CORRECT ANSWERS
"SWIFT" OPC-initiated Complaint v. SWIFT - Answer-OPC
PIPEDA applied: SWIFT had a "significant presence" in Canada; Vast majority of
international transfers of PI utilized the SWIFT network.
Orgs like SWIFT are allowed, via PIPEDA, to disclose w/out consent - legitimate laws of
other countries. 2006
"SWIFT" Individual Complaint v. 6 Canadian FIs - Answer-OPC
PIPEDA applied: SWIFT had a "significant presence" in Canada; Vast majority of
international transfers of PI utilized the SWIFT network.
SWIFT clearly disclosed their practices - consent.
TJX - Answer-OPC and IPC Alberta
US-based retail corp (FI and Identifiers crossborder)
PIPEDA and Alberta PIPA applied: Reasonable Safeguards were not met; Driver's
License collection was unreasonable; Storing of PI indefinitely is not compliant. 2006
Facebook 2008 - Students at University of Ontario (CIPPIC) - Answer-OPC
PIPEDA applied: FB provided PI to 3rd-party app developers without meaningful
consent and did not meet notice obligations
OPC issued a report in 2009 with recommendations for FB and its 3rd-party developers,
in re: knowledge and consent obligations.
OPC Facebook Report - Answer-OPC 2009
FB was not meeting the "knowledge and consent" obligations under PIPEDA.
OPC issued recommendations: Data collection must be limited to operational necessity;
Provide sufficient notice (re: collection and purpose); Meaningful consent necessary for
PI transfer
Facebook 2019 - Privacy Commissioners of Canada and Alberta Report - Answer-
thisisyourdigitallife investigation, post-Cambridge Analytica.
Privacy Commissioners revisited FB's "implementation" of 2009 recommendations and
made further recommendations for tydl violations: consent was neither valid nor
meaningful for FB users or users' friends, safeguards were inadequate, accountability
was shifted to the 3rd parties.
Nexopia - Answer-OPC (via various complaints)
re: social networking site for 13-18 yr. olds, default privacy settings, indefinite data
retention, etc.
PIPEDA applied: notice, consent, retention, reasonable expectation of use violations.
24 recommendations, including a delete request.
A disclosure of PI to the general public was not a reasonable expectation of use.
Non-users' PI cannot be retained without consent.
Meaningful, valid consent to collect PI must be obtained before registration.
Google 2010 - Answer-OPC
Google was collecting data from unsecured WiFi networks as Google cars recorded info
for Google Maps.
PIPEDA applied: Excessive data gathering was beyond the scope of purposeful. Google
failed to garner meaningful consent.
Google 2014 - Answer-OPC
Search App update required consent to gather additional PI that was beyond what was
necessary.
PIPEDA did not apply: Google was encouraged to give more meaningful messaging
Google 2013 - Answer-OPC and FTC
PIPEDA and Section 5 applied: Identified several shortcomings and policy compliance
failures. Google Ads were using sensitive info about online activities (through cookies)
to target with health-related ads. Privacy Policy said cookies would NOT be associated
with PHI.
Ganz - Answer-OPC
Web-enabled toys and website aimed at children 6-13
PIPEDA applied: provide clarity during registration; obtain parental consent;
communicate to children the need to involve parents; use age-appropriate language;
update the site's privacy policy (don't rest on the global)
Ganz ceased collection of PI during registration 2012
Apple - Answer-OPC
UDIDs were assigned to each device. Apple didn't consider the UDID "PI."
PIPEDA applied: UDID was PI (it could identify the user); disclosures of UDIDs with 3rd-
party app developers were "sensitive PI" disclosures
Apple replaced UDIDs with Ad IDs and included a reset/opt-out functionality 2013
Globe24hr.com OPC - Answer-OPC
Republished Canadian court decisions, charged a fee for removal, allowed it to be
indexed
PIPEDA applied: a reasonable person would not see this purpose as appropriate; OPC
recommended deletion from servers & removal from search engine caches 2013
AT v. Globe24hr.com Federal Court - Answer-PIPEDA applied: underlying purpose is
important (not journalistic, as claimed) this was generating revenue; purpose was not
"appropriate from the perspective of a reasonable person" - PIPEDA 5/3; indexing was
not directly related to the purpose connected to the original public share of the PI
Bell - Answer-OPC