1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Office of the Privacy Commissioner announces first investigation under the address harvesting provisions

Today, the Office of the Privacy Commissioner (OPC) announced its report of findings against Compu-Finder, a Quebec-based company that offers face-to-face professional training courses.

The OPC alleges Compu-Finder used address harvesting programs to search and collect e-mails on the internet. This marks the first investigation by the OPC involving its address harvesting provisions under the Personal Information and Electronic Documents Act (PIPEDA). The OPC concluded that Compu-Finder did use e-mail addresses of individuals to send e-mails promoting its business activities, without the consent of the individuals concerned. Compu-Finder was unable to demonstrate it had the appropriate consent for the collection and use for many of the e-mail addresses. Further, the OPC found Compu-Finder lacked basic privacy knowledge of its obligations and failed in demonstrating accountability and openness of its privacy practices.

This investigation also debuts the OPC’s compliance agreement power since the tool was added by the Digital Privacy Act on June 18, 2015. The compliance agreement between the Privacy Commissioner of Canada and Compu-Finder lists over ten remedial measures imposed on Compu-Finder. Some of the following measures that Compu-Finder has agreed to implement, include:

  • collect and use only e-mail addresses with proper consent;
  • destroy all e-mail addresses in its possessions which were collected without obtaining consent;
  • refrain from collecting any electronic addresses of individuals through the use of a harvesting computer program;
  • develop and implement a privacy program; and
  • obtain a third-party audit of its privacy program.

Compu-Finder is also under investigation by the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC issued a Notice of Violation against Compu-Finder pursuant to Canada’s Anti-Spam Legislation (CASL) on March 5, 2016.  The OPC acknowledged the CRTC shared investigative information with the OPC pursuant to CASL and a Memorandum of Understanding between the two agencies.

The CRTC’s proceedings against Compu-Finder are still on going.

You can read the full report of findings and compliance agreement online  here.

Office of the Privacy Commissioner announces first investigation under the address harvesting provisions

Supreme Court rules technical statutory violations do not establish standing without actual injury

In a decision that will impact a consumer’s standing to bring a claim under a number of federal statutes that allow for significant statutory penalties, such as the Video Privacy Protection Act, the Stored Communications Act, and others, the Supreme Court held in Spokeo v. Robins, 578 U.S. ___, 2016 WL 2842447 (May 16, 2016), that “Article III standing requires a concrete injury even in the context of a statutory violation.”  Accordingly, the Court found that the plaintiff “could not, for example, allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.”

The plaintiff had alleged that Spokeo, a “people search engine,” had violated the Fair Credit Reporting Act (“FCRA”) by including false facts about him in its search results, and brought a putative class action in the Central District of California.  The district court found that Robins had not pled an injury-in-fact as required by Article III.  The Court of Appeals for the Ninth Circuit disagreed, finding that the “violation of a statutory right is usually sufficient injury in fact to confer standing.”

But the Supreme Court reversed, finding that the Ninth Circuit “elided” the “concreteness” requirement of injury in fact, which requires analysis of the nature of the violation – not the bald assertion that a violation occurred. The Court explained that  “[a] ‘concrete’ injury must be ‘de facto’; that is, it must actually exist. . . . When we have used the adjective ‘concrete,’ we have meant to convey the usual meaning of the term—‘real,’ and not ‘abstract.’” The Court emphasized that a plaintiff does not “automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right” and that a plaintiff “cannot satisfy the demands of Article III by alleging a bare procedural violation.”

The Supreme Court then remanded for determination of whether the falsities alleged in the case “entail a degree of risk” of harm “sufficient to meet the concreteness requirement.”  In dicta, the Court noted that dissemination of certain false information, like an incorrect zip code, for example, would clearly not satisfy the test for a concrete injury.

The decision will be particularly impactful to class actions brought under statutes like the FCRA, as it will make class certification difficult in the absence of uniform violations that would clearly create harm.

Supreme Court rules technical statutory violations do not establish standing without actual injury


The General Data Protection Regulation (GDPR) has been approved by the European Parliament today. The Parliament did not make any amendments or proposals to the European Council’s final text which was published last week.

A very happy Jan Philipp Albrecht declared this vote as a “huge step forward” for the fundamental rights of individuals in the new digital economy.

So what’s next: There is one final (small) hurdle of administration before the GDPR is in effect. The text of the GDPR needs to be published in the Official Journal and will then take effect twenty days from this publication. The two year “transition” period will then be triggered, which means that the new law will enter into force around mid 2018.

The final text can be found here.


Why less means more for PPPs & data – Keys to collecting the right information in Canada

PPP projects have the potential to generate huge amounts of data. In the context of a tolled highway project, for instance, a PPP contract may require the private operator to collect, in real time, information regarding weather and traffic conditions, toll collections, vehicle types, license plate information, and power usage, to name but a few. Depending on the PPP contract, some or all of this information will end up in one or more reports that the private operator will be required to deliver to the public authority periodically.

The effect, if any, of this information on the PPP contract entered into between the public authority and the private operator will vary between projects and jurisdictions.

Some of this information will have a direct and relatively straightforward impact on the obligations of the public authority and private operator. For instance, in circumstances where demand risk is allocated to the private sector, payments to the private operator can be linked with the number of project users. A private operator can also be placed in default where reports are not delivered on time or do not contain required information and/or analysis.

In this article, Dentons’ Lampros Stougiannos and Maria Kourelis address certain issues surrounding data within PPP contracts. They will examine this from the perspective of the public authority involved in the procurement of a PPP project which must, prior to tendering a project, consider the type of information that is required to be collected and the effect this information will have on the project being procured.

Read the complete article Why less means more for PPPs & data, as originally printed in Handshake, with permission from the World Bank Group.

Why less means more for PPPs & data – Keys to collecting the right information in Canada

The Connected Retail Store

In the battle for consumer engagement, brick-and-mortar retailers and shopping centres are investing in new technologies to gather data on their customers and offer new shopping centre experiences. According to the Toronto Star, retailers are finding that millennials have a different approach to luxury than previous generations. No surprise – it is a more social and experiential understanding of luxury. Retailers are not stopping with social listening. Recent articles in the National Post and on the CBC describes technologies, such as those offered by Eyeris, that retailers can use to analyze and track emotions and engagement levels using in-store cameras. Another technology, offered by Stefanka, allows for 3D body scans to assist salespersons to find apparel that will fit the customer’s body.

Dentons, with special guests from Deloitte, will be tackling the legal issues pertinent to a successful Connected Retail Store in a half-day program to be held in Toronto on April 14, 2016. Dentons and Deloitte will address:

  • Omnichannel marketing issues and trends
  • Bringing eyeballs to the screens and feet to the stores
  • Privacy issues in tracking shoppers in stores
  • Negotiating percentage rent when dealing with online sales
  • Supply chain challenges and cross-border fulfillment

Learn more at http://www.dentons.com/en/whats-different-about-dentons/connecting-you-to-talented-lawyers-around-the-globe/events/2016/april/14/the-connected-retail-store

The Connected Retail Store