PIPEDA Complaints

Law Reform

CIPPIC appeared today before the House of Commons Standing Committee on Access to Information, Privacy & Ethics (ETHI) in its ongoing review of Canada's aging Privacy Act. The Act regulates the federal government's handling of personal information, comprising a central component of Canada's privacy framework. However, it has not received any substantial updates since its introduction in the early 1980s, despite tectonic shifts in the incentives animating government data-related objectives as well as in the technological capability to achieve these objectives. In addition, the government has introduced numerous laws designed to update and expand its ability to collect, use and share private data since the 1980s, including laws specifically designed to address technological developments. In the face of this one-sided expansion of state capabilities, the Privacy Act has simply not kept pace, and is in serious need of modernization if it is to continue to effectively meet its objectives to protect individual privacy rights, facilitate government accountability and safeguard public trust.

CIPPIC's recommendations sought to address key gaps in the Privacy Act, while adding principled protections that will help the Act stay relevant in the future. This includes the addition of principled limits on how long data can be reasonably kept by the government. There is currently no such explicit obligation in the Privacy Act, despite the fact that retention limitations are a hallmark of data protection regimes. An over-riding reasonableness obligation is also necessary, as it would ensure government data practices remain proportionate and in alignment with Charter values. CIPPIC also called for addressing central shortages in the Act's transparency framework, including the incorporation of statistical reporting obligations attaching to all law enforcement electronic surveillance powers, and a general 'openness' obligation compelling the government to proactively explain its privacy practices. Additional recommendations addressed the need for mandating reasonable technical safeguards, a mandatory data breach notification regime and formalizing privacy impact assessment requirements.

CIPPIC's application for leave to intervene has been granted in Douez v Facebook Inc, SCC File No 36616, an appeal that raises fundamental questions regarding the nature of online jurisdiction, e-consumer protection and privacy. Specifically at issue is a forum selection clause imposed by Facebook onto all of its customers, on a take it or leave it basis, mandating that all disputes be brought against it in California. On the basis of this clause, it was held that a class action launched against Facebook in BC and alleging violations of BC privacy laws cannot proceed.

Managing online jurisdiction-where services can have significant global presence and impact on a largely virtual basis-has strained digital policy since the early days of the world wide web. However, CIPPIC's proposed intervention intends to argue that forum selection clauses are ill-suited as a means of navigating the challenges posed by global online services. A mandatory, non-negotiable forum selection clause effectively opts a service provider out of Canadian standards and laws as foreign courts tend to apply their own rules and standards. As forum selection clauses are ubiquitous and non-negotiable in online services, their universal enforcement could effectively deprive Canadians from domestic protections in relation to digital activities that are increasingly critical to their daily lives. In addition, it could force any Canadian individual embroiled in a dispute with a global online platform to undertake the expense and inconvenience of suing in a foreign court.

CIPPIC has joined over 65 civil society organizations from around the world in an open letter to Mark Zuckerberg regarding its initiative. is Facebook's portal for mobile Internet access in developing countries. The portal is essentially a mobile app through which individuals can access other Internet sites, after first passing through Facebook's servers. The portal is zero rated, meaning that Facebook has entered into deals with wireless providers around the world that exclude usage from data charges. While Facebook presents this as an altruistic initiative designed to get the next 3 billion Internet users connected, many have questioned whether it is truly altruistic or simply an attempt to place Facebook at the centre of the future Internet, establishing it as gatekeeper to downstream content and innovation. Meanwhile, the initiative detracts from other charitable efforts designed to provide true connectivity capacity in developing countries and, as domestic telcos are forced to shoulder the costs of the initiative, it is not clear what benefit Facebook provides to developing countries at all.

Regardless of its motivation, Facebook's leaves much to be desired. Where it is active, individuals already think of Facebook as 'the Internet'. However, the Internet provided by Facebook is a highly curated environment, which only allows sites pre-approved by Facebook that operate on Facebook's terms. In this sense, it threatens the expressive and innovative force of the Internet, which has always relied on the capacity to innovate and express without permission. It is, indeed, this 'innovation without permission' model that allowed Facebook itself to supplant MySpace as the world's leading social networking site - Facebook's ability to reach its audience was not dependent on MySpace's (or anyone else's) permission. Additionally, all traffic passes through Facebook's servers, raising concerns it will in time feed into Facebook's broader profiling activities while acting as a one-stop hub for state censorship initiatives. simply comes with too many strings attached.

Bill S-4, the Digital Privacy bill, introduces amendments to PIPEDA, Canada's federal commercial sector privacy law. The Bill, a result of PIPEDA's first five year review conducted in 2006, introduces some far overdue improvements to Canada's privacy protection toolset at a time when privacy has never faced greater challenges. These include the adoption of a breach notification regime which would obligate companies to notify customers (as well as the Privacy Commissioner) whenever a privacy breach can place affected individuals at risk of significant harm, and the adoption of more robust consent obligations. However, as CIPPIC pointed out in its testimony and response to follow-up questions, the framework adopted by Bill S-4 in addressing these issues is flawed. The data breach notification regime in particular will fail to instill incentives for better security safeguards as it only applies to breaches that pose a significant threat of harm to affected individuals. Yet the reality of security breaches is that it will often be highly uncertain whether data was even exposed, meaning many serious breaches will go unreported. Moreover, even trivial breaches that do not pose a specific risk to individuals are often indicative of a general laxity in technical safeguards. These too will remain unreported.

Of greater concern, the Bill also includes a number of troubling exceptions that would expand the conditions under which organizations can hand over sensitive customer information to third parties. One exception would allow ISPs, online blogging discussion fora, social media sites and others to help companies trying to sue their customers by handing over sensitive customer information. It also allows for nigh unlimited information-sharing in the context of a cybersecurity breach. Such breaches often implicate immense amounts of sensitive data. The PIPEDA amendments fail to impose any obligations for companies dealing with a breach to minimize privacy impact when handing over these data troves. Additionally, our national security agencies are increasingly implicated in domestic security breaches, yet Bill S-4 does nothing to prevent them from repurposing the data troves they receive for security breaches into general security information and keeping it indefinitely. As such, there is serious concern that the emails, financial/banking information, health data, and other sensitive information that is commonly implicated in data breaches will simply be rolled in to these security agencies general profiling activities and ultimately used against the individuals who the data breach notification regimes is supposed to protect. Indeed, Bill C-51, currently being rushed through both houses of parliament at once, will make it even easier by removing barriers to 'all of government' information sharing for cybersecurity purposes.

Data Privacy Day (a.k.a. Data Protection Day) 2015 marked a range of developments - some good, some bad, all significant. Data Privacy Day is celebrated annually to commemorate the world's first data protection treaty: the Council of Europe's Convention 108. This year, the day began with a series of startling revelations from CBC, which released documents acquired through former NSA Analyst Edward Snowden detailing a comprehensive electronic surveillance program that monitored various file upload sites around the world. The program, implemented by Canada's foreign intelligence agency, CSEC, involved combing through its comprehensive meta-data-bases in order to identify individuals uploading or accessing 'questionable' documents on sites such as MegaUpload and Rapidshare. Visitors to such documents are then subjected to intense meta-data-scrutiny in order to find their identity through such things as Facebook and email login cookies. Aside from the millions of documents tracked by the program daily, the program demonstrates an immensely invasive capacity that can emerge from mere analysis of the metadata held by CSEC and its Five EYEs partners. Far from acknowledging these concerns, we expect more of the same, with State promises to introduce expanded lone wolf surveillance powers this Friday.

Some tentatively promising developments from APEC also came this week. CIPPIC had endorsed a letter sent by a number of privacy groups in late December pointing to several issues with APEC's certification of TRUSTe as an accountability agent capable of overseeing compliance with APEC obligations for the purpose of receiving personal data transfers from other APEC member states such as Canada. This week, APEC and TRUSTe addressed a number of the concerns, but left a few (particularly those relating to conflicts of interest between TRUSTe board members and some of the commercial organizations it is tasked with overseeing) outstanding. In brighter news, the Mexican data protection authority announced it would be officially signing the International Principles on the Application of Human Rights to Communications Surveillance (IPAHRCS-es for short!), designed to provide comprehensive suggestions on how to conduct electronic surveillance in a targeted and privacy respective manner. The IPAHRCS have now been endorsed by over 480 international organizations, experts and government officials. An eventful data privacy day, for better or worse!

CIPPIC testified today before the House of Commons Standing Committee on Access to Information, Privacy & Ethics on the growing problem of identity theft. As CIPPIC highlighted in its testimony, identity theft is, in many ways, the crime of the digital age. It exploits the immense amounts of information about individuals that is available on digital networks in order to exploit them through an increasingly profitable range of fraudulent activities. The cost, time and trauma inherent in the identity recovery process make identity theft a serious social problem. CIPPIC's testimony highlighted the need for stronger privacy laws as a means of minimizing identity theft. PIPEDA, Canada's data protection law, is the primary mechanism for empowering individuals to better control their personal information. It also obligates organizations to properly safeguard their customers' personal information. However, PIPEDA lacks the most basic features of any effective regulatory regime -- enforceability and compliance incentives. These shortcomings must be addressed as part of any meaningful attempt to address the problems of identity theft. In addition, attention entities such as the Canadian Identity Theft Support Centre, which play a crucial role in the victim recovery process, need to be fostered and developed further. Overall, CIPPIC called for the development and adoption of a national strategy on identity theft that would adopt these and other measures in a comprehensive response to this growing problem.

Office of the Privacy Commissioner's Office, 2010 Consultation on Online Privacy

The CIPPIC ID Theft research project aims to develop well-informed and well-reasoned recommendations for law and policy reform designed to prevent, detect, and mitigate the effects of ID theft.

On July 25, 2007, CIPPIC filed a complaint with the Privacy Commissioner of Canada under s.29 of the federal Privacy Act about two federal tribunals that post full decisions online without redacting often highly sensitive personal information.  In its letter, CIPPIC asked the Privacy Commissioner to establish guidelines for federal agencies regarding the online posting of decisions and other documents that contain personal data about individual applicants, appellants, or complainants.  CIPPIC argued that openness and accountability do not require the identification of individual applicants/appellants/complainants.

CIPPIC actively participated in a multidisciplinary research project funded by the Social Sciences and Humanities Research Council (SSHRC) Initiatives on the New Economy (INE) Program that focuses on issues of anonymity and authentication.

In a submission filed with the Senate Committee on Legal and Constitutional Affairs in May 2007 on Bill C-31, CIPPIC objected to the expansion of personal information used for secondary purposes without the consent of electors. Under the Act, Elections Canada is required to share names and addresses from the National Register of Electors with political parties for fundraising and other campaign purposes. Bill C-31 would have added date of birth to the lists of electors shared for these purposes.  As a result of opposing to this proposal by the Privacy Commissioner of Canada and CIPPIC, sharing of date of birth was removed from the bill before it was passed by the House of Commons.

Privacy in domain name registration (CIRA & ICANN)

FAQ on privacy and copyright issues raised by photography-related activities.

Social networking websites allow individuals to form online social communities. To begin, individuals create profiles that describe themselves. Individuals often include personal information such as their contact information, gender, political and religious beliefs, relationship status, and interests.

Behavioural targeting has become a significant concern to privacy advocates. In the past, the ability of marketers to track, profile, and target individual consumers with specific advertising has been limited by marketers need for those consumers to browse to specific websites or use specific web services. Beginning in 2007, web marketing businesses began to introduce technologies that target the traffic streams of Internet Service Providers (ISPs) as a source of data for building profiles of individual ISP customers.

The workplace presents particular challenges to individual privacy for a number of reasons, including the power imbalance between employer and employee, the increasing technological capabilities of employers to monitor employee activity, and the strong incentives for employers to collect and use employee personal information for employment-related purposes, enhanced productivity, and reduced liability.

Resources on RFID technologies and their privacy implications.
The use of public video surveillance for policing, although common in the UK since the 1980s, has until recently not been politically palatable in other countries. The notion of the state being able to watch one while one is walking down the street conjures up comparisons with Nineteen Eighty-Four's telescreens.

With the continued growth of the internet and the ever increasing ability of online services to track and 'mine' personal information, the protection of personal information has become a hot topic.

The Internet has provided the public with an unprecedented ability to communicate and share ideas while keeping their identities private. Anonymity, or the ability to conceal one's identity, has opened the door to much freer communication than would otherwise be the case. Those who fear persecution, ostracism or embarrassment are able to communicate about topics and in ways they would not risk otherwise.

National ID cards are a hot topic in Canada and other countries thinking about introducing a nationwide uniform identification document. Especially since the terrorist attacks in Washington and New York and the ongoing 'fight against terrorism', national ID cards have risen to the top of the agenda in immigration and security departments all over the world.

Biometrics, or the use of biological properties (e.g., fingerprints, retina scans, voice recognition) to identify individuals, are increasingly popular methods of identification. They are no longer confined to criminal law enforcement and the imagination of science fiction writers dreaming of hand-recognition as an automatic door opener and remote eye-scanning while entering a shopping mall.

Regulators provide guidance on mobile privacy, tracking & advertising

Voltage v. Doe, Federal Court, 2013

A.B. v. Bragg Communications, 2012 SCC 46, SCC File No. 34240, Anonymity in judicial proceedings

Warman v. Fournier, 2010 ONSC 2126, [2010] 100 O.R. (3d) 648, 319 D.L.R. (4th) 268 (Ont. Div. Ct.)

CIPPIC has filed an objection to the proposed Canadian settlement to the Sony BMG rootkit class action. Sony BMG offers Canadian consumers far less than it offered American consumers in the US class action settlement, and offered no rational explanation for the different treatment. CIPPIC will appear at the class proceeding's fairness hearing, currently scheduled for 9:00 a.m., 21 September, at 361 University Avenue, in Toronto.

On December 19, 2005, CIPPIC filed an application for judicial review in the Federal Court of Canada, challenging the Privacy Commissioner's determination that she lacks jurisdiction to investigate This finding was in response to CIPPIC's complaint against

Royal Bank of Canada - Refusal to deal for secondary purposes

CIPPIC's comprehensive complaint against the privacy practices of Facebook, Inc.

PIPEDA Complaints against Bell, Rogers, Shaw and Eastlink's use of DPI

CIPPIC asks the Privacy Commissioner to Audit Google to investigate the implicatios of its merger with online ad network DoubleClick

PIPEDA complaint that's decision to outsource storage of customer emails to the United States failed to provide an adequate level of protection by exposing those emails to the risk of police access through invasive surveillance powers.

Winners/Homesense (collection minimization & disclosure for secondary purposes)

Sony/BMG Rootkit

Canadian Banks and SWIFT

Ticketmaster (November 2005)

CIPPIC filed a formal complaint under PIPEDA against Ticketmaster on November 17, 2005. The complaint alleges that Ticketmaster's information management practices violate PIPEDA's requirements for openness, accountability, consent , and access to information. Specifically, CIPPIC alleges failures on the part of Ticketmaster to clearly identify what it does with personal information once collected, to protect information transferred to third parties for processing, to obtain proper consent from customers for secondary uses and disclosures, and to respond adequately to access to information requests.

We received the report of findings by the Office of the Privacy Commissioner on February 12, 2008. The OPC found that our complaints about lack of openness and consent to be well-founded, but resolved as Ticketmaster agreed to change its policies and practices accordingly.


CIPPIC's letter, Nov.17,2005.


InfoCanada (July 2005)

On July 15, 2005, CIPPIC filed a complaint with the Privacy Commissioner of Canada against InfoCanada, a Canadian company that sells lists of information about Canadian businesses and consumers.

In the complaint, CIPPIC alleged that InfoCanada combines publicly available personal information from telephone books with aggregated demographic data from Statistics Canada, to create lists of "personal demographic information" for sale to marketers, thus invoking PIPEDA. PIPEDA requires organizations to obtain consent before using and disclosing personal information. CIPPIC argued that InfoCanada violates PIPEDA by failing to obtain consent to its use and disclosure of this personal information, inaccurate as it may be. CIPPIC also alleged that InfoCanada violates PIPEDA by failing to be open about its personal information management practices and by using personal information for inappropriate purposes.

Although CIPPIC chose to investigate InfoCanada, CIPPIC has reason to believe that many other data-brokers in Canada use similar data matching techniques to create and enhance marketing lists. CIPPIC anticipates that a finding from the Privacy Commissioner will clarify the appropriateness of these data matching activities for all companies in this industry. and National Locator Services (June 2004)

In June and July, 2004, CIPPIC filed complaints with the Privacy Commissioner of Canada about two U.S.-based companies, and National Locator Services, that offer online background checks and other search services about individuals, including Canadians, for a fee. In its complaints, CIPPIC alleged that these services breach federal data protection legislation by routinely collecting, using and disclosing personal information about Canadians, for unlimited purposes, without the knowledge or consent of the individuals in question. As well, CIPPIC noted that its testing of the "psychological profile" service suggested serious inaccuracies in the personal information provided, thus further contravening the legislation. The Office of the Privacy Commissioner responded by way of a letter dated November 30, 2004, stating that "While the organization may well be collecting information on Canadians, our legislation does not extend to investigating organizations located only in the United States. We are, therefore, unable to investigate this matter under PIPEDA."

Bank's wrongful access to and disclosure of individual's credit report (May 2004)

CIPPIC assisted an individual in his efforts to obtain fair compensation for a significant violation to his privacy. The violation occurred when a ScotiaBank employee accessed and disclosed his credit bureau report to his fiancee without his knowledge or consent. Banks and other credit grantors are under a legal obligation in Canada to obtain individual consent before accessing, using or disclosing that individual's credit report. In this case, the bank employee failed to obtain the individual's consent before pulling up his credit report and disclosing it to his fiancee, who was seeking information on mortgage rates.

CIPPIC assisted the individual in his dealings first with the Scotiabank Ombudsman, then with the Canadian Bank Ombudsman, then with the Privacy Commissioner, and finally with Scotiabank's legal department. The Privacy Commissioner found, after investigating, that Scotiabank had violated the consent requirement in Principle 4.3 of the PIPED Act. Scotiabank admitted the error, but was unwilling to pay the individual more than $500 in compensation. The individual ultimately settled with Scotiabank.


Privacy Commissioner, letter, July 13,2005.


MBNA Mastercard (Blanket consent to unlimited & unnecessary use/disclosure)

Houst of Commons ETHI Committee Study: Privacy & Social Media Sites

Industry Canada: Questionnaire on Updating OECD Privacy Guidelines

Modernizing Convention 108: the Council of Europe's Privacy Framework

OPC Consultations on Online Tracking, Behavioural Targeting & Cloud Computing

In an open letter to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, CIPPIC and a number of civil society organizations voice serious concerns with respect to Bill C-29, currently before the House and scheduled for second reading early next week. The Bill, ironically dubbed the 'Safeguarding Canadians' Personal Information Act', proposes a number of amendments to Canada's federal privacy protection statute, PIPEDA. Far from improving privacy, the Bill threatens to erode civil liberties in serious ways. Even where it attempts to improve privacy, it falls short by failing to provide any incentive for compliance.

The most troubling elements of the Bill pave the way to a dramatic expansion in the ways in which private businesses can be used in investigations against their own customers. While privacy should never be a bar to legitimate investigations of actual wrongs, the law provides mechanisms such as warrants, production orders, mandatory disclosure laws, and discovery processes that ensure investigations can occur with proper safeguards in place. This Bill essentially bypasses all of these safeguards by adding and expanding exceptions that permit organizations to simply give away their customer's information and includes elements evocative of the US PATRIOT Act and all the civil liberties violations that accompanied it.

Canada's 2010 Digital Economy Consultation

Data Breach Notification

The Privacy Act is a federal statute governing the federal government's treatment of personal information.  It was passed in 1983, before the revolutionizing effects of computer technology on information processing and privacy. Despite repeated calls by Privacy Commissioners, the Act has not yet been updated to take into account new privacy threats.  The House of Commons Standing Committee on Access to Information, Privacy and Ethics began a review of the Privacy Act in the spring of 2008.

PIPEDA is Canada's federal private sector data protection legislation. It applies to all federally regulated works and undertakings, as well as provincially regulated private sector organizations in provinces and territories other than Quebec, Alberta, and B.C. (that have their own, similar, laws).

APEC Cross Border Privacy Rules

In the summer of 2005, the Prime Minister appointed retired Supreme Court Justice Gerard LaForest to assess the merits of merging the currently separate Offices of the Information and Privacy Commissioners of Canada. The rationale for such a merger was not made clear. Along with other privacy advocates, CIPPIC opposes the merger on the grounds that it would weaken privacy protection in Canada at a time when stronger privacy protection is needed. CIPPIC sent a letter to Justice LaForest in October 2005, opposing the merger.