Privacy Commissioner of Canada’s Latest Findings Shed Light on the Requirements for Anonymizing Retained Data
Overview
The Personal Information Protection and Electronic Documents Act (“PIPEDA”) allows organizations to retain data that is no longer required to fulfill its purpose – but in doing so, the data must be properly anonymized. The question then arises: what does anonymizing mean for the purpose of PIPEDA’s data retention principle?
The Office of the Privacy Commissioner of Canada (“OPC”) recently dealt with this issue in its findings following an investigation into the Loblaw Companies Ltd. (“Loblaw”) data retention practices. In particular, the OPC investigated Loblaw’s treatment of data retained from deleted accounts relating to the PC Optimum Loyalty Program (“PC Optimum Program”). The OPC found that Loblaw failed to sufficiently anonymize the retained data and mitigate the risk of re-identification of former members. Accordingly, the OPC concluded that Loblaw had retained personal information longer than needed. In response, Loblaw agreed to have a third-party assessment conducted of its anonymization process and to implement any recommendations.
Background
Loblaw is a parent company whose businesses include Shoppers Drug Mart and the supermarket chain Loblaws. The PC Optimum Program is a subsidiary of Loblaw that offers a rewards program in which members can earn and spend points on purchases. Individuals can voluntarily sign up online to become a member, which requires entering one’s first name, email, and password. The account also tracks members’ purchase history, usage history, and other related data.
In May 2024, the OPC began receiving complaints against Loblaw relating to the deletion of PC Optimum accounts. In response, the OPC launched an investigation into Loblaw’s procedures for addressing privacy concerns and its data retention practices.
Issues
The OPC considered the following issues:
- Whether Loblaw adequately addressed privacy challenges raised by individuals. More specifically,
- Did Loblaw have mechanisms in place for members to raise privacy challenges; and
- Did Loblaw respond to all privacy inquiries in a timely manner?
- Whether Loblaw retained personal information of PC Optimum members for only as long as necessary. More specifically,
- Did Loblaw take sufficient steps to render the information it retained anonymous?
Outcome
Loblaw’s Response to Privacy Concerns
The OPC concluded that Loblaw did have mechanisms to allow members to delete their accounts and raise privacy concerns. However, the OPC found that Loblaw took an unreasonable amount of time in responding to deletion requests and some privacy inquiries. Accordingly, the OPC found Loblaw in violation of PIPEDA Principle 4.10 (Challenging Compliance).
Loblaw’s Data Retention Practices
The OPC concluded that Loblaw failed to demonstrate that it sufficiently anonymized the retained data associated with deleted PC Optimum accounts.
PIPEDA Principle 4.5 (Limiting Use, Disclosure and Retention), specifically Principle 4.5.3, requires that personal information no longer needed to fulfill its purpose be destroyed, erased, or made anonymous. In its investigation, the OPC learned that Loblaw had chosen to anonymize the data associated with the deleted accounts. The question then became whether Loblaw sufficiently anonymized the data.
The OPC first clarified the meaning of “anonymized” by reference to whether there is a “serious possibility that the information can be linked to identifiable individuals either by itself, or in combination with other available data”. As to whether such a possibility exists, the OPC outlined various factors to consider, including:
- intrinsic data characteristics;
- de-identification techniques;
- the potential for human error in conducting de-identification;
- the availability of additional data for cross-checking;
- who has, or could have, access to the dataset and for what purposes, their motivation to re-identify data and their knowledge that a specific individual’s information is included in the dataset; and
- the expertise and resources used in re-identification.
The OPC found that Loblaw had retained data such as redeemed points, purchase history, browsing history, device information, and transaction history. In its efforts to anonymize the data, Loblaw had stripped the names and phone numbers associated with the accounts and replaced the associated email addresses with “dummy” emails. The OPC placed the onus on Loblaw to show that its practices sufficiently anonymized the data. The OPC found that Loblaw had not discharged this burden. In fact, the OPC found the following risks of re-identification of members:
- Loblaw retained IP addresses associated with accounts. The OPC was of the view that, in combination with other data associated with the same account, an IP address could be used to identify an individual.
- Loblaw’s “dummy” email addresses retained the original domain name. The OPC was of the view that a domain name that reflected, for example, an individual’s company name, could be used to identify the individual.
- Loblaw retained members’ purchase history, which remained linked to members’ browsing history and other data. The OPC was of the view that purchase history could be used to identify an individual, especially where, for example, an individual makes a large purchase for an event in a small community.
The OPC also found that Loblaw insufficiently mitigated the risk of re-identification such as by not “aggregating, scrambling, or perturbing” the data. Accordingly, Loblaw had not sufficiently anonymized the data, and therefore retained personal information longer than needed, in contravention of PIPEDA Principle 4.5.3.
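The three re-identification risks listed above, and the mitigation the OPC mentions (aggregating, scrambling, or perturbing), can be made concrete with a small script. The following Python is an added illustration written for this bulletin; it is not Loblaw’s anonymization process, nor a method prescribed by the OPC. The account records are constructed sample data, and the function names (`weak_anonymize`, `stronger_anonymize`, `residual_risks`, `small_groups`) and the spend-bucket size are assumptions of the example. `weak_anonymize` mirrors the practice described in the findings (name and phone stripped, email replaced by a dummy that keeps the domain, IP address and itemised purchase history kept); `stronger_anonymize` drops the IP, replaces the whole email with a random token, and aggregates purchases into a count and a coarse spend bucket; `residual_risks` is a checklist built from the three findings; and `small_groups` shows that even an aggregated bucket can single out one individual, which is the “large purchase in a small community” concern.

```python
import secrets
from collections import Counter

# Constructed sample records modelled on the data types the findings say were
# retained (name, phone, email, IP address, purchase history). All values are made up.
SAMPLE_ACCOUNTS = [
    {"name": "Alice Example", "phone": "555-0100", "email": "alice@smallco.example",
     "ip": "203.0.113.10", "purchases": [("patio set", 2400.00), ("milk", 4.50)]},
    {"name": "Bob Example", "phone": "555-0101", "email": "bob@mail.example",
     "ip": "198.51.100.7", "purchases": [("bread", 3.25), ("eggs", 5.10)]},
]


def weak_anonymize(acct):
    """Mirror of the practice the findings describe (assumed reconstruction):
    strip name and phone, swap the local part of the email for a dummy but keep
    the domain, and keep the IP address and itemised purchase history unchanged."""
    _local, _, domain = acct["email"].partition("@")
    return {
        "email": f"deleted-user@{domain}",   # domain such as a company name survives
        "ip": acct["ip"],                    # IP retained
        "purchases": list(acct["purchases"]),  # itemised history retained
    }


def stronger_anonymize(acct, bucket_size=500.0):
    """Example design (not a prescribed method) addressing each listed risk:
    - drop the IP address entirely;
    - replace the whole email, domain included, with a random token that cannot
      be derived from the original address;
    - aggregate purchase history into a count and a coarse spend bucket so a
      single distinctive purchase is no longer visible in the record."""
    total = sum(price for _, price in acct["purchases"])
    bucket_floor = int(total // bucket_size) * bucket_size
    return {
        "record_id": secrets.token_hex(8),  # random, unlinkable to the source account
        "purchase_count": len(acct["purchases"]),
        "spend_bucket": f"{bucket_floor:.0f}-{bucket_floor + bucket_size:.0f}",
    }


def residual_risks(record):
    """Return the re-identification risk indicators still present in a record,
    using the three risks from the findings as the checklist."""
    found = set()
    if "ip" in record:
        found.add("ip_address_retained")
    if "purchases" in record:
        found.add("itemised_purchase_history_retained")
    if "@" in record.get("email", ""):
        found.add("email_domain_retained")
    return found


def small_groups(records, k=5):
    """Spend buckets shared by fewer than k records. A bucket holding one person
    still singles that person out even though the individual items are gone."""
    counts = Counter(r["spend_bucket"] for r in records)
    return {bucket for bucket, n in counts.items() if n < k}


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print("weak    :", sorted(residual_risks(weak_anonymize(acct))))
        print("stronger:", sorted(residual_risks(stronger_anonymize(acct))))
    aggregated = [stronger_anonymize(a) for a in SAMPLE_ACCOUNTS]
    print("buckets with fewer than 2 members:", small_groups(aggregated, k=2))
```

The last check is the one a practitioner would add to a retention review: after aggregation, run `small_groups` over the whole retained dataset and treat any bucket below the chosen threshold as not yet anonymized, since the factors the OPC lists (other available data, who has access, their motivation) all work against a record that is unique in the set.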
Key Takeaways
The OPC’s findings provide insight for businesses into what it means for retained data to be properly anonymized. The findings also show that, should an organization face an investigation into its anonymization processes, the organization will bear the onus of demonstrating that its efforts in anonymization are sufficient. Accordingly, organizations that collect personal information and intend to retain such data should be especially diligent in properly anonymizing the data. Otherwise, organizations may be found in violation of PIPEDA, which may result in regulatory consequences.
For more information about AI and privacy compliance in Canada, please contact Laura Crimi or Roland Hung of Torkin Manes' Technology and Privacy & Data Management Groups.
The authors would like to acknowledge Torkin Manes’ Articling Student Dena Sharafdin for her invaluable contribution in drafting this bulletin.