An interesting thing is playing out in Canada with Rogers Communications (a major Canadian ISP) and Verizon owned Yahoo-Oath services (Email service and chat apps).
Rogers-Yahoo-Oath recently sent out a notice to Rogers subscribers (provided below) which has raised many questions. The situation with Rogers, and only Rogers to my understanding, is currently before the Office of the Privacy Commissioner of Canada. Some of the situation is reported by Christine Dobby of The Globe & Mail, here:
Of note is that Rogers-Yahoo-Oath will be scooping up every possible bit of information possible from their subscribers Email. This includes attachments, email content, Address book contacts, email contacts, metadata, IPs, device identifiers, and more.
Part of the issue is that Rogers-Yahoo-Oath put the onus on the email user to collect consent from the people they communicate with for the Rogers-Yahoo-Oath data collection, data sharing, and ad/marketing business.
To be clear, an Email user of Rogers or Yahoo Canada is responsible for obtaining 3rd party consent for Yahoo Canada (and Verizon-Oath USA) to take, scan and use your private email content , attachments, metadata and email contact.
As I was reading this I thought, how is the GDPR applicable in all this, and is it? Do EU citizens have any reasonable expectation of communications privacy when communicating with a Canadian via Yahoo Canada? What about Yahoo USA?
Regardless of what happens to Rogers Communications in Canada, Yahoo Canada and Yahoo US (Oath) will still be doing this. Thus, it doesn’t matter what happens in the end with Rogers, the above scenario of 3rd party consent on your behalf will still play out.
My questions are:
-Do the EU GDPR and the EU ePrivacy Regulation still apply for EU citizens when they communicate with a Canadian?
-Is assumed (implied) 3rd party consent allowed under GDPR without any recording of said consent?
-Can others, such as a 13 year old Canadian child who is collecting no data about you, consent on behalf of Rogers-Yahoo-Oath to collect your EU private and sensitive data?
Below are the links to the terms and the original Email People received from their Rogers-Yahoo Email service.
Of interesting note:
Additionally, Rogers Communications terms state they will not collect information on children under the age of 16. Yet Yahoo-Oath state they will not collect information on children under the age of 13.
All links applicable that people supposedly read, understood and consented to (and supposedly know the errors in) in the above Email they received:
1. Oath Terms of Service:
4. Privacy Controls (Which many complained were not functional):
5. Oath FAQ:
6. Oath Approach to Privacy & Getting to know you:
Other applicable links:
7. Rogers-Yahoo Oath Terms of Service
8. Page 10, Section 5d of Rogers ToS (PDF):
9. That section above states this websites terms are applicable to you:
10. If interested to read how upset people are, check the Rogers forum:
How many pages is all that? Is it reasonable for the average 13 year old kid who is going to get consent on your behalf and actually understand the conflicting and error filled information?