Federal (Canada) Privacy Decisions

The complainant requested information regarding legal fees for a specific litigation file from the Department of Justice Canada. The Department withheld expense details and disbursements under section 23 (legal advice and litigation privilege), citing solicitor-client privilege and a presumption of privilege for legal bills. The Information Commissioner found that while disbursements are generally presumed privileged, this presumption was rebutted in this case. The Commissioner concluded that the information was not subject to privilege as there was no reasonable possibility that it could be used to deduce protected communications, and recommended its disclosure. The Department of Justice Canada agreed to implement this recommendation.

• Whether section 23 (legal advice and litigation privilege) of the ATIA applied to the withheld expense details and disbursements.
• Whether the presumption of privilege for legal bills, as established in Maranda v. Richer, was rebutted.
• Whether the withheld information could be used by an assiduous inquirer to deduce privileged communications.

The complainant alleged that Public Safety Canada refused to process an access request for records related to various keywords. Public Safety argued parts of the request did not meet the Act's requirements and processing it would be overly burdensome. The Commissioner found the complaint well-founded, agreeing that some parts of the request were too vague but that Public Safety improperly refused to process the parts that did meet the criteria. Public Safety Canada committed to processing 5,000 pages per year of the relevant records.

• Adequacy of the request details under section 6 of the ATIA
• Institution's obligation to process requests in parts
• Institution's duty to assist requesters
• Timely processing of large volumes of records

The complainant alleged that the Royal Canadian Mounted Police (RCMP) improperly withheld information under subsection 19(1) of the Access to Information Act related to a follow-up investigation concerning a Code of Conduct decision against the complainant. The RCMP initially withheld information, but later released some of it, conceding it was not personal information. However, they continued to withhold other information under subsection 19(1). The OIC concluded that the remaining withheld information was indeed personal information concerning another individual and did not meet the exceptions in subsection 19(2), therefore the complaint was well founded.

• Application of subsection 19(1) (personal information) of the ATIA
• Whether withheld information constituted personal information of another individual
• Whether the exceptions in subsection 19(2) of the ATIA applied

The Office of the Privacy Commissioner of Canada (OPC) investigated a short-term lender, CashHere, after receiving an alert that it was collecting clients' online banking credentials (usernames, passwords, security questions and answers) as part of its payday loan application process. The OPC found that while the lender had a legitimate need to verify identity and income, collecting these highly sensitive credentials was not a purpose that a reasonable person would consider appropriate due to the significant privacy risks and the availability of less invasive alternatives. The investigation also uncovered a related entity, MoneyHome, engaging in similar practices.

• Appropriateness of collecting online banking credentials for loan applications
• Proportionality of privacy harms versus lender benefits
• Availability of less privacy-invasive means to verify identity and income
• Potential link between CashHere and MoneyHome

The Office of the Information Commissioner (OIC) received nine complaints concerning Global Affairs Canada's failure to meet deadlines or take unreasonable time extensions in responding to access requests. In four cases, the institution cited the COVID-19 pandemic as a significant factor. Global Affairs committed to finalizing all nine requests by October 15, 2021. The OIC found all nine complaints to be well founded.

• Timeliness of response to access to information requests
• Impact of COVID-19 on institution's ability to process requests
• Reasonableness of time extensions

A joint investigation by Canadian privacy authorities found that Clearview AI, Inc. contravened PIPEDA and provincial privacy laws by collecting, using, and disclosing personal information without consent and for inappropriate purposes. Clearview's facial recognition tool scraped billions of images from the internet to create biometric facial arrays, which were then provided to law enforcement and other clients. The authorities concluded that Clearview's mass collection and use of sensitive biometric data was not for an appropriate purpose, nor was it obtained with the requisite consent.

• Whether Clearview obtained requisite consent for the collection, use, and disclosure of personal information.
• Whether Clearview collected, used, and disclosed personal information for an appropriate purpose.
• Whether Clearview satisfied its biometric obligations in Quebec.
• Whether Canadian privacy authorities had jurisdiction over Clearview's activities.