B.C.’s privacy laws are out of date, out of step with international legislation and in need of reform, the B.C. Freedom of Information and Privacy Association (FIPA) and BC Civil Liberties Association (BCCLA) have told lawmakers.
“More than ever, personal information is being collected and stored in exponential amounts, processed in advanced analytics, and highly prone to being compromised. B.C. has an opportunity to regain leadership and amend its legislation to offer its citizens the protections they expect and deserve,” the submission said.
And, said FIPA executive director Jason Woywada, the COVID-19 pandemic has highlighted the need for increased privacy protections in the technological realm.
“COVID-19 has meant more digitization in our work and personal lives as organizations and people turn to digital platforms for solutions,” Woywada said. “It means more people working remotely and accessing goods and services through digital platforms.
“The gaps in protection offered through legislation are always important to highlight and address. Now, every new account and interaction increases the amount of information in the cloud and the risk to the individual,” Woywada said. “While personal responsibility is important, improvements in government protection through regulation and legislation need to address the increasing risk and changing landscape.”
And that, he said, provides a greater rationale than ever for B.C. “to proactively address the shortcomings of PIPA [Personal Information Protection Act] to ensure that we are keeping pace with the rapidly changing local and global privacy protection standards.”
Indeed, the groups said in submissions to the Legislature’s Special Committee to Review PIPA, if Quebec passes amendments for mandatory notifications of data breaches, B.C. would be the only North American jurisdiction without such a rule.
“PIPA must be amended because its privacy protections are inadequate based on its own stated objectives and in comparison to other jurisdictions,” the submissions said. “Public opinion surveys indicate that the public expects increased privacy protections and education, and B.C. businesses face a real economic risk in light of global privacy standards.”
The submissions point to the European Union’s General Data Protection Regulation (GDPR) as an example of good law, legislation B.C.’s Information and Privacy Commissioner Michael McEvoy has referred to as the gold standard.
British Columbians might also suffer if the province’s laws are not found to be adequate under a European assessment on data transfers.
“As the GDPR imposes highly stringent data protection requirements for transfer of personal information to countries without adequacy status, a non-adequacy assessment with the GDPR could have ‘far ranging implications for Canada’s trade relationship with the E.U.,” says (federal) Privacy Commissioner Daniel Therrien,” the submission said.
Such a finding might also affect B.C. trade with Asian Pacific countries, particularly Japan.
PIPA should be amended to expressly prohibit the downgrading of privacy rights protections by contractual agreement between public and private entities.
FIPA and the BCCLA made numerous recommendations of PIPA reform, including:
- making breach notifications mandatory;
- enhancing accountability and transparency by organizations
- mandating notification of people whose data is being collected at time of collection;
- mandating organizations to seek consent from individuals before transferring their personal information outside of Canada;
- mandating organizations’ privacy policies be accessible and understandable;
- mandating organization’s privacy policies be publicly available, rather than available on request;
- mandating organizations to perform privacy impact assessments of policies;
- designating those organizations that process highly sensitive or large-scale personal information to ensure compliance with PIPA with “expert knowledge of data protection law and practices”;
- mandating organizations’ responsibility for using contractual or other means with third parties to ensure that adequate privacy protections are in place when a third-party has access to British Columbians’ personal information;
- mandating organizations to undergo third-party external audits and compliance programs;
- ensuring B.C.’s privacy commissioner can conduct investigations or audits without a complaint and has order-making powers for non-compliant organizations;
- mandating description of private-sector entities’ methods for de-identifying personal information and ensuring that private-sector entities sharing personal information with another entity are responsible for overseeing the third parties use of the de-identified information; and
- ensuring individuals subject to automated decisions have a right to know about the logic involved in such decisions, including the factors considered and their weight.
The groups also suggest creating public information campaigns to educate people on privacy issues.