Canadian Privacy Decisions

This investigation examined Staples Canada's practices concerning the removal of personal information from returned laptops resold through its Openbox program. The Office of the Privacy Commissioner of Canada (OPC) found that Staples had deficiencies in its policies, procedures, and employee training regarding data wiping. Specifically, the OPC determined that Staples did not consistently ensure full data sanitization according to manufacturer guidelines, leading to residual personal information being found on some devices. Staples agreed to implement corrective measures, including updating procedures, enhancing training, and engaging third-party spot checks.

• Adequacy of safeguards for personal information on returned electronic devices
• Sufficiency of Staples' policies and procedures for data wiping
• Effectiveness of employee training on data sanitization
• Compliance with PIPEDA Principles 4.7.1 and 4.7.3

This investigation concerned a privately owned swimming pool's policy requiring parents to consent to the use of photos and videos of their children for promotional purposes as a condition of enrolling them in swimming lessons. The OPC found that this requirement contravened PIPEDA principles regarding consent for the collection, use, and disclosure of personal information. The swimming pool has agreed to implement an opt-in photo policy, resolving the complaint.

• Whether requiring consent for promotional photos/videos as a condition of service violates PIPEDA.
• Whether photos/videos of children in swim attire are sensitive personal information.
• Whether the swimming pool's stated business needs justified the mandatory consent policy.
• Whether consent was sought appropriately for staff training purposes.

This joint investigation by Canadian privacy authorities found that TikTok's collection and use of personal information, particularly from children, for ad targeting and content personalization was inappropriate and lacked valid consent. TikTok failed to implement adequate age verification measures, leading to the collection of data from underage users without a legitimate purpose. The investigation also found that TikTok's privacy communications were unclear, not easily accessible, and not available in French, failing to provide meaningful consent from adult and youth users for its data practices.

• Appropriate purpose for collecting and using children's personal information.
• Obtaining valid and meaningful consent for tracking, profiling, and targeted advertising.
• Transparency obligations regarding collection and use of personal information for user profiling.
• Adequacy of age assurance measures to prevent underage users from accessing the platform.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against Google's search engine service. The complainant alleged that Google was violating PIPEDA by displaying links to old media articles about their arrest and criminal charge. While the OPC found that Google complied with accuracy requirements, it determined that the continued display of these sensitive articles, which caused significant harm to the complainant, outweighed the limited public interest. The OPC recommended Google de-list the articles, but Google refused, stating the matter should be decided by the courts.

• Whether Google contravened PIPEDA's accuracy requirements by displaying links to outdated articles.
• Whether Google contravened PIPEDA's "appropriate purposes" provision by displaying sensitive personal information linked to an individual's name.
• Balancing individual privacy rights against freedom of expression in the context of search engine results.
• Determining the public interest in accessing historical, sensitive information via search engine results.

This joint investigation by the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) examined a significant data breach at 23andMe, which affected nearly 7 million customers globally. The investigation found that 23andMe failed to implement appropriate safeguards to protect sensitive personal information, including genetic data, from a credential stuffing attack. Furthermore, the company's notifications to both regulatory bodies and affected individuals were found to be inadequate in content and, in some cases, timeliness. Although contraventions were found, the issues were deemed resolved due to significant security improvements made by 23andMe.

• Adequacy of safeguards to protect personal information, particularly genetic data, from credential stuffing attacks.
• Timeliness and completeness of breach notifications to regulators and affected individuals.
• Risk of harm to individuals due to the sensitive nature of compromised personal information.
• 23andMe's assessment of and response to the identified security deficiencies.