The 3+3 Project: Bell

This is the Bell report for The 3+3 Project: Evaluating Canada’s Wireless Carriers’ Data Privacy Transparency. The 10 criteria used to evaluate carriers and the scoring rubric used for each are included in the chart below. A carrier could earn a full star, half star, or no star on each criterion. The criteria and rubric (with minor alterations as noted) are reproduced from the criteria document prepared by the IXmaps research project for the annual Keeping Internet Users In the Know or In the Dark: Data Privacy Transparency of Canadian Internet Service Providers, by Andrew Clement (Professor, Faculty of Information, University of Toronto) and Jonathan A. Obar (Assistant Professor, Faculty of Social Science and Humanities, University of Ontario Institute of Technology).  The Keeping Internet Users In the Know of In the Dark report is available here. For a fuller explanation of the criteria and the rubric used for each, please consult the full criteria document.

These criteria were originally developed by the IXmaps research project for their 2013 Keeping Internet Users in the Know or in the Dark report.[1] The Centre for Innovation Law and Policy (CILP) assisted with updating them for the 2014-2015 project, including developing the scoring rubric. Where we are aware of any difference in how we have applied these criteria compared to how IXmaps applies these criteria, this is indicated in the chart. For more information about IXmaps, as well as other significant projects engaging with data privacy, please see the project overview.

This report frequently makes reference to PIPEDA, the Personal Information Protection and Electronic Documents Act. This is Canadian legislation dealing with the treatment of personal information by companies while carrying on commercial activities. For more on PIPEDA, please see the project overview.

Notes:

  • The Bell Mobility Terms of Service were consulted (as of December 24, 2014, January 3, 2015, and February 13, 2015) but did not count towards Bell’s final score. Part of the evaluation was related to transparency about privacy practices. Therefore, carriers only received credit for information in their privacy materials, on the theory that this was where privacy-minded users would look for privacy-related information. In any event, the Bell Mobility Terms of Service, while including a privacy section, do not contain information not otherwise discussed in the Bell Privacy Policy. It incorporates by reference or directs the user to the privacy policy. The Bell Mobility Terms of Service apply to Bell Mobility Inc.
  • Virgin is one of the “Bell companies”.
    • Although Bell’s privacy materials do not provide a list of the “Bell companies” to which they apply, the Bell Mobility Terms of Service includes a “Bell Commitment to Privacy” which states that “The Bell Privacy Policy applies to the Bell companies offering wireless, Internet, satellite and IP television, TV, local and long distance wireline services as well as radio, television and digital media services and our various retail locations. The Bell companies include Bell Canada, Bell Mobility Inc., the Ontario and Quebec operations of Bell Aliant Regional Communications L.P. , Bell ExpressVu L.P., Virgin Mobile, Solo Mobile, The Source (Bell) Electronics Inc. and Bell Media Inc.” (per “Who and what does the Bell Privacy Policy apply to?”, emphasis added).
    • Virgin states in the Virgin Mobile Canada Terms and Conditions of Service that it is “a division of Bell Mobility Inc.” (including in the “Privacy Policy” section of the Virgin Mobile Canada Terms and Conditions of Service). However, Virgin does not explicitly indicate, in either its privacy materials or the Virgin Mobile Canada Terms and Conditions of Service, that Virgin users should consult Bell’s materials.
    • Virgin also states in the Virgin Mobile Canada Terms and Conditions of Service that “[w]hen it comes to your preferences for privacy and marketing, ‘Virgin Mobile and its affiliates’ refers to the following companies:
      • Bell Canada
      • Bell Mobility Inc.
      • Bell Aliant Regional Communications Inc.
      • Bell ExpressVu L.P.
      • The Source (Bell) Electronics Inc.
      • Bell Media Inc.
  • (per “What Does “Virgin Mobile And Its Affiliates” Mean?”). However, neither the phrase “Virgin Mobile and its affiliates” nor the term “affiliates” occur elsewhere in the document, so it does not appear that the Virgin Mobile Canada Privacy Policy covers Virgin’s affiliates. In addition, this also does not constitute a clear indication that Virgin users should consult Bell’s materials.
  • Part of the evaluation was how transparent privacy practices are to a carrier’s users. Therefore, Virgin received no credit for provisions and statements in Bell materials since Virgin users would not know to consult Bell’s materials for information relevant to them. Likewise, Bell received no credit for provisions and statements in Virgin materials, since Bell users would not know to consult Virgin’s materials for information relevant to them (if such materials are indeed relevant to Bell users).

1. A public commitment to PIPEDA compliance

Full Star: The carrier explicitly indicates that it complies with PIPEDA, or similar applicable legislation, and provides substantive details of its privacy obligations, including that it only transfers personal information to third parties that provide an equivalent level of protection.

Half Star: The carrier only vaguely states that it operates according to applicable legislation or doesn’t mention third party PIPEDA-equivalent protection.

No Star: The carrier makes no indication that it complies with PIPEDA or substantially equivalent privacy legislation.

Score: Full Star

Explanation:

  • The Bell Privacy Policy explicitly states that it reflects and is subject to the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA).
  • The Bell Privacy Policy also states that it is subject to regulations made under PIPEDA and “any other applicable legislation, regulations, tariffs or agreements”, and that it incorporates the 10 principles of the Canadian Standards Association Model Code for the protection of Personal Information published in 1996 as a National Standard of Canada.
  • Although it does not make explicit reference to third-party PIPEDA-equivalent protection, Bell’s language in Principles 1.3 and 7.2 of the Bell Privacy Policy is sufficient when compared with the language of the PIPEDA principle underlying this criterion (Principle 1 – Accountability) to earn a full star. In fact, Bell should be recognized for doing the best on this criterion: it was the only carrier which specified in detail what would be “stipulat[ed]” in the contractual agreements with third parties used to protect information shared with those parties.

Provisions:

“In March 1996, the new Canadian Standards Association Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 (the “CSA Code”), was published as a National Standard of Canada. In August 2000, the Bell companies revised the Bell Privacy Policy (formerly, the Bell Code of Fair Information Practices), to describe in detail how we subscribe to the principles of the CSA Code and the requirements of the Personal Information Protection and Electronic Documents Act, which came into force in 2001.”

– Bell Privacy Policy (“Introduction”) (Accessed Jan 3, 2015).

“The application of the Bell Privacy Policy is subject to the requirements or provisions of the Personal Information Protection and Electronic Documents Act, the Regulations made there under, and any other applicable legislation, regulations, tariffs or agreements (such as collective agreements), or the order of any court or other lawful request.” – Bell Privacy Policy (“Scope and Application”) (Accessed Jan 3, 2015).

“1.3 The Bell companies are responsible for personal information in their possession or control, including information that has been transferred to a third party for processing. The Bell companies shall use appropriate means to provide a comparable level of protection while information is being processed by a third party (see Principle 7).” – Bell Privacy Policy (Accessed Jan 3, 2015).

“7.2 The Bell companies shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information, the purposes for which it is to be used, limits on the number of persons whose job function requires access to the information, and the physical and procedural security measures required to safeguard that information.” – Bell Privacy Policy (Accessed Jan 3, 2015).

2. A public commitment to inform users of all third party data requests

Full Star: The carrier clearly indicates that it will notify a user when it has received a third party request for the user’s information, unless explicitly prohibited from doing so by law.

Half Star: A carrier does not indicate that it will notify users when it receives requests, however it indicates that users may send an inquiry in order to acquire such information.*

*Note: This criterion was applied generously: carriers who indicated users could learn about disclosures of their information were scored a half star.

No Star: The carrier makes no mention of how users may learn of third party requests for their personal information.

Score: Half Star

Explanation:

  • Bell does not indicate that it notifies users when it receives third party data requests, however it indicates that users may send an inquiry to acquire such information.
  • Bell further notes that, in the event of a request, where it cannot identify organizations to which personal information has been disclosed, it will “provide a list of organizations to which it may have disclosed personal information” (see Principle 9 below).

Provisions:

“Principle 9 - Customer and Employee Access to Personal Information

The Bell companies shall inform a customer or employee of the existence, use and disclosure of his or her personal information upon request and shall give the individual access to that information. A customer or employee shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate....

9.3 Upon request, the Bell companies shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, the Bell companies shall provide a list of organizations to which it may have disclosed personal information about the individual when it is not possible to provide an actual list.”

– Bell Privacy Policy (Accessed Jan 3, 2015). (Note that the Bell Privacy Policy numbers two clauses as 9.3. This is the first of them.)

3. Transparency about frequency of third party requests and disclosures

Full Star: The carrier has published, in an annual or semi-annual report or in some other form, statistics regarding:
  • The number of requests from third parties, broken down by government (law enforcement, etc.), commercial and non-commercial entities.
  • How many requests it complied with.
  • How many accounts the requests applied to.
  • How many disclosures of information there were.

Half Star: The carrier has published SOME information but leaves many important statistics out.

No Star: The carrier has published no information relating to these types of statistics.

Note: This criterion was edited for ease of use and clarity in presentation here. In highlighting the absence of specific important statistics, we may have applied this criterion more strictly than IXmaps. However, we are not aware of any divergence with IXmaps as to the final score awarded to any carrier.

Score: No Star

Explanation:

  • Unlike some other Canadian wireless service providers, Bell has not published a transparency report revealing statistics regarding third party data requests and information disclosure to third parties.

Provisions and other sources:

“BCE Inc. and Shaw Communications Inc. have not released [transparency] reports; nor have they shared plans to do so. BCE, owner of Bell Canada, will say only that it complies with the law; Shaw has not responded to requests for comment.” – Christine Dobby, “Telus joins transparency push by sharing demands for customer info”, The Globe and Mail (18 September 2014), online: The Globe and Mail <http://www.theglobeandmail.com>.[2]

4. Transparency about conditions for third party data disclosures

Full Star:
(1) The carrier explicitly states the circumstances under which personal information will be disclosed to third parties.(2) It must make clear what standard must be met by the third party in order for this disclosure to be made (e.g. whether a warrant is required).(3) It must be clear whether or not a subscriber/user will be notified in the case that his or her information is disclosed to a third party and especially the specific conditions under which such information will be disclosed without consent.Half Star: The carrier refers to some but not all of (1), (2) and (3) or is vague about them.**Note: In order to achieve consistency, this criterion was applied generously: carriers that had some discussion of when disclosure of user information could occur received a half star. A carrier would have had to fail entirely to discuss disclosure to receive no star, which none did. This criterion is likely to be revised and simplified in future years to improve consistent application and permit more meaningful distinctions between carriers.No Star: The carrier fails to indicate any of (1), (2), or (3).Note: Our evaluation of this criterion looked at discussion of disclosure to any third party, including sharing with affiliated companies, while IXmaps focused on disclosure when compelled by law. However, both approaches yielded the same score on this criterion.
Score: Half Star

Explanation:

  • Bell’s privacy materials list a number of circumstances in which personal information may be disclosed to third parties.
  • Principle 3.1 in the Bell Privacy Policy and “Legal and emergency exceptions” in “How does Bell respect my privacy?” give examples of when information may be disclosed without a user’s consent.
  • The privacy materials do not make clear what standard must be met by a third party for disclosure to occur, or make it clear whether users will be notified of disclosures (although it is implied they generally will not be).

Provisions:

“Principle 3 - Obtaining Consent for Collection, Use or Disclosure of Personal Information

The knowledge and consent of a customer or employee are required for the collection, use or disclosure of personal information, except where inappropriate.

3.1 In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. For example, the Bell companies may collect or use personal information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is a minor, seriously ill or mentally incapacitated.

The Bell companies may also collect, use or disclose personal information without knowledge or consent if seeking the consent of the individual might defeat the purpose of collecting the information such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law.

The Bell companies may also use or disclose personal information without knowledge or consent in the case of an emergency where the life, health or security of an individual is threatened.

– Bell Privacy Policy (Accessed Dec 24, 2014).

The Bell companies may disclose personal information without knowledge or consent to a lawyer representing the companies, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required by law.“

– Bell Privacy Policy (Accessed Dec 24, 2014).

“Principle 5 - Limiting Use, Disclosure and Retention of Personal Information

The Bell companies shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. The Bell companies shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.

5.1 In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. (see Principle 3.1)

5.2 In addition, the Bell companies may disclose a customer’s personal information to:

a) another telecommunications company for the efficient and effective provision of telecommunications services;

b) a company involved in supplying the customer with communications or communications directory related services;

c) another person for the development, enhancement, marketing or provision of any of the products or services of the Bell Companies;

d) an agent retained by the Bell companies to evaluate the customer’s creditworthiness or to collect a customer's account;

e) credit grantors and reporting agencies;

f) a person who, in the reasonable judgment of the Bell companies, is seeking the information as an agent of the customer; and

g) a third party or parties, where the customer consents to such disclosure or disclosure is required by law.”

– Bell Privacy Policy (Accessed Dec 24, 2014).

“Principle 2 - Identifying Purposes for Collection of Personal Information

The Bell companies shall identify the purposes for which personal information is collected at or before the time the information is collected.

2.1 The Bell companies collect personal information only for the following purposes:

a) to establish and maintain responsible commercial relations with customers and to provide ongoing service;

b) to understand customer needs and preferences, and determine eligibility for products and services;

c) to recommend particular products & services to meet customer needs;

d) to develop, enhance, market or provide products and services;

e) to manage and develop their business and operations, including personnel and employment matters; and

f) to meet legal and regulatory requirements. …

2.3 Unless required by law, the Bell companies shall not use or disclose, for any new purpose, personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the customer or employee.”

– Bell Privacy Policy (Accessed Dec 24, 2014).

“We collect information to:

  • Establish and maintain a responsible commercial relationship with you. For example, we may collect information to confirm your identity or to establish credit worthiness.
  • Understand your needs and preferences to recommend relevant offers, products, services and bundled discounts on behalf of Bell and its affiliates.
  • Understand who the people are that use our products and services, how they use them, and how we can improve them.
  • Manage and develop Bell's business and operations. For example, we monitor usage volumes in order to plan and provision our communications networks. We also track product sales to determine the success of features, promotions and pricing.
  • Meet legal and regulatory requirements. For example, we may be required to collect information by a court order or to demonstrate compliance with a CRTC requirement.

Your personal information will not be used for any other purpose without your consent.”

– “How does Bell respect my privacy?” (“Your personal information: How and why does Bell collect personal information?”) (Accessed Jan 16, 2015).

“Does Bell share personal client information with outside organizations?

We do not provide personal information to any party outside of the Bell companies except in limited circumstances in which it is necessary for us to do so. These third parties may include:

  • An agent acting on behalf of Bell, such as a company hired to perform installation work on our behalf.
  • Another communications service provider, in order to offer efficient and effective communications services (e.g., to provide mobile service while roaming in another company's coverage area) or as required by law.
  • A collection agency, for the express purpose of the collection of past due bills.

When we provide personal information to third parties, we give only the information that is required under the specific circumstances. That information is used only for the purpose stated and is subject to strict terms of confidentiality. The employees of the companies that we share this information with must meet and respect our privacy standards.”

Directory listing information

Please note that, pursuant to federal legislation, publicly available information, including a directory listing of your name, address and telephone number, may be collected, used and disclosed by organizations without your consent.

If you prefer not to have your listing information provided to select organizations, please contact us.

Sharing information among the Bell companies

Occasionally we may share information between the Bell companies to help understand your information, communication and entertainment needs, and to provide you with relevant information to meet those needs.

Option to opt out

If you don't want your information shared among the Bell companies, please contact us.

Legal and emergency exceptions

It' s important to note that in certain circumstances, we may collect, use or disclose personal information without your knowledge or consent. For example:

  • During the investigation of a breach of an agreement or the breaking of provincial or federal laws.
  • If we' re asked to comply with a subpoena, warrant, court order or other lawful request.
  • If there is an emergency where someone's life, health or security is threatened.

– “How does Bell respect my privacy?” (“Does Bell share personal client information?”) (Accessed Jan 16, 2015).

5. An explicitly inclusive definition of ‘personal information’

Full Star: The carrier explicitly states all forms of data that fall under ‘personal information’. This should include subscribers/users’ IP addresses, IMSI/IMEI numbers, or MAC addresses, as well as their userIDs, meta-data (e.g. who subscriber communicated with, when and where this communication occurred), browser history (pages accessed, date of access, location when accessed), personal account information, credit card information etc.Half Star: The carrier only implicitly states forms of data included in a definition of ‘personal information’, and/or provides a definition which (a) incorporates a closed list of what constitutes personal information that (b) excludes one or more of IP addresses, IMSI/IMSEI numbers, MAC addresses, userIDs, meta-data, browser history, personal account information, or credit card information.No Star: The carrier gives no definition of ‘personal information’.Note: IP addresses, IMSI/IMEI numbers and MAC addresses are all used to identify individual devices connected to the Internet. This information could be used to identify individuals and track their locations. For more information, click here. Score: Half Star

Explanation:

  • Bell provides a definition of “personal information” in the Bell Privacy Policy and in “How does Bell respect my privacy?” which includes some examples.
  • Although the examples are not a closed list, many of the key elements required to do well on this criterion are not included. For example, there is no reference to IP addresses.
  • Although Bell’s definitions are lacking, its inclusion of “service usage such as cellular call records, long distance usage or Internet surfing habits” puts it ahead of other carriers who earned a half star but included only very obvious examples of what constituted personal information, such as name and address.

Provisions:

Personal information - information about an identifiable individual but not aggregated information that cannot be associated with a specific individual.

  • For a customer, such information includes a customer's credit information, billing records, service and equipment records, and any recorded complaints.
  • For an employee, such information includes information found in personal employment files, performance appraisals and medical and benefits information.”

– Bell Privacy Policy (“Definitions”) (Accessed Dec 24, 2014).

“What is “personal” information?

Personal information can include:

  • Your name, address and phone number(s).
  • Other information about the Bell product(s) that you subscribe to, such as calling features or Bell TV programming.
  • Your service usage such as cellular call records, long distance usage or Internet surfing habits.
  • Account information such as the status of your account or your method of payment.”

– “How does Bell respect my privacy?” (“Your personal information”) (Accessed Jan 16, 2015).

6. The normal retention periods for personal information

Full Star: The carrier discloses how long personal information is routinely retained for, specifying retention time periods for each data type.Half Star: The carrier only states the retention period for limited types of information. For example, a company may state that it retains consumers’ browsing history for 2 weeks, but provides no information on call log retention.No Star: The carrier either provides no information on data retention periods OR provides a statement so vague as to not inform the consumer beyond what PIPEDA requires. For instance, “[Our company] shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.” (Example wording is from Bell’s privacy policy.) Score: No Star

Explanation:

  • Bell provides a statement so vague as to not inform the consumer beyond what PIPEDA requires. It merely restates PIPEDA’s Principle 5 - Limiting Use, Disclosure, and Retention.

Provisions:

“5.6 The Bell companies shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a customer or employee, the Bell companies shall retain, for a period of time that is reasonably sufficient to allow for access by the customer or employee, either the actual information or the rationale for making the decision.

5.7 The Bell companies shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased or made anonymous.”

– Bell Privacy Policy (Accessed Dec 24, 2014).

7. Transparency about where personal information is stored and/or processed

Full Star: The carrier clearly indicates the storage and/or processing locations of user’s data and whether data storage and/or processing has been outsourced to a foreign company. This should include whether data may be stored in, or otherwise subject to other jurisdictions, what those jurisdictions are, and what sort of disclosure such data may be subject to.Half Star: The carrier only indicates that there is a possibility that data may be stored and/or processed subject to a foreign jurisdiction. No jurisdiction is noted or details are not provided.No Star: The carrier fails to clearly indicate whether or not data may be stored and/or processed such that it may be subject to a foreign jurisdiction. Score: Half Star

Explanation:

  • Bell only indicates that there is a possibility that personal information may be stored or processed outside Canada and “may therefore be subject to the legal jurisdiction of [other] countries.”
  • Which jurisdictions information may be stored in is not provided, nor are types of disclosure it may be subject to.

Provisions:

“5.3 In some cases personal information collected by the Bell companies may be stored or processed outside of Canada to provide you with service or to support Bell operations, and may therefore be subject to the legal jurisdiction of these countries. The information is provided only after detailed contracts are set out with the companies that provide us with these services. Moreover, the information may only be used for the purposes of providing the services in question. When outsourcing certain functions, the Bell companies strive to minimize the personal information stored or processed outside of Canada. Wherever possible, the Bell Companies anonymize any personal information stored or processed outside Canada, such that the data cannot be associated with identifiable individuals. (See Principle 7 Security Safeguards)” – Bell Privacy Policy (Accessed Dec 24, 2014).

Principle 7 does not directly relate to criterion or refer to the anonymization of data. For complete Principle 7 text, see Appendix A.

“Does Bell store customer information outside of Canada?

In some cases, personal information collected by the Bell companies may be stored and processed outside of Canada to provide you with service or to support Bell operations.

While the information may be subject to the legal jurisdictions of these countries, the companies that provide us with these services have obligations to protect such information. For example, the information is typically provided only after detailed contracts are set out with the companies that provide us with these services. Moreover, the information may only be used for the purposes of providing the services in question.”

– “How does Bell respect my privacy?” (“Your personal information”) (Accessed Jan 16, 2015).

8. Transparency about where personal information is routed

Full Star: The carrier clearly indicates whether Canadians’ personal domestic communication data might be routed through the United States or otherwise subject to foreign jurisdiction while in transit. It clearly indicates the geographical locations where domestic communication is routed and what jurisdictions it is subject to. Similarly, it indicates whether or not communications with third countries is subject to U.S. jurisdiction.Half Star: The carrier is vague about the geographical locations or jurisdictional exposure of personal data routing.No Star: The carrier gives no indication of the geographical locations or jurisdictions where personal data is routed. Score: No Star

Explanation:

  • Bell gives no indication of the geographical locations or jurisdictions through which personal data is routed.

Provisions: None

9. Domestic Canadian routing when possible

Full Star: The carrier clearly states on its privacy pages a policy of domestic Canadian routing when possible, and indicates the concrete measures it takes to achieve this goal. A carrier that verifiably peers openly at all the Canadian IXPs in its service region(s) will also receive a full star. Only Canadian carriers are eligible for a full star, as foreign carriers by definition subject the data they carry to non-Canadian jurisdictions.Half Star: The carrier is vague about its policies for ensuring Canadian routing of domestic traffic and the measures it takes to ensure this. In the absence of a clear policy statement, a carrier (whether Canadian or foreign) that peers openly at some but not all Canadian public IXPs in its operating regions will earn a half star.No Star: The carrier gives no indication of any policy or concrete measures to promote domestic routing when possible, nor does it peer openly at any Canadian public IXPs. Score: No Star

Explanation:

  • Bell gives no indication that it promotes domestic routing where possible.
  • Bell Aliant, Bell’s Atlantic regional carrier, was listed on only one Canadian IXP (TorIX), where it was a conditional peer only.
  • Open peering by Bell at TorIX might have merited a half star, as might conditional peering at a significant number of IXPs. Conditional peering by a regional carrier at one IXP, however, merits no stars.
  • Bell does not peer openly at any Canadian public IXPs as of January 9, 2015. In addition to TorIX (http://www.torix.ca/), the IXPs reviewed were:

Provisions: None

For an explanation of IXPs and open and conditional peering, see the project overview.

10. Open advocacy for user privacy rights

Full Star: The carrier makes clear reference on its privacy pages to its support for user privacy rights via at least one of the following:
  • Involvement in public debates over mass state surveillance;
  • Involvement in privacy or surveillance related legislative initiatives (e.g. the current Bill C-13 on lawful access);
  • Defending user privacy rights in court; or
  • Ties to advocacy organizations or initiatives promoting user privacy rights.

Half Star: The carrier has defended user privacy rights politically, in court or legislatively, but there is no reference to this in its privacy pages.

No Star: There is no readily available public evidence that the carrier has taken a positive pro-privacy position in any of the above areas.

Note: While this criterion was edited for ease of use and clarity in presentation here, we are not aware of any divergence with IXmaps with regard to application.

Score: No Star

Explanation:

  • Bell makes no reference on its privacy pages to public support for user privacy rights.
  • Online searches turned up an article from IT World Canada indicating that Bell made a statement regarding Bill C-30 (the “Protecting Children from Internet Predators Act” that included controversial lawful access provisions and failed to pass in 2012):

“Few service providers want to talk on the record about the law, but BCE Inc.’s Bell Canada issued this statement:

“While we’ll obviously have to study the proposed legislation, our primary concern in this area has always been the capacity of industry to implement any new requirements and who bears the cost. Bell has a long history of working effectively with law enforcement agencies as required under existing legislation. However, it is important that there be a clear justification for any changes to the lawful access framework and that the privacy rights of all Canadians are taken into consideration.””

While Bell is to be commended for speaking on the record when other carriers evidently did not, it was decided that this was not sufficient to grant Bell a half star:

  • First, this is not a strong statement. It describes cost and industry capacity as Bell’s “primary concern”, and, more importantly, does not take a strong position regarding what should be done about privacy concerns. It was decided this did not constitute “defend[ing] user privacy rights politically, in court or legislatively.”
  • Second, well before Bill C-30 was tabled in Parliament, Bell led a working group through which the government and telecommunications companies met frequently regarding the legislation. Again, the primary concern of the group appears to have been the costs of implementing the new legislation, not its privacy implications. The group’s existence and activities were criticized by privacy advocates. Bell was not the only company involved in this group and should not necessarily be singled out for censure. Nonetheless, it is relevant for this criterion as these actions regarding Bill C-30 cut against Bell being awarded a half star for its statement about Bill C-30.
  • Searches also turned up ongoing privacy concerns over Bell’s Relevant Advertising Program:
    • An October 2013 CBC News article details Bell’s plan to launch targeted advertising on the basis of, among other things, GPS location, “app usage, and “calling patterns.”
    • An October 2013 Toronto Star article indicates that the Privacy Commissioner was investigating the targeted advertising program after receiving several complaints. (The results of the investigation – which the commissioner may decide to make public – could not be located.)
    • In early 2014, two consumer groups challenged this program before the Canadian Radio-Telecommunications Commission. (It does not appear any decision has yet been rendered.)
    • However, it should be noted that Bell is adjusting the program in response to concerns. For example, opting-out of the program now means data will not be sorted into ad-relevant categories and retained – originally the case even for those who opted out.
  • A search of legal databases for “Bell privacy” did not turn up any case law where Bell defended user privacy rights in Canadian courts. (In 2014, Bell was a defendant in a civil action arising from breach of PIPEDA. Bell did not dispute the breach, but argued the case on quantum of damages.)

Provisions and Other Sources:

Henry v. Bell Mobility, 2014 FC 555 (available on CanLII): A 2014 civil case against Bell arising from breach of PIPEDA. Bell did not dispute the breach, but argued the case on quantum of damages.

Regarding the Bill C-30 Statement and Working Group:

“Few service providers want to talk on the record about [Bill C-30], but BCE Inc.’s Bell Canada issued this statement:

“While we’ll obviously have to study the proposed legislation, our primary concern in this area has always been the capacity of industry to implement any new requirements and who bears the cost. Bell has a long history of working effectively with law enforcement agencies as required under existing legislation. However, it is important that there be a clear justification for any changes to the lawful access framework and that the privacy rights of all Canadians are taken into consideration.” One area of concern for wireless carriers was additional information outlined in the earlier version of the law that only cellphone companies would have had to hand over to police, said Keith McIntosh, senior director of policy and regulatory affairs for the Canadian Wireless Telecommunications Association (CWTA), which represents most of the wireless carriers in the country.”

– Howard Solomon, “Government unveils new lawful access legislation” IT World Canada (14 February 2012), online: IT World Canada <http://www.itworldcanada.com>[3]

“Public Safety Canada has been in close consultation with telecommunication companies over the logistics of Ottawa's so-called Internet "snoop and spy" legislation – talks that dealt with who will shoulder the costs of pricey "intercept capabilities," and whether it will even be feasible to monitor user behaviour in an increasingly complex "cloud-computing" environment.

The reams of e-mails, meeting and teleconference agendas, obtained by The Globe and Mail through an access to information request, indicate the talks extended more than a year prior to the government tabling its online surveillance bill in February.

Internet providers noted that any costs incurred by extra surveillance infrastructure and the resources to staff it 24/7 – a figure that for some private firms may run into the millions – would likely be passed down to their Canadian customers.”

Anna Mehler Paperny, “Telcos in talks with Ottawa to shape Internet 'spy' bill: documents” The Globe and Mail (29 June 2012), online: The Globe and Mail http://www.theglobeandmail.com[4]

“[I]n the months leading up to the introduction of Bill C-30, Canadian telecom companies formed a secret working group designed to create an open channel for talks between telecom providers and government. Rather than focusing on customer privacy, those meetings included discussions on developing a compensation formula for the costs associated with disclosing subscriber information.”

– Michael Geist, “Shelving Bill C-30 Didn't Save Your Privacy” TheTyee.ca (26 February 2013), online: TheTyee.ca <http://thetyee.ca>[5]

“…In the months leading up to the introduction Bill C-30, Canada’s telecom companies worked actively with government officials to identify key issues and to develop a secret industry-government collaborative forum on lawful access.

The working group includes virtually all the major telecom and cable companies, whose representatives have signed nondisclosure agreements and been granted secret-level security clearance. The group is led by Bell Canada on the industry side and Public Safety for the government.…

The secret working group is designed to create an open channel for discussion between telecom providers and government. As the uproar over Bill C-30 was generating front- page news across the country, Bell reached out to government to indicate that “it was working its way through C-30 with great interest” and expressed desire for a meeting to discuss disclosure of subscriber information. A few weeks later, it sent another request seeking details on equipment obligations to assist in its costing exercises.

Months before the January 2012 meeting, officials worked with the telecom companies to identify many concerns and provide guidance on the government’s intent on Internet surveillance regulations, information that has never been publicly released.…

The close co-operation between the government and telecom providers has created a two-tier approach to Internet surveillance policy, granting privileged access and information for telecom providers. Meanwhile, privacy and civil society groups, opposition MPs and millions of interested Canadians are kept in the dark about the full extent of the government’s plans.”

– Michael Geist, “How Canada’s telecoms quietly backed Internet surveillance bill” The Toronto Star (21 May 2012), online: The Toronto Star http://www.thestar.com[6]

"The close co-operation between the government and telecom providers has created a two-tier approach to Internet surveillance policy, granting privileged access and information for telecom providers. Meanwhile, privacy and civil society groups, opposition MPs and millions of interested Canadians are kept in the dark about the full extent of the government’s plans."

Michael Geist, “How Canada’s telecoms quietly backed Internet surveillance bill” The Toronto Star (21 May 2012), online: <http://www.thestar.com>

“Most shocking of all Bell Canada appears to have started making plans to adhere to Bill C-30 (http://stopspying.ca) provisions that would mandate access to the private data of law-abiding Canadians without a warrant while the bill was only just being tabled in parliament. This also took place while a massive public outcry (http://openmedia.ca/blog/stop-online-spying-hits-100k-canadians-are-insp...) against the costly online spying plan grew across the country.”

– Steve Anderson, “Big Telecom Companies and Government Officials Held Secret Online Spying (C-30) Forum” OpenMedia.ca (22 May 2012), online: OpenMedia.ca <https://openmedia.ca>[7]

Please note: this OpenMedia.ca blog post relies on the Geist “How Canada’s telecoms quietly backed Internet surveillance bill” article in the Toronto Star quoted above.

Regarding Bell’s Relevant Advertising Program:

Note: Bell’s own news release announcing this program (“Bell to deliver online advertising relevant to customers while protecting their data”, 23 October 2013) can be found online at http://www.bce.ca/news-and-media/releases/show/bell-to-deliver-online-advertising-relevant-to-customers-while-protecting-their-data?page=1&month=10&year=2013.

“After receiving several complaints, the federal privacy commissioner’s office is launching an investigation into Bell Canada’s attempt to collect data on users’ TV and web habits and telephone patterns….

The program is designed to deliver “online advertising that’s most relevant to” customers, according to Wade Oosterman, president of Bell Mobility and Residential Services….

“Bell is absolutely committed to our customers’ privacy and we strictly adhered to Canadian privacy laws in developing our initiative,” Oosterman said. “Bell would never identify individual users or release customer-specific data to advertisers or any other third party.”…

Once the investigation is completed, the privacy commissioner’s office may choose to publish its findings if they meet the public interest criterion provided in [PIPEDA]….

Bell’s opt-out policy is drawing concern. Customers can opt out of having their data used for personalized advertising and marketing reports, but critics suggest people should be asked to opt in, rather than offered a chance opt out.

Philippe Viel of the Montreal-based consumer protection group Union des consommateurs said that the only option is to not receive the relevant ads; Bell will still collect that data.”

– Curtis Rush, “Privacy commissioner launches probe into Bell's new data collection” The Toronto Star (23 October 2013), online: The Toronto Star <http://www.thestar.com>[8]

“Bell Canada’s recently announced plan to collect and analyze data from millions of customers is prompting public complaints, warnings from privacy advocates and has caught the attention of both the federal privacy commissioner and the CRTC….

Bell, which boasts close to eight million wireless subscribers, has said that on Nov. 16 it will begin compiling and analyzing GPS location information, which websites customers visit, the apps they use, what they search for online, the TV programs they watch, and their “calling patterns.”…

Bell has said that information collected under the program will be “audience-based” and that individual customer information won't be released to advertisers….

“We’re looking to make online advertising that mobile customers already see more relevant to them. No customer is required to participate – you can opt out at any time,” a company spokesman said in an emailed response [to a CBC inquiry].

“Like any wireless carrier, Bell tracks customer usage information for practical purposes – network optimization and expansion, new services, billing purposes, and other business reasons,” the statement said. “But we never share this information externally. We’re committed to protecting customer privacy, and this initiative is fully compliant with Canadian privacy regulations.””

– Ian Munroe, “Bell data collection part of ‘disturbing trend’”, CBC News (30 October 2013), online: CBC <http://www.cbc.ca>[9]

“The Public Interest Advocacy Centre (PIAC) and the Consumers’ Association of Canada (CAC) today filed an application challenging Bell Canada’s collection, use and disclosure of customer information gathered from its own wireless customers for behavioural and other marketing.

The application, which was filed with the Canadian Radio-television and Telecommunication Commission (CRTC), argues that Bell’s unprecedented collection, use and disclosure of customer information for marketing is contrary to Canadian telecommunications policy – rules intended to protect Canadians’ privacy.

“Bell is trying to ‘double-dip’ by taking your subscription fees and then selling information based on your use of the services you just paid for”, said Bruce Cran, President of CAC. “It’s inappropriate – and asking that Canadians “opt-out” of this program they never asked for is wrong.” [said John Lawford, PIAC’s Executive Director and General Counsel.]”

– “CRTC asked to stop Bell Mobility’s “Relevant Ads” Program”, Public Interest Advocacy Centre (undated), online: Public Interest Advocacy Centre <http://www.piac.ca>.[10]

“[BCE] said it is simply using information it already collects to improve its customers’ experience and will not target individual users but serve ads across “broad audience segments.”

“We followed every guideline that they have,” Wade Oosterman, president of Bell Mobility and residential services, said in an interview in October. “I believe we’re completely on side with any guideline that they’ve published ever and we’re actually doing something that consumers generally are in favour of and want.””

– Christine Dobby, “Public interest groups file CRTC complaint over BCE’s customer tracking policy”, The Financial Post (27 January 2014), online: The Financial Post <http://www.financialpost.com>.[11]

“Bell says in CRTC filings that it tracks browsing activity on mobile devices and filters the traffic into "categories" - allowing it to later show related ads to users that fit those categories.

But the company insists the program does not pass along confidential personal information about its users to advertisers, noting "the advertiser receives only high-level statistics on the number of times their ad was served to the group that fits the characteristics they selected."…

Bell said in a submission published Thursday that it used to continue to categorize browsing activity even after users opted out, the rationale being if they opted back in, the company would have "an accurate reflection of an individual's interests."

Now, it says, it has "changed its opt-out process so that an opt-out will terminate all use of personal information for the RAP [relevant ads program] and the deletion of any browsing, interest and category information from existing profiles."

Bell said the change was made retroactive to cover anyone who had opted out since the beginning of the program.”

– Christine Dobby, “Bell agrees to stop tracking data from users who opt out”, Globe Advisor (18 February 2015), online: Globe Advisor <https://secure.globeadvisor.com>.[12]

Google searches used in seeking public evidence of a pro-privacy position (The most recent search date is given next to each search term. Material up to 5 years old was reviewed.)

“Bell privacy” (December 24, 2014).

Bell privacy (February 24, 2015).

Bell transparency (February 24, 2015).

Bell “personal information” (February 24, 2015).

Bell “customer information” (February 24, 2015).

Bell “subscriber information” (February 24, 2015).

Bell disclosure (February 24, 2015).

Bell “lawful access” (February 24, 2015).

Bell “warrant” (February 24, 2015).

Bell “legal authority” (February 24, 2015).

Bell “Bill C-13” (February 24, 2015).

Searches used in seeking case law where Bell defended user privacy rights in Canadian courts (The most recent search date is given next to each search term. Material up to 5 years old was reviewed.)

Westlaw Canada: “Bell privacy” (December 24 2014).

Quicklaw: “Bell privacy” (January 23, 2015).

CanLii: “Bell privacy” (January 23, 2015).

Note: “Privacy” was added as a search term because of the high volume of results produced by searching “Bell” alone.

Appendix A: Bell Privacy Policy Principle 7

“Principle 7 - Security Safeguards

The Bell companies shall protect personal information by security safeguards appropriate to the sensitivity of the information.7.1 The Bell companies shall protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security measures. The Bell companies shall protect the information regardless of the format in which it is held.

7.2 The Bell companies shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information, the purposes for which it is to be used, limits on the number of persons whose job function requires access to the information, and the physical and procedural security measures required to safeguard that information.

7.3 All employees of the Bell companies with access to personal information shall be required as a condition of employment to respect the confidentiality of personal information.”

Accessed Jan 3 2015. This Principle is referenced by the provisions relevant to Criterion #7 (Transparency about where personal information is stored and/or processed) but does not in fact provide relevant information.

Appendix B: Sources

Bell Privacy Policy

  • Applies to: “the various Bell companies offering communications services including wireless, high-speed internet, satellite and IP television, local and long distance wireline services as well as radio, television and digital media services, and our various retail locations (and any successor company or companies of the above, as a result of corporate reorganization or restructuring). The Bell Privacy Policy also applies to the Ontario and Québec operations of Bell Aliant.” (per “Scope and application”).
    • The Bell Privacy Policy itself does not provide a list of “Bell companies”. However, the Bell Mobility Terms of Service includes a “Bell Commitment to Privacy” which states that “The Bell Privacy Policy applies to the Bell companies offering wireless, Internet, satellite and IP television, TV, local and long distance wireline services as well as radio, television and digital media services and our various retail locations. The Bell companies include Bell Canada, Bell Mobility Inc., the Ontario and Quebec operations of Bell Aliant Regional Communications L.P. , Bell ExpressVu L.P., Virgin Mobile, Solo Mobile, The Source (Bell) Electronics Inc. and Bell Media Inc.” (per “Who and what does the Bell Privacy Policy apply to?”, emphasis added).
  • “The Bell Privacy Policy does not apply to customers that are not individuals, such as corporate customers; however, information collected from such customers is protected by other Bell policies and practices and by applicable contractual terms.” (per “Scope and application”).
  • The dates on which the provisions relied on were accessed are reproduced alongside each provision.

“How does Bell respect my privacy?”

  • This document does not specify its application. However, it states that “The Bell Privacy Policy applies to the Bell companies offering communications services including wireless, Internet, satellite and IP television, TV, local and long distance wireline services as well as radio, television and digital media services and our various retail locations. It also applies to the Ontario and Québec operations of Bell Aliant.” It is thus implied though not stated that “How does Bell respect my privacy?” applies to the same entities, and has the same limitation with regard to corporate customers, as the Bell Privacy Policy.
  • The dates on which the provisions relied on were accessed are reproduced alongside each provision.

News releases on the BCE Inc. website back to 2009: http://www.bce.ca/news-and-media/releases

  • Last consulted February 24, 2015.

News articles and one relevant court case (see Criterion #10 [Open advocacy for user privacy rights]).

[1] Andrew Clement & Jonathan A. Obar, “Keeping Internet Users in the Know or in the Dark: Data Privacy Transparency of Canadian Internet Service Providers” (27 March 2014), online: IXmaps & New Transparency Projects <http://ixmaps.ca/>. The report is available online at <http://ixmaps.ca/transparency/img/DataPrivacyTransparencyofCanadianISPs.....

[2] http://www.theglobeandmail.com/report-on-business/telus-joins-transparen...

[3] http://www.itworldcanada.com/article/government-unveils-new-lawful-acces...

[4] http://www.theglobeandmail.com/technology/tech-news/telcos-in-talks-with...

[5] http://thetyee.ca/Mediacheck/2013/02/26/Shelving-Bill-Did-Not-Save-Privacy/

[6] http://www.thestar.com/business/2012/05/21/how_canadas_telecoms_quietly_...

[7] https://openmedia.ca/blog/big-telecom-companies-and-government-officials...

[8] http://www.thestar.com/business/tech_news/2013/10/23/privacy_commissione...

[9] http://www.cbc.ca/news/technology/bell-data-collection-part-of-disturbin...

[10] http://www.piac.ca/our-specialities/crtc-asked-to-stop-bell-mobilitys-re...

[11] http://business.financialpost.com/2014/01/27/public-interest-groups-file...

[12] https://secure.globeadvisor.com/servlet/ArticleNews/story/gam/20150218/R...