Proceeding to establish a mandatory code for mobile wireless services

Submission of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunication Commission (CRTC)

December 4, 2012

Mr. John Traversy
Secretary General
Canadian Radio-television and Telecommunications Commission
Central Building
1 Promenade du Portage
Gatineau, Quebec K1A 0N2

Re: Telecom Notice of Consultation CRTC 2012-557 - Proceeding to establish a mandatory code for mobile wireless services

Dear Mr. Traversy:

1. On October 11, 2012 the CRTC released Telecom Decision 2012-556 that stated “…the Commission finds it necessary to develop a mandatory code to address the clarity and content of mobile wireless service contracts and related issues (the Wireless Code).”^{Footnote 1} Also on October 11, 2012 the CRTC issued Telecom Public Notice 2012-557 inviting participants to comment on the establishment of a mandatory code for mobile wireless service providers and announcing a public consultation for January 28, 2013.
2. The Office of the Privacy Commissioner of Canada (OPC) makes this submission as an interested party to the proceedings, pursuant to its legislative mandate^{Footnote 2} to protect the privacy rights of individuals and promote the privacy protections available to Canadians.^{Footnote 3} In our comments, which we are limiting to those issues that relate to our mandate, we put forward that the Wireless Code should include a provision that supports compliance with federal private-sector privacy legislation and well developed privacy policies.

3. Our submission consists of the following sections:

   I - The Complementary Roles and Authorities of the OPC and CRTC
   II - Privacy Policies are Required for Compliance with PIPEDA
   III - Responses to Selected Issues Raised in the Call for Comments
   

   a) Content and Application of the Wireless Code
   b) Clarity of Contract Terms and Conditions
   c) Changes to Contract Terms and Conditions
   d) Additional Considerations

I - The Complementary Roles and Authorities of the OPC and CRTC

4. The OPC’s mandate is to oversee compliance with the Privacy Act, which applies to the personal information management practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector legislation. PIPEDA applies to organizations that collect, use, or disclose individuals’ personal information in the course of commercial activity. It does not apply to those organizations in provinces that are deemed to have substantially similar private sector privacy legislation which, as of the date of this submission, are British Columbia, Alberta and Quebec. Ontario, New Brunswick, and Newfoundland also have substantially similar legislation, but limited to the personal health information management practices of health custodians in their respective jurisdictions.
5. PIPEDA, however, continues to apply to federal works, undertakings, or businesses (FWUBs) across Canada, which includes telecommunication companies. In relation to FWUBs, PIPEDA covers both customer and employee personal information.
6. Schedule 1 of PIPEDA^{Footnote 4} provides the framework for the collection, use, and disclosure of personal information for those organizations subject to the Act and contains 10 principles related to fair information practices. These principles, which are based on the Canadian Standards Association Model Code for the Protection of Personal Information, also provide individuals with the foundation to control how organizations subject to the Act handle their personal information.
7. The CRTC derives its authority to regulate the telecommunications industry from the Telecommunications Act. Under section 7 of the Telecommunications Act, the telecommunications policy objectives include the safeguarding and protection of individuals’ telecommunications privacy. In particular, paragraphs 7(a) and (i) of the Telecommunications Act state:^{Footnote 5}

   7(a) to facilitate the orderly development throughout Canada of a telecommunications system that serves to safeguard, enrich and strengthen the social and economic fabric of Canada and its regions;…

   7(i) to contribute to the protection of the privacy of persons.

8. As my Office has noted in previous submissions to the CRTC, while the OPC and CRTC’s roles are complementary, they are not redundant, given the difference in functions and powers.^{Footnote 6} PIPEDA is a statute of general application that applies to diverse industries, while the Telecommunications Act is sector-specific and enables the CRTC to create specific guidelines and regulations to address concerns within the industry.^{Footnote 7}
9. The CRTC also has the ability to enhance privacy by exceeding PIPEDA’s standard if, in the Commission’s opinion, it is consistent with the public interest and telecommunications policy; it can make binding orders and decisions.^{Footnote 8} The complementary roles support the objectives of the CRTC’s telecommunication policy for the orderly development and protection of the privacy of persons in the Canadian telecommunications system.
10. While the Commission, under the Policy Direction^{Footnote 9}, is to “…rely on market forces to the maximum extent feasible as the means of achieving the telecommunications policy objectives…”^{Footnote 10} we recognize that the Commission is of the view that “…market forces alone cannot be relied upon to ensure that consumers have the information they need to participate effectively in the competitive mobile wireless market.”^{Footnote 11}

II - Privacy Policies are Required for Compliance with PIPEDA

11. Under PIPEDA, each organization engaged in commercial activity must have a privacy policy in place. Privacy policies are essential in helping individuals make informed decisions regarding their personal information, which factors into whether or not an organization has obtained knowledge and consent.
12. My Office has issued a number of findings with respect to the telecommunications sector and privacy policies.^{Footnote 12} For example, an organization’s privacy policy may not be compliant with PIPEDA if: individuals are not provided with ready access to the privacy policies; information about the organization’s personal information management practices is buried in privacy policies; there is failure to use clear and plain language that is understandable to ordinary customers; or customers do not have detailed information for the uses and sharing of their personal information.^{Footnote 13}
13. The OPC regularly commissions surveys on individuals’ attitudes towards privacy. Our most recent survey found that roughly 9 out of 10 individuals indicated some level of concern with businesses requesting too much personal information, not keeping information secure, selling it to other organizations, or having their personal information used in spam or unsolicited marketing.^{Footnote 14} Unclear and ambiguous privacy policies will do little to mitigate these concerns. Invisible and inaccurate dissemination of information handling practices may compromise an individual’s trust and expectations.
14. The OPC also regularly commissions surveys on the privacy practices of businesses. Our most recent survey found that only 62% of businesses indicated they had a privacy policy.^{Footnote 15} Importantly, an organization that does not put in place a clear and accurate privacy policy, or that does not develop one at all, is at high risk of finding itself off- side of PIPEDA.

III - Responses to Selected Issues Raised in the Call for Comments

a) Content and Application of the Wireless Code

15. Given that telecommunication organizations are subject to PIPEDA, it is strongly recommended that the Wireless Code explicitly reference PIPEDA obligations and the associated personal information principles found in Schedule 1. In addition, emphasis should be placed on demonstrating accountability, and maintaining comprehensive, up-to-date, readily-accessible, clear and easy-to-understand policies, regarding information management practices.
16. PIPEDA applies to all telecommunications companies given their status as a FWUB; as such, federal privacy obligations for telecommunication companies covered by the Wireless Code should apply to all such organizations across Canada.
17. The OPC would also support the Commission, given its sector-specific legislative authority and specialized expertise, if it saw fit to introduce more detailed privacy-enhancing provisions, in accordance with the general principles of PIPEDA, and as a means of better supporting 7(a) and 7(i) of the Telecommunications Act.

b) Clarity of Contract Terms and Conditions

18. Part of privacy compliance involves demonstrating accountability, which includes relaying necessary information to explain the organization's privacy policies and procedures. My Office, along with the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia, has issued a guidance document on accountability, which specifies that a building block of privacy management is having, and successfully communicating, the organization’s privacy policy. Specifically, the guidance states that the communication should:
    • be clear and understandable;
    • provide enough information so that the public knows the purpose of the collection, use and disclosure of personal information as well as how it is safeguarded and how long it is retained;
    • notify individuals if their personal information is being transferred outside of Canada;
    • include information on who to contact with questions or concerns; and
    • be made easily available to individuals.
19. My Office has noted that consumers may not always be aware of what is happening with their personal information because it is often buried in a policy that is difficult to understand.^{Footnote 16} This is supported by our polling of Canadians in 2011 where more than half of the people surveyed indicated that privacy policies tend to “…be either somewhat vague (35%) or very vague (18%)…”^{Footnote 17}
20. Without the use of clear and unambiguous language to explain the service provider’s information-handling practices, there may be a question as to whether knowledge and consent have effectively been obtained.
21. My Office’s 2010 Consultation Report on Online Tracking, Profiling and Targeting, and Cloud Computing^{Footnote 18} and Guidance document on Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps^{Footnote 19} both state that the small size of mobile screens pose a particular challenge for providing clear and understandable information to individuals. Furthermore, PIPEDA requires an organization to be open about its management of personal information and individuals must be able to acquire the information without unreasonable effort. The small screen size on mobile devices may lead to challenges in obtaining meaningful consent.
22. While our guidance on mobile applications is aimed at application developers, it provides a number of best practices in addressing the challenge of obtaining meaningful consent in the mobile environment. Innovative solutions factoring in small screen size of mobile devices and mobile navigation are necessary to address these particular challenges. Given the unique challenges of the mobile environment, these realities should be factored in to the Wireless Code.

c) Changes to Contract Terms and Conditions

23. The information contained in a privacy policy is a consumer’s window on how an organization handles personal information it has. If there is a change to how personal information is being handled, then the question of renewing consent needs to be explored. Principle 4.2.4 of Schedule 1 of PIPEDA states:

    “When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.” ^{Footnote 20}

24. Therefore, a change in how an organization handles personal information needs to be evaluated to ensure that it is consistent with the purposes identified in the privacy policy for which consent was initially provided.
25. As wireless carriers change their information-handling practices or update their policies and procedures, and recognizing that PIPEDA requires the knowledge and consent of an individual, customers should be informed of these changes in order to confirm their ongoing consent to help foster a culture of compliance and consumer trust and confidence.

d) Additional Considerations

26. Mobile devices are used by individuals to conduct a variety of personal activities such as banking, shopping, maintaining personal diaries or exercise/diet logs, and conducting searches and conversations on highly sensitive matters such as health. As such, mobile devices are a gateway for potentially large and diverse amounts of personal information. In addition, the Global Positions System (GPS) found in these devices serve as a means to track a device, and thus can reveal location information about an individual, their habits and movements, with the potential to create a rich portrait of the individual.^{Footnote 21}
27. Given the sensitivity and amount of personal information that is collected, organizations should be encouraged to limit the collection, use and disclosure of personal information, establish defined retention periods for this information and clearly inform users on how they collect and disclose the information, including location information.
28. This is all the more important considering the ease with which mobile devices can be lost or stolen, which significantly increases the risk of identity theft.
29. In overview, the effectiveness of the Wireless Code should be measured against the CRTC’s objectives of ensuring a secure telecom industry and contributing to privacy protection. Its success as a mandatory policy instrument will depend, in part, on the degree to which it incites organizations to inform customers of their personal-information management practices and to respect the terms and conditions agreed upon.

Conclusion

30. We respectfully submit that addressing privacy is an essential component of the Wireless Code. Privacy protection should be woven throughout the Code to address the informational risks inherent to mobile devices and ensure that organizations effectively meet their legal obligations.
31. Privacy compliance requires that organizations provide individuals with all of the information they need to make informed decisions with respect to their personal information. Without a strong privacy-sensitive framework, there is a risk that invisible, or unclear, practices could undermine consumer trust or confidence, and result in an organization failing to meet its legislative compliance requirements.

Sincerely,

(Original signed by)

Jennifer Stoddart
Privacy Commissioner of Canada