In today’s communications driven world, no one collects as much information about its customers as telecom companies. As subscribers increasingly rely on the same company for Internet connectivity, wireless access, local phone service, and television packages, the breadth of personal data collection is truly staggering.
Whether it is geo-location data on where we go, information on what we read online, details on what we watch, or lists identifying with whom we communicate, telecom and cable companies have the capability of pulling together remarkably detailed profiles of millions of Canadians.
My weekly technology law column (Toronto Star version, homepage version) notes that how that information is used and who can gain access to it has emerged as one the most challenging and controversial privacy issues of our time. The companies themselves are tempted by the prospect of “monetizing” the information by using it for marketing purposes, law enforcement wants easy access during criminal investigations, and private litigants frequently demand that the companies hand over the data with minimal oversight.
As a result, courts and privacy commissioners have regularly faced questions about the rights and responsibilities associated with subscriber information. For example, the Privacy Commissioner of Canada ruled last year that Bell’s “relevant advertising program”, which provided advertisers with the ability to target ads based on subscriber personal information, ran afoul of Canadian privacy law because the company simply presumed that it could use the information without an explicit, opt-in consent.
The Canadian courts have similarly grappled with a myriad of privacy issues, including whether basic subscriber information carries with it a reasonable expectation of privacy (the Supreme Court of Canada ruled that it does) or if an Internet provider can be required to reveal the identities of Internet subscribers in a copyright infringement lawsuit (it can subject to conditions limiting how the information is used).
Earlier this month, an Ontario court escalated the privacy rights of subscribers in a high-profile case involving Rogers and Telus, who were asked by police to provide “tower dump” records that would have revealed information on thousands of cellphone users. The two telecom companies rejected the request, noting that the disclosure would affect tens of thousands of people who were merely located in the vicinity of a cellphone tower during the specified period.
Given the detailed information that would have been available (including billing and credit card information), the lack of safeguards over the information, and the over breadth of the request, the companies argued that an order to produce the information would breach the reasonable expectation of privacy of the affected cellphone users. The court proceeded to establish a series of guidelines aimed at forcing law enforcement to provide detailed justifications for disclosures in similar circumstances.
While that alone would be a notable ruling, the court went further by ruling that the companies had a positive obligation to defend the privacy interests of their subscribers.
Lawyers representing the police had questioned whether the telecom companies were entitled to raise the privacy rights of their subscribers. The court noted that individual cellphone users were unlikely to appear in court to defend their privacy interests, meaning their concerns would be unaddressed unless the companies took it upon themselves to question the production order. Moreover, since customer contracts reference privacy rights, the court reasoned that the companies were contractually obligated to assert the privacy interests of their subscribers.
The confirmation that telecom and Internet providers are obligated to defend the privacy interests of their subscribers represents a sea change in approach. For years, companies have been largely content to remain on the sidelines, arguing that they are merely intermediaries without the ability to step into the shoes of their customers. In fact, even in the Telus and Rogers tower dump case, Bell was conspicuously absent.
The courts are now sending the unmistakable message that the privacy interests of subscribers are too important to be left without representation. Companies promise privacy protection in their contracts and that includes stepping up to defend customers to ensure that personal information is properly safeguarded, that appropriate justifications for disclosure are provided, and the information is not misused in any way.