As the U.S. communications regulator unveiled a plan last week to hold Internet providers to a higher standard on customer privacy, Canadians might have felt a sense of déjà vu.
The Federal Communications Commission (FCC) announced a proposal on Wednesday that, if finalized, would require U.S. broadband Internet service providers (ISPs) to obtain "opt-in" consent from customers before sharing their information with third parties such as advertisers.
Under the proposal, ISPs could still use customer information for their own billing and marketing purposes – for example, an ISP that sees a customer is streaming a lot of data would be permitted to offer that customer an upgraded service package. However, broadband providers would have to expressly ask for consent before they share customer data. "When consumers sign up for Internet service, they shouldn't have to sign away their right to privacy," the FCC said in a statement.
It's an issue that already came to the fore in Canada after BCE Inc.'s targeted online-advertising program, which tracked cellphone users' browsing habits, app usage and phone calls to provide information to third-party advertisers and display specially tailored ads. That program sparked an investigation by the federal Office of the Privacy Commissioner (OPC) and a complaint to the Canadian Radio-television and Telecommunications Commission (CRTC).
The OPC inquiry concluded last April that BCE should have given its users the chance to opt-in to having their behaviour tracked rather than automatically tracking them. The federal privacy watchdog had no power to impose an order on BCE that would have forced it to change its approach (which did allow users to opt-out from consent), but the OPC said it was considering taking the matter to court. BCE eventually said it would withdraw its "Relevant Ads" program.
Internet users are often asked to surrender a certain amount of personal information – such as location data, browsing habits and demographic details – in exchange for using a "free" service such as Google's e-mail platform or an app such as Facebook. But the BCE targeted-ads case raised the difficult question of why Internet users should sacrifice some of their privacy to a service provider they are already paying.
The FCC referred to this tension in its proposal last week, stating, "A consumer's relationship with her ISP is very different than the one she has with a website or app. Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee."
The Public Interest Advocacy Centre and the Consumers' Association of Canada (PIAC-CAC) also raised that issue in a complaint to the CRTC over BCE's targeted-ad program. By the time Canada's telecom regulator released its ruling on the case in October, BCE had withdrawn the program and the CRTC said it did not have to make a ruling on the BCE situation as the issue was moot.
Geoff White, a lawyer who frequently acts for PIAC-CAC and represented the advocacy groups in the BCE relevant-ads matter, said in a recent interview he would like to see the CRTC take a similar, pro-active step as the FCC, adding that the time is right because public concern about privacy is growing.
"With this rush toward big data, combined with people who are giving up so much data about themselves and measuring themselves [with fitness apps and other lifestyle trackers] – all these trends are coming to a head," he said. "I think sooner or later something's going to have to happen because I truly believe Canadians are concerned with privacy and this notion that privacy is dead needs to be challenged.
"It's all a question of transparency and consent when it comes to personal information. It's about whether or not people are sufficiently aware of what's happening and whether or not they're given the chance to actually do something about it," Mr. White said.
CRTC spokeswoman Patricia Valladao said in an e-mail that while the OPC is responsible for the oversight of federal privacy legislation and the majority of privacy matters, the CRTC "has also imposed various privacy safeguards and obligations," including the requirement to keep telecom customers' personal information confidential.
She said the commission has also established an "expectation" that service providers seek opt-in consent before sharing customer data for the purpose of targeted advertising. The CRTC's decision in the BCE matter did not call for a broader inquiry into such practices, but Ms. Valladao said "this expectation was explicitly set out" in that ruling.
"The commission continues to monitor privacy-related issues related to the provision of communications services as they arrive," she added.
For its part, the OPC says the Personal Information Protection and Electronic Documents Act (PIPEDA) contains provisions related to consent, and the commissioner has outlined its position on how that should be interpreted in several cases, including the BCE relevant-ads investigation.
"We have said that express, or opt-in, consent should be used whenever possible and in all cases when the personal information is considered sensitive," Tobi Cohen, a spokeswoman for the OPC, said in an e-mail. She declined to comment specifically on the FCC proposal.
Privacy Commissioner Daniel Therrien told a parliamentary committee last week that there is a "critical need" to overhaul the federal Privacy Act. That legislation applies to the way government institutions handle private information, but some of his remarks to the committee also ring true for commercial companies such as telecom service providers handling customer data.
"In the digital world, it is infinitely easier to collect, store, analyze and share huge amounts of personal information – making it far more challenging to safeguard all of that data and raising new risks for privacy," Mr. Therrien said.