Canadians have become increasingly troubled by reports revealing that telecom and Internet companies receive millions of requests for subscriber data from a wide range of government departments. In light of public concern, some Internet and telecom companies have begun to issue regular transparency reports that feature aggregate data on the number of requests they receive and the disclosures they make.
The transparency reports from companies such as Rogers, Telus, and TekSavvy have helped shed light on government demands for information and on corporate disclosure practices. However, they also paint an incomplete picture since companies have offered up inconsistent data and some of the largest, including Bell, have thus far refused to come clean on past requests and disclosures.
My weekly technology law column notes that the Privacy Commissioner of Canada released a report last week that showed that all transparency reports are not created equal. For example, TekSavvy has provided information on the content of the disclosures, the number of accounts affected, and instances where users were notified. By contrast, companies such as Rogers, Telus, Allstream, and Wind Mobile have not disclosed this information, offering more limited data.
In an effort to create greater uniformity in transparency reporting, Industry Canada has just released new transparency reporting guidelines. The government states that it has released the guidelines “to help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies, and regulatory authorities.”
While the Privacy Commissioner of Canada lauded their release, the guidelines raise several significant concerns.
First, for rules purporting to enhance transparency, their development was surprisingly secretive. The Privacy Commissioner states that they were developed in consultation with the government and “industry stakeholders”, yet the public and privacy groups appear to have been excluded from the process. Given the importance of guidelines that are fundamentally about the rights of the public to know when their personal information is being disclosed, a secretive, exclusionary process badly taints the final result.
Second, the guidelines effectively create new limitations on the transparency where previously none existed. For example, TekSavvy’s transparency report provides specific aggregated number of disclosures (e.g. 52 requests for data on customer usage of devices in 2012 and 2013). The government guidelines prohibit specific disclosures where the number is less than 100, requiring companies to instead present a range of 0 – 100. The result is less transparency, not more. Moreover, the guidelines prohibit regional information (it must be Canada-wide) and their release must be delayed by at least six months from the time of the original request.
Third, the limits on transparency come without an appropriate regulatory or legal process. The government could have addressed the issue of transparency reporting within the Digital Privacy Act, which recently received royal assent. Indeed, the issue was repeatedly discussed during committee hearings. Yet by adopting a closed-door, non-transparent approach, the government has pushed new limitations on Internet and telecom companies without the opportunity for public comment or debate.
Fourth, disclosure under the guidelines is not mandated as the government has been careful to note that disclosure is merely an option. However, the law requires organizations to be open about their privacy practices, which arguably would include transparency reporting on personal information requests and disclosures. Further, individuals are entitled to demand that companies provide access to their information file, including details on how their personal information is used and whether it has been disclosed. By emphasizing the voluntary nature of the guidelines and declining to establish a clear legal requirement, the government may have actually weakened corporate transparency obligations.
Canadian companies have been slow to respond to the increased demand for greater transparency in how their personal information is collected, used, and disclosed. The new guidelines represent a good first step in standardizing the public data, but they ultimately fall short due to a secretive process, new limits on disclosure, and the absence of an unequivocal requirement to keep the public informed.