The Privacy Commissioner of Canada has released the long-awaited decision on Bell’s targeted ads program. The Commissioner’s press release soft-pedals the outcome – “Bell advertising program raises privacy concerns” – but the decision is clear: Bell’s so-called relevant ads program violates Canadian privacy law. As I wrote earlier this year, the key issue in the case centered on whether Bell should be permitted to use an opt-out consent mechanism in which its millions of customers are all included in targeted advertising unless they take pro-active steps to opt-out, or if an opt-in consent model is more appropriate. Given the detailed information collected and used by Bell, I argued that opt-in consent was the right approach.
The Privacy Commissioner of Canada agrees:
In our view, for the reasons expressed above, the RAP clearly involves the use of sensitive personal information. As such, the sensitivity of the information at issue leads us to the conclusion that Bell must obtain express consent for the RAP in the circumstances. This conclusion is further supported by our assessment of the reasonable expectations of Bell Customers, which is set out below.
The decision includes detailed analysis of why the opt-in standard is appropriate and why Bell’s insistence that the personal information is not sensitive is wrong. The decision concludes:
we remain of the view that Bell cannot rely on the opt-out consent of its customers in order to implement the RAP. Both the sensitivity of the information at issue and the reasonable expectations analysis lead us to the conclusion that such consent is not appropriate in the circumstances. In our preliminary report, we recommended that Bell provide its customers with the opportunity to make an express opt-in choice regarding whether or not they consent to Bell’s use of their personal information for the RAP. Bell refused to comply with our recommendation. [emphasis added]
Bell’s decision to violate Canadian privacy law leaves the Privacy Commissioner of Canada with little alternative: it must pursue the case in the Federal Court of Canada. Yet that approach will takes years as the case will have to be mounted from scratch. In the meantime, Bell will presumably continue to violate the law.
[Update: Bell now says it will abide by the Privacy Commissioner of Canada’s ruling including the opt-in approach issue.]
The case is a perfect illustration of why Bill S-4, the Digital Privacy Act, should be amended to include order making power (I argued for order making power during my appearance before the Industry committee last month). The government cannot credibly claim that its bill offers Canadians strong privacy protections when the country’s largest telecommunications company can simply refuse to comply with the law and the Privacy Commissioner of Canada’s only recourse is lengthy, expensive litigation. Provincial privacy commissioners have order making power as do virtually all data protection and privacy commissioners around the world. As currently drafted, PIPEDA leaves the Privacy Commissioner of Canada with little power to fully protect Canadians’ privacy with companies such as Bell seemingly free to reject his decisions.
Pingback: Bell’s Targeted Ad Tracking Program Violates Canadian Law: Privacy Commissioner | iPhone in Canada Blog - Canada's #1 iPhone Resource
Please mention that the question of whether the entire program is permissible under Canadian telecommunications law is at issue in our CRTC application (with CAC). If that succeeds, an trip to the Federal Court may not be necessary.
184. (1) Every one who, by means of any electro-magnetic, acoustic, mechanical or other device, wilfully intercepts a private communication is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years.
There is an allowance for telecoms to intercept private communications “as it relates to performance factors … of the system,” but I think it would be a pretty hard sell for Bell to argue that selling advertising to third parties is at all relevant to that.
Someone really ought to go to jail for this.
One problem you forget, most traffic on the internet is not encrypted, and could be intercepted on unencrypted wireless links, which would be most hotspots, when you are on wifi this information actually is received by all devices listening to the same frequency.
A good section of the Logs would also be clear text and directed to them, from such services as DNS servers. URL’s could be coming from Firewall Logs, and many other services. So it becomes hard to say they violated privacy, when lots of this information will be captured and stored by many different services and providers not just Bell.
Now if they were actively engaging in Man in the Middle Attacks of encrypted data, would fulfill the above definition, which bell doesn’t seem to be doing, but with some of the extra changes by web providers can actually prevent some of these.
The issue from the article, which was the issue was the fact that they were using, information they already have about you. You would be surprised the amount of Meta-data that you provide to Bell, and many other companies such as advertisers, analytic companies, search engines, and the list goes on.
In fairness to Bell, it’s not the only service that defaults to tracking, and I recall it provided a pretty clear and simple opt-out when I activated my phone. By comparison, I had to learn to find Google’s “Privacy Dashboard” through media reports, and have never had it point to an opt-out.
Bell does not have access to its Microsoft-hosted email service (and Microsoft has been the best of the big services about privacy), but Google of course famously tracks and sells the content of Gmail messages and anything else one on its services, subject to user-initiated Privacy Dashboard settings.
Yes but the difference being you surrender your privacy to google in exchange for wonderful FREE services. In Bells case you’re already paying Bell for the service and they take your meta data (much more personal than Google) and turn around and make more money off that data with no compensation to you. And they put the onus on you to opt out.
Pingback: Social media in government: 6 to 12 April 2015 | The Brussels chronicle
Given that order making authority would require a massive overhaul of the OPC structure an a significant investment in the office, are “name and shame” and ensuing Federal Court applications not reasonable enough for now? Or will organizations who now appear to be serial offenders (e.g. Bell) simply view losses at the Federal Court as a cost of doing business?
Any Quebec residents interested in participating in a national class action lawsuit can call Brendan at 416-964-7950. If interested, please try to do so quickly.