Investigations
Royal Canadian Mounted Police’s “Project Wide Awake”
Lead Directorate: Privacy Act Compliance Directorate
Background
- Following news articles published in late 2020, Member of Parliament Charlie Angus asked the OPC to investigate the Royal Canadian Mounted Police’s (RCMP) use of social media monitoring technology under “Project Wide Awake”. The OPC subsequently began an investigation into whether the RCMP’s use of social media and open source information collection software is consistent with the collection, use and personal information bank index provisions of the Privacy Act.
- [Redacted]
- [Redacted]
- [Redacted]
Current status
- [Redacted]
- [Redacted]
Strategic considerations
- [Redacted]
- [Redacted]
Next steps
- [Redacted]
Further reading
- The Tyee, ‘You Have Zero Privacy’ Says an Internal RCMP Presentation. Inside the Force’s Web Spying Program, November 16, 2020.
- The Tyee, RCMP Confirms It Bought a Tool that ‘Unlocks’ Hidden Facebook Friends, November 23, 2020.
COVID-19-Related Investigations
Lead Sector: Compliance Sector
Background
- (Privacy Act) Handling of Personal Information under the Emergencies Act: After receipt of a letter from Member of Paliament Michelle Rempel Garner, the OPC is engaging with [redacted] on how emergency measures under the Emergencies Act were implemented with respect to personal financial information and how that information collected will now be handled. The OPC is not investigating at this time. [Redacted]
- (Privacy Act) Mobility Data and the Public Health Agency of Canada (PHAC): The OPC is investigating six complaints received regarding the collection and use of cell phone data by PHAC and Health Canada, to assess the effectiveness of COVID-19 public health measures. [Redacted] The House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) released a report on this matter, which has also received media attention, in May 2022 (Collection and Use of Mobility Data by the Government of Canada and Related Issues).
- (Privacy Act) Collection of Vaccination status information for domestic and international travel: [Redacted]
- (Privacy Act) Collection of vaccination status and accommodation information for Government of Canada (GC) Employees: [Redacted]
- (PIPEDA) Biron Groupe Santé: Biron conducts COVID-19 testing at the Montréal-Pierre Elliot Trudeau International Airport, and was alleged to have sent marketing emails to arriving passengers, without their consent. Biron ultimately ceased this problematic practice, and the OPC considers the matter resolved. A joint announcement and case summary with the Commission d’Accès à l’Information du Québec (CAI) is planned to be released soon, highlighting that arriving passengers to Canada who are required to submit to a COVID-19 test would not reasonably expect to have their email addresses used to send unsolicited advertising emails.
- (PIPEDA) [Redacted]
- (PIPEDA) Breach of GiveSendGo (GSG): In February 2022, GSG suffered a breach, resulting in the exfiltration and dissemination of the personal information of tens of thousands of donors to the Canadian “Freedom Convoy”. The breached information appears to include names, e-mail addresses, zip or postal code, identity documents and donation amounts. This information was further disseminated by a variety of third parties. In March 2022, the OPC received [redacted] complaints related to the breach. The OPC has commenced an investigation into one complaint, from Member of Parliament James Bezan in relation to the breach itself, including mandatory breach reporting. The OPC has received media inquiries regarding these cases. [Redacted] See: CTV News, GiveSendGo tells court it is refunding convoy donations amid freezing order, March 9, 2022.
MindGeek
Lead Directorate: PIPEDA Compliance Directorate
Background
- PIPEDA Compliance is investigating the privacy practices of MindGeek, a Montreal-based company that is one of the largest operators of pornographic websites in the world.
- MindGeek owns several pornographic websites including Pornhub, one of the most popular websites worldwide by number of visits in 2021.
- An intimate video of the complainant [redacted] was uploaded to MindGeek websites, including Pornhub, without [redacted] knowledge or consent. [Redacted]
- [Redacted]
- [Redacted]
- [Redacted]
- [Redacted]
Current status
- [Redacted]
- [Redacted]
Strategic considerations
- Concerns about MindGeek’s consent practices first came to public attention through media coverage December 2020; See the New York Times’ The Children of Pornhub, December 4, 2020. Responses included:
- VISA and Mastercard announced they would no longer process payments on Pornhub, MindGeek’s flagship site, due to their ongoing investigations finding that Pornhub hosted illegal material; and
- The House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) conducted a study in June 2021 into the allegations raised in article (Ensuring the Protection of Privacy and Reputation on Platforms such as Pornhub).
- ETHI recommended that the Government of Canada consult with the OPC concerning the duty of content-holding platforms – such as MindGeek’s pornographic tube sites – to verify age and consent of all persons depicted in pornographic content, before it can be uploaded.
Next steps
- [Redacted]
Other Key Upcoming Investigations
Lead Sector: Compliance Sector
Background
- (Privacy Act) Commissioner-Initiated Investigation into GCKey and Canada Revenue Agency (CRA) My Account Breaches: The OPC is currently investigating GCKey and CRA MyAccount credential stuffing breaches that occurred in 2020 and exposed personal information to attackers.
- Credential stuffing involves the injection of stolen or captured username and password pairs (i.e. “credentials”) into login forms on websites, in order to fraudulently gain access to user accounts.
- GCKey is an authentication service provided by Shared Services Canada (SSC), which is used by more than 20 federal institutions to enable individuals and organizations to have online access to various services. [Redacted]
- [Redacted]
- (Privacy Act) [Redacted]
- (Privacy Act) [Redacted]
- (PIPEDA) [Redacted]
- Date modified: