Apr 232018
 
 April 23, 2018  Posted by  Business, Laws, Non-U.S., U.S.

An interesting thing is playing out in Canada with Rogers Communications (a major Canadian ISP) and Verizon owned Yahoo-Oath services (Email service and chat apps).

Rogers-Yahoo-Oath recently sent out a notice to Rogers subscribers (provided below) which has raised many questions. The situation with Rogers, and only Rogers to my understanding, is currently before the Office of the Privacy Commissioner of Canada. Some of the situation is reported by Christine Dobby of The Globe & Mail, here:

https://www.theglobeandmail.com/business/article-rogers-terms-of-service-asks-e-mail-users-to-share-friends-personal/

Of note is that Rogers-Yahoo-Oath will be scooping up every possible bit of information possible from their subscribers Email. This includes attachments, email content, Address book contacts, email contacts, metadata, IPs, device identifiers, and more.

Part of the issue is that Rogers-Yahoo-Oath put the onus on the email user to collect consent from the people they communicate with for the Rogers-Yahoo-Oath data collection, data sharing, and ad/marketing business.

To be clear, an Email user of Rogers or Yahoo Canada is responsible for obtaining 3rd party consent for Yahoo Canada (and Verizon-Oath USA) to take, scan and use your private email content , attachments, metadata and email contact.

As I was reading this I thought, how is the GDPR applicable in all this, and is it? Do EU citizens have any reasonable expectation of communications privacy when communicating with a Canadian via Yahoo Canada? What about Yahoo USA?

Regardless of what happens to Rogers Communications in Canada, Yahoo Canada and Yahoo US (Oath) will still be doing this. Thus, it doesn’t matter what happens in the end with Rogers, the above scenario of 3rd party consent on your behalf will still play out.

My questions are:

-Do the EU GDPR and the EU ePrivacy Regulation still apply for EU citizens when they communicate with a Canadian?

-Is assumed (implied) 3rd party consent allowed under GDPR without any recording of said consent?

-Can others, such as a 13 year old Canadian child who is collecting no data about you, consent on behalf of Rogers-Yahoo-Oath to collect your EU private and sensitive data?

Below are the links to the terms and the original Email People received from their Rogers-Yahoo Email service.

Rogers

Of interesting note:

What’s interesting about this email is that it conflicts with the Terms of Use. For example, arbitration clauses are not enforceable in Ontario & Quebec. The law and forum provisions state it is New York, yet the Terms of Use state it’s Ontario, Canada. So what people are consenting to in that Email isn’t even correct and conflicts with Rogers-Yahoo other terms.

Additionally, Rogers Communications terms state they will not collect information on children under the age of 16. Yet Yahoo-Oath state they will not collect information on children under the age of 13.

All links applicable that people supposedly read, understood and consented to (and supposedly know the errors in) in the above Email they received:

1. Oath Terms of Service:
https://policies.oath.com/ca/en/rogers/terms/otos/index.html

2. Rogers Yahoo Internet Services Privacy Policy:
https://policies.oath.com/ca/en/rogers/privacy/index.html

3. Verizon Privacy Policy>
https://www.verizon.com/about/privacy/privacy-policy-summary

4. Privacy Controls (Which many complained were not functional):
https://policies.oath.com/ca/en/oath/privacy/controls/index.html

5. Oath FAQ:
https://policies.oath.com/ca/en/oath/privacy/guce/faq/index.html

6. Oath Approach to Privacy & Getting to know you:
https://www.oath.com/my-data/

Other applicable links:

7. Rogers-Yahoo Oath Terms of Service
https://policies.oath.com/ca/en/rogers/terms/otos/index.html

8. Page 10, Section 5d of Rogers ToS (PDF):
https://www.rogers.com/cms/pdf/en/Rogers-Terms-of-Service-Acceptable-Use-Policy-and-Privacy-Policy-en.pdf

9. That section above states this websites terms are applicable to you:
https://policies.oath.com/ca/en/rogers/privacy/index.html

10. If interested to read how upset people are, check the Rogers forum:
http://communityforums.rogers.com/t5/Internet/Change-to-Email-Terms-of-Sevice/m-p/420164

How many pages is all that? Is it reasonable for the average 13 year old kid who is going to get consent on your behalf and actually understand the conflicting and error filled information?

Sorry, the comment form is closed at this time.