British Columbia Information and Privacy Commissioner calls for changes to Personal Information Protection Act

( Disponible en anglais seulement )

15 juin 2020 | David Krebs

As we’ve reported in past blog posts, Canada’s privacy regulators have been vocal about the need for change to the privacy and data protection laws that apply to the private, public and health sectors in Canada. Most recently, the British Columbia Information and Privacy Commissioner (“OIPC”) called for an overhaul of the Personal Information Protection Act of the province (“BC PIPA”) by proposing a number of recommended changes to the legislation.

The OIPC noted three main areas of concern that need to be addressed to “clarify, strengthen, and enhance” BC PIPA. Further recommendations will be made later in the Fall of 2020, with public submissions open until August 14, 2020 (see below). The three key aspects are:

Mandatory Data Breach Reporting

BC PIPA is “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) and therefore applies to all “organizations” with respect to the processing of personal information in in British Columbia (PIPEDA will still apply in some situations; for example, as it relates to “federal works, business, and undertakings” or inter-provincial and international data transfers).

Importantly for charities and other non-profit organizations, BC PIPA applies to all private entities and does not restrict application in the way PIPEDA or even the Alberta Personal Information Protection Act (“AB PIPA) does.[1]

Unsurprisingly, the OIPC noted the BC PIPA deficient and lagging behind other jurisdictions on the point of mandatory breach reporting in the private sector both in Canada (with PIPEDA at the federal level and provincially, with AB PIPA) and abroad, with all US States and in Europe under GDPR, having notification requirements. Last year, over 190 voluntary notifications were made in British Columbia. The OIPC noted breach notification as “an essential tool” to “exercise the proper oversight” and to assist organizations in their compliance as well as protect the public.

Enforcement – ability to levy fines

Citing the Facebook investigation, the OIPC noted that the Competition Bureau was able to levy a fine against Facebook for misleading practices regarding privacy to the tune of $9.5M, while, for the same investigation, the OIPC was not able to penalize the company for failing to implement appropriate safeguards to protect consumer information.

Investigations and Order-making powers

According to the Commissioner, due to the increasing “power imbalance” between consumers and organizations as well as the opacity of data processing, it is necessary to initiate investigations without complaints and make orders to protect individuals.

The Special Committee to Review the BC PIPA invites organizations to make submissions. The deadline for submissions is August 14, 2020. 

2020 and 2021 will surely bring about change to privacy and data protection laws in Canada but, at this point, we will have to wait and monitor closely what form this change will take.

If you have any questions about this or other privacy and technology topics, or are considering making a submission on this issue, please reach out David Krebs or another member of our privacy and cyber security team.


[1] Some types of non-profits are subject to AB PIPA like any for-profit organization while others are only subject to the legislation if the processing is during the course of “commercial activities”, which is more closely aligned with the way PIPEDA treats the subject-matter.

Avis de non-responsabilité

Cette publication est fournie à titre informatif uniquement. Elle peut contenir des éléments provenant d’autres sources et nous ne garantissons pas son exactitude. Cette publication n’est ni un avis ni un conseil juridique.

Miller Thomson S.E.N.C.R.L., s.r.l. utilise vos coordonnées dans le but de vous envoyer des communications électroniques portant sur des questions juridiques, des séminaires ou des événements susceptibles de vous intéresser. Si vous avez des questions concernant nos pratiques d’information ou nos obligations en vertu de la Loi canadienne anti-pourriel, veuillez faire parvenir un courriel à privacy@millerthomson.com.

© Miller Thomson S.E.N.C.R.L., s.r.l. Cette publication peut être reproduite et distribuée intégralement sous réserve qu’aucune modification n’y soit apportée, que ce soit dans sa forme ou son contenu. Toute autre forme de reproduction ou de distribution nécessite le consentement écrit préalable de Miller Thomson S.E.N.C.R.L., s.r.l. qui peut être obtenu en faisant parvenir un courriel à newsletters@millerthomson.com.