Fifth Session, 41st Parliament (2020)
Special Committee to Review the Personal Information Protection Act
Virtual Meeting
Tuesday, June 2, 2020
Issue No. 3
Membership
Chair: Rachna Singh (Surrey–Green Timbers, NDP)
Deputy Chair: Dan Ashton (Penticton, BC Liberal)
Members: Mable Elmore (Vancouver-Kensington, NDP); Adam Olsen (Saanich North and the Islands, BC Green Party); Steve Thomson (Kelowna-Mission, BC Liberal)
Clerk: Susan Sourial
Minutes
Tuesday, June 2, 2020
2:00 p.m.
Virtual Meeting
Ministry of Citizens’ Services:
• Kerry Pridmore, Assistant Deputy Minister and Chief Records Officer
• Matt Reed, Executive Director, Privacy Compliance and Training
Office of the Information and Privacy Commissioner:
• Michael McEvoy, Information and Privacy Commissioner
• oline Twiss, Deputy Commissioner
• Jeannette Van Den Bulk, Deputy Commissioner
TUESDAY, JUNE 2, 2020
The committee met at 2:05 p.m.
[R. Singh in the chair.]
R. Singh (Chair): Good afternoon. I would like to welcome everyone to our meeting today. My name is Rachna Singh. I’m the MLA for Surrey–Green Timbers and Chair of the Special Committee to Review the Personal Information Protection Act.
I would like to begin by recognizing that my constituency is on the traditional territory of the Coast Salish peoples — in particular, the Kwantlen, Katzie, Semiahmoo and Tsawwassen First Nations people.
We are an all-party parliamentary committee of the Legislative Assembly with a mandate to review the Personal Information Protection Act. We are beginning our review by meeting today with the Ministry of Citizens’ Services and the Office of the Information and Privacy Commissioner for British Columbia. We have one hour set aside to hear from the ministry this afternoon, including approximately 40 minutes for the presentation and 20 minutes for questions from the members.
Just a reminder, Members, that if you have a question you would like to ask after the briefing, please raise your hand. We will keep a speakers list.
Now I’ll ask the members of the committee to introduce themselves. I’ll start with Dan Ashton, who’s the Deputy Chair of the committee.
D. Ashton (Deputy Chair): I’m Dan Ashton. I’m the MLA for Penticton to Peachland.
Kerry and Matt, nice to see you. I look forward to hearing the presentation.
S. Thomson: Steve Thomson. I’m the MLA for Kelowna-Mission. Thanks for coming in today to present to us. Look forward to the presentation and the work of the committee.
A. Olsen: Adam Olsen, MLA for Saanich North and the Islands and the territory of the W̱SÁNEĆ people. Nice to see you today. Thank you for this presentation.
R. Singh (Chair): Thank you so much. We are still waiting for Mable Elmore. Hopefully, she will join us very soon.
Also assisting the committee today are Susan Sourial and Stephanie Raymond from the Parliamentary Committees Office. Billy Young from Hansard Services is also here to record the proceedings.
We are pleased to welcome Kerry Pridmore, who is an assistant deputy minister with the Ministry of Citizens’ Services, and Matt Reed, who is the executive director for privacy, compliance and training, who are joining us virtually today. Thank you so much.
Kerry, please proceed.
Briefings on Statutory Review of Personal Information Protection Act
MINISTRY OF CITIZENS’ SERVICES
K. Pridmore: I just wanted to say thank you to the committee for inviting us to join you today.
I will do some introductory remarks. The primary presenter will be Matt, who is our privacy expert, I would say, representing the province. We work closely with all ministries and public post-secondary institutions and, obviously, external to that.
We, too, would like to acknowledge that we’re joining you today on the traditional territory of the Lək̓ʷəŋin̓əŋ-speaking people.
The purpose of our presentation today is to provide some overview and background information on the Personal Information Protection Act. Our hope is to provide you with some understanding — I’m going to use either the term “PIPA” or “the act,” just to keep it short — to outline the primary principles that underpin PIPA and to provide some context around the implication of potential recommendations. So ideally, it’s to set the stage a little bit for you as you begin the process that you have in front of you.
It is not listed there, but of course, we’re here to answer any questions that you might have. We’ll be pleased to do so at the end.
With that, Matt is going to take the lead on the slide, please.
M. Reed: All right. First, I’ll say that I’ve done a lot of presentations on privacy and privacy legislation, and it is or can get quite complex, so I’ll take no offence at all if you want to chime in with a question mid-stream and not wait until the designated question period at the end. If something will help you understand it as I’m going through, then by all means, you can indicate that you have a question to ask in the tool there.
The first thing I think we need to talk about in terms of understanding the tasks that you have ahead of you with this special committee is understanding the placement of the act that you’re looking at amongst other pieces of privacy legislation. It isn’t the only piece of privacy legislation here in B.C. or in Canada. So it’s important for you to be able to differentiate between the others.
Obviously, the Personal Information Protection Act, or PIPA, is the one that you are most primarily concerned about, but another one that is important for you to know about is the Personal Information Protection and Electronic Documents Act. I will refer to this as PIPEDA. You’ll often hear many other iterations of the same thing. But this is the federal private sector privacy legislation. This applies to federal works or undertakings — so things like banks, airlines, telecommunication companies, businesses that are federally regulated across Canada. They will fall under the federal piece of legislation. That is not what we’ll be talking about today.
The other one that’s important to know and I’m sure you’re a little bit more familiar with is the Freedom of Information and Protection of Privacy Act, or FOIPPA or FIPPA. This is the public sector privacy access legislation. This is the one that applies to public bodies in B.C. You’ll see some similarities. A lot of the principles are going to be the same, but they are fundamentally different acts that apply to different spaces. So it’s, again, good to have a sense of when one applies and when one doesn’t apply.
If you want to click to the next slide. Also important to know is the role of different organizations with respect to PIPA. As I said, FOIPPA is maybe a little bit closer to a lot of the work that you do generally, but with PIPA, it’s important to know that the role of government is a little bit different because it doesn’t apply to government. We are the ones who set the rules. We drafted the legislation and passed it, but it is actually the commissioner that has a much larger role because they are the ones that have to uphold and administer the act.
You’ll hear a lot more on-the-ground information from the commissioner’s office, as they are the ones who more actively push out guidance with respect to the act. You’ll see that they do investigations under the act. So they’re much more involved in the day-to-day of PIPA.
Then, of course, businesses and organizations have a role to play as well, which is actually following the act that we as government pass and the commissioner administrates or adjudicates. You know, everybody is kind of playing their part, playing their role, and, again, it’s important to understand as you’re thinking through the act and its effectiveness.
If you flip to the next slide. What is it exactly that we’re talking about? As I’ve said already, it is a privacy-based act. The intent is to protect the personal information of citizens. What you’ll hear a lot about this act is that it is a commonsense set of rules that’s applied, really, to the collection, use, disclosure, retention or security of personal information. You know, the way that we often frame this for businesses in B.C. is if you would think about how you would want your information handled and you do that, you’re probably on the right track. It’s not a super complex piece of legislation. We try to make sure that it is something that will resonate with businesses so that they understand how to follow it.
Another important aspect of it is it seeks to balance an individual’s right to privacy — that individuals shouldn’t have to give up their privacy to do various things but a recognition that businesses and organizations need to collect, use and disclose personal information in order to do their business, in order to work, to operate. So there is kind of a balance of interest that we are seeking to serve here, that businesses can do what businesses need to do but individuals aren’t in a vulnerable position because of that.
Another thing that you’ll see a lot is, as we talk through the act and if you have a read through it, there are a lot of aspects of it that are based on a reasonable person test. Again, fairly intuitive. Would a reasonable person in normal circumstances think that this is a reasonable thing to do? If that’s the case, then, again, you’ll have a good sense of where you’re landing with respect to that particular part of the law.
Again, trying to connect this piece of legislation in a meaningful way to individuals as they’re reading it so they don’t have to go through decades or centuries of legal precedent in order to make sense of it. They look at it and say: “Well, I think that would be reasonable.” That’s going to get them pretty close to the right spot.
You will see that it does provide individuals with the right of access and correction to their own personal information and that there is a place for oversight set out for the Office of the Information and Privacy Commissioner. As I mentioned, in terms of giving the legislative context, B.C.’s PIPA was a response to the federal PIPEDA act that was passed and also to things that were happening in the European Union as well.
One thing to note is that PIPA is not a broad set of access rights to information within the private sector, so it is very different from FOIPPA. Where FOIPPA would allow people to gain access and transparency into things that public bodies are doing, you don’t get that same visibility into what businesses are doing. You have access to your own information but not broadly to everything that they hold. And as I said, it is certainly not a complex set of rules that’s going to somehow prevent businesses from collecting and using personal information if it’s for legitimate business purposes. That is the intent: to enable businesses to operate respectfully.
We jump to the next slide, a very quick history lesson here. In 1984, the OECD produced guidelines around the protection of privacy, and these were followed a little bit later, in ’96, by the Canadian Standards Association, or CSA, that issued a model code around privacy. You know, it wasn’t too long after that that the European Union passed a directive on data protection. What we see in a lot of different places are the same principles coming up, the same basic premise of what we’ve built privacy legislation on.
There’s an important note here that PIPEDA was a response to what was happening in Europe, because there was a concern by the European Union that Canadian law was not sufficient to adequately protect Europeans whose information was held in Canada. There was a desire to make sure that there are roughly similar frameworks in place to protect the information of people that are, say, having their information go back and forth between the two jurisdictions. Again, understanding how PIPEDA connects to and ties to the European Union will then help you understand why it’s important for B.C. and the context between B.C. and the federal government.
If you click to the next slide. When PIPEDA was introduced, it included a clause that said if individual provinces wanted to develop their own similar legislation, the federal act wouldn’t apply to businesses that are operating within that province. This kind of spurred B.C. to look at developing such legislation, which we have here in front of us, for B.C.
The year before PIPEDA was actually passed, B.C. struck an all-party special legislative committee to look at information privacy in the private sector. In their report, they had recommended that B.C. enact legislation to protect the privacy of individuals whose information is held in B.C. in the private sector. That was one of the factors that supported us developing PIPA.
In addition, businesses found that PIPEDA was quite complex, and if you have read through it, I am sure you will agree with them. They found it a little bit difficult to interpret and, generally speaking, found that they kind of needed to go to lawyers in order to support them understanding whether they were doing something correctly.
It was felt that in the provincial private sector, because a lot of the businesses are going to be smaller businesses, the regulatory structure should be something that’s workable and easy to apply. We don’t want every business in B.C. to have to see a lawyer every time they want to roll out a new service or talk to a new person.
Another important note here is that the federal government had to use its trade and commerce powers in order to implement PIPEDA, which means that it could not cover the non-profit sector. So in B.C., this was seen as something of a gap, because there are a lot of non-profit organizations that cover youth organizations or health and counselling groups who would have sensitive information. We saw this as something of a gap that needed to be covered and included in a B.C.-specific solution around privacy.
Lastly, under PIPEDA, the province would have been subject to the federal Privacy Commissioner, who has less power or authority than the Information and Privacy Commissioner for B.C. So the B.C. commissioner has order-making power while the federal commissioner really only has the power to make recommendations, more of an ombuds-type role. So we saw that as a benefit of having B.C.-specific privacy legislation for the private and non-profit sectors.
Generally speaking, the stakeholder support was there. Again, they wanted something that was easy to understand and easy to work, and we did a number of sessions at the time to validate that this was the case and what this sector wanted to see.
Generally speaking, what we heard was that it reflected generally good privacy practices. Businesses want to be able to demonstrate that they’re doing the right thing, and demonstrating it needs to be easy in the same way that understanding the rules needs to be easy as well. So there was a lot of support in terms of rolling this legislation out.
If you jump to the next slide, we’ll talk a little bit more about the nuts and bolts of the act itself. So as I said, this is privacy legislation. But in order to understand how it applies, you kind of need to understand what it applies to, and understanding the definition of personal information is a key part to that.
The definition of personal information in PIPA is very similar to what it is for the public sector, which is information about an identifiable individual. It can be a lot of different things. It can be your age, your marital status, a photo or an image of you. It could be your personal opinions, amongst many, many other things.
Some things that it does not include, however, are your business contact information — so the information on your business card, if you’re handing out your business card for business reasons — or your work product information. Work product information is what you’re generating as part of doing your work. So maybe an information note. You’re signing a contract. You’re doing work for a business. You’re creating something.
The reason this was carved out was to, again, balance the needs of individuals versus businesses. So you have a business that wants to protect, say, a patent or work that you were working on for them, but you want to be able to give individuals their own information. So you want to make sure that they can get what they need but that businesses are able to protect what they need as well.
If you jump to the next slide here…. I’ve kind of implied some of this, but in terms of the application of PIPA, a lot of different types of organizations that it applies to…. So businesses are obviously one of the bigger groups, but there are a lot of other groups, like societies, non-profits, strata corporations, religious organizations, unions. A lot of organizations are covered by PIPA. Again, because we were passing this as a provincial statute and not, like PIPEDA was, under their commercial portfolio, we were able to apply it to a lot of other organizations that PIPEDA doesn’t apply to.
The goal here is, again, that any organization that is handling the information of British Columbians is doing so in responsible ways so we’re not creating gaps where there might otherwise have been.
If you jump to the next slide, a couple of organizations or groups that are not covered by PIPA…. It does not apply to personal or domestic uses. So you as an individual in your home or sort of walking about the street don’t need to worry about how this might apply to you. But once you arrive at your workplace, that’s when you are wanting to think about it.
Journalistic, artistic or literary uses are also not covered. So media, a print artist or a writer — it wouldn’t apply to them in terms of what names they’re including in their book or that kind of thing. Public bodies, who are obviously covered under FOIPPA, the courts, are also excluded from PIPA, as well as information that would be captured by that federal act.
As I said, the banks, the telcos — all of those would not be captured by PIPA because they’re covered under another act. Otherwise, virtually every other organization in B.C. would be covered by PIPA, so it is fairly broad-spanning.
If we click through to the next slide, I’ve mentioned this before that the Canadian Standards Association and the OECD having privacy principles or standards…. What we have here are ten different privacy principles, or the fair information practices. You’ll see these fairly commonly across the globe, really. These principles are fairly widely adopted. I won’t say that they’re universal, but they’re quite broad. Sometimes you’ll see eight principles. Sometimes they’re ten. They cover the same things. They’re just sometimes grouped differently. But these are essentially the principles that underpin the legislation.
We’ve always found that talking through the principles is a much more effective way of learning what the legislation actually covers and requires than a line-by-line review of the legislation itself. So that’s what we’ll do here. We’ll do a quick walkthrough of the principles, and that’ll be about it for me.
In terms of the first principle, it’s around accountability. This is a big one, which is why we put it first. What we’re looking for here is for organizations to appoint somebody as their privacy officer — somebody to be responsible for privacy in their organization and the information that is held for their organization.
For some very large organizations, you’re going to have a dedicated privacy officer. That is going to be their title. For smaller businesses, this is probably going to be a part of their work that they do off the side of their desks. If it’s a mom-and-pop business, it’s going to be mom or pop that’s going to be the privacy officer and may not have that in their title. Really, what we’re looking for is that somebody understands that privacy is their responsibility and responds to complaints or issues that may come in.
Jumping to the second principle, which is identifying purpose, this is a very important part around privacy, because it helps to inform an individual as to what is happening with their information. It allows them to make choices about what to do in that interaction.
If they understand…. If somebody tells them, “I need information so that I can open an account for you,” they can say: “Oh yeah, okay. I get that. Well, here’s the information that you need.” Or they could say: “I’m not really comfortable with that. Can you do without it — yes or no?” Then they can decide, “Okay, I will still give that to you,” or: “No, I’m going to leave this interaction. I don’t want to do business with you.”
They can make choices based on how they are informed of how their information is going to be used. This can be done verbally or in writing, but what we want to see is that it is reasonable and appropriate. Just because you’ve identified a purpose for somebody, it doesn’t mean that you can collect it. There are limitations on that collection. But we want to make sure that individuals are informed of what that is. As I said, opening an account could be one, or program enrolment.
Sometimes if you go to a store to buy, say, a shirt, they will ask for your postal code. If you ask them why, they need to be able to say: “Okay, well, it is for marketing purposes. We want to know where our customers are coming from.” They need to be able to give you a reason so you can say: “Oh, that seems reasonable.” You can give them your postal code or say: “I’m not really interested in supporting your marketing. I’m going to buy the shirt, and that’s enough for me.”
On the next slide there, consent is probably a fairly familiar concept — and one that is, again, fairly important to privacy. It supports collection, use and disclosure across the board, but it can come in many different forms. It can be express consent, where you’re saying, “Do you consent to this?” whether it’s in writing or verbally.
There can also be implied consent or deemed consent, where what’s happening with the information is obvious. If you go, again, to buy a shirt and they ask for your credit card, that is your personal information, but the purpose for them using it and the understanding of consent is applied there, because you are handing over your credit card so that you can pay for the thing. You know what your credit card is being used for. You know that you’re going to get it back after they’ve swiped the card or tapped the card. That would be deemed consent there.
It can also be opt-out consent, where you are given an opportunity to be told what’s happening with your information, and you can say: “No, I don’t like that.” But if you don’t say anything, then they will assume that you do consent to that. Sometimes you’ll see this around agreeing to get a newsletter from a company that you’re buying something online from, say.
There are some instances where consent is not required, but they are fairly limited and, again, common sense. If there’s a medical emergency, obviously, we don’t want someone to come to harm because we’re tapping them on the shoulder waiting for them to give us consent. We want to make sure that the medical treatment is given quickly, if needed. If it’s necessary to collect a debt, say, that’s another example where it wouldn’t be needed. If I owed money, and they were asking for consent to collect information about me, I probably wouldn’t want to give that information so that I didn’t have to pay that debt. Again, in commonsense places where it makes sense, we wouldn’t require consent.
However, in the instances where we do require consent, there are rules around that. We can’t deceive people and tell them it’s for one thing and then use it for another. We also can’t require consent beyond what is necessary. We can’t prohibit a withdrawal. If someone wants to withdraw their consent down the road, they can do that. We just would need to inform them of what’s going to happen. So if they say, “No, I don’t want you to have that information anymore,” you can say: “Well, this is how our ability to provide you services would be impacted.”
If we could go to the next slide there, another important difference here between PIPA and PIPEDA is its application to employees. We want to make sure that the employees’ information is protected, but understanding that employees’ relationship with a business is very different from a customer’s. They can’t decide, “Oh, I don’t like this. I’m going to go buy a shirt at another store,” because this is where they work. The dynamic between the business and the individual is fundamentally different.
That’s not a consent-based relationship, but we want to make sure that anything that is being collected, used or disclosed from or about employees is done for a reasonable purpose that is necessary for managing employment relationships. Again, a nice limitation that makes sure that it is balancing the need of the business with the right of the individual. We want to make sure that employees are informed of the collection, use or disclosure, except, again, some commonsense exceptions where it would make sense not to do so, like in investigations.
On the next slide here, for convenience, I’ve combined a couple of different principles that are around the same thing, which is, again, limiting what you’re doing with someone’s information. Whether limiting collection or limiting use, disclosure, retention, the idea here is that we’re not doing more with someone’s information than is necessary to do what we’re trying to do or do what is reasonable. We want to make sure that if you don’t need to use information, you don’t collect it in the first place.
It’s not the case that we want to just collect information and then maybe we’ll have a use for it down the road. You should have an intent to use information and have that use be reasonable. Disclosure, the same way. We don’t want people sharing information beyond what is required to provide an individual with whatever service they’re getting from that particular organization or business. Retention is kind of trying to limit the risk. So the longer you hold information, the longer you have to do something bad with it or for something bad to happen with it.
If you don’t need the information, if it’s not useful for your business, you don’t need to…. There’s a requirement that if you’re making a decision, you keep it at least for a year, so an individual has time to get to it. But generally speaking, if you don’t need it anymore, then you should be getting rid of it. If you are a travel agent, and you had a client who took a cruise 25 years ago and has never been back since, that’s somebody who should be thinking about getting rid of that information, because it’s only going to come at more risk by hanging on to it longer than you need.
Again, trying to balance this idea that if you do have a need for it, and you’re actively using the information to provide services or provide information — say you send out a monthly newsletter to all of your cruise ship customers — that’s fine. You can use that information and have that information for that purpose. But once you stop using it, you really should think about getting rid of it.
If we go to the next slide here, this is something that is very similar between the private sector and the public sector, which is accuracy of information. Organizations must ensure accuracy and completeness of information to a reasonable effort. This is around when you’re making a decision that is going to affect an individual. If you’re going to, say, hire somebody, you’re going to give somebody a job….
Maybe we’re talking about an animal shelter, and you’re going to vet whether somebody is a good home for an animal. You’re making a decision about an individual. You want to make sure that that is based on accurate information, that you’re not making a decision that impacts an individual based on someone else with the same name or based on your guess of who that person might be. You want a reasonable effort, again, to make sure you’re making decisions on good information. This is especially the case when you’re disclosing to another organization as well.
Another requirement here that is fairly similar across the public and private sectors is around security. Security and privacy go hand in hand. In order to keep information private, you have to make sure that it is secure. Reasonable security is a really good way to make sure that if the personal information we’re talking about is low sensitivity — perhaps somebody’s lunch order — the security requirements aren’t going to outweigh the benefit of actually providing a service like giving somebody lunch. But if what we’re talking about is counselling information, and this is about their mental health, we want to make sure that that information is very secure.
Having it be reasonable means that it is appropriate given the sensitivity or volume of the information. When we’re talking about security, that appropriateness or proportionality will apply to the physical, technical and organizational procedural controls.
Is it locked away in a cabinet? Is it password protected? Do you have rules for your employees not going into locked cabinets without reason to do so? So a lot of different ways that you can protect information, but we want to make sure that individuals or businesses or organizations are protecting individuals’ information that they have.
Going to the next slide here around openness, transparency — again, another important facet of privacy generally. We do want organizations to be open and transparent so that individuals can understand what their information practices are. Businesses need to have written policies around privacy and access, and we want those policies to address their obligations around collection, use and disclosure, and to be able to provide those.
Most often this is the kind of thing you will see at the bottom of a business’s website, where they will tell you how they are going to treat your information. The larger the organization or the more complex their operations, the more likely they are to have multiple policies or directives or procedures around how somebody’s information is handled in a particular way. Again, important in terms of demonstrating compliance, demonstrating accountability to the act and to the requirements that you have.
There are other practices that businesses can take, again, to be open. Not necessarily required in the same way, but if a collection notice, or the reason why you’re collecting information, is written down, that is far better than simply doing it verbally. Anything written down that you can subject to more scrutiny is more positive for the individual to make their own decisions around that business.
The ninth principle that we have here is around right of access and correction, as well. For individuals, this is somewhat similar to what we have in the public sector, where an individual does have a right to access their own personal information. They can also be afforded an explanation as to how it’s being used or how it was used, who it was disclosed to.
For some businesses, this is a task that might take a little bit of work, so there is an ability to charge a fee based on what it would actually cost to produce that information. But we often encourage businesses to not charge a fee if they don’t need to, because individuals should have a right to access their own information.
If we jump to the next slide here, there are exceptions to this rule. It isn’t just an outright rule. So if, in giving you your information, it would reveal the identity of another individual, that would be a place where your ability to access that information would be somewhat limited.
An example here would be a reference check. If I’ve applied for a job with a B.C. business, and I maybe haven’t gotten the job, I can ask for the information they have about me, which would include things like references. But if that’s going to reveal the identity of somebody who maybe gave me a negative reference, then that’s a situation that needs to be balanced so that we’re protecting the privacy of the referee without denying me access to the information that’s about me.
This provides privileges and other sorts of limitations. If there’s confidential business information tied to that personal information, or if it’s related to an ongoing investigation — again, commonsense places where a normal, reasonable person would say: “Yeah, I think that makes sense that an individual wouldn’t necessarily have the same rights to that information as they would normally have.”
The other half of the coin around access to information is actually correcting information when it is incorrect. So an individual has a right to ask an organization to correct their personal information. This isn’t a right of appeal. This isn’t: “I want you to reconsider a decision.” This is: “You have information about me, and that information is wrong.”
Maybe I’ve been denied a benefit or a job or something. If that information is factually incorrect, then I can have that information corrected. If the information can’t be corrected or it would be inappropriate to do so, then the organization is obliged to annotate or note somehow on the file or on my information that I have asked for that correction or what the correction I’ve asked for is.
You know, if a doctor’s diagnosis, say…. The doctor is not going to change their diagnosis if they believe that they’re correct. But if I’m asking for them to change that diagnosis or I think they’ve made it based on wrong information, they should be adding that to my file as well. If they do correct information, then they should be notifying anyone else that they’ve provided that information to as well. So carrying through that system, where my information goes incorrectly, it should be corrected as well.
Then the last principle here is around being able to challenge compliance. So we want individuals who feel like the organization is not upholding the privacy principles, not meeting the letter of the law, to have an ability to say: “I don’t think what you’re doing is correct, and I think you need to fix that. You need to correct what you’re doing with my information or treat it differently or what have you.”
Organizations have to have a process in place to respond to complaints. It should be simple, it should be accessible, and they should be looking into all complaints and taking corrective measures where possible. The OIPC may ask them how that process went or what that process is. So it’s, again, important in terms of giving individuals a right to feel like they can have their information managed correctly if they disagree with where the organization has landed on that reasonableness test.
Of course, if they disagree with the business, then they can always go to the Office of the Information and Privacy Commissioner and file a complaint with the OIPC to say: “We disagree about how my information was handled.”
Again, lots of avenues for individuals to feel like they have a say and that their interests are being balanced against the organization.
Just one last slide here. Now that I’ve given you an overview of the act itself, giving a sense of just the privacy landscape generally. Privacy is a bit of a hot-button issue on any given day. That’s not necessarily always been the case. There’s a growing trend around awareness. Individuals and businesses, organizations, are much more aware of the fact that privacy is not only a concept but is an important concept.
A lot of different factors at a societal level have influenced people to change their opinions or change how they prioritize privacy in their life. Technology has been a really big one. The conversations we are having around privacy post–social media are much more than the conversations we were having prior to that. The online space has dramatically changed how people feel and think about privacy generally.
Various tools that we see…. A lot of protests happening right now. There’s a lot of conversation around the technological tools that could potentially challenge somebody’s privacy, particularly when they’re doing something that’s…. They might want to protect that information.
The magnitude of privacy breaches has also changed. When you think of many businesses that operate, say, internationally, they’re holding a lot more information than they would have pre-Internet or pre-social-media age. There’s a consolidation of information, which makes any given breach that much bigger.
The breaches that we’ve seen, say, in the news — Facebook, Equifax, Home Depot — in the last five years or so are very, very big incidents involving huge corporations that hold huge amounts of our information. This is kind of feeding into this idea of increased awareness, because maybe you didn’t think about privacy, but maybe you will now after a random store that you were shopping at has experienced this very large-scale breach.
The scrutiny has also gone way up, whether that’s from the media, from individuals, competitive businesses. If one business disagrees with what their competitors are doing with somebody’s information, I’m sure that you would hear that in the industry journals or in the media in some form. People are interested in privacy, which means there’s more space for conversation about privacy, say, in the papers and journals or on line generally.
Then the last big piece here that I want to make sure I mention is changes in other regulatory environments around privacy. The GDPR in Europe and the California consumer protection and privacy act are two quite big new pieces of legislation in different stages. What we’re seeing is large jurisdictions jumping into this space in a very different way than maybe they have before. GDPR is still a fairly new but very progressive piece of legislation.
We want to look to and understand things before making any changes to our specific legislation so we’re understanding whether we’re in sync with where other people are going or whether we need to move away from there because of the impact of what they’ve done. Given a little time and space, we can see how effective these pieces of legislation are and make decisions based on more data, which is always great.
Then the last piece here is around changes to PIPEDA. Making changes to PIPEDA was outlined for the federal ministers — of Innovation, Science and of Economic Development — in their mandate letters. So we do have an understanding that there are changes happening here.
There have been recent changes, just a few years back, in PIPEDA as well. Because we have a need to stay substantially similar to that act, in order to take up the space in B.C. with our own provincial privacy legislation, we need to keep a very close watch on what the federal government is doing to make sure that we are still in line with them and not challenging our status as being substantially similar so that we can retain that privacy legislation.
I’ll pause right there. You are all very patient with your questions, I’m sure. If you have any questions, I’m happy to take them now.
R. Singh (Chair): Thanks so much for the presentation.
We’ll start with you, Steve. I understand you have a question.
S. Thomson: Thanks, Matt and team and Kerry, for the presentation — very comprehensive and gives us a good background.
I just had sort of general questions, maybe just to get your perspective, primarily around the current landscape. You mentioned covering off the gaps, things like that. I’ve got three questions that I noted as you were going through the presentation.
One is: do you think there are still some gaps, or is there anywhere where the legislation doesn’t apply that you think maybe it should?
The other is: my sense is that the test…. A lot of this is based on the test of reasonableness all the way through, when you look at what’s reasonable — what’s reasonable; what’s reasonable in terms of security? — and whether you have a perception that people’s perceptions of the test of reasonableness are changing and whether the legislation is deficient in any way in that area or whether that’s something that needs to be addressed more through guidance, documents and the oversight of the Privacy Commissioner and things or whether there’s something there.
The other one was just around the reporting of breaches and the number of significant breaches we’ve seen. I know there has been an issue around whether or not businesses, organizations and agencies should be required to report those breaches. My understanding is the current legislation doesn’t require them to do that.
Maybe those are my three quick questions. If some of it’s more of a political response, that’s fine. Just say so. But I just wanted to get — you guys are the experts in this — your perception of those.
M. Reed: In terms of gaps, I’ll say: not in my experience. For the most part, what we hear in B.C. is that we are covering things that other places don’t.
In B.C., our political parties are captured by PIPA, which is not necessarily the case everywhere else. This is a place where B.C. is hitting a gap that other jurisdictions aren’t. So it may just be that it’s more visible where we’re covering things that other places aren’t. But I haven’t seen, in my experience, any places where it was like: “Oh wow. That’s a gap, and we definitely need to cover that area.”
In terms of the reasonableness test, one of the reasons why I really like the reasonable person test is because it does shift with the norms of the day. Whereas maybe 15 years ago data encryption was the biggest and best thing you could technically do to information, now it is base level expected. Things that were maybe out of reach five or ten years ago suddenly become the thing that we consider to be reasonable today.
The expectations of privacy are going up. What a reasonable person is expecting is probably a little bit higher than it would have been generally.
Again, in my experience, I’ve found that that reasonable test is tracking well. It’s not like people are giving up on privacy and don’t care about it. Because they do care about it, that test has worked well for us.
In terms of the reporting of breaches, I think what you’ll see generally is the larger businesses that have more mature privacy practices…. When they do have a breach they will notify people of the breach or they’ll notify the commissioner of their jurisdiction of the breach.
I don’t think anybody is saying: “Hey, Equifax, with all of your people in this space, I can’t believe you went against the trends.” What they’re saying is: “Good for you. You notified all of the people that you should have notified.”
I think it’s probably the case that businesses should be moving to where the more mature organizations are. A breach at a barbershop is very different than a breach at Equifax. So there’s a scale there. But generally speaking, I don’t think anybody is going to fight a requirement to notify either individuals or the commissioner’s office. They know that if they don’t notify people and people find out, which they often do, it would be so, so much worse. Being transparent, being open is always the best way to go in this space.
S. Thomson: Thanks.
R. Singh (Chair): Dan, did you have a question?
D. Ashton (Deputy Chair): Rachna, just quickly.
Matt, thanks for the presentation, but we need to bring it forward to today. In my area, there are numerous businesses that are closing because of what has transpired. A lot of them…. Some I know do retain consumer inputs to their various organizations. My understanding is that for the federal government, seven years tax information must be maintained.
What about personal information when the business closes? Should it be destroyed at that point in time?
M. Reed: That’s an interesting question. The base-level requirements that we have in PIPA are that if you are making a decision about an individual, you need to keep it for at least a year. But there’s an acknowledgment that other requirements may apply to that same information. So information that needs to be kept for a year, under PIPA, maybe needs to be kept for seven years under a tax statute.
What we’re looking to do in PIPA is set the bare minimum to make sure that an individual has an ability to get to the information if they need to — say, to, again, correct a decision that has been made about them or some way that they’ve been impacted.
Again, if my local barber keeps a picture of how I like my hair, and then that barbershop closes down, I don’t think he has a need for that information anymore. So I would expect him to get rid of that information, because I don’t want my haircut information to be suddenly stolen from his home because he’s not securing it like he would in his business.
Essentially, the protection of privacy should extend beyond the termination of the business itself. You still have an obligation to the people who were your customers. Sometimes the most privacy-protective thing to do is to get rid of that information, as long as you don’t have any other legal requirements hanging on, hanging to that information.
D. Ashton (Deputy Chair): Okay. Thanks, Matt. I appreciate that.
R. Singh (Chair): Adam?
A. Olsen: Thank you, Matt, for the presentation, and thank you for this opportunity.
When Steve asked the question with respect to maybe some of the gaps that need to be filled…. I don’t know how this lines up — we’re going to be hearing from the commissioner in the next little bit — but there is some advice that he gives us in his report with respect to three specific areas that a previous committee had found that might need to be addressed. In his recommendation, he said: “Well, a detailed report is coming in the fall presentation.”
Have you had a chance to see his submission to the committee with respect to a couple of areas, specifically — I just want to make sure that I get this — in terms of the recommendations that he makes to us around mandatory breach reporting, the ability to levy administrative monetary penalties and the ability to conduct investigations? Some of these have been around since the last time that this has been investigated. Do you have any thoughts on that?
K. Pridmore: I can answer that question, just to say that we’re certainly aware of those three recommendations coming from the OIPC. I haven’t seen if there’s a more recent report that you’re suggesting is going to be produced as a part of this process. It might come as part of a submission. We have not seen that.
Those three things are consistent things that the commissioner has raised with us in both the past two special committees that ran. He has raised them with us outside of that process as well. So that would not be a surprise to us.
A. Olsen: Just from the perspective of the ministry, then, those are not…. I guess I just want clarification in the response that the legislation or the status of where we’re at is good and that British Columbia remains an area that people look to. I think I’m just trying to reconcile that with these areas that the commissioner has raised. Are these areas that we need to be looking at moving forward? What is the position of the ministry on that?
K. Pridmore: I think most of those areas we would be supportive of, looking at those three areas….
I welcome Matt to add anything specific to any of the three, any critiques on the three, that you would like to.
M. Reed: I think that covers it. Their recommendations are not out of sync with what we’ve heard and seen before. So it’s certainly not a crazy idea that’s right out of left field. It’s something that we’ve heard consistently.
R. Singh (Chair): My understanding is that we have MLA Elmore joining us by phone.
Mable, do you have any questions?
M. Elmore: No, thanks, Rachna. I’m good. I’ve been on line. It’s just that the video wasn’t working.
R. Singh (Chair): Okay. Good to have you.
I would like to thank Matt and Kerry. Thank you so much. That was a really good presentation. Especially, it will really help us with our process as we start talking with the stakeholders. Thank you so much for joining us. We really appreciate your time.
K. Pridmore: Thank you.
M. Reed: Thank you.
R. Singh (Chair): Members, we will take….
Susan, say about a five-minute break?
S. Sourial (Clerk Assistant, Committees and Interparliamentary Relations): Sure.
R. Singh (Chair): Okay. We’ll take a five-minute break, and then we’ll come up with the second presentation.
The committee recessed from 2:57 p.m. to 3:02 p.m.
[R. Singh in the chair.]
R. Singh (Chair): Welcome back, Members. We are pleased to welcome Michael McEvoy, Information and Privacy Commissioner for B.C. Along with Michael, we have oline Twiss and Jeannette Van Den Bulk, who are both deputy commissioners.
We are in a virtual meeting format. We have one hour set aside to hear from the OIPC, including approximately 40 minutes for the presentation and 20 minutes for questions from committee members.
I will ask the members of the committee to introduce themselves….
S. Sourial (Clerk Assistant): It’s a glitch. We’re trying to address the issue.
R. Singh (Chair): That’s okay. Let’s take a recess for five minutes.
The committee recessed from 3:04 p.m. to 3:05 p.m.
[R. Singh in the chair.]
R. Singh (Chair): Welcome back, Members. Sorry for that glitch.
We are going to start with the introductions of the committee members. I’ll start with myself. I’m Rachna Singh, MLA for Surrey–Green Timbers, and I’m Chair of the committee.
We’ll start with Dan Ashton, who’s the Deputy Chair.
D. Ashton (Deputy Chair): Good afternoon. Always nice to see Michael and your team again. I represent the area of Peachland and Penticton. So thank you, and welcome.
S. Thomson: Good afternoon, everybody. Good to see everybody again. Steve Thomson, MLA for Kelowna-Mission.
A. Olsen: Good afternoon. Nice to see you all. Adam Olsen, MLA for Saanich North and the Islands. Happy to be here this afternoon.
M. Elmore: This is Mable Elmore, MLA for Vancouver-Kensington.
R. Singh (Chair): Michael, please go ahead.
OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER
M. McEvoy: Good afternoon, Chair, Deputy Chair and committee members. Thank you for the invitation to address you this afternoon.
First, it is important to respectfully acknowledge that we are located on the traditional territories of the Lək̓ʷəŋin̓əŋ people, also known as the Songhees and Esquimalt First Nations. Of course, we acknowledge all First Nations across the province who our office serves.
Joining me today are Deputy Commissioners Jeannette Van Den Bulk and oline Twiss.
Chair and committee members, as your province’s access and privacy commissioner, I have one task to accomplish this afternoon as you begin your important work to review the province’s Personal Information Protection Act. That task is to make clear that now is the time to reform B.C.’s private sector privacy law. The B.C. government needs to clarify, strengthen and enhance privacy protection to benefit both B.C. citizens and businesses.
The Personal Information Protection Act was once considered cutting edge. While its foundation remains strong, PIPA requires additions to bring it into line with modern standards of privacy protection.
Chair, as you observed in your statements opening this review, the COVID-19 pandemic has significantly changed how many of us work and communicate. The spread of the virus has also changed the way businesses operate, schools run and people practise their faith. We are by necessity full participants in a digital world. As more of our personal information finds its way on line, we need to know we can trust organizations to properly handle that information, but the way personal information is collected and processed today is often outside the plain view of the individual or regulator.
As the Deputy Chair noted, artificial intelligence, a technology sustained by the harvesting of personal information, is advancing on a scale that could not have been imagined in 2003 when PIPA was enacted. AI operates in the shadows and includes algorithmic decision-making machines, data mining, data matching and facial recognition. Its use is pervasive and often opaque. How can we, as citizens, trust these technologies and the companies that operate them to properly handle our personal information? It turns out that, without proper regulation, we can’t.
Most recently a single event with sweeping global implications drove that point home both for citizens and regulators. It is an event with which I am intimately familiar because I was there, and I helped to lead an investigation into it.
Just over two years ago I found myself in a cramped lawyer’s office in London, England. I had been seconded from my role here in B.C. as the OIPC’s deputy commissioner to the Information Commissioner’s office in the United Kingdom to help lead an investigation into how Britain’s political parties handled the personal information of voters. That project took a very different turn in that London law office.
The U.K. commissioner and I were invited to meet, under a veil of confidentiality, with a person we were told had worked for a certain company, then little-known, called Cambridge Analytica. I’m not sure what I expected to hear on that grey January day, but what transpired was truly shocking. This individual told a story of appalling abuse of personal data by Cambridge Analytica, aided by personal information supplied to it by tech giant Facebook.
We learned, among other things, how Cambridge Analytica extracted the psychological profiles of millions of Facebook users to weaponize targeted political messages. The whistle-blower who disclosed all of this to us is now well known to the world. His name is Christopher Wylie.
Our team at the ICO was the first regulatory or law enforcement authority to question Christopher Wylie. Weeks later we were to discover the full extent of one of the world’s most notorious data breaches. We learned that an app had been developed called This is Your Digital Life that allowed Cambridge Analytica to harvest the data of some 85 million global Facebook users, including 600,000 in Canada and 87,000 in British Columbia.
The explosive story appeared two months later in the New York Times and Guardian newspapers. It would have seismic implications for privacy around the world, including British Columbia. Suddenly people everywhere began to understand how their personal information could be exploited. The words “Facebook–Cambridge Analytica” became synonymous with what could go wrong when you share personal information on a platform like Facebook.
These intertwined names seared themselves in the public’s consciousness, exposing what can happen with personal information when automated digital technologies rule. The public began to ask: how could this happen? Were companies allowed to do this? What was government doing about it? And what were regulators doing about it?
When I returned home in late March 2018 to accept my appointment as B.C.’s fourth Information and Privacy Commissioner, there was no escaping the fallout from the issues I investigated in the U.K. As it turns out, there was a deep connection to Canada and B.C. In a strange twist of fate, the whistle-blower, Christopher Wylie, hailed from Victoria. And there was another B.C. connection. AggregateIQ Data Services, the company that helped weaponize the Facebook data on behalf of Cambridge Analytica’s parent company, SCL Elections, was also based here in Victoria.
It became immediately clear to me and my federal counterpart, Privacy Commissioner Daniel Therrien, that coordinated regulatory action on the Canadian front would be required. We joined forces to look at both Facebook–Cambridge Analytica and the activities of AIQ. We found that Facebook did little to ensure that its data of its Canadian users was properly protected. Its privacy protection program was, in our words, an empty shell. We also found that Facebook failed to properly audit many of the apps that were given access to its user data.
In the case of AIQ, we found, among other things, the company had developed Project Ripon, an architecture designed to make usable all of the personal data harvested by Cambridge Analytica. None of the people whose data was taken and manipulated had given their consent.
Our joint investigation reports on Facebook and AIQ determined that the two companies’ actions were contrary to B.C. and Canadian privacy laws. Both Commissioner Therrien and I were asked, in the wake of our findings, what penalties could be imposed on these companies. The answer exposed the complete inadequacy of Canadian and British Columbia privacy laws when it comes to protecting the public’s personal information. The total administrative penalty I could issue was zero. The same held true for the federal Privacy Commissioner, whose authority extends to provinces outside of B.C., Alberta and Quebec.
How can this be acceptable today when the public expects us to hold organizations accountable for the collection and use of their personal information? Meanwhile, we cannot ignore the fact that the rest of the world has moved ahead of B.C. and Canada. In 2018, the British parliament, recognizing the inadequacy of its own administrative monetary penalty system in the wake of the Facebook investigation, adopted the General Data Privacy Regulation, otherwise known as GDPR. The GDPR’s fining authority allows for a penalty of up to 4 percent of a company’s annual turnover. That includes global turnover.
The GDPR sets out a standard that it’s not just about fines. It provides a much higher level of privacy protection than existed previously. It has gained recognition as the gold standard globally and has become the model of a number of national laws outside of the European Union.
We in B.C. must be cognizant of these higher protections because our trade, for example, with European countries is closely tied to whether Canada’s personal data protection laws meet the adequacy requirements under the GDPR. Without an adequacy determination, B.C. businesses are at a competitive disadvantage.
PIPA was a somewhat state-of-the-art piece of legislation upon its enactment in 2003, but in 2020, that is no longer the case. We must get our house in order.
To put matters into perspective, when PIPA was enacted almost 20 years ago, Mark Zuckerberg had not even started to write the computer code for what would become Facebook. Since then, the world of personal information and collection, and use of it, has exploded. If there was any doubt about the digital world’s impact on everyday society, we need to look no further — as you have said, Chair — than the events that have transpired during the COVID-19 epidemic.
How does the Personal Information Protection Act confront the challenges we have in front of us? I referred a moment ago to putting our house in order. Building on that metaphor, the house that is PIPA is of relatively new construction. It has a sound foundation and a good basic structure, but over the past 17 years, its interior has experienced a lot of activity by individuals and organizations alike. What may also not be so obvious from curbside is that the original builders left several major rooms unfinished. Time moves on, but you never quite get to finishing those rooms. Day after day you realize the limits of the dwelling’s functionality.
This, I submit to you, Chair and committee, is your challenge: to complete the parts of PIPA that are incomplete. PIPA’s foundation, which is strong, rests on two pillars.
The first pillar is consent. With limited exceptions, organizations require and should continue to require consent of individuals before collecting and using their data. Ensuring that consent is meaningful is a challenge, especially in the digital world. I expect that over the course of your deliberations, you may hear more about this and the need to enhance the consent provisions of the act.
PIPA’s principle-based approach of consent, modified in part by employment situations and a handful of other exceptions, means its structure is flexible, and it can be adapted to changing technologies. This is certainly one of PIPA’s strengths. It does not have to be amended every time a new kind of technology is developed.
The other foundational pillar of PIPA is its recognition that organizations need to collect, use and disclose personal information for purposes, as the statute states, a reasonable person would consider appropriate in the circumstances. This, in my view, gives plenty of room for B.C. businesses to collect and use personal information in ways that can drive innovation in B.C.’s economy, and in particular the tech sector.
We are fortunate in this province to have a burgeoning tech sector. It is spreading its wings not only in the Lower Mainland and on southern Vancouver Island but also in places like Kamloops and Kelowna. I have spoken with a number of businesses and entrepreneurs who understand the important value of privacy and the bond of trust it creates with customers and clients. They want to do the right thing when it comes to privacy, and our office continues to provide guidance wherever we are able to assist organizations to implement scalable privacy management programs.
To that point, when the GDPR passed into law in Europe in May 2018, a number of B.C. and Canadian businesses revised their privacy policies to more closely align with what is considered to be the world’s benchmark for data protection.
Businesses and citizens are ready for change. They want and deserve laws that better protect personal information, legislative changes that will give greater confidence for consumers and organizations in everything from digital commerce and bricks and mortar services to social media and charitable gift giving.
So what work does this unfinished house of PIPA require? I expect your consultations will generate a number of proposals, and we will provide our own detailed work plan in the weeks to come. For now, I will focus on two matters: how one room can be finished, and the other is a proposal to solidify PIPA’s foundation.
The unfinished work that most desperately needs your consideration is mandatory breach notification. Privacy breaches happen when the security safeguards that an organization puts in place to protect the personal information in its custody and control are violated. Breaches expose British Columbians to identity theft, financial harm and reputational harm. Yet in B.C. in 2020, there is no legal requirement that an organization report a significant breach to my office or to those individuals exposed to a significant risk of harm. This is not acceptable.
Further context, I think, is of assistance. We are witnessing a dramatic increase in the number and magnitude of privacy breaches in the private sector in this country. Based on his examination of this issue, my colleague the federal Privacy Commissioner estimates that 28 million Canadians were affected by a privacy breach in 2018 — approximately 70 percent of our population.
When our office last appeared before the committee to review PIPA in 2014, we told members about a breach of highly sensitive personal health information by a testing laboratory in Kamloops. That breach affected more than 16,000 British Columbians. Five years later, in December of 2019, the very same company revealed that its computer system had suffered a cyberattack involving the personal health information of 15 million Canadians, including five million British Columbians. That company was LifeLabs. LifeLabs is now the subject of a complex investigation by my office.
Chair and committee members, my office has reached the limits of what we can do to tackle this critical issue. We have stressed the importance of privacy management programs for organizations. We have provided timely guidance documents. We have targeted organizations with a year-long educational campaign called PrivacyRight. And we have made scores of presentations to organizations, including small and large businesses, not-for-profits, political parties and more. Our efforts at education and outreach are not enough to protect British Columbians, especially as the digital economy expands.
PIPA stands almost alone in North America in its lack of mandatory breach notification provisions. Both Alberta and federal private sector privacy laws were amended to require organizations to notify commissioners of significant breaches. Mandatory breach notification exists in almost every state in the U.S. It is also included in the GDPR and many other jurisdictions across the globe.
It is absolutely critical that organizations be required to tell individuals and regulators when a privacy breach could cause a real risk of significant harm. We now receive voluntary reports of breaches both by public bodies and private organizations. That is a good practice, but it represents only the tip of the privacy breach iceberg.
When those breach reports come to us, we see our main task as helping the organization — helping them stop the breach and notify affected individuals when necessary. We also look at the organization’s privacy management programs to see where they can be improved. In some cases, we see privacy and security policies that are, to be blunt, appalling. But what are the consequences for an organization failing to report a breach or failing to invest in the protection of the personal information it holds? Beyond an admonition from my office, effectively there are none.
We must create an incentive for companies to invest in the privacy and security of people’s personal information. It is, for this reason, necessary to legislate more than mandatory breach notification alone. Simply naming and shaming organizations will not bring compliance.
Mandatory breach notification without penalties is like installing a state-of-the-art alarm system in your home, but no one in authority is there to respond. To be effective, mandatory breach notification must be backed by the ability to levy administrative monetary penalties. Fines are needed to incentivize compliance. Administrative Monetary Penalties, or AMPs, change the calculus of how organizations think about their investments in proper security and privacy programs.
AMPs pair reputational damage with serious financial penalty. Or framed in a more positive light, AMPs create incentive to do the right thing. A recent survey by the federal Privacy Commissioner’s office found that seven in ten Canadians would be more willing to do business with a company if it faced the threat of heavy fines for misusing their data. It is clear that a fair and robust regulatory regime is good for citizens and for business confidence.
Trust is the currency that underlies all transactions involving personal information between people and organizations. The changes proposed to PIPA that we have touched on today and will further detail in the weeks to come will help build that trust. They will ultimately serve the public interest and that of all B.C. organizations.
When the Legislature built PIPA from the ground up in 2003, we were recognized as a Canadian leader in personal information and protection. With your guidance, we can lead again. We hope that your work will not end with the issuance of your report. Should you conclude that PIPA requires reform, we would submit that you are expertly placed to champion your blueprint for change with the executive branch of B.C.’s government.
This committee’s work could not have come at a more critical juncture. The serious need for privacy reform has only been amplified by the pandemic we are all living through.
We have provided our initial written submission to you, and we look forward to participating in the entire consultation process and providing additional submissions as the committee’s work unfolds.
Thank you again for undertaking the task that you are embarked on. Thank you again for the opportunity to appear before you. I would now be happy to respond to any questions that you may have.
R. Singh (Chair): Thank you so much, Michael. That was really good information that you gave us and also a lot of questions for the committee members to think about as we get into our meetings with the stakeholders, especially recognizing the gaps that you have mentioned, especially about the breach reporting and also about the penalties.
I’ll ask my other members if they have any questions.
S. Thomson: Thanks, Michael, for the presentation and the passionate approach to the issues that you’re raising here.
A couple of questions. We’re aware — or I think we’re aware — of some of the cross-jurisdictional work that’s being done, of the changes that they’re working at, at the PIPEDA, at the federal level. Are those changes primarily in response to meeting the standards of the GDPR — to bring it up to that? Is that what’s driving the federal initiative?
M. McEvoy: I think it’s twofold. Yes, GDPR absolutely, for certain, is a driving reason why the federal government would want to move and progress their legislation.
The adequacy requirements…. We talk about adequacy. It’s a term, really, which means that business between Europe and Canada can happen. Data can go back and forth without any particular special arrangement because each jurisdiction is satisfied that the privacy protections in place in each other’s jurisdictions are good.
What’s happening now, because Europe has raised its standards, is there is a question. Are Canada’s standards sufficient? That is an open question. You think about all of the things in GDPR that exist, including fine-making power, the right to understand how an algorithm is dealing with an individual and making decisions about them. That’s a couple of examples.
It’s forced Canada to look at its laws. But as much as anything, I also think it has raised awareness on the part of the public and the concerns that the public now has. I think the landscape has undoubtedly changed.
I mentioned my experience with the Cambridge Analytica and Facebook investigation. I was astonished about the ramifications of that. I think it brought home to the public an understanding of what can go very wrong when data is misused, and it raised a lot of questions. The public is a lot more aware.
It’s GDPR, but I also think there’s more of a political imperative now on the part of governments to move, keeping in mind, of course, that in British Columbia, it’s not PIPEDA which rules; it’s PIPA. It’s the legislation that you’re entrusted with. So when we look at fining, for example, a company like Facebook, that responsibility vis-à-vis B.C. citizens rests with my office, not the Canadian commissioner. So that’s why we have to be looking at these things carefully.
The other thing I want to say just about that is that while Canada, hopefully, will move forward, British Columbia should not wait. We did not wait in 2003 on a couple of matters. The Legislature in British Columbia saw fit to, first of all, provide the office I am now commissioner of with order-making power. It didn’t exist in Canada federally; it doesn’t exist now.
Also, the scope of the legislation. I think you asked the question of Mr. Reed earlier about gaps. I took his answer about gaps or the lack of gaps to actually be about the scope of the legislation. We have very broad scope in British Columbia, including political parties, as you probably know, whom I recently — our office — investigated.
B.C. didn’t wait for Canada in 2003. We sketched out a broad scope for the legislation and gave order-making authority. Nor should we wait this time either.
S. Thomson: Okay, thanks. My second point, or question, I guess, is….
The issue of mandatory reporting, as you pointed out, has been part of previous committees’ recommendations over quite a number of years. I guess I’d ask the question: what’s your sense of, maybe, why it hasn’t been moved forward on up till now? Overall, there’s the time frame when the committee recommended it, and obviously, governments have had a chance to consider it and haven’t moved forward to this point yet. Do you think it’s because there just wasn’t the buildup and awareness of the risks and things over that time? It wasn’t seen as necessary but maybe now it is?
Just your comments on maybe why you think it hasn’t been done up to date, even though it’s been recommended a number of times.
M. McEvoy: Well, I didn’t have any special eavesdropping equipment to give me an awareness of how those decisions were made about whether to proceed or not, but I do think your observation about…. Greater public awareness is changing the landscape, and I think it will create a much greater — not just awareness on the part of government — imperative for government to now move, understanding people’s expectations.
It is interesting. At so many places I speak at and talk about this issue, people are actually surprised. Members of the public are often surprised that breach reporting does not exist now. It’s because, I guess, it’s so much in the news, and I think there is an expectation there. But it’s really something that has to happen.
You know, the vast majority of businesses want to do the right thing. That’s been my experience. They will come to our office. We’ll give them assistance. But to be frank, there are bad actors out there, and frankly, there’s not a lot of incentive for them, at this point, or disincentive for them, to change their ways. I think what it’s going to do is it’s going to put the good guys on a level playing field with some of the less than savory actors in this field.
There are a whole bunch of advantages as to why we would want to proceed with mandatory breach reporting with fine-making power that goes in line with it. I do think there’s more of a basis, a public attitude now, for pushing ahead.
S. Thomson: Thanks for that answer. You’re right. You’re not privy to all of those discussions, I guess, and things.
I think it may also be a factor that good companies and organizations and agencies that had those breaches over that period of time, by and large, generally have been reporting as a good business practice. But maybe now we’re seeing, as you say, some other examples and things that create greater awareness of it. So maybe there wasn’t the driving need for that during some period of that time, but things have changed.
M. McEvoy: Yes. Agreed.
R. Singh (Chair): Thank you, Steve.
Adam, you had a question?
A. Olsen: Yeah. Thank you, and thank you for that presentation. I want to also thank you for the previous conversations that we’ve had — just you briefing me and briefing me on behalf of the B.C. Green caucus as we’ve gone forward. I’ve really appreciated it.
As Matt pointed out, it’s complex in how it all works. I think there are assumptions that the public makes that the government is protecting them and that the legislation that is directing that has all of the gaps covered. That’s not always the case.
I think so much has changed in this since 2014. I start to think back to a few events that I’ve been at recently. One was at the South Island Prosperity Partnership event, where they were talking about privacy and data. What’s actually changed a lot is how companies view data. Many of them are creating these big general baskets. “We’re going to use your data for….” These big general statements, because even they have no idea how they might use your data in the future.
I’m trying to think of…. Our relationship to natural resources is a pretty clear one in this province. You can see the tree. You can see the mineral that we’re extracting. There’s a certain number of aspects of it. But there are also scientists that are looking at finding different ways to tear that mineral apart or that tree apart and recreate it into other products. I think of viewing data that way, and our privacy and our information — just to know there are computer scientists that are looking at ways to utilize that data for profit. A lot of this, the legislation, needs to be able to recognize that this relationship changes.
I think, as you pointed out, we have a broad enough piece of legislation that allows that. But I think we also have to, as a jurisdiction, be at the forefront on this. We’re not going to be, I think, using less…. Data is not going to have a less important role in our society going forward. In fact, it’s going to be, probably, the number one resource that’s extracted from us — our personal information. How that’s used and how that shows up in our lives is going to be ever changing and more and more sophisticated.
Just think of the tracking apps that follow you around everywhere you go to remind you that you were shopping at an online store somewhere and looking at certain products. Just in how that happens, I think, is important to acknowledge.
Really, I don’t have a question at this point. I just want to acknowledge the importance of this and the sincerity of your plea to have us pushing this and taking these recommendations and encouraging our colleagues when we come up with recommendations coming out of this to actually do something with them this time. For whatever reason, it hasn’t happened in the past. But we have to make it happen going forward, I think, to make sure that we’re giving the commissioner and the commission — the office — the ability to actually do the work so that British Columbians can be secure that their information is secure.
I’m going to leave it at that. I just want you to know that I’ve heard what you’ve said, and I’m going to be taking that very seriously as we go forward here with our deliberations.
R. Singh (Chair): Thank you so much, Adam.
Any other questions? Dan?
D. Ashton (Deputy Chair): No, I’m fine. Thank you.
R. Singh (Chair): Thank you so much, Michael. I just had one question. You talked about your federal counterpart also looking for some changes. Looking at other jurisdictions, other provinces, do we have mandatory breach reporting in any other province, or penalties?
M. McEvoy: We have mandatory breach reporting in Alberta. In terms of planning forward — so if we are going to bring that reporting into British Columbia — it gives us a very good idea of the kind of resources that would be needed in order to meet those requirements. I talk frequently with my Alberta counterpart.
Canada has mandatory breach reporting requirements as well. As I mentioned, the federal commissioner has no order-making authority to back that up. Neither does Alberta. In fact, no privacy jurisdiction in Canada has administrative monetary penalties that they could levy. So British Columbia would be a leader again, I think, if our office was entrusted with that responsibility.
I should say, by the way, that this is something that is not new to my office. With my other hat…. Most of you will know I’m also the registrar for lobbyists in the province. We have an administrative monetary penalty system under that legislation, and I do levy fines for lobbyists who transgress the Lobbyists Transparency Act.
It’s something that you do in a measured way. Obviously, the first way to go is through education and guiding the people, because, for the most part, people want to do the right thing. Where that doesn’t work, there’s a system of progressive penalties. But it’s done in a reasonable manner, with education that comes first. Again, we’re well aware of how to administer that kind of system in our office.
R. Singh (Chair): Thank you so much. That was really important information. I really appreciate the time that you have given to us, and also your other members who are joining us.
I don’t think we have any other questions, but I will take this moment to thank you. Definitely this information will be very useful for us in the coming meetings.
M. McEvoy: Thank you very much.
D. Ashton (Deputy Chair): Michael, I just want to also say thank you. I look forward to working with you and your team to make sure that the proper changes and the required changes are put in place for the future protection of all British Columbians.
M. McEvoy: Thank you, Dan. I appreciate that.
Everybody take care and keep well at this time.
R. Singh (Chair): Any other questions, Members? Now I need a motion to adjourn.
Motion approved.
R. Singh (Chair): The meeting is adjourned. We’ll see you soon. I think next week. We are meeting next week. Thank you.
The committee adjourned at 3:46 p.m.