February 3, 2022

British Columbia Personal Information Privacy Act To Be Modernized

The Special Committee appointed by the Legislative Assembly of British Columbia has reviewed the Personal Information Protection Act (PIPA) and released its recommendations for modernization.

In February 2020, the Legislative Assembly of British Columbia appointed a Special Committee to review the province's Personal Information Protection Act (“PIPA”). The Committee has reviewed the law and released its recommendations for modernizing it.

If you operate from British Columbia or have users from the province, you should be aware of these recommendations. They are not embedded into the law yet, but that will likely happen soon. They bring stricter requirements compared to the current data privacy laws applicable in Canada, so you must be aware of them and prepare accordingly.

The Data Protection Landscape in British Columbia and Canada

Due to the political and administrative organization of Canada, there are multiple data protection laws that businesses need to comply with.

Canada has a data protection law on a federal level called the Personal Information Protection and Electronic Documents Act (PIPEDA). Entities subject to PIPEDA that process personal information must adhere to 10 fair information principles. Every business in Canada needs to comply with federal law, with some exceptions.

The provinces of Alberta, British Columbia and Quebec have their own private-sector privacy laws and are generally exempt from PIPEDA when it comes to the collection, use, or disclosure of personal information that occurs within their respective provinces. However, PIPEDA still applies to federally regulated organizations (such as banks, airlines, and telecom companies) in those provinces, and when data processing by businesses in those provinces crosses provincial or national borders.

Aside from PIPEDA, every province can pass its own data privacy law. The federal and provincial laws coexist and apply simultaneously. 

Businesses that operate from Canada have to comply with federal law, as well as the law of the province where they operate from. In addition, they need to comply with all the provincial laws applicable to their customers.

If the business operates in a regulated industry, such as health or insurance, there may be some other industry-specific data privacy law that they need to comply with.

This makes the situation quite complicated. Fortunately, data protection laws at both the federal and provincial level are aligned with each other, which makes for easier compliance.

However, technology moves fast and laws do not. Laws become outdated for the modern world and need to be updated. The Committee's recommendations aim to show legislators how to modernize British Columbia law and align it with new global trends in data protection regulation.

What Does the Committee Recommend?

The report contains a long list of recommendations; we will sum up the most important ones and explain them briefly.

The recommendations include:

Meaningful Consent

Since the consent requirements of the PIPA are outdated, the Committee recommends the following:

  • Update the requirements of explicit consent to include meaningful consent provisions,
  • Align the exemptions to consent in PIPA with those of the GDPR, which would mean that businesses can process data without consent if it is necessary for the execution of a contract, legitimate interest, public interest, etc., and,
  • Define new sensitive categories of information in PIPA that would require explicit consent from individuals and specific data handling practices. These categories would include: biometric data, political views, religion, sexual orientation, medical information, and information related to children and youth.

The Committee expresses its concern regarding “consent fatigue” and therefore does not recommend explicit consent requirements for every single case of processing data, as the GDPR requires. Businesses can still rely on implied consent in some situations, while they’ll have to obtain explicit consent in other situations.

Mandatory Breach Notifications

In the future, PIPA should require organizations to give notification of every data breach, just as other data protection laws do.

In addition, it should allow for easy communication of the breaches. This means that businesses should report in any way they find suitable at the moment. That could be over the phone, email, regular mail, text, or another method. There should be no constraints to the communication of breaches.

Disclosure of Personal Information

The Committee recommended that PIPA should be more similar to the GDPR in terms of transparency. PIPA currently allows businesses to refuse data subject requests on too many grounds. It also does not guarantee all the rights that data subjects enjoy in Europe.

The report also notes that the transparency obligations regarding third-party service providers are outdated and need to be changed to reflect the way data processing is being done nowadays.

Having said that, the recommendations are to:

  • Strengthen the provisions regarding the right to access;
  • Allow an organization to refuse an access request when the disclosure would include the confidential information of persons fleeing or having fled domestic violence or abuse;
  • Provide individuals with the right to obtain their own personal information from an organization in a structured, commonly used, and machine-readable format at a cost no greater than the actual cost of fulfilling the access request;
  • Define the general requirements of data destruction;
  • Require organizations to clearly outline retention periods and methods of data destruction in their privacy policies;
  • Require organizations to create privacy impact assessments before beginning a project that will require the processing of sensitive information;
  • Allow for the collection, use, and disclosure of information without consent where a reasonable person would agree that the information is required for an investigation or prevention of fraud or criminal activity;
  • Include international and interprovincial data transfers provisions in PIPA and require businesses to be transparent about it;
  • Require data controllers to obtain explicit consent from individuals prior to the sale of their data.

Office of the Information and Privacy Commission Officer

The Privacy Commission Officer may be given powers for efficient enforcement of the PIPA. In practice this means that they could:

  • Conduct audits to find systemic issues;
  • Require organizations to produce relevant reports upon request;
  • Levy administrative monetary penalties at an amount that is a sufficient deterrent to contraventions of the Act.

What Comes Next for PIPA Modernization?

As mentioned above, this report only contains the recommendations. These recommendations have been made after comprehensive reviews and consultations with relevant stakeholders, so it is reasonable to expect that most of them will be included in legislation updates in the near future.

In the meantime, you can meet the requirements of PIPEDA and set your business on the easy track to compliance with the PIPA once the updates come into effect.

Secure Privacy can help you with compliance through cookie banners, a website scanner, a privacy policy generator, and other tools.