A-388-03
2004 FCA 387
Mathew Englander (Appellant)
v.
TELUS Communications Inc. (Respondent)
and
Privacy Commissioner of Canada (Intervener)
Indexed as: Englander v. TELUS Communications Inc. (F.C.A.)
Federal Court of Appeal, Décary, Nadon and Malone JJ.A.--Vancouver, October 7; Ottawa, November 17, 2004.
Privacy -- Personal Information Protection and Electronic Documents Act (PIPED Act) -- Publication of customers' information in telephone directories -- Whether fees chargeable to keep numbers confidential -- Nature of consent required from first-time customers -- Whether Federal Court having jurisdiction over rate issue -- Review, exposition of history of PIPED Act -- Principles established by Organization for Economic Cooperation and Development (OECD) Guidelines incorporated in Canadian Standards Association's self-regulatory Model Code, approved by Standards Council of Canada -- Code became Schedule 1 to Act -- Governor in Council concerned fees for unlisted number service could deter subscribers from de-listing -- CRTC issued order unlisted number fee not to exceed $2 per month -- Principles, rules of interpretation used in Privacy Act context should not be hastily applied to PIPED Act as "purpose" provisions dissimilar -- PIPED Act reconciled competing interests: privacy, needs of commercial organizations -- Code, legislation reflected compromise after intense negotiation -- Difficulty of incorporating into legislation code intended as voluntary instrument -- Court's interpretation had to be pragmatic, flexible -- Proceedings under Official Languages Act applicable as similar -- Whether appellant had standing on consent issue -- Necessity for both knowledge, consent -- Organization bears burden to make clear all purposes for information collection -- Timing of essence: brochures supplied after collection, use not evidence of timely consent -- Judge erred in placing on subscriber responsibility for self-education as to listing options -- No informed consent -- PIPED Act's comprehensive complaint mechanism takes precedence over Telecommunications Act -- PIPED Act not expressly prohibiting fee for unlisted number service -- TELUS infringed Act, s. 5 in failing to advise new customers, upon enrolment, of primary, secondary purposes of collection, availability of unpublished number service.
Telecommunications -- Publication of personal information in telephone directories -- Interpretation of Personal Information Protection and Electronic Documents Act -- Issues: whether fees chargeable for unlisted number service, nature of consent required by Act for listing personal information of first-time customers, and whether CRTC has exclusive jurisdiction over fees charged for privacy services -- TELUS infringed PIPED Act, s. 5 in failing to advise new customers, upon enrolment, of primary, secondary purposes for information collection.
Federal Court Jurisdiction -- Whether Court having jurisdiction to consider legality of rates imposed by CRTC for unpublished telephone number service -- F.C. Judge held Court lacking jurisdiction -- Reversed by F.C.A. -- Matter one of concurrent or overlapping jurisdiction.
This was an appeal from a Federal Court judgment dismissing an application for a hearing pursuant to Personal Information Protection and Electronic Documents Act (PIPED Act), section 7.
The appellant filed a complaint against TELUS under Act, section 11, asking the Commissioner to determine whether the consent to disclosure allegedly secured by TELUS from new customers met the statutory standard and whether TELUS could charge a monthly fee for its non-published number service (the rate issue), which is a condition for not publishing personal information in its telephone directory. The Commissioner rejected appellant's complaint, stating simply that TELUS had authority to charge a monthly fee for the non-published number service. As for the consent issue, he concluded that, in initiating service, TELUS obtained valid consent to publish personal information in its white pages.
The appellant then made a section 14 application to the Federal Court, but it was denied, Blais J. concluding that the Court lacked jurisdiction over the rate issue, as it is a matter within exclusive CRTC jurisdiction. On the consent issue, the Judge determined that TELUS did have valid consent.
In order to properly interpret the PIPED Act, it was necessary to review its history. In 1980 the Organization for Economic Cooperation and Development (OECD) published Guidelines setting out eight principles which are still considered fundamental to fair information services. These principles dealt with: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability. But there was friction between the self-regulatory approach proposed by the OECD and the legislative approach proposed by the Council of Europe. In Canada, a self-regulatory Model Code for the Protection of Personal Information was adopted by the Canadian Standards Association (CSA) in 1995 and was approved by the Standards Council of Canada in 1996. It set out ten principles in Part 4, retaining those in the OECD Guidelines, the two additional principles, consent and challenging, having been referred to under collection limitation and individual participation in the OECD Guidelines. Part 4 of the CSA Standard became Schedule 1 to the Act. The CSA Standard had been "developed by consensus" meaning that there was substantial agreement--though not necessarily unanimity--among concerned interests.
At about the same time, the Minister of Industry had established the Information Highway Advisory Council to advise as to how Canada could most benefit from the "Information Highway". In response to a public discussion paper, consumer representatives favoured legislated privacy protection while business preferred to self-regulate according to the CSA Standard. The Council recommended that Government develop flexible legislation based on the CSA Standard. The drafters of the legislation decided to incorporate the CSA Standard, "a carefully crafted consensus document, with every clause negotiated but not drafted in legislative language" as a Schedule, and to make the modifications in the body of the law so as to retrofit the language of the code to serve as legal text. The Act received Royal Assent in 2000 and was phased into force between 2001 and 2004. In 2001, the European Commission ruled that the PIPED Act met the European Union's 1995 Data Protection Directive adequacy requirements, which meant that personal data from member states could be transferred to Canada.
The non-published number service (NPNS) is regulated by the CRTC; in British Columbia the tariff is a $2 per month in addition to a $9.50 set-up fee. The CRTC directed telephone companies to notify customers calling to initiate service, or with privacy concerns, as to how their names could be removed from listings sold or rented to third parties. In 1996, the Governor in Council required the CRTC to make a report evaluating the unlisted number service, noting a concern that the pricing of the unlisted number service might deter subscribers from de-listing their personal information from telephone directories. The CRTC responded with a 25-page report in which it concluded that, due to long-established practice, subscribers have an expectation that, unless they request an unlisted number, their numbers will be published in directories and given out by directory assistance and thus can be considered as having consented to such use if service is commenced without requesting an unlisted number. The Commission added that, in view of the increased accessibility of subscriber listing information in easily manipulated forms, it was more important than ever that unlisted number service not be priced beyond the financial reach of subscribers. Having invited submissions regarding the rates for unlisted number service, the CRTC issued Telecom Order CRTC 98-109 in which it concluded that it was "appropriate that the telephone companies provide an unlisted number service at a rate that does not exceed $2 per month for residence subscribers". In 2003, Telecom Decision 2003-33 was issued. It determined that implied consent was inappropriate for the disclosure to affiliates of confidential customer information apart from name, address and listed phone number. The decision noted that the Commission's jurisdiction derived from the Telecommunications Act and that, in exercising its powers under that Act, the Commission might apply standards different from those of the PIPED Act.
The issues were: whether fees can be charged to customers who wish their numbers kept confidential; the nature of consent required by the Act for listing personal information of first-time customers; and whether the CRTC has exclusive jurisdiction over the legality of fees charged for privacy services. The procedural issues included what is required to have standing to apply for a PIPED Act, section 14 Federal Court hearing.
Held, the appeal should be allowed in part.
The principles and rules of interpretation developed in the Privacy Act context should not be too hastily applied to PIPED Act, Part 1 and Schedule 1, the two "purpose" provisions being dissimilar. While the PIPED Act is directed at the protection of an individual's privacy, it is also concerned with the collection, use and disclosure of personal information by commercial organizations. It attempts to reconcile two competing interests: privacy and organizational needs. It expressly recognizes that the right of privacy is not absolute. Indeed, one author has explained that the code represents a compromise following " intense negotiation between business, consumer groups and government". That compromise was carried forward by the legislation. The focus of Schedule 1 is not collection prevention and disclosure--which are almost taken for granted--but the purposes for which the information is collected, used or disclosed. The purposes must be appropriate and legitimate, and reasonable efforts must be made to ensure that the individual is advised of and understands them. It was inherently difficult to incorporate into legislation a code written as a voluntary instrument and the Court was little guided by wording such as: knowledge and consent are required "except where inappropriate". It was up to the Court to strike a balance between two competing interests. Since the non-legal drafting of Schedule 1 did not lend itself to typical rigorous construction, the Court had to be guided by flexibility, common sense and pragmatism.
The questions here at issue were not dissimilar to those dealt with by this Court in Forum des Maires de la Péninsule acadienne v. Canada (Food Inspection Agency), and while that case involved the Official Languages Act, the proceedings that could be launched in Federal Court under the two statutes were so similar that the reasoning in Forum des Maires could be applied to the case at bar. The investigations into a complaint carried out by the Privacy and Official Languages Commissioners follow the same pattern. At issue in both proceedings is not the Commissioner's report but the conduct of the person against whom the complaint is filed. A hearing under Act, subsection 14(1) is de novo and, since Act, section 15 provides that the Commissioner may be a "party" at the hearing, to show any deference to his report would be unfair as giving him a head start.
TELUS submitted that appellant lacked standing on the consent issue in that he did not allege infringement of his privacy interests and relied on the wording "tout intéressé" in the French version of subsection 11(1). But while the Commissioner might be able to decline to prepare a report if a complainant is found to lack any personal interest, once a report has been prepared and his decision to do so has not been challenged, the person who filed the complaint is a complainant for purposes of a section 14 Court application--even if his own personal information is not at stake.
While much argument addressed the Act, section 7 and paragraph 1 of the Regulations, they had no application to the case at bar. They could not apply to the very organization that initially collects information to publish a directory that will, once published, become publicly available. The fact that the use of personal information contained in publicly available telephone directories can be so widespread due to these Regulations would suggest that the Court ought to exercise additional caution when deciding issues in relation to initial directory listings.
Principles 2 (identifying purposes) and 3(consent) were at the heart of this appeal and the latter required both knowledge and consent. Under Principle 2, an organization has to identify the purposes of the collection at or before the time when the information is collected. Furthermore, if information is later to be used for a purpose not previously identified, that new use must be identified and consent secured prior to use for the new purpose. Clauses 4.2.3. and 4.2.4. clearly impose upon the organization the burden of making clear to the individual all of the purposes for which the personal information is being collected at or before the time of collection. Timing is of essence with respect to both Principles 2 and 3. Brochures given out after collection (or even use) cannot be relied upon to determine whether consent was obtained in time. Compliance with Principle 8 (openness) will most often come too late to comply with Principle 3.
In determining that TELUS had valid consent to publish customers' personal information in its directories, the Judge remarked that, due to long-standing and well-established practice, customers had a reasonable expectation that, unless they subscribe to NPNS, their listing information will be published in the phone directory. It was a subscriber's responsibility to educate himself as to the available listing options. This Court could not, however, conclude that proper consent was given by first-time customers for the use by TELUS of their personal information in its Internet directory assistance service, directory file service and basic listing interchange file service and its CD-Rom service as these were not identified at the time of enrolment nor was there evidence that new customers would reasonably consider them appropriate. There was no evidence of any effort by TELUS to advise first-time customers of the secondary purposes at the time of collection. The Judge, in failing to make a specific finding regarding those services, committed reviewable error.
The Judge's conclusion regarding the primary uses, that it was for customers to request an unlisted number, was incompatible with the duty of seeking informed consent imposed by Act, Part 1 and Schedule 1. There is no informed consent if the new subscriber is unaware of the possibility of opting out. These new customers have a right to know--before the personal information becomes "publicly available" within the meaning of section 7--that they can exercise their right to privacy by choosing not to be listed.
The Judge held that the Court lacked jurisdiction over the rate issue as that was a matter within the Commission's exclusive jurisdiction. While the Privacy Commissioner is not a tribunal and his report is not a "decision" , the CRTC is a decision-making tribunal. Under the Act, paragraph 32(g) the CRTC is empowered to make any order relating to the rates, tariffs or telecommunications services of Canadian carriers, and under section 52, in discharging its duties, the Commission may determine any question of law or fact. The question was whether the Commission's jurisdiction over the rate issue--which the Court was prepared to assume--ousted the Court's jurisdiction over that issue. The PIPED Act provides a comprehensive complaint mechanism and, in the circumstances described in subsection 4(3), takes precedence over the Telecommunications Act. For the Court to be able to determine whether an organization has violated subsection 5(1), it had to have power to decide whether imposition of a fee was permissible--a pure question of law. There was no explicit wording in the Telecommunciations Act which would oust the Court's jurisdiction. There was either concurrent or overlapping jurisdiction and were the Court to determine that fees could not be charged, the Commission would have to revise its tariff.
The Court could not accept appellant's proposition, that the Telecommunications Act did not permit imposition of a fee for unlisted number service nor that the PIPED Act overrules the Telecommunications Act. The two statutes are not contradictory: PIPED Act does not expressly prohibit the imposition of fees.
TELUS infringed PIPED Act, section 5 in failing to advise first-time customers, upon enrolment, of the primary and secondary purposes for which the information was collected and of the availability of non-published number service. But complainant not having been personally aggrieved, the Court would not grant a remedy involving a money payment but only make an order which was future-oriented.
statutes and regulations judicially
considered
Canada Evidence Act, R.S.C., 1985, c. C-5.
Canadian Charter of Rights and Freedoms, being Part I of the Constitution Act, 1982, Schedule B, Canada Act 1982, 1982, c. 11 (U.K.) [R.S.C., 1985, Appendix II, No. 44]. |
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, E.T.S. No. 108, Strasbourg, 28.I.1981. |
Federal Courts Act, R.S.C., 1985, c. F-7, ss. 1 (as am. by S.C. 2002, c. 8, s. 14), 18 (as am. by S.C. 1990, c. 8, s. 4; 2002, c. 8, s. 26). |
Official Languages Act, R.S.C., 1985 (4th Supp.), c. 31, s. 77(1). |
Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, ss. 1, 3, 4(1),(3), 5, 7, 11, 13(1)(a),(2), 14, 15, 16, 17(1), 27(1), Sch. I. |
Privacy Act, R.S.C., 1985, c. P-21, s. 2. |
Order Varying Telecom Decision CRTC 95-14 and Requiring the CRTC to Report on the Matter of Directory Subscriber Listings, SOR/96-322. |
Regulations Specifying Publicly Available Information, SOR/2001-7, s. 1. |
Standards Council of Canada Act, R.S.C., 1985, c. S-16. |
Statute Revision Act, R.S.C., 1985, c. S-20. |
Statutory Instruments Act, R.S.C., 1985, c. S-22. |
Telecommunications Act, S.C. 1993, c. 38, ss. 7(i), 25, 27, 32(a),(g), 47, 48, 52. |
cases judicially considered
applied:
Forum des maires de la Péninsule acadienne v. Canada (Food Inspection Agency), [2004] 4 F.C.R. 276; (2004), 243 D.L.R. (4th) 542; 324 N.R. 314; 2004 FCA 263.
distinguished:
R. v. Badger, [1996] 1 S.C.R. 771; (1996), 133 D.L.R. (4th) 324; [1996] 4 W.W.R. 457; 181 A.R. 321; 37 Alta. L.R. (3d) 153; 105 C.C.C. (3d) 289; [1996] 2 C.N.L.R. 77; 195 N.R. 1; 116 W.A.C. 321.
considered:
BC Tel--Revenue Requirements for 1993 and 1994, Telecom Decision CRTC 94-1; Local Competition, Telecom Decision CRTC 97-8; Provision of Directory Database Information and Real-Time Access to Directory Assistance Databases, Telecom Decision CRTC-95-3; Reference: 8665-C12-14/01 and 8665-B20-01/00. Confidentiality provisions of Canadian carriers, Telecom Decision CRTC 2003-33; Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403; (1997), 148 D.L.R. (4th) 385; 46 Admin. L.R. (2d) 155; 213 N.R. 161; R. v. Côté, [1996] 3 S.C.R. 139; (1996), 138 D.L.R. (4th) 385; 110 C.C.C. (3d) 122; [1996] 4 C.N.L.R. 26; 202 N.R. 161; CRTC Telecom Order 98-109, February 4, 1998.
referred to:
Eastmond v. Canadian Pacific Railway (2004), 16 Admin. L.R. (4th) 275; 33 C.P.R. (4th) 1; 254 F.T.R. 169; 2004 FC 852; Maheu v. IMS Health Canada (2003), 24 C.P.R. (4th) 70; 226 F.T.R. 269; 2003 FCT 1; affd (2003), 29 C.P.R. (4th) 425; 314 N.R. 393; 2003 FCA 462; Chiasson v. Canada (2003), 226 D.L.R. (4th) 351; 303 N.R. 54; 2003 FCA 155; St. Anne Nackawic Pulp & Paper Co. v. Canadian Paper Workers Union, Local 219, [1986] 1 S.C.R. 704; (1986), 73 N.B.R. (2d) 236; 28 D.L.R. (4th) 1; 184 A.P.R. 236; 86 CLLC 14,037; 68 N.R. 112; Weber v. Ontario Hydro, [1995] 2 S.C.R. 929; (1995), 125 D.L.R. (4th) 583; 30 Admin. L.R. (2d) 1; 12 C.C.E.L. (2d) 1; 24 C.C.L.T. (2d) 217; 30 C.R.R. (2d) 1; 183 N.R. 241; 82 O.A.C. 321; Regina Police Assn. Inc. v. Regina (City) Board of Police Commissioners, [2000] 1 S.C.R. 360; (2000), 183 D.L.R. (4th) 14; [2000] 4 W.W.R. 149; 189 Sask. R. 23; 50 C.C.E.L. (2d) 1; 241 N.R. 16; 2000 SCC 14; Quebec (Attorney General) v. Quebec (Human Rights Tribunal), [2004] 2 S.C.R. 223; (2004), 240 D.L.R. (4th) 609; 2004 SCC 40; Nova Scotia (Workers' Compensation Board) v. Martin; Nova Scotia (Workers' Compensation Board) v. Laseur, [2003] 2 S.C.R. 504; (2003), 231 D.L.R. (4th) 385; 4 Admin. L.R. (4th) 1; 28 C.C.E.L. (3d) 1; 110 C.R.R. (2d) 233; 310 N.R. 22; 2003 SCC 54.
authors cited
Canadian Radio-television and Telecommunications Commission. Report to the Governor in Council on Directory Subscriber Listings and on Unlisted Number Service, December 23, 1996
Drapeau, M. W. and M. A. Racicot. Federal Access to Information and Privacy Legislation, Annotated 2004. Toronto: Carswell, 2004.
Geist, Michael. Internet Law in Canada, 3rd ed. Concord, Ont.: Captus Press, 2002.
Guilelines Governing the Protection of Privacy and Transborder Flows of Personnal Data, 23 September, 1980.
Perrin, S. et al. The Personal Information Protection and Electronic Documents Act: An annotated Guide Toronto: Irwin Law Inc., 2001.
Regulatory Impact Analysis Statement, G. Gaz 2001.II.32.
APPEAL from Federal Court Trial Division decision ((2003), 235 F.T.R. 1) raising numerous issues with respect to personal information published in telephone directories. Appeal allowed in part.
appearances:
Mathew Englander on his own behalf.
Lisa A. Warren for respondent.
Sean T. McGee for intervener.
solicitors of record:
Farris, Vaughan, Wills & Murphy, Vancouver, for respondent.
Nelligan O'Brien Payne LLP, Ottawa, for intervener.
The following are the reasons for judgment rendered in English by
[1]Décary J.A.: This appeal raises numerous issues related to the interpretation of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (the Act or PIPED Act), and pertaining to personal information published in telephone directories. Some of the issues are of a substantial nature: whether fees can be charged to customers who ask that their telephone numbers remain confidential; what type of consent is required by the Act for the listing of first-time customers' personal information in telephone directories; what rules should guide the interpretation of a self-regulatory code transformed into a statute and whether the Canadian Radio-television and Telecommunications Commission (the CRTC) has exclusive jurisdiction to determine the legality of fees charged for privacy services. Others are of a procedural nature: the requisite standing to apply to the Federal Court for a hearing under section 14 of the Act; the nature of the so-called "hearing"; the deference, if any, owed to the report on a complaint prepared by the Privacy Commissioner of Canada (the Commissioner), Mr. Radwanski, under section 11 and the adjudication of costs to an allegedly public interest litigant.
[2]The relevant facts can be found in the impugned decision of the Trial Division, reported at (2003), 235 F.T.R. 1 (F.C.T.D.). Essentially, this matter arose as a result of a complaint filed by the appellant under section 11 of the Act against the respondent (TELUS). The appellant had asked the Commissioner to determine whether the consent allegedly obtained by TELUS from its first-time customers for disclosure of personal information met the standards set up in the Act (the consent issue) and whether TELUS could charge him a monthly fee for the non-published number service (NPNS) which is a condition for not publishing personal information in its telephone directory (the rate issue).
[3]The Commissioner prepared a report of his findings and dismissed the complaint (A.B., Vol. 1, at page 68). His reasons are to say the least laconic.
[4]With respect to the rate issue, he states (A.B., Vol 1, at page 70):
. . . I have concluded that TELUS has the authority to charge its customers $2.00 per month for non-published telephone service and I do not find this an unreasonable practice so as to contravene principle 4.3.3 of the Schedule.
[5]With respect to the consent issue, his relevant conclusions can be summarized as follows.
With respect to subsection 5(3) of the Act, he concludes that (ibid):
. . . a reasonable person would consider TELUS' initiation of service practice and subsequent publishing of customers' personal information in TELUS' White Pages an appropriate collection, use and disclosure of the information.
With respect to clause 4.3 of Schedule 1, he concludes that (ibid):
. . .TELUS' practice of initiating service includes obtaining valid consent from its customers to publish their personal information in its publicly available White Pages Directory.
With respect to clause 4.5 of Schedule 1, he concludes that (ibid):
. . . TELUS obtains valid consent to publish customers' personal information in its White Pages Directory and, by doing so, customers consent to having their personal information available to the public. TELUS only discloses publicly available information as specified by the Act under the Regulations Specifying Publicly Available Information to Dominion Information Services in BC, and TELUS Advertising Services in Alberta, and therefore, is in compliance with the Act.
[6]These reasons are not very helpful. But since it is not the report but the complaint with which the Court deals in these proceedings (as we shall see), the generality of the report is of little consequence at the end of the day.
[7]The appellant then applied to the Federal Court for a hearing pursuant to section 14 of the Act. The application was dismissed. In his reasons, Mr. Justice Blais found that the hearing was neither an appeal from the Commissioner's report nor an application for judicial review of that report and that he was to exercise his discretion de novo; that the Commissioner's report was entitled to some deference with respect to decisions clearly within his jurisdiction; that the appellant had standing to raise the consent issue even though there was no evidence of TELUS collecting, using or disclosing any of his personal information without his consent; that TELUS had valid consent under the Act to publish its customers' personal information on TELUS directories; and that the Federal Court had no jurisdiction over the rate issue as it is a matter within the exclusive jurisdiction of the CRTC. The Judge also refused to recognize the appellant's public interest standing and ordered him to pay costs, which were assessed at $11,906.41.
The historical background of Part 1 of the PIPED Act
[8]A brief review of the history of the PIPED Act, including part of the CSA [Canadian Standards Association] Standard which is incorporated into it as Schedule 1, is crucial for a proper understanding and interpretation of its relevant provisions. Most of the observations I will make in this regard take their inspiration from the The Personal Information Protection and Electronic Documents Act: An Annotated Guide (Perrin, Black, Flaherty & Rankin, Toronto: Irwin Law Inc., 2001). I am grateful to these learned authors and apologize for using their material often verbatim.
[9]Prior to the 1970s, attempts had been made in various international documents to protect privacy. "It was soon recognized, however, that these documents were too vague--particularly in the face of the growing sophistication of data processing--to ensure adequate protection of civil liberties in the area of personal data protection" (Annotated Guide, at page 2). The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was developed by the Council of Europe in 1981 (E.T.S. No. 108, Strasbourg, 28.I.1981). In 1978, a committee was established by members of the Organization for Economic Cooperation and Development (OECD) to develop guidelines on basic rules governing transborder dataflow and the protection of personal data and privacy. Guidelines were developed in consultation with the experts working at the Council of Europe on Convention 108, "but the thrust of the OECD activity was non-regulatory, while the Council of Europe developed a set of similar principles that were implemented in national law" (ibid., at page 2). The OECD Guidelines were published in 1980 and "developed a set of eight principles that are still regarded as the fundamentals of fair information services." These eight principles are [Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 23 September, 1980]:
Collection Limitation Principle
. . .
7. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. |
Data Quality Principle
8. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. |
Purpose Specification Principle
9. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. |
Use Limitation Principle
10. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except: |
(a) with the consent of the data subject; or
(b) by the authority of law.
Security Safeguards Principle
11. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data. |
Openness Principle
12. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. |
Individual Participation Principle
13. An individual should have the right: |
(a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
(b) to have communicated to him, data relating to him
(i) within a reasonable time;
(ii) at a charge, if any, that is not excessive;
(iii) in a reasonable manner; and
(iv) in a form that is readily intelligible to him;
(c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
(d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Accountability Principle
14. A data controller should be accountable for complying with measures which give effect to the principles stated above. |
[10]The friction between the self-regulatory approach proposed by the OECD and the legislative approach proposed by the Council of Europe made its way into Canada. Most industries believed that privacy legislation would be bad for business. In the early 1990s, a suggestion was made to the Canadian Standards Association (CSA) (composed of consumers and business representatives, representatives of the federal and provincial governments, labour unions, professional associations. . .) to set up a committee to develop a standard for data protection based on the OECD Guidelines. The CSA self-regulatory Standard was drafted between 1993 and 1995. In September 1995, the Canadian Standards Association Model Code for the Protection of Personal Information (CAN/CSA- Q830-95) (the CSA Standard) was adopted by the CSA. It was approved as a National Standard of Canada by the Standards Council of Canada in 1996. (The Standards Council of Canada is an institution governed by the Standards Council of Canada Act, R.S.C., 1985, c. S-16.)
[11]The CSA Standard sets out ten principles in Part 4. It retains in different language and in a different order the eight principles defined in the OECD Guidelines. The two other principles, "consent" and "challenging," were already referred to in the "Collection Limitation Principle" and the "Individual Participation Principle", respectively clauses 7 and 13 of the OECD Guidelines. The CSA Standard, however, expands considerably on the wording used in the OECD Guidelines. Part 4 of the CSA Standard would eventually become Schedule 1 to the Act, the text of which will be reproduced later in these reasons (at paragraph 21).
[12]In the Preface to the first edition of the CSA Standard, the CSA notes that it was "developed by consensus, which is defined by CSA Regulations Governing Standardization as `substantial agreement reached by concerned interests. Consensus includes an attempt to remove all objections and implies much more than the concept of a simple majority, but not necessarily unanimity'." It goes on, in the Introduction, to establish the context in which the CSA Standard was adopted:
Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve the quality of our lives. This technology also gives rise to concerns about the protection of privacy rights and the individual's right to control the use and exchange of personal information. By implementing recognized fair-handling practices for personal information, organizations can materially demonstrate their commitment to the protection of personal information. Organizations should balance their need for personal information with an individual's desire for a certain measure of anonymity. This document is a voluntary national standard for the protection of personal information. The Standard addresses two broad issues: the way organizations collect, use, disclose, and protect personal information; and the right of individuals to have access to personal information about themselves, and, if necessary, to have the information corrected. Then interrelated principles form the basis of the Standard. Each principle is accompanied by a commentary that elaborates on the principle. A workbook on the implementation of the principles is available to organizations intending to adopt this Standard. Organizations will be able to tailor specific codes using the workbook as a guide. The Standard will (a) provide principles for the management of personal information; (b) specify the minimum requirements for the adequate protection of personal information held by participating organizations; (c) make the Canadian public aware of how personal information should be protected; and (d) provide standards by which the international community can measure the protection of personal information in Canada. Canada committed itself to privacy protection in 1984 by signing the Organization for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD Guidelines [. . .] were used as the basis for the development of this Standard. The protection of personal information is increasingly important at the international level.
[13]In the meantime (in 1994), the Minister of Industry had created the Information Highway Advisory Council to inform him on how Canada could most benefit from the Information Highway. "In response to a public discussion paper, most consumer representatives, privacy commissioners, and privacy advocates replied that they wanted legislated privacy protection, while most businesses stated that they could self-regulate to the CSA Standard." In 1995, the Advisory Council recommended to the Minister that the Government "develop flexible framework legislation based on the CSA Standard and work with the provinces to harmonize their efforts" (Annotated Guide, at page XIV).
[14]A consultation paper was released in January 1998. Seeking a compromise through discussion, the Government eventually came up with the following requirements (Annotated Guide, at pages XIV-XV):
· The law must be based on the CSA Standard, which was a carefully crafted consensus document, with every clause negotiated but not drafted in legislative language. |
· The same marketplace rules must hold for the entire country, in a period where markets were rapidly converging and competitors who were historically under different jurisdictions were now entering each other's markets (banks and insurance, telecommunications carriers and Internet service providers, direct marketers in all sectors). |
· The law must not set up new unjustified barriers to internal and international trade, and must not disadvantage responsible players by allowing data havens or offshore rivals to escape regulation. |
· The Privacy Commissioner would be responsible for oversight, in a light flexible model. Not only should the implementation of the legislation be amenable to audit by independent third parties, but the Commissioner should also have authority to audit practices independent of any complaint. |
· The heart of successful privacy protection lies in awareness of all parties of rights, expectations, responsibilities, and the actual facts of data processing and dataflow. There is a tremendous need for public education and awareness, and a vital role for the Privacy Commissioner to play. |
[15]Eventually, "with the full support of the industry players who contributed to the CSA Standard, but to the great bewilderment of privacy experts and legal scholars everywhere, the drafters of this legislation set about the task of incorporating the text of the standard intact in the law. It was decided to incorporate it as a Schedule and make the modifications in the body of the law that would inevitably be required to retrofit the language of the code to a legal text" (Annotated Guide, at page 11). Part 4 of the CSA Standard became Schedule 1 to the PIPED Act.
[16]The Act received Royal Assent on April 13, 2000 and came into effect in phases from January 1, 2001 to January 1, 2004.
[17]On January 20, 2001, the European Commission ruled that the PIPED Act met the adequacy requirements of the European Union's Data Protection Directive adopted in 1995 and aimed at protecting personal information and harmonizing privacy laws amongst its member states. As a result, personal data from the member states may be transferred to Canada (European Decision pursuant to Directive 95/46/EC-January 20, 2001, reproduced in Federal Access to Information and Privacy Legislation, Annotated 2004, Drapeau and Racicot, Toronto: Carswell, 2004, at page 1-558).
The legislative framework
[18]The Act comprises five parts. The first one is the only part which covers substantial issues; it deals with the "Protection of Personal Information in the Private Sector." As to the other parts, they deal with technical issues (electronic documents and amendments to the Canada Evidence Act [R.S.C., 1985, c. C-5], the Statutory Instruments Act [R.S.C., 1985, c. S-22] and the Statute Revision Act [R.S.C., 1985, c. S-20]). This appeal is solely concerned with the first part.
[19]The first part is complemented by Schedule 1, "Principles set out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96." By virtue of subsection 5(1) of the Act, and subject to other sections of the Act, every organization is bound to comply with the obligations set out in Schedule 1.
[20]The first part and Schedule 1 are summarized as follows in the Statutes of Canada:
Part 1 of this enactment establishes a right to the protection of personal information collected, used or disclosed in the course of commercial activities, in connection with the operation of a federal work, undertaking or business or interprovincially or internationally.
It establishes the following principles to govern the collection, use and disclosure of personal information: accountability, identifying the purposes for the collection of personal information, obtaining consent, limiting collection, limiting use, disclosure and retention, ensuring accuracy, providing adequate security, making information management policies readily available, providing individuals with access to information about themselves, and giving individuals a right to challenge an organization's compliance with these principles.
It further provides for the Privacy Commissioner to receive complaints concerning contraventions of the principles, conduct investigations and attempt to resolve such complaints. Unresolved disputes relating to certain matters can be taken to the Federal Court for resolution.
[21]The following provisions are particularly relevant to this appeal:
CHAPTER 5
An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act
. . .
1. . . .
Personal Information Protection and
Electronic Documents Act
Part I
Protection Of Personal Information
in the Private Sector
. . .
Purpose
3. The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Application
4. (1) This Part applies to every organization in respect of personal information that
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
. . .
(3) Every provision of this Part applies despite any provision, enacted after this subsection comes into force, of any other Act of Parliament, unless the other Act expressly declares that that provision operates despite the provision of this Part.
Division 1
Protection Of Personal Information
5. (1) Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.
(2) The word "should", when used in Schedule 1, indicates a recommendation and does not impose an obligation.
(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
. . .
7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if
. . .
(d) the information is publicly available and is specified by the regulations.
(2) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only if
. . .
(c.1) it is publicly available and is specified by the regulations; or |
. . .
(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
. . .
(h.1) of information that is publicly available and is specified by the regulations; |
. . .
Division 2
Remedies
Filing of Complaints
11. (1) An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or for not following a recommendation set out in Schedule 1.
. . .
Commissioner's Report
13. (1) The Commissioner shall, within one year after the day on which a complaint is filed or is initiated by the Commissioner, prepare a report that contains
(a) the Commissioner's findings and recommendations;
. . .
(2) The Commissioner is not required to prepare a report if the Commissioner is satisfied that
(a) the complainant ought first to exhaust grievance or review procedures otherwise reasonably available;
(b) the complaint could more appropriately be dealt with, initially or completely, by means of a procedure provided for under the laws of Canada, other than this Part, or the laws of a province;
(c) the length of time that has elapsed between the date when the subject-matter of the complaint arose and the date when the complaint was filed is such that a report would not serve a useful purpose; or
(d) the complaint is trivial, frivolous or vexatious or is made in bad faith.
If a report is not to be prepared, the Commissioner shall inform the complainant and the organization and give reasons.
. . .
Hearing by Court
14. (1) A complainant may, after receiving the Commissioner's report, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner's report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of that Schedule as modified or clarified by Division 1, in subsection 5(3) or 8(6) or (7) or in section 10.
. . .
15. The Commissioner may, in respect of a complaint that the Commissioner did not initiate,
(a) apply to the Court, within the time limited by section 14, for a hearing in respect of any matter described in that section, if the Commissioner has the consent of the complainant;
(b) appear before the Court on behalf of any complainant who has applied for a hearing under section 14; or
(c) with leave of the Court, appear as a party to any hearing applied for under section 14.
16. The Court may, in addition to any other remedies it may give,
(a) order an organization to correct its practices in order to comply with sections 5 to 10;
(b) order an organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph (a); and
(c) award damages to the complainant, including damages for any humiliation that the complainant has suffered.
17. (1) An application made under section 14 or 15 shall be heard and determined without delay and in a summary way unless the Court considers it inappropriate to do so.
. . .
Division 4
General
. . .
27. (1) Any person who has reasonable grounds to believe that a person has contravened or intends to contravene a provision of Division 1, may notify the Commissioner of the particulars of the matter and may request that their identity be kept confidential with respect to the notification.
. . .
SCHEDULE 1
(Section 5)
Principles Set out in the National
Standard of Canada Entitled Model
Code for the Protection of
Personal Information,
CAN/CSA-Q830-96
4.1 Principle 1--Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
. . .
4.1.4
Organizations shall implement policies and practices to give effect to the principles, including
(a) implementing procedures to protect personal information;
. . .
(d) developing information to explain the organization's policies and procedures.
4.2 Principle 2--Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
. . .
4.2.2
Identifying the purposes for which personal information is collected at or before the time of collection allows organizations to determine the information they need to collect to fulfil these purposes. The Limiting Collection principle (Clause 4.4) requires an organization to collect only that information necessary for the purposes that have been identified.
4.2.3
The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.
4.2.4
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. . . .
. . .
4.3 Principle 3--Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. [Note omitted.]
4.3.1
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).
4.3.2
The principle requires "knowledge and consent". Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
4.3.3
An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
4.3.4
The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. . . .
4.3.5
In obtaining consent, the reasonable expectations of the individual are also relevant. . . .
4.3.6
The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. . . .
4.3.7
Individuals can give consent in many ways. For example:
(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
(c) consent may be given orally when information is collected over the telephone; or
(d) consent may be given at the time that individuals use a product or service.
The regulatory context of the non-published number service
[22]The non-published number service (NPNS) is a telecommunications service regulated by the CRTC. The tariff applicable in British Columbia is CRTC 1005, General Tariff Item 145. The monthly service charge for NPNS is $2 and there is a one-time set-up fee of $9.50 (A.B., Vol. 1, at pages 87-88).
[23]On January 25, 1994, in Telecom Decision CRTC 94-1 [BC Tel--Revenue Requirements for 1993 and 1994], the CRTC expressed the view "that the provision of directories form an essential part of, and significantly enhances the value of, the company's basic telephone service" (A.B., Vol. 2, at page 393). On May 1, 1997, in Telecom Decision CRTC 97-8 [Local Competition], the CRTC required that telephone directories be provided free of charge to customers (A.B., Vol. 2, at page 309).
[24]On March 8, 1995, in Telecom Decision CRTC 95-3 [Provision of Directory Database Information and Real-Time Access to Directory Assistance Databases], the CRTC ordered various telephone companies, including TELUS, to send billing inserts to their customers informing them of the provision of non-confidential listing information to third parties and of the means available to have their names and related information excluded. In addition, the CRTC directed those companies that had not already done so to implement measures to inform customers calling to initiate service, or with privacy concerns, of the method by which their names could be removed from listings that are sold or rented to third parties (A.B., Vol. 1, at page 185).
[25]On June 25, 1996, by Order in Council P.C. 1996-1001 [Order Varying Telecom Decision CRTC 95-14 and requiring the CRTC to Report on the Matter of Directory Subscriber Listings, SOR/96-322], the Governor in Council required the CRTC to report "on the matter of directory subscriber listings, including the appropriate level of protection that should be accorded to subscriber listings and an evaluation of the unlisted number service" (A.B., Vol. 1, at page 172; C. Gaz. 1996.II.2172). Two "whereas" are worth noting (A.B., Vol. 1, at page 171; C. Gaz. 1996.II.2172):
Whereas the Governor in Council has determined that the pricing of the unlisted number service may deter subscribers from delisting their personal information from telephone companies' directories and that such a service should be made available to subscribers of other telecommunication services;
Whereas the Governor in Council has determined that privacy safeguards should be cost-effective and competitively neutral and should not unduly interfere with the introduction of new services;
[26]The CRTC issued a public notice inviting submissions. The Privacy Commissioner accepted the invitation and recommended, inter alia, the following (A.B., Vol. 2, at pages 489-491):
RECOMMENDATION 2.--When telephone companies collect information from new or existing subscribers, they should tell the subscribers about all primary and possible secondary uses of their personal information, who might use the information, and all means available to the subscriber to control or prohibit these uses.
RECOMMENDATION 3.--Service providers should always ask new subscribers whether they want their listings fully or partially listed, unpublished, or unlisted.
RECOMMENDATION 4.--Service providers should not charge for de-listing or not publishing listings.
The Commissioner's observations leading to his recommendation 4 read (A.B., Vol. 2, at pages 490-491):
Subscribers must normally pay to have their listing unpublished or to keep it unlisted. In the United States, monthly de-listing charges range from $0.65 in California to $2.54 in New York. In Canada, monthly de-listing charges are on average 132% higher than in the United States, ranging from $1.55 in Manitoba to $5.75 in the Maritime provinces.
Both the Privacy Commissioner and the federal Cabinet agree that these high charges may discourage de-listing or non-publication, and thus prevent many subscribers from protecting their privacy. Between a quarter and a third of American subscribers have had their listings removed from directories and directory assistance. Figures for Canada are not available, but the Commissioner suspects that fewer Canadians take advantage of de-listing.
De-listing and not publishing listings affect both published directories and the level of directory assistance required from service providers or their affiliated publishers. The Commissioner, however, does not believe that this justifies infringing upon the privacy of subscribers. Indeed, revenues lost through de-listing would be offset by reduced printing costs (directories would be thinner). Furthermore, revenues from providing directory assistance would increase.
[27]On December 23, 1996, the CRTC submitted its 25-page Report to the Governor in Council on Directory Subscriber Listings and on Unlisted Number Service (A.B., Vol. 1, at page 182).
[28]The Report sets out a list of applicable principles established by Industry Canada which must be taken into account (A.B., Vol. 1, at pages 190-191; Report, at pages 6-7):
(1) Canadians value their privacy. Personal privacy considerations must be addressed explicitly in the provision, use and regulation of telecommunications services.
(2) Canadians need to know the implications of the use of telecommunications services for their personal privacy. All providers of telecommunications services and government have a responsibility to communicate this information in an understandable and accessible form.
(3) When telecommunications services that compromise personal privacy are introduced, appropriate measures must be taken to maintain the consumer's privacy at no extra cost unless there are compelling reasons for not doing so.
(4) It is fundamental to privacy that there be limits to the collection, use and disclosure of personal information obtained by service providers and generated by telecommunications networks. Except where clearly in the public interest, or as authorized by law, such information should be collected, used and disclosed only with the express and informed consent of the persons involved.
(5) Fundamental to privacy is the right to be left alone. A balance should exist between the legitimate use of unsolicited telecommunications and their potential for intrusion into personal privacy. All parties have a responsibility to establish ground rules and methods of redress so that Canadians are able to protect themselves from unwanted and intrusive telecommunications.
(6) Privacy expectations of Canadians may change over time. Methods of protecting telecommunications privacy must be reviewed from time to time to meet these changing expectations and to respond to changing technologies and services.
To these must be added the determination in Order in Council P.C. 1996-1001 that privacy safeguards should be cost-effective and competitively neutral and should not unduly interfere with the introduction of new services.
The Commission notes that the above principles may conflict with one another, and considers that any choice as to which should prevail in a given situation would depend on an assessment of the individual circumstances, taking into account such factors as the nature of the service, the nature of the information and any past practices that may have evolved.
[29]The Report then finds that (A.B., Vol. 1, at pages 194-195):
. . . the provision of primary exchange service by the telephone company has generally included a listing in the directory, the provision of White and Yellow Pages directories, and the availability of the subscriber's telephone number through directory assistance. The exception has been when the subscriber requested, at a fee, an unlisted telephone number. The Commission considers that, as a result of this long-established practice, subscribers currently expect that, unless they request an unlisted number, their telephone numbers will be published in the telephone companies' directories and will be available through directory assistance. In the Commission's view, subscribers can be considered to have consented to this use if they initiate service without requesting an unlisted number.
. . .
The Commission considers that . . . subscribers to primary exchange service are regarded as having consented to the publication of their information in independent directories. [My emphasis.]
[30]With respect to unlisted number service, the Report states (A.B., Vol. 1, at page 201):
In assessing the appropriate balance with respect to unlisted number service, the Commission considers that the factors noted by Stentor must be weighed against concerns as to privacy, which have become more acute as a result of increased accessibility of subscriber listing information, particularly in forms that are easily manipulated, and the fact that subscribing to the service may now be the only effective way for subscribers to control dissemination of their listing information. Given the current environment, it is increasingly important that unlisted number service not be priced beyond the financial reach of subscribers.
In the past, the Commission has set rates for unlisted number service to maximize revenues to the telephone companies. The Commission's preliminary view is that this policy is no longer appropriate in light of current regulatory circumstances. The Commission's initial view is that charges should not be entirely eliminated, and that the current circumstances are not sufficient to warrant offering the service below cost. Rather, the commission considers that a cost-based rate would provide an acceptable compromise, taking into account the potential revenue impact of a reduced rate and given that the use of the telecommunications system is enhanced by having subscriber listing information readily available. In light of the above, the Commission considers that rates for unlisted numbers should be re-examined with the aim of establishing rates based on current costs plus contribution. [My emphasis.]
[31]On August 27, 1997, the CRTC invited submissions regarding the rates for unlisted number service and related issues (A.B., Vol. 1, at page 210). Following the receipt of submissions, including that of the Privacy Commissioner (which was not put in evidence in the record before us), the CRTC issued Telecom Order CRTC 98-109 in which it concluded as follows (A.B., Vol. 1, at pages 229-230):
31. Based on the information filed in this proceeding, the Commission considers that to set a cost-based rate would fail to take adequate account of considerations such as the usefulness of a reasonably complete directory and the revenue impact of reduced rates.
32. However, given increasing personal privacy concerns, the Commission also considers it inappropriate that monthly rates for unlisted number service for residence subscribers remain at levels that were established in the past with a view to maximizing revenues available to subsidize basic residential service.
33. Taking into account the increasing privacy concerns, as well as factors such as the revenue impact of reduced rates for unlisted number service and the contribution that readily available subscriber listing information makes to the usefulness of the network, the Commission considers it appropriate that the telephone companies provide an unlisted number service at a rate that does not exceed $2 per month for residence subscribers. [My emphasis.]
[32]Of interest is the submission made to the CRTC by the Information and Privacy Commissioner of Alberta (A.B., Vol. 1, at pages 502-503):
It is my view that setting rates for unlisted number service to maximize revenue for the service provider is completely unacceptable. As I stated in my earlier submission, I am fundamentally opposed to the notion that individuals should have to pay for their right to control the use that is made of their personal information. Accordingly, I believe that the present system of maximizing revenue is completely unfair.
It is not appropriate to set rates for unlisted number service to discourage people from utilizing this service. There are a number of instances where people need this type of service to ensure that they are adequately protected from harmful circumstances. For example, if a spouse who is the victim of abuse requires to keep his or her telephone number unavailable, this should not be at an unreasonable cost. The cost for the service should be based on the actual cost with no mark-up, to the service provider and not based on potential lost revenues if this information is not available to the general public.
I strongly believe that people have a right to privacy. While this may not be without cost, the cost should be defensible and based on the actual cost of providing the service. If the actual cost is not reasonable, the service providers should be directed to reduce costs within a specific time period to an acceptable level. I am convinced that today's technology makes this possible.
[33]On December 13, 2000, the Governor in Council made the Regulations Specifying Publicly Available Information, SOR/2001-7 (the Regulations), which were to come into force on January 1, 2001:
Regulations Specifying Publicly
Available Information
Information
1. The following information and classes of information are specified for the purposes of paragraphs 7(1)(d), (2)(c.1) and (3)(h.1) of the Personal Information Protection and Electronic Documents Act:
(a) personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory;
(b) personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the directory, listing or notice;
[34]In the Regulatory Impact Analysis Statement [C. Gaz. 2001.II.32] which accompanies (but is not part of) the Regulations, the following comments are worth noting:
Regulatory Impact Analysis Statement
(This statement is not part of the Regulations.)
Description
. . .
Telephone Directories
One association pointed out that the exception for the telephone directory is based on the individual's ability to refuse to appear in the directory but that the refusal can only be exercised by paying for an unlisted number (this is a condition set by several of the telephone companies). They argued that this fee was an economic barrier to lower income people who may not wish to be listed but who cannot afford to exercise their right to refuse and suggested adding "without incurring any cost for such refusal". While this point may have validity from an access to services perspective, the use of fees is not specifically a protection of privacy issue. [My emphasis.]
[35]On May 30, 2003, the CRTC issued Telecom Decision CRTC 2003-33 [Reference: 8665-C12-14/01 and 8665-B20-01/00. Confidentiality provisions of Canadian Carriers] in which it found that implied consent is not an appropriate type of consent for the disclosure to affiliates of confidential customer information other than the customer's name, address and listed telephone number. It also found that it is appropriate to permit Canadian carriers to use other forms of express consent as alternatives to written consent, these alternatives being: oral confirmation verified by an independent third party; electronic confirmation through the use of a toll-free number; or electronic confirmation via the Internet. Of particular significance for the purpose of this appeal is the following comment made by the CRTC at paragraph 23 of its decision:
The Commission notes that the PIPED Act sets out regulations and standards relating to the privacy of personal information. However, the Commission also notes that its jurisdiction in this matter stems not from the PIPED Act, but from the Telecommunications Act, and that in exercising its discretionary powers pursuant to the Telecommunications Act, it may apply different standards than those contemplated by the PIPED Act.
Interpreting Part 1 and Schedule 1 of the Act
[36]One should not be hasty in applying to Part 1 and Schedule 1 of the PIPED Act principles and rules of interpretation developed in the context of the Privacy Act [R.S.C., 1985, c. P-21], if only because of the dissimilarity between their two "purpose" provisions:
PIPED Act
Purpose
3. The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Privacy Act
purpose of act
2. The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.
[37]The purpose of the Privacy Act was described as being twofold by La Forest J. in Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403, at paragraph 64. First, it is to "protect the privacy of individuals with respect to personal information about themselves held by a government institution;" and, second, to "provide individuals with a right of access to that information."
[38]The purpose of the PIPED Act is altogether different. It is undoubtedly directed at the protection of an individual's privacy; but it is also directed at the collection, use and disclosure of personal information by commercial organizations. It seeks to ensure that such collection, use and disclosure are made in a manner that reconciles, to the best possible extent, an individual's privacy with the needs of the organization. There are, therefore, two competing interests within the purpose of the PIPED Act: an individual's right to privacy on the one hand, and the commercial need for access to personal information on the other. However, there is also an express recognition, by the use of the words "reasonable person," "appropriate" and "in the circumstances" (repeated in subsection 5(3)), that the right of privacy is not absolute.
[39]The PIPED Act is a compromise both as to substance and as to form.
[40]With respect to the compromise on substance, Michael Geist, in Internet Law in Canada, 3rd ed., Concord, Ont.: Captus Press, 2002, at page 303, puts it as follows:
The subject of intense negotiation between business, consumer groups, and government in the early and mid-1990s, the Code represents a compromise between the need to protect individual privacy and the desire of organizations to collect personal data for marketing and other commercial purposes. This compromise remains intact in the new law, and is reflected in its purpose clause, which explicitly refers to the balance between the competing interests of individuals and business. (An early version of the bill referred only to personal privacy.)
[41]Five of the ten principles set out in Schedule 1 (accountability, accuracy, safeguards, individual access and challenging compliance) impose on organizations obligations pertaining essentially to their internal handling of personal information once it is in their possession. One principle (openness) relates to the public relations policy of organizations with respect to their management of personal information. The four other principles (identifying purposes, consent, limiting collection and limiting use, disclosure and retention) are of a more substantial nature, in the sense that they purport to ensure that individuals do not reveal their personal information unless they know for what specific purposes it will be used or disclosed, unless these purposes are legitimate and unless they consent to the use and disclosure that is intended to be made of that information. These are the four principles that are in play in these proceedings.
[42]It appears from a reading of clauses 4.2 (identifying purposes), 4.3 (consent), 4.4 (limiting collection) and 4.5 (limiting use, disclosure and retention), that the focus of Schedule 1 is not so much on the prevention of collection, use and disclosure of personal information, which are almost taken for granted, as on the purposes for which the information is collected, used or disclosed. These purposes must be appropriate and legitimate, and reasonable efforts must have been made to ensure that the individual is advised of and understands them. Once these purposes are identified and once informed consent is expressly or implicitly obtained, the individual's information can be collected, used or disclosed.
[43]The PIPED Act is also a compromise as to form, as is amply demonstrated by the recital of its historical background. Schedule 1 is an exact replica of Part 4 of the CSA Standard adopted in 1995, which Standard in turn was based on the OECD Guidelines adopted in 1980 and to which Canada had adhered in 1984. Both the CSA Standard and the OECD Guidelines are the product of intense negotiations between competing interests, which proceeded on the basis of self-regulation and which did not use nor purport to use legal drafting.
[44]The authors of the Annotated Guide have set out a number of reasons which make it inherently difficult to incorporate in legislation a code that was written originally as a voluntary instrument [at page 6]:
First, the standard was a mix of recommendations and requirements, usually written as "shoulds" and "shalls." In the regime of voluntary standards, a "should" is often regarded as best practice and treated as a necessity unless there are strong reasons not to do so, but this kind of flexibility is not recognized in legal drafting.
Second, the definitions used in the standard do not follow legal drafting style, and in some cases (for instance, "consent"), they embodied policy decisions that would have been more appropriately addressed in the text of the code.
Third, there was a certain amount of repetition and cross-referencing in the code of practice that is problematic in legislation.
Fourth, two of the more difficult issues to decide were dealt with in the code as notes. There were the exceptions to the requirement for consent and the exceptions to the right of access. General statements using examples were incorporated as notes, partly because it was very difficult to reach agreement on text in the context of a voluntary exercise. These notes were too vague for the law, but since they contained very important exceptions, they had to be dealt with somehow. All these issues made the incorporation of the code in its totality an unattractive option from a legal drafting point of view.
[45]The Court is sometimes left with little, if any guidance at all. Clause 4.3, for example, requires knowledge and consent "except where inappropriate." Clause 4.3.4 sets up a standard of "sensitivity of the information," only to add that "any information can be sensitive, depending on the context." Clause 4.3.5 then goes on to say that "[i]n obtaining consent, the reasonable expectations of the individual are also relevant."
[46]All of this to say that, even though Part 1 and Schedule 1 of the Act purport to protect the right of privacy, they also purport to facilitate the collection, use and disclosure of personal information by the private sector. In interpreting this legislation, the Court must strike a balance between two competing interests. Furthermore, because of its non-legal drafting, Schedule 1 does not lend itself to typical rigorous construction, In these circumstances, flexibility, common sense and pragmatism will best guide the Court.
The nature of the hearing and the deference owed to the Commissioner's report
[47]Similar issues were recently examined by this Court in the context of the Official Languages Act [R.S.C., 1985 (4th Supp.), c. 31] (see Forum des maires de la Péninsule acadienne v. Canada (Food Inspection Agency), [2004] 4 F.C.R. 276 (C.A.) (Forum des maires)). While the case dealt with a different statute, the provisions in the Official Languages Act with respect to the proceedings that may be commenced in the Federal Court are so similar to those found in the Personal Information Protection and Electronic Documents Act that the same reasoning can apply (see also, Eastmond v. Canadian Pacific Railway (2004), 16 Admin. L.R. (4th) 275 (F.C.), Lemieux J., at paragraphs. 118-120) . I find no difference on a procedural point of view between an application "for a remedy" ("former un recours") under subsection 77(1) of the Official Languages Act and an application "for a hearing" ("que la Cour entende") under subsection 14(1) of the Act. The investigations carried out pursuant to a complaint by the Official Languages Commissioner and the Privacy Commissioner basically follow the same pattern. The application to the Federal Court in both cases may be made by a complainant and is to be heard in a summary way. What is at issue in both proceedings is not the Commissioner's report, but the conduct of the party against whom the complaint is filed. And the remedial power of the Court in the PIPED Act, even though not drafted in Charter [Canadian Charter of Rights and Freedoms, being Part I of the Constitution Act, 1982 Schedule B, Canada Act 1982, 1982, c. 11 (U.K.) [R.S.C., 1985, Appendix II, No. 44]], language, is remarkably broad.
[48]As found in Forum des maires, therefore, the hearing under subsection 14(1)of the Act is a proceeding de novo akin to an action and the report of the Commissioner, if put in evidence, may be challenged or contradicted like any other document adduced in evidence. I may add a further argument in support of this finding: according to section 15 of the Act, the Commissioner may appear as a "party" at the hearing. To show deference to the Commissioner's report would give a head start to the Commissioner when acting as a party and thus could compromise the fairness of the hearing. The Official Languages Act contains a similar provision, subsection 77(1).
The standing
[49]The appellant concedes that he has no personal interest in the consent issue to the extent that he does not allege that his privacy interests were infringed by TELUS' action. As a result, TELUS argues that the appellant lacks the common law interest to address the Court on the consent issue. There is no challenge to the appellant's standing in regard to the rate issue.
[50]We are dealing, here, with express statutory language where recourse is open to any "complainant" (subsection 14(1) of the Act). While a complainant is "an individual" who has filed a complaint with the Commissioner (subsection 11(1)), it flows from subsection 14(1) that only a complainant with respect to whose complaint a report was prepared by the Commissioner can apply to the Court. Where the Commissioner does not prepare a report for any of the reasons mentioned in subsection 13(2) (for example where the complaint is found by the Commissioner to be trivial, frivolous, vexatious or made in bad faith), the complainant cannot seek the benefit of a hearing under section 14 and hence must be satisfied with a judicial review proceeding under section 18 [as am. by S.C. 1990, c. 8, s. 4; 2002, c. 8, s. 26] of the Federal Courts Act [R.S.C., 1985, c. F-7, s. 1 (as am.by S.C. 2002, c. 8, s. 14)]. (I note in passing that the recourse under section 14 appears to be open only to the complainant, and not to the organization against which the complaint was made, with the awkward result that the only avenue open to the organization could be that of judicial review.)
[51]TELUS argues, by reason of the words "tout intéressé" found in the French text of subsection 11(1), that an individual who has no personal interest may not file a complaint with the Commissioner and should be restricted to having a "whistle blowing" interest under section 27 of the Act. That may well be the case before the Commissioner and it may well be that the Commissioner could refuse to prepare a report where he finds that a complainant has no personal interest, but I express no opinion on either matter. However, in situations where the Commissioner has prepared a report, and where his decision to do so has not been challenged, the individual who has filed the complaint becomes a complainant for the purposes of an application to the Court pursuant to section 14 of the Act as soon as the report is sent to that individual, whether or not his own personal information is at stake. (Compare with Maheu v. IMS Health Canada (2003), 24 C.P.R. (4th) 70 (F.C.T.D.), Lemieux J., at paragraph 59; affd (2003), 29 C.P.R. (4th) 425 (F.C.A.).)
[52]I recognize that the granting of standing in these circumstances is exceptional, but I cannot read the provisions of the Act otherwise, and even more so when one considers that the hearing before the Court is, pursuant to the very words of subsection 14(1), "in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner's report". The recognition of standing to bring proceedings to the Court does not, however, affect the inherent jurisdiction of the Court to decline to hear a matter which no longer has any object or which is normally considered non-justiciable (see Chiasson v. Canada (2003); 226 D.L.R. (4th) 351 (F.C.A.)). Nor does it affect the duty of the Court not to grant a remedy which would lead it astray from its role as judicial arbiter (see Forum des Maires).
The consent issue
[53]Much was said before us and in the reasons of the Federal Court about section 7 of the Act and paragraph 1(a) of the Regulations. On the one hand, they exempt an organization from the requirement under clause 4.3 of Schedule 1 of obtaining the knowledge and consent of the individual when the personal information is "publicly available." On the other hand, they deem to be publicly available personal information consisting of the name, address and telephone number of a subscriber that appears in a publicly available telephone directory (but only where the subscriber can refuse to have the information appear in the directory).
[54]With respect, I am of the view that section 7 of the Act and paragraph 1(a) of the Regulations are not applicable in the case at bar. The provisions apply when personal information consisting of the name, address and telephone number of a subscriber already appears in a publicly available telephone directory. They enable organizations to collect, use or disclose that existing information for their own purposes. But the provisions do not, and indeed cannot, apply to the very organization that initially collects the information for the purpose of publishing a telephone directory that will, once published, become publicly available.
[55]Indeed, the fact that the use of personal information contained in publicly available telephone directories can be so widespread because of these Regulations militates in favour of the Court exercising additional caution when determining issues pertaining to initial listings in telephone directories.
[56]Principles 2, "Identifying Purposes," and 3, "Consent," are at the heart of this appeal. Principle 3, I hasten to add, despite its name, "requires `knowledge and consent'" (clause 4.3.2). In other words, Principle 3 requires informed consent.
[57]Principle 2 requires an organization to identify the purposes for which personal information is collected at or before the time the information is collected (clause 4.2). It also requires the organization to specify the identified purposes to the individual at or before the time of the collection (clause 4.2.3) and, where personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use and the consent of the individual is required before information can be used for that purpose (clause 4.2.4).
[58]Clauses 4.2.3 and 4.2.4 are particularly relevant in the case at bar as they clearly impose on the organization the burden of making clear to the individual all the purposes for which the personal information is collected at or before the time of collection.
[59]Principle 3 requires "[t]he knowledge and consent of the individual . . . for the collection, use or disclosure of personal information, except where inappropriate." In appropriateness is not defined and I suspect that it may refer at least to section 7 of the Act which authorizes collection without knowledge or consent in some circumstances (see paragraph 21 [of these reasons]). (I note that the English text of subsections 7(1), (2) and (3) refers to "knowledge or consent," while the French text refers to "à l'insu de l'intéressé et sans son consentement" (my emphasis). Nothing in my view turns on the difference as it appears clearly from clause 4.3 of Schedule 1 that the principle of consent requires knowledge and consent.)
[60]Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used (clause 4.3.2). Consent, and therefore knowledge, are required for the collection of personal information and the subsequent use or disclosure of this information and, typically, an organization will seek consent for the use or disclosure of the information at the time of collection (clause 4.3.1). The form of the consent sought by the organization, and the way in which the organization seeks consent, may vary, depending upon the circumstances and the type of information (clauses 4.3.4 and 4.3.6). In obtaining consent, the reasonable expectations of the individual are relevant (clause 4.3.5). Implied consent would generally be appropriate when the information is less sensitive (clause 4.3.6). Examples of ways in which individuals can give consent are: on application forms, on checkoff boxes, over the telephone, at the time of use, all of which imply that the consent is given at the time of collection and before use.
[61]Timing, therefore, as was the case with respect to Principle 2, is also of the essence with respect to Principle 3. In most instances, the requirement of knowledge and consent has to be met by the organization at the time of collection and prior to use. Brochures and tools which are made available to the individual after the time of collection and sometimes even after the time of use cannot be relied on to determine whether knowledge was acquired and consent given by an individual at the time of collection. These brochures and tools are made available by the organization in compliance with Principle 8, "Openness," which requires organizations to make readily available to individuals specific information about its policies and practices relating to the management of personal information. Compliance with Principle 8 will generally come too late for compliance with Principle 3. Openness can, of course, set the course for a finding of tacit consent should it be eventually demonstrated that first-time customers are aware of the brochures at the time they subscribe.
[62]It was found by the Judge that TELUS and its affiliates use and disclose the names, addresses, and telephone numbers appearing in a telephone directory of TELUS customers (the "listing information") through the following services (at paragraph 15 of the reasons):
- Printed telephone directories commonly known as the White Pages. There is one annual White Pages for the region described as "Metro Vancouver" and there are several others covering sub-regions or neighbourhoods within Vancouver. Each White Pages includes the listing information of TELUS' customers residing in the applicable region or sub-region who have not subscribed for NPNS.
- When new customers subscribe for local residential service, they are automatically included in the directories unless they also subscribe for NPNS. If they subscribe for NPNS, their listing must be manually "flagged" to ensure that their listing information is not included with the information that is provided to directory assistance and for the purpose of printing the directory. NPNS accounts also require ongoing extra security and special handling. Thus, the provision of NPNS results in some additional costs to TELUS.
- Dial-in directory assistance commonly known as "411", which TELUS offers to members of the general public, generally for a fee.
- Internet directory assistance called "People Finder", also offered to members of the general public. It is a service provided by TELUS Advanced Services Inc., an affiliate of TELUS. This service also offers a reverse-lookup function, whereby a member of the general public can enter a telephone number and find out listing information associated with it. However, the listing information of TELUS customers who have subscribe for NPNS is not included in the database.
- Through services called Directory File Service and Basic Listing Interchange File Service, TELUS discloses, for a fee, listing information of its customers. The CRTC requires TELUS to provide these services to independent directory publishers and certain other organizations, pursuant to Tariff Items 23 and 210 in British Columbia.
- TELUS' directory publisher, Dominion Information Services Inc. (Dominion), provides selected listing information, for a fee, to selected organizations (List Services). The listing information so provided excludes all information for TELUS customers who have subscribed for NPNS as well as for those who have requested to be "de-listed".
- Dominion also provides listing information in a CD-ROM format that can be purchased as a retail product under licence to anyone who wishes to purchase it. The CD-ROM can be used for reference only, has limited printout availability, and is copy protected and encrypted to avoid misuse. The licences provide that it cannot be used to publish alternate directories or to print the entire contents.
[63]TELUS' practice with respect to seeking the consent of its first-time customers was summarized as follows by the Judge (at paragraphs 38-40):
In his affidavit, Jim Brooks, TELUS Vice-President, Business Transformation, informs us of the procedure that is followed when a customer subscribes to a new telephone line. TELUS customer service representatives are instructed to indicate to customers that the telephone line includes a listing in TELUS directories; customers are asked how they would like their personal information to appear in the directories; and the representatives discuss privacy concerns and listing options with the customer if the customer expresses an interest in not being published. New customers also receive a welcoming letter with an accompanying brochure entitled "Our privacy Commitment to You". The brochure sets out, inter alia, the purposes for which TELUS collects, uses, and discloses customers' personal information. It also advises customers of their right to be de-listed.
The White Pages specifically detail how TELUS uses personal information and the various privacy oriented service options provided by TELUS. They also indicate to whom TELUS discloses information and how a customer's information can be used. There are also specific instructions on how customers can withdraw their consent, verify or change their personal information at any time.
Furthermore, TELUS maintains a toll free number which is dedicated to providing information to customers who wish to discuss privacy issues. TELUS also maintains a website where customers can obtain information about its privacy practices. In addition to those services, TELUS employs a full-time Privacy Officer who is accountable for privacy policies and practices.
[64]The Judge, before reaching his conclusion at paragraph 48 that TELUS had "valid consent under the PIPEDA to publish its customers' personal information in [their] directories," expressed the opinion that (at paragraph 41)
It is a long-standing and well established practice of telephone companies to include directory listings as part of residential telephone services. Thus, in addition to being notified of the fact by TELUS, customers have a reasonable expectation that unless they subscribe to NPNS, their listing information will be published in the phone directory.
and (at paragraph 47):
. . . I believe that once a TELUS representative has asked a new subscriber how he or she would like his or her listing information to appear in the telephone directory, it is open to that subscriber to enquire on the options available to him or her. If the privacy of such information is fundamental or simply desired by a subscriber, it is his or her responsibility to educate him or herself, either by asking the representative or through the various tools which have been put at the public's disposal by TELUS.
[65]I find, in the circumstances, that proper consent was not, and could not have been given, by TELUS first-time customers with respect to the use by TELUS of the personal information in its Internet directory assistance service, in its directory file service and basic listing interchange file service and its CD-ROM service. These services were not identified at the time of enrolment and there is no evidence that they were so connected with the primary purposes of telephone directories that a new customer would reasonably consider them as appropriate. There is no evidence that TELUS made any "effort," let alone a "reasonable" one, within the meaning of clause 4.3.2, to ensure that its first-time customers are advised of the secondary purposes at the time of collection. The Judge makes no specific finding with respect to these services, which in itself is a reviewable error.
[66]With respect to the primary purposes, the Judge found that reasonable first-time customers would be well aware of the established practice of telephone companies to include directory listings as part of their residential telephone services (I include here the 411 service as well) and that a reasonable person would consider such purposes to be appropriate. Such deemed knowledge would enable TELUS to assume that the first-time customers are aware of the primary purposes for which their personal information is collected and implicitly agree to their name, address and telephone number appearing in the directory listings unless they say otherwise at the time of enrolment. The Judge's finding seems to be based on a short passage in the CRTC's Report to the Governor in Council on Directory Subscriber Listings and on Unlisted Number Service (see paragraph 29 [of these reasons]).
[67]The Judge's conclusion and the CRTC's finding that first-time customers can be considered to have consented to the primary uses if they do not, on their own initiative, request an unlisted number, are not compatible, in my respectful view, with the very exercise of seeking informed consent before or at the time of enrolment mandated by Part 1 of the Act and by Schedule 1. A consent is not informed if the person allegedly giving it is not aware at the time of giving it that he or she had the possibility to opt out. First-time customers have the right to know before their personal information becomes "publicly available" within the meaning of section 7 of the Act, with all the consequences that might flow from such publicity, that they can exercise their right to privacy and choose not to be listed. This, it seems to me, is a fair compromise between one's right to privacy and the industry's needs.
Whether the Court has jurisdiction to examine the legality of the rates imposed by the CRTC with respect to the use of the non-published number service
[68]As I understand the appellant's argument, TELUS cannot be permitted to charge its customers merely for exercising their statutory right to privacy. This practice would infringe clause 4.3.3 of Schedule 1 which prescribes that "[a]n organization shall not, as a condition of the supply of a . . . service, require an individual to consent to the collection . . . of informa-tion." I will come back to this provision when I examine the merits of the rate issue. I merely quote it now to explain the type of jurisdiction we are talking about at this point.
[69]The Judge at paragraph 60 of his reasons found that the Court had no jurisdiction over the rate issue, "as it is a matter within the exclusive jurisdiction of the CRTC." Counsel for the respondent, in support of that finding, relies on the line of reasoning stemming from the decision of the Supreme Court of Canada in St. Anne Nackawic Pulp & Paper Co. v. Canadian Paper Workers Union, Local 219, [1986] 1 S.C.R. 704; Weber v. Ontario Hydro, [1995] 2 S.C.R. 929; Regina Police Assn. Inc. v. Regina (City) Board of Police Commissioners, [2000] 1 S.C.R. 360 and, more recently, in Quebec (Attorney General) v. Quebec (Human Rights Tribunal), [2004] 2 S.C.R. 223.
[70]I must say at the outset that I find this whole exercise somehow sterile. I do so for two reasons. First, the issue will ultimately and in any event be decided by the Federal Court of Appeal, either on appeal (as here) from a decision of the Federal Court made under the PIPED Act or on appeal on a question of law from a decision of the CRTC made under the Telecommunications Act [S.C. 1993, c. 38]. Second, the CRTC did not assert, let alone exercise, its jurisdiction on the issue and there is no risk, therefore, of conflicting decisions. At worst, as can be seen from the abstract quoted in paragraph 35 [of these reasons], the CRTC appears to be of the view that its privacy standards may differ from those set out in the PIPED Act. This startling proposition may have to be examined when the occasion arises.
[71]The issue, here, is not whether the Privacy Commissioner, but whether the Federal Court has jurisdiction. The Commissioner, in any event, is not a tribunal and has no decision-making power under the PIPED Act. At best, the Commissioner can form an opinion on the issue and include it in his report. As the report is not a "decision," there can be no conflict with the decision of a court or tribunal found to have exclusive, concurrent or overlapping jurisdiction to determine the issue.
[72]The CRTC, on the other hand, is a decision-making tribunal. Section 25 of the Telecommunications Act prohibits any Canadian carrier from providing a telecommunications service except in accordance with a tariff filed and approved by the CRTC that specifies the rate. Section 27 ensures that every rate charged for a telecommunication service is "just and reasonable." Paragraph 7(i) includes in the list of objectives of the Canadian telecommunications policy that of "contribut[ing] to the protection of the privacy of persons."
[73]Paragraph 32(a) allows the CRTC, for the purposes of Part III, which is the one with which we are concerned, to "approve the establishment of classes of telecommunications services and permit different rates to be charged for different classes of services." Paragraph (g) goes on to give the CRTC the power, "in the absence of any applicable provision in this Part, [to] determine any matter and make any order relating to the rates, tariffs or telecommunications services of Canadian carriers."
[74]Section 47 orders the CRTC to exercise its powers with a view to implementing the Canadian telecommunications policy objectives and ensuring that carriers provide services and charge rates in accordance with section 27. Section 48 empowers the CRTC to "make a determination in respect of anything prohibited, required or permitted to be done under Part . . . III" (i.e. sections 25 to 46). Section 52 provides that the CRTC "may, in exercising its powers and performing its duties under this Act . . . determine any question of law or of fact".
[75]It is therefore arguable, taking into account the relevant provisions and circumstances, that the CRTC has jurisdiction to determine the legality of the rates it otherwise approves (see Nova Scotia (Workers' Compensation Board) v. Martin; Nova Scotia (Workers' Compensation Board) v. Laseur, [2003] 2 S.C.R. 504, at page 537). Since the CRTC did not intervene in these proceedings, I shall limit myself to assuming, without deciding, that it has jurisdiction.
[76]What remains to be decided is whether the CRTC's jurisdiction over the rate issue ousts the Federal Court's jurisdiction over the same issue.
[77]The PIPED Act provides a comprehensive complaint mechanism to the Privacy Commissioner, and ultimately, to the Federal Court. It also takes precedence, in the circumstances described in subsection 4(3) of the Act, over the Telecommunications Act.
[78]Complaints are made under section 11 "against an organization for contravening a provision of Division 1 [i.e. sections 5 to 10] or for not following a recommendation set out in Schedule 1." In order for the Federal Court, acting pursuant to section 14 of the Act, to determine whether an organization has failed, in violation of subsection 5(1), to comply with the obligations set out in Schedule 1, in this case clause 4.3.3, the Court must have the power to decide whether the imposition of a fee is permissible under that clause. This is a pure question of law which pertains to the very statute that the Court is being asked to enforce. It would take explicit wording in the Telecommunications Act to oust the jurisdiction of the Federal Court when acting under the PIPED Act. There is no such explicit wording. (See Eastmond, at paragraphs 92-117, cited at paragraph 47 above.)
[79]I therefore reach the conclusion that there is either concurrent jurisdiction or overlapping jurisdiction, to use the words of the Supreme Court of Canada in Weber and in Quebec (Attorney General) v. Quebec (Human Rights Tribunal), at paragraph 69. Should the Federal Court, or this Court in appeal, decide that fees cannot be charged, the CRTC would have to revise its tariff in the same way it would have had to revise its tariff had it decided on the merit that the fee could be legally imposed and its decision on that point had been reversed on an appeal to the Court made under the provisions of the Telecommunications Act.
Whether the imposition of a fee contravenes the requirements of the PIPED Act
[80]The appellant submits that by conditioning an unlisted number on payment by the individual of a fee, TELUS contravenes clause 4.3.3 of the Schedule. It will be useful to reproduce the text of that clause again:
4.3.3
An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
[81]The appellant does not argue that fees can never be charged for the exercise of one's statutory right. He argues, rather, that a fee can only be charged if a statute provides for it.
[82]I take issue with the appellant's proposition that no statute or regulations allow imposition of a fee in the case at bar. Quite to the contrary, it appears from the clear wording of the Telecommunications Act that, when approving rates and services, the CRTC must take into consideration the objectives of the Canadian telecommunications policy, including that of contributing to the protection of the privacy of persons. Services may therefore be provided for the protection of privacy and rates may be imposed for the provision of those services. There could not be clearer indications that Parliament contemplated the imposition of fees for providing privacy services.
[83]The appellant contends, however, that the PIPED Act overrules the Telecommunications Act. That, however, would be so only if there were contradictory provisions in the two statutes. I find no provision in the PIPED Act which expressly prohibits the imposition of fees and clause 4.3.3 of Schedule 1, on which the appellant relies, can by no means be interpreted as he suggests. The "service" referred to in that clause is the telephone service and the clause prevents TELUS from seeking from its customers a consent wider than is necessary for the supply of that service.
[84]The appellant could not provide the Court with any authority directly on point to support his proposition. He referred to two decisions of the Supreme Court of Canada which deal with Aboriginal rights. I am not prepared to adopt wholesale to typically administrative law issues principles developed in the context of Aboriginal law. In any event, these decisions are not very helpful to the appellant. In R. v. Badger, [1996] 1 S.C.R. 771, it was found that the Treaty at issue and the Natural Resources Transfer Agreement did not permit the imposition of a licensing fee for exercising a treaty right. In R. v. Côté, [1996] 3 S.C.R. 139, where a regulation imposed the payment of a user fee to the state for the exercise of an Aboriginal right connected to land, the Court found that a fee was permissible when it represented a tailored user fee directed at improving the means of transportation upon the tract of land. The Court even added that the access fee "effectively facilitates rather than restricts the constitutional rights of the appellants" (at paragraph 80).
[85]In the case at bar, as in Côté, the fee facilitates rather than restricts the appellant's right to privacy and there is no issue as to the financial burden it puts on the appellant. No evidence was led that the rate was such as to be unbearable. To the contrary, the evidence is that it had been a major concern of the Governor in Council, of the various interveners and eventually of the CRTC itself to set a rate that would not discourage non-listing and thus prevent many subscribers from protecting their privacy. Indeed the CRTC, in its Report to the Governor in Council on Directory Subscriber Listings and on Unlisted Number Service, expressed the view that "it is increasingly important that unlisted number service not be priced beyond the financial reach of subscribers" (supra, paragraph 30). A rate that does not exceed $2 per month for residence subscribers was approved. No one has argued before us that it was not a "just and reasonable rate" within the meaning of section 27 of the Telecommunications Act, an argument the Court would have in any event declined to hear because that issue is within the exclusive domain of the CRTC.
Whether the appellant is a public interest litigant
[86]The appellant seeks costs in any event of the cause on the basis that he is a public interest litigant.
[87]The appellant is self-represented. He is at best only entitled to be reimbursed the reasonable costs he has incurred. I will order that he be reimbursed his reasonable costs in the Federal Court and in this Court because he ends up being successful in part in his application. I need not decide if he would have been entitled to such reimbursement had he lost.
Disposition
[88]In the end, I would allow the appeal in part, set aside the decision of the Federal Court dated June 3, 2003 and find well founded in part the complaint filed by the applicant against TELUS on January 1, 2001.
[89]I would find that TELUS has infringed section 5 of the Personal Information Protection and Electronic Documents Act in not informing its first-time customers, at the time of enrolment, of the primary and secondary purposes for which their personal information was collected and in not informing them at that time of the availability of the non-published number service.
[90]As the Court is not dealing here with a complainant who has been personally aggrieved, I am only prepared to order a remedy which will not comprise the payment of money and which will be future-oriented. I would therefore order TELUS to comply with the obligation set out in the above paragraph. Counsel for TELUS suggested at the hearing, and the Court agreed with her, that should a ruling go against her client, TELUS should have the opportunity to make written representations concerning the remedy. I would give TELUS four weeks from the date of this order to serve and file representations with respect to the manner and the timetable of its implementation of the remedy described above. I would then give the appellant two weeks to reply. In the circumstances, judgment will only issue at a later date.
[91]As to costs, I would order TELUS to reimburse the appellant the reasonable costs he has incurred in the Federal Court and in this Court. I would also order TELUS to reimburse to the appellant the costs of $11,906.41 which were paid to it by the appellant as a result of the decision of the Federal Court.
Nadon J.A.: I agree.
Malone J.A.: I agree.