Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

5 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & unresolved
May 6, 2026 · PIPEDA Findings #2026-002 · Indexed May 6, 2026

PIPEDA Findings #2026-002: Joint Investigation of OpenAI OpCo, LLC

OpenAI OpCo, LLC

This joint investigation by privacy authorities across Canada found that OpenAI contravened privacy laws in its collection, use, and disclosure of personal information through its ChatGPT models GPT-3.5 and GPT-4. Specifically, the investigation found that OpenAI's collection of personal information from publicly accessible websites for training purposes was overbroad and inappropriate. The company also failed to obtain valid consent and be sufficiently transparent about its data practices. While OpenAI has since implemented new mitigation measures and committed to further improvements, some provincial authorities found the new measures insufficient to meet their specific legislative requirements.

Adjudicator: Philippe Dufresne

Key Issues
  • Appropriateness of purpose for data collection and use
  • Validity of consent and transparency obligations
  • Accuracy of generated information
  • Individual rights to access, correction, and deletion

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Discontinued
Mar 25, 2026 · Indexed May 6, 2026

Compliance Letter to the Office of the Privacy Commissioner of Canada (“OPC”) By Nova Scotia Power

Nova Scotia Power

This compliance letter concerns a privacy breach at Nova Scotia Power that began around March 19, 2025. A malware attack allowed a threat actor to access and exfiltrate sensitive customer information, including names, contact details, financial information, and SINs, affecting approximately 375,000 current and 540,000 former customers. Nova Scotia Power has committed to specific actions, including deleting customer SINs and undergoing an external security assessment, to address the breach. Upon the Commissioner's satisfaction with these commitments, the investigation will be discontinued.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of security safeguards following a significant data breach.
  • Timeliness and method of notification to affected individuals.
  • Collection and retention of Social Insurance Numbers (SINs).
  • Breach response and remediation efforts.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Discontinued
Mar 17, 2026 · Indexed May 6, 2026

Compliance agreement between the Privacy Commissioner of Canada and the World Anti-Doping Agency

World Anti-Doping Agency

This case involves a compliance agreement between the Privacy Commissioner of Canada and the World Anti-Doping Agency (WADA) concerning WADA's collection, use, and disclosure of athletes' personal information through its Anti-Doping Administration and Management System (ADAMS). Following a complaint and an investigation, WADA agreed to implement remedial measures to ensure personal information in ADAMS is used solely for anti-doping purposes. The agreement resolves the Commissioner's investigation, with the understanding that WADA does not admit contravention of PIPEDA and preserves its jurisdictional defenses. The investigation will be discontinued upon WADA's satisfactory completion of the agreed-upon measures.

Adjudicator: Philippe Dufresne

Key Issues
  • WADA's jurisdiction under PIPEDA for its interprovincial or international activities
  • WADA's practices regarding the collection, use, and disclosure of athletes' personal information in ADAMS
  • Ensuring ADOs use personal information in ADAMS strictly for anti-doping purposes
  • Compliance with privacy obligations concerning sensitive personal information

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 5, 2026 · PIPEDA Findings #2026-001 · Indexed Apr 12, 2026

PIPEDA Findings #2026-001: Investigation into the personal information retention practices of Loblaw for the PC Optimum Loyalty Program

Loblaw Companies Ltd.

The OPC investigated Loblaw Companies Ltd. regarding complaints about the deletion of PC Optimum Loyalty Program accounts. The investigation found Loblaw contravened PIPEDA by taking an unreasonable amount of time to address deletion requests and by failing to ensure that retained purchase history data was sufficiently anonymized after account closures. Loblaw has agreed to take corrective actions, including a third-party assessment of its anonymization processes.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of Loblaw's processes for addressing individual privacy challenges regarding account deletion.
  • Compliance with PIPEDA's retention principle regarding anonymization of purchase history data.
  • Timeliness of Loblaw's response to customer deletion requests.
  • Sufficiency of Loblaw's anonymization techniques for retained data.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jan 9, 2026 · PIPEDA Findings #2026-003 · Indexed Jun 5, 2026

PIPEDA Findings #2026-003: Investigation into Bell’s compliance with PIPEDA when responding to an access request for personal information

Bell Canada

The Office of the Privacy Commissioner of Canada (OPC) investigated Bell Canada after a complainant alleged Bell contravened PIPEDA by not responding to an access request within 30 days and denying access to cellphone logs. The OPC found Bell contravened PIPEDA by delaying its response to the access request and by denying the complainant access to his phone logs, which were determined to be his personal information. Bell also failed to be open about its policies regarding shared account information. Bell has agreed to provide the requested logs and implement recommendations to improve its procedures for handling shared account requests and its privacy communications.

Adjudicator: Philippe Dufresne

Key Issues
  • Timeliness of response to an access request
  • Access to personal information held by a service provider on a shared account
  • Definition of personal information in the context of phone logs
  • Openness of an organization's privacy policies and practices