Office of the Privacy Commissioner of Canada discusses its investigation against Compu-Finder

Dentons
Contact

The Office of the Privacy Commissioner of Canada (OPC) recently hosted a knowledge session to stakeholders to discuss its recent investigation against Compu-Finder. This was the first investigation by the OPC involving the address harvesting provisions under the Personal Information and Electronic Documents Act (PIPEDA). See our post summarizing the findings and the OPC’s full report here.

While the OPC could not disclose details of its investigation, the OPC provided attendees with information about its interpretation of its investigative powers, its approach to the investigation and tips for organizations.

The Investigation

Unlike its complaint-driven investigations, this investigation was an intelligence-driven case under the address harvesting provisions that were added to PIPEDA by Canada’s Anti-Spam Legislation (CASL). After significant intelligence gathering to meet its reasonable grounds burden, a Commissioner-initiated investigation was commenced allowing the OPC to collect further intelligence from Compu-Finder, affected individuals and third parties, including by affidavits. The OPC highlighted it applied a cross-functional investigation, using numerous departments and tools, including extensive use of the OPC technology LAB.

It is important to note that unlike the Canadian Radio-television and Telecommunications Commission (CRTC), which is the regulator with main responsibility for enforcement of CASL, the OPC must have reasonable grounds to start an investigation that has not been filed by an individual. The CRTC does not have to discharge that burden before commencing an investigation.

Key Takeaways

“The truth is in your records”. The OPC stressed the importance of record keeping. This has become a consistent theme regarding PIPEDA and CASL. (See our post on the CRTC’s guidance here.) The OPC highlighted that record-keeping was a fundamental issue in its investigation. Organizations must be able to meet their due diligence obligations and prove they have consent for the personal information they collect and use, and for every e-mail they send under CASL. The OPC found that Compu-Finder’s records were inadequate or in some cases may have contradicted their position.

Other lessons offered were:

  • Exercise care when crafting responses to the OPC during investigation
  • An established privacy compliance program can greatly assist you in demonstrating accountability
  • Part of due diligence involves following up, double checking and auditing your policies and procedures

Stakeholders undoubtedly appreciated the OPC’s proactive gesture in providing this opportunity to learn more.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:

Dentons
Contact
more
less

Dentons on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.