The report draws on public submissions from numerous stakeholders, including the regulator (the Office of the Information and Privacy Commissioner for British Columbia, or OIPC), advocacy groups, the legal profession, technology firms, and other interested parties.
PIPA came into law in British Columbia in 2003 and has not been substantively updated since. Although section 59 of PIPA requires a review of the Act every six years, the reviews conducted by legislative committees have produced no changes to the law. A committee was formed in early 2020 to conduct the latest review, but its work was suspended following the introduction of Bill C-11, proposed federal legislation intended to modernize PIPEDA, PIPA's federal equivalent. Bill C-11 died on the order paper when the 2021 federal election was called, and the modernization of PIPA was revived as a result.
Although Bill C-11 did not pass, the election did not stop Bill 64, a modernization of Quebec's privacy legislation, from receiving Royal Assent; it became law in September 2021. With other provincial privacy legislation being updated, B.C. is likely to follow suit, especially since PIPA is dated and has not kept pace with technological and socioeconomic developments.
At this time, the report is not law, but is a document summarizing the purpose of the modernization. Its overall goals are:
- To provide better privacy protection for the general public
- To harmonize PIPA with other domestic and international laws
- To ensure that the private sector remains innovative and is not placed at a competitive disadvantage by aging legislation
The report provides a preview of what may pass into law.
What does this mean for your business?
The following changes have been proposed in the report.
Mandatory breach notification
Curiously, PIPA contains no requirement for companies to report privacy breaches to affected individuals (such as customers) or to the OIPC, even though such a requirement already exists in the other Canadian private-sector privacy laws and has been added to BC's public-sector FIPPA (Freedom of Information and Protection of Privacy Act). Mandatory breach notification would hold companies accountable for reporting privacy breaches to their customers and to the regulator.
Automated decision systems (ADS)
Automated decision systems are forms of AI intended to automate decision-making, and they are often the flagship product of a technology firm. They are fed personal information provided by customers, which an algorithm or SaaS solution then uses to produce decisions about the individual. Examples of automation using an ADS include insurance (including workers' compensation) claim processing, credit card or loan approval, marketing messaging and campaigns, and eligibility for admission to academic programs.
The problem with ADS is that biases coded into the algorithm may inadvertently produce results that harm customers' rights and civil liberties. Rather than simply giving customers an opt-out button to avoid automated decision-making, the report recommends better regulation and technical measures to identify and remove coded bias from algorithms as far as possible. It is difficult to say at this time what those measures would look like, but the report calls for greater transparency from companies about how their ADS work, along with a stronger right for customers to access that information as it pertains to them.
Consent
There remains an imbalance of power between an organization and a customer over how the latter's personal information is used. Customers, and even employees, may consent to the collection, use, disclosure, and retention of their personal data, but there are cases where that consent is coerced rather than freely given. Consent forms are also becoming increasingly lengthy, written in language that is indecipherable or confusing to the public, and some include complex legal terms.
The report calls for consent forms to be made more easily understandable, listing the types of personal information collected and the ways in which the organization processes that data. It also calls for the identification of sensitive personal information, with additional consent requirements to safeguard the public. These classes of sensitive data include, but are not limited to, biometric data, political views, sexual orientation, religion, medical and health information, and personal information about minors.
Data portability
Data portability gives customers the right to obtain a copy of their personal information, which organizations must be prepared to provide in a common, machine-readable format. This right already exists in European (GDPR), American (e.g., California) and Quebec law. Companies should have a process for readily retrieving a customer's data and providing it to them, in addition to any self-service features that let a customer download the personal information they have supplied to the organization.
Privacy Impact Assessments (PIAs)
PIAs are required in the BC public sector but not yet in the private sector. PIAs are recommended for any system that holds sensitive personal information, so that the risks of processing personal data are properly assessed before a software product or similar initiative is launched. The PIA may be a prescriptive form with set questions established by the OIPC, or may be adapted to the ways in which a business collects, uses, and discloses personal information.
Fines and enforcement
At present, the penalties for violating PIPA are a maximum of $10,000 for individuals and $100,000 for organizations. They are enforceable only through the BC court system, which is slow and may take years to reach trial; the COVID-19 pandemic has strained the courts further with delayed trials and court appearances. More importantly, the OIPC has no authority to levy these fines itself, so violations may be tied up in court for years. The report calls for the BC Information and Privacy Commissioner to be given the legislative power to levy fines. Whether the amounts will mirror those in other jurisdictions is uncertain, but with Quebec introducing fines comparable to Europe's, similar developments can be anticipated for PIPA.
How can Kobalt.io help?
We offer a number of privacy-related offerings that can help you achieve compliance, including the following:
- Privacy Gap Assessments: a review of your company’s privacy program, with recommendations for alignment and improvement to help you get compliant
- Privacy Impact Assessments: a completed PIA of your company’s product, with evaluation of risks and measures to mitigate
- Data Privacy Officer (DPO) as a Service: access to Kobalt’s privacy expert to assist you on privacy-related queries, including breach response
Rewatch our previous lunch and learn to find out more about the modernization of BC's PIPA.
If you have more questions about PIPA, chat with us anytime!