On April 29, 2014 the Interim Privacy Commissioner of Canada, Chantal Bernier, revealed that Canadian telecommunications companies have disclosed enormous volumes of information to state agencies. These agencies can include the Royal Canadian Mounted Police, Canadian Security Intelligence Service, Canadian Border Services Agency, as well as provincial and municipal authorities. Commissioner Bernier’s disclosure followed on news that federal agencies such as the Canadian Border Services Agency requested access to Canadians’ subscriber data over 19 thousand times in a year, as well as the refusal of Canadian telecommunications companies to publicly disclose how, why, and how often they disclose information to state agencies.
This post argues that Canadians are not powerless. They can use existing laws to try and learn whether their communications companies are disclosing their personal information to state agencies. I begin by explaining why Canadians have a legal right to compel companies to disclose the information that they generate and collect about Canadians. I then provide a template letter that Canadians can fill in and issue to the telecommunications companies providing them with service, as well as some of the contact information for major Canadian telecommunications companies. Finally, I’ll provide a few tips on what to do if companies refuse to respond to your requests and conclude by explaining why it’s so important that Canadians send these demands to companies providing them with phone, wireless, and internet service.
Why You Can Request Your Personal Information
Per Canadian privacy law, all Canadians can request that companies explain and disclose the kinds of personal information that they retain about the requesting Canadian citizen. Principle 4.9 of Schedule 1 and section 8 of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), legitimizes such requests and compels organizations to respond to requests when those companies have significant connections with Canada. Obviously Canadian telecommunications companies that have their headquarters in Canada and that primarily service Canadians meet this requirement.
Using PIPEDA it is possible for Canadians to learn what information their telecommunications companies hold about them, for how long, for what purposes, and when they disclose that information. In effect, it can empower Canadians to understand how companies manage the personal information entrusted to them and then make informed decisions about whether they want to maintain that commercial relationship. Significantly, based on the disclosures from the Privacy Commissioner of Canada, it was only after a telecommunications subscriber complained about how their information might be shared that they learned their information had been disclosed to government state agencies.
A Template to Request Access
The following template can be used to compel information your telecommunications provider to disclose the personal information it collects, retains, manages, and discloses about you. The text is written without an assumption of you sending it by email or letter mail, nor is is written for specific services (i.e. for just wireless or just internet services information). As a result, you should be able to send the letter to whatever companies that are providing you with telecommunications service.
Feel free to modify the text as you deem necessary. Sections that are bolded require you to insert information, such as the company, the mailing address, your personal information, or your account information.
Subscriber mailing address:
Mailing information for company]:
To: [Company] Privacy Officer,
Re: [Name of Account Subscriber]
Dear Privacy Officer:
I am a subscriber to your telecommunications service, and am interested in understanding the kinds of personal information that you maintain and retain about me. So this is a request to access my personal data under Principle 4.9 of Schedule 1 and section 8 of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).
I am requesting a copy of all records which contain my personal information from your organization. The following is a non-exclusive listing of all information that [name of company] may hold about me, including the following:
- All logs of IP addresses associated with me, my devices, and/or my account (e.g. IP addresses assigned to my devices/router, IP addresses or domain names of sites I visit and the times, dates, and port numbers)
- Listing of ‘subscriber information’ that you store about me, my devices, and/or my account
- Any geolocational information that you may have collected about me, my devices, and/or associated with my account (e.g. GPS information, cell tower information)
- Text messages or multi-media messages (sent and received, including date, time, and recipient information)
- Call logs (e.g. numbers dialed, times and dates of calls, call durations, routing information, and any geolocational or cellular tower information associated with the calls)
- Information collected about me, or persons/devices associated with my account, using one of your company’s mobile device applications
- Any additional kinds of information that you have collected, retained, or derived from the telecommunications services or devices that I, or someone associated with my account, have transmitted or received using your company’s services
- Any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies
If your organization has other information in addition to these items, I formally request access to that as well. Please ensure that you include all information that is directly associated with my name, phone number, e-mail, or account number, as well as any other account identifiers that your company may associate with my personal information.
You are obligated to provide copies at a free or minimal cost within thirty (30) days in receipt of this message. If you choose to deny this request, you must provide a valid reason for doing so under Canada’s PIPEDA. Ignoring a written request is the same as refusing access. See the guide from the Office of the Privacy Commissioner at: http://www.priv.gc.ca/information/guide_e.asp#014. The Commissioner is an independent oversight body that handles privacy complaints from the public.
Please let me know if your organization requires additional information from me before proceeding with my request.
Here is information that may help you identify my records:
Full Name: [Name]
Account Number: [Number]
Email Associated With Account: [Email address]
Phone Number Associated with Account: [Phone number]
The following includes contact information for many of Canada’s telecommunications companies. It parallels the list of companies that Citizen Lab previously asked to voluntarily disclose how, how often, and why they share information with government agencies.
The Office of the Bell Privacy Ombudsman
160 Elgin St.
Ottawa ON K2P 2C4
Attn: Privacy Manager
1st Floor, Fort William Building
P.O. Box 2110
St. John’s, NL A1C 5H6
Attn: Privacy Officer
P.O. Box 8660, Station A
6080 Young Street, 8th Floor
Halifax, NS, B3K 5M3
COGECO CABLE INC.
Attn: Caroline Dignard, Chief Privacy Officer
5 Place Ville-Marie, Suite 1700
Montréal, Québec, H3B 0B3
Distributel Communications Limited. c/o Privacy Officer
177 Nepean St. Suite 300,
Ottawa, ON, K2P 0B4
Chief Privacy Officer
800 De La Gauchetière Street West
Montréal, Quebec, H5A 1K3
Allstream Privacy Officer
200 Wellington Street West, Suite 1200
Toronto, Ontario M5V 3G2
Primus Telecommunications Canada Inc.
Primus Legal Department c/o Privacy Officer
5343 Dundas Street West
Toronto, ON, M9B 6K5
Chief Privacy Officer
Rogers Group of Companies
333 Bloor Street East
Toronto, Ontario, M4W 1G9
Chief Privacy Officer
13th Floor, 2121 Saskatchewan Drive
Regina , SK. S4P 3Y2
Shaw Privacy Officer
630–3rd Ave. S.W.
Calgary, AB, T3P 4L4
TekSavvy Solutions Inc.
800 Richmond Street
Chatham, Ontario N7M 5J5
TELUS Communications Company Privacy Request Centre
PO Box 2590, Station M
Canada T2P 5J6
Attn: Alain Charlebois, Vice-President, Human Resources
612 St-Jacques Street West, 4th floor, North Tower
Montreal (Quebec) H3C 4M8
Globalive Wireless Management Corp.
Chief Privacy Officer
207 Queen’s Quay West
Suite 710, PO Box 114
Toronto, ON M5J 1A7
Xplornet Communications Inc.
Attn: Chief Privacy Officer
300 Lockhart Mill Road
P.O. Box 9060
Woodstock, NB, E7M 6B5
Dealing with Non-Responses
Most Canadian companies, and their associated privacy officers, should be familiar with receiving, processing, and responding to these requests for personal information. However, you may find that companies ignore you, or actively resist disclosing information, or attempt to mislead you. Here are a few tips to try to get your personal information if you think the company that you’re working with is failing to comply with your request.
Many of Canada’s ISPs have significant bureaucracies and not all of them are equally resourced or staffed. As a result, sometimes things just get lost. The first thing you can do if you don’t receive a response (including an acknowledgement of receiving your request) is to send a polite note or reminder. This will, ideally, (re)initiate’s the company’s policies and bureaucratic structures to respond to your request. If thirty days go by and you don’t hear anything, then send a polite note asking why they have failed to provide you with your personal information. If you still haven’t heard from them after this reminder, then you can complain to the federal privacy commissioner.
Complaint to the Privacy Commissioner of Canada
The federal Office of the Privacy Commissioner of Canada (OPC) is a designated ombudsperson; the office effectively acts as the federal point-institution for all things privacy. If a company either refuses to disclose your information, or is providing information in a manner that you think is misleading or false (e.g. they say they’ve given you everything, but you have very good reason to believe that the company has/is collecting further information about you) then you have the option of filing a written request to the Office. In your written complaint you’ll want to explain everything that you’ve done to date: when you sent your first request, responses from the company (if there have been any), and why you have a problem with their (lack of) response. Importantly, you don’t need to be a lawyer of privacy specialist to file a complaint!
Note that the OPC does not accept complains by email so you’ll need to file by letter mail to the below address or submit via their website:
Office of the Privacy Commissioner of Canada
Place de Ville, Tower B
112 Kent Street, 3rd Floor
Ottawa, Ontario K1A 1H3
Telephone: 613–947–1698 or 1–800–282–1376
Web complaint address: https://complaint-plainte.priv.gc.ca/en/
The OPC can act as a mediator between you and the telecommunications company in question, helping all parties involved to resolve the company’s failure to disclose your information. Alternately, they can investigate the company’s practices to see if they are actively flouting federal law. Ideally, however, getting the OPC involved will mean that the company will (eventually) disclose your personal information.
Why Your Requests Matter
Beyond simply exercising your legal rights, these requests matter on both the personal and the national level. Personally, by filing these requests you will be empowered to think about whether you’re OK with the amount(s) of information that your telecommunications companies collect or record about you, the duration of time they record that information, and their willingness to explain who they share information with. In effect, you won’t be at the mercy of pundits and talking heads to explain whether the collection of data matters to your life, in the abstract, because you’ll have the data in hand to make your own decisions and reach your own conclusions.
Beyond self-empowerment, it’s important for Canadians generally to file these requests to telecommunications companies because the companies have so steadfastly refused to communicate with the experts, with government bodies, and with interested members of the press. Almost all of the ‘polite’ ways of figuring out what these companies are up to have been exhausted: it’s time, unfortunately, to compel these companies to explain why they collect data, how much of it they collect, and explain why they disclose the information. To be clear, telecommunications companies in the United States and Europe have already begun releasing ‘transparency reports’, or documents explaining how and why the companies share information with state agencies. Those reports are the result of American and European publics supporting their civil advocates and privacy officers, lending their incredibly powerful voices to the policy and legal efforts that had been ongoing for years. Canadians are amongst the most digitally connected populations on earth: now it’s time for us all to figure out who’s been monitoring, and disclosing, who we’ve been connecting to and whether existing practices need to be reined in.
[box]Note: This post first appeared on the Citizen Lab website[/box]