Canadian telecom company privacy practices were back in the spotlight this month with the release of a transparency report from Rogers Communications. The report provides new insights into how much – or how little – Canadians know about when their personal information is disclosed to government agencies.
For Rogers customers, the good news is that recent changes in the law, including court decisions that set limits on the disclosure of mass data from cellphone towers and that protect Internet subscriber information, are having a significant effect. Law enforcement agencies are still able to obtain data on hundreds of thousands of people, but warrantless access to basic subscriber information has stopped.
My weekly technology law column (Toronto Star version, homepage version) notes that the latest Rogers report is the first from the company since the release in 2015 of telecom transparency guidelines that garnered support from the federal privacy commissioner, Industry Canada, and the telecom sector. The guidelines attempt to provide a common framework for disclosure so that the public will be better able to compare privacy protections and policies among Canada’s major telecom companies.
The Rogers report (along with a similar report recently released by Telus) demonstrates a much-needed willingness to defend customer privacy in cases where the companies believe law enforcement has overreached.
Despite some emerging privacy-friendly practices, however, there is still room for improvement. According to documents obtained under the Access to Information Act, during the development of the guidelines, many companies resisted recommendations from the privacy commissioner to include specific detail on warrants for subscriber information.
For example, Rogers noted that certain details would require significant system changes and it therefore urged that those details be made optional. Similarly, SaskTel argued that “customers are interested in the broader question of disclosure rather than minute detail.” Multinational companies such as Google and Microsoft emphasized the need for Canadian guidelines to be consistent with global standards given that those companies release data for dozens of countries.
While current reports would benefit from more fulsome disclosure, astonishingly, some companies have yet to release any transparency reports. The list of transparency holdouts includes Bell, Canada’s largest telecom company.
The problem lies with the non-binding approach to transparency disclosures. After an industry-wide meeting organized by the privacy commissioner and held in April 2015, Rogers noted that “it was indicated at this meeting that any guidelines adopted would fall short of regulation, but would [be] regarded as more substantive than voluntary guidelines.” Yet if the non-regulatory approach does not work, it falls to the federal privacy commissioner to take action.
Canadian privacy law requires all organizations to be accountable for the personal information they collect, use, and disclose. Given the standardization of transparency reporting, there is a strong argument that non-disclosure represents a failure to meet the accountability requirements found in the law.
Even with the potential for enforcement action against transparency holdouts, another major shortcoming will remain: the government and law enforcement agencies themselves. The documents indicate that the privacy commissioner recognized the need for those agencies to participate in the transparency process so that Canadians could also learn about requests for their information from those doing the requesting.
However, the government agencies rejected the request. Public Safety Canada, speaking on behalf of other departments, indicated that transparency was important but that it was not prepared to join the discussion at that time. Interestingly, Rogers appeared prepared to accept a mandatory reporting requirement, but only if a similar obligation was placed on requesting bodies, such as law enforcement.
That position opens the door to fixing the current weakness in the transparency reporting system. Telecom reporting consistent with the guidelines should be made mandatory, and given its commitment to openness and transparency, the Liberal government should be ready to add disclosure of government requests for personal information to the list of transparency reforms.