In today’s digital and AI-dependent world, privacy breaches are becoming more common. Some of these breach of privacy examples includes social media accounts getting hacked and personal data being leaked, which many of us have experienced or heard of. This article discusses some of the real-life breaches of privacy examples and what Canadian law says about them.
What is a breach of privacy in Canada?
A breach of privacy happens when personal information, handled by one entity, is accessed, collected, used, retained, or disclosed by another. Under the law, these acts must be done improperly or without authority to be considered as a breach.
One of the most recent examples of breach of privacy in Canada was the cybersecurity incident of Suncor Energy in 2023. In an undisclosed number, Petro-Points members’ basic information was accessed by hackers, including their mailing and email addresses, phone numbers, and dates of birth.
Here’s another example of a breach of privacy in Canada:
If you want to strengthen your business’ protection against privacy breaches, you can consult a Lexpert-ranked best data privacy lawyer in Canada. This directory can be filtered per province and city for a more thorough search.
Read more: Privacy breach lawyers: who they are and what they do
Canadian laws on privacy breaches
Whether the handling organization is a government body or a private one, Canada has many data privacy laws that protect an individual’s personal information from privacy breaches. These laws include:
- Privacy Act: regulates how federal government institutions collect, use, and disclose information about individuals
- Access to Information Act (AIA): establishes an individual’s right of access to information that are handled by federal government institutions
- Personal Information Protection and Electronic Documents Act (PIPEDA): governs the collection, use, and disclosure of personal information by private sector organizations
- Canada's anti-spam legislation (CASL): controls, among others, the conduct of businesses of commercially sending electronic messages by requiring prior consent from its receivers
What are some of the breach of privacy examples in Canada?
David Canton, a lawyer and trademark agent at Harrison Pensa LLP, gives some examples of how privacy breaches can happen in a number of ways.
“Hackers breaking into systems and stealing information or holding it for ransom is the first thing most people think of," he says. "That can happen because of weak security, stolen log-in credentials, simple or re-used passwords, or social engineering.”
Other examples, he adds, include mundane things like:
- faxes sent to the wrong number, or
- emails sent to the wrong person when the sender doesn’t pay attention to auto-filled email addresses
“The Office of the Privacy Commissioner of Canada (OPC) says half of unauthorized disclosure situations for health information are caused by misdirected faxes.”
Other breach of privacy examples
Federal government agencies, such as the OPC, provide other breach of privacy examples, such as:
- lost records: when hard or soft copies of files and documents, including equipment, are lost and obtained by another who are not authorized to do so
- unintended disclosure: for instance, when an email that contains sensitive information was sent to a non-intended recipient
- cyberattacks: includes hacking and snooping, which are deliberate acts of illegally accessing personal information held by another
What are some of the important cases on breaches of privacy in Canada?
Canton lists some recent and noteworthy cases as breach of privacy examples.
York Region District School Board v. Elementary Teachers’ Federation of Ontario, 2024 SCC 22
First in his list is the Supreme Court of Canada decision of York Region District School Board v. Elementary Teachers’ Federation of Ontario, 2024 SCC 22.
“[This case] decided that public school board teachers are protected from unreasonable search and seizure in the workplace. It relates to searches done by the principal on documents on a teacher’s computer and discussed the 'reasonable expectation of privacy' in this context.”
R. v. Bykovets, 2024 SCC 6
The next important case Canton highlighted is the Supreme Court of Canada decision of R. v. Bykovets, 2024 SCC 6, which decided that IP addresses are personal information.
“Many years ago, the Supreme Court decided that the name, address, and contact information of a subscriber associated with an IP address was personal information. This decision extended that to the IP address itself,” he says.
Brinks Home investigation
Lastly, Canton featured the OPC’s findings in the Brinks Home investigation. According to him, the PIPEDA requires entities that have suffered a privacy breach to notify:
- those whose personal information has been breached
- the Privacy Commissioner if the breach is a “Real Risk of Significant Harm” (RROSH)
“The RROSH test is spelled out in the legislation and guidance from the Commissioner," he says. "A Privacy Commissioner decision involving Brinks was helpful in that it applied the facts of the case to the RROSH test."
This complaint came about when a Brinks customer noticed that the personal information of several other customers was available after logging into his Brinks Home portal. It was only after his second notification to Brinks that it acted on the possible breach of privacy.
The OPC held that while “the personal information involved could be considered sensitive, the probability of its misuse in the specific circumstances of this incident was low.” As such, the incident did not pose a RROSH, and Brinks was not required to report it to OPC, as required under PIPEDA’s breach reporting and notification requirements.
How can a Canadian data privacy lawyer help in case of a breach of privacy?
“A privacy lawyer can advise entities on how to operate within privacy laws and have appropriate safeguards in place,” Canton says. “That reduces the risk of a breach in the first place, and if there is a breach, shows that the entity did its best to comply with the law and prevent the breach.”
If there is a breach, he adds, a privacy lawyer can assist:
- in determining whether breach notices are required or prudent
- with interactions in general with customers, other involved parties, and the Privacy Commissioner
Looking for law firms to help you understand more about these breach of privacy examples? You can use our directory of the best Canadian law firms for data privacy as ranked by Lexpert.