On April 29, 2014, University of Ottawa law professor Michael Geist revealed that in 2011, nine of Canada’s major telecom providers and social media sites received 1.2 million data requests from government agencies. The companies complied in 784,756 cases. The total number of requests and disclosures from all telecom companies is likely higher. Read PEN Canada’s statement here.
Postdoctoral Fellow Christopher Parsons put together a guide for customers to request their personal information directly from telecom providers. In this blog, originally published by the Citizen Lab, Parsons argues that “Canadians are not powerless,” and outlines how individuals can take action.
Responding to the Crisis in Canadian Telecommunications
Why You Can Request Your Personal Information
Per Canadian privacy law, all Canadians can request that companies explain and disclose the kinds of personal information that they retain about the requesting Canadian citizen. Principle 4.9 of Schedule 1 and section 8 of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), legitimizes such requests and compels organizations to respond to requests when those companies have significant connections with Canada. Obviously, Canadian telecommunications companies that have their headquarters in Canada and that primarily service Canadians meet this requirement.
Using PIPEDA it is possible for Canadians to learn what information their telecommunications companies hold about them, for how long, for what purposes, and when they disclose that information. In effect, it can empower Canadians to understand how companies manage the personal information entrusted to them and then make informed decisions about whether they want to maintain that commercial relationship. Significantly, based on the disclosures from the Privacy Commissioner of Canada, it was only after a telecommunications subscriber complained about how their information might be shared that they learned their information had been disclosed to government state agencies.
A Template to Request Access
The following template can be used to compel information your telecommunications provider to disclose the personal information it collects, retains, manages, and discloses about you. The text is written without an assumption of you sending it by email or letter mail, nor is is written for specific services (i.e. for just wireless or just internet services information). As a result, you should be able to send the letter to whatever companies that are providing you with telecommunications service.
Feel free to modify the text as you deem necessary. Sections that are bolded require you to insert information, such as the company, the mailing address, your personal information, or your account information.
[Subscriber mailing address]
[Mailing information for company]
To: [Company] Privacy Officer,
Re: [Name of Account Subscriber]
Dear Privacy Officer:
I am a subscriber to your telecommunications service, and am interested in understanding the kinds of personal information that you maintain and retain about me. This is a request to access my personal data under Principle 4.9 of Schedule 1 and section 8 of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).
I am requesting a copy of all records which contain my personal information from your organization. The following is a non-exclusive listing of all information that [name of company] may hold about me, including the following:
- All logs of IP addresses associated with me, my devices, and/or my account (e.g. IP addresses assigned to my devices/router, IP addresses or domain names of sites I visit and the times, dates, and port numbers)
- Listing of “subscriber information” that you store about me, my devices, and/or my account
- Any geolocational information that you may have collected about me, my devices, and/or associated with my account (e.g. GPS information, cell tower information)
- Text messages or multimedia messages (sent and received, including date, time, and recipient information)
- Call logs (e.g. numbers dialed, times and dates of calls, call durations, routing information, and any geolocational or cellular tower information associated with the calls)
- Information collected about me, or persons/devices associated with my account, using one of your company’s mobile device applications
- Any additional kinds of information that you have collected, retained, or derived from the telecommunications services or devices that I, or someone associated with my account, have transmitted or received using your company’s services
- Any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies
If your organization has other information in addition to these items, I formally request access to that as well. Please ensure that you include all information that is directly associated with my name, phone number, email, or account number, as well as any other account identifiers that your company may associate with my personal information.
You are obligated to provide copies at a free or minimal cost within thirty (30) days in receipt of this message. If you choose to deny this request, you must provide a valid reason for doing so under Canada’s PIPEDA. Ignoring a written request is the same as refusing access. See the guide from the Office of the Privacy Commissioner at: http://www.priv.gc.ca/information/guide_e.asp#014. The Commissioner is an independent oversight body that handles privacy complaints from the public.
Please let me know if your organization requires additional information from me before proceeding with my request.
Here is information that may help you identify my records:
Full Name: [Name]
Account Number: [Number]
Email Associated With Account: [Email address]
Phone Number Associated with Account: [Phone number]
The following includes contact information for many of Canada’s telecommunications companies. It parallels the list of companies that Citizen Lab previously asked to voluntarily disclose how, how often, and why they share information with government agencies.
The Office of the Bell Privacy Ombudsman
160 Elgin St.
Ottawa ON K2P 2C4
Attn: Privacy Manager
1st Floor, Fort William Building
P.O. Box 2110
St. John’s, NL A1C 5H6
Attn: Privacy Officer
P.O. Box 8660, Station A
6080 Young Street, 8th Floor
Halifax, NS, B3K 5M3
COGECO CABLE INC.
Attn: Caroline Dignard, Chief Privacy Officer
5 Place Ville-Marie, Suite 1700
Montréal, Québec, H3B 0B3
Distributel Communications Limited. c/o Privacy Officer
177 Nepean St. Suite 300,
Ottawa, ON, K2P 0B4
Chief Privacy Officer
800 De La Gauchetière Street West
Montréal, Quebec, H5A 1K3
Allstream Privacy Officer
200 Wellington Street West, Suite 1200
Toronto, Ontario M5V 3G2
Primus Telecommunications Canada Inc.
Primus Legal Department c/o Privacy Officer
5343 Dundas Street West
Toronto, ON, M9B 6K5
Chief Privacy Officer
Rogers Group of Companies
333 Bloor Street East
Toronto, Ontario, M4W 1G9
Chief Privacy Officer
13th Floor, 2121 Saskatchewan Drive
Regina , SK. S4P 3Y2
Shaw Privacy Officer
630–3rd Ave. S.W.
Calgary, AB, T3P 4L4
TekSavvy Solutions Inc.
800 Richmond Street
Chatham, Ontario N7M 5J5
TELUS Communications Company Privacy Request Centre
PO Box 2590, Station M
Canada T2P 5J6
Attn: Alain Charlebois, Vice-President, Human Resources
612 St-Jacques Street West, 4th floor, North Tower
Montreal (Quebec) H3C 4M8
Globalive Wireless Management Corp.
Chief Privacy Officer
207 Queen’s Quay West
Suite 710, PO Box 114
Toronto, ON M5J 1A7
Xplornet Communications Inc.
Attn: Chief Privacy Officer
300 Lockhart Mill Road
P.O. Box 9060
Woodstock, NB, E7M 6B5
Dealing with Non-Responses
Most Canadian companies, and their associated privacy officers, should be familiar with receiving, processing, and responding to these requests for personal information. However, you may find that companies ignore you, or actively resist disclosing information, or attempt to mislead you. Here are a few tips to try to get your personal information if you think the company that you’re working with is failing to comply with your request.
Many of Canada’s ISPs have significant bureaucracies and not all of them are equally resourced or staffed. As a result, sometimes things just get lost. The first thing you can do if you don’t receive a response (including an acknowledgement of receiving your request) is to send a polite note or reminder. This will, ideally, (re)initiate’s the company’s policies and bureaucratic structures to respond to your request. If 30 days go by and you don’t hear anything, then send a polite note asking why they have failed to provide you with your personal information. If you still haven’t heard from them after this reminder, then you can complain to the federal privacy commissioner.
Complaint to the Privacy Commissioner of Canada
The federal Office of the Privacy Commissioner of Canada (OPC) is a designated ombudsperson; the office effectively acts as the federal point-institution for all things privacy. If a company either refuses to disclose your information, or is providing information in a manner that you think is misleading or false (e.g. they say they’ve given you everything, but you have very good reason to believe that the company has/is collecting further information about you) then you have the option of filing a written request to the Office. In your written complaint you’ll want to explain everything that you’ve done to date: when you sent your first request, responses from the company (if there have been any), and why you have a problem with their (lack of) response. Importantly, you don’t need to be a lawyer or privacy specialist to file a complaint!
Note that the OPC does not accept complains by email so you’ll need to file by letter mail to the below address or submit via their website:
Office of the Privacy Commissioner of Canada
Place de Ville, Tower B
112 Kent Street, 3rd Floor
Ottawa, Ontario K1A 1H3
Telephone: 613–947–1698 or 1–800–282–1376
Web complaint address: https://complaint-plainte.priv.gc.ca/en/
The OPC can act as a mediator between you and the telecommunications company in question, helping all parties involved to resolve the company’s failure to disclose your information. Alternately, they can investigate the company’s practices to see if they are actively flouting federal law. Ideally, however, getting the OPC involved will mean that the company will (eventually) disclose your personal information.
Why Your Requests Matter
Beyond simply exercising your legal rights, these requests matter on both the personal and the national level. Personally, by filing these requests you will be empowered to think about whether you’re OK with the amount(s) of information that your telecommunications companies collect or record about you, the duration of time they record that information, and their willingness to explain who they share information with. In effect, you won’t be at the mercy of pundits and talking heads to explain whether the collection of data matters to your life, in the abstract, because you’ll have the data in hand to make your own decisions and reach your own conclusions.
Beyond self-empowerment, it’s important for Canadians generally to file these requests to telecommunications companies because the companies have so steadfastly refused to communicate with the experts, with government bodies, and with interested members of the press. Almost all of the “polite” ways of figuring out what these companies are up to have been exhausted: it’s time, unfortunately, to compel these companies to explain why they collect data, how much of it they collect, and explain why they disclose the information. To be clear, telecommunications companies in the United States and Europe have already begun releasing “transparency reports”, or documents explaining how and why the companies share information with state agencies. Those reports are the result of American and European publics supporting their civil advocates and privacy officers, lending their incredibly powerful voices to the policy and legal efforts that had been ongoing for years. Canadians are amongst the most digitally connected populations on earth: now it’s time for us all to figure out who’s been monitoring, and disclosing, who we’ve been connecting to and whether existing practices need to be reined in.
Christopher Parsons is a Postdoctoral Fellow at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto and a Principal at Block G Privacy and Security Consulting. His research interests focus on how privacy (particularly informational privacy, expressive privacy and accessibility privacy) is affected by digitally mediated surveillance and the normative implications that such surveillance has in (and on) contemporary Western political systems. He is currently attending to a particular set of technologies that facilitate digitally mediated surveillance, including Deep Packet Inspection (DPI), behavioral advertising, and mobile device security. He is interested in how these technologies influence citizens in their decisions to openly express themselves or to engage in self-censoring behavior on a regular basis.
Photo credit: Headshot from christopher-parsons.com. Slider photo by credit Lord Bullgod via Flickr.