OPC Loblaws Decision – Important Learnings for Businesses in Canada

A recurring concern I come across when working with businesses on privacy assessments is the collection of personal information above and beyond what the business actually needs. There is usually some legitimate interest in the data, but the organization just hasn’t given enough thought to getting specific about exactly what personal information it needs to provide its services, and whether consumers have alternatives to providing the data being requested.

The recent finding from the Office of the Privacy Commissioner of Canada (OPC) against Loblaws is a great example. The investigation resulted from complaints by Loblaws’ customers who objected to being asked to hand over sensitive personal data for a $25 gift card. Loblaws offered the cards to customers in 2018 in the aftermath of the bread price-fixing scandal. To collect their gift cards, customers had to fill in an online form providing details including their name and address. Ten percent of these customers were told in March 2018 that, in order to receive the gift card, they needed to mail or send electronically a copy of their driver’s licence or a utility bill to Loblaws. Loblaws took this step to weed out fraudulent claims.

Upon hearing from the OPC, Loblaws revised its communications to customers that same month to make it clear that the grocer was only seeking information that would confirm name and address. Loblaws also indicated on its website that customers could redact sensitive information – such as their photo or driver’s licence number – when they sent in ID. Thus, after its six-month investigation, the OPC considered this issue ‘resolved’ according to PIPEDA Report of Findings #2019-003.

The OPC also investigated Loblaws’ transfer of sensitive personal information outside of Canada for its gift card program. Loblaws’ privacy policy stated that personal information may be stored, accessed or used in a country outside of Canada, including in the U.S. and El Salvador, where privacy laws may differ. The OPC concluded that this complaint was not “well-founded,” because only limited information was shared with third parties and Loblaws was transparent about the process.

The OPC quoted from Loblaws’ privacy policy and sanctioned the language used as being sufficiently transparent about its cross-border transfers. Since the OPC added emphasis to the policy’s mention of consent, it looks like it would be a good idea for businesses to make specific reference to consent: “You hereby give your consent to such cross-border transfers (including El Salvador and to the United States) of such Personal Information for any of the purposes set out in Section 4…”. Burying deemed consent in a privacy policy artificially pays heed to the concept, but I can only hope that PIPEDA will be amended in the future (as is foreshadowed by Canada’s Digital Charter) to clarify when consent is needed and when it is not. Although the OPC recently re-confirmed its Guidelines for Processing Personal Data Across Borders, the Equifax decision resulted in a great deal of confusion regarding whether consent is needed for third-party processing. The concept of consent is buckling under pressure.

Regardless, such an endorsement of what would be considered adequate transparency is welcome after all the recent concerns about transborder data flows. The OPC also examined the contracts that were in place between Loblaws and its processors and specifically listed the types of clauses that lead to a finding that the accountability requirements in PIPEDA have been met. The list of protective measures accepted by the Commissioner is a useful guide when drafting third-party processing agreements. As stated in the decision:

“The contract also provided guarantees of confidentiality and security of personal information, and included a list of specific safeguard requirements, such as: (i) implementing measures to protect against compromise of its systems, networks and data files; (ii) encryption of personal information in transit and at rest; (iii) maintaining technical safeguards through patches, etc.; (iv) logging and alerts to monitor systems access; (v) limiting access to those who need it; (vi) training and supervision of employees to ensure compliance with security requirements; (vii) detailed incident response and notification requirements; (viii) Loblaw’s pre-approval of any third parties to whom JND wishes to share personal information, as well as a requirement for JND to ensure contractual protections that are at a minimum equivalent to those provided for by its contract with Loblaw; and (ix) to submit to oversight, monitoring, and audit by Loblaw of the security measures in place.”

Thus, since the OPC found the language used by Loblaws in its policy and contracts to be appropriate, this decision should provide some comfort to organizations.

Just as the Ashley Madison decision provided valuable advice and insights on safeguarding personal information, I consider the Loblaws decision to offer useful tips on transparency around transfers for processing. The OPC’s investigative reports become extremely valuable for businesses when they offer guidance and insight into how the regulator is interpreting PIPEDA with respect to issues faced by many Canadian organizations.

For assistance with your privacy policy, service provider agreements or other matters regarding PIPEDA compliance, contact PRIVATECH.