
17 December 2021

Special Committee publishes report on the modernization of BC private-sector privacy law

British Columbia’s private-sector privacy legislation, the Personal Information Protection Act (PIPA), was enacted in 2003. Since then, PIPA has been subject to legislative reviews every six years. The Special Committee appointed to conduct the most recent review released its report on December 6, 2021. According to its report, the Committee’s guiding values for the review were: maintaining privacy as a right for all British Columbians; promoting consistency with provincial, federal and international legislation; ensuring adaptability with new technologies; and supporting BC’s innovators.

The report makes 34 separate recommendations to amend PIPA. The recommendations focus on the following areas:

  • Alignment with other privacy legislation
    The Committee recommends bringing PIPA up to the high standards established by the European Union’s General Data Protection Regulation (GDPR) and the anticipated federal adequacy requirements (similar wide-ranging amendments to bring the federal Personal Information Protection and Electronic Documents Act closer to the GDPR died on the order paper before the recent federal election, but are expected to return).
  • New and emerging technologies
    The Committee recommends reflecting modern information practices, including data de-identification, automated decision-making systems, and biometrics, and addressing their effect on privacy. Since regulation in these areas could have far-reaching economic and social consequences, the Committee recommends public consultation to study the long-term impacts of these emerging technologies.
  • Meaningful consent
    The Committee recommends including new provisions to ensure that individuals understand how their personal information is being used so that they can give meaningful consent (as discussed generally in the “Guidelines for obtaining meaningful consent” released by the federal, BC and Alberta privacy commissioners in 2018). Sensitive information (e.g., biometric data, information about children and youth, political views, religion, etc.) should require explicit consent and data handling practices. The Committee also recommends developing guidance explaining the importance and benefits of implementing the “privacy by design” principle.
  • Mandatory breach notification
    PIPA is Canada’s only private-sector legislation without mandatory privacy breach notification requirements (PIPEDA and Alberta’s PIPA have breach notification provisions, as does Quebec’s new privacy legislation that is coming into force over 2022 and 2023). Similarly, the Committee recommends that PIPA require organizations to notify affected individuals and the Office of the Information and Privacy Commissioner of significant privacy breaches.
  • Access to personal information
    The Committee recommends strengthening PIPA’s provisions around access requests.
  • Employer accountability
    The Committee recommends adding a distinct section related to employee privacy that includes: protections for employees who make privacy complaints against their employer; limits on the collection of employee data; and a requirement to post information about employment privacy rights and responsibilities in workplaces. Similar protections would be extended to employees and others who witness a privacy violation or complaint. The Committee also recommends addressing the increased use of employee personal devices in the workplace and the potential risks involved in those activities.
  • Health information
    BC health practitioners are subject to various privacy requirements, including under PIPA, FIPPA, PIPEDA, and BC’s E-Health Act. This patchwork approach can make it difficult for health practitioners to know and understand their privacy obligations. The Committee therefore recommends creating separate legislation governing the collection, use and disclosure of health information in the public and private sectors.
  • Office of the Information and Privacy Commissioner
    It is well-known that Canadian privacy regulators generally have limited enforcement powers (especially compared to the GDPR’s significant penalty scheme). Similar to Quebec’s new privacy legislation, the Committee recommends enhancing the Commissioner’s ability to conduct audits, identify and investigate systemic issues, enforce PIPA through audits and compliance agreements, and (perhaps most significantly) levy administrative monetary penalties that are “set at an amount that is a sufficient deterrent” to PIPA violations.

The Committee’s report contains many other detailed recommendations. Overall, the report envisions extensive changes to modernize PIPA and bring it in line with more recent privacy regimes like the GDPR. However, we will have to wait and see which recommendations, if any, actually make their way into PIPA.

This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.
