Privacy Update

By Esther Shainblum and Martin U. Wissmath

Sep 2023 Charity & NFP Law Update
Published on September 28, 2023



Federal Privacy Commissioner Promotes Privacy as ‘Fundamental Right’ in Annual Report

Protecting children’s privacy and online safety, keeping up with the impact of artificial intelligence on privacy, and preparing for potential privacy law reform are three strategic priorities identified by Canada’s privacy commissioner in the Office of the Privacy Commissioner of Canada’s (“OPC”) 2022–23 annual report to Parliament (the “Annual Report”) that will be of interest to charities and not-for-profits. The OPC’s Annual Report, Protecting and promoting privacy in a digital world, published on the OPC website on September 19, 2023, reports on privacy issues  arising under the federal Privacy Act, which applies to federal government institutions, and under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which applies to federal works, undertakings or businesses and to the collection, use and disclosure of personal information in the course of a commercial activity and across borders.

In the opening message of the Annual Report, Privacy Commissioner Philippe Dufresne promoted his “vision of privacy based on 3 key pillars”:

  • First, privacy is a fundamental right, which means that it must be treated as a priority. It also means that in clear cases of conflict with private and public interests, privacy should prevail.
  • Second, privacy supports both the public interest and Canada’s innovation and competitiveness. It is not a zero-sum game between privacy rights and public and private interests; we can have both, and Canadians deserve nothing less.
  • Third, privacy accelerates the trust that Canadians have in their institutions and in their participation as digital citizens. Creating a culture of privacy, and being seen to be doing so, generates trust and engagement with our public institutions, which is good for the public interest, and also sustains trust and loyalty from clients and customers, which is good for innovation and economic success.

The Privacy Commissioner also outlined three “strategic priorities”:

  1. keeping up with and staying ahead of technological advancements and their impact on privacy, particularly with respect to artificial intelligence (AI) and generative AI;
  2. protecting children’s privacy so that they can benefit from technology and be active online safely and free from fear that they may be targeted, manipulated, or harmed as a result; and
  3. preparing for potential law reform should Bill C-27, the Digital Charter Implementation Act, be adopted by Parliament.

The Annual Report includes a Year in Review of the investigations that the OPC had undertaken under PIPEDA. The OPC’s focus for investigations as stated in the Annual Report “remains on the need to protect Canadians’ fundamental right to privacy and to foster increased trust in the Canadian digital economy by helping private-sector organizations comply with privacy law.” The OPC received and accepted 454 complaints under PIPEDA, an increase of 6% over the previous year, according to the Annual Report, including two complaints against not-for-profit organizations.

Data breach reports also increased by 6% over the previous year, with 681 breach reports under PIPEDA, according to the Annual Report, while the OPC suspects that many breaches go unreported, or even undetected. The majority of breaches related to unauthorized access to personal information, more than half of which were attributed to cyber attacks using phishing, malware or compromised credentials to access organizations’ systems. The OPC advises organizations to make security a priority in order to protect against such attacks, and to deploy enhanced safety measures such as enhancing protections for employee credentials, applying security patches as they become available, and requiring two-factor or multi-factor authentication. The not-for-profit sector is not immune to data breaches, as 36 reports – 5% of the total detach breach notifications – were related to not-for-profit organizations, according to the Annual Report’s statistical tables.

In addition, the Annual Report also highlighted a 2021 OPC report of findings relating to a complaint about a charity that relied on opt-out, implied, consent to enlist donors in a donor list trading program. A donor on the list complained that the opt-out check box on the charity’s mail-in donation form was inadequate. The OPC found that sharing donors’ names and addresses with third parties fell “outside the donors’ reasonable expectations”, that the donor’s name and address was sensitive information when combined with the information that they had donated to the respondent charity, that the information given to donors about the fact that their donation history and mailing address would be shared with third parties was “not sufficient to support meaningful consent”, that express opt-in consent was required to share such information and that the charity did not obtain meaningful consent for its disclosure of donor information to other not-for-profit organizations . The charity agreed to implement the OPC’s recommendation to seek opt-in, express, consent, “and later elected to exit the donor list sharing program.”

The Annual Report provides very useful information for charities and not-for-profits, which should be looking to PIPEDA as setting out privacy best practices, and learning from the examples of the breach investigations carried out by the OPC over the year.


Read the Sept 2023 Charity & NFP Law Update