Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

5 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Dec 14, 2020 · PIPEDA Findings #2020-005 · Indexed Apr 12, 2026

PIPEDA Findings #2020-005: Investigation into Desjardins’ compliance with PIPEDA following a breach of personal information between 2017 and 2019

Desjardins

This investigation examined Desjardins' compliance with PIPEDA following a significant data breach that occurred between 2017 and 2019, affecting nearly 9.7 million individuals. The Office of the Privacy Commissioner of Canada (OPC) found that Desjardins contravened PIPEDA principles regarding accountability, data retention, and security safeguards. While Desjardins' mitigation measures for affected individuals were deemed adequate, the OPC issued recommendations to address the identified contraventions.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of security safeguards throughout the personal information lifecycle.
  • Compliance with accountability principles, including implementing procedures and training staff.
  • Appropriateness of data retention and destruction practices.
  • Effectiveness of mitigation measures offered to individuals affected by the breach.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Oct 28, 2020 · PIPEDA Findings #2020-004 · Indexed Apr 12, 2026

PIPEDA Findings #2020-004: Joint investigation of the Cadillac Fairview Corporation Limited by the Privacy Commissioner of Canada, the Information and Privacy Commissioner of Alberta, and the Information and Privacy Commissioner for British Columbia

The Cadillac Fairview Corporation Limited

This joint investigation by the federal, Alberta, and British Columbia privacy commissioners examined Cadillac Fairview's (CFCL) use of Anonymous Video Analytics (AVA) in mall directories and mobile device geolocation tracking. CFCL collected and used personal biometric information via AVA without valid consent, and improperly retained this data. While CFCL stated it had ceased using AVA, it disagreed with the findings and refused to commit to express opt-in consent for future use. Regarding geolocation, CFCL's "Anonymous Shopper Journey" did not collect personal information, and while its "Logged In Shopper Journey" collected personal information, it did not combine it with geolocation data as initially suspected. Therefore, the geolocation aspect was found not well-founded.

Adjudicator: Daniel Therrien

Key Issues
  • Collection, use, and disclosure of personal information via AVA technology
  • Adequacy of consent and notice for AVA technology
  • Appropriate retention of personal information collected via AVA
  • Collection, use, and disclosure of personal information via geolocation tracking

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Aug 4, 2020 · PIPEDA Findings #2020-001 · Indexed Apr 12, 2026

PIPEDA Findings #2020-001: Bank ensures openness and comparable protection for personal information transferred to third party

TD Canada Trust

A former employee of TD Canada Trust (TD) complained that TD had outsourced fraud claims processing to a third-party provider in India without customer consent or an opt-out option. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that TD was not required to obtain additional consent as the personal information was used for the original purpose of fraud claims management. The OPC also found TD was sufficiently open about its outsourcing practices and remained accountable by ensuring comparable protection through contractual and monitoring measures.

Adjudicator: Daniel Therrien

Key Issues
  • Requirement for consent to transfer personal information to a third-party processor for the same purpose
  • Sufficiency of openness regarding outsourcing of personal information to foreign jurisdictions
  • Accountability for personal information transferred to a third-party processor and ensuring comparable protection

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jul 9, 2020 · PIPEDA Findings #2020-003 · Indexed Apr 12, 2026

PIPEDA Findings #2020-003: Dell improves security and complaint handling practices following breaches and OPC Investigation

Dell Inc.

Following complaints from two customers who were victims of tech support scams, the OPC investigated Dell's security safeguards and complaint handling practices. Dell discovered that two employees of its service provider in India had sold customer information on two separate occasions, leading to personal information breaches affecting thousands of Canadians. The OPC found that Dell's safeguards, including access controls and breach investigation procedures, were insufficient given the sensitivity of the data and the risk environment.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of security safeguards for personal information transferred to a service provider
  • Effectiveness of access controls and monitoring for preventing insider theft of data
  • Sufficiency of investigation into customer complaints alleging privacy breaches
  • Appropriateness of breach notification and response

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jun 30, 2020 · PIPEDA Findings #2020-002 · Indexed Apr 12, 2026

PIPEDA Findings #2020-002: Health practitioner ratings site ceases charging for rating takedowns, a PIPEDA “no-go-zone”

RateMDs.com

A dentist complained that RateMDs.com, a health practitioner rating website, used her personal information without consent and for profit. The Office of the Privacy Commissioner of Canada (OPC) found that the dentist's business contact information was publicly available and did not require consent. However, the OPC found that RateMDs.com engaged in an inappropriate practice by charging a subscription fee for a service that allowed users to hide certain reviews, contravening PIPEDA's purpose provisions. RateMDs.com agreed to cease this practice, leading to a conditionally resolved outcome for that issue. The OPC also found that RateMDs.com had resolved issues related to openness regarding its policies on correcting inaccurate information.

Adjudicator: Daniel Therrien

Key Issues
  • Consent for the collection, use, and disclosure of personal information.
  • The appropriateness of using personal information for a business model.
  • Transparency and openness regarding policies for correcting inaccurate information.
  • The balance between privacy rights and public interest in online reviews.