British Columbia Personal Information Privacy Act To Be Modernized
In February 2020, the Legislative Assembly of British Columbia appointed a Special Committee to review the province's Personal Information Protection Act (“PIPA”). The Committee has completed its review and released its recommendations for modernizing the Act.
If you operate from British Columbia or have users in the province, you should be aware of these recommendations. They have not been written into law yet, but that will likely happen soon. The proposed changes bring stricter requirements than the data privacy laws currently applicable in Canada, so you should understand them and prepare accordingly.
The Data Protection Landscape in British Columbia and Canada
Due to the political and administrative organization of Canada, there are multiple data protection laws that businesses need to comply with.
Canada has a federal data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Entities that are subject to PIPEDA and process personal information must adhere to its 10 fair information principles. With some exceptions, every business in Canada needs to comply with the federal law.
The provinces of Alberta, British Columbia and Quebec have their own private-sector privacy laws and are generally exempt from PIPEDA when it comes to the collection, use, or disclosure of personal information that occurs within their respective provinces. However, PIPEDA still applies to federally regulated organizations (such as banks, airlines, and telecom companies) in those provinces, and when data processing by businesses in those provinces crosses provincial or national borders.
Aside from PIPEDA, every province can pass its own data privacy law. The federal and provincial laws coexist and apply simultaneously.
Businesses that operate from Canada have to comply with federal law, as well as the law of the province where they operate from. In addition, they need to comply with all the provincial laws applicable to their customers.
If the business operates in a regulated industry, such as health or insurance, there may be some other industry-specific data privacy law that they need to comply with.
This makes the situation quite complicated. Fortunately, the federal and provincial data protection laws are aligned with each other, which makes compliance easier.
However, technology moves fast and laws do not. The existing laws are becoming outdated for the modern world and need to be updated. The Committee's recommendations aim to show legislators how to modernize British Columbia's law and align it with global trends in data protection regulation.
What Does the Committee Recommend?
The report contains a long list of recommendations; we sum up the most important ones below and explain them briefly.
Consent Requirements
Since the consent requirements of PIPA are outdated, the Committee recommends that the legislature:
- Update the requirements of explicit consent to include meaningful consent provisions,
- Align the exemptions to consent in PIPA with those of the GDPR, which would mean that businesses can process data without consent if it is necessary for the execution of a contract, legitimate interest, public interest, etc., and,
- Define new sensitive categories of information in PIPA that would require explicit consent from individuals and specific data handling practices, including: biometric data, political views, religion, sexual orientation, medical information, and information related to children and youth.
The Committee expresses concern about “consent fatigue” and therefore does not recommend requiring explicit consent for every single instance of data processing, as the GDPR does. Businesses could still rely on implied consent in some situations, while they would have to obtain explicit consent in others.
Mandatory Breach Notifications
The Committee recommends that PIPA require organizations to give notice of every data breach, as other data protection laws already do.
In addition, the Act should allow breaches to be communicated easily. This means that businesses should be able to report a breach in whatever way is suitable at the time: over the phone, by email, by regular mail, by text message, or by another method. There should be no constraints on how a breach is communicated.
Disclosure of Personal Information
The Committee recommends that PIPA become more similar to the GDPR in terms of transparency. PIPA currently allows businesses to refuse data subject requests on too many grounds, and it does not guarantee all of the rights that data subjects enjoy in Europe.
The report also notes that the transparency obligations regarding third-party service providers are outdated and need to be changed to reflect how data processing is done today.
Accordingly, the recommendations are to:
- Strengthen the provisions regarding the right to access;
- Allow an organization to refuse an access request when the disclosure would include the confidential information of persons fleeing or having fled domestic violence or abuse;
- Provide individuals with the right to obtain their own personal information from an organization in a structured, commonly used, and machine-readable format at a cost no greater than the actual cost of fulfilling the access request;
- Define the general requirements of data destruction;
- Require organizations to clearly outline retention periods and methods of data destruction in their privacy policies;
- Require organizations to create privacy impact assessments before beginning a project that will require the processing of sensitive information;
- Allow for the collection, use, and disclosure of information without consent where a reasonable person would agree that the information is required for an investigation or prevention of fraud or criminal activity;
- Include provisions on international and interprovincial data transfers in PIPA and require businesses to be transparent about such transfers;
- Require data controllers to obtain explicit consent from individuals prior to the sale of their data.
Office of the Information and Privacy Commissioner
The Information and Privacy Commissioner may be given additional powers to enforce PIPA effectively. In practice this means that the Commissioner could:
- Conduct audits to find systemic issues;
- Require organizations to produce relevant reports upon request;
- Levy administrative monetary penalties at an amount that is a sufficient deterrent to contraventions of the Act.
What Comes Next for PIPA Modernization?
As mentioned above, this report contains recommendations only. The recommendations were made after comprehensive reviews and consultations with relevant stakeholders, so it is reasonable to expect that most of them will be included in legislative updates in the near future.
In the meantime, you can meet the requirements of PIPEDA and put your business on the easy track to compliance with PIPA once the updates come into effect.