Canadian Privacy Decisions

This joint investigation by privacy authorities across Canada found that OpenAI contravened privacy laws in its collection, use, and disclosure of personal information through its ChatGPT models GPT-3.5 and GPT-4. Specifically, the investigation found that OpenAI's collection of personal information from publicly accessible websites for training purposes was overbroad and inappropriate. The company also failed to obtain valid consent and be sufficiently transparent about its data practices. While OpenAI has since implemented new mitigation measures and committed to further improvements, some provincial authorities found the new measures insufficient to meet their specific legislative requirements.

• Appropriateness of purpose for data collection and use
• Validity of consent and transparency obligations
• Accuracy of generated information
• Individual rights to access, correction, and deletion

This joint investigation by Canadian privacy authorities found that TikTok's collection and use of personal information, particularly from children, for ad targeting and content personalization was inappropriate and lacked valid consent. TikTok failed to implement adequate age verification measures, leading to the collection of data from underage users without a legitimate purpose. The investigation also found that TikTok's privacy communications were unclear, not easily accessible, and not available in French, failing to provide meaningful consent from adult and youth users for its data practices.

• Appropriate purpose for collecting and using children's personal information.
• Obtaining valid and meaningful consent for tracking, profiling, and targeted advertising.
• Transparency obligations regarding collection and use of personal information for user profiling.
• Adequacy of age assurance measures to prevent underage users from accessing the platform.

This joint investigation by the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) examined a significant data breach at 23andMe, which affected nearly 7 million customers globally. The investigation found that 23andMe failed to implement appropriate safeguards to protect sensitive personal information, including genetic data, from a credential stuffing attack. Furthermore, the company's notifications to both regulatory bodies and affected individuals were found to be inadequate in content and, in some cases, timeliness. Although contraventions were found, the issues were deemed resolved due to significant security improvements made by 23andMe.

• Adequacy of safeguards to protect personal information, particularly genetic data, from credential stuffing attacks.
• Timeliness and completeness of breach notifications to regulators and affected individuals.
• Risk of harm to individuals due to the sensitive nature of compromised personal information.
• 23andMe's assessment of and response to the identified security deficiencies.

A joint investigation by the OPC and three provincial privacy authorities found that Tim Hortons collected granular location data from users of its mobile app without an appropriate purpose and without valid consent. The company tracked users' locations even when the app was closed, inferring details like home and work locations, ostensibly for targeted advertising, but ultimately did not use the data for this stated purpose. The investigation also raised concerns about contractual protections with a third-party vendor and Tim Hortons' overall accountability.

• Collection and use of granular location data for an appropriate purpose
• Obtaining valid consent for location data collection
• Adequacy of contractual protections for data processed by third parties
• Tim Hortons' accountability for privacy practices

A joint investigation by Canadian privacy authorities found that Clearview AI, Inc. contravened PIPEDA and provincial privacy laws by collecting, using, and disclosing personal information without consent and for inappropriate purposes. Clearview's facial recognition tool scraped billions of images from the internet to create biometric facial arrays, which were then provided to law enforcement and other clients. The authorities concluded that Clearview's mass collection and use of sensitive biometric data was not for an appropriate purpose, nor was it obtained with the requisite consent.

• Whether Clearview obtained requisite consent for the collection, use, and disclosure of personal information.
• Whether Clearview collected, used, and disclosed personal information for an appropriate purpose.
• Whether Clearview satisfied its biometric obligations in Quebec.
• Whether Canadian privacy authorities had jurisdiction over Clearview's activities.

This investigation examined Desjardins' compliance with PIPEDA following a significant data breach that occurred between 2017 and 2019, affecting nearly 9.7 million individuals. The Office of the Privacy Commissioner of Canada (OPC) found that Desjardins contravened PIPEDA principles regarding accountability, data retention, and security safeguards. While Desjardins' mitigation measures for affected individuals were deemed adequate, the OPC issued recommendations to address the identified contraventions.

• Adequacy of security safeguards throughout the personal information lifecycle.
• Compliance with accountability principles, including implementing procedures and training staff.
• Appropriateness of data retention and destruction practices.
• Effectiveness of mitigation measures offered to individuals affected by the breach.

This joint investigation by the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia found that AggregateIQ Data Services Ltd. (AIQ) contravened Canadian privacy laws (PIPEDA and PIPA) in its handling of personal information for political campaigns. AIQ failed to ensure adequate consent for the collection, use, and disclosure of personal information, particularly when sharing data with platforms like Facebook for targeted advertising and analytics. Additionally, AIQ's inadequate security measures led to a data breach involving the personal information of millions of individuals.

• AIQ's collection, use, and disclosure of personal information for political campaigns.
• AIQ's compliance with consent requirements for personal information.
• AIQ's implementation of reasonable security measures to protect personal information.
• Cross-jurisdictional data handling and privacy obligations.

The Office of the Privacy Commissioner of Canada (OPC) investigated Equifax Inc. and Equifax Canada Co. following a 2017 data breach that compromised the personal information of approximately 19,000 Canadians. The OPC found that both Equifax Inc. and Equifax Canada contravened PIPEDA concerning inadequate safeguards, data retention, accountability, and consent for the disclosure of personal information. The investigation also found Equifax Canada's post-breach safeguards to be inadequate for protecting affected Canadians. Equifax Canada has committed to corrective measures, and the matters are conditionally resolved.

• Adequacy of security safeguards for Canadian personal information held by Equifax Inc.
• Equifax Inc.'s data retention and destruction practices for Canadian personal information.
• Equifax Canada's accountability for Canadian personal information handled by Equifax Inc.
• Adequacy of consent obtained for the collection and disclosure of Canadian personal information to Equifax Inc.
• Adequacy of safeguards and post-breach measures for Canadian personal information held by Equifax Canada.

This report details three incidents in 2017 where Canadian organizations experienced data breaches due to password reuse by their customers. In each case, attackers used login credentials obtained from unrelated breaches to access customer accounts. The Office of the Privacy Commissioner of Canada found the organizations' responses to be appropriate, including actions like password resets, enhanced security measures, and customer notifications, and encouraged other organizations to adopt similar preventative strategies.

• Impact of password reuse on personal information security
• Adequacy of organizational responses to data breaches
• Effectiveness of safeguards against unauthorized access
• Communication and notification obligations to individuals

This report details a joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Australian Office of the Information Commissioner (OAIC) into Avid Life Media Inc. (ALM), the operator of Ashley Madison. The investigation followed a significant data breach where personal information of millions of users was exposed. The OPC found that ALM contravened PIPEDA regarding information security, indefinite retention of user data, accuracy of email addresses, and transparency with users. ALM has entered into a compliance agreement with the OPC to address these issues.

• Adequacy of information security safeguards
• Indefinite retention of user data
• Accuracy of collected email addresses
• Transparency and user consent regarding data handling practices

This report details an incident where a fraudster impersonated an unknown individual to trick a financial institution's employees into revealing customer contact information. The fraudster then used this information to extract further personal details from approximately 100 customers, increasing their risk of identity theft. The financial institution took immediate steps to mitigate the breach, including offering credit monitoring and enhancing staff training.

• Effectiveness of internal controls to prevent unauthorized disclosure of personal information
• Adequacy of breach response and mitigation measures
• Risks of identity theft and fraud due to personal information disclosure

The Office of the Privacy Commissioner of Canada investigated two separate incidents involving misdirected faxes containing personal information at two banks. In both cases, the banks failed to adequately safeguard personal information, leading to its disclosure to unintended recipients. While both banks took corrective actions, including revising policies and procedures, the OPC recommended further improvements in customer notification and information recovery.

• Adequacy of safeguards for personal information transmitted by fax
• Effectiveness of privacy policies and employee awareness
• Timeliness and scope of customer notification following a privacy breach
• Procedures for recovering erroneously transmitted personal information

This report details an investigation into CIBC's handling of misdirected faxes containing customer personal information, which occurred between 2001 and 2004. The investigation found that CIBC's privacy practices failed to adequately address these incidents, resulting in breaches of customer data and trust. The bank has since implemented significant remedial measures to enhance its privacy safeguards.

• Adequacy of CIBC's privacy policies and procedures
• Effectiveness of CIBC's response to misdirected fax incidents
• Timeliness and appropriateness of customer notification following a privacy breach
• Organizational awareness and adherence to privacy obligations