Letter to Committee on PIPA Review

July 30, 2020

Ms. Rachna Singh, MLA, Chair
Mr. Dan Ashton, MLA, Deputy Chair
Special Committee to Review the Personal Information Protection Act
c/o Parliamentary Committees Office
Room 224, Parliament Buildings
Victoria, BC V8V 1X4

Dear Ms. Singh and Mr. Ashton:

I would like to thank you for your invitation to participate in the public consultation being conducted by the Special Committee to Review the Personal Information Protection Act of British Columbia.

As the Privacy Commissioner of Canada, I am charged with overseeing compliance with Canada’s federal public and private-sector privacy laws. The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. PIPEDA also applies to federal works, undertakings and businesses in respect of employee and applicant’s personal information.

In general, PIPEDA applies to organizations’ commercial activities in all provinces and territories, except organizations that collect, use or disclose personal information entirely within provinces that have their own privacy laws which have been declared substantially similar to the federal law. In such cases, as with the British Columbia Personal Information Protection Act (PIPA), it is the substantially similar provincial law that will apply instead of PIPEDA, although PIPEDA continues to apply to federal works, undertakings or businesses and to interprovincial or international transfers of personal information.

Protecting privacy in today’s digital economy requires coordination at the domestic and international level. The Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) and my office have worked together on a number of issues, including the recent joint investigation against Facebook and Aggregate IQ made possible by a standing Memorandum of Understanding (MOU) between our two offices.^{Footnote 1}

As well, our offices, along with our provincial and territorial counterparts, recently issued a joint statement calling on governments to ensure that COVID-19 contact tracing applications respect key privacy principles.^{Footnote 2}

My colleague, Commissioner Michael McEvoy, has shared his experience and views on PIPA reform with your Committee on June 2, 2020 and I understand he will be providing additional comments this fall. I am writing to note my support for the recommendations put forth by Commissioner McEvoy, and to offer my Office’s experiences and perspective with the key legislative measures he outlined.

Keeping Pace

In our last Annual Report to Parliament, my Office highlighted the serious weaknesses with our current legislative framework for privacy.^{Footnote 3} While Canada used to be a leader in privacy protection, unfortunately the world is now passing us by. Countless jurisdictions worldwide have taken steps to enhance their privacy laws to better protect their citizens. The EU General Data Protection Regulation is the most notable example of legislative modernization in recent years that has raised the “privacy bar” worldwide.

In the United States, the California Consumer Privacy Act and recent legislative proposals for a comprehensive federal data privacy law all signal a move away from corporate self-regulation, containing actionable rights for individuals and penalties for companies that fail to adhere to the law. It is unclear why Canadians would not have similar protections of their rights and Canadian businesses not face similar consequences for failing to comply with the law.

Canada, at both the provincial and federal levels, should take meaningful action to enhance its privacy laws and gain back its reputation as a global privacy leader. This would have the benefit of not only enhancing protection of individuals’ rights and promoting trust in commercial activities but it would also help promote interoperability between jurisdictions, providing predictability and potential cost savings to Canadian businesses. Quebec has recently acted to amend its privacy laws with the introduction of Bill 64, and we hope this serves as inspiration for other Canadian jurisdictions to take similar action.

As noted by Commissioner McEvoy, the COVID-19 health crisis has made the need for robust privacy laws fit for purpose in the digital even more apparent. The current health crisis has made clear that technology can help serve legitimate public interest purposes, but it can also pose serious risks to privacy rights. We need laws that set explicit limits on permissible uses of data and provide for effective enforcement mechanisms, rather than be left to rely on the good will of companies to act responsibly. This would provide the necessary conditions to allow for responsible innovation and foster trust in government and business, giving individuals the confidence to fully participate in the digital age.

Mandatory Breach Reporting

Mandatory breach reporting is a fundamental element of modern global privacy laws, enhancing transparency and accountability in the way private sector organizations manage personal information. Under PIPEDA, breach notification and reporting obligations were made mandatory in 2018. Mandatory breach notification to individuals ensures people are made aware of instances where there is a risk or harm with respect to their personal information. Recordkeeping requirements and an obligation to report breaches to a privacy commissioner ensures accountability and oversight as to how breaches are managed and further prevented by organizations.

Since these obligations came in force under PIPEDA we have seen a large increase in breaches reported to our office This is positive. Awareness of these breaches, many of which would be unknown to our Office or individuals prior to these requirements coming into force, allows us better understand the nature of breaches under PIPEDA, and helps us to identify systemic issues, trends, and solutions. We are also better prepared to develop outreach and educational tools to help inform Canadians and to help businesses mitigate future risks as a result.

Our experience to date has shown that PIPEDA’s breach provisions could be improved if they were amended to require organizations to include an assessment of the risks of the harms to an individual and a description of security safeguards in their breach reports to our Office. Furthermore, we have found that breach recordkeeping provisions must require organizations to retain information such as the date of incident, a general description of the circumstances surrounding the breach, the nature of the personal information involved, and a summary of the organization’s overall risk assessment. In our view, this information is essential to the regulator’s ability to verify compliance with related reporting and notification requirements.

Administrative Monetary Penalties

Similar to Commissioner McEvoy, my Office has recommended that it is essential to have the authority to issue administrative monetary penalties for transgressions of the law. There needs to be real consequences for businesses that break the law, and incentives to comply. We have seen that businesses are not always interested in responding to our investigative findings, particularly when there are no real consequences for doing so.

Until recently, no Canadian privacy commissioner had the authority to impose administrative monetary penalties. Ontario’s Personal Health Information Protection Act (PHIPA) has changed this and Quebec’s Bill 64 may give our Quebec counterpart even broader powers in this regard. Privacy regulators across Canada have called on their respective governments to include these powers in modernized privacy legislation.

In most other jurisdictions, notably the European Union and the United States, laws provide for significant administrative monetary penalties imposed by the regulator.

Enforcement mechanisms should result in quick and effective remedies for individuals, and broad and ongoing compliance by organizations and institutions. Order-making powers combined with fines would change the dynamic of discussions with companies during investigations, leading to quicker resolutions for Canadians. As we have seen in our Facebook investigation conducted jointly with BC, currently an organization found in contravention of the law currently can simply ignore our recommendations and “wait it out”.

Order Making Power

While my Office does not currently have order making powers, we have long advocated for the need for such powers. Order-making powers would lead to quicker resolution of privacy complaints for Canadians. The time and effort our Office spends negotiating with organizations to implement non-binding recommendations results in significant delays in resolution times. Justice delayed is justice denied.

The ability for a Commissioner’s office to initiate an investigation without a complaint is a key measure for protecting privacy rights. In a world where business models are opaque and information flows are increasingly complex, individuals are unlikely to file a complaint when they are unaware of a practice that may harm them. The inability to issue orders in these instances results in an imbalance in enforcement of the law, and creates a gap in the effective protection of privacy rights. The ability to issue an order at the conclusion of an investigation where warranted should extend to all investigations that may be conducted by a privacy commissioner.

Conclusion

Thank you again for the opportunity to participate in this important consultation. I look forward to the results of the Committee’s review.

Sincerely,