Federal (Canada) Privacy Decisions

A joint investigation by the OPC and three provincial privacy authorities found that Tim Hortons collected granular location data from users of its mobile app without an appropriate purpose and without valid consent. The company tracked users' locations even when the app was closed, inferring details like home and work locations, ostensibly for targeted advertising, but ultimately did not use the data for this stated purpose. The investigation also raised concerns about contractual protections with a third-party vendor and Tim Hortons' overall accountability.

• Collection and use of granular location data for an appropriate purpose
• Obtaining valid consent for location data collection
• Adequacy of contractual protections for data processed by third parties
• Tim Hortons' accountability for privacy practices

This investigation concerned MGM Resorts International's handling of a 2019 data breach that affected millions of guests, including nearly two million Canadians. The OPC initiated a complaint after media reports indicated a breach and MGM had not reported it. The investigation found that MGM failed to promptly assess the risk of significant harm (RROSH) posed by the breach and did not report it to the OPC or notify affected Canadians as soon as feasible. MGM has committed to updating its privacy breach response framework to ensure timely RROSH assessments and reporting.

• Whether the personal information involved in the breach posed a real risk of significant harm (RROSH) to affected Canadians.
• Whether MGM adequately assessed the RROSH.
• Whether MGM reported the breach to the OPC and notified affected Canadians as soon as feasible.
• Whether MGM's delay in assessing the breach and notifying Canadians contravened PIPEDA's mandatory breach reporting obligations.

The Department of National Defence (DND) disclosed the identity of a workplace violence (WPV) complainant and the investigation report to a second investigator, who was conducting a separate administrative investigation into the complainant's conduct. The OPC found that while disclosing the report to labour relations was a consistent use, disclosing it to the second investigator was not, as it was not a reasonably expected use of the information given the confidentiality assurances provided to the complainant. This disclosure was therefore found to be a contravention of the Privacy Act.

• Was the disclosure of the WPV complainant's identity and report to a second investigator a 'consistent use' under paragraph 8(2)(a) of the Privacy Act?
• Did DND's consent form clearly communicate potential uses and disclosures of the complainant's identity?
• Did the disclosure align with the reasonable expectations of the complainant regarding confidentiality?
• What corrective actions are necessary to ensure future compliance with privacy principles in WPV investigations?

The Office of the Privacy Commissioner of Canada investigated a complaint that Rogers Communications Inc. improperly enrolled a customer in its voiceprint authentication program, Voice ID, without her consent. The OPC found that while the purpose of the program was appropriate, Rogers failed to obtain valid and meaningful consent for the collection and use of voiceprints, which are considered sensitive biometric information. Rogers also did not provide a clear opt-out mechanism and improperly retained voiceprints. Rogers committed to significant changes to its program, leading the OPC to find the consent and retention issues well-founded and conditionally resolved.

• Appropriate purpose for collecting voiceprints
• Obtaining valid and meaningful consent for voiceprints
• Adequacy of opt-out mechanisms
• Retention of voiceprints after opt-out

The Office of the Privacy Commissioner of Canada investigated the RCMP's collection of personal information from Clearview AI, a company that scraped billions of images from the internet for facial recognition. The OPC found that the RCMP contravened the Privacy Act by collecting this information, as Clearview had collected it unlawfully. While the RCMP disagreed with this finding, it agreed to implement the OPC's recommendations to improve its policies and systems for tracking and assessing novel collections of personal information.

• Whether the RCMP's collection of personal information from Clearview AI related directly to an operating program or activity of the institution.
• Whether the RCMP had adequate controls in place to prevent future contraventions of the Privacy Act.
• The lawfulness of Clearview AI's data collection practices.
• The adequacy of the RCMP's assessment of privacy risks associated with new technologies.

This report follows up on an earlier investigation into Statistics Canada's Financial Transactions Project and Credit Agency Data Project. While the initial investigation found no contraventions, it raised significant privacy concerns. This compliance monitoring report assesses whether Statistics Canada’s redesigned projects adequately incorporate the principles of necessity and proportionality. Although Statistics Canada has made progress in reducing the scope of data collection and implementing privacy-enhancing measures, the report concludes that the project plans still fall short in adequately describing public goals, demonstrating effectiveness, and analyzing privacy impacts.

• Adequacy of public goal descriptions for necessity and proportionality assessment.
• Demonstration of project effectiveness.
• Sufficiency of privacy impact analysis, including risk of harm.
• Alignment of Statistics Canada's necessity and proportionality framework with OPC criteria.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding a charitable organization's donor list trading program. The OPC found that the charity required express opt-in consent, not opt-out, for sharing donor contact information, as this practice fell outside donors' reasonable expectations. The OPC also determined that the information provided to donors was insufficient to ensure meaningful consent, lacking details about what information would be shared with whom and for what purpose. The charity agreed to implement recommendations to obtain opt-in consent and provide clearer information.

• Requirement for opt-in versus opt-out consent for donor list trading.
• Sufficiency of information provided to donors for meaningful consent.
• Application of the 'reasonable expectations' principle under PIPEDA.
• Compliance with PIPEDA's requirements for consent for information sharing.

This investigation concerned a complaint that Fido Solutions Inc. failed to safeguard a customer's personal information, allowing fraudsters to access and alter account details. It was found that Fido's customer service representatives repeatedly failed to follow authentication protocols, leading to unauthorized access. Additionally, the complaint alleged Fido failed to provide a requested transcript in an understandable format. Fido has committed to implementing enhanced safeguards regarding authentication protocols and has since provided the requested transcripts.

• Adequacy of safeguards to protect customer personal information from unauthorized access.
• Effectiveness of authentication protocols and employee adherence.
• Proper response to customer requests for access to personal information.
• Provision of personal information in a generally understandable format.

The Office of the Privacy Commissioner of Canada (OPC) investigated CoreFour Inc. concerning its compliance with PIPEDA regarding its learning management system, Edsby. The OPC found that CoreFour's safeguards were not adequate due to vulnerabilities in password requirements and protection of student profile pictures, and a lack of an overarching information security framework. The OPC also found that CoreFour lacked a robust accountability framework, including written policies and adequate privacy training. However, the OPC found CoreFour to be in compliance with its breach reporting and notification obligations. CoreFour has accepted the recommendations and is implementing corrective measures.

• Adequacy of safeguards for personal information
• Breach reporting and notification obligations
• Accountability for privacy compliance
• Development of privacy management and information security frameworks

This investigation concerned Yahoo! Canada's "Stay signed in" feature for its email service, which defaulted to keeping users logged in. The OPC found this practice posed significant privacy risks, especially on public or shared computers, as emails can contain highly sensitive personal information. Yahoo was found to have inadequate safeguards and failed to obtain meaningful consent for the disclosure of personal information that could result from this default setting. Yahoo committed to changing the feature to an opt-in basis and providing clearer warnings to users.

• Adequacy of safeguards against unauthorized access to sensitive email content.
• Whether "Stay signed in" default setting constitutes meaningful consent for disclosure of personal information.
• Clarity and prominence of privacy warnings associated with the "Stay signed in" feature.

This investigation examined Desjardins' compliance with PIPEDA following a significant data breach that occurred between 2017 and 2019, affecting nearly 9.7 million individuals. The Office of the Privacy Commissioner of Canada (OPC) found that Desjardins contravened PIPEDA principles regarding accountability, data retention, and security safeguards. While Desjardins' mitigation measures for affected individuals were deemed adequate, the OPC issued recommendations to address the identified contraventions.

• Adequacy of security safeguards throughout the personal information lifecycle.
• Compliance with accountability principles, including implementing procedures and training staff.
• Appropriateness of data retention and destruction practices.
• Effectiveness of mitigation measures offered to individuals affected by the breach.

This report details a review of passport protection practices by four federal institutions: IRCC, ESDC, GAC, and CPC. While the institutions generally had reasonable measures to prevent unauthorized passport disclosures, the review identified areas for improvement in incident detection, remediation for affected individuals, and learning from past breaches. The institutions agreed to implement the OPC's recommendations to enhance these processes.

• Adequacy of measures to prevent unauthorized disclosure of passports
• Effectiveness of incident detection mechanisms
• Sufficiency of remediation measures for affected individuals
• Processes for learning from past passport breach incidents

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against CATSA concerning its practice of notifying police when cannabis was found in a traveller's possession. The OPC found that CATSA's collection and disclosure of personal information for this purpose contravened sections 4 and 8 of the Privacy Act, as its mandate is focused on aviation security, not general law enforcement. While CATSA agreed to cease collecting and disclosing such information when the cannabis possession is not clearly illegal, the record-keeping aspect of the complaint was found not well-founded.

• Whether CATSA's collection of personal information from travellers possessing cannabis was consistent with its mandate under the Privacy Act.
• Whether CATSA's disclosure of personal information to police regarding cannabis possession was consistent with the Privacy Act.
• Whether CATSA's record retention practices for this information complied with the Privacy Act.

Three individuals complained that the RCMP used non-conviction information in vulnerable sector (VS) checks without their informed consent. The OPC found that the RCMP contravened the Privacy Act in two of the three cases because the consent forms did not clearly explain what types of non-conviction information would be reported. The OPC also determined that the RCMP's policy of broadly reporting non-conviction information, including mental health incidents, was not proportional or minimally intrusive. The RCMP agreed to revise its consent forms and policies.

• Adequacy of informed consent for the use of non-conviction information in vulnerable sector checks.
• Proportionality and minimal intrusiveness of reporting non-conviction information, including mental health incidents, in vulnerable sector checks.
• Compliance with record retention requirements under the Privacy Act.
• Consistency of RCMP policies and practices across different provinces.

A dentist complained that RateMDs.com, a health practitioner rating website, used her personal information without consent and for lucrative purposes. The Office of the Privacy Commissioner of Canada (OPC) found that the dentist's business contact information was publicly available and did not require consent. However, the OPC found that RateMDs.com engaged in an inappropriate practice by charging a subscription fee for a service that allowed users to hide certain reviews, contravening PIPEDA's purpose provisions. RateMDs.com agreed to cease this practice, leading to a conditionally resolved outcome for that issue. The OPC also found RateMDs.com resolved issues related to openness regarding its policies on correcting inaccurate information.

• Consent for the collection, use, and disclosure of personal information.
• The appropriateness of using personal information for a business model.
• Transparency and openness regarding policies for correcting inaccurate information.
• The balance between privacy rights and public interest in online reviews.