posted by:Angela Long // 11:59 PM // June 27, 2006 // ID TRAIL MIX
While your Account Information may be personal to you, these records constitute business records that are owned by AT&T. As such, AT&T may disclose such records to protect its legitimate business interests, safeguard others, or respond to legal process.
In addition, it also requires customer agreement with the policy as a term of the service. It states (in bold print):
In other words, if you don’t agree with the policy, which means agreeing to the use of your personal information in the ways set out by AT&T, you can’t use AT&T’s service.
Much of the brouhaha surrounding the latest antics of AT&T in the U.S. has to do with allegations that the company has been allowing the National Security Administration access to not only customer account information, but also to data that customers have transmitted through AT&T’s services, such as e-mails, without warrants, in the name of national security to subvert potential terrorist attacks on the US, an on-going red hot issue for privacy advocates. The company’s new policy widens the scope of to whom and in what circumstances it will be able to provide it’s customers’ information to government authorities. It states:
We may disclose your information in response to subpoenas, court orders, and other legal process, or to establish or exercise our legal rights or defend against legal claims. We may also use your information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of the Service Terms or the Acceptable Use Policy, or as otherwise required or permitted by law.
Meanwhile, what can AT&T customers do if they choose to distance themselves from AT&T? Dozens of readers have put that question to me since Wednesday’s column ran. Short answer: Not all that much. There are other local and long-distance companies...but they often rely on AT&T’s network to get calls through or have policies similar to AT&T’s.
As a condition of using the Services, you agree to and must comply with the terms and conditions of this Agreement, which will be binding on you.
Schedule 1 of PIPEDA provides the principles with which commercial enterprises are to adhere to with respect to the collection, retention and dissemination of personal customer information. The harbinger of PIPEDA is consent of the individual, meaning that people must consent to all collection, retention and dissemination of information at the time it is collected by a company. This means that companies must tell their customers upfront what information they will collect and how they will use that information. This all seems fine and good, until we consider whether there are any limits on the kinds of information that companies are able to collect or on the uses of that information. It appears that there are no such limits, and as long as the customer is informed of what the company is doing with the information there is compliance with the principles of PIPEDA. To me, it all seems largely circuitous. Companies are essentially allowed to collect, retain and use personal information for any purpose, as long as that purpose is identified by the company, communicated to the customer and consented to by the customer. There are no real limits on the kinds of purposes, since the purposes are defined by the companies themselves.
To illustrate my point, look at Principle 4.2.2 and 4.2.3 of Schedule 1:
4.2 Principle 2 — Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
Identifying the purposes for which personal information is collected at or before the time of collection allows organizations to determine the information they need to collect to fulfil these purposes. The Limiting Collection principle (Clause 4.4) requires an organization to collect only that information necessary for the purposes that have been identified.
The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.
The purposes are to be identified by the company itself. That may not be problematic in and of itself, but when looked at with the other principles contained within PIPEDA, it becomes harder to swallow. Principle 4.3.3. states:
An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
A company cannot require an individual to consent to a purpose that was not explicitly specified in order to obtain a product or service. The problem is that the corollary of this statement must also be true, a company CAN require the consent of an individual to the collection, use or disclosure of information to obtain a product or service where that collection, use or disclosure has been defined and explicitly specified as a legitimate purpose. And who determines the legitimate purposes? Going back to Principle 4.2, the companies themselves are able to set their own purposes for gathering information. If consumers don’t agree to these purposes and do not wish to consent to them, they are out of luck as the company will not be required to contract with them.
This state of affairs seems unfair, to say the least. To allow companies to set their own purposes for the collection and use of personal information, some which may not be seen by consumers as legitimate (ie. the sharing of information with other companies within the same corporate family, or even worse transgressions) and then to allow them to deny the provision of a product or service on the basis of disagreement with such purposes does not seem to be in line with the general purpose of PIPEDA, which is to protect information of individuals. This may be acceptable (a big MAY) in some situations, where there is ample choice in the market for consumers. They can choose to go to companies who have information purposes more in line with their own views. But as Lazarus points out, this kind of consumer choice is waning. First, there is less and less choice about who to do business with, especially in the telecommunications industry where virtual corporate monopolies exist. Second, more and more companies are invoking all encompassing privacy policies that give them wide scope to deal with the personal information of their customers. And as long as they disclose this to customers at the outset, they have complied with PIPEDA. Increasingly, then, consumers must either consent (I would actually question whether this is true consent given the circumstances) to such policies or go without products and services. And as more and more companies adopt broad collection and use purposes, there is less and less privacy. Given this state of affairs my question is where there actually exists any substantive protection for personal information collected within the commercial sphere at all?
thanks very much for your careful and interesting analysis. i have tried to propose a solution to this problem in the context of DRM end user licence agreements, arguing that private law principles provide ample authority for setting aside the take-it-or-leave-it agreements of the sort you discuss.
to get a sense of that argument, jump to: http://idtrail.org/files/Kerr%20-%20If%20Left%20to%20Their%20Own%20Devices....pdf
Posted by: ian at June 27, 2006 09:39 AM
I think PIPEDA provides at least one limit you may have overlooked. Section 5(3) of PIPEDA provides that:
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
In Eastmond v. CP Railway, the Federal Court of Canada applied former Commissioner Radwanski's four part test to assess whether the purpose of a particular collection of personal information was appropriate.
Looking at the Eastmond test, organizations bound by PIPEDA might ask themselves the following questions to ensure that their collection, use, and/or disclosure (CUD)of personal information will pass muster:
Is the CUD necessary to meet a specific need?
Is the CUD likely to be effective in meeting that need?
Is the loss of privacy proportional to the benefit gained?
Is there a less privacy-invasive way of achieving the same end?
Each of these questions warrants a satisfactory answer, but the critical question in an "A T &T" context may be the last question.
In a society bound by the rule of law and constitutional principles, including those providing for judicial safeguards, the state is not generally permitted to invade privacy without first going before a judge and convincing that independent adjudicator that a warrant ought to be granted in the paricular circumstances. Barring narrowly defined exigent circumstances, the judicial process is the "less-invasive way of achieving the same end". An "A T &T" shouldn't be able to contract out of these constitutional and statutory limits either.
Americans still have reason to hope that the US Congress will insist on bringing the NSA program back under the U.S. Constitution and the jurisdiction of a FISA Court that already provides law enforcement and security agencies with considerable latitude to intrude on privacy. On the other hand, it is not clear to me that Canadians have yet to absord the significance of the bargains Parliament struck in the Anti-Terrorism Act, including those allowing a Minister to authorize the CSE to intercept communications between people in Canada and those on or "overseas".
Posted by: confoederatus at June 27, 2006 10:30 AM