Welcome to PrivacyInfo.ca, a site maintained by Professor Michael Geist of the University of Ottawa, Faculty of Law. The site features summaries of all of the Canadian Privacy Commissioner's decisions under the Personal Information Protection and Electronic Documents Act (PIPEDA) . While those decisions are available in full-text on the Commissioner's site, this site provides additional search functionality, including full-text searches as well as searching by individual provisions, sector, and outcome.
The site also contains links to Canadian privacy legislation, privacy law news, and other resources. For regular updates of new decisions and additions to the site, click here.
This site is not affiliated in any way with the Canadian Privacy Commissioner's office. It is provided for informational purposes only and should not be treated or relied upon as legal advice.
Assistant Privacy Commissioner has ruled that the privacy risks posed by the USA Patriot Act are similar to those found in Canada and therefore not grounds to rule that the privacy protection afforded by a U.S. email provider is not comparable to Canadian-based providers. The finding arises from a complaint launched by CIPPIC against Canada.com over the use of a U.S.-based provider. In assessing the USA Patriot Act issue, the Assistant Privacy Commissioner found that:
The risk of a U.S.-based service provider being ordered to disclose personal information to U.S. authorities is not a risk unique to U.S. organizations. In the national security and anti-terrorism context, Canadian organizations are subject to (and may be just as likely to receive) similar types of orders to disclose personal information of Canadians to Canadian authorities. There are also several former bilateral agreements in place between analogous Canadian and U.S. organizations that provide for the cooperation and exchange of relevant information. In light of such arrangements, there are many alternatives to a Section 215 Order to obtain information about Canadians.
I focused on these issues several years ago in a submission to the B.C. Information and Privacy Commissioner co-authored with Milana Homsi.
The Vancouver Sun features a letter to the editor today from Canadian Bankers Association President Nancy Hughes Anthony on the do-not-call list and iOptOut.ca. The CBA professes support for the DNC, noting that "it's easy for Canadians to opt out of telemarketing calls. Simply sign up for the national Do Not Call list." Hughes Anthony neglects to mention that CBA members are exempt under the DNC where there is a prior or current business relationship. Under the rules, that means your current bank gets to call for a wide array of additional services even if your number is on the DNC list. Moreover, if you simply inquired with another bank about a mortgage rate or credit card offering, they can continue to call you for another six months. The CBA has a history of defending its right to make these telemarketing calls. In 2004, it made submissions to the CRTC asking that its members be excluded from new telemarketing rules, arguing that its practices "do not constitute 'undue inconvenience or nuisance'."
With respect to iOptOut.ca, the CBA raises three objections, of all of which were dismissed by CRTC Chair Konrad von Finckenstein.
First, they express concern about the privacy risk associated with an email opt-out. Of course, it is up to Canadians to decide how to transmit their personal information and not for the CBA to decline to observe the law because it objects to the transmission approach. Second, they are concerned that the bank will not actually get the email transmissions (in other words, banks make it hard to opt-out via email and then claim that it is too hard to opt-out via email). This too is easy to address - identify a specific opt-out email address so that it goes to the right place with no spam blockers. Third, they argue that they have privacy obligations to ensure the accuracy of a customer's personal information. There is no reason to believe that this obligation cannot be met through services such as iOptOut.ca by confirming names and numbers within their internal lists. In sum, the CBA and its members should respect Canadians' choices and the CRTC decision on iOptOut. With penalties of up to $15,000 per violation, failiure to do so could get costly.
My weekly technology law column (Toronto Star version, Ottawa Citizen version, homepage version) builds on the CRTC's announcement last week that the national do-not-call registry (DNC) will be operational by September 30th. I report that the CRTC also recently affirmed the ability for Canadians to use third-party websites - particularly iOptOut.ca - to opt-out telemarketing calls from organizations that are currently exempt under the law.
Last March, I established iOptOut.ca, a website that enables Canadians to opt-out of many exempted organizations with a few easy clicks at no cost. Visitors to the site are asked to enter their phone number (and email address if they wish) and to indicate their calling preferences for nearly 150 organizations. The public reaction has been extremely supportive. Since its launch, the site has sent out millions of opt-out requests on behalf of tens of thousands of Canadians. The reaction from several leading associations has been less enthusiastic. Within weeks of its debut, both the Canadian Marketing Association and the Canadian Bankers Association sent letters to CRTC Chair Konrad von Finckenstein complaining about the service and seeking support for their position that requests generated from the site were invalid. In fact, the CMA sent a notice to its members stating that "it is the view of the Association that members need not honour do-not-call requests that originate from the organization in question."
Von Finckenstein recently responded to the letters (CMA letter, CBA letter - posted with CRTC permission) with an unequivocal rejection of the complaints, providing a clear indication that failure to honour the opt-out requests could lead to significant penalties (companies face penalties of up to $15,000 per violation under the law). The response begins by noting that the DNC rules require "all telemarketers to maintain internal do-not-call lists and to abide by consumers' requests not be called" and that "there is no prohibition on consumers making such a request through a third party." The response also dismisses concerns of false registrations and affirms that "a consumer can make a do not call request to an organization even though the consumer does not have an existing business relationship with that organization."
Having established that consumers have the right to opt-out in a manner consistent with iOptOut.ca, the von Finckenstein response concludes that "to the extent that these requests are sent to organizations that engage in telemarketing, and that are therefore subject to the rules regarding do not call lists, these requests would be in compliance with the Act and the current Unsolicited Telecommunications Rules as outlined above. In short, on the basis of the facts as I understand them and have stated above, I consider that do not call requests made through iOptOut are valid and should be honoured."
The CRTC response sends a strong signal of its determination to fully enforce the DNC. The CMA and CBA may not like Canadians' newfound ability to stop telemarketing calls through the DNC and iOptout.ca, but the law - and the CRTC - says that they're going to have to live with it.
The CRTC has today confirmed that the national do-not-call registry will launch by September 30th. Given the number of exempt organizations - registered charities, political parties, polling companies, newspapers, businesses with a prior business relationship - Canadians will still need to individually opt-out of hundreds of additional organizations for the phone to stop ringing. iOptout.ca, which has processed millions of these individual opt-out requests since its launch in the spring, will come out of beta in time for the CRTC launch and will be ready to piggyback the CRTC's DNCL with the possibility of signficant penalties for those organizations who do not respect the opt-out requests. More on iOptOut's development in the coming weeks.
CIPPIC has filed several more complaints over the use of deep-packet inspection by Canadian ISPs and asked the Privacy Commissioner to investigate ISP use of DPI for behavioural targeting.
First (12/06/2007)
Previous
#10 of 27
Next 
Last (12/01/2009) 
