Privacy Commish on Staples & eHarmony: Why Keep Investigations & Audit Results Under Wraps?

The Privacy Commissioner of Canada released her PIPEDA annual report yesterday with a clear emphasis on the Internet (Google Buzz & Wifi, Facebook, eHarmony, etc.). The headline-grabbing stories included an audit of Staples that found the company had frequently failed to wipe customer information from computers and other devices being resold in its stores, and an investigation of eHarmony, the online dating site, that led to changes in its customer data deletion practices.

While these are important privacy developments, the release of this information weeks or months after the investigation or audit was concluded points to a significant flaw in the current reporting approach. I recognize that this is how the system currently functions – the OPC reports to Parliament on audit findings and only occasionally reports publicly on PIPEDA investigations – yet there is something fundamentally flawed with a system that keeps consumers in the dark for months about privacy risks. This is particularly ironic given the OPC’s emphasis on data breaches and the need for the private sector to disclose breaches as quickly as possible. The same should be true for audits and investigations, so that the public can react to newly identified privacy risks.


  1. Apparently for Staples, this is the THIRD time. How many times does one have to be told of a problem? The law (PIPEDA) has no teeth.

  2. Mr. Nerdly says:

    Staples not at fault for their customers’ failures
    1. Customer buys electronic device featuring data storage medium from Staples.
    2. Customer puts their personal, private info on data storage medium.
    3. Customer returns the electronic device to Staples WITHOUT FIRST removing THEIR OWN personal, private information from the data storage medium THEMSELVES.
    4. Staples accepts the return, presumably determines it’s not actually defective, and puts it back on the shelf to be sold again.

    Never at any point in this process did the customer give Staples their private information for safe-keeping. Staples SHOULD NOT have any obligation here whatsoever to protect customer information (aside from any credit/debit/payment card details and any associated info related to the purchase), because their customers haven’t provided them with any. These customers whose info was found on devices on Staples’ shelves PUT THAT INFO ON DEVICES WHICH THEY OWNED! Then they failed to remove that info from the DEVICE WHICH THEY OWNED before they LET SOMEONE ELSE OWN THE DEVICE.


  3. While I agree with you that there are a lot of “morons” with purchasing power, I don’t agree that Staples could not do anything about it.

    Although strictly speaking they shouldn’t be “responsible” for morons, they can implement some measures to help mitigate their lack of actions. Even a simple checkbox question on the return form, that asks “have you removed all personal information from this device?” would go a long way towards being proactive. If the answer is “no” (or unknown), then Staples staff would know they may need to take further actions.

    If this is the 3rd time Staples has been cited, I am surprised they haven’t already implemented something like this.

  4. David Hitesman says:

    Lawyer (retired)
    Interesting paradox. We live in a digital world where information is transmitted and distributed almost instantly. Yet investigations and audits such as we have here drag on for months and months, and in other cases for years. It doesn’t have to be that way, but a lot of people justify their phony boloney jobs ensuring that it will continue.