This report is the culmination of public submissions from numerous stakeholders, such as regulators (including the OIPC, or the Office of the Information & Privacy Commissioner), advocacy groups, the legal profession, technology firms, and other interested parties.
PIPA first came into law in 2003 in British Columbia and has not been substantively updated since that time. Although section 59 of PIPA requires an update every six years, the reviews conducted by committees have resulted in no changes to the law. Although a committee was formed to perform updates in early 2020, the updates were suspended due to the introduction of Bill C-11, proposed legislation intended to modernize PIPA’s federal equivalent, PIPEDA. The 2021 federal election resulted in Bill C-11 being halted, with the result that the modernization of PIPA has been revived.
Although Bill C-11 did not pass, the election did not stop Bill 64, a modernization of the Quebecois privacy legislation, from receiving Royal Assent. Bill 64 became law in September 2021. With the update of other provincial privacy legislation, B.C. is likely to follow suit, especially given that PIPA is dated and has not kept current with technological and socioeconomic developments.
At this time, the report is not law, but is a document summarizing the purpose of the modernization. Its overall goals are:
- To provide better privacy protection for the general public
- To harmonize PIPA with other domestic and international laws
- To ensure that the private sector continues to remain innovative and not be at a competitive disadvantage due to aging legislation
The report provides a preview of what may pass into law.
What does this mean for your business?
The following changes have been proposed in the report.
Curiously, PIPA currently has no requirement for companies to report privacy breaches to affected stakeholders (such as customers) and to the OIPC, although such requirements are already present in every other Canadian privacy law, as well as in the BC public-sector FIPPA (Freedom of Information & Protection of Privacy Act). The introduction of mandatory breach notification will ensure that companies are held accountable in reporting privacy breaches to their customers and to the regulator.
This gives customers the right to access a copy of their personal information, which entities must be prepared to provide in a common, machine-readable format. At this time, this right exists in European, American (e.g., California), and Quebecois law. Companies should have a process whereby they can easily retrieve customer data and provide it to the customer. This is in addition to any self-service modules where a customer can download the personal information they provide to an organization.
How can Kobalt.io help?
We offer a number of privacy-related offerings that can help you achieve compliance, including the following:
- Privacy Gap Assessments: a review of your company’s privacy program, with recommendations for alignment and improvement to help you get compliant
- Privacy Impact Assessments: a completed PIA of your company’s product, with evaluation of risks and measures to mitigate
- Data Privacy Officer (DPO) as a Service: access to Kobalt’s privacy expert to assist you on privacy-related queries, including breach response
Rewatch our previous lunch and learn to understand more about the modernization of PIPA of BC.
If you have more questions about PIPA, chat with us anytime!