Public Interest Advocacy Centre (PIAC) Part 1 Application

Submission of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunications Commission (CRTC)

---

Friday, November 27, 2020

Mr. Claude Doucet
Secretary General
Canadian Radio-television and
Telecommunications Commission
Ottawa, ON K1A 0N2

RE: Part 1 Application 2020-0576-98665-P8-202005769 - Public Interest Advocacy Centre - Application Regarding “COVID Alert” App, “ABTraceTogether” App and Related Matters

Introduction

1. Our Office is writing to provide comments with respect to the CRTC’s review of “the Public Interest Advocacy Centre (PIAC) Part 1 Application … requesting that the Commission set out rules in advance for Telecommunications Service Providers (TSPs) regarding possible disclosure of subscriber information or other subscriber data related to either IP addresses or mobile telephone numbers.”^{Footnote 1}
2. In its application, PIAC raises concerns that the existing rules around confidential customer information are insufficient to deal with requests by government authorities to link IP addresses and mobile phone numbers to subscriber information held by TSPs. This is a particular concern in the context of digital exposure notification apps such as the Government of Canada’s COVID Alert app and Alberta’s ABTraceTogether app.
3. The OPC makes these submissions as an interested party to the proceedings, pursuant to its legislative mandate to protect the privacy rights of individuals and promote the privacy protections available to Canadians.^{Footnote 2}
4. The following submissions focus on the scope of confidential customer information and ensuring that the protections apply broadly to all types of personal information relating to a customer, including IP addresses and mobile phone numbers. Given our Office has done significant work on IP addresses and personal information in recent years, we will draw largely upon this body of work.
5. Our submissions are also informed by our review of the COVID Alert app,^{Footnote 3} the joint statement issued by Federal, Provincial and Territorial Privacy Commissioners Supporting public health, building public trust: Privacy principles for contact tracing and similar apps,^{Footnote 4} and our Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19 (“the Framework”)^{Footnote 5}. In the Framework, we recommended that when considering new measures to address public health needs government institutions should ensure that their measures are necessary and proportionate, which means essentially evidence-based, necessary for the specific purpose identified and not overbroad.
6. Our submissions address the following topics:
   1. The role of TSPs in the handling of confidential customer information;
   2. What information should qualify as confidential customer information; and,
   3. Whether additional measures should apply to TSPs’ collection, use and disclosure of subscriber information in the context of exposure notification apps.

Role of TSPs in the handling of confidential customer information

7. Canadians entrust vast amounts of their sensitive personal information to TSPs in order to gain access to mobile, internet, telephone and other telecommunications services in Canada. Not only does personal information hold vast commercial value, but it is also of considerable interest to law enforcement, intelligence and security agencies. Canadians’ right to privacy must remain top of mind in this context.^{Footnote 6}
8. In 2014, the Supreme Court of Canada decision in R v. Spencer was an important step forward in privacy protection. In its unanimous decision, the Supreme Court held that there is a reasonable expectation of privacy in basic telecommunications subscriber information. The Supreme Court agreed that this information could, when combined with other information such as IP addresses, reveal an individual’s anonymous activity online and that, absent exigent circumstances or a reasonable law, law enforcement officials need prior judicial authorization, i.e. a warrant, to obtain subscriber information from telecommunications companies.^{Footnote 7}
9. Given the heightened sensitivity consumers have expressed in connection with the personal information collected by telecommunications firms, privacy safeguards should be strong and clear and commercially held personal information should not be viewed as simply another “data asset” for exploitation.^{Footnote 8} Privacy is a fundamental human right and, arguably, the right from which many other essential freedoms flow: individual autonomy and decision-making, freedom of speech, freedom of association, and freedom of thought. Criminal Code sanctions, together with privacy law requirements, have set strict limits on government action or private sector practices with regard to accessing private information.^{Footnote 9}
10. Proponents of allowing broader access by law enforcement agencies to data held by TSPs have described subscriber data as being similar to “phone book” information. OPC research indicates, unlike simple phone book information, subscriber information when linked to other information can be used to develop very detailed portraits of individuals providing insight into one’s activities, tastes, leanings and lives.^{Footnote 10}
11. An individual’s name and address, when connected to an IP address for instance, can provide the essential link to a vast amount of highly personal information. While subscriber information on its face already reveals some information about the individual (for example, an address can reveal where a person lives, with whom and their socio-economic status), authorities do not seek such information for only its intrinsic value. Rather, they seek it because it allows them to associate an identifiable individual with significant amounts of other, often highly sensitive, personal or private information regarding the individual.^{Footnote 11}
12. A name and address in the hands of a TSP are not simply two individual pieces of data in isolation; all information can be broken down into distinct little pieces that, on their own, reveal little or no biographical core data. However, pieces of seemingly innocuous information, when viewed in their entirety along with other available information, can paint a fairly accurate and complete picture of one’s personal activities, views, opinions, and lifestyle.^{Footnote 12}

What information should qualify as confidential customer information?

13. The Personal Information Protection and Electronic Documents Act (PIPEDA) provides important protections for personal information handled by TSPs in the course of providing telecommunications services to customers. PIPEDA requires TSPs to obtain consent from individuals with respect to the collection, use and disclosure of their personal information, subject to specific exceptions. PIPEDA also provides individuals with access rights to their personal information and a complaint mechanism for alleged violations of the Act.^{Footnote 13}
14. This said, the CRTC, through its regulatory powers, may exceed PIPEDA’s standard if, in its expert opinion, the proposed requirement is consistent with the public interest and Canadian telecommunications policy, as set out under the Telecommunications Act. Indeed, past OPC submissions to the CRTC have noted “the pressing need for the CRTC to maintain regulatory measures to protect consumer privacy.”^{Footnote 14}
15. In this regard, the CRTC’s rules with respect to the disclosure of confidential customer information provide an important, additional layer of protection in safeguarding consumer privacy in the telecommunications industry.
16. Under the CRTC’s rules, TSPs are prohibited from disclosing confidential customer information without express consent, except in specified circumstances. We understand that confidential customer information is defined to mean “all information kept by [a TSP] regarding the customer, other than the customer's name, address and listed telephone number.”^{Footnote 15} Confidential customer information may therefore include personal information such as unlisted phone numbers and subscriber information related to telecommunications services.^{Footnote 16} We also understand that a TSP is defined broadly and that the CRTC’s rules regarding confidential customer information apply to all manner of TSPs, including wireless service providers.^{Footnote 17}
17. In our view, the existing definition of customer confidential information would appear to be broad enough to capture IP addresses and mobile phone numbers, which we understand are generally unlisted. Furthermore, the CRTC’s existing rules regarding customer confidential information would apply to a government authority that requests a TSP to provide a subscriber’s name and address associated with a specific IP address or mobile phone number – the scenario described in PIAC’s application. While a customer’s name and address may not be confidential on its own, linking that name and address to an IP address or mobile phone number would reveal confidential information.^{Footnote 18}
18. This said, if there is ambiguity on this point, we would be in favour of the CRTC clarifying that confidential customer information includes IP addresses and mobile phone numbers. Similarly, if there is any doubt that the existing rules apply to wireless service providers we would urge the CRTC to make this clear and/or extend the rules so that they apply to all TSPs.

Whether additional measures should apply to TSPs’ collection, use and disclosure of subscriber information in the context of exposure notification apps

19. In its application, PIAC requests that the CRTC create a specific exception that would authorize the disclosure without consent of subscriber information of users of a COVID-19 exposure notification app for public health purposes.^{Footnote 19}
20. We question the need and propriety of a specific exception to be created for access to subscriber information held by TSPs in these circumstances. Among other things, the Government of Canada has designed the COVID Alert app to function anonymously and has expressly committed to not attempting to re-identify users of the app except for security purposes or when required by law.^{Footnote 20} Indeed, this commitment is a key feature of the COVID Alert app and a principal safeguard intended to encourage Canadians to adopt the app in high numbers, thereby rendering it more likely to be effective. Alberta’s ABTraceTogether app is designed so that public health authorities can contact users directly via user-provided mobile phone number information without the need to seek a subscriber’s identity from a TSP.^{Footnote 21}
21. In the absence of any identified public health need for obtaining subscriber information of exposure notification app users from a TSP without consent, we do not see a legitimate reason for creating a new exception to the important protections afforded by the CRTC’s existing rules regarding customer confidential information. Moreover, creating such an exception would run directly counter to the expectations of users and the commitments that have been made to them by government authorities. In our view, if there is a public health need to access the identity of users for contact tracing or otherwise, then this should be considered in the design of the app, taking into account the Privacy principles for contact tracing and similar apps.^{Footnote 22}

Conclusion

22. As we know from our research into metadata and into what an IP address can reveal about an individual (referenced in sections above), access to basic subscriber information can unlock details of a person’s interests based on, among other things, websites visited, their organizational affiliations, where they have been and the online services for which they have registered. This goes well beyond a simple residential address.^{Footnote 23}
23. Given these important privacy interests, the CRTC’s rules around confidential customer information provide an important safeguard for Canadians. We are of the view that the CRTC’s existing definition of customer confidential information is broad enough to capture IP addresses and mobile phone numbers and that its rules apply to nearly all TSPs. If there is any doubt, however, we are in favour of the CRTC clarifying the scope of its rules so that they apply broadly to all types of information related to a customer and that they cover all TSPs. We are, in contrast, not in favour of creating a new exception for access to subscriber information without consent for exposure notification app users in the absence of a clear public health need to do so.^{Footnote 24}
24. Thank you in advance for your consideration of these submissions.

Sincerely,