Phone records at risk

I was reading about the practice of online data brokers that sold Canadian and US phone records to individuals/companies. A recent example occurred when Macleans were able to purchase the phone logs online from a U.S. data broker of the Canadian Privacy Commissioner without any questions asked. According to the newspaper report, 'online data brokers have been selling Canadian and U.S. phone records for at least three years, and haven't been shy about advertising the fact. By the count of one American privacy group, there are more than 40 websites like Locatecell vying for your snooping business. But that's not something that anyone in the highly competitive telecom industry has been warning their customers about. Or apparently doing much to stop.'

If this incident had occurred in any country within the EU, the Directive on Privacy and Electronic Communications 2002/58/EC (or national legislation implementing this Directive) would apply which requires consent from individuals before data of this nature can be disclosed. See Art. 6 and Art. 9 on traffic data and location data respectively. In addition, it is arguable that such a disclosure constitutes unfair and unlawful processing under Art. 6 of the Data Protection Directive 95/46/EC - unlawful because it was obtained without the consent of the user and subsequently disclosed to third parties.

On a separate note, there was a paper (pdf) issued on location data issued by the Data Protection Working Party. In addition, see details about wireless location privacy published by the Center for Democracy and Technology.