Federal (Canada) Privacy Decisions

The complainant alleged that Trans Union disclosed his credit file information to Statistics Canada without consent, and that this information was subsequently used to initiate debt collection efforts against him. The Office of the Privacy Commissioner of Canada (OPC) found that Trans Union was authorized to disclose the information under PIPEDA, as Statistics Canada had requested it under the authority of the Statistics Act. The OPC also found no evidence that Statistics Canada disclosed the complainant's information to other institutions for debt collection purposes.

• Whether Trans Union disclosed personal information without consent contrary to PIPEDA.
• Whether Statistics Canada used disclosed information for debt collection.
• Whether the disclosure was authorized by law under PIPEDA.
• Whether Statistics Canada contravened the Privacy Act in its data collection.

This joint investigation by the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia found that AggregateIQ Data Services Ltd. (AIQ) contravened Canadian privacy laws (PIPEDA and PIPA) in its handling of personal information for political campaigns. AIQ failed to ensure adequate consent for the collection, use, and disclosure of personal information, particularly when sharing data with platforms like Facebook for targeted advertising and analytics. Additionally, AIQ's inadequate security measures led to a data breach involving the personal information of millions of individuals.

• AIQ's collection, use, and disclosure of personal information for political campaigns.
• AIQ's compliance with consent requirements for personal information.
• AIQ's implementation of reasonable security measures to protect personal information.
• Cross-jurisdictional data handling and privacy obligations.

This investigation examined Loblaw's practices in its gift card program, which was established to compensate customers affected by a bread price-fixing scandal. The complainant argued Loblaw collected more personal information than necessary and was concerned about data transfers to the United States. The OPC found that while Loblaw initially collected more information than needed by requesting full identification documents, they subsequently clarified their requirements, resolving this issue. The OPC also found Loblaw's measures to protect personal information transferred to a third-party administrator in the US were sufficient and that Loblaw was transparent about cross-border data transfers.

• Collection of personal information beyond what is necessary for the stated purpose.
• Adequacy of safeguards for personal information transferred to a third-party processor in the United States.
• Sufficiency of transparency regarding cross-border data transfers.
• Requirement for additional consent for cross-border data transfers.

This joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) examined Facebook's compliance with privacy laws concerning the disclosure of user data to third-party apps, specifically the "thisisyourdigitallife" (TYDL) app. The investigation found that Facebook failed to obtain valid and meaningful consent from users whose information was disclosed, had inadequate safeguards to protect user data, and lacked accountability for the information under its control. These failures are particularly concerning given similar findings by the OPC in a 2009 investigation, indicating a lack of substantive improvement in Facebook's privacy practices.

• Meaningful consent from installing users
• Meaningful consent from affected users (friends of installing users)
• Adequacy of safeguards to protect user data from third-party apps
• Facebook's accountability for user data

The Office of the Privacy Commissioner of Canada (OPC) investigated Equifax Inc. and Equifax Canada Co. following a 2017 data breach that compromised the personal information of approximately 19,000 Canadians. The OPC found that both Equifax Inc. and Equifax Canada contravened PIPEDA concerning inadequate safeguards, data retention, accountability, and consent for the disclosure of personal information. The investigation also found Equifax Canada's post-breach safeguards to be inadequate for protecting affected Canadians. Equifax Canada has committed to corrective measures, and the matters are conditionally resolved.

• Adequacy of security safeguards for Canadian personal information held by Equifax Inc.
• Equifax Inc.'s data retention and destruction practices for Canadian personal information.
• Equifax Canada's accountability for Canadian personal information handled by Equifax Inc.
• Adequacy of consent obtained for the collection and disclosure of Canadian personal information to Equifax Inc.
• Adequacy of safeguards and post-breach measures for Canadian personal information held by Equifax Canada.

The complainant alleged that Grey House Publishing Canada (Grey House) collected, used, and disclosed his personal information without his knowledge or consent. Grey House collected the complainant's contact information from a non-profit association's webpage and included it in its print directory and database. Grey House then sold an email distribution list containing this information to Economic and Social Development Canada (ESDC), which used it to send emails promoting a federal program. The OPC found that Grey House contravened PIPEDA by collecting and using the complainant's personal information without adequate consent, as the information was not considered business contact information and did not fall under the exceptions for publicly available information. The OPC also found that Grey House contravened PIPEDA's openness principle by having an inadequate privacy statement.

• Whether the complainant's contact information constituted personal information or business contact information under PIPEDA
• Whether Grey House was conducting commercial activity under PIPEDA
• Whether Grey House obtained adequate consent to collect and use the complainant's personal information
• Whether Grey House's privacy statement adequately reflected its practices

The Office of the Privacy Commissioner of Canada (OPC) investigated 411Numbers, a website operator that provided free access to telephone numbers and associated information. A complainant alleged that 411Numbers collected, used, and disclosed his personal information without consent, used it for an inappropriate purpose (paid removal service), over-collected information for removal services, and was unresponsive to privacy concerns. The OPC found that 411Numbers contravened PIPEDA by publishing unlisted telephone numbers without consent, and that its previous practice of requiring extensive identification for removal services was an over-collection. The paid removal service was also deemed inappropriate. However, 411Numbers has since ceased its paid removal service and implemented new practices for information removal and data collection.

• Jurisdiction over a non-Canadian company with a real and substantial connection to Canada
• Collection, use, and disclosure of unlisted telephone numbers without consent
• Appropriateness of using personal information for a paid removal service
• Over-collection of personal information for identity verification during removal requests