Canadian Privacy Decisions

This joint investigation by the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia found that AggregateIQ Data Services Ltd. (AIQ) contravened Canadian privacy laws (PIPEDA and PIPA) in its handling of personal information for political campaigns. AIQ failed to ensure adequate consent for the collection, use, and disclosure of personal information, particularly when sharing data with platforms like Facebook for targeted advertising and analytics. Additionally, AIQ's inadequate security measures led to a data breach involving the personal information of millions of individuals.

• AIQ's collection, use, and disclosure of personal information for political campaigns.
• AIQ's compliance with consent requirements for personal information.
• AIQ's implementation of reasonable security measures to protect personal information.
• Cross-jurisdictional data handling and privacy obligations.

The Office of the Privacy Commissioner of Canada (OPC) investigated Equifax Inc. and Equifax Canada Co. following a 2017 data breach that compromised the personal information of approximately 19,000 Canadians. The OPC found that both Equifax Inc. and Equifax Canada contravened PIPEDA concerning inadequate safeguards, data retention, accountability, and consent for the disclosure of personal information. The investigation also found Equifax Canada's post-breach safeguards to be inadequate for protecting affected Canadians. Equifax Canada has committed to corrective measures, and the matters are conditionally resolved.

• Adequacy of security safeguards for Canadian personal information held by Equifax Inc.
• Equifax Inc.'s data retention and destruction practices for Canadian personal information.
• Equifax Canada's accountability for Canadian personal information handled by Equifax Inc.
• Adequacy of consent obtained for the collection and disclosure of Canadian personal information to Equifax Inc.
• Adequacy of safeguards and post-breach measures for Canadian personal information held by Equifax Canada.

The complainant alleged that Grey House Publishing Canada (Grey House) collected, used, and disclosed his personal information without his knowledge or consent. Grey House collected the complainant's contact information from a non-profit association's webpage and included it in its print directory and database. Grey House then sold an email distribution list containing this information to Economic and Social Development Canada (ESDC), which used it to send emails promoting a federal program. The OPC found that Grey House contravened PIPEDA by collecting and using the complainant's personal information without adequate consent, as the information was not considered business contact information and did not fall under the exceptions for publicly available information. The OPC also found that Grey House contravened PIPEDA's openness principle by having an inadequate privacy statement.

• Whether the complainant's contact information constituted personal information or business contact information under PIPEDA
• Whether Grey House was conducting commercial activity under PIPEDA
• Whether Grey House obtained adequate consent to collect and use the complainant's personal information
• Whether Grey House's privacy statement adequately reflected its practices

The Office of the Privacy Commissioner of Canada (OPC) investigated 411Numbers, a website operator that provided free access to telephone numbers and associated information. A complainant alleged that 411Numbers collected, used, and disclosed his personal information without consent, used it for an inappropriate purpose (paid removal service), over-collected information for removal services, and was unresponsive to privacy concerns. The OPC found that 411Numbers contravened PIPEDA by publishing unlisted telephone numbers without consent, and that its previous practice of requiring extensive identification for removal services was an over-collection. The paid removal service was also deemed inappropriate. However, 411Numbers has since ceased its paid removal service and implemented new practices for information removal and data collection.

• Jurisdiction over a non-Canadian company with a real and substantial connection to Canada
• Collection, use, and disclosure of unlisted telephone numbers without consent
• Appropriateness of using personal information for a paid removal service
• Over-collection of personal information for identity verification during removal requests