British Columbia's Office of the Information and Privacy Commissioner (OIPC) recently recommended that B.C.'s Personal Information Protection Act (PIPA) be reformed to align it more closely with provincial, federal and international standards.

What you need to know

  • The OIPC submitted its reform recommendations to the Special Committee, convened by the provincial legislature, to review PIPA as part of the statutory requirement to evaluate PIPA every six years.
  • Among the OIPC's 12 recommendations are:
    • mandatory breach notification;
    • reforms to consent requirements;
    • enhanced data subject rights, including introducing data portability and automated decision-making requirements; and
    • increased enforcement powers, including giving the OIPC the ability to impose administrative monetary penalties and enter into compliance agreements with organizations.
  • The OIPC's recommendations are similar to the federal PIPEDA reform proposals and those outlined in the recent Ontario private sector privacy consultation document.
  • The OIPC's recommendations, along with the recommendations from other stakeholders, were to be considered by the Special Committee in a report to the B.C. Legislative Assembly in February 2021. However, it is unclear how long the recent snap election in B.C. will delay the Special Committee's report.

Recommendations made by OIPC

The OIPC's recommendations can be broken down into three groups: a) new privacy obligations for organizations; b) enhanced data subject rights; and c) expanded OIPC powers. These groups are described in further detail below.

A) New privacy obligations for organizations

The OIPC proposes requiring mandatory breach notification and protections for information being processed by a third party. On breach notification, the OIPC recommends that organizations notify individuals and the OIPC where there is a "real risk of significant harm" to an individual. This is the same standard employed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) as well as Alberta's Personal Information Protection Act (Alberta PIPA). Legislated requirements for the contents of breach notifications (also aligned with PIPEDA and Alberta PIPA) are also recommended.

With respect to third-party processing, the OIPC recommends that PIPA be amended to explicitly state that organizations are responsible for personal information transferred to a third party for processing, and to require organizations to use contractual clauses to ensure the transferred personal information is given a level of protection comparable to that given by PIPA. This recommendation is less prescriptive than the adequacy-based approach to cross-border data transfers taken by the GDPR and Québec's Bill 64.

B) Enhanced data subject rights

Among the recommendations included in the OIPC's submission was an updated consent requirement. The OIPC recommends mandating that privacy disclosures clearly and plainly describe all purposes for which personal information is being collected, used and disclosed. Moreover, individuals must be reasonably expected to understand the nature, purpose and consequences of these activities. Similar recommendations have been proposed in relation to PIPEDA and Québec's Bill 64, as well as in a discussion paper recently released by the Ontario government on a private sector privacy law.

The OIPC makes two more notable recommendations to enhance data subject rights. First, the OIPC recommends introducing a right to data portability, which would allow individuals to electronically receive and transfer their data on request (and within reason). Second, in cases of automated decision-making, the OIPC recommends providing individuals with a right to transparency with respect to how an automated decision might be made, as well as a right to object to the decision.

C) Expanded OIPC authority

The OIPC recommends that it be given two new powers. The OIPC requests the power to enter into compliance agreements with non-compliant organizations for concerns that it views as less serious[1], and the power to impose administrative monetary penalties (AMPs) on organizations for more serious breaches of PIPA provisions. The OIPC stops short of recommending which provisions should carry with them the risk of an AMP or a specific range of penalty amounts.

The OIPC also recommends removing some barriers to its investigation and audit functions. Currently, the OIPC is permitted to initiate an audit or investigation of an organization without a complaint from an individual. To do so, the OIPC must have "reasonable grounds" to believe that an organization is not complying with PIPA. The OIPC recommends removing the "reasonable grounds" threshold.

Footnote

1. The OIPC recommends that its power to enter into compliance agreements be modeled after PIPEDA section 17.1.