BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

7 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jun 20, 2018 · PIPEDA Report of Findings #2018-004 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-004: Microsoft to obtain opt-in consent, enhance transparency for Windows 10 privacy settings

Microsoft

This investigation concerned Microsoft's Windows 10 privacy settings, which were initially set to 'on' by default during installation. The Office of the Privacy Commissioner of Canada (OPC) investigated whether Microsoft obtained valid consent for the collection, use, and disclosure of users' personal information. While Microsoft made several updates to improve clarity and consent mechanisms, the OPC identified ongoing concerns regarding the meaningfulness of consent for certain settings, particularly regarding diagnostics, tailored experiences, and speech recognition. Microsoft committed to implementing further changes, including obtaining opt-in consent for all installation privacy settings, enhancing transparency, and improving data protection measures.

Adjudicator: Daniel Therrien
Key Issues
  • Validity of consent for default privacy settings during Windows 10 installation.
  • Clarity and completeness of privacy communications provided to users.
  • Adequacy of measures to protect sensitive diagnostic data from being used for targeted marketing.
  • Ensuring meaningful consent for cloud-based speech recognition services.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Jun 12, 2018 · PIPEDA Report of Findings #2018-002 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-002: Company’s re-use of millions of Canadian Facebook user profiles violated privacy law

Profile Technology Ltd.

The Office of the Privacy Commissioner of Canada (OPC) investigated complaints against Profile Technology Ltd. (Profile Technology), a New Zealand-based company, for copying and using personal information from Facebook profiles without consent. The OPC found that Profile Technology's website was not merely a search engine but a social networking site, and that the information was not "publicly available" under PIPEDA. The company's practice of repurposing outdated Facebook data without consent or consideration for privacy settings was deemed inappropriate. Additionally, Profile Technology was found to be retaining help desk ticket information longer than necessary. The OPC concluded that Profile Technology contravened PIPEDA by using and disclosing personal information for purposes not appropriate in the circumstances and without consent.

Adjudicator: Daniel Therrien
Key Issues
  • Jurisdiction over a foreign-based organization
  • Definition of "publicly available" information under PIPEDA
  • Requirement for consent for collection and use of personal information
  • Appropriateness of purposes for using personal information
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
May 24, 2018 · PIPEDA Report of Findings #2018-003 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-003: Facebook agrees to stop using non-users’ personal information in users’ address books

Facebook Inc.

The Office of the Privacy Commissioner of Canada investigated a complaint against Facebook Inc. regarding a privacy breach where personal information of users and non-users was inadvertently disclosed through the 'Download Your Information' tool. The investigation found that while Facebook had safeguards in place, they were not adequate prior to the breach, leading to the unauthorized disclosure of contact information. Additionally, Facebook was not sufficiently open about its practice of matching contact information across address books. Facebook has since implemented corrective measures, including a new Privacy Framework and revised notices, resolving the issues.

Adjudicator: Daniel Therrien
Key Issues
  • Adequacy of safeguards for personal information.
  • Facebook's practice of matching contact information across address books and consent requirements.
  • Openness and transparency of Facebook's policies and practices regarding contact information.
  • Facebook's provision of access to and correction of personal information.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 29, 2018 · PIPEDA Case Summary #2018-005 · Indexed Apr 12, 2026

PIPEDA Case Summary #2018-005: Courier company discontinues practice of delivery to a neighbour

A courier company

The complainant alleged that a courier company disclosed her personal information without consent by delivering a package addressed to her to her neighbour. The investigation found that the courier company had contravened PIPEDA's consent principle by not obtaining consent directly from the complainant for its practice of delivering packages to neighbours, nor by demonstrating due diligence to ensure the shipper had obtained such consent. In response to the OPC's recommendations, the courier company committed to ending the practice of delivering to neighbours, and this commitment was confirmed.

Adjudicator: Daniel Therrien
Key Issues
  • Was personal information disclosed without consent by delivering a package to a neighbour?
  • Did the courier company exercise due diligence to ensure the shipper obtained consent for the delivery to a neighbour practice?
  • Is an unlisted telephone number on a package label sensitive personal information?
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Feb 7, 2018 · PIPEDA Report of Findings #2018-006 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-006: Breach of the World Anti-Doping database

World Anti-Doping Agency (WADA)

This investigation examined a breach of WADA's Anti-Doping Administration and Management System (ADAMS) database, which resulted in the public disclosure of athletes' personal information, including health details. The OPC found that WADA's security safeguards were insufficient, contravening PIPEDA principles. While WADA committed to implementing recommendations, including enhanced security measures, the matter was resolved conditionally pending compliance.

Adjudicator: Daniel Therrien
Key Issues
  • Sufficiency of security safeguards for sensitive personal information
  • Access controls and authentication mechanisms for the ADAMS database
  • Monitoring, logging, and incident response capabilities
  • Policies, procedures, and training related to information security
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jan 9, 2018 · PIPEDA findings #2018-007 · Indexed Apr 12, 2026

PIPEDA findings #2018-007: Online marketplace needs consent from members before contacting them to join advocacy network

An online marketplace

The OPC investigated a complaint against an online marketplace that sent an email to members inviting them to sign a petition without their explicit consent. The OPC found that the marketplace retained information appropriately but failed to obtain adequate consent for sending the petition email, which was beyond the scope of their services. The OPC also found that the marketplace did not handle the complainant's privacy concerns effectively. The matter was conditionally resolved when the marketplace committed to implementing recommendations, including obtaining opt-in consent for such emails and improving complaint handling. The issue was later resolved upon evidence of implementation.

Adjudicator: Daniel Therrien
Key Issues
  • Adequacy of consent for using personal information for advocacy emails.
  • Proper handling and escalation of customer privacy complaints.
  • Appropriate retention of personal information.
  • Clarity of purposes stated in the privacy policy.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jan 8, 2018 · PIPEDA Report of Findings #2018-001 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-001: Connected toy manufacturer improves safeguards to adequately protect children’s information

VTech Holdings Limited

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint following a global data breach at VTech Holdings Limited, which potentially compromised the personal information of over 316,000 Canadian children and 237,000 Canadian adults. The investigation found significant deficiencies in VTech's information security safeguards, including a lack of testing, inadequate access controls, cryptographic issues, and absence of security monitoring. Although VTech contravened PIPEDA Principle 4.7, the OPC concluded the matter was resolved because VTech implemented timely and comprehensive measures to address the breach and improve its security.

Adjudicator: Daniel Therrien
Key Issues
  • Adequacy of information security safeguards for children's data
  • Failure to test for and mitigate known vulnerabilities
  • Insufficient access controls and cryptographic protection
  • Lack of comprehensive security management program