Posted By: Kris Klein, October 21, 2019. Category: PIPEDA

Loblaw’s errors are overblown

The Office of the Privacy Commissioner of Canada (OPC) released its Report of Findings into the Loblaw gift card matter this week. This case was first reported in the news several months ago when people complained that they had to provide a fair amount of personal information in order to authenticate themselves if they wanted to receive a compensatory gift card as part of the bread price-fixing fiasco. So, suffice it to say they were an already-irritated bunch.

It turns out that, after all the hoopla, Loblaw didn’t really do too much wrong in this case. I cannot say I am surprised. In a few instances, they did ask people to provide their driver’s license as part of the authentication process and failed to adequately inform them that they could redact all the information on the license except for the name and address. As they got better with their communications (isn’t it almost always about better communications?), people were informed of other ways they could prove they lived where they claimed to be living.

So, the news amounts to an over-collection of information – namely the driver’s license number – but for me, there are other nuggets in the OPC’s Report that are worth focusing on.

First, the OPC quotes from the Loblaw’s privacy statements and endorses the language used to explain how the personal information was being processed in other countries. It’s one of the first instances that I can think of where the OPC has provided an example of language for these messages that it considers adequate. I’m particularly glad with this because if the OPC reports more often in this manner, we’ll be able to learn what language meets requirements and what language fails to meet the test.

Similarly, the OPC examined the contracts that were in place between Loblaw and its processors. While the specific contractual language is not repeated, the OPC does provide a shopping list of clauses that were contained in the contracts. Paragraph 41 of the Report says:

The contract also provided guarantees of confidentiality and security of personal information, and included a list of specific safeguard requirements, such as: (i) implementing measures to protect against compromise of its systems, networks and data files; (ii) encryption of personal information in transit and at rest; (iii) maintaining technical safeguards through patches, etc.; (iv) logging and alerts to monitor systems access; (v) limiting access to those who need it; (vi) training and supervision of employees to ensure compliance with security requirements; (vii) detailed incident response and notification requirements; (viii) Loblaw’s pre-approval of any third parties to whom JND wishes to share personal information, as well as a requirement for JND to ensure contractual protections that are at a minimum equivalent to those provided for by its contract with Loblaw; and (ix) to submit to oversight, monitoring, and audit by Loblaw of the security measures in place.

Moreover, the OPC endorses these clauses as having met the accountability requirements in PIPEDA. The European DPAs have long provided input on what specifically needs to be in a contract and it’s good to see the OPC providing an example in this case.

I guess, in a perfect world, they might even go a step further and provide a precedent contract for us privacy pros to use when negotiating with our processors. But, regardless, this is definitely a step in the right direction and I hope for more of this type of guidance in future Reports of Findings. On that note, I can’t help but notice that the Loblaw case summary is numbered 2019-003. If that means we have only had 3 reported cases this entire year, I’m disappointed because, in my mind, they can be a really excellent way of getting meaningful guidance out there.
