknowledges that there is a gap on the mobile wireless side and that there is, amongst stakeholders, a level of uncertainty as to whether any other gaps might exist.
- In Telecom Decision 96-14, the Commission distinguished mobile wireless switched voice services from other mobile wireless services (which include mobile wireless data services). [Footnote 6] A different forbearance regime was established for each of those two service categories. The Commission unconditionally forbore from regulating mobile wireless data services, including with regards to its powers to impose conditions of service under section 24 of the Act. As a result, any CCI rules that may have been in place with regard to the provision of mobile wireless data services by wireless carriers would have been eliminated at that time. The Commission only reasserted its powers under section 24 in relation to such services in Telecom Decision 2010-445, when it imposed the confidentiality requirements found in Telecom Regulatory Policy 2009-657 on mobile wireless data providers. However, those requirements only concern information collected for the purposes of traffic management, and not CCI more generally.
- With respect to the provision of Internet access services by carriers other than incumbent local exchange carriers (including small incumbent local exchange carriers) and mobile wireless carriers, the Commission is of the view that further clarification of the applicability of the CCI rules to such carriers is called for, as the Commission did not unambiguously apply the CCI rules to all carriers when it addressed confidentiality provisions in its previous decisions.
- On the other hand, there does not appear to be any ambiguity in relation to the application of the CCI rules to non-carrier TSPs, because in Telecom Regulatory Policy 2017-11, the Commission unambiguously extended existing CCI requirements to all non-carrier TSPs, as well as the relevant requirements first set out in Telecom Regulatory Policy 2009-657. In order to better ensure that the privacy of Canadians is protected regardless of the service or service provider they use, the Commission acknowledges the importance of symmetrically applying the CCI rules to all service providers with respect to the provision of telecommunications services. [Footnote 7]
- With respect to whether CCI includes a customer’s IP address and mobile wireless telephone number, the Commission notes that it has never set out an itemized list of information that it considers to qualify as CCI for the purposes of its regulatory measures. Rather, when the Commission first imposed obligations regarding CCI in Telecom Decision 86-7, it identified what information was not considered to be CCI, namely, the customer’s name, address, and listed telephone number. All other information kept by the carrier regarding a customer was considered to be confidential.
- The Commission acknowledges that an IP address or a mobile wireless telephone number, on its own, cannot be used to identify an individual. However, when connected with other information, it can be used for that purpose. Accordingly, any IP address or unlisted mobile wireless telephone number associated with a customer is to be considered CCI. The Commission notes, however, that disclosure of IP addresses across the network is required for the Internet to function (e.g., a computer seeking to interact with another computer must identify itself to that other computer by way of an IP address) and clarifies that such disclosure does not run afoul of its regulations.
- The Commission confirms that the CCI rules prohibit a TSP from releasing any customer information as part of a disclosure request, including the customer’s name, address, or listed telephone number, where it could be used in conjunction with any CCI to individually identify a customer, unless one of the disclosure exceptions applies. Although the information formally disclosed in such a case may not be considered confidential under the CCI rules, should a service provider, in response to a request from a third party, disclose the name of an end user associated with an IP address or mobile wireless telephone number already known to the requester, it would reveal more than just a name. Because it would disclose the identity of a person using a specific IP address, it would also disclose a connection between the subscriber and CCI, which could yield highly sensitive information that could not be gleaned from the name or listed telephone number alone.
- The Commission agrees with PIAC’s assertion that the sign-up processes for the COVID-19 contact tracing apps referenced in its application do not appear to provide adequate consent for TSPs to release subscriber information linked to IP addresses or mobile wireless telephone numbers. Moreover, the Commission notes that the record of this proceeding provides no indication that TSPs have been requested to disclose subscriber information associated with an IP address or mobile wireless telephone number obtained through the operation of DCTTs apps.
- Additionally, while the Commission has defined express consent in relation to the disclosure of CCI, the Commission clarifies that under the CCI rules, absent the application of an exception, express consent must be meaningful, and therefore clear and informed, in order to be valid. The Commission also notes that PIPEDA and the Privacy Act both require that individuals be informed about possible uses of data when consenting to their data being collected and stored.
- In light of the above, the Commission
- acknowledges the existence of a gap in the application of the CCI rules with respect to the provision of mobile wireless data services by mobile wireless carriers, and that there may be a lack of clarity as to whom the CCI rules apply to, with regard to the provision of which services;
- acknowledges the importance of symmetrically applying the CCI rules to all WSPs and ISPs with regard to the provision of mobile wireless and Internet access services consistent with the 2006 Policy Direction; [Footnote 8] and therefore
- requires pursuant to sections 24 (regarding carriers) and 24.1 (regarding non-carriers) of the Act that, as a condition of offering or providing telecommunications services, all TSPs are required, with regard to the provision of Internet access services, and all WSPs, with regard to the provision of mobile wireless services, save for mobile wireless services that are not publicly switched, abide by the following:
- Unless a customer provides express consent or disclosure is pursuant to a legal power, all information kept by the company regarding the customer, other than the customer’s name, address, and listed telephone number, is confidential and may not be disclosed by the company to anyone subject to the exceptions identified in the appendix to this decision and any other exception that the Commission may have approved that applies. [Footnote 9]
- For the purposes of the above requirement, the forms of acceptable express consent are those set out in the appendix to this decision.
- All service providers must also comply with additional privacy provisions, set out in Telecom Regulatory Policy 2009-657 and Telecom Regulatory Policy 2017-11, to the effect that TSPs are not to use personal information collected for the purpose of Internet traffic management for other purposes and are not to disclose such information.
- Furthermore, in order to eliminate any uncertainty, the Commission
- confirms that any IP address or unlisted mobile wireless telephone number associated with a customer is to be considered CCI;
- clarifies that the CCI rules prohibit a TSP from disclosing a customer’s name, address or listed telephone number if, as part of a disclosure request, it is given any CCI relating to that customer, including, but not limited to, the customer’s IP address or mobile wireless telephone number, and asked to provide information relating to the person associated with that IP address or phone number, unless one of the disclosure exceptions is applied; and
- confirms that, under the CCI rules, express consent must be meaningful and therefore clear and informed in order to be valid.
Is additional Commission intervention warranted in order to properly protect the privacy interests of telecommunications users and, if yes, what measures ought to be adopted?
Positions of parties
- PIAC submitted that, if it was demonstrably and absolutely needed to effectively implement public health-led contact tracing, then contact tracing using CCI generated by TSPs could and possibly should be permitted, without the express consent of the customer, but subject to certain requirements including notice to the affected customers.
- To assist the Commission in the event that it considers it appropriate to create such an exception to the CCI rules, PIAC proposed a specific legal and regulatory test, referred to as a “COVID-app disclosure request” test, that, in its view, would maximally protect the privacy of consumers. Under PIAC’s proposed regime, a TSP would first need to apply to the Commission for permission to disclose a customer’s CCI. Such applications would then be resolved by way of a test such as that proposed by PIAC.
- Marc Nanni was of the view that a test prior to the disclosure of CCI would avoid any potential abuses of CCI.
- On the other hand, the CWTA, the OPCC, RCCI, and Bell were of the view that PIAC did not demonstrate that additional measures, such as the proposed test, are necessary. Beanfield, Bell, the CWTA, Iristel, RCCI, SaskTel, TBayTel, TCI, and TekSavvy submitted that no new exceptions are required as they (or in the case of the CWTA, their member TSPs) already have comprehensive lawful access policies and procedures in place in accordance with PIPEDA and Commission decisions concerning CCI, and that the existing lawful access policies would apply to a request for disclosure from the federal or any provincial government in connection with the COVID-19 apps. They argued that, under those rules and policies, a TSP could not simply disclose customer information linked to a specific IP address or mobile wireless telephone number on request.
- As noted above, the OPCC submitted that there are strict limits on government action or private sector practices with regard to accessing private information.
- The OPCC submitted that, in the absence of any identified public health need to obtain, without consent, the subscriber information of DCTTs app users from a TSP, there was no legitimate reason for creating a new exception to the important protections afforded by the Commission’s existing CCI rules. They added that creating such an exception would run directly counter to the expectations of users and the commitments that have been made to them by government authorities with respect to the COVID Alert app, and that if there is a public health need to access the identity of users for contact tracing or otherwise, then this should be considered in the design of the app, taking into account the privacy principles for contact-tracing and similar apps.
- The CWTA and RCCI argued that the COVID-app disclosure request test would, if adopted, impose an entirely unnecessary and intrusive additional layer of privacy regulation. RCCI noted that PIAC's proposed test and related process would require (i) an application to the Commission by the TSP, notice to the person (or persons) whose information it is proposing to disclose, participation by that individual if they wish to participate, and a decision by the Commission; and (ii) that notice of such a decision would need to be given to the individual affected, along with an opportunity to contest the result, where prior notice cannot be given. Both the CWTA and RCCI were of the view that the proposed test would be difficult to apply, because the Commission does not have the requisite expertise to assess such public health-related requests.
- The CWTA and some TSPs elaborated on how TSPs handle requests from government or law enforcement authorities for subscriber information, noting a highly developed legal framework set out in applicable laws of general application, including PIPEDA, the Criminal Code and the Canadian Security Intelligence Service Act. The CWTA stated that TSPs will only disclose subscriber information to a government or law enforcement authority when presented with a valid order made by a court, person, or body with the jurisdiction to compel the information (e.g., a production order or warrant) or where the authority has identified its lawful authority to obtain the information. The CWTA added that TSPs review the validity of each request and verify the requests for appropriate jurisdiction, mistakes, errors, or omissions; and that they consider the breadth and scope of the request. Further, they stated that TSPs routinely ask for additional information and justification from authorities regarding such requests, push back against incomplete, incorrect, or overly broad requests, and require any errors to be remedied before fulfilling a request. The CWTA noted that, in some cases, requests are denied.
- However, some interveners were of the view that additional measures were warranted. Specifically, Beanfield proposed that the Commission launch a proceeding to modernize the Commission’s privacy and CCI rules. CIPPIC also supported a broader consultation.
Commission’s analysis
- TSPs currently have robust procedures in place to handle requests for subscriber information from government or law enforcement authorities. The Commission’s CCI rules allow disclosure without prior express consent in very specific circumstances, which do not include generic requests from government agencies. Disclosure in the absence of express consent can only be made pursuant to a legal power or where specific exceptions apply. With regard to the general exception that allows for disclosure of CCI, absent express consent, pursuant to a legal power, and PIAC’s concern that this could allow for such disclosure in the absence of a warrant or other judicial instrument, the Commission is of the view that the record of this proceeding does not provide compelling evidence as to why compliance with constitutionally compliant legislation raises concerns that need to be addressed by the Commission. It would not be appropriate for the Commission to adopt measures that would have the effect of preventing or hindering an entity from complying with legislation duly enacted by the relevant legislature in pursuit of public interest objectives or with statutory instruments adopted pursuant to such legislation.
- Furthermore, and specifically with respect to the matter of constitutional compliance, where a government actor attempts to obtain subscriber information for the purpose of enforcing a statutory or regulatory scheme, the protections of section 8 of the Canadian Charter of Rights and Freedoms (the Charter) against unreasonable searches and seizures will be engaged. [Footnote 10] The Supreme Court of Canada’s (SCC) decision in R. v. Spencer, [Footnote 11] which was referred to by a number of parties to this proceeding, is instructive in this regard because it concerned a request made by police to Shaw Communications Inc. to disclose subscriber information relating to an IP address in its possession. In that decision, the SCC found that there was a reasonable expectation of privacy in subscriber information linked to an IP address since disclosure of such information will often reveal intimate details about an individual. [Footnote 12] The SCC therefore ruled that such requests by a law enforcement entity constitute a search for the purposes of section 8 of the Charter. In the Commission’s view, such reasoning can be applied with respect to subscriber information relating to any device connected to publicly accessible networks.
- Where section 8 of the Charter is engaged, a search conducted in the absence of a warrant or judicial production order is presumed to be unreasonable unless it can be shown that the search was conducted in light of pressing circumstances, such as where the information is required to prevent imminent harm to a person, or was authorized by a reasonable law. [Footnote 13]
- The assessment of the reasonableness of a warrantless search will necessarily be contextual. Where a search relies on a statutory search power, the assessment will depend to a large extent on the objectives pursued by the relevant statute, the nature of the privacy interests at stake—which, in the case of subscriber information linked to an IP address or mobile device connected to a publicly accessible telecommunications network, will generally be substantial—and the degree of intrusiveness upon those privacy interests that the law authorizes. [Footnote 14]
- It bears emphasizing that it is the government actor attempting to obtain subscriber information from an ISP or WSP for the purpose of enforcing a statutory or regulatory scheme absent a warrant or judicial production order that would shoulder the burden of demonstrating the reasonableness of the warrantless search.
- With respect to PIAC’s view that the public order exceptions as set out in Bell Canada’s General Tariff are not sufficient to permit disclosure, without express consent, of subscriber information to a government authority for the purposes of public tracing, even in situations where there is a demonstrable need to effectively implement public health-led contact tracing using CCI generated by TSPs, the Commission notes that those exceptions were not meant for that theoretical scenario. [Footnote 15] Amongst other matters, the specific exceptions identified by PIAC incorporate a standard of “imminent” or “imminent or unfolding” danger that speaks to the existence of circumstances requiring urgent action in order to prevent the realization of the underlying danger or otherwise minimize its consequences, and where it would not be feasible to obtain a lawful order to disclose.
- With regard to PIAC’s proposed new COVID-app disclosure request exception, the record of this proceeding does not demonstrate that the ability of a government actor to compel the disclosure of CCI using appropriate and Charter-compliant legal powers, such as a production order, is insufficient to address the hypothetical scenarios put forth in PIAC’s application and that a new exception is required.
- Moreover, while such a test would provide TSPs with another avenue to disclose CCI without express customer consent, no TSP has requested the adoption of such a test.
- Accordingly, the Commission finds that it is neither necessary nor warranted to impose new measures in relation to the handling of customer information by TSPs, including the creation of a specific exception that would govern the disclosure, for public health purposes, of subscriber information linked to the IP address or mobile wireless telephone number of a user of a DCTTs app, absent express consent from the underlying customer to do so.
- In light of the above, the Commission denies PIAC’s request to develop a regime to permit disclosure of subscriber information in relation to public health contact tracing endeavours, such as its proposed COVID-app disclosure request, and to specify substantive, transparency, and accountability requirements in that regime.
- The Commission notes that, if a TSP or other entity considers that additional flexibility should be provided in order to permit a TSP to disclose CCI to a public authority absent express consent, such TSP or other entity can apply to the Commission and the Commission can then consider the matter. In such a case, it will be incumbent on the applicant to demonstrate that its proposal adequately protects the privacy interests of subscribers of telecommunications services having regard to the objective or objectives sought in requesting additional flexibility.
Conclusion
- In light of all of the above, the Commission
  - acknowledges the existence of a gap in the application of the CCI rules with respect to the provision of mobile wireless data services by mobile wireless carriers, and acknowledges that there may be a lack of clarity as to whom the CCI rules apply to, with regard to the provision of which services;
  - acknowledges the importance of symmetrically applying the CCI rules to all WSPs and ISPs with regard to the provision of mobile wireless and Internet access services consistent with the 2006 Policy Direction; and therefore
  - requires pursuant to sections 24 (regarding carriers) and 24.1 (regarding non-carriers) of the Act that, as a condition of offering or providing Internet access services or publicly switched mobile wireless services, all TSPs are required, with regard to the provision of Internet access services, and all WSPs, with regard to the provision of mobile wireless services, save for mobile wireless services that are not publicly switched, to abide by the following:
    - Unless a customer provides express consent or disclosure is pursuant to a legal power, all information kept by the company regarding the customer, other than the customer’s name, address, and listed telephone number, is confidential and may not be disclosed by the company to anyone subject to the exceptions identified in the appendix to this decision and any other exception that the Commission may have approved that applies. [Footnote 16]
    - For the purposes of the above requirement, the forms of acceptable express consent are those set out in the appendix to this decision.
    - All service providers must also comply with the additional privacy provisions, set out in Telecom Regulatory Policy 2009-657 and Telecom Regulatory Policy 2017-11, to the effect that TSPs are not to use personal information collected for the purpose of Internet traffic management for other purposes and are not to disclose such information.
- The Commission confirms that any IP address or unlisted mobile wireless telephone number associated with a customer is to be considered CCI. However, the Commission notes that in order for the Internet to function, IP addresses must be disclosed across the network (e.g., a computer seeking to interact with another computer must identify itself to that other computer by way of an IP address). Therefore, the Commission clarifies that such disclosure does not run afoul of its regulations.
- The Commission confirms that the CCI rules prohibit a TSP from disclosing a customer’s name, address or listed telephone number or any other customer information if, as part of a disclosure request, it is given the customer’s IP address or mobile wireless telephone number and asked to provide information relating to the person associated with that IP address or mobile wireless telephone number, unless one of the disclosure exceptions is applied.
- The Commission confirms that, under the CCI rules, express consent must be meaningful, and therefore clear and informed, in order to be valid.
- The Commission denies PIAC’s request to develop a regime to permit disclosure of subscriber information in relation to public health contact tracing endeavours, such as its proposed COVID-app disclosure request, and to specify substantive, transparency, and accountability requirements in that regime.
- The Commission notes that, if a TSP or other entity considers that additional flexibility should be provided in order to permit a TSP to disclose CCI to a public authority absent express consent, such TSP or other entity can apply to the Commission and the Commission can then consider the matter. In such a case, it will be incumbent on the applicant to demonstrate that its proposal adequately protects the privacy interests of subscribers of telecommunications services having regard to the objective or objectives sought in requesting additional flexibility.
Policy Directions
- The 2006 Policy Direction requires that the Commission, when exercising its powers and performing its duties, should, amongst other matters, rely on market forces to the maximum extent feasible as a means of achieving the Canadian telecommunications policy objectives set out in section 7 of the Act. Furthermore, when relying on regulation, the Commission should use measures that are efficient and proportionate to their purpose and that interfere with the operation of competitive market forces to the minimum extent necessary to meet the policy objectives.
- The Commission considers that market forces alone cannot be relied upon to achieve the policy objective set out in paragraph 7(i) of the Act, namely, to contribute to the protection of the privacy of persons.
- In Telecom Decision 2006-15, the Commission found that market forces, even buttressed by the provisions of PIPEDA, were unlikely to sufficiently protect the privacy interests of customers. This conclusion was based on the Commission’s experience with customer confidentiality provisions, and on the advent of new technologies and the emergence of electronic commerce, which allows for information to be more easily processed, rearranged, and exchanged. There is nothing on the record of this proceeding that would indicate that the Commission’s previous conclusions about the ability to rely on market forces are no longer appropriate.
- In addition, the Commission’s rules require that consent to disclose, where required, be express, whereas PIPEDA does allow for consent to be implied in certain circumstances. The Commission considers that the express consent standard is appropriate and would not be achieved by way of reliance on market forces alone.
- Finally, the Commission’s rules are imposed on TSPs as conditions of service and are subject to the enforcement powers provided to the Commission, including the ability to impose administrative monetary penalties in the event of non-compliance. By contrast, and as recognized in Telecom Regulatory Policy 2009-723, PIPEDA does not provide the same enforcement tools to the relevant enforcing agency, the OPCC.
- The Commission considers that this decision fulfills subparagraph 1(a)(ii) of the 2006 Policy Direction, [Footnote 17] because it will not materially interfere with the operation of competitive market forces. In this regard, the Commission’s determinations in this decision serve to formalize a situation that most parties believe to already be in place, namely that the Commission’s existing CCI-related measures apply to all service providers with respect to the provision of all services, save for non-switched mobile wireless services.
- Moreover, the determinations in this decision serve to further a symmetrical application of the CCI rules for all TSPs and are therefore consistent with subparagraph 1(b)(iii) of the 2006 Policy Direction. [Footnote 18]
- With regard to PIAC’s proposed new exception and the associated test, as the Commission has noted above, the record of this proceeding does not show that such a regulatory measure would be necessary to protect consumer interests. For similar reasons, adoption of this proposal would be contrary to the 2006 Policy Direction because a new exception, under such circumstances, would not be an efficient or proportionate measure.
- The 2019 Policy Direction [Footnote 19] requires the Commission, in exercising its powers and performing its duties under the Act in order to implement Canadian telecommunications policy objectives, to consider how its decisions can promote competition, affordability, consumer interests, and innovation.
- The Commission is of the view that its determinations in this decision fulfill paragraph 1(a) of the 2019 Policy Direction [Footnote 20] because, through the clarification of the scope of the Commission’s privacy framework and the extension of this framework to mobile wireless switched data services offered by carriers, they promote consumer interests.
- Further, the Commission is of the view that its determinations in this decision fulfill subparagraph 1(a)(iv) of the 2019 Policy Direction [Footnote 21] because, by confirming and clarifying the applicability of the CCI rules in the context of DCTTs apps, it will establish certainty for the parties and for Canadians. Clarity and transparency with regard to the CCI rules will serve to protect the rights of consumers in their relationships with their TSPs.
- With regard to PIAC’s proposed new exception and associated test, the record of this proceeding does not show that such a regulatory measure would be necessary to protect consumer interests.
Secretary General
Related documents
- Application of regulatory obligations directly to non-carriers offering and providing telecommunications services, Telecom Regulatory Policy CRTC 2017-11, 17 January 2017; as amended by Telecom Regulatory Policy CRTC 2017-11-1, 10 July 2017, and Telecom Regulatory Policy CRTC 2017-11-2, 17 July 2018
- Modifications to forbearance framework for mobile wireless data services, Telecom Decision CRTC 2010-445, 30 June 2010
- Regulatory measures associated with confidentiality provisions and privacy services, Telecom Regulatory Policy CRTC 2009-723, 25 November 2009
- Review of the Internet traffic management practices of Internet service providers, Telecom Regulatory Policy CRTC 2009-657, 21 October 2009
- Use of E9-1-1 information for the purpose of providing an enhanced community notification service, Telecom Decision CRTC 2007-13, 28 February 2007
- Forbearance from the regulation of local exchange services, Telecom Decision CRTC 2006-15, 6 April 2006
- Part VII application to revise Article 11 of the Terms of Service, Telecom Decision CRTC 2005-15, 17 March 2005
- Confidentiality provisions of Canadian carriers, Telecom Decision CRTC 2003-33, 30 May 2003; as amended by Telecom Decision CRTC 2003-33-1, 11 July 2003
- Telecom Order CRTC 99-991, 13 October 1999
- Forbearance from regulation of mobile wireless services provided by municipally owned telephone companies, Telecom Decision CRTC 98-18, 9 October 1998
- Regulation of mobile wireless telephone services, Telecom Decision CRTC 96-14, 23 December 1996
- Forbearance – Services provided by non-dominant Canadian carriers, Telecom Decision CRTC 95-19, 8 September 1995
- AGT, NBTel and Newfoundland Tel – Amendments to the General Regulations, Telecom Decision CRTC 95-6, 13 January 1995, as amended by Telecom Decision CRTC, 16 May 1995
- Review of the general regulations of the federally regulated terrestrial telecommunications common carriers, Telecom Decision CRTC 86-7, 26 March 1986; as amended by Telecom Order CRTC 86-593, 22 September 1986
Appendix to Telecom Decision CRTC 2022-238
In order to provide clarity, the general confidential customer information (CCI) rules are set out below.
All telecommunications service providers (TSPs), whether they be carriers or non-carriers (e.g. resellers), are to abide by the following in relation to the provision of telecommunications services, with the exception of non-switched mobile wireless services:
Unless a customer provides express consent or disclosure is pursuant to a legal power, all information kept by the company regarding the customer, other than the customer’s name, address, and listed telephone number, including but not limited to IP addresses and unlisted mobile wireless telephone numbers, is confidential and may not be disclosed by the company to anyone other than
- the customer;
- a person who, in the reasonable judgment of the company, is seeking the information as an agent of the customer;
- another telephone company, provided the information is required for the efficient and cost-effective provision of telephone service and disclosure is made on a confidential basis with the information to be used only for that purpose;
- a company involved in supplying the customer with telephone or telephone directory-related services, provided the information is required for that purpose and disclosure is made on a confidential basis with the information to be used only for that purpose;
- an agent retained by the company in the collection of the customer’s account, provided the information is required for and is to be used only for that purpose;
- a public authority or agent of a public authority, for emergency public alerting purposes, if the public authority has determined that there is an imminent or unfolding danger that threatens the life, health, or security of an individual and that the danger could be avoided or minimized by disclosure of information; or
- an affiliate involved in supplying the customer with telecommunications and/or broadcasting services, provided the information is required for that purpose and disclosure is made on a confidential basis with the information to be used only for that purpose.
While the above lays out the general set of exceptions, the Commission acknowledges that it has previously approved certain TSP-specific exceptions. Such exceptions continue to apply, as relevant.
Express consent may be taken to be given by a customer where the customer provides the following:
- written consent;
- oral confirmation verified by an independent third party;
- electronic confirmation through the use of a toll-free number;
- electronic confirmation via the Internet;
- oral consent, where an audio recording of the consent is retained by the carrier; or
- consent through other methods, as long as an objective documented record of customer consent is created by the customer or by an independent third party.
In order for it to be valid, express consent must be meaningful and therefore clear and informed.