BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

81 decisions matching
Federal (Canada) · Privacy Act · Not well-founded
Oct 6, 2009 · Indexed Apr 12, 2026

No proof Human Rights Commission accessed woman's Internet connection

Canadian Human Rights Commission

A woman complained that the Canadian Human Rights Commission (CHRC) improperly collected and used her personal information by accessing her wireless Internet connection to post messages to a website during an investigation. The Office found no evidence that the CHRC accessed the complainant's connection or collected any of her personal information. Technological experts suggested the association of the complainant's IP address to the CHRC was likely a mismatch by a third party.

Adjudicator: Jennifer Stoddart

Key Issues
  • Whether the CHRC improperly collected and used the complainant's personal information by accessing her Internet connection.
  • Whether an IP address constitutes personal information.
  • Evidence of unauthorized access to personal information.

Federal (Canada) · Privacy Act · Not well-founded
Jan 29, 2009 · Indexed Apr 12, 2026

Investigation finds no evidence that Canadian Human Rights Commission accessed individual's Internet connection

Canadian Human Rights Commission

An individual complained that the Canadian Human Rights Commission (CHRC) improperly collected and used her personal information, alleging the CHRC accessed her wireless internet connection to post messages on a website. The investigation examined whether the CHRC contravened sections 4 to 8 of the Privacy Act. Ultimately, the OPC found no evidence that the CHRC collected or used the complainant's personal information, concluding the complaint was not well-founded.

Adjudicator: Jennifer Stoddart

Key Issues
  • Whether the IP address constitutes personal information under the Privacy Act.
  • Whether the CHRC collected and used the complainant's personal information during its investigations.
  • Whether the CHRC improperly disclosed or retained the complainant's personal information.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Apr 2, 2007 · Report of Findings · Indexed Apr 12, 2026

Report of Findings: Privacy Commissioner of Canada v. SWIFT

SWIFT

This investigation concerned SWIFT's disclosure of personal information originating from Canadian financial institutions to the US Department of the Treasury in response to administrative subpoenas. The OPC found that PIPEDA applied to SWIFT's commercial activities in Canada. However, the Commissioner concluded that SWIFT's disclosure of information to comply with valid US subpoenas was permissible under PIPEDA, interpreting subsection 7(3)(c) to allow compliance with lawful orders from foreign jurisdictions where the organization operates. The Commissioner recommended that US authorities use existing information-sharing mechanisms rather than subpoenas to obtain Canadian financial data.

Adjudicator: Jennifer Stoddart

Key Issues
  • Does PIPEDA apply to SWIFT's collection, use, and disclosure of personal information in its Canadian operations?
  • Was personal information disclosed to US authorities in accordance with PIPEDA?
  • Interpretation of subsection 7(3)(c) regarding compliance with foreign subpoenas.
  • Balancing privacy protection with counter-terrorism financing efforts.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Apr 2, 2007 · Executive Summary · Indexed Apr 12, 2026

Executive Summary: Privacy Commissioner of Canada v. SWIFT

SWIFT SCRL (Society for Worldwide Interbank Financial Telecommunication)

This investigation concerned allegations that SWIFT inappropriately disclosed personal information from Canadian financial institutions to the US Department of the Treasury (UST) via administrative subpoenas. The Privacy Commissioner of Canada determined that SWIFT was subject to PIPEDA due to its operations in Canada and its commercial activities involving Canadian banks. While SWIFT disclosed data held in the US to the UST in response to a subpoena, the Commissioner found this disclosure was permissible under the Act's exceptions to consent.

Adjudicator: Jennifer Stoddart

Key Issues
  • Whether SWIFT is subject to PIPEDA
  • Whether SWIFT inappropriately disclosed personal information to the UST
  • Applicability of PIPEDA exceptions to disclosure in response to a subpoena

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Nov 7, 2003 · PIPEDA Case Summary #2003-243 · Indexed Apr 12, 2026

PIPEDA Case Summary #2003-243 — telecommunications company "B"

A telecommunications company

An individual complained that a telecommunications company failed to obtain adequate consent for the secondary marketing use and disclosure of customer data. The investigation found that the company's privacy code, policy, and customer activation process sufficiently informed customers of its marketing practices and their right to opt-out. The company also complied with CRTC restrictions on disclosing customer information. As a result, the Assistant Privacy Commissioner concluded that the company was in compliance with PIPEDA.

Adjudicator: Robert Marleau

Key Issues
  • Adequacy of consent for secondary marketing purposes
  • Clarity and accessibility of privacy policies
  • Company's process for informing customers of data use and opt-out options

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Oct 16, 2002 · PIPEDA Case Summary #2002-82 · Indexed Apr 12, 2026

PIPEDA Case Summary #2002-82: Alleged disclosure of personal information without consent for secondary marketing purposes by a bank

A bank

An individual complained that a bank failed to obtain adequate consent for using and sharing customer data with affiliates for secondary marketing purposes, arguing the bank did not clearly inform customers or provide an easy opt-out mechanism. The Office of the Privacy Commissioner of Canada (OPC) investigated and found the bank's practices and materials, including informing customers of privacy policies and providing an opt-out process, constituted a reasonable effort to ensure customer knowledge and consent. The OPC concluded the bank was in compliance with PIPEDA principles regarding secondary marketing.

Adjudicator: George Radwanski

Key Issues
  • Adequacy of consent for secondary marketing purposes
  • Clarity of information provided to customers about data use and sharing
  • Availability and ease of the opt-out process
  • Bank's compliance with PIPEDA principles on knowledge and consent