Telecommunications: "Mathew Englander - Toonie or Loonie? - Assessing the Impact of the Englander v. Telus Decision"

by Rajen Akalu

This paper considers privacy in the telecommunications sector through an analysis of the recent case of Englander v Telus Communications Inc.[2] as well an in depth discussion with Drew McArthur, CPO at Telus who was interviewed as part of our research.

Introduction

The Englander case concerns the interpretation of the PIPED Act with respect to the personal information published in telephone directories. The complainant in the case asserted that in failing to obtain the consent of its first time customers, Telus had contravened the knowledge and consent requirements of the PIPED Act. It was also alleged that the charging of a $2 fee for providing a Non-Published Number Service (NPNS) was in contravention of the spirit, if not the letter, of the PIPED Act. The Federal Court of Appeal agreed with Mr. Englander's reasoning in relation to the knowledge and consent issue, but rejected the latter argument.

The case is significant from the standpoint of privacy for the following four reasons which will be examined in turn: First, it provides a view of privacy based on a particular set of facts from a number of perspectives. As privacy is a value that must be viewed in its context, we are afforded an analysis of privacy as applied to a specific set of circumstances. Second, the case highlights the problem of self-regulatory codes enshrined in legislative enactment. Third, the Court in Englander provides some interesting commentary on the principle of openness and consent and finally, there are some valuable insights on the role of the Office of the Privacy Commissioner that can be distilled from the case.

Perspectives on Privacy

Central to the privacy debate in the consumer context are three different perspectives: the activist perspective, the corporate perspective and the centralist perspective.[3] The activist perspective argues that harmful social costs will be incurred if free-market forces and technological advancements proceed unchecked.[4] The corporate perspective by contrast takes the view that companies have a fundamental business imperative to collect, use, and disclose personal information in the course of operations. The imposition of unfettered restrictions in this regard may, in certain cases, introduce market distortions and impede an organization's ability to compete efficiently. Lastly, there is the centralist perspective. Here, proponents contend that consumers require choice. These choices can be made more meaningful if ‘reasonable' corporate access to personal information is permitted.[5]

These perspectives are seen in the Englander case. Mathew Englander, could well be characterized as an activist; championing the cause of privacy and vindicating his rights on behalf of Canadian consumers. Telus typifies the corporate perspective on this issue, viewing privacy as a variable (and there are many) in the organization's operational equation. The court in the Englander case arguably takes a centralist position in partially ruling in favour of the complainant on the consent issue but agreeing with Telus with respect to the charging of a $2 fee for NPNS.

Breach of Consent Requirement

At the core of the three perspectives on privacy lies the perennial question of who controls information given by consumers. This is of particular salience in this case since the PIPED Act will not apply to information deemed publicly available.[6]

The argument for regarding personal information contained in a telephone directory being readily available is supported by the Canadian Radio-Television and Communications Commission (CRTC).[7] The telecommunications sector is unique among federally regulated industries with respect to privacy. This is because in addition to the requirements of the PIPED Act, telecommunications companies (telcos) are also subject to regulation by the CRTC which also has as part its mandate, the protection of privacy.[8]

The CRTC has expressed the view that "the provision of directories form an essential part of, and significantly enhance the value of, the company's basic telephone service."[9] As a result telcos are required to distribute directories free of charge to customers.[10] Moreover, in reporting on directory listings the CRTC commented that "...subscribers currently expect that, unless they request an unlisted number, their telephone numbers will be published in the telephone companies' directories and will be available through directory assistance."[11]

However the increased accessibility of subscriber information and the ability to manipulate this data make de-listing one's name perhaps the only way of affording the consumer some measure of control concerning how their data is subsequently used. Taking the above factors into account the Commission found it appropriate to require telcos to provide NPNS at a rate that does not exceed $2 per month for residential subscribers.[12]

The Court makes the important observation that while publicly available information can be collected, used and disclosed without consent, this cannot apply to the organization that initially collects the information for the purpose of publishing a telephone directory, which, once published, will become publicly available.[13]

The Court goes on to note that consent for information that will be made publicly available must take place on or before the time of enrolment in the service.[14] The court's centralist position with respect to privacy is seen in the statement that:

First-time customers have the right to know before their personal information becomes "publicly available" within the meaning of section 7 of the Act, with all the consequences that might flow from such publicity, that they can exercise their right to privacy and choose not to be listed. This seems to me, a fair compromise between one's right to privacy and the industry's needs.

Though correct, it is unfortunate that the Court declined the opportunity to comment on information in the public sphere. The increased sophistication of data manipulation technology permits even publicly available information to be aggregated to provide a detailed digital portraiture of an individual.[15]

Thus the Englander decision can be regarded as a narrow holding in this regard. Whether industries beyond the telcos sector will inform their customers of the consequence of initial collection remains to be seen. Though this is unlikely, the case deals with a regulated industry sector pursuant to a fact pattern that is not likely to recur in future cases. Thus its applicability across the spectrum of businesses would appear limited. Other telcos however will no doubt be revising their policies to inform customers of their right to have their information excluded from the directory for a fee.

Charging of Fees

The complainant, as well as others, is fundamentally opposed to the imposition of a fee for the right to control how their personal information is subsequently used.[16] The view taken is that there are circumstances (such as a victim suffering spousal abuse) that warrant NPNS as a matter of necessity. Although it was not argued that there can never be a fee charged for asserting rights to privacy this could only be accomplished under the PIPED Act if the statute provided for it.[17] However it was found that the CRTC, in approving rates and services and taking into account the protection of the privacy of Canadians, signals Parliament's intent that the imposition of fees for providing privacy services were indeed contemplated.

There was also mention of the fact that fees for this service may also constitute an economic barrier to low income groups. The Court made short work of this argument in stating that while this proposition "may have validity from an access to services perspective, the use of fees is not specifically a protection of privacy issue."[18]

The PIPED Act and Self-Regulation

Of relevance in the Englander case are the comments made about the PIPED Act and self-regulation. Self-regulation takes the traditional governmental regulatory model of legislation, enforcement and adjudication and applies them to the private sector.[19] The fair information practices are rules created for a self-regulatory regime.[20] While there is wide support for the principles as sound public policy, the question that remains, even after the enactment of the PIPED Act, is whether legislation is the appropriate regulatory instrument in this context. This is of particular relevance in the advent of the review of the Act scheduled next year.[21]

The stated purpose of the PIPED Act is "...to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances..." In providing its historical account of the factors influencing the enactment of the PIPED Act, the Court examines the tension between the Council of Europe model for privacy[22] and the fair information practices, championed by the OECD.[23] The OECD principles were intended to be non-binding but helped to build trust and promote disclosure of personal information which in turn, facilitates relationship marketing.[24] The Council of Europe model by contrast favoured implementation in to national law. The tension between the legislative and self-regulatory approach to privacy protection in the commercial context was a central theme in the discussions which led to the creation of the Canadian Standards Association Model Code of the Protection of Personal Information.[25]

Part 4 of the CSA Standard became Schedule 1 to the PIPED Act. Perrin et al[26] state that "with the full support of the industry players who contributed to the CSA Standard, but to the great bewilderment of privacy experts and legal scholars everywhere, the drafters of this legislation set the task of incorporating the text of the standard in the law." As a consequence modifications of the legal text of the Act would invariably ensue.

The problem with this approach is that industry codes serve entirely different functions to legislation. Codes express a general aspiration which is in the main voluntary, normative, non-binding in orientation and of general applicability. Legislation on the other hand is prescriptive and creates specific binding legal rights and obligations. The Court in Englander notes that the CSA Standard was "the product of intense negotiations between competing interests, which proceeded on the basis of self-regulation and which did not use nor purport to use legal drafting."

The incorporation of a voluntary instrument into law presents difficulties for analysis of issues in this context. This is because the rules of statutory construction are of little application in the context of interpreting a code. This is underscored by s. 5(2) of the PIPED Act which states that the use of ‘should' does not impose a legal obligation. The Court therefore concluded that "[i]n these circumstances, flexibility, common sense and pragmatism will best guide the Court."[27] This marked departure from legal reasoning is problematic in the context of privacy discourse since the value of a decision based on ‘common sense' will be of limited application in future cases.

Coupled with the protean nature of privacy, which makes it highly elusive to definition with any legal precision, we find a situation where we are further away from understanding what is meant by an expectation of privacy as well as the harms caused by a loss of privacy. Clearly, privacy is not an absolute value but the present regulatory framework does little to further our understanding of this concept. The resulting uncertainty is problematic for both business as well as consumers.

Consent and Openness

As noted above the Court in Englander held that Telus infringed the consent requirement of Schedule 1 of the PIPED Act in failing to inform its first time customers, at the time of enrolment, of the primary and secondary purposes for which their personal information was collected and not informing them of the availability of the NPNS.

The Court highlights Principle 2, "Identifying Purposes"[28] and 3 "Consent"[29] to be of particular relevance in the Englander case. These principles, the Court remarks "...clearly impose on the organization the burden of making clear to the individual all the purposes for which the personal information is collected at or before the time of collection." The obligation on the part of the firm will vary depending on the circumstances and type of information being collected.

The Court also remarks that in complying with Principle 8, "Openness," which requires an organization to make available specific information about its policies and practices relating to the management of personal information may be the basis of a finding of ‘tacit consent', should it be demonstrated that first time customers are aware of the brochures at the time they subscribe.[30]

A central theme of the "Implementing PIPEDA: A review of Internet privacy statements and on-line practices" project has been the extent to which companies are open about their privacy practices. Ideally, openness should mirror knowledge and consent, but the reality is that an information asymmetry exists between company and individual in a depersonalized arrangement. The absence of a clear legal recourse makes the need for organizations to provide information about their personal information management practices far greater. Cavoukian has suggested that consumers are "far less willing to entrust their personal data to organizations that, at a minimum, don't have a posted privacy statement."[31]

The Role of the OPC

The Office of the Privacy Commissioner has a clear policy making mandate to promote privacy through the research and development of information programs to foster public understanding on the subject of privacy as well to encourage organizations to develop detailed policies and practices, including organizational codes of practice to comply with the PIPED Act.[32]

The PIPED Act however seems to suggest that its role is both conciliatory as well as adversarial when it comes to handling individual privacy complaints and protecting privacy as a whole.

In practice it would appear the OPC has a strategy of conciliation and confidentiality with respect to the handling of individual complaints. This is entirely appropriate, given the sensitive nature of the information to which the Commissioner is privy. The OPC does, pursuant to the PIPED Act have the discretion "...to make public any information relating to the personal information practices of an organization if the Commissioner considers that it is in the public interest to do so." [33]

Toward the end of its judgment, the Court remarks in obiter that the Office of the Privacy Commissioner "...is not a tribunal and has no decision-making power under the PIPED Act. At best, the Commissioner can form an opinion on the issue and include it in his report."[34] Lawford has suggested that this is tantamount to regarding case summaries as "legally worthless.[35]" This view perhaps fails to recognize that the Commissioner serves a policy making function and has ability to issue policy statements, opinions, or in this case findings. This flows from the executive rather than judicial character of such bodies.

The reluctance on the part of the Commissioner to exercise this power is to some extent understandable in view of the fact that a practice regularly naming respondents would compromise its mediation function. However, naming can serve as a sanction for non-compliance as well as an incentive to comply if the procedures which will result in publication are clearly articulated with industry players. Suggested criteria for this process could include the severity of the breach of privacy to a given class, harm caused to the individual complainant as well as failure to promptly implement recommendations.

At present the practice of reporting case summaries with names removed provides little assistance to individuals and practitioners attempting to follow these issues as they evolve creating considerable uncertainty and frustration, particularly for privacy advocates.

Conclusion

The Englander v. Telus decision is not a ‘David and Goliath' story but rather an examination of competing perspectives on issue of privacy. The case provides a good illustration of the activist, corporate and centralist perspectives in the privacy debate. All of these positions have intrinsic validity, but fail to fully address the problem when taken individually. If nothing else the Englander decision provides a context for discussion on the issue of privacy with respect to these perspectives.

In this context the PIPED Act is shown to suffer from an internal contradiction as to purpose, attempting to satisfy the needs of both industry and individuals. The case also illustrates the difficulties in enshrining industry codes in law. This approach is understandable given the fact the privacy value is not absolute and difficult to define. However if we are to move beyond decisions based on ‘common-sense' and refine our understanding of what is meant by an expectation of privacy and the harm that results from its loss, a willingness to cultivate the jurisprudence in this area will be needed. The OPC can contribute to this development if it is prepared to name respondents under prescribed circumstances. This, it is submitted, would add greatly to privacy discourse by providing a more substantive basis for discussion between the activist and corporate viewpoints.