PIPEDA Complaints

RBC - invalid consent to secondary uses (August 2008)

By way of a formal complaint filed August 1, 2008, CIPPIC challenged the legality of bank policies that require clients to allow the bank to use their personal information for such purposes as "to determine your eligibility for products and services we offer". CIPPIC also argued that banks must obtain the express consent of clients to any such secondary uses of personal financial information; opt-out consent is not sufficient.

In response to a request by the Office of the Privacy Commissioner, CIPPIC agreed to put its complaint on hold while it pursues resolution of the issues with the Canadian Bankers' Association and the Investment Industry Regulatory Organization of Canada.

ISP use of personal information for behavioural targeting purposes (July 2008)

In a letter sent July 25, 2008, CIPPIC asked the federal Office of the Privacy Commissioner ("OPC") to investigate the internet service provider (ISP) industry's controversial new practice of profiling users online to target them with advertising. The OPC responded by way of a letter dated August 8, 2008, noting that because these issues "involve an entire industry, they are more appropriately dealt with through research and consultation with stakeholders", and stating that it would undertake research into the use of deep packet inspection (DPI) by Canadian ISPs "over the coming months". In a subsequent letter dated Sept.9/08, the Privacy Commissioner herself noted that the office was researching the issue and consulting with experts. The results of some of that consultation are available on a website hosted by the OPC, which collects an expansive number of submissions on the uses and potentials of DPI.

CIPPIC Media Release
Request for investigation into ISP use of DPI for behavioural targeting
Privacy Commissioner's Website on DPI

Facebook (May 2008-Present)

On May 30, 2008, CIPPIC filed a 35-page student-driven Complaint under PIPEDA against Facebook, alleging 22 separate violations of the Act by the popular social networking site. The complaint focused upon improving knowledge and control over how user information is being collected, used and disclosed on the site. It additionally set out to establish a set of norms governing the increasing concentrations of personal information seen online in social networking sites such as Facebook. On July 16, 2009, the OPC released PIPEDA Case Summary #2009-008, CIPPIC v. Facebook, its comprehensive report of findings on CIPPIC's complaints. In this finding, the Assistant Privacy Commissioner found that the majority of CIPPIC's complaints were well-founded. She additionally provided Facebook with 30 days to agree to comply with the rulings she had made in the finding. On August 25, 2009, the OPC released a Letter of Resolution outlining Facebook's willingness to comply with its initial finding. This resolution established a one year timeline for Facebook to bring itself into compliance. On December 9, 2009, Facebook made sweeping changes to its privacy settings, purportedly in an attempt to bring itself in compliance with the OPC's finding. As part of this transition, Facebook defaulted many of its users' privacy settings so as to better align these with its recommendations. These changes, however, have raised serious privacy concerns and, in CIPPIC's view, failed to meet the standards set out in that finding, as well as the requirements of PIPEDA. On February 20, 2010, CIPPIC provided Facebook with a comprehensive Statement of Concerns with respect to the nature of new changes on its site. In this statement, CIPPIC has asked Facebook to indicate its willingness to respond to its concerns within 30 days.

Core issues raised by social networking sites relate to the degree of knowledge and control users are given over how their personal information will be collected, used and further disclosed. This is particularly the case with respect to information designated as 'public' by default and with respect to the unbridled degree of access Facebook provides any application or website developer to the personal information of its users. In addition, there are concerns surrounding the extent to which personal information is retained on the site once Facebook no longer has any reasonable use for it. With respect to the December transition in particular, CIPPIC has suggested that Facebook failed to meet clear standards set out in PIPEDA, and as such did not have the informed, meaningful consent of its users for the changes it recommended to them. CIPPIC has asked in its statement of concern that Facebook commit, among other things, to undo any changes that resulted therefrom as well as to provide users with greater control over information it now forces them to make 'public'. On February 24, 2010, CIPPIC received, in response to an Access to Information request, correspondence between the OPC and Facebook indicating that the Privacy Commissioner's office had similar concerns.

In changes made to its site in April and May of 2010, Facebook responded to some of CIPPIC's concerns, as stated in its Statement. In particular, and to its credit, Facebook has improved ease of access to privacy settings on its site. In addition, Facebook has somewhat improved transparency surrounding what user information application and website advertisers/developers can access when a user interacts with their services. As outlined in a letter sent to Facebook on May 28, 2010, CIPPIC believes Facebook has failed to address the core concerns raised by the operation of its site and as such remains in violation of PIPEDA. In particular, Facebook continues to pre-select default settings for its users that do not reflect reasonable expectations or the sensitivity of the information in question. Also, it does not appear that Facebook intends to provide granular control over data provided to advertiser/developers.

ISP use of Deep Packet Inspection (May/July 2008)

On May 9, 2008, CIPPIC asked the Privacy Commissioner to investigate the use by Bell Canada and other ISPs of "deep packet inspection" technology. DPI allows ISPs to view and make decisions based on the contents of internet traffic flowing over their networks. It is being increasingly used by ISPs to "manage" internet traffic (especially P2P traffic), but can also be used to profile individual subscribers for marketing or other purposes. CIPPIC filed a supplementary submission on May 26th, asking the OPC to investigate possible Bell uses of DPI for behavioural targeting purposes as well as for traffic-shaping purposes. On June 24th, CIPPIC filed a further submission with additional evidence, urging the OPC to consult with independent experts as well as Bell in its investigation of this matter.

On July 25, 2008, CIPPIC filed complaints against ISPs Rogers, Shaw and Eastlink for their alleged use of DPI for traffic-shaping purposes. These complaints parallel that filed earlier against Bell.

On July 25, 2008, CIPPIC also filed a formal request to the Privacy Commissioner for an industry-wide investigation of ISP practices involving the use of DPI technology for behavioural marketing purposes, with a view to developing industry guidelines (see above).

Google-DoubleClick (September 2007)

On Sept.17, 2007, CIPPIC filed a formal request asking the Privacy Commissioner to exercise her audit powers under s.18 of PIPEDA to investigate a number of alleged violations of PIPEDA by Google and DoubleClick, and to assess the privacy implications of their planned merger. This request followed upon similar filings by public interest groups in the US and Europe.

By way of a letter dated Aug.28, 2008, the OPC noted that it had conducted a thorough review of the issues, concluding that our "concerns regarding Google's online transparency with respect to their privacy practices were well-founded", but that "the scope of the issue of behavioural marketing is larger than the ramifications of a merger and what may be posted online regarding privacy policy information. We determined that the best way forward at this time would not be through an audit of one particular entity but rather by adopting a more broad approach", via its Research, Education and Outreach branch.

Canada.com (July, 2007)

On July 25, 2007, CIPPIC asked the Privacy Commissioner to investigate and report on canada.com's compliance with PIPEDA, and in so doing to clarify legal requirements for notice and consent in situations involving outsourcing of core business operations to a US-based company. In early 2007, canada.com notified its email customers that it had outsourced its email service operations to US-based Velocity Services Inc. This raised concerns among some customers about the consequent increased risk of surreptitious US government access to the email communications of canada.com subscribers. CIPPIC asked the Privacy Commissioner to investigate and report on whether Canadian subscribers of canada.com email services receive a "comparable level of protection" of their personal data from US-based providers as compared to Canadian providers.

In a letter dated August 7, 2008, the OPC concluded that CIPPIC's complaints were not well-founded since "the risk of a US-based service provider being ordered to disclose personal information to US authorities is not a risk unique to US organizations", and since canada.com had provided adequate notice of its outsourcing and had ensured that all customers consented to it. In so finding, the OPC reiterated its position:
a) "that the sharing of information with a third-party service provider constitutes a "use" for the purposes of the Act, and that an individual's consent must be obtained for the uses of her or his personal information"; and that
b) "organizations that outsource the processing of personal information must provide sufficient notice with respect to the existence of service-provider arrangements, including notice that any foreign-based service provider may be required by the applicable laws of that country to disclose personal information in the custody of such service provider to the country's government or agencies."

Winners/HomeSense (January, 2007)

CIPPIC filed a formal complaint on Jan.24, 2007 with the Privacy Commissioner, requesting a formal investigation into the widely-reported security breach suffered by the Winners group of companies and affecting consumers who shop at any Winners or HomeSense store in Canada. CIPPIC is concerned that Winners/HomeSense may be collecting customer information that they don't need, storing it for longer than they need to, and sharing it with other companies for secondary marketing purposes without the customers' full and informed consent. At the same time, the Commissioner initiated a joint investigation with the Privacy Commissioner of Alberta. A joint finding was issued in September 2007, finding the retailer in breach of PIPEDA in a number of respects.

Sony BMG Rootkit (September 2006)

After discovering that Sony BMG refused to provide Canadians with the same protections against privacy-invasive practices as it agreed to in the USA (as part of a class action settlement), CIPPIC lodged formal complaints about the company's data collection practices with the Privacy Commissioners of Canada, Alberta and B.C.

Canadian banks and SWIFT (July 2006)

Together with Privacy International, CIPPIC filed a formal complaint with the Privacy Commissioner of Canada against the "Big Six" Canadian banks, regarding allegedly unlawful disclosures of personal banking information to the U.S. government by SWIFT, a Belgium-based clearinghouse for international bank transfers. Under federal data protection law, banks are responsible for personal information that they outsource for processing purposes. The federal Privacy Commissioner subsequently launched an investigation of SWIFT itself.

In a report released September 28, 2006, the Belgian Privacy Commissioner found that SWIFT had violated Belgian law in systematically transferring "massive amounts of personal data [to the US Treasury] for surveillance without effective and clear legal basis and independent controls in line with Belgian and European law".

The Privacy Commissioner released a summary of her findings on CIPPIC's complaints, as well as her finding on SWIFT's own liability under PIPEDA, on April 2nd, 2007. In brief, she found that neither SWIFT nor Canadian banks are violating PIPEDA when they disclose personal information about Canadians to foreign authorities in response to subpoenas by those authorities, even if such subpoenas would not be valid under Canadian law. Detailed letter findings below:

Ticketmaster (November 2005)

CIPPIC filed a formal complaint under PIPEDA against Ticketmaster on November 17, 2005. The complaint alleges that Ticketmaster's information management practices violate PIPEDA's requirements for openness, accountability, consent, and access to information. Specifically, CIPPIC alleges failures on the part of Ticketmaster to clearly identify what it does with personal information once collected, to protect information transferred to third parties for processing, to obtain proper consent from customers for secondary uses and disclosures, and to respond adequately to access to information requests.

We received the report of findings by the Office of the Privacy Commissioner on February 12, 2008. The OPC found our complaints about lack of openness and consent to be well-founded, but resolved, as Ticketmaster agreed to change its policies and practices accordingly.

InfoCanada (July 2005)

On July 15, 2005, CIPPIC filed a complaint with the Privacy Commissioner of Canada against InfoCanada, a Canadian company that sells lists of information about Canadian businesses and consumers.

In the complaint, CIPPIC alleged that InfoCanada combines publicly available personal information from telephone books with aggregated demographic data from Statistics Canada, to create lists of "personal demographic information" for sale to marketers, thus invoking PIPEDA. PIPEDA requires organizations to obtain consent before using and disclosing personal information. CIPPIC argued that InfoCanada violates PIPEDA by failing to obtain consent to its use and disclosure of this personal information, inaccurate as it may be. CIPPIC also alleged that InfoCanada violates PIPEDA by failing to be open about its personal information management practices and by using personal information for inappropriate purposes.

Although CIPPIC chose to investigate InfoCanada, CIPPIC has reason to believe that many other data-brokers in Canada use similar data matching techniques to create and enhance marketing lists. CIPPIC anticipates that a finding from the Privacy Commissioner will clarify the appropriateness of these data matching activities for all companies in this industry.

In a preliminary report dated August 15, 2008, the OPC finds that there is no PIPEDA violation because "the fact that a person lives in a neighbourhood with certain characteristics....is information about the neighbourhood, not about the individual."  CIPPIC has until October 15th to respond to this preliminary conclusion.  CIPPIC explains, in its response, why this finding is flawed.

MBNA Mastercard (February 2004)

In February 2004, CIPPIC filed a complaint with the Privacy Commissioner on behalf of a consumer against MBNA Mastercard, pointing out that MBNA required its Mastercard applicants to consent to a virtually unlimited range of uses and disclosures of their personal credit and other information, far beyond what is necessary for the provision of credit card services. This was so despite previous findings of the Privacy Commissioner that such broad consent was inappropriate and contrary to law. In light of MBNA's blatant and continuing disregard for the law, including two previous Commissioners' findings, CIPPIC asked the Privacy Commissioner to take enforcement action against MBNA.

Rather than publicize the breach or take enforcement action, the Privacy Commissioner decided to negotiate with MBNA. In March, 2005, the Privacy Commissioner informed us that MBNA had completed a comprehensive review of the consent language used in its application form and Privacy Notice, in consultation with staff of the Privacy Commissioner's office. MBNA's revised application form and Privacy Notice, now in use, set out in detail the types of information collected, the sources from which they are collected, and the uses to which they are put. MBNA names its affiliates, sets out its secondary uses of personal information, and now provides an easy and immediate opt-out to the proposed secondary uses. Provision of SINs is now clearly optional. The Privacy Commissioner considers that MBNA has now met the expectations of her office.

Abika.com and National Locator Services (June 2004)

In June and July, 2004, CIPPIC filed complaints with the Privacy Commissioner of Canada about two U.S.-based companies, Abika.com and National Locator Services, that offer online background checks and other search services about individuals, including Canadians, for a fee. In its complaints, CIPPIC alleged that these services breach federal data protection legislation by routinely collecting, using and disclosing personal information about Canadians, for unlimited purposes, without the knowledge or consent of the individuals in question. As well, CIPPIC noted that its testing of the Abika.com "psychological profile" service suggested serious inaccuracies in the personal information provided, thus further contravening the legislation. The Office of the Privacy Commissioner responded by way of a letter dated November 30, 2004, stating that "While the organization may well be collecting information on Canadians, our legislation does not extend to investigating organizations located only in the United States. We are, therefore, unable to investigate this matter under PIPEDA."

On December 14, 2004, CIPPIC sent a formal complaint about Abika.com to the Federal Trade Commission in the United States, alleging violations of US law. We also responded to the Privacy Commissioner of Canada by way of a letter encouraging her to reconsider her staff's determination that they could not investigate companies located wholly in the USA. After discussions with the Office of the Privacy Commissioner, we filed another complaint against Abika.com under PIPEDA on December 20, 2004.

In a letter dated November 18, 2005, the Assistant Privacy Commissioner determined that "we cannot proceed with your complaint as we lack jurisdiction to compel U.S. organizations to produce the evidence necessary for us to conduct the investigation". Interestingly, however, the Privacy Commissioner's office recently launched an investigation in respect of Locatecell.com, using the information provided by a journalist who purchased the Privacy Commissioner's cell phone records and published a cover story on the issue. It's not clear what is stopping the Privacy Commissioner's office from simply ordering a few searches from abika.com and other online investigators in order to get the evidence it needs.

On December 19, 2005, CIPPIC filed an application for judicial review in the Federal Court of Canada challenging the Privacy Commissioner's determination that she lacks jurisdiction to investigate Abika.com. The court hearing was held in January 2007, and the court released its decision Feb.5, 2007, finding that the Privacy Commissioner indeed has jurisdiction under PIPEDA to investigate transborder data flows.

Following the Federal Court’s ruling, the Privacy Commissioner re-opened her investigation of Abika.com. In a finding released May 20, 2009, the Privacy Commissioner upheld CIPPIC’s complaint, stating that Abika.com’s collection of personal information of Canadians, as well as its disclosure of information for often ‘questionable’ and unreasonable purposes, violated PIPEDA. On a third ground, the Privacy Commissioner found that, although she seriously doubted their veracity, psychological profiles of Canadians sold by Abika.com were ‘opinions’ and so difficult to disprove. The complaint sparked cooperation between the Privacy Commissioner and the US Federal Trade Commission, as well as an additional investigation of Abika by the latter.

Bank's wrongful access to and disclosure of individual's credit report (May 2004)

CIPPIC assisted an individual in his efforts to obtain fair compensation for a significant violation of his privacy. The violation occurred when a Scotiabank employee accessed and disclosed his credit bureau report to his fiancee without his knowledge or consent. Banks and other credit grantors are under a legal obligation in Canada to obtain individual consent before accessing, using or disclosing that individual's credit report. In this case, the bank employee failed to obtain the individual's consent before pulling up his credit report and disclosing it to his fiancee, who was seeking information on mortgage rates.

CIPPIC assisted the individual in his dealings first with the Scotiabank Ombudsman, then with the Canadian Bank Ombudsman, then with the Privacy Commissioner, and finally with Scotiabank's legal department. The Privacy Commissioner found, after investigating, that Scotiabank had violated the consent requirement in Principle 4.3 of the PIPED Act. Scotiabank admitted the error, but was unwilling to pay the individual more than $500 in compensation. The individual ultimately settled with Scotiabank.

This page last updated: July 17, 2008