Date: 20041117
Docket: A-388-03
Citation: 2004 FCA 387
CORAM: DÉCARY J.A.
NADON J.A.
MALONE J.A.
BETWEEN:
MATHEW ENGLANDER
Appellant
and
TELUS COMMUNICATIONS INC.
Respondent
and
PRIVACY COMMISSIONER OF CANADA
Intervener
Heard at Vancouver, British Columbia, on October 7, 2004.
Reasons for judgment rendered at Ottawa, Ontario, on November 17, 2004.
REASONS FOR JUDGMENT BY: DÉCARY J.A.
CONCURRED IN BY: NADON J.A.
MALONE J.A.
[1] This appeal raises numerous issues related to the interpretation of the Personal Information Protection and Electronic Documents Act (the Act or PIPED Act), S.C. 2000, c. 5, and pertaining to personal information published in telephone directories. Some of the issues are of a substantial nature: whether fees can be charged to customers who ask that their telephone numbers remain confidential; what type of consent is required by the Act for the listing of first-time customers' personal information in telephone directories; what rules should guide the interpretation of a self-regulatory code transformed into a statute and whether the Canadian Radio-Television and Telecommunications Commission (the CRTC) has exclusive jurisdiction to determine the legality of fees charged for privacy services. Others are of a procedural nature: the requisite standing to apply to the Federal Court for a hearing under section 14 of the Act; the nature of the so-called "hearing"; the deference, if any, owed to the report on a complaint prepared by the Privacy Commissioner of Canada (the Commissioner), Mr. Radwanski, under section 11 and the adjudication of costs to an allegedly public interest litigant.
[2] The relevant facts can be found in the impugned decision of the Federal Court, reported at 2003 FCT 205. Essentially, this matter arose as a result of a complaint filed by the appellant under section 11 of the Act against the respondent (TELUS). The appellant had asked the Commissioner to determine whether the consent allegedly obtained by TELUS from its first-time customers for disclosure of personal information met the standards set up in the Act (the consent issue) and whether TELUS could charge him a monthly fee for the Non-Published Number Service (NPNS) which is a condition for not publishing personal information in its telephone directory (the rate issue).
[3] The Commissioner prepared a report of his findings and dismissed the complaint (A.B. vol. 1, p. 68). His reasons are to say the least laconic.
[4] With respect to the rate issue, he states:
[...] I have concluded that TELUS has the authority to charge its customers $2.00 per month for non-published telephone service and I do not find this an unreasonable practice so as to contravene principle 4.3.3 of the Schedule.
[A.B. vol. 1, p. 70]
[5] With respect to the consent issue, his relevant conclusions can be summarized as follows.
With respect to subsection 5(3) of the Act, he concludes that
[...] a reasonable person would consider TELUS' initiation of service practice and subsequent publishing of customers' personal information in TELUS' White Pages an appropriate collection, use and disclosure of the information.
[Ibid.]
With respect to clause 4.3 of Schedule 1, he concludes that
[...]TELUS' practice of initiating service includes obtaining valid consent from its customers to publish their personal information in its publicly available White Pages Directory.
[Ibid.]
With respect to clause 4.5 of Schedule 1, he concludes that
[...] TELUS obtains valid consent to publish customers' personal information in its White Pages Directory and, by doing so, customers consent to having their personal information available to the public. TELUS only discloses publicly available information as specified by the Act under the Regulations Specifying Publicly Available Information to Dominion Information Services in BC, and TELUS Advertising Services in Alberta, and therefore, is in compliance with the Act.
[Ibid.]
[6] These reasons are not very helpful. But since it is not the report but the complaint with which the Court deals in these proceedings (as we shall see), the generality of the report is of little consequence at the end of the day.
[7] The appellant then applied to the Federal Court for a hearing pursuant to section 14 of the Act. The application was dismissed. In his reasons, Mr. Justice Blais found that the hearing was neither an appeal from the Commissioner's report nor an application for judicial review of that report and that he was to exercise his discretion de novo; that the Commissioner's report was entitled to some deference with respect to decisions clearly within his jurisdiction; that the appellant had standing to raise the consent issue even though there was no evidence of TELUS collecting, using or disclosing any of his personal information without his consent; that TELUS had valid consent under the Act to publish its customers' personal information on TELUS directories; and that the Federal Court had no jurisdiction over the rate issue as it is a matter within the exclusive jurisdiction of the CRTC. The judge also refused to recognize the appellant's public interest standing and ordered him to pay costs, which were assessed at $11,906.41.
The historical background of Part 1 of the PIPED Act
[8] A brief review of the history of the PIPED Act, including part of the CSA Standard which is incorporated into it as Schedule 1, is crucial for a proper understanding and interpretation of its relevant provisions. Most of the observations I will make in this regard take their inspiration from the "The Personal Information Protection and Electronic Documents Act, An Annotated Guide" (Perrin, Black, Flaherty & Rankin, Irwin Law Inc., Toronto, 2001). I am grateful to these learned authors and apologize for using their material often verbatim.
[9] Prior to the 1970s, attempts had been made in various international documents to protect privacy. "It was soon recognized, however, that these documents were too vague - particularly in the face of the growing sophistication of data processing - to ensure adequate protection of civil liberties in the area of personal data protection" (Annotated Guide, p. 2). The Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data was developed by the Council of Europe in 1981 (E.T.S. No. 108, Strasbourg, 1981). In 1978, a committee was established by members of the Organization for Economic Cooperation and Development (OECD) to develop guidelines on basic rules governing transborder dataflow and the protection of personal data and privacy. Guidelines were developed in consultation with the experts working at the Council of Europe on Convention 108, "but the thrust of the OECD activity was non-regulatory, while the Council of Europe developed a set of similar principles that were implemented in national law" (ibid., p. 2). The OECD Guidelines were published in 1980 and "developed a set of eight principles that are still regarded as the fundamentals of fair information services." These eight principles are:
Collection Limitation Principle
7. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle
8. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Purpose Specification Principle
9. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Use Limitation Principle
10. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:
(a) with the consent of the data subject; or
(b) by the authority of law.
Security Safeguards Principle
11. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
Openness Principle
12. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
Individual Participation Principle
13. An individual should have the right:
(a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
(b) to have communicated to him, data relating to him
(i) within a reasonable time;
(ii) at a charge, if any, that is not excessive;
(iii) in a reasonable manner; and
(iv) in a form that is readily intelligible to him;
(c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
(d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Accountability Principle
14. A data controller should be accountable for complying with measures which give effect to the principles stated above.
[OECD Guidelines Governing the Protection of Privacy and
Transborder Flows of Personal Data, 1980]
[10] The friction between the self-regulatory approach proposed by the OECD and the legislative approach proposed by the Council of Europe made its way into Canada. Most industries believed that privacy legislation would be bad for business. In the early 1990s, a suggestion was made to the Canadian Standards Association (CSA) (composed of consumers and business representatives, representatives of the federal and provincial governments, labour unions, professional associations...) to set up a committee to develop a standard for data protection based on the OECD Guidelines. The CSA self-regulatory Standard was drafted between 1993 and 1995. In September 1995, the Canadian Standards Association Model Code for the Protection of Personal Information (CAN/CSA-Q830-95) (the CSA Standard) was adopted by the CSA. It was approved as a National Standard of Canada by the Standards Council of Canada in 1996. (The Standards Council of Canada is an institution governed by the Standards Council of Canada Act, R.S.C. 1985, c. S-16.)
[11] The CSA Standard sets out ten principles in Part 4. It retains in different language and in a different order the eight principles defined in the OECD Guidelines. The two other principles, "consent" and "challenging," were already referred to in the Collection Limitation Principle and the Individual Participation Principle, respectively clauses 7 and 13 of the OECD Guidelines. The CSA Standard, however, expands considerably on the wording used in the OECD Guidelines. Part 4 of the CSA Standard would eventually become Schedule 1 to the Act, the text of which will be reproduced later in these reasons (infra, para. 21).
[12] In the Preface to the first edition of the CSA Standard, the CSA notes that it was "developed by consensus, which is defined by CSA Regulations Governing Standardization as 'substantial agreement reached by concerned interests. Consensus includes an attempt to remove all objections and implies much more than the concept of a simple majority, but not necessarily unanimity'. " It goes on, in the Introduction, to establish the context in which the CSA Standard was adopted:
Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve the quality of our lives. This technology also gives rise to concerns about the protection of privacy rights and the individual's right to control the use and exchange of personal information. By implementing recognized fair-handling practices for personal information, organizations can materially demonstrate their commitment to the protection of personal information. Organizations should balance their need for personal information with an individual's desire for a certain measure of anonymity. This document is a voluntary national standard for the protection of personal information. The Standard addresses two broad issues: the way organizations collect, use, disclose, and protect personal information; and the right of individuals to have access to personal information about themselves, and, if necessary, to have the information corrected. Then interrelated principles form the basis of the Standard. Each principle is accompanied by a commentary that elaborates on the principle. A workbook on the implementation of the principles is available to organizations intending to adopt this Standard. Organizations will be able to tailor specific codes using the workbook as a guide. The Standard will (a) provide principles for the management of personal information; (b) specify the minimum requirements for the adequate protection of personal information held by participating organizations; (c) make the Canadian public aware of how personal information should be protected; and (d) provide standards by which the international community can measure the protection of personal information in Canada. Canada committed itself to privacy protection in 1984 by signing the Organization for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD Guidelines [...] were used as the basis for the development of this Standard. The protection of personal information is increasingly important at the international level.
[13] In the meantime (in 1994), the Minister of Industry had created the Information Highway Advisory Council to inform him on how Canada could most benefit from the Information Highway. "In response to a public discussion paper, most consumer representatives, privacy commissioners, and privacy advocates replied that they wanted legislated privacy protection, while most businesses stated that they could self-regulate to the CSA Standard." In 1995, the Advisory Council recommended to the Minister that the Government "develop flexible framework legislation based on the CSA Standard and work with the provinces to harmonize their efforts" (Annotated Guide, p. XIV).
[14] A consultation paper was released in January 1998. Seeking a compromise through discussion, the government eventually came up with the following requirements:
· The law must be based on the CSA Standard, which was a carefully crafted consensus document, with every clause negotiated but not drafted in legislative language.
· The same marketplace rules must hold for the entire country, in a period where markets were rapidly converging and competitors who were historically under different jurisdictions were now entering each other's markets (banks and insurance, telecommunications carriers and Internet service providers, direct marketers in all sectors).
· The law must not set up new unjustified barriers to internal and international trade, and must not disadvantage responsible players by allowing data havens or offshore rivals to escape regulation.
· The Privacy Commissioner would be responsible for oversight, in a light flexible model. Not only should the implementation of the legislation be amenable to audit by independent third parties, but the Commissioner should also have authority to audit practices independent of any complaint.
· The heart of successful privacy protection lies in awareness of all parties of rights, expectations, responsibilities, and the actual facts of data processing and dataflow. There is a tremendous need for public education and awareness, and a vital role for the Privacy Commissioner to play.
[Annotated Guide, pp. XIV, XV]
[15] Eventually, "with the full support of the industry players who contributed to the CSA Standard, but to the great bewilderment of privacy experts and legal scholars everywhere, the drafters of this legislation set the task of incorporating the text of the standard intact in the law. It was decided to incorporate it as a Schedule and make the modifications in the body of the law that would inevitably be required to retrofit the language of the code to a legal text" (Annotated Guide, p. 11). Part 4 of the CSA Standard became Schedule 1 to the PIPED Act.
[16] The Act received Royal Assent on April 13, 2000 and came into effect in phases from January 1, 2001 to January 1, 2004.
[17] On January 20, 2001, the European Commission ruled that the PIPED Act met the adequacy requirements of the European Union's Data Protection Directive adopted in 1995 and aimed at protecting personal information and harmonizing privacy laws amongst its member states. As a result, personal data from the member states may be transferred to Canada (European Decision pursuant to Directive 95/46/EC-January 20, 2001, reproduced in Federal Access to Information and Privacy Legislation, Annotated 2004, Drapeau and Racicot, Thomson Carswell, Toronto, 2004, at 1558).
The legislative framework
[18] The Act comprises five parts. The first one is the only part which covers substantial issues; it deals with the "Protection of Personal Information in the Private Sector." As to the other parts, they deal with technical issues (Electronic documents and Amendments to the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act). This appeal is solely concerned with the first part.
[19] The first part is complemented by Schedule 1, "Principles set out in the National Standard of Canada Entitled Model Code for the protection of personal information, CAN/CSA-Q830-96." By virtue of subsection 5(1) of the Act, and subject to other sections of the Act, every organization is bound to comply with the obligations set out in Schedule 1.
[20] The first part and Schedule 1 are summarized as follows in the Statutes of Canada:
Part 1 of this enactment establishes a right to the protection of personal information collected, used or disclosed in the course of commercial activities, in connection with the operation of a federal work, undertaking or business or interprovincially or internationally.
It establishes the following principles to govern the collection, use and disclosure of personal information: accountability, identifying the purposes for the collection of personal information, obtaining consent, limiting collection, limiting use, disclosure and retention, ensuring accuracy, providing adequate security, making information management policies readily available, providing individuals with access to information about themselves, and giving individuals a right to challenge an organization's compliance with these principles.
It further provides for the Privacy Commissioner to receive complaints concerning contraventions of the principles, conduct investigations and attempt to resolve such complaints. Unresolved disputes relating to certain matters can be taken to the Federal Court for resolution.
[21] The following provisions are particularly relevant to this appeal:
The Act
An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act
Personal Information Protection
and Electronic Documents Act
...
PART 1
PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR
...
Purpose
3. The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Application
4. (1) This Part applies to every organization in respect of personal information that
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
...
(3) Every provision of this Part applies despite any provision, enacted after this subsection comes into force, of any other Act of Parliament, unless the other Act expressly declares that that provision operates despite the provision of this Part.
DIVISION 1
PROTECTION OF PERSONAL INFORMATION
5. (1) Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.
(2) The word "should", when used in Schedule 1, indicates a recommendation and does not impose an obligation.
(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
...
7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if
...
(d) the information is publicly available and is specified by the regulations.
(2) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only if
...
(c.1) it is publicly available and is specified by the regulations;
...
(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
...
(h.1) of information that is publicly available and is specified by the regulations;
...
DIVISION 2
REMEDIES
Filing of Complaints
11. (1) An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or for not following a recommendation set out in Schedule 1.
...
Commissioner's Report
13. (1) The Commissioner shall, within one year after the day on which a complaint is filed or is initiated by the Commissioner, prepare a report that contains
(a) the Commissioner's findings and recommendations;
...
(2) The Commissioner is not required to prepare a report if the Commissioner is satisfied that
(a) the complainant ought first to exhaust grievance or review procedures otherwise reasonably available;
(b) the complaint could more appropriately be dealt with, initially or completely, by means of a procedure provided for under the laws of Canada, other than this Part, or the laws of a province;
(c) the length of time that has elapsed between the date when the subject-matter of the complaint arose and the date when the complaint was filed is such that a report would not serve a useful purpose; or
(d) the complaint is trivial, frivolous or vexatious or is made in bad faith.
If a report is not to be prepared, the Commissioner shall inform the complainant and the organization and give reasons.
...
Hearing by Court
14. (1) A complainant may, after receiving the Commissioner's report, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner's report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of that Schedule as modified or clarified by Division 1, in subsection 5(3) or 8(6) or (7) or in section 10.
...
15. The Commissioner may, in respect of a complaint that the Commissioner did not initiate,
(a) apply to the Court, within the time limited by section 14, for a hearing in respect of any matter described in that section, if the Commissioner has the consent of the complainant;
(b appear before the Court on behalf of any complainant who has applied for a hearing under section 14; or
(c) with leave of the Court, appear as a party to any hearing applied for under section 14.
16. The Court may, in addition to any other remedies it may give,
(a) order an organization to correct its practices in order to comply with sections 5 to 10;
(b) order an organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph (a); and
(c) award damages to the complainant, including damages for any humiliation that the complainant has suffered.
17. (1) An application made under section 14 or 15 shall be heard and determined without delay and in a summary way unless the Court considers it inappropriate to do so.
...
DIVISION 4
GENERAL
27. (1) Any person who has reasonable grounds to believe that a person has contravened or intends to contravene a provision of Division 1, may notify the Commissioner of the particulars of the matter and may request that their identity be kept confidential with respect to the notification.
|
Loi visant à faciliter et à promouvoir le commerce électronique en protégeant les renseignements personnels recueillis, utilisés ou communiqués dans certaines circonstances, en prévoyant l'utilisation de moyens électroniques pour communiquer ou enregistrer de l'information et des transactions et en modifiant la Loi sur la preuve au Canada, la Loi sur les textes réglementaires et la Loi sur la révision des lois
Loi sur la Protection des renseignements personnels et les documents électroniques
[...]
PARTIE 1
PROTECTION DES RENSEIGNEMENTS PERSONNELS DANS LE SECTEUR PRIVÉ
[...]
Objet
3. La présente partie a pour objet de fixer, dans une ère où la technologie facilite de plus en plus la circulation et l'échange de renseignements, des règles régissant la collecte, l'utilisation et la communication de renseignements personnels d'une manière qui tient compte du droit des individus à la vie privée à l'égard des renseignements personnels qui les concernent et du besoin des organisations de recueillir, d'utiliser ou de communiquer des renseignements personnels à des fins qu'une personne raisonnable estimerait acceptables dans les circonstances.
Champ d'application
4. (1) La présente partie s'applique à toute organisation à l'égard des renseignements personnels :
a) soit qu'elle recueille, utilise ou communique dans le cadre d'activités commerciales;
b) soit qui concernent un de ses employés et qu'elle recueille, utilise ou communique dans le cadre d'une entreprise fédérale.
[...]
(3) Toute disposition de la présente partie s'applique malgré toute disposition - édictée après l'entrée en vigueur du présent paragraphe - d'une autre loi fédérale, sauf dérogation expresse de la disposition de l'autre loi.
SECTION 1
PROTECTION DES RENSEIGNEMENTS PERSONNELS
5. (1) Sous réserve des articles 6 à 9, toute organisation doit se conformer aux obligations énoncées dans l'annexe 1.
(2) L'emploi du conditionnel dans l'annexe 1 indique qu'il s'agit d'une recommandation et non d'une obligation.
(3) L'organisation ne peut recueillir, utiliser ou communiquer des renseignements personnels qu'à des fins qu'une personne raisonnable estimerait acceptables dans les circonstances.
[...]
7. (1) Pour l'application de l'article 4.3 de l'annexe 1 et malgré la note afférente, l'organisation ne peut recueillir de renseignement personnel à l'insu de l'intéressé et sans son consentement que dans les cas suivants :
[...]
d) il s'agit d'un renseignement réglementaire auquel le public a accès.
(2) Pour l'application de l'article 4.3 de l'annexe 1 et malgré la note afférente, l'organisation ne peut utiliser de renseignement personnel à l'insu de l'intéressé et sans son consentement que dans les cas suivants :
[...]
c.1) il s'agit d'un renseignement réglementaire auquel le public a accès;[...]
(3) Pour l'application de l'article 4.3 de l'annexe 1 et malgré la note afférente, l'organisation ne peut communiquer de renseignement personnel à l'insu de l'intéressé et sans son consentement que dans les cas suivants :
[...]
h.1) il s'agit d'un renseignement réglementaire auquel le public a accès;
[...]
SECTION 2
RECOURS
Dépôt des plaintes
11. (1) Tout intéressé peut déposer auprès du commissaire une plainte contre une organisation qui contrevient à l'une des dispositions de la section 1 ou qui omet de mettre en oeuvre une recommandation énoncée dans l'annexe 1.
[...]
Rapport du commissaire
13. (1) Dans l'année suivant, selon le cas, la date du dépôt de la plainte ou celle où il en a pris l'initiative, le commissaire dresse un rapport où :
a) il présente ses conclusions et recommandations;
[...]
(2) Il n'est toutefois pas tenu de dresser un rapport s'il est convaincu que, selon le cas :
a) le plaignant devrait d'abord épuiser les recours internes ou les procédures d'appel ou de règlement des griefs qui lui sont normalement ouverts;
b) la plainte pourrait avantageusement être instruite, dans un premier temps ou à toutes les étapes, selon des procédures prévues par le droit fédéral - à l'exception de la présente partie - ou le droit provincial;
c) le délai écoulé entre la date où l'objet de la plainte a pris naissance et celle du dépôt de celle-ci est tel que le rapport serait inutile;
d) la plainte est futile, vexatoire ou entachée de mauvaise foi.
Le cas échéant, il en informe le plaignant et l'organisation, motifs à l'appui.
[...]
Audience de la Cour
14. (1) Après avoir reçu le rapport du commissaire, le plaignant peut demander que la Cour entende toute question qui a fait l'objet de la plainte - ou qui est mentionnée dans le rapport - et qui est visée aux articles 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 ou 4.8 de l'annexe 1, aux articles 4.3, 4.5 ou 4.9 de cette annexe tels que modifiés ou clarifiés par la section 1, aux paragraphes 5(3) ou 8(6) ou (7) ou à l'article 10.
[...]
15. S'agissant d'une plainte dont il n'a pas pris l'initiative, le commissaire a qualité pour :
a) demander lui-même, dans le délai prévu à l'article 14, l'audition de toute question visée à cet article, avec le consentement du plaignant;
b) comparaître devant la Cour au nom du plaignant qui a demandé l'audition de la question;
c) comparaître, avec l'autorisation de la Cour, comme partie à la procédure.
16. La Cour peut, en sus de toute autre réparation qu'elle accorde :
a) ordonner à l'organisation de revoir ses pratiques de façon à se conformer aux articles 5 à 10;
b) lui ordonner de publier un avis énonçant les mesures prises ou envisagées pour corriger ses pratiques, que ces dernières aient ou non fait l'objet d'une ordonnance visée à l'alinéa a);
c) accorder au plaignant des dommages-intérêts, notamment en réparation de l'humiliation subie.
17. (1) Le recours prévu aux articles 14 ou 15 est entendu et jugé sans délai et selon une procédure sommaire, à moins que la Cour ne l'estime contre-indiqué.
[...]
SECTION 4
DISPOSITIONS GÉNÉRALES
27. (1) Toute personne qui a des motifs raisonnables de croire qu'une autre personne a contrevenu à l'une des dispositions de la section 1, ou a l'intention d'y contrevenir, peut notifier au commissaire des détails sur la question et exiger l'anonymat relativement à cette dénonciation.
|
The Model Code
SCHEDULE 1
(Section 5)
PRINCIPLES SET OUT IN THE NATIONAL STANDARD OF CANADA ENTITLED MODEL CODE FOR THE PROTECTION OF PERSONAL INFORMATION, CAN/CSA-Q830-96
4.1 Principle 1 - Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
...
4.1.4
Organizations shall implement policies and practices to give effect to the principles, including
(a) implementing procedures to protect personal information;
...
(d) developing information to explain the organization's policies and procedures.
4.2 Principle 2 - Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
...
4.2.2
Identifying the purposes for which personal information is collected at or before the time of collection allows organizations to determine the information they need to collect to fulfil these purposes. The Limiting Collection principle (Clause 4.4) requires an organization to collect only that information necessary for the purposes that have been identified.
4.2.3
The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.
4.2.4
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use.
...
4.3 Principle 3 - Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
[note omitted]
4.3.1
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).
4.3.2
The principle requires "knowledge and consent". Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
4.3.3
An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
4.3.4
The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. ...
4.3.5
In obtaining consent, the reasonable expectations of the individual are also relevant. ...
4.3.6
The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. ...
4.3.7
Individuals can give consent in many ways. For example:
(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
(c) consent may be given orally when information is collected over the telephone; or
(d) consent may be given at the time that individuals use a product or service.
|
ANNEXE 1
(article 5)
PRINCIPES ÉNONCÉS DANS LA NORME NATIONALE DU CANADA INTITULÉE CODE TYPE SUR LA PROTECTION DES RENSEIGNEMENTS PERSONNELS, CAN/CSA-Q830-96
4.1 Premier principe - Responsabilité
Une organisation est responsable des renseignements personnels dont elle a la gestion et doit désigner une ou des personnes qui devront s'assurer du respect des principes énoncés ci-dessous.
[...]
4.1.4
Les organisations doivent assurer la mise en oeuvre des politiques et des pratiques destinées à donner suite aux principes, y compris :
a) la mise en oeuvre des procédures pour protéger les renseignements personnels;
[...]
d) la rédaction des documents explicatifs concernant leurs politiques et procédures.
4.2 Deuxième principe - Détermination des fins de la collecte des renseignements
Les fins auxquelles des renseignements personnels sont recueillis doivent être déterminées par l'organisation avant la collecte ou au moment de celle-ci.
[...]
4.2.2
Le fait de préciser les fins de la collecte de renseignements personnels avant celle-ci ou au moment de celle-ci permet à l'organisation de déterminer les renseignements dont elle a besoin pour réaliser les fins mentionnées. Suivant le principe de la limitation en matière de collecte (article 4.4), l'organisation ne doit recueillir que les renseignements nécessaires aux fins mentionnées.
4.2.3
Il faudrait préciser à la personne auprès de laquelle on recueille des renseignements, avant la collecte ou au moment de celle-ci, les fins auxquelles ils sont destinés. Selon la façon dont se fait la collecte, cette précision peut être communiquée de vive voix ou par écrit. Par exemple, on peut indiquer ces fins sur un formulaire de demande de renseignements.
4.2.4
Avant de se servir de renseignements personnels à des fins non précisées antérieurement, les nouvelles fins doivent être précisées avant l'utilisation.
[...]
4.3 Troisième principe - Consentement
Toute personne doit être informée de toute collecte, utilisation ou communication de renseignements personnels qui la concernent et y consentir, à moins qu'il ne soit pas approprié de le faire.
[note omise]
4.3.1
Il faut obtenir le consentement de la personne concernée avant de recueillir des renseignements personnels à son sujet et d'utiliser ou de communiquer les renseignements recueillis. Généralement, une organisation obtient le consentement des personnes concernées relativement à l'utilisation et à la communication des renseignements personnels au moment de la collecte. Dans certains cas, une organisation peut obtenir le consentement concernant l'utilisation ou la communication des renseignements après avoir recueilli ces renseignements, mais avant de s'en servir, par exemple, quand elle veut les utiliser à des fins non précisées antérieurement.
4.3.2
Suivant ce principe, il faut informer la personne au sujet de laquelle on recueille des renseignements et obtenir son consentement. Les organisations doivent faire un effort raisonnable pour s'assurer que la personne est informée des fins auxquelles les renseignements seront utilisés. Pour que le consentement soit valable, les fins doivent être énoncées de façon que la personne puisse raisonnablement comprendre de quelle manière les renseignements seront utilisés ou communiqués.
4.3.3
Une organisation ne peut pas, pour le motif qu'elle fournit un bien ou un service, exiger d'une personne qu'elle consente à la collecte, à l'utilisation ou à la communication de renseignements autres que ceux qui sont nécessaires pour réaliser les fins légitimes et explicitement indiquées.
4.3.4
La forme du consentement que l'organisation cherche à obtenir peut varier selon les circonstances et la nature des renseignements. Pour déterminer la forme que prendra le consentement, les organisations doivent tenir compte de la sensibilité des renseignements. [...]
4.3.5
Dans l'obtention du consentement, les attentes raisonnables de la personne sont aussi pertinentes. [...]
4.3.6
La façon dont une organisation obtient le consentement peut varier selon les circonstances et la nature des renseignements recueillis. En général, l'organisation devrait chercher à obtenir un consentement explicite si les renseignements sont susceptibles d'être considérés comme sensibles. Lorsque les renseignements sont moins sensibles, un consentement implicite serait normalement jugé suffisant. [...]
4.3.7
Le consentement peut revêtir différentes formes, par exemple :
a) on peut se servir d'un formulaire de demande de renseignements pour obtenir le consentement, recueillir des renseignements et informer la personne de l'utilisation qui sera faite des renseignements. En remplissant le formulaire et en le signant, la personne donne son consentement à la collecte de renseignements et aux usages précisés;
b) on peut prévoir une case où la personne pourra indiquer en cochant qu'elle refuse que ses nom et adresse soient communiqués à d'autres organisations. Si la personne ne coche pas la case, il sera présumé qu'elle consent à ce que les renseignements soient communiqués à des tiers;
c) le consentement peut être donné de vive voix lorsque les renseignements sont recueillis par téléphone; ou
d) le consentement peut être donné au moment où le produit ou le service est utilisé.
|
The regulatory context of the Non-Published Number Service
[22] The Non-Published Number Service (NPNS) is a telecommunications service regulated by the CRTC. The tariff applicable in British Columbia is CRTC 1005, General Tariff Item 145. The monthly service charge for NPNS is $2.00 and there is a one-time set up fee of $9.50 (A.B. vol. 1, pp. 87, 88).
[23] On January 25, 1994, in Telecom Decision CRTC 94-1, the CRTC expressed the view "that the provision of directories form an essential part of, and significantly enhance the value of, the company's basic telephone service" (A.B. vol. 2, p. 393). On May 1, 1997, in Telecom Decision CRTC 97-8, the CRTC required that telephone directories be provided free of charge to customers (A.B. vol. 2, p. 309).
[24] On March 8, 1995, in Telecom Decision CRTC 95-3, the CRTC ordered various telephone companies, including TELUS, to send billing inserts to their customers informing them of the provision of non-confidential listing information to third parties and of the means available to have their names and related information excluded. In addition, the CRTC directed those companies that had not already done so to implement measures to inform customers calling to initiate service, or with privacy concerns, of the method by which their names could be removed from listings that are sold or rented to third parties (my emphasis) (A.B. vol. 1, p. 185).
[25] On June 25, 1996, by Order in Council P.C. 1996-1001, the Governor in Council required the CRTC to report "on the matter of directory subscriber listings, including the appropriate level of protection that should be accorded to subscriber listings and an evaluation of the unlisted number service" (A.B. vol. 1, p. 172). Two "whereas" are worth noting:
Whereas the Governor in Council has determined that the pricing of the unlisted number service may deter subscribers from de-listing their personal information from telephone companies' directories and that such a service should be made available to subscribers of other telecommunication services;
Whereas the Governor in Council has determined that privacy safeguards should be cost-effective and competitively neutral and should not unduly interfere with the introduction of new services;
[A.B. vol. 1, p. 171]
[26] The CRTC issued a public notice inviting submissions. The Privacy Commissioner accepted the invitation and recommended, inter alia, the following:
RECOMMENDATION 2. - When telephone companies collect information from new or existing subscribers, they should tell the subscribers about all primary and possible secondary uses of their personal information, who might use the information, and all means available to the subscriber to control or prohibit these uses.
RECOMMENDATION 3. - Service providers should always ask new subscribers whether they want their listings fully or partially listed, unpublished, or unlisted.
RECOMMENDATION 4. - Service providers should not charge for de-listing or not publishing listings.
[A.B. vol. 2, pp. 489-491]
The Commissioner's observations leading to his recommendation 4 read:
Subscribers must normally pay to have their listing unpublished or to keep it unlisted. In the United States, monthly de-listing charges range from $0.65 in California to $2.54 in New York. In Canada, monthly de-listing charges are on average 132% higher than in the United States, ranging from $1.55 in Manitoba to $5.75 in the Maritime provinces.
Both the Privacy Commissioner and the federal Cabinet agree that these high charges may discourage de-listing or non-publication, and thus prevent many subscribers from protecting their privacy. Between a quarter and a third of American subscribers have had their listings removed from directories and directory assistance. Figures for Canada are not available, but the Commissioner suspects that fewer Canadians take advantage of de-listing.
De-listing and not publishing listings affect both published directories and the level of directory assistance required from service providers or their affiliated publishers. The Commissioner, however, does not believe that this justifies infringing upon the privacy of subscribers. Indeed, revenues lost through de-listing would be offset by reduced printing costs (directories would be thinner). Furthermore, revenues from providing directory assistance would increase.
[A.B. vol. 2, p. 490-491]
[27] On December 23, 1996, the CRTC submitted its 25 page Report on Directory Subscriber Listings and on Unlisted Number Service (A.B. vol. 1, p. 182).
[28] The Report sets out a list of applicable principles established by Industry Canada which must be taken into account:
1) Canadians value their privacy. Personal privacy considerations must be addressed explicitly in the provision, use and regulation of telecommunications services.
2) Canadians need to know the implications of the use of telecommunications services for their personal privacy. All providers of telecommunications services and government have a responsibility to communicate this information in an understandable and accessible form.
3) When telecommunications services that compromise personal privacy are introduced, appropriate measures must be taken to maintain the consumer's privacy at no extra cost unless there are compelling reasons for not doing so.
4) It is fundamental to privacy that there be limits to the collection, use and disclosure of personal information obtained by service providers and generated by telecommunications networks. Except where clearly in the public interest, or as authorized by law, such information should be collected, used and disclosed only with the express and informed consent of the persons involved.
5) Fundamental to privacy is the right to be left alone. A balance should exist between the legitimate use of unsolicited telecommunications and their potential for intrusion into personal privacy. All parties have a responsibility to establish ground rules and methods of redress so that Canadians are able to protect themselves from unwanted and intrusive telecommunications.
6) Privacy expectations of Canadians may change over time. Methods of protecting telecommunications privacy must be reviewed from time to time to meet these changing expectations and to respond to changing technologies and services.
To these must be added the determination in Order in Council P.C. 1996-1001 that privacy safeguards should be cost-effective and competitively neutral and should not unduly interfere with the introduction of new services.
The Commission notes that the above principles may conflict with one another, and considers that any choice as to which should prevail in a given situation would depend on an assessment of the individual circumstances, taking into account such factors as the nature of the service, the nature of the information and any past practices that may have evolved.
[A.B. vol. 1, pp. 190-191; pp. 6 and 7 of the Report]
[29] The Report then finds that
the provision of primary exchange service by the telephone company has generally included a listing in the directory, the provision of White and Yellow Pages directories, and the availability of the subscriber's telephone number through directory assistance. The exception has been when the subscriber requested, at a fee, an unlisted telephone number. The Commission considers that, as a result of this long-established practice, subscribers currently expect that, unless they request an unlisted number, their telephone numbers will be published in the telephone companies' directories and will be available through directory assistance. In the Commission's view, subscribers can be considered to have consented to this use if they initiate service without requesting an unlisted number.
[A.B. vol. 1, p. 194]
[My emphasis]
[...] The Commission considers that [...] subscribers to primary exchange service are regarded as having consented to the publication of their information in independent directories.
[A.B. vol. 1, p. 195]
[30] With respect to unlisted number service, the Report states:
[...] In assessing the appropriate balance with respect to unlisted number service, the Commission considers that the factors noted by Stentor must be weighed against concerns as to privacy, which have become more acute as a result of increased accessibility of subscriber listing information, particularly in forms that are easily manipulated, and the fact that subscribing to the service may now be the only effective way for subscribers to control dissemination of their listing information. Given the current environment, it is increasingly important that unlisted number service not be priced beyond the financial reach of subscribers.
In the past, the Commission has set rates for unlisted number service to maximize revenues to the telephone companies. The Commission's preliminary view is that this policy is no longer appropriate in light of current regulatory circumstances. The Commission's initial view is that charges should not be entirely eliminated, and that the current circumstances are not sufficient to warrant offering the service below cost. Rather, the commission considers that a cost-based rate would provide an acceptable compromise, taking into account the potential revenue impact of a reduced rate and given that the use of the telecommunications system is enhanced by having subscriber listing information readily available. In light of the above, the Commission considers that rates for unlisted numbers should be re-examined with the aim of establishing rates based on current costs plus contribution.
[A.B. vol. 1, p. 201]
[My emphasis]
[31] On August 27, 1997, the CRTC invited submissions regarding the rates for unlisted number service and related issues (A.B. vol. 1, p. 210). Following the receipt of submissions, including that of the Privacy Commissioner (which was not put in evidence in the record before us), the CRTC issued Telecom Order CRTC 98-109 in which it concluded as follows:
31. Based on the information filed in this proceeding, the Commission considers that to set a cost-based rate would fail to take adequate account of considerations such as the usefulness of a reasonably complete directory and the revenue impact of reduced rates.
32. However, given increasing personal privacy concerns, the Commission also considers it inappropriate that monthly rates for unlisted number service for residence subscribers remain at levels that were established in the past with a view to maximizing revenues available to subsidize basic residential service.
33. Taking into account the increasing privacy concerns, as well as factors such as the revenue impact of reduced rates for unlisted number service and the contribution that readily available subscriber listing information makes to the usefulness of the network, the Commission considers it appropriate that the telephone companies provide an unlisted number service at a rate that does not exceed $2 per month for residence subscribers.
[A.B. vol. 1, pp. 229-230)
[My emphasis]
[32] Of interest is the submission made to the CRTC by the Information and Privacy Commissioner of Alberta:
It is my view that setting rates for unlisted number service to maximize revenue for the service provider is completely unacceptable. As I stated in my earlier submission, I am fundamentally opposed to the notion that individuals should have to pay for their right to control the use that is made of their personal information. Accordingly, I believe that the present system of maximizing revenue is completely unfair.
It is not appropriate to set rates for unlisted number service to discourage people from utilizing this service. There are a number of instances where people need this type of service to ensure that they are adequately protected from harmful circumstances. For example, if a spouse who is the victim of abuse requires to keep his or her telephone number unavailable, this should not be at an unreasonable cost. The cost for the service should be based on the actual cost with no mark-up, to the service provider and not based on potential lost revenues if this information is not available to the general public.
I strongly believe that people have a right to privacy. While this may not be without cost, the cost should be defensible and based on the actual cost of providing the service. If the actual cost is not reasonable, the service providers should be directed to reduce costs within a specific time period to an acceptable level. I am convinced that today's technology makes this possible.
[A.B. vol. 2, pp. 502-503]
[33] On December 13, 2000, the Governor in Council made the Regulations Specifying Publicly Available Information (P.C. 2000-1777, SOR/2001-7) (the Regulations), which were to come into force on January 1, 2001:
REGULATIONS SPECIFYING PUBLICLY AVAILABLE INFORMATION
Information
1. The following information and classes of information are specified for the purposes of paragraphs 7(1)(d), (2)(c.1) and (3)(h.1) of the Personal Information Protection and Electronic Documents Act:
(a) personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory;
(b) personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the directory, listing or notice;
|
RÈGLEMENT PRÉCISANT LES RENSEIGNEMENTS AUXQUELS LE PUBLIC A ACCÈS
Renseignements
1. Les renseignements et catégories de renseignements ci-après sont précisés pour l'application des alinéas 7(1)d), (2)c.1) et (3)h.1) de la Loi sur la protection des renseignements personnels et les documents électroniques :
a) les renseignements personnels - nom, adresse et numéro de téléphone des abonnés - figurant dans un annuaire téléphonique accessible au public, si l'abonné peut refuser que ces renseignements y figurent;
b) les renseignements personnels, y compris les nom, titre, adresse et numéro de téléphone, qui figurent dans un répertoire, listage ou avis à caractère professionnel ou d'affaires qui est accessible au public, si la collecte, l'utilisation et la communication de ces renseignements sont directement liées à la raison pour laquelle ils figurent dans le répertoire, listage ou avis;
|
[34] In the Regulatory Impact Analysis Statement which accompanies (but is not part of) the Regulations, the following comments are worth noting:
REGULATORY IMPACT ANALYSIS STATEMENT
(This statement is not part of the Regulations.)
Description
...
Telephone Directories
One association pointed out that the exception for the telephone directory is based on the individual's ability to refuse to appear in the directory but that the refusal can only be exercised by paying for an unlisted number (this is a condition set by several of the telephone companies). They argued that this fee was an economic barrier to lower income people who may not wish to be listed but who cannot afford to exercise their right to refuse and suggested adding "without incurring any cost for such refusal". While this point may have validity from an access to services perspective, the use of fees is not specifically a protection of privacy issue.
|
RÉSUMÉ DE L'ÉTUDE D'IMPACT DE LA RÉGLEMENTATION
(Ce résumé ne fait pas partie du règlement.)
Description
[...]
Annuaires téléphoniques
Une association a souligné que dans le cas de l'annuaire téléphonique, l'exception s'appuie sur la possibilité pour une personne de refuser d'y être inscrite mais que ce refus ne pouvait s'exercer qu'en payant pour un numéro non inscrit (c'est une condition fixée par plusieurs sociétés de téléphone). L'association a fait valoir que ce tarif était une barrière économique pour les gens à faible revenu qui pourraient souhaiter ne pas être inscrits mais qui ne pourront pas exercer leur droit de refus et a suggéré d'ajouter « sans assumer de coût pour un tel refus » . Bien que cet argument soit valable sur le plan de l'égalité d'accès aux services, l'application de frais ne concerne pas spécifiquement la protection des renseignements personnels.
[My emphasis]
|
[35] On May 30, 2003, the CRTC issued Telecom Decision CRTC 2003-33 in which it found that implied consent is not an appropriate type of consent for the disclosure to affiliates of confidential customer information other than the customer's name, address and listed telephone number. It also found that it is appropriate to permit Canadian carriers to use other forms of express consent as alternatives to written consent, these alternatives being: oral confirmation verified by an independent third party; electronic confirmation through the use of a toll-free number; or electronic confirmation via the Internet. Of particular significance for the purpose of this appeal is the following comment made by the CRTC at paragraph 23 of its decision:
23. The Commission notes that the PIPED Act sets out regulations and standards relating to the privacy of personal information. However, the Commission also notes that its jurisdiction in this matter stems not from the PIPED Act, but from the Telecommunications Act, and that in exercising its discretionary powers pursuant to the Telecommunications Act, it may apply different standards than those contemplated by the PIPED Act.
Interpreting Part 1 and Schedule 1 of the Act
[36] One should not be hasty in applying to Part 1 and Schedule 1 of the PIPED Act principles and rules of interpretation developed in the context of the Privacy Act, if only because of the dissimilarity between their two "purpose" provisions:
PIPED Act
Purpose
3. The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
|
Loi sur la Protection des renseignements personnels et les documents électroniques
Objet
3. La présente partie a pour objet de fixer, dans une ère où la technologie facilite de plus en plus la circulation et l'échange de renseignements, des règles régissant la collecte, l'utilisation et la communication de renseignements personnels d'une manière qui tient compte du droit des individus à la vie privée à l'égard des renseignements personnels qui les concernent et du besoin des organisations de recueillir, d'utiliser ou de communiquer des renseignements personnels à des fins qu'une personne raisonnable estimerait acceptables dans les circonstances.
|
Privacy Act
Purpose of act
2. The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.
|
Loi sur la protection des renseignements personnels
Objet de la loi
2. La présente loi a pour objet de compléter la législation canadienne en matière de protection des renseignements personnels relevant des institutions fédérales et de droit d'accès des individus aux renseignements personnels qui les concernent.
|
[37] The purpose of the Privacy Act was described as being twofold by LaForest J. in Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403, at 434. First, it is to "protect the privacy of individuals with respect to personal information about themselves held by a government institution;" and, second, to "provide individuals with a right of access to that information."
[38] The purpose of the PIPED Act is altogether different. It is undoubtedly directed at the protection of an individual's privacy; but it is also directed at the collection, use and disclosure of personal information by commercial organizations. It seeks to ensure that such collection, use and disclosure are made in a manner that reconciles, to the best possible extent, an individual's privacy with the needs of the organization. There are, therefore, two competing interests within the purpose of the PIPED Act: an individual's right to privacy on the one hand, and the commercial need for access to personal information on the other. However, there is also an express recognition, by the use of the words "reasonable purpose," "appropriate" and "in the circumstances" (repeated in subsection 5(3)), that the right of privacy is not absolute.
[39] The PIPED Act is a compromise both as to substance and as to form.
[40] With respect to the compromise on substance, Michael Geist, in Internet Law in Canada, 3rd ed., Captus Press, 2002, at 303, puts it as follows:
[...] The subject of intense negotiation between business, consumer groups, and government in the early and mid-1990s, the Code represents a compromise between the need to protect individual privacy and the desire of organizations to collect personal data for marketing and other commercial purposes. This compromise remains intact in the new law, and is reflected in its purpose clause, which explicitly refers to the balance between the competing interests of individuals and business. (An early version of the bill referred only to personal privacy.)
[41] Five of the ten principles set out in Schedule 1 (accountability, accuracy, safeguards, individual access and challenging compliance) impose on organizations obligations pertaining essentially to their internal handling of personal information once it is in their possession. One principle (openness) relates to the public relations policy of organizations with respect to their management of personal information. The four other principles (identifying purposes, consent, limiting collection and limiting use, disclosure and retention) are of a more substantial nature, in the sense that they purport to ensure that individuals do not reveal their personal information unless they know for what specific purposes it will be used or disclosed, unless these purposes are legitimate and unless they consent to the use and disclosure that is intended to be made of that information. These are the four principles that are in play in these proceedings.
[42] It appears from a reading of principles 4.2 (identifying purposes), 4.3 (consent), 4.4 (limiting collection) and 4.5 (limiting use, disclosure and retention), that the focus of Schedule 1 is not so much on the prevention of collection, use and disclosure of personal information, which are almost taken for granted, as on the purposes for which the information is collected, used or disclosed. These purposes must be appropriate and legitimate, and reasonable efforts must have been made to ensure that the individual is advised of and understands them. Once these purposes are identified and once informed consent is expressly or implicitly obtained, the individual's information can be collected, used or disclosed.
[43] The PIPED Act is also a compromise as to form, as is amply demonstrated by the recital of its historical background. Schedule 1 is an exact replica of Part 4 of the CSA Standard adopted in 1995, which Standard in turn was based on the OECD Guidelines adopted in 1980 and to which Canada had adhered in 1984. Both the CSA Standard and the OECD Guidelines are the product of intense negotiations between competing interests, which proceeded on the basis of self-regulation and which did not use nor purport to use legal drafting.
[44] The authors of the Annotated Guide have set out a number of reasons which make it inherently difficult to incorporate in legislation a code that was written originally as a voluntary instrument:
First, the standard was a mix of recommendations and requirements, usually written as "shoulds" and "shalls." In the regime of voluntary standards, a "should" is often regarded as best practice and treated as a necessity unless there are strong reasons not to do so, but this kind of flexibility is not recognized in legal drafting.
Second, the definitions used in the standard do not follow legal drafting style, and in some cases (for instance, "consent"), they embodied policy decisions that would have been more appropriately addressed in the text of the code.
Third, there was a certain amount of repetition and cross-referencing in the code of practice that is problematic in legislation.
Fourth, two of the more difficult issues to decide were dealt with in the code as notes. There were the exceptions to the requirement for consent and the exceptions to the right of access. General statements using examples were incorporated as notes, partly because it was very difficult to reach agreement on text in the context of a voluntary exercise. These notes were too vague for the law, but since they contained very important exceptions, they had to be dealt with somehow. All these issues made the incorporation of the code in its totality an unattractive option from a legal drafting point of view.
[p. 6]
[45] The Court is sometimes left with little, if any guidance at all. Clause 4.3, for example, requires knowledge and consent "except where inappropriate." Clause 4.3.4 sets up a standard of "sensitivity of the information," only to add that "any information can be sensitive, depending on the context." Clause 4.3.5 then goes on to say that "[i]n obtaining consent, the reasonable expectations of the individual are also relevant."
[46] All of this to say that, even though Part 1 and Schedule 1 of the Act purport to protect the right of privacy, they also purport to facilitate the collection, use and disclosure of personal information by the private sector. In interpreting this legislation, the Court must strike a balance between two competing interests. Furthermore, because of its non-legal drafting, Schedule 1 does not lend itself to typical rigorous construction, In these circumstances, flexibility, common sense and pragmatism will best guide the Court.
The nature of the hearing and the deference owed
to the Commissioner's report
[47] Similar issues were recently examined by this Court in the context of the Official Languages Act (see Canadian Food Inspection Agency v. Forum des maires de la péninsule acadienne et al, 2004 FCA 263 (Forum des maires)). While the case dealt with a different statute, the provisions in the Official Languages Act with respect to the proceedings that may be commenced in the Federal Court are so similar to those found in the Personal Information Protection and Electronic Documents Act that the same reasoning can apply (see, also, Eastmond v. Canadian Pacific Railway, 2004 FC 852, Lemieux J., at paras. 118-120) . I find no difference on a procedural point of view between an application "for a remedy" ("former un recours") under subsection 77(1) of the Official Languages Act and an application "for a hearing" ("que la Cour entende") under subsection 14(1) of the Act. The investigations carried out pursuant to a complaint by the Official Languages Commissioner and the Privacy Commissioner basically follow the same pattern. The application to the Federal Court in both cases may be made by a complainant and is to be heard in a summary way. What is at issue in both proceedings is not the Commissioner's report, but the conduct of the party against whom the complaint is filed. And the remedial power of the Court in the PIPED Act, even though not drafted in Charter language, is remarkably broad.
[48] As found in Forum des maires, therefore, the hearing under subsection 14(1)of the Act is a proceeding de novo akin to an action and the report of the Commissioner, if put in evidence, may be challenged or contradicted like any other document adduced in evidence. I may add a further argument in support of this finding: according to section 15 of the Act, the Commissioner may appear as a "party" at the hearing. To show deference to the Commissioner's report would give a head start to the Commissioner when acting as a party and thus could compromise the fairness of the hearing. The Official Languages Act contains a similar provision, subsection 77(1).
The standing
[49] The appellant concedes that he has no personal interest in the consent issue to the extent that he does not allege that his privacy interests were infringed by TELUS' action. As a result, TELUS argues that the appellant lacks the common law interest to address the Court on the consent issue. There is no challenge to the appellant's standing in regard to the rate issue.
[50] We are dealing, here, with express statutory language where recourse is open to any "complainant" (ss. 14(1) of the Act). While a complainant is "an individual" who has filed a complaint with the Commissioner (ss. 11(1)), it flows from subsection 14(1) that only a complainant with respect to whose complaint a report was prepared by the Commissioner can apply to the Court. Where the Commissioner does not prepare a report for any of the reasons mentioned in subsection 13(2) (for example where the complaint is found by the Commissioner to be trivial, frivolous, vexatious or made in bad faith), the complainant cannot seek the benefit of a hearing under section 14 and hence must be satisfied with a judicial review proceeding under section 18 of the Federal Courts Act. (I note in passing that the recourse under section 14 appears to be open only to the complainant, and not to the organization against which the complaint was made, with the awkward result that the only avenue open to the organization could be that of judicial review.)
[51] TELUS argues, by reason of the words "tout intéressé" found in the French text of subsection 11(1), that an individual who has no personal interest may not file a complaint with the Commissioner and should be restricted to having a "whistle blowing" interest under section 27 of the Act. That may well be the case before the Commissioner and it may well be that the Commissioner could refuse to prepare a report where he finds that a complainant has no personal interest, but I express no opinion on either matter. However, in situations where the Commissioner has prepared a report, and where his decision to do so has not been challenged, the individual who has filed the complaint becomes a complainant for the purposes of an application to the Court pursuant to section 14 of the Act as soon as the report is sent to that individual, whether or not his own personal information is at stake. (Compare with Maheu v. IMS Health Canada, 2003 FCT 1, Lemieux J. at 59, aff'd 2003 FCA 462.)
[52] I recognize that the granting of standing in these circumstances is exceptional, but I cannot read the provisions of the Act otherwise, and even more so when one considers that the hearing before the Court is, pursuant to the very words of subsection 14(1), "in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner's report [...]". The recognition of standing to bring proceedings to the Court does not, however, affect the inherent jurisdiction of the Court to decline to hear a matter which no longer has any object or which is normally considered non-justiciable (see Canada v. Chiasson , 2003 FCA 155). Nor does it affect the duty of the Court not to grant a remedy which would lead it astray from its role as judicial arbiter (see Forum des Maires, supra).
The consent issue
[53] Much was said before us and in the reasons of the Federal Court about section 7 of the Act and para. 1(a) of the Regulations. On the one hand, they exempt an organization from the requirement under clause 4.3 of Schedule 1 of obtaining the knowledge and consent of the individual when the personal information is "publicly available." On the other hand, they deem to be publicly available personal information consisting of the name, address and telephone number of a subscriber that appears in a publicly available telephone directory (but only where the subscriber can refuse to have the information appear in the directory).
[54] With respect, I am of the view that section 7 of the Act and para. 1(a) of the Regulations are not applicable in the case at bar. The provisions apply when personal information consisting of the name, address and telephone number of a subscriber already appears in a publicly available telephone directory. They enable organizations to collect, use or disclose that existing information for their own purposes. But the provisions do not, and indeed cannot, apply to the very organization that initially collects the information for the purpose of publishing a telephone directory that will, once published, become publicly available.
[55] Indeed, the fact that the use of personal information contained in publicly available telephone directories can be so widespread because of these Regulations militates in favour of the Court exercising additional caution when determining issues pertaining to initial listings in telephone directories.
[56] Principles 2, "Identifying Purposes," and 3, "Consent," are at the heart of this appeal. Principle 3, I hasten to add, despite its name, "requires 'knowledge and consent' " (clause 4.3.2). In other words, Principle 3 requires informed consent.
[57] Principle 2 requires an organization to identify the purposes for which personal information is collected at or before the time the information is collected (clause 4.2). It also requires the organization to specify the identified purposes to the individual at or before the time of the collection (clause 4.2.3) and, where personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use and the consent of the individual is required before information can be used for that purpose (clause 4.2.4) (my emphasis).
[58] Clauses 4.2.3 and 4.2.4 are particularly relevant in the case at bar as they clearly impose on the organization the burden of making clear to the individual all the purposes for which the personal information is collected at or before the time of collection.
[59] Principle 3 requires "the knowledge and consent of the individual...for the collection, use or disclosure of personal information, except where inappropriate." Inappropriateness is not defined and I suspect that it may refer at least to section 7 of the Act which authorizes collection without knowledge or consent in some circumstances (see supra, para. 21). (I note that the English text of subsections 7(1), (2) and (3) refers to "knowledge or consent," while the French text refers to "à l'insu de l'intéressé et sans son consentement" (my emphasis). Nothing in my view turns on the difference as it appears clearly from clause 4.3 of Schedule 1 that the principle of consent requires knowledge and consent.)
[60] Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used (clause 4.3.2). Consent, and therefore knowledge, are required for the collection of personal information and the subsequent use or disclosure of this information and, typically, an organization will seek consent for the use or disclosure of the information at the time of collection (clause 4.3.1). The form of the consent sought by the organization, and the way in which the organization seeks consent, may vary, depending upon the circumstances and the type of information (clauses 4.3.4 and 4.3.6). In obtaining consent, the reasonable expectations of the individual are relevant (clause 4.3.5). Implied consent would generally be appropriate when the information is less sensitive (clause 4.3.6). Examples of ways in which individuals can give consent are: on application forms, on checkoff boxes, over the telephone, at the time of use, all of which imply that the consent is given at the time of collection and before use (my emphasis).
[61] Timing, therefore, as was the case with respect to Principle 2, is also of the essence with respect to Principle 3. In most instances, the requirement of knowledge and consent has to be met by the organization at the time of collection and prior to use. Brochures and tools which are made available to the individual after the time of collection and sometimes even after the time of use cannot be relied on to determine whether knowledge was acquired and consent given by an individual at the time of collection. These brochures and tools are made available by the organization in compliance with Principle 8, "Openness," which requires organizations to make readily available to individuals specific information about its policies and practices relating to the management of personal information. Compliance with Principle 8 will generally come too late for compliance with Principle 3. Openness can, of course, set the course for a finding of tacit consent should it be eventually demonstrated that first-time customers are aware of the brochures at the time they subscribe.
[62] It was found by the judge that TELUS and its affiliates use and disclose the names, addresses, and telephone numbers appearing in a telephone directory of TELUS customers (the "listing information") through the following services:
Printed telephone directories commonly known as the White Pages. There is one annual White Pages for the region described as "Metro Vancouver" and there are several others covering sub-regions or neighbourhoods within Vancouver. Each White Pages includes the listing information of TELUS' customers residing in the applicable region or sub-region who have not subscribed for NPNS.
When new customers subscribe for local residential service, they are automatically included in the directories unless they also subscribe for NPNS. If they subscribe for NPNS, their listing must be manually "flagged" to ensure that their listing information is not included with the information that is provided to directory assistance and for the purpose of printing the directory. NPNS accounts also require ongoing extra security and special handling. Thus, the provision of NPNS results in some additional costs to TELUS.
Dial-in directory assistance commonly known as "411", which TELUS offers to members of the general public, generally for a fee.
Internet directory assistance called "People Finder", also offered to members of the general public. It is a service provided by TELUS Advanced Services Inc., an affiliate of TELUS. This service also offers a reverse-lookup function, whereby a member of the general public can enter a telephone number and find out listing information associated with it. However, the listing information of TELUS customers who have subscribe for NPNS is not included in the database.
Through services called Directory File Service and Basic Listing Interchange File Service, TELUS discloses, for a fee, listing information of its customers. The CRTC requires TELUS to provide these services to independent directory publishers and certain other organizations, pursuant to Tariff Items 23 and 210 in British Columbia.
TELUS' directory publisher, Dominion Information Services Inc. [Dominion], provides selected listing information, for a fee, to selected organizations [List Services]. The listing information so provided excludes all information for TELUS customers who have subscribed for NPNS as well as for those who have requested to be "de-listed".
Dominion also provides listing information in a CD-ROM format that can be purchased as a retail product under licence to anyone who wishes to purchase it. The CD-ROM can be used for reference only, has limited printout availability, and is copy protected and encrypted to avoid misuse. The licences provide that it cannot be used to publish alternate directories or to print the entire contents.
[para. 15 of the Reasons]
[63] TELUS' practice with respect to seeking the consent of its first-time customers was summarized as follows by the judge:
[44] In his affidavit, Jim Brooks, TELUS Vice-President, Business Transformation, informs us of the procedure that is followed when a customer subscribes to a new telephone line. TELUS customer service representatives are instructed to indicate to customers that the telephone line includes a listing in TELUS directories; customers are asked how they would like their personal information to appear in the directories; and the representatives discuss privacy concerns and listing options with the customer if the customer expresses an interest in not being published. New customers also receive a welcoming letter with an accompanying brochure entitled "Our Privacy Commitment to You". The brochure sets out, inter alia, the purposes for which TELUS collects, uses, and discloses customers' personal information. It also advises customers of their right to be de-listed.
[45] The White Pages specifically detail how TELUS uses personal information and the various privacy oriented service options provided by TELUS. They also indicate to whom TELUS discloses information and how a customer's information can be used. There are also specific instructions on how customers can withdraw their consent, verify or change their personal information at any time.
[46] Furthermore, TELUS maintains a toll free number which is dedicated to providing information to customers who wish to discuss privacy issues. TELUS also maintains a website where customers can obtain information about its privacy practices. In addition to those services, TELUS employs a full-time Privacy Officer who is accountable for privacy policies and practices.
[64] The judge, before reaching his conclusion at para. 53 that TELUS had "valid consent under the PIPED Act to publish its customers' personal information in their directories," expressed the opinion that
It is a long-standing and well established practice of telephone companies to include directory listings as part of residential telephone services. Thus, in addition to being notified of the fact by TELUS, customers have a reasonable expectation that unless they subscribe to NPNS, their listing information will be published in the phone directory.
[para. 47]
and
[...] I believe that once a TELUS representative has asked a new subscriber how he or she would like his or her listing information to appear in the telephone directory, it is open to that subscriber to enquire on the options available to him or her. If the privacy of such information is fundamental or simply desired by a subscriber, it is his or her responsibility to educate him or herself, either by asking the representative or through the various tools which have been put at the public's disposal by TELUS.
[para. 52]
[65] I find, in the circumstances, that proper consent was not, and could not have been given, by TELUS first-time customers with respect to the use by TELUS of the personal information in its Internet directory assistance service, in its Directory File Service and Basic Listing Interchange File Service and its CD-ROM service. These services were not identified at the time of enrolment and there is no evidence that they were so connected with the primary purposes of telephone directories that a new customer would reasonably consider them as appropriate. There is no evidence that TELUS made any "effort," let alone a "reasonable" one, within the meaning of clause 4.3.2, to ensure that its first-time customers are advised of the secondary purposes at the time of collection. The judge makes no specific finding with respect to these services, which in itself is a reviewable error.
[66] With respect to the primary purposes, the judge found that reasonable first-time customers would be well aware of the established practice of telephone companies to include directory listings as part of their residential telephone services (I include here the 411 service as well) and that a reasonable person would consider such purposes to be appropriate. Such deemed knowledge would enable TELUS to assume that the first-time customers are aware of the primary purposes for which their personal information is collected and implicitly agree to their name, address and telephone number appearing in the directory listings unless they say otherwise at the time of enrolment. The judge's finding seems to be based on a short passage in the CRTC's Report on Directory Subscriber Listings and on Unlisted Number Service (see supra, para. 29).
[67] The judge's conclusion and the CRTC's finding that first-time customers can be considered to have consented to the primary uses if they do not, on their own initiative, request an unlisted number, are not compatible, in my respectful view, with the very exercise of seeking informed consent before or at the time of enrolment mandated by Part 1 of the Act and by Schedule 1. A consent is not informed if the person allegedly giving it is not aware at the time of giving it that he or she had the possibility to opt out. First-time customers have the right to know before their personal information becomes "publicly available" within the meaning of section 7 of the Act, with all the consequences that might flow from such publicity, that they can exercise their right to privacy and choose not to be listed. This, it seems to me, is a fair compromise between one's right to privacy and the industry's needs.
Whether the Court has jurisdiction to examine the legality of the rates
imposed by the CRTC with respect to the use of the Non-Published Number Service
[68] As I understand the appellant's argument, TELUS cannot be permitted to charge its customers merely for exercising their statutory right to privacy. This practice would infringe clause 4.3.3 of Schedule 1 which prescribes that "an organization shall not, as a condition of the supply of a...service, require an individual to consent to the collection...of information..." I will come back to this provision when I examine the merits of the rate issue. I merely quote it now to explain the type of jurisdiction we are talking about at this point.
[69] The judge at paragraph 65 of his reasons found that the Court had no jurisdiction over the rate issue, "as it is a matter within the exclusive jurisdiction of the CRTC." Counsel for the respondent, in support of that finding, relies on the line of reasoning stemming from the decision of the Supreme Court of Canada in St. Anne Nackawic Pulp & Paper Co. v. Canadian Paper Workers Union, Local 219, [1986] 1 S.C.R. 704, Weber v. Ontario Hydro, [1995] 2 S.C.R. 929, Regina Police Assn. Inc. v. Regina (City) Board of Police Commissioners, [2001] 1 S.C.R. 360 and, more recently, in 2004 SCC 40">Quebec (A.G.) v. Quebec (Human Rights Tribunal), 2004 SCC 40.
[70] I must say at the outset that I find this whole exercise somehow sterile. I do so for two reasons. First, the issue will ultimately and in any event be decided by the Federal Court of Appeal, either on appeal (as here) from a decision of the Federal Court made under the PIPED Act or on appeal on a question of law from a decision of the CRTC made under the Telecommunications Act. Second, the CRTC did not assert, let alone exercise, its jurisdiction on the issue and there is no risk, therefore, of conflicting decisions. At worst, as can be seen from the abstract quoted in paragraph 35, the CRTC appears to be of the view that its privacy standards may differ from those set out in the PIPED Act. This startling proposition may have to be examined when the occasion arises.
[71] The issue, here, is not whether the Privacy Commissioner, but whether the Federal Court has jurisdiction. The Commissioner, in any event, is not a tribunal and has no decision-making power under the PIPED Act. At best, the Commissioner can form an opinion on the issue and include it in his report. As the report is not a "decision," there can be no conflict with the decision of a court or tribunal found to have exclusive, concurrent or overlapping jurisdiction to determine the issue.
[72] The CRTC, on the other hand, is a decision-making tribunal. Section 25 of the Telecommunications Act prohibits any Canadian carrier from providing a telecommunications service except in accordance with a tariff filed and approved by the CRTC that specifies the rate. Section 27 ensures that every rate charged for a telecommunication service is "just and reasonable." Paragraph 7(i) includes in the list of objectives of the Canadian telecommunications policy that of "contribut[ing] to the protection of the privacy of persons."
[73] Paragraph 32(a) allows the CRTC, for the purposes of Part III, which is the one with which we are concerned, to "approve the establishment of classes of telecommunications services and permit different rates to be charged for different classes of services." Paragraph (g) goes on to give the CRTC the power, "in the absence of any applicable provision in this Part, [to] determine any matter and make any order relating to the rates, tariffs or telecommunications services of Canadian carriers."
[74] Section 47 orders the CRTC to exercise its powers with a view to implementing the Canadian telecommunications policy objectives and ensuring that carriers provide services and charge rates in accordance with section 27. Section 48 empowers the CRTC to "make a determination in respect of anything prohibited, required or permitted to be done under Part...III" (i.e. sections 25 to 46). Section 52 provides that the CRTC "may, in exercising its powers and performing its duties under this Act...determine any question of law or of fact..."
[75] It is therefore arguable, taking into account the relevant provisions and circumstances, that the CRTC has jurisdiction to determine the legality of the rates it otherwise approves (see Nova Scotia (Workers' Compensation Board) v. Martin, [2003] 2 S.C.R. 504, at 537). Since the CRTC did not intervene in these proceedings, I shall limit myself to assuming, without deciding, that it has jurisdiction.
[76] What remains to be decided is whether the CRTC's jurisdiction over the rate issue ousts the Federal Court's jurisdiction over the same issue.
[77] The PIPED Act provides a comprehensive complaint mechanism to the Privacy Commissioner, and ultimately, to the Federal Court. It also takes precedence, in the circumstances described in subsection 4(3) of the Act, over the Telecommunications Act.
[78] Complaints are made under section 11 "against an organization for contravening a provision of Division 1 [i.e. sections 5 to 10] or for not following a recommendation set out in Schedule 1." In order for the Federal Court, acting pursuant to section 14 of the Act, to determine whether an organization has failed, in violation of subsection 5(1), to comply with the obligations set out in Schedule 1, in this case clause 4.3.3, the Court must have the power to decide whether the imposition of a fee is permissible under that clause. This is a pure question of law which pertains to the very statute that the Court is being asked to enforce. It would take explicit wording in the Telecommunications Act to oust the jurisdiction of the Federal Court when acting under the PIPED Act. There is no such explicit wording. (See Eastmond, supra, para. 47, at paras. 92 to 117)
[79] I therefore reach the conclusion that there is either concurrent jurisdiction or overlapping jurisdiction, to use the words of the Supreme Court of Canada in Weber and in 2004 SCC 40">Quebec (A.G.) v. Quebec (Human Rights Tribunal), supra, para. 69. Should the Federal Court, or this Court in appeal, decide that fees cannot be charged, the CRTC would have to revise its tariff in the same way it would have had to revise its tariff had it decided on the merit that the fee could be legally imposed and its decision on that point had been reversed on an appeal to the Court made under the provisions of the Telecommunications Act.
Whether the imposition of a fee contravenes the requirements
of the PIPED Act
[80] The appellant submits that by conditioning an unlisted number on payment by the individual of a fee, TELUS contravenes clause 4.3.3 of the Schedule. It will be useful to reproduce the text of that clause again:
4.3.3
An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
|
4.3.3
Une organisation ne peut pas, pour le motif qu'elle fournit un bien ou un service, exiger d'une personne qu'elle consente à la collecte, à l'utilisation ou à la communication de renseignements autres que ceux qui sont nécessaires pour réaliser les fins légitimes et explicitement indiquées.
|
[81] The appellant does not argue that fees can never be charged for the exercise of one's statutory right. He argues, rather, that a fee can only be charged if a statute provides for it.
[82] I take issue with the appellant's proposition that no statute or regulations allow imposition of a fee in the case at bar. Quite to the contrary, it appears from the clear wording of the Telecommunications Act that, when approving rates and services, the CRTC must take into consideration the objectives of the Canadian telecommunications policy, including that of contributing to the protection of the privacy of persons. Services may therefore be provided for the protection of privacy and rates may be imposed for the provision of those services. There could not be clearer indications that Parliament contemplated the imposition of fees for providing privacy services.
[83] The appellant contends, however, that the PIPED Act overrules the Telecommunications Act. That, however, would be so only if there were contradictory provisions in the two statutes. I find no provision in the PIPED Act which expressly prohibits the imposition of fees and clause 4.3.3 of Schedule 1, on which the appellant relies, can by no means be interpreted as he suggests. The "service" referred to in that clause is the telephone service and the clause prevents TELUS from seeking from its customers a consent wider than is necessary for the supply of that service.
[84] The appellant could not provide the Court with any authority directly on point to support his proposition. He referred to two decisions of the Supreme Court of Canada which deal with aboriginal rights. I am not prepared to adopt wholesale to typically administrative law issues principles developed in the context of aboriginal law. In any event, these decisions are not very helpful to the appellant. In R. v. Badger, [1996] 1 S.C.R. 771, it was found that the Treaty at issue and the Natural Resources Transfer Agreement did not permit the imposition of a licensing fee for exercising a treaty right. In R. v. Côté, [1996] 3 S.C.R. 139, where a regulation imposed the payment of a user fee to the state for the exercise of an aboriginal right connected to land, the Court found that a fee was permissible when it represented a tailored user fee directed at improving the means of transportation upon the tract of land. The Court even added that the access fee "effectively facilitates rather than restricts the constitutional rights of the appellant" (at 188).
[85] In the case at bar, as in Côté, the fee facilitates rather than restricts the appellant's right to privacy and there is no issue as to the financial burden it puts on the appellant. No evidence was led that the rate was such as to be unbearable. To the contrary, the evidence is that it had been a major concern of the Governor in Council, of the various interveners and eventually of the CRTC itself to set a rate that would not discourage non-listing and thus prevent many subscribers from protecting their privacy. Indeed the CRTC, in its Report on Directory Subscriber Listings and on Unlisted Number Service, expressed the view that "it is increasingly important that unlisted number service not be priced beyond the financial reach of subscribers" (supra, para. 30). A rate that does not exceed $2 per month for residence subscribers was approved. No one has argued before us that it was not a "just and reasonable rate" within the meaning of section 27 of the Telecommunications Act, an argument the Court would have in any event declined to hear because that issue is within the exclusive domain of the CRTC.
Whether the appellant is a public interest litigant
[86] The appellant seeks costs in any event of the cause on the basis that he is a public interest litigant.
[87] The appellant is self-represented. He is at best only entitled to be reimbursed the reasonable costs he has incurred. I will order that he be reimbursed his reasonable costs in the Federal Court and in this Court because he ends up being successful in part in his application. I need not decide if he would have been entitled to such reimbursement had he lost.
Disposition
[88] In the end, I would allow the appeal in part, set aside the decision of the Federal Court dated June 3, 2003 and find well-founded in part the complaint filed by the applicant against TELUS on January 1, 2001.
[89] I would find that TELUS has infringed section 5 of the Personal Information Protection and Electronic Documents Act in not informing its first-time customers, at the time of enrolment, of the primary and secondary purposes for which their personal information was collected and in not informing them at that time of the availability of the Non-Published Number Service.
[90] As the Court is not dealing here with a complainant who has been personally aggrieved, I am only prepared to order a remedy which will not comprise the payment of money and which will be future-oriented. I would therefore order TELUS to comply with the obligation set out in the above paragraph. Counsel for TELUS suggested at the hearing, and the Court agreed with her, that should a ruling go against her client, TELUS should have the opportunity to make written representations concerning the remedy. I would give TELUS four weeks from the date of this Order to serve and file representations with respect to the manner and the timetable of its implementation of the remedy described above. I would then give the appellant two weeks to reply. In the circumstances, judgment will only issue at a later date.
[91] As to costs, I would order TELUS to reimburse the appellant the reasonable costs he has incurred in the Federal Court and in this Court. I would also order TELUS to reimburse to the appellant the costs of $11,906.41 which were paid to it by the appellant as a result of the decision of the Federal Court.
"Robert Décary"
J.A.
"I agree.
M. Nadon, J.A."
"I agree.
B. Malone, J.A."
FEDERAL COURT OF APPEAL
NAMES OF COUNSEL AND SOLICITORS OF RECORD
DOCKET: A-388-03
STYLE OF CAUSE: Mathew Englander v. Telus Communications Inc.
PLACE OF HEARING: Vancouver, B.C.
DATE OF HEARING: October 7, 2004
REASONS FOR JUDGMENT: DÉCARY J.A.
CONCURRED IN BY: NADON, MALONE JJ.A.
DATED: November 17, 2004
APPEARANCES:
Mr. Mathew Englander FOR THE APPELLANT
(pro-se)
Ms. Lisa Warren FOR THE RESPONDENT
Mr. Sean McGee FOR THE INTERVENER
SOLICITORS OF RECORD:
FOR THE APPELLANT
Farris, Vaughan, Wills & Murphy FOR THE RESPONDENT
Vancouver, British Columbia
Nelligan O'Brien Payne LLP FOR THE INTERVENER
Ottawa, Ontario