Review of the Internet traffic management practices of Internet service providers

Final reply of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunication Commission (CRTC)

July 2009

In November 2008, the Canadian Radio-television and Telecommunication Commission (CRTC) initiated a public proceeding to review the Internet traffic management practices of Internet Service Providers (ISPs).

The CRTC called for written submissions in February 2009. The OPC welcomed the opportunity to contribute to the public discussion with respect to the protection of personal information on the Internet, and submitted comments.

As part of the review proceedings, the CRTC held public hearings from July 6 to 14 2009. All parties who submitted initial comments were invited to participate. Parties were also invited to submit a “final reply” to the proceedings by July 28th 2009. A final reply is intended to give the parties a last opportunity to address any issues raised during the proceedings. A final reply is also meant to ensure that the CRTC has the most complete record of relevant issues and evidence as possible upon which to ground any future policy direction, order or telecom decision relating to Internet traffic management.

The OPC’s submission and final reply are made pursuant to our legislative mandate to protect the privacy rights of individuals, foster public understanding of privacy, and promote the privacy protections available in Canada. Both OPC submissions to this proceeding are focused on the privacy implications about the potential uses of deep packet inspection (DPI) and more generally the crucial need - and growing expectation - of Canadians that their personal information is protected online.

July 28, 2009

Mr. Robert A. Morin
Secretary General
Canadian Radio-television and Telecommunications Commission
Ottawa, ON
K1A 0N2

Dear Mr. Morin:

Re: Telecom Public Notice CRTC 2008-19 – Review of the Internet traffic management practices of Internet service providers; Final Reply Submission from the Office of the Privacy Commissioner of Canada

1. On February 18 2009, the Office of the Privacy Commissioner of Canada (OPC)^{Footnote 1} made a submission^{Footnote 2} to the Canadian Radio-television and Telecommunications Commission (CRTC) as an interested party to the above proceedings. The OPC’s submission was made pursuant to its legislative mandate to protect the privacy rights of individuals and promote the privacy protections available to Canadians.^{Footnote 3}

2. The OPC’s initial submission was focused on the privacy implications of Internet traffic management practices employed by internet service providers (ISPs). Specifically, the OPC’s comments addressed privacy concerns about the potential use of Deep Packet Inspection (DPI).

3. From July 6th to July 14th, 2009 the CRTC conducted 7 days of public hearings (the hearings) for the proceeding. The CRTC heard evidence from public interest advocacy groups, industry organizations, manufacturers of equipment and technologies used to manage networks, ISPs and interested individuals.

4. The CRTC has given parties the opportunity to respond to issues raised during the proceedings in a Final Reply. This submission serves as the OPC’s Final Reply to privacy issues raised by the CRTC Panel and parties that appeared at the hearings.

5. The OPC acknowledges that the ISPs and others gave evidence before the Hearing Panel that DPI is not currently used by operators for purposes other than network management. The ISPs stated that customer personal information^{Footnote 4}, that is being handled in Internet traffic management practices (ITMPs) such as DPI, is not being used for marketing purposes. Specifically, ISPs claimed that they do not engage in targeted or behavioural advertising using information obtained through DPI.

6. The Personal Information Protection and Electronic Documents Act (PIPEDA),^{Footnote 5} applies to personal information^{Footnote 6} handled by ISPs in the course of providing Internet services to customers. PIPEDA requires that there be informed and meaningful consent for any purpose different from the original.

7. Our Final Reply will address the following:

The CRTC has a statutory obligation and recognized expertise to protect privacy.
PIPEDA provides a basic standard for privacy protection: The CRTC may set higher, industry specific guidelines.
Privacy and legitimate business interests can be addressed using a balancing test: The example of OPC Findings under PIPEDA.
Canadians care about personal privacy and are entitled to know how their personal information is being handled and protected.

I. The CRTC has a statutory obligation and recognized expertise to protect privacy.

8. According to Canadian telecommunications policy, the CRTC is required to safeguard the privacy of individuals and their communications. This policy is set out in paragraphs 7(a) and (i) of the Telecommunications Act: ^{Footnote 7}

7. It is hereby affirmed that telecommunications performs an essential role in the maintenance of Canada’s identity and sovereignty and that the Canadian telecommunications policy has as its objectives

(a) to facilitate the orderly development throughout Canada of a telecommunications system that serves to safeguard, enrich and strengthen the social and economic fabric of Canada and its regions;

…

(i) to contribute to the protection of the privacy of persons.

9. During the Hearings, a number of parties to the proceeding took the position that they preferred that the CRTC refrain from regulating the Internet traffic management practices of ISPs with respect to privacy. In response, the Panel reminded the parties that, under the Act, the CRTC not only has statutory authority to protect privacy, but indeed, an express obligation to do so, reflecting the intention of Parliament in its enabling legislation.

10. Moreover, the CRTC is a specialized, decision-making, tribunal with recognized expertise over telecommunications matters.^{Footnote 8} Bill C-27, the Electronic Commerce Protection Act (ECPA) currently before the Standing Committee on Industry, Science and Technology is an example of Parliament recognizing the specific expertise of both the OPC and the CRTC over areas of overlapping concern.^{Footnote 9} The CRTC has the institutional knowledge and experience to craft appropriate measures to encourage technological innovation and economic growth, within this industry, and ensure that the privacy of Internet users in Canada is respected.

II. PIPEDA provides a basic standard for privacy protection: The CRTC may set higher, industry specific guidelines.

11. In exercising its powers under the Telecommunications Act, the CRTC may apply higher standards to protect privacy than those contemplated by PIPEDA.^{Footnote 10}

12. Our original submission noted that the CRTC and the OPC have recognized complementary statutory roles regarding privacy protection.^{Footnote 11} Their statutory roles are related, but not redundant. While the OPC and CRTC have overlapping jurisdiction with respect to both privacy protection and communications service providers,^{Footnote 12} their functions and powers differ significantly.

13. The Telecommunications Act is sector-specific. The Act enables the CRTC to create specific guidelines and regulations to address concerns within the industry. The Act gives the CRTC the ability to enhance privacy protection for Canadians. For example, under the Telecommunications Act, the CRTC has:

the authority to make binding decisions and orders
the ability to regulate both Internet services and the use of communications technologies used to deliver those services. This is a significant regulatory power which allows the CRTC to ensure that privacy is built into technologies used by the communications industry across Canada.

14. As noted by the Panel during the hearings, PIPEDA is, in contrast to the Telecommunications Act, a statute of general application. PIPEDA broadly applies to personal information collected by an organization in the course of commercial activity. The Act applies to organizations across diverse industries and in a wide variety of contexts.

15. PIPEDA represents a basic standard for how organizations should manage personal information. The CRTC, through its regulatory powers may exceed PIPEDA’s standard if, in their expert opinion, the proposed requirement is consistent with the public interest and Canadian telecommunications policy, as set out under the Telecommunications Act.^{Footnote 13}

III. Privacy and legitimate business interests can be addressed using a balancing test: The example of OPC Findings under PIPEDA.

16. The legislative purpose of PIPEDA is to protect personal information while recognizing the reality of modern commerce, which, increasingly, is characterized by virtual, electronic transactions, propelled by rapid advances in information technology.^{Footnote 14}

17. The bedrock of PIPEDA is individual consent, which can be express or implied, depending on the circumstances. ^{Footnote 15} Even with consent, organizations must limit collection, use, and disclosure of personal information, for purposes that a reasonable person would consider appropriate under the circumstances.^{Footnote 16}

18. The “reasonable person” test is central to privacy protection under PIPEDA and echoes the Oakes^{Footnote 17} test developed by the Supreme Court of Canada.

19. The OPC has applied^{Footnote 18} the reasonable person test, with its consideration of less privacy-invasive methods, as part of an overall assessment of reasonableness under PIPEDA. The test is applied contextually, on a case-by-case basis, to strike the appropriate balance between individual privacy concerns, and legitimate business interests.

20. From a privacy perspective, this approach is consistent with the Chair’s observations during the hearings.^{Footnote 19}

IV. Canadians are concerned about privacy and are entitled to know how their personal information is being handled and protected.

21. Whether the collection, use, or disclosure of personal information is perceived as minimal, or conducted for a legitimate purpose in the ordinary course of business, it should be remembered that whenever personal information is implicated, the issue of privacy will be raised. This is also true in instances where an organization claims to merely “access” personal information using DPI, and not “monitor,” store or disclose that information for purposes other than network management.

22. Privacy is fundamentally a right from which other essential freedoms flow. The OPC’s initial submission for this proceeding cites extensive Canadian jurisprudence and statute law confirming this principle.^{Footnote 20} Members of the Panel repeatedly affirmed throughout the hearings that privacy is a fundamental right. Privacy has an inherent social and human value that transcends a singular regulatory regime or statute.

23. Canadians have mounting concerns about the preservation of privacy rights. They are entitled to have clear, easily accessible, and meaningful safeguards of their personal information, and how it is managed by ISPs implementing traffic management practices. They expect that their personal information will not be misused, and will be treated with a high standard of care by the organizations they choose to do business with, and that the public bodies tasked with the duty to protect their privacy, not hesitate to do so.

Respectfully submitted,

Original signed by

Jennifer Stoddart
Privacy Commissioner of Canada

Footnote 1

Office of the Privacy Commissioner of Canada

Return to footnote 1

Footnote 2

Deep Packet Inspection: Review of the Internet traffic management practices of Internet Service Providers by the Office of the Privacy Commissioner of Canada.

Return to footnote 2

Footnote 3

Office of the Privacy Commissioner of Canada, About Us, Mandate and Mission

Return to footnote 3

Footnote 4

Section 2(1) of PIPEDA provides that “personal information” means “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” For examples of OPC findings on what constitutes personal information, see OPC Interpretation “The Meaning of Personal Information” (2008), citing PIPEDA Case Summary #25 (2001) – A broadcaster accused of collecting personal information via Web site and PIPEDA Case Summary #319 (2005): ISP’s anti-spam measures questioned.

Return to footnote 4

Footnote 5

2000, c. 5

Return to footnote 5

Footnote 6

Information need not be recorded for it to constitute personal information. It is sufficient that the information be about an identifiable individual even if the information is not in a recorded form, such as oral conversations, biological samples and real time video surveillance. While the absence of a recording may go to the issue of collection, it does not change the fact that the information is personal information (Morgan v. Alta Flights Inc. (2006) FCA 121, affirming (2005) FC 421).

Return to footnote 6

Footnote 7

S.C. 1993, c. 38

Return to footnote 7

Footnote 8

British Columbia Telephone Co. v. Shaw Cable Systems (B.C.) Ltd., [1995] 2 S.C.R. 739 at paras 30 and 33 – http://csc.lexum.umontreal.ca/en/1995/1995rcs2-739/1995rcs2-739.html; Englander v. Telus Communications Inc., 2004 FCA 387 (2004) at para 72.

Return to footnote 8

Footnote 9

Speech, Notes for an address by Konrad von Finckenstein, Q.C., Chairman, Canadian Radio-television and Telecommunications Commission to the Standing Committee on Industry, Science and Technology, Ottawa, Ontario, June 18, 2009 regarding Bill C-27, the Electronic Commerce Protection Act (ECPA). See also generally Bill C-27, ECPA.

Return to footnote 9

Footnote 10

Telecom Decision CRTC 2003-33, May 30, 2003

Return to footnote 10

Footnote 11

Telecommunications Policy Review Panel, Ch. 6 Social Regulation http://www.telecomreview.ca/eic/site/tprp-gecrt.nsf/eng/rx00060.html

Return to footnote 11

Footnote 12

Englander v. Telus Communications Inc., 2004 FCA 387 at 79

Return to footnote 12

Footnote 13

Return to footnote 13

Footnote 14

Section 3 of PIPEDA states as its purpose: “to establish, in an era in which technology increasingly facilitates the collection, use and disclosure of information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

Return to footnote 14

Footnote 15

Clause 4.3 of Schedule 1, and section 7 of PIPEDA listing the exceptions to the consent requirement.

Return to footnote 15

Footnote 16

Ss 3 and 5(3) of PIPEDA; see also OPC fact sheet: Complying with the Personal Information Protection and Electronic Documents Act (2005).

Return to footnote 16

Footnote 17

In the seminal constitutional law case, R. v. Oakes [1986] 1 S.C.R. 103 – http://scc.lexum.umontreal.ca/en/1986/1986rcs1-103/1986rcs1-103.html

Return to footnote 17

Footnote 18

For example, see the OPC’s Findings under PIPEDA, particularly: PIPEDA Case Summary #351 (2006) – Use of personal information collected by Global Positioning System considered.

Return to footnote 18

Footnote 19

Transcript of proceedings before the CRTC – Review of the internet traffic management practices of internet service providers at 6337 and 6818.

Return to footnote 19

Footnote 20

Ibid, note 2 at paras 17 and 18.

Return to footnote 20

Date modified:: 2009-09-15

Language selection

Search and menus

Search