Fifth Session, 41st Parliament (2020)

Special Committee to Review the Personal Information Protection Act

Virtual Meeting

Tuesday, June 9, 2020

Issue No. 4

The HTML transcript is provided for informational purposes only.
The PDF transcript remains the official digital version.


Membership

Chair:

Rachna Singh (Surrey–Green Timbers, NDP)

Deputy Chair:

Dan Ashton (Penticton, BC Liberal)

Members:

Mable Elmore (Vancouver-Kensington, NDP)


Adam Olsen (Saanich North and the Islands, BC Green Party)


Steve Thomson (Kelowna-Mission, BC Liberal)

Clerk:

Susan Sourial



Minutes

Tuesday, June 9, 2020

2:00 p.m.

Virtual Meeting

Present: Rachna Singh, MLA (Chair); Dan Ashton, MLA (Deputy Chair); Mable Elmore, MLA; Adam Olsen, MLA; Steve Thomson, MLA
1. The Chair called the Committee to order at 2:01 p.m.

2. Opening remarks by Rachna Singh, MLA, Chair.

3. The following witnesses appeared before the Committee and answered questions related to the Committee’s review of the Personal Information Protection Act:

1) IPP Consulting

Marilyn Sing

2) Condominium Home Owners Association of B.C.

Allyson Baker

Tony Gioventu

3) Gary Raddysh

4) Dr. Colin Bennett

5) Speech and Hearing B.C.

Anna Krueger

6) B.C. Freedom of Information and Privacy Association

Jason Woywada

7) Digital Discretion

Stephanie Perrin

4. The Committee adjourned to the call of the Chair at 4:12 p.m.

Rachna Singh, MLA
Chair
Susan Sourial
Clerk Assistant, Committees and Interparliamentary Relations

TUESDAY, JUNE 9, 2020

The committee met at 2:01 p.m.

[R. Singh in the chair.]

R. Singh (Chair): Good afternoon. I would like to welcome everyone listening to and participating in the public hearing today. My name is Rachna Singh. I am the MLA for Surrey–Green Timbers and the Chair for the Special Committee to Review the Personal Information Protection Act.

I would like to begin by recognizing that my constituency is on the traditional territory of the Coast Salish peoples, in particular the Kwantlen, Katzie, Semiahmoo and Tsawwassen First Nations, Kwikwetlem and Qayqayt people.

We are an all-party parliamentary committee of the Legislative Assembly with a mandate to review the Personal Information Protection Act. Normally, the committee would have held its public hearings in person. However, due to the COVID-19 pandemic, public hearings are being held by video and teleconference.

As part of our review, the committee is meeting today with individuals and presenters from various organizations to hear about how the act is working, along with any recommendations for improvements. British Columbians are also invited to send us their thoughts, in writing, before August 14.

All the information we receive will be carefully considered, as we prepare our report to the Legislative Assembly, which will be released in February 2021. More information is available on our website at www.leg.bc.ca/cmt/pipa.

I would just like to tell you a little bit about our virtual meeting format. Presenters will have ten minutes for their presentation and ten minutes for questions from members. For members who want to ask a question after the presentation, I ask that you raise your hand to indicate you have a question, and we will keep a speaking list.

All meetings are recorded and transcribed by Hansard Services, and a complete transcript will be posted on the committee’s website. A live audiocast of this meeting is also available on our website.

I will now ask the members of the committee to introduce themselves. I will start with Dan Ashton, the Deputy Chair.

D. Ashton (Deputy Chair): My name is Dan Ashton. I’m proud to represent the area of Penticton to Peachland. Thank you very much for attending our meeting today. Your information that you’re bringing forward will be incredibly important for the decisions that government will make in the future. So thank you again.

S. Thomson: Good afternoon. Steve Thomson. I’m the MLA for Kelowna-Mission, up in the Okanagan. I look forward to the presentations this afternoon. Thank you for joining us.

M. Elmore: Hello, everybody. This is Mable Elmore. I’m the Member of the Legislative Assembly for Vancouver-Kensington. I’m very pleased to join you.

R. Singh (Chair): Thank you, Members.

Also assisting the committee today are Susan Sourial and Stephanie Raymond from the Parliamentary Committees Office. Amanda Heffelfinger from Hansard Services is also here to record the proceedings.

Now we will start with our first presenter.

Presentations on Statutory Review of
Personal Information Protection Act

IPP CONSULTING

M. Sing: Good afternoon and thank you for providing this opportunity to present to the special committee on the Personal Information Protection Act, which I will refer to as PIPA throughout my presentation. My name is Marilyn Sing, and I am the principal consultant at IPP Consulting, a Victoria-based company….

[2:05 p.m.]

R. Singh (Chair): I want to just interrupt you. We have a timer here. Your time is for ten minutes. Your time just started. I’ll give you a warning when only two minutes are left.

M. Sing: Yes, that’s fine. Thank you very much.

My name is Marilyn Sing, and I am the principal consultant at IPP Consulting, a Victoria-based company focused on helping organizations meet their obligations to comply with British Columbia’s and any other applicable privacy laws.

I am a member of the International Association of Privacy Professionals. I received my designation as a certified information privacy professional in 2015. I keep myself up to date on Canadian and international privacy law changes to help my clients become or remain compliant and to prepare for the future. I maintain my certification through ongoing professional development.

Prior to becoming a privacy consultant, I worked for public, private and non-profit organizations in an operations, business development, risk management, marketing and communications role. I utilized my business background to implement privacy program controls that complement IT security and support business continuity.

I help my clients develop and implement a privacy management program by using the framework and component as outlined in the guidance document Getting Accountability Right with a Privacy Management Program. This document was developed by the federal, B.C. and Alberta privacy offices working together to provide consistent guidance on their expectations for the private sector.

From my work and perspective, there are five current problems with PIPA. The first problem is that when this law was enacted in 2004, we were leaders in privacy law, but now we are lagging behind. Privacy law in other countries has kept up with the digital transformation of our world and the increasing risk related to the protection of personal information. They have addressed this by implementing more robust individual rights, restricting the transfer of data across borders, requiring businesses to have data protection officers for large-scale processing and increasing sanctions with higher fines. Our law needs to change to be equivalent with the higher standards set by the European Union’s general data protection regulation.

The second problem is that provincial privacy law needs to remain substantially similar to federal privacy law. We always seem to be playing cat and mouse between federal law and provincial law, with one part updating before the other. So since federal law now includes meaningful consent and breach notification and this is not yet part of provincial law, we still have to follow the federal lead on these two new initiatives added to the law. I think what we need to do is incorporate federal law changes into provincial law more quickly.

The third problem is that we need specific legislation for protecting sensitive health information for both the public and private sector to follow. The current COVID-19 situation has put health information at risk, as the private sector does not have the requirement to use privacy impact assessments to evaluate online tools before using them or use tools that store sensitive personal information only in Canada.

The fourth problem is that the current soft approach to compliance with private sector organizations has led to an overall lack of awareness and education about PIPA, and the result is that the protection of personal information is a very low business priority.

I spend a significant amount of my time increasing awareness of PIPA compliance requirements and the risks related to non-compliance through business community presentations, and what I have found is this. The majority of businesses don’t know that they need to have a designated privacy officer responsible for ensuring compliance with PIPA through a privacy management program which includes privacy policy, privacy practices, protocols for breach management, safeguards and staff training.

They also don’t know that there are time limits attached to responding to requests for access and corrections to personal information and for questions, concerns and complaints about privacy practices, and they don’t know that they are responsible for ensuring that their service providers are protecting any personal information that they have access to.

It is quite common for people attending my presentations to feel overwhelmed by finding out what they should be doing and what they aren’t doing. Even though I provide them with some simple steps for them to start taking to become compliant, a lot of them leave a little bit confused and overwhelmed.

[2:10 p.m.]

Privacy is still under the radar instead of being front and centre. When I approach associations or business support groups and offer them free presentations about privacy compliance for their membership clients, they are often not quick to jump on this kind of opportunity. Most of the time, it seems barriers are due to lack of awareness and knowledge that non-compliance is a business risk, and sometimes it’s because I’m not a member of that group or association.

The fifth problem is that review of PIPA every six years is too long. Because of this time period, we are falling further behind. I do have some thoughts about what I think would improve compliance with PIPA.

The first thing is that the private sector operates very differently from the public sector. Simply, money talks. Sanctions and fines, if incorporated into PIPA, will actually work towards ensuring compliance. Accountability often needs to be more concrete.

I think there is a little bit of confusion in regard to just the guidance, which is loosely interpreted, I think, to meet the business need. I think specific rules that are provided would be easier and better for them to follow. I also think that designating a privacy officer is not enough. The role isn’t taken seriously or given the time and support it needs when it simply lands as an off the side of the desk responsibility with low priority.

I’ve been thinking about how the new registration requirement under the Lobbyists Transparency Act might work well for PIPA. If businesses were required to register their privacy officer, this could greatly improve compliance, because it would ensure that there was a designated privacy officer. Having an email address for that privacy officer would allow for privacy-related communication for the private sector to be directly sent to the business.

Potentially, the Office of the Information and Privacy Commissioner could use the list to do a few random review audits every year to check that there is actually a privacy management program in place and could attach a fine when a company is found to be non-compliant, which could cover the cost of those audits and reviews.

There’s also practical application missing. I’ve been asked whether there are courses for privacy officers to take and if there are template tools that are available to make developing and implementing a privacy management program easier.

So that’s the conclusion of what I wanted to present today. If anyone has questions, I’d be happy to answer them.

R. Singh (Chair): Thank you so much, Marilyn. You did not even take your ten minutes, so I did not even have to give you the warning. Thank you so much for your presentation. I’ll ask the members to raise their hands if they have any questions.

Steve, please go ahead.

S. Thomson: Thank you, Marilyn, for your presentation. Very interesting. I certainly can tell from your presentation that you’ve had a lot of experience in the whole area. Thanks for all the work you’re doing in continuing to promote the current requirements and things and dealing with the businesses and organizations.

I just wanted to go back to part of your opening comments early on in your presentation. You talked about the protection of information across borders and the fact that you saw that as one of the current challenges in the existing legislation.

Do you have concerns around some of the recent changes that have been made that allow some of the processing of information across borders? I know there’s been recent legislative change that has provided that. Currently, under the COVID pandemic situation, we’ve got special provisions in place, a special order that allows some of the processing across borders and using infrastructure and tools that exist that may be outside of Canada.

Could you just elaborate a little bit more on your concerns there and what you were specifically alluding to in your comments there?

M. Sing: Sure. I’d be happy to do that.

In terms of cross-border data, my concern is really mostly around sensitive personal information, so taking, for example, health information….

[2:15 p.m.]

I know that a lot of people, for example, have been utilizing Zoom for online connections. Sometimes that kind of tool can be used, for example, maybe in a situation where a clinical counsellor is actually speaking to one of their clients.

My concern would be if that session was recorded and that was actually saved on a server in the U.S., where it would be under U.S. jurisdiction, which doesn’t have the same kinds of privacy controls that we have in Canada. So that’s my main concern.

I think, really, overall, my recommendation to most of my clients is to use tools that have storage in Canada because it just helps to ensure that there wouldn’t be any sort of cross-jurisdictional access.

S. Thomson: Okay, thanks. That clarifies the comments because the current provisions are for “storage must remain in Canada.” That’s the current provisions. What has been provided is to allow some of the processing to take place outside and then storage to remain in Canada. I just wanted to clarify your concerns there that you were referencing. So thanks for doing that.

M. Sing: Okay.

R. Singh (Chair): Thank you so much, Marilyn.

We have Mable Elmore. She has a question.

M. Elmore: Thank you very much for your presentation.

You mentioned that you thought that six years was too long a time period in terms of reviewing the act. Certainly, I can appreciate that, just with the pace of technological changes and developments. Did you have a time frame that you thought would be more responsive?

M. Sing: I think three years would be a better time period. But as you mentioned, with things changing so quickly, three years may in some cases even almost be too long. I know that the privacy commissioners do actually try to make changes to privacy law, and they don’t seem to happen very quickly. I’m not sure how the process works on that end, but I think three years as a maximum makes a lot more sense than six years.

M. Elmore: This may or may not be a question for you, but are you familiar with other jurisdictions in terms of the frequency of the revisions that they make to their privacy acts?

M. Sing: Actually, I’m not. I couldn’t answer that question.

M. Elmore: Right. Maybe I can follow up on that outside. Thank you.

R. Singh (Chair): Thank you so much, Mable.

Any other questions from members?

Welcome, Adam. Do you have any questions?

A. Olsen: No, sorry. I’m sorry I missed the presentation. I came in right as Steve was asking the question there. So I’ll hang out for this one and be fully engaged going forward here. Sorry about that.

R. Singh (Chair): Thank you so much.

Thank you, Marilyn. Thank you for the wonderful presentation. I think we are going to hear from a number of stakeholders, but the information that you have provided will really help us develop the recommendations that this committee will be looking into. Thank you so much for taking out the time and meeting with the committee.

Our next presenters are Condominium Home Owners Association of B.C.

Welcome.

[2:20 p.m.]

I believe we are ready, and I would request you to begin, please.

CONDOMINIUM HOME OWNERS
ASSOCIATION OF B.C.

T. Gioventu: Thank you very much for the opportunity to speak to you, and thank you very much for the opportunity to provide some feedback on the privacy legislation. As an organization that deals with strata corporations across B.C., we cross several pieces of legislation, many of which intersect.

There’s one significant concern that arises that relates to PIPA, the Strata Property Act and the B.C. human rights code. Under the guidelines produced by the Privacy Commissioner’s office and the requirements of sections 35 and 135 of the Strata Property Act, there’s an obligation for a strata corporation to disclose information relating to bylaw complaints and documentation provided by an owner or tenant in respect to a request for special accommodation under the B.C. human rights code or a financial hardship claim for an exemption from a rental restriction.

While the disclosure to the strata council is essential to verify the claims exist, permitting a strata council the ability to exempt or accommodate a person, the personal information being disclosed is, in part, protected under the B.C. human rights code. The difficulty is that individuals are using the back door of the Strata Property Act and the privacy legislation to try and access the confidential information of individual owners and tenants.

This is creating a challenge, of course, for personal information that may be medical in nature, that may be financial in nature. While it is necessary for the strata councils to be able to use the information to justify an exemption from a hardship from a rental bylaw, for example, or to justify accommodating a person under the human rights code, documents such as personal medical records, which otherwise in the public realm wouldn’t be accessible, are being accessed through this loophole, in the back door, with this little combination problem in the legislation between PIPA and the Strata Property Act.

The exclusion has some opportunities for some refinement, either within the PIPA legislation or within the Strata Property Act, to deal with this.

I’ll hand over to my colleague Allyson, who deals with this from a legal perspective. She’s one of our board members of the association as well, and she can speak to this more succinctly from the protection of the privacy of individuals.

A. Baker: Hello, everyone. Thank you very much for the opportunity to speak to the committee.

I’ve been advising strata corporations in British Columbia for over 20 years as part of my practice. Advising strata corporations is a significant part of my practice. It has become more challenging to advise strata corporations about the disclosure of information since the guidelines that have been issued by the Office of the Information and Privacy Commissioner were amended in 2015.

I have a little bit of an excerpt that I wanted to read, just as a comparison. In 2009, the Office of the Privacy Commissioner issued the first set of guidelines to strata corporations and to strata managers. They were incredibly helpful in understanding what a strata corporation’s obligations were in terms of collecting, using and disclosing personal information.

In the 2009 guidelines, in the context of section 35 of the act — and, in particular, correspondence, which is where our issues seem to arise these days — the guidelines stated:

“The requirement to provide access to complaint records found in section 35 of SPA does not mean that a strata corporation must disclose the personal information of the complainant and/or other third parties set out in the complaint letter. If, after receiving the particulars of a complaint, an owner or tenant requests a copy of the actual complaint letter, the strata corporation should first consult with the author of the complaint letter to seek his or her consent to release the entire letter or portions of it.”

A little further ahead:

“The person making the request is only entitled to access their own personal information, not the personal information of others…. If there is a request for the complaint letter, the strata corporation has a duty to sever, black out, the personal information of anyone other than the requester.”

[2:25 p.m.]

This was the regime that was in place for many years. If someone made a request for a record of the strata corporation and the record contained personal information that could not be obtained by other means, such as financial information that an owner might disclose in order to make a request for permission to rent on the basis of hardship….

As an example, an owner may be asked to provide information such as their income tax returns, to disclose their personal assets and their liabilities, to provide employment information. In the context of a request for an accommodation to deal with a disability under the human rights code, an owner may produce a report from their doctor setting out their medical condition, their symptoms, the kind of accommodation that they require.

Even going back to the financial, given the current state of affairs with the pandemic, we know that strata corporations are receiving more requests from owners for some relief in terms of timely payment of strata fees and special levies. As part of that, they will be disclosing financial information in order to justify their request for some dispensation.

The reality now is that…. Under the 2009 guidelines, our advice to strata corporations would have been to redact the personal information of the requesting owner or tenant or occupant, depending on the circumstances. But with the amendments to the guidelines in 2015….

It’s interesting to note. If you go back and compare them — we’ve actually run a black line to compare — there were very, very few changes made in those guidelines. The only significant change was to do a complete 180 on the position and to say: “Well, the Personal Information Protection Act does not provide a legal basis for removing personal information from documents that are being disclosed pursuant to section 35 of the Strata Property Act.”

Initially, again, not much happened. Strata corporations often just ignored those requests. But in the last couple of years, this change in the guidelines has had some teeth because of the introduction of the civil resolution tribunal.

Now we are seeing more complaints being brought by owners or tenants, depending on the situation, who are asking for disclosure of documents under section 35 of the act. The civil resolution tribunal, following the guidelines, has said: “The Personal Information Protection Act does not provide a legal basis for redacting that personal information. Therefore, the complaint letter is producible.”

We are aware of at least one instance in which the tribunal did order the disclosure of personal medical information in a dispute over whether the strata corporation had properly allowed an exemption from a bylaw. In that case, it was a no-air-conditioning bylaw.

We can also see that with the position being that there is no basis for redacting personal information, it’s fairly easy for owners and tenants now to request, depending on the circumstances, financial information of owners, medical information of owners and perhaps other, similar personal information, such as: what if someone is going through a divorce or has some other difficult event going on in their lives?

It also puts at risk, and Tony hasn’t alluded to this, employee information. A number of strata corporations have employees, which means that they have employee records, including things like contracts and communications with the employees. If the strata corporation isn’t permitted to redact employee information under PIPA, that means owners now have access to employee information.

This essentially, I would suggest, almost guts the Personal Information Protection Act when it comes to strata corporations, because the list of records that are set out in section 35 of the act is so broad.

T. Gioventu: Thank you, Allyson.

Just in closing, I think we were looking at possible solutions. An amendment to PIPA that would basically clarify the guideline, that would give it specific legal standing — that personal information that may be financial in nature or medical in nature or that may relate to employment relationships may be specifically protected and redacted — might be an appropriate solution to this.

[2:30 p.m.]

It would solve the problems with employment standards, with human rights and with the Strata Property Act. It would streamline the legislation and make it much clearer without any interpretation.

R. Singh (Chair): Thank you so much, Tony and Allyson. That was very important information that you gave out to the committee. It’s very serious too.

A lot of times…. I’ve owned a condominium, never realizing what kind of information I’m giving out. I can understand that a lot of people, when they give out that information, don’t even realize where that is going. So really important information from you and, I think, a very important recommendation too.

I would ask the members if they have any questions. Please raise your hand if you have a question.

A. Olsen: Just a really quick question about the rationale for the change. I think I got one in your presentation. But has there ever been a rationale for the change from the 2009 practice to the 2015 guideline as to why that changed? Were there court decisions? I’m just trying to understand why we went from something that seemed to function pretty well to something that is now needing to be fixed.

A. Baker: I think Tony can speak to this a bit more as well. The guidelines did not follow any particular decisions of the Office of the Privacy Commissioner. There were no court decisions. My understanding, as well, was that there was no consultation at the time that the guidelines were made. It was a decision of the Office of the Privacy Commissioner. While, certainly, I recognize they have the ability to issue amended guidelines, it was somewhat surprising when they were released without any industry consultation.

The 2009 guidelines had a lot of industry input from organizations like CHOA, other industry organizations and lawyers who worked in the privacy area who could make comments on trying to balance an owner’s right to know, which I certainly accept. I, myself, live in a strata corporation and I’m on the strata council, so I deal with it not only as part of my practice but as part of my job.

I think the pendulum kind of swung a little too far in terms of transparency to the point, as I said earlier, that one almost gives up one’s right to privacy or one’s protection of personal information by living in a strata corporation.

T. Gioventu: Just to reiterate, I was on the original committee for the 2009 guidelines, and there was over 50 hours of consultation and ten organizations on that. There was no public consultation whatsoever on the second series of amendments.

A. Olsen: If I may continue….

And Allyson, you must be very valuable to your strata corporation, a very valuable asset to them.

A. Baker: I don’t know if they think that.

A. Olsen: This was a decision in 2015 as to how the commissioner at the time applied the legislation then, essentially. Essentially what you’re asking for here is for us to amend the PIPA legislation so there’s just absolute clarity on this.

A. Baker: Yeah.

T. Gioventu: In addition, we need to be mindful that strata corporations, because of direct-deposit banking, collect a substantial amount of personal financial information which, without the clarity, also makes us vulnerable as well.

A. Olsen: To follow up on that, you highlighted in your presentation some specific areas that you think should be looked at in the definition.

Just your advice on whether or not we should recommend specific changes to the specific areas that we should be protecting or redacting, or if it’s better to…. I guess you’re wanting us to be clear on this so that then there aren’t grey areas in the future. So those specific areas are important as well — financial and medical.

T. Gioventu: Financial and medical predominantly, but I think the focus should be on protecting the personal information of individuals. The name of an individual is part of the record of strata corporations. But beyond that, their personal medical information, their personal financial information, even court documents….

[2:35 p.m.]

In some cases, we have circumstances in large developments where we have restraining orders between parties with sealed documents as a result of circumstances. Even those types of circumstances would be personal information that should be protected that could otherwise jeopardize individuals.

A. Baker: If I might just jump in a bit. Under the standard bylaws, there are provisions dealing with council meetings. Under the standard bylaws, an owner is entitled to attend a council meeting as an observer, but there are exceptions to that. The exceptions are bylaw contravention hearings under section 135 of the act, rental restriction bylaw exemption hearings and also “any other matters if the presence of observers would, in the council’s opinion, unreasonably interfere with an individual’s privacy.”

Before the 2015 amendments to the guidelines, as a lawyer, that often informed the kind of advice that I would give to my clients, saying: “Well, if it’s something that somebody would not be entitled to see as part of a hearing or as part of an owner’s right to attend as an observer, why should they have any greater right to see it just because it happens to be in writing?” I think we’ve kind of gotten a disconnect happening because of the focus on the list of documents that one is entitled to.

Now, there was abuse before 2015. That’s why I said I think the pendulum has swung a bit too far. There were some strata corporations that wanted to redact everything, even things like owners’ lists, even though the record of an owner is something that you can pull from the land title office. It’s not personal information.

I think there is a middle ground here that respects transparency and privacy. I think part of that may, to some degree, come back to the guidelines themselves. In 2015, the statement was simply that PIPA doesn’t override the Strata Property Act. Therefore, because it’s information or documentation that is available by statute, our hands are kind of tied, and PIPA doesn’t provide a legal basis for a strata corporation to redact. I’d kind of like to move back to that same direction.

A. Olsen: Thank you for that. I’ll just say that I think you’ve captured our attention on this. It’s something that I think, from my perspective, I’d like to learn more about as we go through this process. But I recognize that we’ve got a number of people on here. So thank you for that, Allyson. I appreciate it.

S. Thomson: Adam asked the basic question I was going to ask around this. I just had a follow-up point on it.

You’ve recommended that the fix here needs an amendment to the PIPA legislation. Would there be any requirement, in addressing this issue, to do any legislative change to the Strata Corporation Act, or is it just the one side of the equation that needs to be potentially addressed to deal with this?

T. Gioventu: It could be dealt with through the PIPA legislation in as much as it deals with personal information. Ideally, it would be coordinated and harmonized, both through PIPA and the Strata Property Act, so whatever amendments would occur within one piece of legislation would be concurrent in the other so that we wouldn’t run into these cross-misinterpretation problems. That’s the difficulty. We have two pieces of legislation that are not concurrent.

Part of that also goes to timing. Our technology always seems to be five years ahead of our legislation. So we run into some of these cross-sections sometimes. Ideally, both pieces of legislation should be addressed so that they essentially speak the same language and give the same legal direction. But as this is a PIPA consultation, this is the focus at this point.

S. Thomson: Thanks. That clarifies that. I just wanted to see whether this was a simple fix in one piece of legislation or something that’s a little bit more complicated because you’re dealing with two pieces of legislation. I think the answer is that it’s a little more complicated.

T. Gioventu: It is, potentially. But it can also be easily remedied, as Allyson pointed out, simply by adjusting, immediately, the guidelines. The problem with the guidelines is that they’re being used by the tribunals in jurisdictions for reference when there’s decision-making taking place. That’s part of the challenge. But if the authority to impose the non-disclosure of personal information was bestowed within the privacy legislation, that quickly resolves a great problem that we’re faced with.

[2:40 p.m.]

R. Singh (Chair): Members, any other questions?

Seeing none, thank you so much Tony and Allyson for that important information. We really appreciate your time that you gave to the committee today. Thank you so much.

D. Ashton (Deputy Chair): Thank you, Allyson.

Thank you, Tony.

R. Singh (Chair): Adam, you have a question?

A. Olsen: Is there an opportunity for us to maybe get a…? I guess I’d just like to plant a flag here and note that we should maybe get a response from the Privacy Commissioner as to why the guidelines are being applied the way that they’re being applied. I mean, I’d like to hear the response to that. I have some interest in seeing that these get addressed.

R. Singh (Chair): Susan, please go ahead.

S. Sourial (Clerk Assistant, Committees and Interparliamentary Relations): We are inviting the Information and Privacy Commissioner to return in September to do a follow-up presentation and to respond to some of the recommendations that the committee receives.

R. Singh (Chair): When we are in the deliberation stage?

S. Sourial (Clerk Assistant): Before the deliberations, so before we get to the deliberation stage, once all the public hearings are over and the deadline for written submissions is concluded. When we follow up to schedule that, we can flag this one as one of the questions the committee had.

R. Singh (Chair): Thank you.

Welcome, Mr. Raddysh. How are you doing today?

G. Raddysh: Thank you very much for letting me speak.

R. Singh (Chair): You have ten minutes for the presentation, so please go ahead, sir.

GARY RADDYSH

G. Raddysh: All right. Thank you very much.

Emergency measures that have been proposed and methodically installed to keep us safe are part of a slow but systematic move towards complete surveillance and control of all Canadians. Media spokespeople don’t even bat an eye as they describe the surveillance grid that underpins the new normal for Canadians’ daily lives. We have grown complaisant, even accepting, of the fact that telecom communications record and store every speck of our communication data. We are being watched like potential terrorists by our own governments.

I am told the surveillance can now extend to our daily activities in real time, through the tracking of our personal communication devices. And what about online personal assistants? It’s pretty clear that Siri, Alexa and Google are spying on us in our own homes.

I’m not a lawyer, but I know we have current laws that make it illegal to harvest personal information without our permission. Yet it’s almost accepted by the public, and even the lawmakers, that these laws are routinely ignored. As I read government documents on data gathered by government street cameras, I found statements such as “the use of cameras has become more prevalent and is generally accepted,” as if this passive acceptance approves further illegal data collection.

I know we have privacy laws, but for some reason, our law enforcement is lacking the will to enforce them. I contacted ICBC about their sneaky 2009 setup of facial recognition technology, as they converted our driver’s licence photos to identity-verifying quality. No public hearing such as this was held.

[2:45 p.m.]

And though [audio interrupted] claimed there was a mass publicity campaign to inform voters, I still can’t find anyone that knows our driver photos have been stored in an FRT database for over ten years. That’s enough time for me to renew my licence two times. Even my MLA didn’t know this.

The B.C. Privacy Commissioner says ICBC’s FRT is okay. It’s not a violation of privacy because it really can only be used to verify the person applying for a new driver’s licence. It’s an excellent tool against fraud. He can’t see any other reason for this massive database of private personal information, yet shortly after the FRT was set up, ICBC approached the Vancouver city police department with an offer to use ICBC’s FRT database to identify disruptive people at the hockey riots in 2011.

Looking more closely at this incident…. ICBC’s mandate to use FRT data was for one purpose: fraud prevention. They immediately ignored that massive restriction and began peddling my personal data when they knew they shouldn’t. I asked reps of ICBC many times if anyone was reprimanded for this unethical, or even criminal, behaviour. They seemed to think I was overstating my case.

A 2013 report presents a long list of instances where FRT is in common use. My recent use of the federal online system to access Revenue Canada information required the use of FRT as they compared my digital photo to government-issued ID cards. There seem to be many more uses for the ICBC FRT data than the B.C. Privacy Commissioner is willing to mention.

Toronto police have recently been criticized for their use of FRT in conjunction with social media scanning software. I’ve asked continuously about where the police agencies are getting the FRT data. It’s quite clear that our government-sanctioned agencies collect it in databases and make it available, not just to police agencies but, I fear, to international surveillance groups.

Now we’ve moved into a time of ultimate fear. The media has sold the danger, and everyone is locked down thinking there will be massive loss of life. Government has to know every place you go and every person you see to be able to protect us. Are we really going to submit to carrying immunity passports so we can leave our homes to be out in our free, democratic society? Will Canadians only be saved if everyone is identified by an RFID chip?

Real-time tracking of my movements through cell phone data and facial recognition technology, border checks and police or military on the street checking papers are elements of a technological takeover of Canadians’ rights and freedoms. These are not tools of protection. They are tools of enslavement.

All it takes is [audio interrupted] even a pandemic. [Audio interrupted] tools used to suppress my freedom, my freedom of association, my freedom to gather and my freedom of speech.

What should be done with the current personal information act? I say use it to enforce privacy laws. Telecom companies should no longer be mandated to store three months of my communication data. Tell them to erase it now and never store it again.

Those who find it necessary to break privacy laws should be prosecuted. For example, when it becomes clear that electronic devices are set up to track and spy on the users, the creators of these devices and those who gather the data must be prosecuted. It would take just a couple of high-profile cases to send the message that B.C. is a private data zone.

Possibly, the greatest offender when it comes to the inappropriate use of personal information is our own government. It’s almost as if elected public servants have come to believe that the people they represent do not trust them. Whatever the case, people can be directed and controlled through the use of personal information. These are not the traits of a free and democratic society.

The truth of this information has become blatantly obvious to everyone. We are relying on you to follow our current laws. We are law-abiding people, not criminals. I urge government to back away from the controlling of every detail in the lives of citizens. It will encourage everyone to take responsibility for their own actions, for their own health, for their own finances and for their own personal well-being.

R. Singh (Chair): Thank you for taking the time to come and talk to the committee.

Now I’ll ask the committee members if they have any questions. Anybody?

[2:50 p.m.]

Seeing none, thank you so much, sir. We really appreciate your time today. Whatever you have recommended…. We’ll definitely look into it. The committee will look into it while we do our deliberations.

G. Raddysh: I have references for the statements I made. I will send them to you if you want.

R. Singh (Chair): Please do — I think to the Clerk’s office. You can be in touch with them and send any information you have. Thank you.

Members, just before we go to the next presenter, are we okay with this, or do you want to take a break?

Good to go? Okay.

Welcome, Dr. Bennett. I believe we are ready to go.

COLIN BENNETT

C. Bennett: Thank you very much for listening to me today. My name is Colin Bennett, from the University of Victoria. For over 30 years, I’ve been researching and writing about the issue of privacy protection in Canada and overseas, the spread of surveillance, the nature and extent of public concern and the content and effectiveness of the privacy protection policies in Canada and internationally. I’ve written a number of reports, both in Canada and overseas, including for the European Commission.

I’ve also been a complainant, both under PIPA and under PIPEDA, so I have the perspective of somebody who has used this legislation. I teach courses on these issues at UVic, so I have a bit of a perspective on what I think young people are thinking about privacy these days. I’m also a member of the external advisory board of the Office of the Information and Privacy Commissioner. Over the years, I’ve got to know that office intimately and the challenges that they’re facing.

I listened to the testimony last week, and I don’t want to repeat what you heard from Michael McEvoy. I believe that PIPA is dated. There have been two statutory reviews, and nothing has been done to update the law, as you know. Despite what you hear from others about this being a practical statute that balances the rights of the individual with the needs of business on the basis of reasonable expectations, I have to say that I don’t think the law is working particularly well. It’s difficult to evaluate privacy laws and what standards you use, but I see a lot of non-compliance in my daily interactions with businesses in B.C.

You will have received a poll from the Freedom of Information and Privacy Association. I’m on the advisory board of that organization. Only 33 percent of those polled believe that organizations are open and transparent about how they collect and use personal data. Only 32 percent were aware of the existence of PIPA. We’re living in a world of far greater awareness about privacy as a social and political issue, as well as far higher levels of concern over the lack of individual control over our personal data.

Now, I intend to submit a more detailed submission later, and I don’t want to get into the weeds of the law at this point, but I thought what I would do is offer some reflections on what has changed. The social, political, technological and legal environment has changed since PIPA came into force in 2004. The COVID pandemic has brought home to all of us how dependent we are on global digital platforms. We’re increasingly reliant on those — our businesses are — and we need to trust those platforms. A critical component of trust is that of privacy security.

[2:55 p.m.]

Secondly, privacy is a far more important political issue today than it was back in 2004. What I mean by that is that personal data is now a resource of the information economy — what is sometimes called surveillance capitalism. Personal data privacy protection goes to the heart of the way wealth is created. So laws like PIPA are not just consumer protection statutes anymore. They perform critical functions in the regulation of the global informational economy. That is why, frankly, big tech companies around the world have spent millions of dollars lobbying against them in different parts of the world.

Thirdly, and despite that lobbying, information privacy and data protection laws have proliferated. When PIPA first came into force in 2004, there were only around 30 jurisdictions in the world with such legislation. Now the count is around 130.

Legal reform has been triggered, yes, by growing concerns about privacy protection, but it’s also motivated by trade-related concerns and the perceived need to provide safe harbours for domestic businesses to freely import personal data from overseas without having to negotiate detailed and costly individual contracts. So strong privacy law places jurisdictions in that club of countries around which personal data can flow more freely.

Fourthly, you’ll have heard that the global process of raising standards has generally been triggered by the European Union. PIPA was passed in response to PIPEDA, which was, in part, passed in reaction to a 1995 data protection directive which stipulated that under most circumstances, individual data could only flow out of the European Union if the receiving jurisdiction had an adequate level of protection.

PIPEDA was judged adequate in terms of those European standards back in 2002, and PIPA was judged substantially similar to PIPEDA. So there was a process in place, a process of harmonization. Now, as you know, we have the General Data Protection Regulation, just four years old and widely regarded as setting the standard for privacy protection around the world.

Now, the GDPR not only revises that European directive, but it produces a single and harmonized regulation for the entire European Union. It’s a more complex instrument. It’s a more multifaceted instrument, and it embraces and embodies a whole number of ideas that have circulated around the world, including from Canada, when it was passed. European law now requires a standard of essential equivalence, requiring the basic privacy principles, good levels of enforcement and compliance, and effective methods of individual redress.

Unlike in 2004, data protection standards are not just being driven by the EU. The more countries that belong to the data protection club, the greater the pressure on those without laws to join. So some countries, particularly in the Asia-Pacific — Japan, for example — have passed similar pieces of legislation, saying that data should only flow out of those countries to countries that have got adequate levels of protection. That has implications for B.C., in terms of the Asia-Pacific.

The next point is this. Back in 2004, businesses could credibly worry that their competitive positions would be put in danger by lower standards in the United States. That’s no longer true. American laws are being revised — I pointed out to you the California Consumer Protection Act — and there are certain aspects of American law in the States which are, in fact, stronger than those in British Columbia. So businesses can’t say that they’re going to be losing business to competitors south of the border.

Data breach notification is critical. We don’t have data breach notification in PIPA. It has become an important requirement of privacy protection all around the world now. It is included in PIPEDA, so if PIPA is to be substantially similar to PIPEDA, we need to include those rules about mandatory data breach notification so that businesses that are responsible for significant data breaches that affect the rights and interests of citizens should be mandated to report those breaches to the commissioner and, under certain circumstances, to individuals themselves.

[3:00 p.m.]

My final point is this. Statutes that are based on complaints — on individuals finding out how data is processed about them and complaining to the commissioner, complaining to the organization, getting redress, getting investigations, commissioner making an order — simply don’t cut it anymore.

In many cases, we don’t even know the entities that capture data about us in this complex digital environment. In many instances, we’re not even aware of how we’re being identified and by whom. Judgments about us are often made without human intervention but by artificial intelligence and by machine learning.

Now, complaints resolution, investigation and individual address and redress are important, but the more crucial powers are those that are more general and anticipatory than more specific and remedial. The law has to give the commissioner more powers to act proactively, as well as to address the systemic issues, using the entire repertoire of tools at his disposal. Those are educational, technological and regulatory.

I fully support the commissioner’s call for the power to issue administrative monetary penalties when necessary, as well as his request to issue orders in the absence of complaints. Three decades of experience and research have demonstrated that the presence of the regulatory stick often assists the exercise of those softer instruments of persuasion.

Advocates and experts are looking to you to modernize the law, which will strengthen consumer privacy rights and also protect our businesses, particularly those in the high-tech sector. There’s some urgency. I will give you a more detailed submission later on, and I look forward to any questions you have and, indeed, to assisting you further, using my expertise over the course of your important deliberations.

R. Singh (Chair): Thank you so much, Dr. Bennett. Thank you for the time and the research that you have done on this important issue and also for taking the time today to present to the committee.

I’ll open the floor for any questions.

S. Thomson: Dr. Bennett, thank you very much for your presentation — very comprehensive. We look forward to the more detailed submission, as you mentioned, as we continue to deliberate.

I just wanted to ask for your perspective on why you think we may have fallen behind in terms of the timing of it — the linkages between our legislation and the PIPEDA legislation federally. As you probably know, given your background and experience, they’ve gone through a pretty significant process of updating and modernizing as well. Would you say, if we took the steps to synchronize or to bring our legislation up to where PIPEDA currently is, that that would meet a significant part of the concerns that you have in the submissions that you’ve made?

C. Bennett: It would meet some of them, yeah. To be clear, PIPEDA was amended back in 2017 in a piece of legislation called the Digital Privacy Act. There were a few bits of that, but the principal thing was that it did include mandatory data breach notification. To that extent, we do know that PIPA would not be consistent with the federal legislation.

Now, subsequent to that, we’ve had the digital privacy charter, which the government has introduced, and we know that the government is intending to give the federal Privacy Commissioner greater powers, particularly fining powers. They’ve said that. We don’t know the details yet. We don’t know when it’s going to occur.

You ask a very good question about the timing and the sequence here, because back in the 1990s when PIPEDA was produced, there was a sequence that B.C. kind of followed to make sure that its laws were consistent with PIPEDA. That certainly has to happen, but I don’t necessarily think that we should wait on that. I would say the really necessary stuff is the powers of the commissioner and data breach notification — there are a few other more minor things we could talk about later — but at the same time, keeping an eye on what the feds are doing with PIPEDA.

[3:05 p.m.]

I think there are plenty of reasons for us to revise PIPA, clearly keeping in mind what is happening at the federal level but provincial reasons for revising PIPA and making it fit for purpose for British Columbians. I hope that answers your question.

S. Thomson: Thank you. I appreciate those comments.

R. Singh (Chair): Thank you so much, Dr. Bennett.

Members, any other questions?

A. Olsen: I think I’d just like to thank Dr. Bennett for the presentation and just acknowledge Mr. Raddysh’s presentation. I think what was highlighted in the presentation before yourself, Dr. Bennett, was a lot of concern from the consumer side with respect to what those companies are doing with the data and, as you talked about, the commodification of our data and the economic imperative that we have here.

What we’ve done in our caucus — and, I think, in all caucuses — is to talk about technology and innovation and the opportunity that it has for the B.C. economy going forward, recognizing that there is a really important balance that needs to be made here. I’d be very interested to hear the perspective of your students on this as well, just in terms of the relationship and the agreement that’s made with people, their data and the companies that they’re choosing to…. In some cases, they’re not even getting much of a choice, but in order to get a service, you have to sign that user agreement.

Anyway, I just wanted to pull these together, because I think what we heard [audio interrupted] many people in our society have — legitimate concerns that we in government have a responsibility to ensure that we’re dealing with in the legislation. Specifically, if we are going to push our jurisdiction forward in innovation and technology, then being at the front end of this is where the expectation should be, not making minor adjustments to a law but on the leading edge of that law.

C. Bennett: Yes, I would agree with that. We have been at the leading edge.

Let me just respond to two things you said. Firstly, young people. There is a bit of a myth these days that young people are not concerned about their privacy, I think. We see the level of transparency, the level of the postings on Facebook, and so on. It’s sort of felt amongst people that young people really don’t care, because of what they’re doing.

I think there has been a change there. I see in my students — which may not be typical, admittedly — a deeper concern about privacy, more suspicion of companies like Facebook and Google, more awareness of how their personal data is being captured. They, too, are very, very concerned about their privacy, perhaps not in the same way that the older generations are. They’re concerned about their privacy in relation to their parents, their teachers and their professors — and not so much their friends. But there is a deep set of concerns.

On the question of innovation, let me just say this. I alluded to it in my written remarks. The statutes that are being produced around the world now try to blend different policy tools together. They’re not just legal instruments anymore. Over the last 30 years — I’ve written about this in a number of places — it has been discovered that you need not only the law, but you also need educational tools. You need technological tools. You need instruments like privacy impact assessments.

You see in the GDPR — which, quite frankly, is a very, very cumbersome piece of legislation — a combination of different instruments that have been devised around the world and which have been brought together in this one document which gives regulators the choice as to what kind of instrument is appropriate to use given the circumstances, given the level of intrusion that’s seen and given the sensitivity of the data.

[3:10 p.m.]

I guess my central point to you is that the commissioner needs all the tools in the toolbox, because that’s what is going to be necessary going forward, so that he can, when he needs to, use the appropriate tool, the appropriate instrument for the problem he’s seeing.

At the moment, PIPA doesn’t include that. It doesn’t include data breach notification. It doesn’t have anything in it about privacy by design or privacy by default. I could say more about this. One of the things that other legislation says is: “If you don’t need personal data, don’t collect it. If you can fulfil your services, fulfil your business, without capturing personal data, then do so, all right? Build privacy by design into your systems before you generate a service.”

Now, Michael McEvoy gives that advice, and other commissioners have as well, but it would be good to see that more explicitly stated in the legislation. I’m of the view that a lot of businesses can, in fact, operate today, make a profit and be commercially successful without capturing the level of personally identifiable data that they, in fact, do. Then you get into sort of complex issues about anonymization of data and encryption and so on which you don’t want to get into now, probably.

But that’s my point. There are regulatory tools. There are educational tools. There are technological tools. All of these need be reflected in the modern privacy data protection statute. I think that’s what the feds are thinking of with respect to PIPEDA, to the extent that I know what’s going on there, which I probably…. Who does? But I’d like to see PIPA reflect the realities more of the contemporary high-tech digital economy. I think we have an opportunity to do that and, frankly, to send a message to the rest of the world, to the rest of Canada, to our friends south of the border, that we take this issue very, very seriously and we’re on the cutting edge of privacy reform.

I think globally, Canadians have been looked to for leadership for a very long time on this issue. We have had some very strong commissioners. We’ve had some very strong civil liberties advocacy organizations. There’s a network of advocates and so on, but somehow our laws have just not kept up to pace for a variety of reasons.

A. Olsen: The problem is, though, just to follow up very quickly, that the design and the reward have been in collecting data that you may never even need. Or you don’t know that you have a need for it until you…. “Oh, hey, we can look at this database this way or sell it that way,” right?

C. Bennett: That’s right.

A. Olsen: The design is to collect as much data as you possibly can get, build as close a profile as you can get to that individual, because there are great financial rewards for those who can innovate that. Is there any way you can change that culture?

C. Bennett: Well, hopefully, yes. That is the logic of what is often called big data. Collect it all and then see what you want to do with it.

Now, there has been a lot of pushback on that logic in the last few years. For one, it’s obvious that the data can be used in ways that promote the interests of the business as well as promote good public service, the COVID pandemic being a great example. It suggests that, in fact, you don’t need so much personal…. You don’t need so much data. At least, you don’t need much that is personally identifiable. That’s the key.

If it’s not personally identifiable, if it can be anonymized, if it can be de-identified, if you can use other identifiers that don’t put individuals at risk so much, then you can still have the innovation. You can still use the data in ways that allow companies to make a profit.

But you’re dead right. The pendulum has swung too far the other way, and we’re now seeing that pushback. We’re seeing the pushback by civil liberties organizations, by advocates, but also, of course, in the legal reform that’s happening. This is also hurting corporate reputations.

[3:15 p.m.]

That’s another thing I would point to. Corporations can’t get away anymore with being seen to be instruments of monitoring and surveillance. They are hurt in the media reputationally if it’s seen that they’re not being privacy protective. I think there’s a shift in that direction.

R. Singh (Chair): Thank you so much, Adam.

Thank you so much, Dr. Bennett. A lot of great information. I was really happy to hear that the younger generation is also very serious about their privacy.

C. Bennett: I’m talking about my students, and they may not be a representative sample. I think there is public opinion evidence to suggest that attitudes are shifting amongst the millennial generation.

R. Singh (Chair): My son goes to UVic, so I’m going to check with him how serious he is.

C. Bennett: Good idea. Get him to take my class.

R. Singh (Chair): Adam, did you have any other questions?

A. Olsen: I was just going to say that there is a nuance between people’s level of interest and people’s level of understanding, which is something we should be talking about too. I don’t know that anybody is interested in their personal space being violated in any way. I think that there is an understanding — certainly a generational understanding, perhaps — around the way information and data is being used. So just to click the consumer agreement — that, yeah, you can use that — there are a lot of ramifications to that, and it’s the easy thing to do.

C. Bennett: Yeah. If I’ve got a little time left, I’ll just quickly respond to that.

The Canadian public, as well as most publics, can generally be split up into three different groups. One is those people who really don’t care about this issue and never will. Those are a minority, and they’re getting a smaller minority. At the other end of the spectrum, there are those who are more privacy advocates, who fundamentally believe in the subject. Those are the people who do not sign the end-user agreements.

The vast majority of Canadians and British Columbians are in the middle, and they take a pragmatic view of this issue. They see that if there is an important public benefit at stake, if there is an important service being delivered, then they’re willing to give up their personal data. They make those judgments on a pragmatic level, and they balance what they see as their privacy interests against what they see as the legitimate needs of the organization.

That is the balance that these laws have got to try and strike and what balance the PIPA tried to strike 20 years ago but which now needs to be modernized and brought up into the contemporary digital environment.

R. Singh (Chair): Thank you so much, Dr. Bennett. We are looking forward to your detailed information that you’re going to send. Thank you so much for your time for the committee today.

S. Sourial: Madam Chair, our next presenter is ready if the committee is ready.

R. Singh (Chair): Yes, we are. Thank you, Susan.

Welcome, Anna. How are you doing? As I mentioned, you have ten minutes. So we are ready to go.

SPEECH AND HEARING B.C.

A. Krueger: Okay. Awesome. You heard my name. I’m Anna Krueger. Thank you very much to all of you. You’re all in different settings, it looks like.

R. Singh (Chair): We are not in the Legislature. This meeting usually happens in person, and we are in one location, but because of the pandemic we have to do it virtually, and everybody is at different places.

A. Krueger: Sure. Okay.

I’m a member of Speech and Hearing B.C., and their office received an invitation to participate. I’m a volunteer who has been providing some leadership regarding compliance with privacy protection laws for professionals doing telepractice.

[3:20 p.m.]

So why am I talking to you today? I actually have no specific criticism or revisions to recommend. My purpose is to help the committee see the big picture for professionals who struggle to understand their legal obligations.

I sent you a longer document called Compliance with Privacy Protection for Telepractice. Have you received that?

R. Singh (Chair): We have.

A. Krueger: Okay. I wrote that for my colleagues, and I’m actually hoping to use it as a basis for an online course. It’s a pretty easy read, because it’s just questions and answers for professionals. For today’s presentation, I’ve got two infographics that I wanted to walk you through. If we could go to the first one.

Can I store data about my clients outside of Canada? Which privacy compliance laws do I need to follow? I’m saying to my colleagues the answer is: it depends, especially in B.C.

Health care professionals in Canada face a lot of confusion around this question of data on global servers versus data within Canada. When people go searching on line, they find things about HIPAA, which is of course a U.S. law, and some will find information about PIPEDA, the Personal Information Protection and Electronic Documents Act, which is for all of Canada.

We know that PIPEDA is a lot like the European GDPR because it’s for personal information, not only health care information, so it’s broader. When we’ve got professionals searching on line, they’re finding marketing and advice about HIPAA, especially if they’re looking on line for telepractice advice. Those messages are aimed at health care in the U.S., and Canadians really wonder if they need to pick tools that are HIPAA-compliant.

The other thing they find when they’re looking on line is marketing that is aimed at Ontario’s health care providers. Ontario has…. I think it’s called PHIPA, the Personal Health Information Protection Act. That is, of course, only health care, and it applies to private and public sectors in health care.

What people find is very heavy-handed marketing telling them that if they’re a health care professional in Canada, they have to use this piece of software or this platform. That’s really aimed at Ontario, not at the whole country.

Professionals in Ontario face a lot of legal risks if there is a data breach. So they can actually gain peace of mind by choosing things that are HIPAA-compliant, because the security is robust or, potentially, by keeping their data in Canada. But people get confused because there is actually no law saying you have to keep your data in Canada — in terms of a federal law.

Health care professionals in B.C. face even more confusion. Why? This is because so many of us work in public sector jobs and also have a part-time private practice. The law that your group is looking at — PIPA B.C., the Personal Information Protection Act — is for private bodies, for businesses, and it’s not specifically for health care.

Then we also have FOIPPA, the Freedom of Information and Protection of Privacy Act. That, of course, is for public bodies, specifically any agency that carries out the functions of government. This applies to schools, health authorities, ICBC, the provincial courts, and so on. Again, it is not specifically for health care.

Public employers inform their employees of the expectations of FOIPPA. Staff in public bodies are expected to keep personal information in Canada, and there are a lot of restrictions around email or cloud programs or cloud data storage. So what happens is the professionals in these jobs tell their friends who are in private practice that they are in trouble, that they’re failing to comply with the law because they’re using Gmail, Google Drive and other cloud-based programs. The person who has a private practice often does not know about PIPA.

My own experience was that from 2014 to 2018, I had no idea that PIPA existed or that FOIPPA existed. I was just on my own, doing a home-based business and doing telepractice. My growing awareness is motivating me to educate my colleagues so that there’s less conflict between professionals.

[3:25 p.m.]

So the scenario you have is, potentially, a speech-language pathologist who works for a school district and has a private practice on Saturdays and is supposed to follow PIPEDA, the Canadian law, all the time; FOIPPA Monday to Friday; and then PIPA B.C. on Saturdays.

There’s one more twist, and that is that FOIPPA really applies to the data collected by the B.C. government. That’s the one that says it has to stay in Canada. Nova Scotia has a similar law. Other provinces, not so much.

For example, we have private SLPs, occupational therapists and physios who are contracted as service providers for a government body. For example, WorkSafeBC and the community brain injury program have a case manager who gives out contracts, and those contracts spell out the obligation to keep the data in Canada.

So now you’ve got a private company that has to comply with FOIPPA for clients where the data was acquired from the provincial government, and the same private company does not have to comply with FOIPPA if the clients were acquired from other sources. This creates a lot of stress and conflict, especially around telepractice.

Let’s switch over to the next infographic, around Zoom. And how cool that we’re doing this on Zoom. A lot of us are asking: “Is it legal for me to use the free version of Zoom for telepractice?”

Why is Zoom so popular? Because it really does outshine the other platforms if you’re a speech-language pathologist trying to do therapy. It’s the only one that lets you hear the audio of the client’s computer. You can have a client using a software program, and the therapist can hear everything. And it actually downloads part of the program to the local computer. You probably know this. There’s less demand for bandwidth. It’s stable. It just works.

We’ve got private practice professionals really stressed about paying for the HIPAA-compliant version of Zoom, which costs $200 a month. Some of them don’t realize that the HIPAA-compliant feature does not mean that the data will be stored in Canada. It just means that the security is more robust. The features can be controlled at the admin level for all users. But the bottom line is that the HIPAA-compliant version of Zoom gives you encrypted chat, and it still stores those messages on global servers.

As I’m talking with colleagues, I’m saying: “You know, a solo private practitioner can use the free version of Zoom for telepractice and can comply with the laws at all the different levels — federal, FOIPPA, PIPA. It’s got encryption and password protection just like the paid versions. You can avoid creating user accounts, so you’re not storing contact data in the cloud. You can download recordings instead of putting those in the cloud. You can just basically not use the chat feature.”

Whereas, as you can see on the graphic, we’ve got the “it depends.” So if you’ve got a workplace with multiple staff, those staff might be accustomed to using Zoom with colleagues, where it’s common to create user accounts. They might ask clients to create accounts, though staff might not be aware that they shouldn’t be doing cloud recordings, and they might use the chat feature and store messages on global servers. In that scenario, a public agency in B.C. like a school district might want admin control of the settings. So as you can see, the answer is: it depends.

Hey, I’ve got 30 seconds to spare, so let’s open it up for questions.

R. Singh (Chair): Thank you so much, Anna. That was really important information that you gave out. I know that with this pandemic and a lot of service providers working from home, they’re looking for ways to provide services as well as provide privacy for their clients. That’s really important information you brought up.

I will open the floor for questions now. Members, any questions?

Dan?

D. Ashton (Deputy Chair): No, thank you.

Thank you for the presentation.

R. Singh (Chair): Steve, please go ahead.

S. Thomson: Thanks for the presentation, very interesting. I just want to check, mostly just for my understanding…. For the telepractice and things like that, there’s also another piece of legislation that links into this as well, I think. It’s around the electronic records legislation. Does that have a linkage in this as well?

[3:30 p.m.]

A. Krueger: We looked at it. I think it’s specifically electronic records that are government electronic records. Is that correct?

S. Thomson: I don’t know. It’s probably something that I need to look into just to get myself educated on it. I was just trying to pick your brain on it, if there was a linkage here, because you didn’t reference that specifically in your comments.

A. Krueger: Yes, I think it is. Health authorities, for example, have the ability to allow people into the health authority’s records. A physician might have access to scans that somebody has had at a hospital. I think that law is very much about public data that is then potentially shared and the rules around that.

I’m kind of narrow in my focus. I’m very much trying to help my colleagues who are doing telepractice. I would say that most of us who are entrepreneurs are not…. That’s not a question we’re really facing — being able to get data sets or see electronic records that are with a health authority or with the government.

R. Singh (Chair): I just have one question. You talked about…. A lot of service providers are working in a public setting most of the week, and on the weekends, they have private practice. We know that with this pandemic, it has created more awareness about the privacy issues.

For those service providers, were they having issues with the data protection even before this pandemic, or is this something new that they are dealing with?

A. Krueger: I mean, certainly we’ve had people that are not informed, right? If you look in Facebook groups, it’s like…. One of the spinoffs of the pandemic is that people are in these private Facebook groups asking for advice yesterday, like: “I’m in a school, and I have to see my caseload on a webcam type of platform. What do I do?”

I think the routine recommendations that we have, like to get consent — all of that is really working when you’ve got face-to-face clients. Now it’s way more complicated when people can’t usually give you a signature, or they can’t give you a piece of paper.

That’s actually why I also gave the committee that long document. If you read through that, it kind of takes the flow. It starts with what happens when you’re trying to advertise. How do you find your target clients? How do you go through the free consult or consent process? That could apply to lots of different professions. Dentists do that. All of us…. In a way, that document takes a step back from telepractice and just says what the whole flow is when you’re managing a caseload.

There are so many steps in there that people get wrong around consent. Because there’s so much social media, people are doing stuff on Instagram with clients or on different platforms that are just not robust or not meant for caseload management.

A. Olsen: I think if we’ve got a Facebook page…. We’ve probably all had this, where someone will hit Messenger and put their entire story of their whole situation in a Messenger message. It’s not like…. I’ll say to them: “Look, you need to go through my constituency staff so that we can make sure confidentiality is maintained. We don’t know where that message is being stored.” There are all sorts of dynamic ways.

For people to get a hold of us and, also, not necessarily to protect the confidentiality in the whole process…. I’m wondering. Is there a place where professionals can go to get trained? This is just my ignorance, but is there a place where we can go get trained on these pieces of legislation and how they apply and when they apply to make sure, as a practitioner in any field, you can have a level of confidence that you know the legal environment you’re working in?

A. Krueger: I guess the short answer is no. My son is actually a lawyer, so I’ve asked him too. That’s what’s motivating me to create an online course around this specifically, for other therapists. It’s a broad problem.

[3:35 p.m.]

The fact that we have FOIPPA in B.C. and the fact that places like WorkSafeBC and the community brain injury program have case managers who are giving out government data…. It’s so many wrinkles. It’s so confusing for people.

We also have the autism list. The government keeps a list of people who are service providers for autism treatment. That is nice and clean because there are no case managers. Personal information — the person’s address and phone number; the basic contact — is not protected government information. That does not belong to the provincial government. When I do kids with autism, I get a billing authorization number from the government. I am allowed to email those families. I am allowed to have cloud storage of my case notes, because those are all falling under PIPA. The difference is that the government is not giving me case information. It’s not the government’s data.

A private physician who has an MSP billing number — they’re getting clients in the door. They’re doing interactions with the people. They’re collecting their own data, so they can use email. They don’t have to have all their referrals by fax. They can use those cloud systems because they’re a private business. They’re a physician’s private office, and they fall under PIPA. But as soon as they want to get into the health authority scans and records, then they have to follow FOIPPA.

It is hard in B.C., and I think FOIPPA makes it really hard. If I could persuade you guys to get rid of FOIPPA, that would make a lot of us really happy. But that’s not your job, right? It’s unique to B.C. I’m not sure what the history is in Nova Scotia. I’m not sure why they have a similar law. We’ve got Alberta, we’ve got Quebec that have some restrictions around public data. But B.C. is super strong on this whole idea of keeping the data in Canada.

R. Singh (Chair): Thank you so much, Adam.

Thank you so much, Anna.

Any other questions, Members?

Seeing none, I would like to thank you, Anna, for your time and for the important information that you gave to the committee. Thank you so much.

A. Krueger: You’re very welcome.

S. Sourial (Clerk Assistant): Madam Chair, only one of our next three presenters is here.

R. Singh (Chair): Is it B.C. Freedom of Information? Okay, wonderful. We are ready, then. He can go ahead.

Hello. Welcome. Thank you so much for joining the committee today.

Ten minutes is allotted for your presentation. We are ready. Thank you so much.

B.C. FREEDOM OF INFORMATION AND PRIVACY ASSOCIATION

J. Woywada: Great. Good afternoon. I’m Jason Woywada, executive director of the B.C. Freedom of Information and Privacy Protection Association.

I want to start by acknowledging and respecting that I’m presenting from the unceded Coast Salish territory of the Lək̓ʷəŋin̓əŋ, amongst the Songhees, Esquimalt and W̱SÁNEĆ people, whose historic relationship with the land continues to this day.

BCFIPA is a non-profit advocacy organization that has worked in areas of access to information, transparency and privacy for over 30 years. Our work predates both the public and private sector privacy legislation — FOIPPA and PIPA, respectively.

[3:40 p.m.]

I want to thank the committee for complying with the legislation in holding these PIPA consultations.

Our first few slides will be spoken to briefly, as they provide reference material for our presentation. Slide 2 details our table of contents for our oral presentation. This highlights our initial findings and recommendations. A detailed written submission will follow prior to the August deadline.

Slide 3 outlines our work to inform our submission. This includes public polling, consultations with various stakeholders and an extensive review of provincial, national and international privacy legislation.

Turning to public opinion, slides 4 and 5 identify relevant public opinion results that we will be referring to throughout our presentation. With that in mind, we can move to slide 6 to look at the current legislation and the changes required to meet the public’s privacy expectations.

Compared to other provinces and federally, B.C. PIPA has undergone zero substantive amendments in the last 17 years. This is concerning, especially at a time where extensive amendments within Canada and around the world have been made to privacy legislation. B.C.’s current legislation has been out of date for over a decade and requires reform to keep pace with best practice. A tweak isn’t going to fix this. It will not address British Columbians’ concerns and expectations.

Slide 7 highlights that British Columbians feel that current privacy laws are insufficient to protect their personal information. Inaction is not reflective of the public’s expectations and prior committees’ recommendations, which reached consensus on the need for change.

The committee and government both have real opportunities for change in today’s growing digital economy. Public consultation is a vital part of the legislative process, and we make the submission with the hope that the much-needed change will occur this time around. Changes are needed for two fundamental reasons: citizens expect increased privacy protection and education, and businesses face a real risk, which could impact the B.C. economy if the province is inadequate to the global data protection standard.

Slide 8 outlines the largest recent global change. The General Data Protection Regulation from the European Union has become the de facto global standard for data protection. It is a standard because it is modern, progressive and takes a rights-based approach to privacy. The adequacy status of Canada with the GDPR expires on May 25 and is under review.

Adequacy is not just a national consideration. Quebec sought adequacy as a subjurisdiction in June of 2014 and was delayed until it made the necessary amendments to its privacy legislation. Provincial subjurisdictions are subject to adequacy scrutiny, and the economic impacts of a non-adequacy assessment were discussed in detail by Dr. Colin Bennett.

With several discrepancies between the GDPR and current PIPA, the provincial government will need to take action to amend PIPA to ensure continued adequacy with GDPR. With all those considerations in mind, we move to our recommendations on slide 9.

First, reporting of data breaches should be mandatory, reflecting PIPEDA, Alberta’s PIPA, the GDPR and prior recommendations from special committees.

Next, we feel there needs to be steps taken to increase accountability and transparency by organizations, because Canadians and British Columbians don’t believe that organizations are open and transparent about how they collect and use personal information.

PIPA should be amended to require organizations to provide the purpose of collection in a manner that is specific, accessible and understandable. “Specific” means that where possible, separate, granular consent options, instead of blanket consent, should be required. “Accessible” means that an organization must take reasonable steps to bring relevant documents to the attention of the individual. “Understandable” means the information must be concise and intelligible, using clear and plain language like the GDPR.

We recommend PIPA be amended to require an organization’s privacy policies be publicly available, accessible and understandable. This is consistent with the GDPR and California consumer protection laws and benefits both consumers and businesses, as 69 percent of Canadians are more willing to do business with companies who provide easy-to-understand information about privacy practices.

We recommend PIPA mandate privacy impact assessments. PIAs promote transparency and accountability by organizations. This is similar to the GDPR and FOIPPA and enables the commissioner to take action against non-compliant organizations.

We’re also calling for professional standards through accreditation. We recommend that where an organization processes highly sensitive or large-scale personal information, PIPA should require those in charge of data protection in that organization to receive professional training, certification and registration similar to the GDPR.

Our next recommendation is regarding interjurisdictional transfers. Seventy-five percent of British Columbians are concerned about an organization transferring their personal information from B.C. to organizations outside of Canada. We recommend that organizations use contractual or other means with third parties outside of Canada to ensure personal information is adequately protected. This is similar to PIPEDA and the GDPR.

[3:45 p.m.]

We recommend that those contracts include certain mandatory components to reflect the GDPR. This should include auditing powers to the original data controller, clauses limiting the third party’s use and disclosure of information and the commissioner’s ability to review and audit those contracts for compliance. And to provide individuals control over their personal information, we recommend PIPA should specify that consent is required before interjurisdictional transfers, similar to GDPR.

Slide 10 highlights that access delayed is access denied. PIPA should be amended to explicitly state that failure by an organization to respond to requests for personal information after 30 days be deemed refusal of that request. This is to ensure enforceability for non-response and harmonization with other jurisdictions.

Next, specific to enforceability, there needs to be an expansion of the commissioner’s powers. Here we have three specific recommendations. We recommend the commissioner have the ability to levy extensive fines, and we support his requests and his recommendations. Importantly, seven in ten Canadians are more willing to do business with a company if it faces strict financial penalties for non-compliance. A U.K. study concluded that civil monetary penalties improve data protection and compliance, as organizations take data protection more seriously and increase staff privacy training.

The U.K. adopted the GDPR after the Cambridge Analytica scandal due to inadequacies in its monetary penalties. B.C. would be a leader in implementing these measures, because no Canadian jurisdiction has administrative monetary penalties yet, but this is expected to change.

We recommend that where the commissioner conducts investigations without a complaint, they have order-making powers for non-compliant organizations. Non-compliance is non-compliance and should be corrected, whether discovered by complaints or auditing.

We recommend that the commissioner should have the power to order organizations to undergo mandatory external audits and reviews to produce relevant reports upon request. This would ensure that non-compliant organizations receive training to correct their current privacy practices and build more secure privacy protection programs.

Additionally, we recommend PIPA should be amended to require that where organizations obtain personal information about individuals from third parties, the source must be noted in the individual’s file. This would be similar to recent changes enacted to section 7 of Quebec’s privacy act and reflective of GDPR.

Next we shift to recommendations that intersect other civil society groups and broader research. Slide 11 speaks to labour concerns mirrored in the general public regarding algorithmic transparency. Similar to the GDPR, PIPA should be amended to give individuals who are subject to automated decision-making a right to know about the logic involved in such decisions.

Under section 10 of PIPA, individuals have the right to know about how their information is being used by an organization, and new technologies shouldn’t undermine that right. BCGEU will be focusing on these details to greater extent, and we support their recommendations.

Next we move to blurred lines of public and private entities, on slide 12. We recommend the B.C. Legislature address the legislative gap which enables private entities to exercise public functions via public resources while displaying a lack of transparency and access to information. There’s a legislative gap that intersects PIPA and FIPPA in instances where private companies provide a public service through contract or funding. We’ve also raised this issue in our prior FOIPPA submissions.

Concerns have been raised regarding the actions of several private companies, including Bar Watch, LifeLabs and the real estate divisions in post-secondary institutions. This necessitates reform. As part of this, the BCCLA will be focusing on the privacy implications of private sector contractors or private sector community organizations sharing information with public entities. We support their recommendations.

Slide 13 speaks to the need for public education on privacy rights and protections for PIPA to be effective. We recommend an increase in resources to public education campaigns regarding PIPA so that the OIPC can maintain a balance of resources in education and enforcement.

As identified by the Canadian Bar Association, public education initiatives by the OIPC for B.C. have compromised the effectiveness of processing and adjudicating complaints. The vast majority of British Columbians strongly support increasing public education about privacy rights and protection, as well as changing educational curriculum to include privacy rights awareness.

Now before we wrap up, in slide 14, we want to highlight one important area where B.C. continues to lead. We want to recognize that B.C. protects personal information in the political domain and is a national leader for others to follow. This is also consistent with the GDPR. We strongly support the OIPC report and recommendations on this topic and urge B.C. to continue leading in this important respect.

To conclude, with slide 15, we have provided a list of recommendations for amendments to PIPA given that today, more than ever, personal information is being collected and stored in exponential amounts, being subject to advanced analytics and highly prone to being compromised. B.C. has an opportunity to regain leadership and amend its legislation to offer its citizens the protection they deserve, as well as be leaders for others to follow.

[3:50 p.m.]

Thank you for your time, and a big thank-you to FIPA staff Jiwan Sangha and Joyce Yan, who compiled and reviewed the submission. I look forward to any questions from the committee. I’ll take a breath now.

R. Singh (Chair): Thank you so much, Jason. Thank you for that very informative presentation.

I will open the floor for questions. Members, any questions?

S. Thomson: Thanks for the very comprehensive presentation. I’ll have a chance to go through your slides in more detail.

Maybe just for background for me, can you explain to me — you’re an association — how you’re structured and who your members of the association are?

J. Woywada: Sure. FIPA has a membership comprised of the general population, largely people involved in data and information. We receive our primary funding from the Law Foundation of British Columbia as well as from a community gaming grant from the province.

We work to make sure that we fulfil our mandate within the B.C. Societies Act. Largely, it’s based on transparency, access to information and privacy. We make sure that our members are informed about our actions and that they support what we’re doing in this regard. We also make sure that we’re complying with the program areas that we receive our grant funding for.

S. Thomson: Great. Thank you.

R. Singh (Chair): Thank you so much.

Any other questions?

Seeing none, thank you so much, Jason. That was very informative, as I mentioned before. When we do our deliberations, we’ll definitely consider your presentation as well. So thank you so much.

J. Woywada: Thank you very much.

D. Ashton (Deputy Chair): Thank you, Jason.

R. Singh (Chair): Welcome, Stephanie. I’m Rachna Singh. I’m Chair of this committee. We are really looking forward to your presentation.

We are ready whenever you are.

DIGITAL DISCRETION

S. Perrin: Thank you very much. I’m going to go through my written brief, which I believe you have. I’m not going to go through every detail in the biographical note.

That was a very comprehensive presentation that I just listened to from FIPA, who I’ve known for years. I am much less of an expert in what PIPA needs and more focused on international work.

As I say in the bio, I worked for the Departments of Communication and Industry for 30 years, and I spent ten years working on the development of PIPEDA. The intersection between PIPEDA and PIPA and the leadership of British Columbia in actually following that legislative regime and acting in the areas that the federal government cannot cover and that it’s up to the provinces to cover is kind of a focus of some of my remarks.

Now, thank you very much for inviting me to speak to you. As I say, British Columbia and Alberta have been leaders in complying with the legislative regime. Unfortunately — and I think you will see this in some of the presentations to you — public awareness of where we are in the information society in terms of an understanding of privacy, privacy rights, the balance between privacy and access to information is not quite there yet.

[3:55 p.m.]

I’m not saying that it is better in the leading regions, such as Europe, where the GDPR is easily the most progressive privacy legislation. However, we’ve got a long way to go in improving education for students so that they can participate in the information society with a knowledge of their rights and of the perils and risks. My longer paper will explore some of these aspects.

We tried to cover this in the Canadian standard model code on personal information, on which PIPEDA is based and on which the determination of equivalency in Canada is based, but those were early days. That was back in the second wave of privacy legislation. There’s work that needs to be done to improve some of the specificity here.

Now, I’ve written on what worked and what didn’t work in our efforts with the federal law. It was groundbreaking at the time because, frankly, we didn’t even have legislation at the provincial level for government-held personal information. This would have been…. PIPEDA was tabled in ’98, and PIPA came along in 2003, 2004. We’ve moved along since then, but the legislation has not.

The fact that British Columbia is one of only four jurisdictions that have had data protection standards under their powers indicates that federal efforts at harmonization have only borne modest fruit. I mean, Ontario has not passed privacy legislation for the private sector. Yes, PIPEDA flows around and covers what it can cover, but there are a lot of NGOs, not-for-profits and associations that are not covered because they’re not engaged in commercial activity. Unfortunately, I have no connection with what’s going on at the federal level in terms of modernizing its legislation.

I guess my message to you in British Columbia is: you showed leadership in the past, and you can certainly show it now. Post-COVID, I imagine there are quite a few things that the federal government is going to be focusing on, such as reimagining the economy, and there may not be the changes in PIPEDA that need to be done in order to ensure adequacy. That’s a fear that I have. I think that’s probably enough to say on that. I’m probably not going to get through my brief if I don’t hurry up.

In terms of the things that the GDPR has done right, the situation for the past 20 years in data protection law has been that companies have passed along, in contract, obligations to outsourced organizations — “processors,” they say in the European language — to look after information. However, that has often looked like boilerplate and has not actually been enforced. On the GDPR, they have moved ahead and insisted that organizations specify their splitting of liability. A company that outsources just about everything — that’s the way many large and even small companies have to operate in an online world — will use Amazon Services, for instance, for their platforms.

It is not realistic to think that those contracts can actually be fair dealing. So the GDPR moves forward and specifies the division of liability. Now, when we’re talking about division of liability, that assumes that there are significant fines in place. I echo the previous speaker — and no doubt Colin Bennett said the same thing: there really need to be fines in the modern world, or companies will risk-manage, as we used to say in government. You will see that on page 2 of my brief.

An enduring problem is transborder data flow, and the previous two speakers have talked about transborder data flow in the context of not letting the data of British Columbians leave the province. Unfortunately, in the trade agreements that we are negotiating — certainly with the United States and, I believe, with every other major power — there is an attempt to stop countries from keeping their data within the jurisdiction. We had an exemption away back in the free trade days, but those days appear to be over.

[4:00 p.m.]

It is difficult to insist on keeping data local, but citizens need to be aware that they lose their constitutional rights. They lose a lot of the protection from unjust harassment and persecution — particularly of concern, of course, for landed immigrants and new Canadians. And of course, enforcement of data protection rights is very difficult across borders. Not only do we not find out what’s happening — I have some examples in the paper — but how can our data commissioners chase it down and get redress for citizens? How to do this? It’s a conundrum. I hope we figure it out, because the trends tend to be for more and more transborder data flow.

It’s worth noting that the federal Privacy Commissioner released a brief in 2019 suggesting consent. Now, he later withdrew that paper. I think, personally, that trying to get consent from individuals every time that their data flows — when you’re talking about, possibly, ten different transactions in obtaining a service, ten different companies that might be exporting the data — is a bit problematic. But at least being aware of which companies are keeping your data in British Columbia and which companies are not — that might be helpful. Again, it goes to the education piece.

On this, I have to say that B.C. took leadership. The former Information and Privacy Commissioner, David Loukidelis, issued a call for comments way back in 2004. That prompted a complete review, at the federal level, of what we were doing with our outsourcing contracts, and it resulted in much better policy. I think we’re sliding downhill. I’m not in government anymore, obviously, but I think you could show leadership again by highlighting this in your review of the acts. It seems to me it’s a problem.

We do need enforceable standards. I have gone on here to explain our efforts to get enforceable standards. One of the things we tried to do was to take the Canadian standard attached to PIPEDA — which is the basis for the determination of equivalency, as I said — to ISO and make it an international quality standard. In that case, then, if you exported data, you could get an independent quality auditor to audit how the other country and the other company were handling your data.

I would say that we still need that. There hasn’t been any work done on it recently. Unfortunately, transborder data flow is just one of those issues that we’ve been working on for 40, 50 years. It might even be longer, but let’s say 50 years. It’s a hard problem.

I have recently been working on a couple of projects, funded by the Office of the Privacy Commissioner, on the concept of data trusts. We are very interested in this, quite frankly, in complex multi-stakeholder relationships where there’s data coming from all over.

We have a good example of a data trust — it’s not called that, but it’s been working for years: the Canadian Institute for Health Information. It doesn’t belong to any particular government; it is a separate agency. It gets health data from all the provinces; it puts that together. It has an ethics review before researchers can get access to it. There are many stakeholders there, and there are ethical rules, privacy rules, competitive rules and funding rules to ensure that that kind of data is available for good purposes.

That’s kind of an example of one model. We’ve been working on several other models. With some of the smart cities applications that we see and with some of the vertical integration that we see in big companies like Google and Facebook, we see a role to play here for a broader kind of functioning with more players involved. This is not to take away from the importance of the role of a very strong Privacy Commissioner with an education mandate and more resources, but we’re now in an information society. That’s not the only tool in the toolbox. We need new tools, and we need more civic engagement in these kinds of activities.

[4:05 p.m.]

The example I cite in the paper here is the recent — I would call it a fiasco, although perhaps the companies involved wouldn’t — harbourfront Sidewalk Labs effort in Toronto. Lots of benefit can be gained from the data that was being gathered. But figuring out who to trust and how to manage it — that involves a new kind of consortium.

Thank you. I’m out of time.

R. Singh (Chair): Thank you so much for that important information. Also, it’s good to know that B.C. has been a leader in privacy; we really need to keep it up. This committee could not come at a better time. When we’re dealing with the pandemic, privacy issues are at the forefront, and this committee is getting together, listening to people like you and the suggestions that are coming. We really appreciate that. Thank you so much for all of your time, effort and all the research that you have done into this important issue.

I will open the floor to questions now.

Members, any questions?

A. Olsen: Just really a comment. Thank you for your presentation. Kind of casting back to a comment that I made earlier, I just want to, I guess, make a note on the recommendation that you make about educating students.

I think, as we’re talking about how we can all become more informed and what these laws and the various laws…. We’re quick to move to introduce curriculum around coding and getting kids interested in jobs that are at the end of a computer and that develop tech and innovation. But I think that there’s also a really good opportunity to make sure that graduating [audio interrupted]. They’re very well informed on what the privacy laws are.

Just maybe a note for our friends in the Ministry of Education, that’s all.

R. Singh (Chair): Thank you so much, Adam.

Any other questions, Members?

Seeing none, I would really like to thank you on behalf of the committee. This has been a very useful presentation. Thank you so much for your time today.

D. Ashton (Deputy Chair): Thank you, Stephanie.

S. Sourial (Clerk Assistant): We don’t have any further presenters today.

R. Singh (Chair): So we don’t have anything? We don’t have Ending Violence?

S. Sourial (Clerk Assistant): No. Natalie Dunbar will be presenting on the 17th.

R. Singh (Chair): Okay. We are done earlier than expected.

S. Thomson: Just a suggestion. I was reflecting back to the presentation from the condominium owners association on the issue there. There was a suggestion to have the Privacy Commissioner come in and talk to us about the guidance document and legislation side of it.

We may at some point want to also think about having leg. counsel come in and talk to us about it as well — from the respective ministry, either Citizens’ Services or wherever the Strata Property Act falls as well — because of the crossover between the two pieces of legislation. It’s so we fully understand the legislative side of it. If we’re going to make some recommendations around change and the fact that it probably involves two pieces of legislation as opposed to one specifically, we may want to get a bit of leg. counsel advice in framing that recommendation. Just a suggestion as we plan ahead.

R. Singh (Chair): I agree with you, Steve.

D. Ashton (Deputy Chair): I also concur, and I’ll make you a bet that before this is over, we’ll see some cross-connection between other ministries and privacy.

R. Singh (Chair): I completely agree. Definitely we’d like the Privacy Commissioner to come back. Also, if we feel that any other ministry that we feel needs to present before the committee, Members, feel free. We’ll take the help of the Clerk’s office to arrange that.

[4:10 p.m.]

A. Olsen: I recognize that…. In the context of innovation and tech…. I know that we [audio interrupted] no longer. I was looking for another innovation commissioner. I just think, as this process goes, that perhaps for a new person to spin up might be a bit difficult. But recognizing the links between where the economy is moving towards, innovation, the innovation commissioner’s report that was just released and the emerging economy task force, as well as in agriculture…. There was an agritech report that was just released as well.

These are all really important foundational documents for government, but it would be really great to get that perspective if the incoming innovation commissioner, whenever that might be, has the opportunity to present. Just footnote that.

R. Singh (Chair): For sure. Thank you.

Any other comments, Members?

Susan, do you want to add anything?

S. Sourial (Clerk Assistant): No, Madam Chair. Our next hearing is next Tuesday.

R. Singh (Chair): Yeah, it’s Tuesday.

S. Sourial (Clerk Assistant): The 16th — yes, next Tuesday. I will send out the information for that hearing later this week.

R. Singh (Chair): Then we have one on Wednesday as well.

S. Sourial (Clerk Assistant): Yes. Correct.

R. Singh (Chair): Okay. Now, thank you, Members. I really enjoyed listening to all the presentations, as I am sure you did. And I really appreciate all your feedback and the questions that you had. This is definitely one of the most interesting committees I have ever sat on, and the timing of it is…. I would say that it’s perfect timing to do it. But thank you.

I would really like to thank Susan and Stephanie and also Lisa for all of their great work. Thank you to all of you.

Also Hansard, thank you so much for…. I know that this is a really different way to do it — the way you are trying to present it to the public. Thank you so much for your efforts. I’m really looking forward to seeing you again next Tuesday.

Do we need a motion to adjourn? Okay, I would need a motion to adjourn.

Dan, seconded by Adam.

Motion approved.

The committee adjourned at 4:12 p.m.