Review of the Personal Information Protection Act Issue Sheets

Mandatory Breach Reporting - OIPC Recommendation 1

Key Messages

  • Breach Notification enhances transparency and accountability and ensures individuals are made aware when their information has been breached, so they can take steps to protect themselves.
  • We are recommending that Bill C-11 be amended to require organizations to report breaches “without unreasonable delay” but within 7 days after they become aware of the incident.
  • Organizations cannot be properly held to account when 40% of reports are submitted over 3 months after the breach occurred.
  • The GDPR has similar requirements: controllers have to report breaches “without undue delay” and, where feasible, within 72 hours. Data subjects must be notified without undue delay when a breach is likely to result in a high risk to rights.

Background

  • The BC OIPC is recommending that PIPA be amended to:
    • Require organizations to notify affected individuals and the Commissioner of any loss of, unauthorized access to, or disclosure of, personal information where it is reasonable to believe there is a real risk of significant harm.
    • Authorize the Commissioner to require an organization to notify affected individuals where the organization has not done so.
    • Contain requirements for the timing of notice, the contents of notices, supporting information that must be provided to the OIPC, and record-keeping duties.
  • The OIPC emphasizes that the amendments should be crafted to harmonize as far as possible with provisions in Alberta’s PIPA and PIPEDA.
  • Breach reporting became mandatory under PIPEDA in 2018. In the first year, reports to our office increased by almost 500%. It has also led to substantial investigations, such as Desjardins.

Prepared by: PRPA


Service Providers - OIPC Recommendation 2

Key Messages

  • Bill C-11 requires that transferring organizations ensure, by contract or otherwise, “substantially the same protection” as that required under the Act. Overall, this scheme is reasonable.
  • However, additional details or amendments would be beneficial.
    • For example, certain provisions only apply to information “transferred” for processing. Rules should also apply where service providers collect personal information on behalf of the controller.
  • As well, we have recommended that Bill C-11 should distinguish between domestic and international service providers and that organizational requirements regarding trans-border data flows be set out explicitly and separately.

Background

  • PIPA currently does not expressly hold organizations responsible for the personal information they transfer to a service provider.
  • The OIPC supports the approach in C-11 and recommends that PIPA be amended to:
    • state that organizations are responsible for the personal information they transfer to a third party for processing or for providing services to or on behalf of the transferring organization; and,
    • require organizations to use contractual or other means to ensure compliance with PIPA, or to provide a comparable level of protection.
  • Under the GDPR, controllers must only use processors that guarantee processing will meet GDPR requirements. They must have technical and organisational measures in place and processing must be governed by a contract or other legal act.

Prepared by: PRPA


Meaningful Consent - OIPC Recommendation 3

Key Messages

  • Meaningful, informed consent is an essential element of PIPEDA.
  • The law requires organizations to provide notice such that individuals would understand the nature, purpose and consequences of the collection, use or disclosure.
  • The “understanding” requirement, which is key to the validity of consent, is notably absent from Bill C-11. Instead, the Bill attempts to give consumers more control by prescribing elements that must appear in a privacy notice, in plain language.
  • By removing the understanding requirement, the CPPA does not achieve its goal of giving individuals more control over their personal information; it provides less.

Background

  • PIPA currently requires organizations to provide “a notice, in a form the individual can reasonably be considered to understand, that it intends to collect, use or disclose the individual's personal information for [specified] purposes”.
  • The OIPC is recommending that PIPA:
    • Require organizations to give notice in writing unless consent is implied.
    • Require organizations to provide comprehensive, specific, clear and plain notice of all purposes for which individuals’ personal information will be collected, used and disclosed, such that it is reasonable to expect that an individual would understand the nature, purpose and consequences of the collection, use or disclosure.
    • Require organizations to provide notice separate from other legal terms, and to assist any individual if the individual asks.
  • PIPEDA, legislation in Alberta and Quebec, and the GDPR state that in order for consent to be valid, it must be reasonable to expect that individuals would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

Prepared by: PRPA


Exceptions to Consent - OIPC Recommendation 3

Key Messages

  • Although several of the new exceptions to consent in Bill C-11 are reasonable, others are overly broad and fail to counterbalance greater flexibility with greater accountability.
  • For example, some business activities for which there is an exception to consent are not clearly defined and would not fall within the reasonable expectations of an individual.
  • A consent exception for undefined “commercial risks” opens the door to broad interpretation (such as loss of revenue). As well, an exception for situations when obtaining consent is impracticable should be repealed, as it is inappropriate.
  • A “legitimate commercial interests” exception could be accompanied by a balancing test, similar to that found in the GDPR, to assess the measures’ purpose, necessity and proportionality, and consider the individuals’ interests and rights.

Background

  • S.18(1) of the CPPA allows organizations to collect/use personal information without knowledge and consent for certain identified business activities. The provision specifies that these collections and uses should be reasonably expected and not for the purpose of influencing an individual’s behaviour or decisions.
  • The OIPC urges the Committee not to recommend adoption of all of the CPPA’s consent exceptions. Rather, they recommend that the government monitor progress of this issue and that they also affirm that individuals’ control over their own personal information is, through consent, a core principle of PIPA.
  • In our AI paper (Nov 2020) and C-11 submission we recommend an exception for “legitimate commercial interests”, that would need to be accompanied by a rights-based regime, and appropriate safeguards and monitoring.

Prepared by: PRPA


Automated Decision Making - OIPC Recommendation 4

Key Messages

  • It is encouraging to see specific provisions in the CPPA addressing risks presented by automated decision-making.
  • Bill C-11 includes some proposals from the OPC’s paper on regulating AI, such as defining automated decision-making, adopting flexibility for using de-identified information, and an ability to receive an explanation for automated decisions.
  • However, modifications to C-11 are necessary to denote a clearer standard for such explanations, to create a right to contest automated decisions, and to strengthen accountability through privacy by design and algorithmic traceability.

Background

  • The OIPC believes the provisions in Bill C-11 fall short of what is necessary, since they only require organizations to provide a “general account” in their policies and procedures, which runs the risk of important information being buried or lacking case-specific details that individuals reasonably need to protect their rights.
  • The OIPC recommends that PIPA be amended to require organizations using automated processing to: (1) notify individuals that automated processing will be used to make a decision about them; (2) disclose the reasons and criteria used, on request; and (3) ensure that objections from individuals are received by someone in the organization with the authority to review and change the decision.
  • In our C-11 submission, we indicate that in our view, the level of explanation required by the CPPA should be enhanced to include: the nature of the decision, the relevant personal information relied upon, the rules that define the processing and the decision’s principal characteristics. Where trade secrets prevent such an explanation, at least the following should be required: (i) the type of personal information collected or used, (ii) why the information is relevant, and (iii) its likely impact on the individual. These are factors suggested in guidance by the UK ICO.
  • A right to contest the use of automated decision-making would be consistent with other jurisdictions, including the GDPR and Quebec’s Bill 64.

Prepared by: PRPA


Right to be Forgotten - OIPC Recommendation 5

Key Messages

  • We support C-11’s right to request the deletion of one’s information. However, the limitation to information collected from an individual should be expanded to all information about the individual, in line with the approach adopted in the GDPR.
  • C-11 does not address search engine de-indexing or individuals’ right to request deletion of harmful information posted by others.
  • A clear and explicit right with respect to the de-indexing and/or removal of personal information from search results and other online sources is needed; Quebec’s Bill 64 is a useful model.

Background

  • PIPA requires an organization to destroy personal information, or render it unidentifiable, “as soon as it is reasonable to assume that…the purpose for which that personal information was collected is no longer being served by” its retention (and retention is not necessary for legal or business purposes).
  • The OIPC agrees with the CPPA’s creation of a right for individuals to require organizations to dispose of their personal information, and recommends that the BC government continue to monitor developments on the “right to be forgotten”.
  • S. 28.1 of Bill 64 creates a right to de-indexing or removal of online information where: the dissemination of the information causes serious injury to the individual’s reputation or privacy; the injury is clearly greater than the public interest in knowing the information or someone’s right to self-expression; and the removal or de-indexation is limited to what is necessary to prevent ongoing injury.
  • The matter of the existence or not of a right to de-indexing is currently before the courts. The Ontario Superior Court in Caplan v Atas states that “Regulation of speech carries with it the risk of over-regulation, even tyranny. Absence of regulation carries with it the risk of anarchy and the disintegration of order.”

Prepared by: PRPA


Right to Data Portability - OIPC Recommendation 6

Key Messages

  • Bill C-11 provides for a right to data mobility which allows an individual to request an organization to disclose personal information it has collected from them to another designated organization if both are subject to a mobility framework.
  • We recommend this right apply to all personal information about an individual, including derived or inferred information.
  • We would also support the right being expanded to provide individuals, when technically feasible, the ability to receive this information in a structured, commonly used, machine-readable format, as recommended by my B.C. colleague.
  • This would align C-11 with other international laws and help to maximize individual control over their personal information.

Background

  • In Australia, the Consumer Data Right Act sets out a process by which the government designates which sectors are subject to data mobility. That Act sets out requirements for the Information Commissioner to be consulted on both the designation of, and design of rules for, sectors, as well as the ability to recommend sectors for designation. In addition, their law clarifies that derived data is subject to mobility obligations.
  • The right to data portability under the GDPR (Article 20) and Bill 64 (s112) only covers data where the processing is carried out by automated means. Therefore, the right for individuals to receive this information in a machine-readable format is practicable given that the processing is electronic. Both also require the data to be provided in a machine-readable format.
  • The OIPC recommends that PIPA be amended to allow individuals to receive their personal information in a structured, commonly used, machine-readable format. Given that the data mobility right under C-11 applies to any and all data collected, and not just data collected via electronic means, a similar approach to amending C-11 would align Canada with international norms for modern data rights.

Prepared by: PRPA


Administrative Monetary Penalties/Tribunal - OIPC Recommendation 7

Key Messages

  • Bill C-11’s restrictions on directly issuing an administrative monetary penalty, and the addition of an administrative appeal tribunal, will curtail individuals’ access to quick and effective remedies.
  • We have called for amendments to Bill C-11 to significantly broaden the range of violations for which AMPs may be imposed, potentially encompassing all violations under Part 1 of the Bill.
  • With respect to a tribunal, the OPC has indicated that it welcomes accountability for its actions, but respectfully suggests a tribunal is unnecessary to achieve greater accountability and fairness – a role already performed by the Courts.

Background

  • The OIPC does not support Bill C-11’s approach to AMPs and a tribunal. The OIPC has recommended that PIPA enable the Commissioner to impose a monetary penalty and that such authority be accompanied by strong provisions for due process and judicial oversight.
    • With respect to tribunals they state in their submission: “[the] creation of a new body to discharge this role is unprecedented in the Canadian privacy oversight world and in the EU context… this model absolutely should not be followed in British Columbia.”
  • The OIPC also recommends the Commissioner be able to issue AMPs under PIPA as it already has experience administering AMPs under B.C.’s Lobbyists Transparency Act. They have stated “there is no case to be made that such a step is necessary in terms of institutional design or necessity in this province”.
  • No privacy specific (i.e. not privacy and access) administrative tribunal exists in Canada, Australia, New Zealand, the United Kingdom, or in the European Union.

Prepared by: PRPA


Order-making Powers - OIPC Recommendation 7

Key Messages

  • While PIPA allows for order-making powers, PIPEDA does not.
  • C-11 introduces new order-making powers for the OPC; however, the qualifier “to the extent that is reasonably necessary to ensure compliance with this Act” is exceptional and unnecessary.
  • We have recommended that this qualifier be removed to align Bill C-11 with PIPA, and with other domestic and international privacy laws.

Background

  • The OIPC currently has order-making powers under s.52 of PIPA. In their submission, the OIPC has suggested that their order-making power is “inadequate” because they lack an ability to issue financial penalties, and British Columbians expect their privacy rights be protected “through meaningful sanctions”.
  • Our Office is of the view that the specific order-making powers found in ss. 92(2) of Bill C-11 are already sufficiently qualified.
  • Bill C-11’s qualifier for order-making “to the extent that is reasonably necessary to ensure compliance with this Act” is not present in the domestic private sector privacy laws of Alberta, BC, or Quebec, nor in the United Kingdom’s Data Protection Act 2018, the New Zealand Privacy Act 2020, or Ireland’s Data Protection Act 2018.
  • In its submission, the OPC also calls for the ability to order an organization to “take measures which allow individuals to be compensated for damages suffered, financial or otherwise, stemming from a breach or violation of security safeguards required by law.”

Prepared by: PRPA


Compliance Agreements - OIPC Recommendation 8

Key Messages

  • The OPC considers compliance agreements as an important means of efficiently resolving matters.
  • That said, we believe compliance agreements under Bill C-11 require amending to improve their effectiveness.
  • For instance, C-11 should allow for payment of an agreed Administrative Monetary Penalty and other negotiated compliance measures to be added to compliance agreements.
  • We have also called for C-11 to allow for inquiries to be resolved through a compliance agreement or other negotiated settlement.

Background

  • The OIPC has recommended that PIPA be amended to enable the Commissioner to enter into a compliance agreement with an organization on such terms as the Commissioner considers appropriate, with enforcement by the court in cases of non-compliance.
  • While our Office already has the authority to enter into compliance agreements under PIPEDA, and it persists in Bill C-11, we have called for amendments in Bill C-11 to permit:
    • The resolution of inquiries through compliance agreements;
    • The registration of compliance agreements with the court, making them equivalent to an order of the court; and,
    • The addition of the payment of AMPs and all other negotiated measures as possible terms within compliance agreements.

Prepared by: PRPA


Improving Regulatory Information Sharing and Cooperation - OIPC Recommendation 9

Key Messages

  • The ability to work and/or share information with other government authorities is essential given the cross-border and cross-sectoral nature of illegal uses of personal information.
  • PIPEDA and Bill C-11 allow the OPC to enter into information-sharing agreements and cooperation agreements with foreign and domestic privacy regulators.
  • C-11 would also allow the OPC to enter into arrangements with the CRTC and Competition Bureau to publish research and develop procedures for disclosing information.
  • C-11 needs to be amended to allow the OPC to collaborate with a broader range of regulators and domestic partners, including allowing collaboration with the CRTC and Competition Bureau on formal matters including investigations and inquiries.

Background

  • The OIPC recommends that PIPA be amended to explicitly enable the Commissioner to enter into information-sharing and cooperation agreements with foreign privacy regulators, as well as domestic regulators with overlapping jurisdictions.
  • The OPC’s recommendations aim to enable us to enter into agreements with the Competition Bureau and Canadian Radio-television and Telecommunications Commission to collaborate on investigations, inquiries, or other formal matters.
  • We have encountered situations in which collaboration with non-data protection authorities such as provincial human rights commissions, credit reporting regulators, or the Office of the Superintendent of Financial Institutions would have benefitted an OPC investigation.

Prepared by: PRPA


Enforcement Powers - OIPC Recommendation 10

Key Messages

  • An effective regulator is one that can act proactively, and has the ability to rely on its expertise to target enforcement actions against business activities that pose the highest risk and inflict the greatest harm to the privacy rights of individuals.
  • My Office is calling for Bill C-11 to be amended to give us the authority to proactively initiate complaints to “ensure compliance” with the law. As drafted, the Bill only allows the OPC to initiate investigations “if…there are reasonable grounds to investigate a matter”.
  • Our call for revised audit thresholds in Bill C-11 (or for similar investigative tools) is consistent with other regimes such as Alberta, Quebec, the GDPR, Ireland, UK and Australia.

Background

  • The OIPC recommends that the Commissioner’s enforcement powers be completely revamped to align with BC’s Freedom of Information and Protection of Privacy Act. At a minimum, PIPA should be amended to:
    • remove the “reasonable grounds” threshold for Commissioner-initiated audits or investigations;
    • clarify the Commissioner’s order-making power in Commissioner-initiated investigations; and
    • enable the Commissioner to file orders in court.
  • The OIPC states that the proposals in the CPPA will strengthen the federal oversight framework (with the noted exception of the creation of the Tribunal).

Prepared by: PRPA


Legal Privilege and Individual Access - OIPC Recommendation 12

Key Messages

  • The OPC believes that regulators should, at least in the case of access complaints where privilege is being claimed, be able to request and receive records protected by solicitor-client privilege, in order to assess claims of statutory exemptions.
  • We have requested amendments to Bill C-11 to that effect.
  • Similar powers currently exist under the BC PIPA, as well as in the Alberta PIPA and the federal Privacy Act.
  • Where such abilities exist in law, they should remain.

Background

  • The Canadian Bar Association (BC Branch) and the Law Society of British Columbia have called for amendments to how claims of solicitor-client privilege are made under PIPA:
    • The Law Society of British Columbia has asked that such claims be decided by the courts, not the Commissioner.
    • The CBA wants to see removed the Commissioner’s ability to compel and view records subject to a claim of solicitor client privilege.
  • The OIPC’s September 2020 submission responded to these calls by indicating that there should not be amendments that:
    • Would oust the Commissioner’s role in deciding, under court oversight, if an organization’s claim of solicitor-client privilege has been established; or
    • Remove the Commissioner’s ability to view allegedly privileged records where undeniably necessary.
  • The OIPC states that the current PIPA provisions are appropriately robust protection for solicitor-client privilege and that their policies are suitably fair, rigorous and efficient.

Prepared by: PRPA


Scalability/Small and Medium-Sized Enterprises (SMEs)

Key Messages

  • Modernized privacy laws will help SMEs by supporting innovation, alleviating the current trust deficit in the digital economy and facilitating SME participation in international trade.
  • Bill C-11 requires the OPC to consider factors including size, revenue and volume of information in exercising its powers and duties. In conducting our work, we already give careful consideration to the realities and circumstances of organizations, including SMEs.
  • Certain of our recommendations for C-11, including on Privacy by Design, PIAs and record keeping, would be scalable, which should assist SMEs engaged in low risk activities.

Background

  • C-11 contains provisions that accommodate SMEs beyond those of s.108, such as:
    • 9(2) - PMP requirements scale with the volume and sensitivity of information an organization controls.
    • 76-80 - Codes and certification programs (though not explicit in the Act).
    • 94(5)(b) - Tribunal must consider impacts on business and ability to pay when determining appropriate penalties.
    • 109(e) - OPC must provide guidance to organizations on their privacy management programs on request.
  • A review of the 2020 World Intellectual Property Organization (WIPO) Global Innovation Index (GII) suggests that several of the top 10 innovative countries are subject to modern, recently updated privacy laws: 5 EU Member States (Sweden, Denmark, Finland, Netherlands and Germany), in addition to the UK, Singapore and South Korea. This shows that jurisdictions that have implemented modern privacy laws have not seen a drop in innovation.

Prepared by: PRPA
