By Bram Abramson
A RARE CRTC DECISION on the appeal of a “notice to produce”, compelling Hydro-Québec to produce the personal information associated with 10 service addresses, has shed further light on how the Commission will use the information-gathering powers of Canada’s Anti-Spam Legislation (CASL) when dealing with intermediary service providers.
Compliance and Enforcement Decision CRTC 2020-196, issued on June 18 against Hydro-Québec, echoes a similar 2016 decision in the Royal Bank of Canada’s appeal of a third-party notice to produce. The Hydro-Québec decision interprets the CRTC’s CASL information-gathering authority largely in terms of whether the information compelled by the notice “may aid”, “could … help”, or “can be of assistance” in an investigation.
Placed alongside the 2016 RBC decision and a controversial 2018 information bulletin on indirect liability for intermediaries like telcos, ISPs, web hosts, and payment processors, the decision contributes to a growing Commission body of guidance on how it will address the role of intermediaries, including common carriers, under CASL.
Notices to produce
From the mid-1980s through to about a decade ago, the CRTC’s activities regulating unsolicited communications were mostly about phone calls and faxes. That changed in 2010, when Canada’s anti-spam legislation added “commercial electronic messages” and uninvited computer programs to the CRTC’s unsolicited communications portfolio. The Commission promulgated regulations and two different sets of guidelines in 2012; began enforcement in 2014; and has since issued two more sets of guidelines; six formal decisions; 16 published notices of violations, undertakings and citations; and, at last check, nearly $1.3 million in fines.
The CRTC’s enforcement activity in this area is underwritten by information gathered using orders called “notices to produce”. CASL lets the CRTC issue these production notices, which may include personal information, for three purposes: to verify compliance; to identify a contravention; or to assist a foreign counterpart’s investigation of a similar contravention. (The international component is grounded by international agreements between the CRTC and its Five Eyes counterparts in the U.S., U.K., Australia, and New Zealand, as well as Japan.)
Someone receiving a notice to produce but who takes issue with its scope can apply for it to be reviewed. CASL unifies within the CRTC the authority to issue these notices, enforce them, and decide on first-order applications to review them. An application to review must show the production notice is unreasonable in the circumstances, requires disclosure of privileged information like legal advice, or lacks protections to prevent disclosure. The CRTC, in turn, typically includes little information in its notices as to the nature of the investigation.
This makes it hard to know what the circumstances are which would make a production notice “unreasonable”. CED 2020-196 reflects this difficulty. It finds “Hydro-Québec’s representations on this issue reveal a potential misunderstanding … of the circumstances of the issuance of the NTP,” because they “appear to assume” the notice to produce pertained to the behaviour of the Hydro-Québec ratepayers living at the 10 addresses the CRTC listed, whereas the information could also, for instance, help to “identify new addresses not yet known to Commission enforcement staff where … evidence may be found.”
Intermediary responsibility
Recent years have seen an increasing emphasis – especially when intermediaries are involved – on designing enforcement in ways that meet at least the 1980 OECD Fair Information Practices Principles (FIPPs), like “limiting collection”, embedded into most privacy laws. Telcos have begun to publish transparency reports providing insight into what personal information they have been compelled to disclose, and law enforcement guides identifying under what conditions they will do so and will tell affected parties about it.
In the civil setting, courts receiving applications for “Norwich orders”, which compel an innocent third party to provide information about a potential defendant, have applied a careful test, including whether the third party is the only practicable source of that information. In the more stringent criminal setting the Supreme Court established, in its landmark 2014 Spencer decision, that personal information gathered from a telco not lawfully compelled to provide it may not be admissible where, for instance, the telco’s terms of service protect that information. In the same vein, telcos stewarding this kind of information have taken active steps to challenge orders that are over-broad, as Rogers and Telus did in the tower dump case.
The CRTC’s production notice authority in respect of third parties under CASL is not subject to Norwich Order tests. It does not, as the Hydro-Québec decision underlines, engage criminal law. No balancing test calling out privacy rights is written into CASL’s broad notice to produce authority. Neither the CRTC Act establishing the CRTC, nor CASL delegating this authority to the CRTC, requires the Commission’s exercise of these powers by requiring it to pursue the objective of “contribut[ing] to the protection of the privacy of persons”, as the Telecommunications Act does (and as the Yale Report recommended the Broadcasting Act do).
Intermediaries regarding themselves as having responsibilities stewarding the personal information of their customers have suggested the CRTC ought to exercise its discretion under CASL in ways that align with larger trends. The Commission’s 2016 letter decision gave little weight to the RBC’s Norwich-like argument that “the [Notice to Produce] is overbroad and places a disproportionate burden on RBC, since information could be more appropriately obtained directly from the numbered company.” Nor was the Commission moved by RBC’s related argument that the Privacy Act requires it to limit the collection of personal information to what is related directly to an operating program or activity – as opposed, presumably, to information that “could be” useful. CED 2020-196 confirms this approach.
Next steps
The regulatory authority CASL establishes in respect of both commercial electronic messages and uninvited computer programs plays an important role in providing a safe, secure communications environment. The rapid increase in the CRTC’s issuance under CASL of notices to produce, which the Commission’s helpful semi-annual compilations show have risen from 18 to 57 to 71 to 131 over the last four reporting periods, are surely the result of an increased focus on complex, large-scale, cybersecurity-comprising activity.
In other domains the industry has been well-served by consulting widely on establishing guidance that has helped the CRTC take into account a broad range of expertise and potential circumstances, and helped regulated parties have confidence and increased predictability in the manner in which they are regulated. Absent legislative reform, CASL ties the Commission’s hands somewhat in its ability to follow its ordinary procedure in the broadcasting and telecommunications sectors to hear third-party representations on reviews of specific notices to produce. However, it is difficult to imagine the Commission could not do so in respect of broader guidance, particularly in view of the impact of the subject matter of Compliance and Enforcement Information Bulletin CRTC 2018-415 on intermediaries, including telecommunications service providers acting as common carriers. It’s surprising it was issued without such consultation.
As the agency charged with overseeing sectors whose privacy responsibilities – and efforts to embed these alongside safety and security in the specialized communications sectors – continue to grow in importance, the CRTC has a number of tools available to it to continue to review and codify its approach to intermediary liability and responsibility. For instance, consulting more broadly on the possibility of structuring the discretion the Commission exercises in these matters would allow stakeholders like the Office of the Privacy Commissioner to provide broad guidance, as it has usefully done in past proceedings. In the same way, breaking out its semi-annual reporting figures, on notices to inform, into first- and third-party figures, would provide for enhanced monitoring of one aspect of this topic.
The CRTC’s approach to its unsolicited communications responsibilities has tended to diverge from that taken to its telecommunications and broadcast responsibilities, starting with a focus on “compliance and enforcement” as the broad heading for such activities. The decision in CED 2020-196 is consistent with that divergence. Perhaps, in some matters, the Commission might find that embracing convergence is the better approach.
