Canada’s Privacy Commissioner Cracks Down on Privacy Compliance

12 Jun Canada’s Privacy Commissioner Cracks Down on Privacy Compliance

Kelly Harris and Jane Huang

On June 10, 2024, Canada’s Office of the Privacy Commissioner (OPC) announced that it would that it would be investigating a privacy breach at the global direct-to-consumer genetic testing company 23andMe. The 23andMe investigation will be jointly conducted with the UK Information Commissioner to collaboratively safeguard individuals’ privacy across jurisdictions by examining the extent of the exposed information, assessing 23andMe’s protective measures, and evaluating the adequacy of the breach notifications provided to regulators and affected individuals.

The OPC is the federal privacy regulator conducting investigations into privacy complaints and incidents, with jurisdiction over both private and public sector privacy law compliance under the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act. Below are some notable investigations conducted by the OPC over the past year, as outlined further in the OPC’s recent annual report:

1. OpenAI’s ChatGPT. In May 2023, the OPC announced a joint investigation between the privacy authorities of Canada, Québec, British Columbia, and Alberta into OpenAI. This ongoing investigation aims to assess whether OpenAI has obtained meaningful consent, upheld transparency and accountability standards, and limited data collection to necessary purposes.
2. Home Depot of Canada Inc. The OPC initiated an investigation into Home Depot after receiving a complaint from a consumer that their personal information had been disclosed to Meta without their knowledge and consent. Consumers opting for e-receipts were unaware that their personal information was used to Home Depot’s online advertising campaigns and shared with Meta for unrelated business purposes. The OPC found that Home Depot’s Privacy Statement was insufficient to obtain implied consent for its disclosure to Meta of the personal information of in-store customers.
3. Cyber Breach at CRA and ESDC. The OPC investigated a cyber breach at the Canada Revenue Agency (CRA) and at Employment and Social Development Canada (ESDC) that took place from July to August 2020, where hackers exploited weaknesses in security systems and compromised the sensitive financial, banking, and employment data of tens of thousands of Canadians. The OPC found that both organizations had under-assessed the level of identity authentication that was warranted for these online services given the sensitivity of personal information that was involved. 
4. Royal Canadian Mounted Police (RCMP)’s Project Wide Awake. The OPC investigated the RCMP’s Project Wide Awake, which used third-party service providers to collect personal information from a range of sources, including social media, the dark web, location-based services, and fee-for-access private databases. The OPC recommended that the RCMP should thoroughly assess third-party services for privacy law compliance before procurement and increase transparency with Canadians regarding the collection and use of their personal information from open-source intelligence gather.
5. Brinks Home. The OPC investigated a data breach caused by an employee error, which exposed the names, phone numbers, addresses, emergency contact details, and alarm system information of over 3,000 customers. The OPC found that Brinks had not adequately protected customers’ personal information and recommended the implementation of organizational safeguards, such as (i) protocols for protecting personal information and for responding to a suspected breach, (ii) employee training, and (iii) monitoring to ensure safeguard protocols are followed.

These investigations highlight the OPC’s commitment to protecting and promoting privacy, advocating for privacy during technological change, and championing children’s privacy rights. As well, the OPC’s signal to businesses the importance of ensuring compliance with privacy laws. While no fines currently apply to breaches of federal privacy laws, proposed reforms would create administrative monetary penalties up to $10 million or 3% of global revenue, criminal charges that include fines and imprisonment, enforcement action by the OPC, and a private right of action that would allow individuals to sue organizations for damages resulting from violations of their privacy rights.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Companies are encouraged to seek legal counsel to ensure compliance with applicable laws.