Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

2 decisions matching

Jurisdiction

Federal (Canada)Ontario British Columbia Alberta Saskatchewan Manitoba Quebec Nova Scotia New Brunswick Prince Edward Island Newfoundland and Labrador

Federal (Canada)Personal Information Protection and Electronic Documents ActResolved

Dec 27, 2017PIPEDA findings #2017-010· Indexed Apr 12, 2026

PIPEDA findings #2017-010: Reasons for retaining customer credit card data explained

A retail store

A complainant objected to a retail store retaining records of her credit card transactions after she requested their deletion. The store initially cited contractual obligations to credit card companies, but later informed the OPC that the Excise Tax Act also legally required data retention. The OPC relayed this explanation to the complainant, who found it satisfactory, and the matter was resolved.

Official ↗

Federal (Canada)Personal Information Protection and Electronic Documents ActResolved

Apr 26, 2017Incident case summary #2017-001· Indexed Apr 12, 2026

Incident case summary #2017-001: Multiple breach incidents as a result of password reuse

Office of the Privacy Commissioner of Canada

This report details three incidents in 2017 where Canadian organizations experienced data breaches due to password reuse by their customers. In each case, attackers used login credentials obtained from unrelated breaches to access customer accounts. The Office of the Privacy Commissioner of Canada found the organizations' responses to be appropriate, including actions like password resets, enhanced security measures, and customer notifications, and encouraged other organizations to adopt similar preventative strategies.

Official ↗

Outcome Notes

Federal rulings come from two regulators with different statutory authority — outcome filters cover both.

OIC Order (ATIA s.36.1, binding) — Since June 2019 (Bill C-58) the Information Commissioner can issue binding orders requiring disclosure or reconsideration. Enforceable after 31/41 business days unless reviewed by the Federal Court (s.41).

Well-Founded — finding that the complaint is well-founded. For OIC: ATIA s.37(1)(a) finding (may be paired with a s.36.1 order). For OPC: Privacy Act s.35(1) / PIPEDA s.13(1) advisory finding — recommendations only, no binding order-making power.

Not Well-Founded — no contravention found.

s.6.1 Application— the OIC's response to a head's application for authorization to refuse a frivolous, vexatious, or bad-faith access request. Granted = institution may refuse; Denied = institution must respond.

Settled / Resolved / Early-resolved — OPC matter resolved during or before formal findings without a contravention finding.

Declined to investigate / No jurisdiction — Procedural close (Privacy Act s.34, PIPEDA discretion, or scope outside the Acts).

References: ATIA s.36.1 · OPC disposition definitions

About This Archive

Breach of Privacy archives Canadian privacy decisions from federal, provincial, and territorial commissioners. Each decision includes an AI-generated plain-language summary. Always verify against the official source document.

Federal (Canada) Privacy Decisions

PIPEDA findings #2017-010: Reasons for retaining customer credit card data explained

Quick View

PIPEDA findings #2017-010: Reasons for retaining customer credit card data explained

Incident case summary #2017-001: Multiple breach incidents as a result of password reuse

Quick View

Incident case summary #2017-001: Multiple breach incidents as a result of password reuse

Filters