The public consultation phase on whether to reform British Columbia’s Personal Information Protection Act (PIPA) concluded on September 19. The consultation was part of a review of PIPA by a special committee composed of representatives of all political parties and appointed by the legislature. The special committee is likely to recommend updating BC’s private sector privacy legislation. Below is a synopsis of the committee hearings and the issues surrounding PIPA reform.

Why Now?

The last time PIPA was reviewed was in 2008. Section 59 of PIPA requires that a review of PIPA be conducted every 6 years; however, there are other reasons that make a review of PIPA timely. Last year, a similar Alberta statute was declared unconstitutional for failing to appropriately balance privacy protections with the right to the collection, use and disclosure of personal information in connection with lawful picketing activities. This will certainly be addressed by the special committee.

In addition, at the federal level, Canada’s Parliament is considering significant reforms to the Personal Information Protection and Electronic Documents Act (PIPEDA). As discussed below, the mandatory data breach reporting proposed for PIPEDA was also a focus of discussion in submissions received so far during the special committee’s consultation.

The committee will take some time to review the results of the public consultation; however, we know some of the main issues on the table from the hearings held so far. On September 8, several interest groups made presentations and filed submissions. The interest groups that made submissions were:

  • The Freedom of Information and Privacy Association (FIPA): a non-profit organization established to advance open government and privacy rights in Canada.
  • OpenMedia.ca: a community-based organization working to safeguard an open Internet.
  • The Private Investigators’ Association of British Columbia (PIABC): an association of professional licensed private investigators and security consultants.
  • Central 1: the trade association for all credit unions in British Columbia and member credit unions in Ontario.

In addition, the special committee received a briefing from Elizabeth Denham, the BC information and privacy commissioner (IPC), on May 28.

Here are some highlights from the special committee’s activities so far.

Mandatory Breach Reporting

Commissioner Denham and FIPA argued for amending PIPA to include provisions for mandatory breach reporting. Central 1 also supports such an amendment. Although a significant number of data breaches are voluntarily reported to the IPC, Denham believes that mandatory breach reporting is critical to the protection of privacy of BC residents. Denham offers three main arguments for mandatory breach reporting:

  • Organizations should be required to determine whether to report breaches based on whether there is a real risk of significant harm to individuals. The IPC raised concerns that organizations may decide whether to report based on business objectives rather than the interests of individuals.
  • BC residents should not have fewer protections than those in other Canadian jurisdictions. As noted above, PIPEDA may be reformed to include mandatory breach reporting. This would leave BC and Québec as the only jurisdictions in Canada where mandatory breach reporting was not required.
  • PIPA should be harmonized with the growing trend toward mandatory breach reporting. This trend is evident in the U.S. with the vast majority of states having some form of mandatory breach reporting law. Moreover, the European Parliament is considering introducing mandatory breach reporting in connection with a review and reform of European data protection laws.

New Enforcement Tools

Denham also wants order-making powers to give teeth to Commissioner-led investigations. Currently, the IPC can only make an order in connection with the investigation of a complaint. However, Denham is concerned that some issues may be systemic and transcend an individual complaint, or that consumers may not know enough to be able to bring a complaint.

Curbing Warrantless Disclosures

The IPC, FIPA and OpenMedia.ca have called for the PIPA Committee to review PIPA’s provisions permitting organizations to voluntarily provide information to law enforcement in order to assist in an investigation. FIPA recommends an amendment to require the law enforcement agency to provide evidence of lawful authority to compel production of the information it has requested.

However, if warrantless disclosure provisions remain in PIPA, Denham and OpenMedia.ca want organizations to document warrantless disclosures. Denham would like to see transparency reports posted on organizations’ websites containing information that is prescribed by regulation. OpenMedia.ca wants to ensure that affected individuals are notified.

Gatekeeping Function for Professional Private Investigators

Section 12 of PIPA permits an organization to collect personal information about an individual without the consent of the individual or from a source other than the individual if it is reasonable for an investigation and it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal information. PIABC recommends that investigations under section 12 of PIPA be conducted by licensed private investigators. There are two advantages to using licensed private investigators, according to PIABC. First, licensed private investigators would be subject to codes of professional conduct and privacy awareness training. Second, the approach would bring PIPA into greater harmony with PIPEDA.

To illustrate the issues, PIABC provides an interesting example of its concerns. PIABC reports that investigators are increasingly being called to assist parents in investigating the activity of their children on the Internet. PIABC notes that in some cases children may simply be exploring an aspect of their identity in private. In other cases, the child may be at risk or there may be evidence of illegal activity. PIABC suggests that mandating that these types of investigations be conducted by licensed investigators is more likely to ensure the privacy concerns of the minor are understood and respected.

Requiring Express Consent to Continuous Monitoring

FIPA reiterated its 2008 proposal to outlaw continuous monitoring of individuals without express, opt-in consent. FIPA is concerned that the “internet of things” and the pervasiveness of geolocation monitoring in mobile applications means that individuals are at risk of being under constant surveillance. FIPA argues that “opt-out” consent is inappropriate for continuous monitoring.

Practical Changes for Disclosure without Consent

Meanwhile, Central 1 would like to see a loosening of restrictions on disclosure without consent. In particular, Central 1 would like to permit the disclosure of personal information to family members and others without consent where a financial institution believes that a person may be at risk of financial abuse or other harm. Central 1 would also like to broaden the exceptions for disclosure where an individual is deceased and no nearest relative or personal representative can be identified.

More information on the PIPA Committee hearings can be found here.