Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3
(613) 995-8210, 1-800-282-1376
Fax (613) 947-6850
TDD (613) 992-9190
© Minister of Public Works and Government Services Canada 2008
Cat. No. IP54-6/2008
ISBN 978-0-662-05731-4
This publication is also available on our website at www.privcom.gc.ca.
Message
When the Personal Information Protection and Electronic Documents Act, or PIPEDA,
received Royal Assent in 2000, the need for private sector privacy legislation at that time
was clear: Canadians were demanding adequate privacy protection in a new digital
economy. In debates leading up to the adoption of the law, then-Industry Minister John
Manley told the House of Commons, “All of us, consumer, business and government alike,
need to feel confident about how our personal information is gathered, stored and used.
The protection of our personal privacy is a basic right which Canadians cherish.”
Since its inception, organizations have been adapting their business practices to comply
with PIPEDA and similar new provincial standards as their customers grow increasingly
concerned over the protection of their personal information. Meanwhile, the privacy
landscape continues to evolve. Advances in information technology and the desire among
business to compete globally have meant that the privacy challenges we face today are
more complex than ever before.
Our Office’s understanding of the interpretation and application of the Act continues
to evolve as well. In the last seven years, we have investigated over 2600 individual
complaints and have issued findings on many precedent-setting issues arising from the
Act. The complaint mechanism has provided us with a window into how PIPEDA works
in practice.
Leading by Example is meant to share the insights we have gained since the Act’s
inception by highlighting some of the leading case findings we’ve released on a number
of important issues. The issues profiled in this report reflect current and growing concerns
for businesses and their customers alike, such as the increasing surveillance phenomenon,
trans-border data flows, the prevalence of data breaches, and the proliferation of using
information collected for secondary marketing purposes. We hope this document will
help guide businesses in the development and application of their own privacy practices
through the experience of others.
Many of the case findings highlighted here were issued by former Assistant
Commissioner Heather Black, who retired last year. We owe her an enormous debt of
gratitude for the pioneering contribution she has made to the adoption, implementation
and evolution of PIPEDA in its initial critical years, first as General Counsel, then as
Assistant Commissioner responsible for PIPEDA. We wish to express our sincere thanks
to Heather and recognize her important contributions in advancing privacy rights in
Canada.
We also wish to thank Alex Cameron of Fasken Martineau, whom we commissioned to
author earlier drafts of Leading by Example, as well as Patricia Kosseim, our Office’s
General Counsel, Ann Goldsmith, Policy Team Leader, and our Communications staff
who saw this project through from conception to completion.
Jennifer Stoddart
Privacy Commissioner of Canada
Elizabeth Denham
Assistant Privacy Commissioner of Canada
Table of Contents
INTRODUCTION........................................................................................................................................... 1
1. SCOPE OF APPLICATION OF THE ACT ........................................................................................ 5
1.1 Personal information ............................................................................................................. 5
1.2 Commercial activity ............................................................................................................... 7
2. PIPEDA BEYOND CANADA ...........................................................................................................11
2.1 Outsourcing ............................................................................................................................11
2.2 PIPEDA’s application to foreign entities ........................................................................13
3. SURVEILLANCE PHENOMENA .....................................................................................................17
3.1 Security surveillance ............................................................................................................17
3.2 Employee surveillance ........................................................................................................20
4. EMERGING TECHNOLOGIES.........................................................................................................23
4.1 Biometrics ................................................................................................................................23
4.2 GPS .............................................................................................................................................25
5. DATA BREACHES AND SECURITY MEASURES ........................................................................27
5.1 Data security breaches ........................................................................................................27
5.2 Other cases on security measures ..................................................................................29
6. CARELESS DISCLOSURES AND NEED FOR ONGOING EMPLOYEE TRAINING .............35
6.1 Social engineering and pretexting .................................................................................35
6.2 Careless errors ........................................................................................................................37
7. COLLECTING TOO MUCH INFORMATION ...............................................................................41
7.1 Product returns and credit card usage ..........................................................................41
7.2 Opening accounts and related activities ......................................................................43
7.3 Collection of health information .....................................................................................43
8. MEANINGFUL ACCESS TO PERSONAL INFORMATION .......................................................45
8.1 General principles of access ..............................................................................................45
8.2 The impact of parallel litigation proceedings .............................................................46
8.3 Fees for access ........................................................................................................................47
9. SECONDARY MARKETING PURPOSES ......................................................................................51
9.1 Telecommunications ...........................................................................................................51
9.2 Banking .....................................................................................................................................53
9.3 Retail ..........................................................................................................................................55
9.4 Airlines ......................................................................................................................................56
Conclusion ..................................................................................................................................................57
Table of leading cases .............................................................................................................................59
INTRODUCTION
The Personal Information Protection and Electronic Documents Act (PIPEDA) was
implemented in phases over a three-year period that began on January 1, 2001.
PIPEDA applies to every organization in respect of personal information that the
organization collects, uses or discloses in the course of its commercial activities.1
PIPEDA also applies to federal works, undertakings and businesses in respect of
employee personal information that they collect, use or disclose in connection with their
operations, whether or not these involve commercial activity
per se.2
PIPEDA does not apply to an organization in respect of personal information that the
organization collects, uses or discloses within Alberta, British Columbia or Quebec (or
within Ontario, in respect of personal health information collected, used or disclosed
by health information custodians governed by Ontario’s Personal Health Information
Protection Act3) unless:
(1) the organization is a federal work, undertaking or business; or
(2) the personal information is disclosed outside of a province in the course of a
commercial activity.
These provinces have enacted privacy laws that have been declared substantially similar
to PIPEDA.4 As a result, the collection, use or disclosure of personal information by
organizations in the course of commercial activities in these provinces will be subject
to the applicable provincial laws, and not PIPEDA, except as provided above. PIPEDA
applies to organizations’ commercial activities in all other provinces.5
1 The concept of “commercial activity” is discussed in section 1 of this document.
2 See PIPEDA, s. 4(1)(b).
3 Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A [PHIPA].
4 Personal Information Protection Act, S.A. 2003, c. P-6.5; Personal Information Protection Act, S.B.C. 2003, c. 63;
An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., chapter P-39.1. Ontario’s PHIPA has
also been deemed substantially similar to PIPEDA.
5 Organizations in the Northwest Territories, Yukon and Nunavut are considered federal works, undertakings or
businesses and therefore are covered by PIPEDA in respect of their collection, use and disclosure of personal
information in the course of commercial activities, and in respect of employee personal information.
Leading by Example: Key Developments in the First Seven Years of PIPEDA
PIPEDA requires organizations to comply with a set of legal obligations that are based
on the following ten principles: (1) Accountability, (2) Identifying purposes, (3) Consent,
(4) Limiting collection, (5) Limiting Use, Disclosure, and Retention, (6) Accuracy, (7)
Safeguards, (8) Openness, (9) Individual access, and (10) Challenging compliance.
Subsection 5(3) of PIPEDA contains the over-arching rule that organizations may only
collect, use or disclose personal information for purposes that a reasonable person would
consider appropriate in the circumstances.
Under PIPEDA, individuals may file with the Commissioner a written complaint
against an organization for contravening specified provisions of the Act.6 As well, the
Commissioner may initiate a complaint where the Commissioner is satisfied that there
are reasonable grounds to investigate a matter.
The role of the Office of the Privacy Commissioner of Canada (the “Commissioner”)
under PIPEDA is to investigate complaints, make findings and issue non-binding
recommendations where appropriate. The individual or the Commissioner may then
proceed to Federal Court to seek legal enforcement.
The Commissioner has issued hundreds of findings under the Act.7 Canadian courts have
also issued numerous decisions. Seven years into the operation of PIPEDA, this growing
body of case findings and court decisions provides practical insight into how some of the
provisions of PIPEDA should be interpreted.
This document provides businesses and individuals with an overview of leading findings
and court decisions under PIPEDA to date. Reflecting the organic manner in which
the cases have evolved through the complaint mechanism in PIPEDA, this document
organizes leading cases around several emerging themes:
1. Scope of Application of the Act
Leading cases under PIPEDA have helped define “personal information”,
“commercial activity” and other essential concepts to help organizations determine
whether or not PIPEDA applies in a given situation.
2. PIPEDA Beyond Canada
Landmark cases on outsourcing and other cross-border activities have interpreted
the boundaries of PIPEDA.
3. Surveillance Phenomena
Surveillance cases are among the most contentious cases arising under the Act.
Key cases have established important guidance in this area to help organizations
distinguish between appropriate and inappropriate surveillance.
6 See PIPEDA, s. 11(1). An individual may file with the Commissioner a written complaint against an organization
for contravening a provision of Division 1 or for not following a recommendation set out in Schedule 1.
7 The Commissioner’s findings and related documents are available at http://www.privcom.gc.ca.
4. Emerging Technologies
At the frontiers of PIPEDA, several cases have addressed complex privacy
issues arising from the adoption and application of new technologies, including
biometrics and global positioning systems.
5. Data Breaches and Security Measures
High-profile data breach cases have helped define the security safeguards and
procedures that organizations must put in place to protect personal information.
6. Careless Disclosures and Need for Ongoing Employee Training
A number of cases have addressed situations involving careless or inadvertent
disclosures of personal information. These cases often emphasize the critical
importance of implementing employee training as an ongoing process, rather than
a simple one-time endeavour.
7. Collecting Too Much Information
Leading cases in the retail and employment sectors have helped define how
organizations should limit the quantity and nature of personal information
collected for different purposes, thereby reducing the risk of inappropriate use and
disclosure down the line.
8. Meaningful Access to Personal Information
Several cases have resolved important concerns about individuals’ right to access
their personal information, including cases involving parallel litigation proceedings
and those relating to fees for access.
9. Secondary Marketing Purposes
Key cases have established a framework for determining when opt-in versus opt-out
consent is appropriate, as well as consent issues generally in the context of
improper uses and disclosures of information for secondary marketing purposes.
The Commissioner and the courts have together developed an essential body of
recommendations and case law over the first seven years of PIPEDA that can now better
assist organizations and individuals to understand their privacy rights and obligations in
Canada. Leading cases stand as powerful examples of PIPEDA in concrete action, and
help chart the course for the future, particularly as organizations deploy new technologies
to remain competitive in a global economy and struggle to establish responsible personal
information practices that balance individual privacy rights with legitimate business
needs. The key cases referred to in this document have been categorized in a table which
is annexed as Appendix 1 to this document for ease of reference.