Privacy Commissioner of Canada Rules on Loblaw Gift Card Program
Scope of Information Collected Offside
In late 2017, Loblaw publicly acknowledged its participation in a bread price-fixing scheme between 2001 and 2015 and announced that it would offer $25 gift cards to affected customers. To receive a gift card, customers needed to register online. In about 10% of cases, Loblaw asked for backup identification documentation showing the individual’s name and address, such as a utility bill or driver’s licence, to authenticate the individual. A complainant alleged Loblaw was collecting more personal information than was necessary to carry out the gift card program.
Loblaw maintained that the utility bill and driver’s licence information was meant to ensure the gift cards were issued only to identifiable, eligible individuals and to safeguard against fraud; once the information was verified, it was immediately destroyed. Loblaw later clarified in the media, on its website and in its form of request for backup documentation, that it was only seeking to confirm that an individual resided at the address provided on the registration form and that other sensitive information (such as a driver’s licence number) could be redacted from the backup documentation.
The Commissioner determined that, while the request by Loblaw for documentation confirming name and address would, in certain identified circumstances, have been necessary to ensure that only eligible individuals received a gift card and to prevent fraudulent requests for multiple cards, Loblaw was collecting, at least initially, more information than necessary to fulfil these purposes by asking for full copies of the identification, when it only needed proof of name and address. As Loblaw had already taken steps to clarify the scope of its collection of identification, the Commissioner determined that, although Loblaw’s actions contravened the applicable privacy legislation, the matter had already been resolved by Loblaw.
1. Scope & Interpretation
… The Loblaw Card Program is administered by JND Legal Administration (the “Program Administrator”) on behalf of Loblaw. Blackhawk Network (Canada) Ltd. (“Blackhawk”) will be fulfilling and distributing the cards as well as tracking their activation and use on behalf of Loblaw, and Peoples Trust Company (“Peoples”) will act as the card issuer on behalf of Loblaw”…
4. How Your Personal Information Will Be Used and Shared
Your Personal Information will be used to verify your eligibility to receive a $25 Loblaw Card, communicate with you, fulfill and distribute cards, process card transactions, verify your identity, provide customer service, process claims for lost or stolen cards, reduce the risk of fraud, track and prove card activation and use, and for any other purpose authorized or permitted by law. The Personal Information submitted by you may be shared amongst Loblaw, the Program Administrator, Blackhawk and Peoples for the purposes referred to above… [Emphasis added.]
5. Retention and Cross-border Transfer
Personal Information may be stored, accessed, or used in a country outside of Canada by Loblaw, the Program Administrator, Blackhawk and/or Peoples, or by service providers engaged by any of them, for any of the purposes identified in Section 4 above including the United States and El Salvador. Where Personal Information is located outside of Canada, it is subject to the laws of that jurisdiction which may differ from those in your jurisdiction and any Personal Information transferred to another jurisdiction will be subject to law enforcement and national security authorities in that jurisdiction. Subject to these laws, Loblaw, the Program Administrator, Blackhawk and Peoples will use reasonable measures to maintain protections of your Personal Information that are equivalent to those that apply in Canada. You herebygive your consent to such cross-border transfers (including to El Salvador and to the United States) of such Personal Information for any of the purposes set out in Section 4, above. [Emphasis added.]
The Commissioner also examined the contracts between Loblaw and two of its third party service providers, noting the safeguards in place:
The contract also provided guarantees of confidentiality and security of personal information, and included a list of specific safeguard requirements, such as: (i) implementing measures to protect against compromise of its systems, networks and data files; (ii) encryption of personal information in transit and at rest; (iii) maintaining technical safeguards through patches, etc.; (iv) logging and alerts to monitor systems access; (v) limiting access to those who need it; (vi) training and supervision of employees to ensure compliance with security requirements; (vii) detailed incident response and notification requirements; (viii) Loblaw’s pre-approval of any third parties to whom JND wishes to share personal information, as well as a requirement for JND to ensure contractual protections that are at a minimum equivalent to those provided for by its contract with Loblaw; and (ix) to submit to oversight, monitoring, and audit by Loblaw of the security measures in place.
Loblaw confirmed that its contract with another third party provider included similar safeguards to those required under its contracts described above. These, in turn, included a requirement for the provider to ensure contractual protections that are at a minimum equivalent to those provided for by its own contract with Loblaw when sub-contracting.
There are several takeaways from the Commissioner’s finding:
- During a complaint investigation, the Commissioner will look at the underlying agreements with respect to the protection of personal information.
- The list of protective measures accepted by the Commissioner is a useful guide when drafting third party processing agreements. The Commissioner appeared to approve of there being “detailed contractual requirements”.
- Unlike in the Equifax finding earlier this year, discussed in our April 15, 2019 Update, Privacy Commissioner Reverses its Position on Cross-Border Transfers of Personal Information, the transfer of personal information to a third party, even to a party located outside Canada, does not require consent: only reasonable and adequate notice is required. This is consistent with the Commissioner’s 2009 Guidelines for processing personal data across borders, which it recently reconfirmed as discussed in our September 24, 2019 Update, Privacy Commissioner Retains Original Policy on Cross-Border Transfers of Personal Information.
Force Majeure and COVID-19 – Appeal Decision in Niagara Falls Shopping Centre Inc. v. LAF Canada CompanyAlthough it has been three years since the COVID-19 pandemic hit Canada with full force in March 2020, the courts continue to address the fallout. In November 2022, we published a case update about a…
2023 Annual Reporting and Proxy Season – Key Areas of FocusReporting issuers in Canada are subject to governance standards and continuous disclosure obligations under securities laws and stock exchange rules.From time to time, securities regulators, including…
Climate Change Suits Against the Government: The Limits of Court ActionIn recent years, governments in Canada have been sued in various ways in respect of climate change. Invariably, the government will seek to have the claim dismissed because it is not “justiciable…
Force Majeure and COVID-19 – Porter Airlines v. Nieuport Aviation Trial DecisionThe COVID-19 pandemic presented businesses with unprecedented challenges. It was inevitable that litigation would follow, and that the courts would be required to interpret familiar contract terms in…
Privacy and Data Protection
B.C. Court Rules Facebook Liable for Privacy Violations in Class ActionAnother chapter in the now decade-long saga of Douez v. Facebook was penned earlier this month as a British Columbia Court found Facebook liable for providing advertisers access to users…
Neutral Diversity in OntarioArbitrators and mediators (“Neutrals”) hired in Ontario do not generally reflect the gender or racial diversity of the demographics of the province or the legal profession. Through this report the…
Construction and Infrastructure
HB Construction Co. v. Potash Corp. of Saskatchewan Inc. et alGoodmans LLP acted for HB Construction Co. in respect of the construction of a mine in New Brunswick. The litigation relates to a claim in respect of the installation of mechanical and electrical…
Mergers and Acquisitions
McCain Capital Partners Acquisition of Forest City Fire ProtectionGoodmans LLP acted for McCain Capital Partners in connection with its acquisition of Forest City Fire Protection. Forest City Fire Protection will now unite with Classic Fire Protection (another…
Cirque du Soleil RestructuringGoodmans LLP acted for the Ad Hoc Committee of Lenders of Cirque du Soleil Entertainment Group in connection with the successful closing of a sale transaction and its emergence from creditor…
Mergers and Acquisitions
Harvest One Completes Acquisition of DelviraGoodmans LLP represented Delivra Corp. in connection with its arrangement transaction with Harvest One Cannabis Inc., pursuant to which Harvest One acquired all of the issued and outstanding shares of…
Mergers and Acquisitions
Newmont and Goldcorp Combine to Create World's Leading Gold CompanyGoodmans LLP acted for Newmont Mining Corporation (NYSE: NEM) (Newmont or the Company) in connection with its agreement to acquire all of the outstanding common shares of Goldcorp Inc. (NYSE: GG, TSX…
Algoma Steel Completes Restructuring Transaction and Emerges from CCAA ProtectionAlgoma sought and obtained CCAA protection on November 9, 2015 and carried out a sale and investment solicitation process to identify sale and/or investment opportunities in respect of its business…
News & Events
- 01:00 PM Corporate Governance and Stakeholder Litigation
Goodmans ePresents: The Future of Corporate Governance in Canada: Practical InsightsIf you are on a board of directors, or advise one, please join us for a practical discussion on meeting new and evolving governance challenges in Canada.On April 18th, we will welcome Rahul Bhardwaj…
Banking and Financial Services
The Canadian Legal Lexpert Directory 2023 Continues to Recognize GoodmansWe are proud to announce we have once again been recognized in The Canadian Legal Lexpert Directory 2023.85 Goodmans lawyers have been recognized as top-tier in their fields and leaders across…
Goodmans Partners Recognized in the Lexpert Special Edition: Litigation 2022We are delighted to announce the Lexpert Special Edition: Litigation 2022 once again features Goodmans partners among Canada's experts in litigation.Congratulations to our 13 featured partners:Andrew…