As we’ve reported in past blog posts, Canada’s privacy regulators have been vocal about the need for change to the privacy and data protection laws that apply to the private, public and health sectors in Canada. Most recently, the British Columbia Information and Privacy Commissioner (“OIPC”) called for an overhaul of the Personal Information Protection Act of the province (“BC PIPA”) by proposing a number of recommended changes to the legislation.
The OIPC noted three main areas of concern that need to be addressed to “clarify, strengthen, and enhance” BC PIPA. Further recommendations will be made later in the Fall of 2020, with public submissions open until August 14, 2020 (see below). The three key aspects are:
Mandatory Data Breach Reporting
BC PIPA is “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) and therefore applies to all “organizations” with respect to the processing of personal information in British Columbia (PIPEDA will still apply in some situations; for example, as it relates to “federal works, business, and undertakings” or inter-provincial and international data transfers).
Importantly for charities and other non-profit organizations, BC PIPA applies to all private entities and does not restrict application in the way PIPEDA or even the Alberta Personal Information Protection Act (“AB PIPA”) does.[1]
Unsurprisingly, the OIPC noted that BC PIPA is deficient and lags behind other jurisdictions on the point of mandatory breach reporting in the private sector, both in Canada (with PIPEDA at the federal level and, provincially, AB PIPA) and abroad, where all US states and Europe, under the GDPR, have notification requirements. Last year, over 190 voluntary notifications were made in British Columbia. The OIPC described breach notification as “an essential tool” to “exercise the proper oversight”, to assist organizations in their compliance, and to protect the public.
Enforcement – ability to levy fines
Citing the Facebook investigation, the OIPC noted that the Competition Bureau was able to levy a fine against Facebook for misleading practices regarding privacy to the tune of $9.5M, while, for the same investigation, the OIPC was not able to penalize the company for failing to implement appropriate safeguards to protect consumer information.
Investigations and Order-making powers
According to the Commissioner, due to the increasing “power imbalance” between consumers and organizations as well as the opacity of data processing, it is necessary to initiate investigations without complaints and make orders to protect individuals.
The Special Committee to Review the BC PIPA invites organizations to make submissions. The deadline for submissions is August 14, 2020.
2020 and 2021 will surely bring about change to privacy and data protection laws in Canada but, at this point, we will have to wait and monitor closely what form this change will take.
If you have any questions about this or other privacy and technology topics, or are considering making a submission on this issue, please reach out to David Krebs or another member of our privacy and cyber security team.
[1] Some types of non-profits are subject to AB PIPA like any for-profit organization while others are only subject to the legislation if the processing is during the course of “commercial activities”, which is more closely aligned with the way PIPEDA treats the subject-matter.