BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

6 decisions matching
Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Jun 10, 2021 · Indexed Apr 12, 2026

Police use of Facial Recognition Technology in Canada and the way forward

RCMP

The Office of the Privacy Commissioner of Canada investigated the RCMP's collection of personal information from Clearview AI, a company that scraped billions of images from the internet for facial recognition. The OPC found that the RCMP contravened the Privacy Act by collecting this information, as Clearview had collected it unlawfully. While the RCMP disagreed with this finding, it agreed to implement the OPC's recommendations to improve its policies and systems for tracking and assessing novel collections of personal information.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the RCMP's collection of personal information from Clearview AI related directly to an operating program or activity of the institution.
  • Whether the RCMP had adequate controls in place to prevent future contraventions of the Privacy Act.
  • The lawfulness of Clearview AI's data collection practices.
  • The adequacy of the RCMP's assessment of privacy risks associated with new technologies.
Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
May 3, 2021 · Office of the Privacy Commissioner Compliance Monitoring of Statistics Canada’s Financial Transactions Project and Credit Agency Data Project · Indexed Apr 12, 2026

Office of the Privacy Commissioner Compliance Monitoring of Statistics Canada’s Financial Transactions Project and Credit Agency Data Project: Final Report

Statistics Canada

This report follows up on an earlier investigation into Statistics Canada's Financial Transactions Project and Credit Agency Data Project. While the initial investigation found no contraventions, it raised significant privacy concerns. This compliance monitoring report assesses whether Statistics Canada’s redesigned projects adequately incorporate the principles of necessity and proportionality. Although Statistics Canada has made progress in reducing the scope of data collection and implementing privacy-enhancing measures, the report concludes that the project plans still fall short in adequately describing public goals, demonstrating effectiveness, and analyzing privacy impacts.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of public goal descriptions for necessity and proportionality assessment.
  • Demonstration of project effectiveness.
  • Sufficiency of privacy impact analysis, including risk of harm.
  • Alignment of Statistics Canada's necessity and proportionality framework with OPC criteria.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2021 · PIPEDA Findings #2021-004 · Indexed Apr 12, 2026

PIPEDA Findings #2021-004: Company’s employees bypassed authentication protocols allowing fraudsters to repeatedly access customer’s account

Fido Solutions Inc.

This investigation concerned a complaint that Fido Solutions Inc. failed to safeguard a customer's personal information, allowing fraudsters to access and alter account details. It was found that Fido's customer service representatives repeatedly failed to follow authentication protocols, leading to unauthorized access. Additionally, the complaint alleged Fido failed to provide a requested transcript in an understandable format. Fido has committed to implementing enhanced safeguards regarding authentication protocols and has since provided the requested transcripts.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards to protect customer personal information from unauthorized access.
  • Effectiveness of authentication protocols and employee adherence.
  • Proper response to customer requests for access to personal information.
  • Provision of personal information in a generally understandable format.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2021 · PIPEDA Findings #2021-009 · Indexed Apr 12, 2026

PIPEDA Findings #2021-009: Opt-in consent required for a donor list trading program

A charitable organization

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding a charitable organization's donor list trading program. The OPC found that the charity needed to obtain express opt-in consent, rather than rely on opt-out consent, for sharing donor contact information, as this practice fell outside donors' reasonable expectations. The OPC also determined that the information provided to donors was insufficient to ensure meaningful consent, lacking details about what information would be shared with whom and for what purpose. The charity agreed to implement recommendations to obtain opt-in consent and provide clearer information.

Adjudicator: Daniel Therrien

Key Issues
  • Requirement for opt-in versus opt-out consent for donor list trading.
  • Sufficiency of information provided to donors for meaningful consent.
  • Application of the 'reasonable expectations' principle under PIPEDA.
  • Compliance with PIPEDA's requirements for consent for information sharing.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 29, 2021 · PIPEDA Findings #2021-002 · Indexed Apr 12, 2026

PIPEDA Findings #2021-002: Investigation into CoreFour Inc.’s compliance with PIPEDA

CoreFour Inc.

The Office of the Privacy Commissioner of Canada (OPC) investigated CoreFour Inc. concerning its compliance with PIPEDA regarding its learning management system, Edsby. The OPC found that CoreFour's safeguards were not adequate due to vulnerabilities in password requirements and protection of student profile pictures, and a lack of an overarching information security framework. The OPC also found that CoreFour lacked a robust accountability framework, including written policies and adequate privacy training. However, the OPC found CoreFour to be in compliance with its breach reporting and notification obligations. CoreFour has accepted the recommendations and is implementing corrective measures.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards for personal information
  • Breach reporting and notification obligations
  • Accountability for privacy compliance
  • Development of privacy management and information security frameworks
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 15, 2021 · PIPEDA Findings #2021-005 · Indexed Apr 12, 2026

PIPEDA Findings #2021-005: Staying signed in by default to email services poses serious privacy concerns for users accessing their email on a public or shared computer

Yahoo! Canada

This investigation concerned Yahoo! Canada's "Stay signed in" feature for its email service, which defaulted to keeping users logged in. The OPC found this practice posed significant privacy risks, especially on public or shared computers, as emails can contain highly sensitive personal information. Yahoo was found to have inadequate safeguards and failed to obtain meaningful consent for the disclosure of personal information that could result from this default setting. Yahoo committed to changing the feature to an opt-in basis and providing clearer warnings to users.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards against unauthorized access to sensitive email content.
  • Whether the "Stay signed in" default setting constitutes meaningful consent for disclosure of personal information.
  • Clarity and prominence of privacy warnings associated with the "Stay signed in" feature.