Miriam Pinkesz  |  July 10, 2020

Category: Data Breach



Over recent months, Canadian consumers were targeted in numerous privacy breaches and cyberattacks against major corporations, such as MGM Resorts and Fitness Depot. Ensuing privacy class action lawsuits have been filed against these corporations for lack of security infrastructure. The most recent, and possibly the most important, class action is against LifeLabs, one of the largest medical testing laboratory companies in the world. In this most recent case, a cyberattack against the company was alleged to be the largest cybersecurity privacy breach in Canadian history.

These privacy class action lawsuits centre on a pivotal claim: the companies were negligent in their protection of consumer data. Plaintiffs can assert such a claim because Canada has federal and provincial laws in place to ensure that businesses uphold a certain standard when it comes to data protection.

Canada’s chief private-sector privacy law is the Personal Information Protection and Electronic Documents Act (PIPEDA). Throughout this article, we will examine PIPEDA’s privacy requirements for businesses in light of recent Canadian cases of consumer privacy breaches.

What is PIPEDA?

PIPEDA is Canada’s federal privacy legislation that applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity, such as your Amazon account information or your personal information associated with your gym membership.

Provinces that have private-sector privacy legislation deemed substantially similar to PIPEDA abide by their own provincial privacy rules. Among the Canadian provinces exempt from PIPEDA in varying degrees are Alberta, British Columbia, Quebec, Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador.

Businesses in Canada that operate and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory in which they are based. This includes businesses based in provinces with substantially similar provincial privacy legislation.

What is Personal Information?

PIPEDA defines personal information as information “about an identifiable individual.” Information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.

Personal information includes:

  • Age, name, ID numbers, income, ethnic origin, or blood type;
  • Opinions, evaluations, comments, social status, or disciplinary actions; and
  • Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

PIPEDA Privacy Rules

PIPEDA sets out 10 fair information principles geared toward protecting personal information that Canadian businesses must follow:

  • Accountability: Appointing someone to be responsible for PIPEDA compliance, developing and implementing personal information policies, etc.
  • Identifying Purpose: Identify and document personal information collection purposes, tell customers why their information is needed and obtain consent again when a new purpose is identified.
  • Consent: Obtain meaningful consent for the collection, use and disclosure of personal information.
  • Limiting Collection: Only collect personal information required to fulfill a legitimate identified purpose, be honest about the reasons for collecting personal information and collect personal information by fair and lawful means.
  • Limiting Use, Disclosure and Retention: Only use or disclose personal information for the identified purposes for which it was collected and keep personal information only as long as it is needed to serve those purposes.
  • Accuracy: Minimize the possibility of using incorrect information when making a decision about an individual or when disclosing information to third parties.
  • Safeguards: Protect personal information in a way that is appropriate to how sensitive it is.
  • Openness: Have clear detailed personal information management practices that are easy to understand and readily available.
  • Individual Access: When asked, explain to customers where their information was obtained, how that information is or has been used and to whom it has been disclosed, give customers access to their information at minimal or no cost, etc.
  • Challenging Compliance: Provide recourse by developing simple complaint handling and investigation procedures.

Privacy and Online Behavioural Tracking

Online behavioural advertising, which involves tracking consumers’ online activities, is becoming a widespread privacy issue. A recent privacy class action lawsuit against Bell Mobility alleged that customers’ personal data was systematically sold to third-party advertisers without the express consent, or even the knowledge, of those customers. Tim Hortons is also facing backlash over its customer tracking practices, as regulators are investigating claims that Tim Hortons breached privacy laws by tracking the locations of mobile ordering app users without the requisite consent.

Tracking practices have become a prominent strategic element of online behavioural advertising for big corporations. Consumer information has become a valuable tool for tailoring advertisements based on an individual’s browsing activities, which could include purchasing patterns and search queries. A key privacy concern raised by regulators and consumers alike is that, given the scope and scale of information collected, the means available for analyzing data and the personalized nature of the activity, there is a serious possibility that the information could be linked to an individual.

Behavioural advertisers use sophisticated algorithms to analyze the collected data, build detailed personal profiles of users, and assign them to various interest categories, which are, in turn, used for targeted ads.

Online behavioural advertising is legal as long as collecting consumer data is considered a reasonable purpose under PIPEDA. However, PIPEDA requires that consumer tracking and behavioural advertising be carried out within certain parameters, and that it not be made a condition of service for accessing and using the Internet.

For example, PIPEDA requires an individual’s knowledge and consent for the collection, use, or disclosure of personal information. PIPEDA also requires that the purposes for which an individual’s information is to be collected, used or disclosed be explained in a clear and transparent manner. This means that Bell Mobility or Tim Hortons were required to inform consumers of their tracking practices and obtain the requisite consent. They were also bound to inform consumers about the reasons for which personal information would be collected and potentially sold, such as targeted advertising.

Importantly, PIPEDA recognizes that the form of consent can vary. For example, express consent (opt-in) should be used when dealing with sensitive information, such as health information. On the other hand, implied consent (opt-out) can be used when the information is less sensitive. It is important to note that the sensitivity of information depends on the nature of the information and the context in which it is being collected, used or disclosed.

Privacy and Cloud Computing

Cloud computing is the delivery of computing services over the Internet. Cloud services allow businesses to use software and hardware that are managed by third parties at remote locations, thus saving businesses money. Cloud services include online file storage, social networking sites, webmail, and online business applications. Cloud computing also provides a shared pool of resources, such as data storage space, networks, computer processing power and specialized corporate or user applications.

While there are benefits to cloud computing, there are significant privacy and security concerns as well. A primary privacy concern is that consumer personal data travels over the Internet and is stored in remote locations. In addition, cloud providers often serve multiple customers simultaneously, which can increase the scale of exposure to possible breaches, both accidental and deliberate. A recent privacy class action lawsuit against Capital One alleges this very kind of data breach, which resulted in approximately 100 million American and 6 million Canadian cyberattack victims.

The class action claims that Capital One collected massive amounts of personal customer data and stored the data on Amazon’s AWS public cloud. The plaintiffs in the privacy breach class action maintain that both Capital One and Amazon failed to adequately safeguard credit card holders’ personal data, thus opening the door to the massive 2019 data breach.

Another privacy concern is that cloud computing may lead to function creep, which refers to uses of data by cloud providers that were not anticipated when the data was originally collected and for which consent has not been obtained. This concern is reinforced by the fact that storing data in the cloud is inexpensive. There is therefore little incentive to remove the information from the cloud and more reasons to find other things to do with it, such as selling it to third party advertisers.

PIPEDA does not prevent Canadian businesses from transferring personal data to the cloud. As per PIPEDA, this practice is considered the transfer of personal information to an organization in another jurisdiction for processing.

However, PIPEDA establishes rules governing such transfers—particularly with respect to the following:

  • Obtaining consent for the collection, use and disclosure of personal information;
  • Securing the data; and
  • Ensuring accountability for the information and transparency in terms of practices.

It is important to note that many cloud providers based outside Canada may also be subject to PIPEDA where they have a real and substantial connection to Canada, such as by collecting, using or disclosing personal information in the course of a commercial activity.

Have you had your personal information collected or sold without your consent by a Canadian business? Do you think Canada’s privacy laws are sufficient to prevent cyberattacks or other privacy breaches? Share your story with us in the comments below!
