The British Columbia government is currently reviewing the province’s Personal Information Protection Act (“PIPA”), which governs how private sector organizations must collect and manage personal information. A Special Committee of the Legislative Assembly was struck in February 2020 and has concluded public hearings and accepted written submissions, but its recommendations are not expected until early 2021. What can organizations expect?
What is PIPA?
First of all, let’s talk about what PIPA does and how it fits into Canada’s privacy landscape. In Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private organizations handle personal information, unless a province enacts its own substantially similar legislation. BC (along with Alberta and Quebec) is one of the provinces that has done so.
The basic principles of PIPA are that organizations may only collect, use or disclose personal information about an individual for a reasonable purpose and with the individual’s informed consent. The organization must ensure adequate protections for the information in its care and individuals have a right to access and correct the information held by the organization.
Keep in mind that PIPA does not apply to public bodies, which are governed by the Freedom of Information and Protection of Privacy Act, or when information is collected, used or disclosed for cross-border commercial purposes, in which case PIPEDA steps in. PIPA applies to private sector organizations within BC.
Why are Canadian privacy laws changing?
The Special Committee’s mandate is not limited to any specific issues – it is a statutory review required pursuant to s. 59 of PIPA. However, the review is happening in the context of recent changes to PIPEDA and the implementation of the European Union’s General Data Protection Regulation (GDPR) in 2018, which, along with the consultation submissions, give us some clues about the issues that are likely to be front of mind for the committee.
The GDPR is influential because (a) it is representative of global trends in personal information regulation and (b) it permits transfers of EU personal information to jurisdictions with privacy legislation determined by the EU to be “adequate”. PIPEDA has long enjoyed adequacy status, but Article 45(4) of the GDPR requires periodic review of such adequacy decisions and such review is expected to begin this year. It will be important for Canada to keep up.
A similar regime exists for Canadian provincial private-sector privacy laws – where provincial privacy laws have been determined to be adequate, PIPEDA will not apply. Hence, changes reflected in a revised PIPEDA will need to be reflected in provincial privacy laws to preserve their adequacy status.
What can we expect?
We have reviewed the written submissions to the Special Committee and, while by no means exhaustive, there are some common themes that, coupled with changes in other provinces and federally, may indicate where things are going:
- Mandatory Breach Reporting: The most commonly brought up change is mandatory reporting of personal information breaches to the Privacy Commissioner. Breach reporting has been mandatory in Alberta for a decade and came to PIPEDA in 2018. Under PIPA as it stands, there is no affirmative requirement for organizations to report breaches of the personal information in their care. Harmonization within Canada is a common theme in submissions before the special committee and, given the trends, mandatory reporting is likely to be coming to BC.
- Role of the Privacy Commissioner: GDPR created significant enforcement measures and penalties for non-compliance. The Privacy Commissioners of Canada, Alberta and Ontario each advocated for the BC Privacy Commissioner to have enhanced order-making powers and the ability to issue administrative monetary penalties for PIPA breaches (although it is worth noting that none of those commissioners themselves have such powers, with the exception of the Ontario Commissioner’s coming power to issue administrative monetary penalties under its personal health information legislation). The UK Information Commissioner also advocated for enhanced penalties, which is notable as she is the former Privacy Commissioner of BC.
- Big Data: PIPA is principles-based and is intended to be technology-neutral, but the massive changes in the value of personal information and the ability of organizations to process and analyze it since PIPA was last reviewed are undeniable. The GDPR reflects this shift in its provisions about the right to data portability, the right to personal information erasure and clearer guidance about data de-identification and anonymization. It will be interesting to see the extent to which the special committee grapples with these issues.
- Privilege: This is a hotly contested issue, with lawyers, Bar Associations and others (supported by a few court decisions) advocating that in the course of an investigation where privilege over information is claimed, it is the courts which should review and determine the bona fides of such a claim. On the other side of the debate are the privacy commissioners, who believe they should be the ones to adjudicate privilege claims. This issue has significant consequences for organizations, ranging from the potential production of privileged IT forensics reports to their potential exposure under Freedom of Information regimes, which apply to information in the custody and control of privacy commissioners.
The privacy landscape is changing. With the rise of big data and the potentially seismic shift to remote working, schooling and other areas of our lives, legislators and regulators will need to figure out how to adapt in meaningful ways to balance the privacy rights of individuals and the increased incorporation of personal information into the products and services those individuals are using. For the time being in British Columbia, we will have to wait and see.
Organizations subject to BC PIPA can start taking steps now to understand their risk and exposure, based on what is likely to appear in the revised legislation.
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information.