Privacy Update
By Esther Shainblum and Martin U. Wissmath Jan 2025 Charity & NFP Law Update
Published on January 30, 2025
1.1. Privacy Breaches at the CRA Highlight Need for Modernized Safeguards and Accountability

The Privacy Commissioner of Canada, Philippe Dufresne, appeared before the Standing Committee on Access to Information, Privacy and Ethics on December 5, 2024, to address privacy breaches at the Canada Revenue Agency (CRA). These incidents, including over 31,000 breaches reported between 2020 and 2023, underscore critical vulnerabilities in safeguarding personal data within federal institutions. In the opening statement published on the Office of the Privacy Commissioner (OPC) of Canada’s website, Dufresne detailed the findings of a February 2024 Special Report to Parliament, which investigated a 2020 credential-stuffing attack affecting the CRA and Employment and Social Development Canada. Subsequently, additional breaches linked to Canada Emergency Response Benefit (CERB) fraud were identified, impacting up to 15,000 individuals.

A credential-stuffing attack involves cybercriminals using stolen username-password combinations, often obtained from data breaches at other sites, to gain unauthorized access to accounts. These attacks exploit the common practice of reusing passwords across multiple sites and can compromise sensitive information at scale, because each leaked pair is typically tried only once or twice against many different accounts rather than many times against one.

The CRA’s retrospective reports revealed a broader pattern of unauthorized data use, necessitating significant reform in breach notification and incident response protocols, according to the privacy commissioner. Key recommendations from the OPC include enhanced breach response frameworks, timely reporting obligations, and comprehensive support for affected individuals. While the CRA has taken steps toward compliance, Dufresne emphasized the necessity of embedding privacy safeguards within government programs and modernizing Canada’s outdated Privacy Act to reflect contemporary digital challenges. 
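The credential-stuffing pattern described above has a recognizable signature in authentication logs: one source tries many distinct usernames, each only once or twice, and a small fraction of those attempts succeed. The following Python sketch is an added illustration, not code from the OPC report, the CRA, or the authors of this update. It runs over a few constructed log lines in an assumed format (timestamp, source IP, username, result), flags sources whose traffic fits that signature, and lists the accounts that logged in successfully from a flagged source, which are the accounts a breach-response process would need to reset and notify. The thresholds, IP addresses and usernames are assumptions chosen for the example.

```python
"""Credential-stuffing detection over constructed login records.

Added example for illustration only. The log format, thresholds, addresses
and usernames below are assumptions, not data from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 sprays one attempt per account (credential stuffing, two hits).
# 198.51.100.20 is a legitimate user mistyping a password twice.
# 192.0.2.9 hammers a single account (brute force, a different pattern).
SAMPLE_LOG = """\
2020-08-01T10:00:01 203.0.113.7 alice FAIL
2020-08-01T10:00:02 203.0.113.7 bob FAIL
2020-08-01T10:00:02 203.0.113.7 carol OK
2020-08-01T10:00:03 203.0.113.7 dave FAIL
2020-08-01T10:00:03 203.0.113.7 erin FAIL
2020-08-01T10:00:04 203.0.113.7 frank FAIL
2020-08-01T10:00:04 203.0.113.7 grace OK
2020-08-01T10:00:05 203.0.113.7 heidi FAIL
2020-08-01T10:00:05 203.0.113.7 ivan FAIL
2020-08-01T10:00:06 203.0.113.7 judy FAIL
2020-08-01T10:00:06 203.0.113.7 mallory FAIL
2020-08-01T10:00:07 203.0.113.7 oscar FAIL
2020-08-01T10:05:00 198.51.100.20 alice FAIL
2020-08-01T10:05:30 198.51.100.20 alice FAIL
2020-08-01T10:06:00 198.51.100.20 alice OK
2020-08-01T10:10:00 192.0.2.9 bob FAIL
2020-08-01T10:10:01 192.0.2.9 bob FAIL
2020-08-01T10:10:02 192.0.2.9 bob FAIL
2020-08-01T10:10:03 192.0.2.9 bob FAIL
2020-08-01T10:10:04 192.0.2.9 bob FAIL
2020-08-01T10:10:05 192.0.2.9 bob FAIL
2020-08-01T10:10:06 192.0.2.9 bob FAIL
2020-08-01T10:10:07 192.0.2.9 bob FAIL
2020-08-01T10:10:08 192.0.2.9 bob FAIL
2020-08-01T10:10:09 192.0.2.9 bob FAIL
"""

# Assumed tuning values; a real deployment calibrates these to its own volume.
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_USERS = 8     # many different accounts from one source ...
MAX_ATTEMPTS_PER_USER = 2  # ... each tried only once or twice


@dataclass
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    src_ip: str
    window_start: datetime
    window_end: datetime
    distinct_users: int
    attempts: int
    compromised_users: list  # accounts that logged in OK from this source


def parse_log(text):
    """Parse the assumed four-field log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                               max_per_user=MAX_ATTEMPTS_PER_USER):
    """Return one Finding per source IP whose traffic, in some sliding window,
    spreads across many accounts with few attempts per account."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):
            # Slide the window so it covers [e.ts - window, e.ts].
            while evs[start].ts < e.ts - window:
                start += 1
            win = evs[start:end + 1]
            per_user = defaultdict(int)
            for w in win:
                per_user[w.user] += 1
            # Brute force (one user, many tries) fails both tests below.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                compromised = sorted({w.user for w in win if w.ok})
                prev = findings.get(ip)
                if prev is None or len(win) > prev.attempts:  # keep the widest window
                    findings[ip] = Finding(ip, win[0].ts, e.ts, len(per_user),
                                           len(win), compromised)
    return list(findings.values())


def accounts_needing_reset(findings):
    """Union of accounts that authenticated successfully from a flagged source:
    the population a breach-response process must reset and notify."""
    return sorted({u for f in findings for u in f.compromised_users})


if __name__ == "__main__":
    for f in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{f.src_ip}: {f.distinct_users} accounts in {f.attempts} attempts, "
              f"successful logins for {f.compromised_users}")
```

The point of the two thresholds is that they separate stuffing from ordinary brute force and from a user who mistypes a password: the single-account attacker at 192.0.2.9 and the legitimate user at 198.51.100.20 both fail the distinct-user test, while the sprayer at 203.0.113.7 is flagged together with the two accounts it actually got into.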
Amid escalating cyber threats, Dufresne called for permanent funding to address systemic risks and reaffirmed the OPC’s commitment to advancing privacy protections across federal institutions. Charities and not-for-profits, often entrusted with sensitive donor and beneficiary data, can draw valuable lessons from the privacy commissioner’s emphasis on robust safeguards and accountability, which highlights the need for vigilance and transparency in their own data protection practices.

1.2. B.C. Court Upholds Privacy Order Against U.S. Company’s Facial Recognition Software

Clearview AI Inc. v. Information and Privacy Commissioner for British Columbia is a case in which the Supreme Court of British Columbia dismissed a petition for judicial review by Clearview AI Inc. (“Clearview”), a U.S.-based company that provides facial recognition services. The court, in its December 18, 2024 judgment, upheld a decision by the B.C. Office of the Information and Privacy Commissioner, which found that Clearview was in violation of B.C.’s Personal Information Protection Act (PIPA). Clearview operates a facial recognition search engine that collects images of faces from the internet. The company provides its services to third parties, including law enforcement. A joint investigation was launched by the privacy commissioners of British Columbia, Alberta, Quebec, and the federal privacy commissioner, which determined that Clearview was collecting personal information without consent and for improper purposes under privacy laws. In a December 2021 order, the B.C. Information and Privacy Commissioner (the “Commissioner”) ordered Clearview to stop offering its services in British Columbia, make best efforts to stop collecting “(i) images and (ii) biometric facial arrays” from individuals without their consent, and delete the data already collected. Clearview then sought judicial review of the Commissioner’s decision. 
In its review, the court addressed three issues: whether PIPA applied to Clearview, whether the Commissioner erred in interpreting “publicly available” information or “reasonable purpose” under PIPA, and whether the Commissioner’s order was unnecessary, unenforceable, or overbroad. The court applied a correctness standard of review to the jurisdictional question of whether PIPA applied to Clearview, and a reasonableness standard to the Commissioner’s statutory interpretations and the order. For the first issue, the court found that PIPA applied to Clearview, as the company’s activities had a “real and substantial connection” to British Columbia, given that the database included images of individuals in the province. The court held that the Commissioner reasonably interpreted the definition of “publicly available” information in the PIPA Regulations. The court agreed that social media content, unlike the listed examples of directories, registries, and publications, is dynamic and users maintain a level of control over their privacy settings. The Commissioner’s finding that Clearview’s use of publicly available images for biometric purposes did not constitute a reasonable purpose under PIPA was also upheld. Further, the court ruled that the order was necessary and enforceable, highlighting that Clearview had the technical means to comply, and the “best efforts” standard allowed for flexibility. Finally, the court held that the order was not overbroad, as PIPA protects the personal information of individuals within the province, not just residents. The court dismissed Clearview’s petition, upholding the Commissioner’s decision. The judgment affirms that provincial privacy laws apply to organizations that collect personal information from the internet, even when those organizations are located outside of the province. 
The decision emphasizes the need to obtain consent for the collection and use of personal information and the importance of protecting individual privacy. The court also found that it is not enough for a company to rely on the public availability of information, particularly given the harms that may result from mass collection and use of such data. This decision underscores the importance of compliance with Canadian privacy laws, which apply even to organizations based outside Canada. For charities and not-for-profits in Ontario and across the country, the ruling serves as a reminder to prioritize transparency and consent when handling personal data. Organizations should review their practices to ensure alignment with evolving privacy standards and mitigate the risks of non-compliance.