Fifth Session, 41st Parliament (2020)

Special Committee to Review the Personal Information Protection Act

Virtual Meeting

Tuesday, June 16, 2020

Issue No. 5

ISSN 1913-4754

The HTML transcript is provided for informational purposes only.
The PDF transcript remains the official digital version.


Membership

Chair:

Rachna Singh (Surrey–Green Timbers, NDP)

Deputy Chair:

Dan Ashton (Penticton, BC Liberal)

Members:

Mable Elmore (Vancouver-Kensington, NDP)


Adam Olsen (Saanich North and the Islands, BC Green Party)


Steve Thomson (Kelowna-Mission, BC Liberal)

Clerk:

Jennifer Arril



Minutes

Tuesday, June 16, 2020

2:00 p.m.

Virtual Meeting

Present: Rachna Singh, MLA (Chair); Dan Ashton, MLA (Deputy Chair); Mable Elmore, MLA; Adam Olsen, MLA; Steve Thomson, MLA
1. The Chair called the Committee to order at 2:04 p.m.
2. Opening remarks by Rachna Singh, MLA, Chair.
3. The following witnesses appeared before the Committee and answered questions related to the Committee’s review of the Personal Information Protection Act:

1) AggregateIQ

Jeff Silvester

2) Canadian Bar Association, B.C. Branch, FOI and Privacy Law Section

Sinziana Gutiu

Kelly Samuels

3) B.C. Government and Service Employees Union

Stefanie Ratjen

4. The Committee recessed from 3:12 p.m. to 3:19 p.m.

4) Retail Action Network

Pamela Charron

Kaitlyn Matulewicz

Andreea Micu

5) MediaSmarts

Dr. Kara Brisson-Boivin

Matthew Johnson

6) B.C. Civil Liberties Association

Aisha Weaver

7) Quay Pacific Property Management, Professional Association of Managing Agents

Leslie Haycock

5. The Committee recessed from 4:29 p.m. to 4:47 p.m.
6. The Committee adjourned to the call of the Chair at 4:48 p.m.
Rachna Singh, MLA
Chair
Jennifer Arril
Clerk to the Committee

TUESDAY, JUNE 16, 2020

The committee met at 2:04 p.m.

[R. Singh in the chair.]

R. Singh (Chair): Good afternoon. I would like to welcome everyone listening to and participating in the public hearing today. My name is Rachna Singh. I am the MLA for Surrey–Green Timbers and the Chair of the Special Committee to Review the Personal Information Protection Act.

I would like to begin by recognizing that my constituency is on the traditional territory of the Coast Salish peoples, in particular the Kwantlen, Katzie, Semiahmoo, Tsawwassen First Nation, Kwikwetlem and Qayqayt people.

We are an all-party parliamentary committee of the Legislative Assembly with a mandate to review the Personal Information Protection Act. Normally, the committee would have held its public hearings in person. However, due to the COVID-19 pandemic, public hearings are being held by video and teleconference.

[2:05 p.m.]

As part of our review, the committee is meeting today with individuals and representatives from various organizations to hear about how the act is working, along with any recommendations for improvement. British Columbians are invited to send us their thoughts in writing before August 14.

All the information we receive will be carefully considered as we prepare our report to the Legislative Assembly, which will be released in February 2021. More information is available on our website, www.leg.bc.ca/cmt/pipa.

I would just like to talk a little bit about our virtual meeting format. The presenters will have ten minutes for their presentations and ten minutes for the questions from members. For members who want to ask a question after the presentation, I ask that you raise your hand to indicate that you have a question, and we’ll keep a speaking list.

All meetings are recorded and transcribed by Hansard Services, and a complete transcript will be posted on the committee’s website. A live audiocast of this meeting is also available on our website.

I’ll now ask the members of the committee to introduce themselves. I’ll start with Dan Ashton, the Deputy Chair.

D. Ashton (Deputy Chair): Thank you, Madam Chair.

Jeff, my name’s Dan Ashton. I’m the MLA for Penticton to Peachland. Welcome.

S. Thomson: I’m Steve Thomson. I’m the MLA for Kelowna-Mission.

M. Elmore: Good afternoon. I’m Mable Elmore, MLA for Vancouver-Kensington.

R. Singh (Chair): Thank you so much. We are still waiting for Adam Olsen. He’ll be joining us very soon.

Also assisting the committee today are Jennifer Arril and Stephanie Raymond from the Parliamentary Committees Office. Amanda Heffelfinger from the Hansard Services is also here to record the proceedings.

Welcome, Jeff. We are really looking forward to hearing from you. I just want to tell you that you have ten minutes. After that, we’ll have some questions and answers.

Presentations on Statutory Review of
Personal Information Protection Act

AGGREGATEIQ

J. Silvester: Thank you for inviting me to come and speak with you today. As you mentioned, my name is Jeff Silvester. I’m the chief operating officer of AggregateIQ. We’re a Victoria-based technology company. We’ve had the privilege of having some experience working both here at home and around the world.

Some of you are, of course, aware that we had some recent high-profile dealings with the Office of the Information and Privacy Commissioner of British Columbia, having been the subject of a nearly two-year-long investigation. I come to you with a bit of a different perspective than most of the speakers so far. In particular, I come with a few ideas on how the process and the legislation could be improved, having seen it and lived it very recently.

To be clear, we were very happy to cooperate fully with the Commissioner, and indeed, we accepted and implemented all of their recommendations before the report was even finished. But nevertheless, there are always opportunities to improve.

I’d like to go quickly through a number of points where I feel that improvements could be made that would not only help businesses in B.C. to better understand and be able to follow the act but also help them just to remain competitive on a global scale. It also needs to be better for British Columbians by helping them protect themselves no matter where they go on the Internet — to companies’ websites that are here in British Columbia or to anyone around the world.

Quickly, because they're short on time.

Number 1, of course, is the relationship between the Information and Privacy Commissioner’s office and companies. From our experience, when our investigation started way back in December of 2017, it was letters back and forth. We had a couple of phone calls, but I could see that the communication was not clear. It seemed to me as though they didn’t really understand what we were doing, nor did I really understand what they were asking.

We suggested to meet. The immediate response from them was to issue an order to appear and testify under oath and have a transcript and everything created, which was fine. We did that. But it wasn’t really what I was looking for.

I was looking to really get together to try to find some understanding and to come to a common understanding about what we were really talking about. It was actually in the in-between times of answering their questions in transcripts when the real value — for my company, anyway — came in that investigation. Indeed, the recommendations that came out at the very end of this whole process…. Most of them I had already put into place, based on that very first conversation that we had in their offices with Bradley Weldon.

[2:10 p.m.]

I think that really, there’s an opportunity now to change the way that the OIPC works and to turn to something more akin to how the Competition Bureau here in Canada works or the FTC in the United States, where certainly they have an opportunity to levy fines and orders to produce records, but they go into a complaint and investigation with a goal of helping to fix the issue. Once they resolve the issue, they get the company to agree to follow those new changes and to make additional improvements. Only after that, if the company doesn’t meet those requirements, are they subject to fines and other issues.

That’s a way where you sort of fix the issues first, and then fine. The idea that you need to fine people straightaway, like under GDPR, is a little bit backward, I think, and it really doesn’t promote companies working with the OIPC openly. If they came in with a goal of helping to fix, then it would be a lot better.

Number 2 is time limits. Our case went on for two years. In that time, it’s very difficult for a small company to bring on new clients. When you’re going through the due diligence process, people ask: “Are you facing any lawsuits or under investigation?” And our answer had to be “yes.” So it was difficult for those companies, even if they wanted to work with us, to enter into a relationship.

For a two-year period, while we essentially waited…. We had provided them tons and tons of information. But essentially, they had other priorities. They had Facebooks and Googles and all sorts of things that the OIPC was looking into. At the federal level, there’s a time limit in PIPEDA. There should be a time limit for investigations here in British Columbia as well. There’s no reason why they couldn’t apply to a minister or someone like that if they needed an extension, but then there’s a level of accountability there that would help.

Number 3 is consistency for consent across multiple jurisdictions. Of course, we work all around the world, all across Canada, and laws are all very different. Within PIPA, there is the ability to rely on the consent obtained by another company somewhere else. We did that. But in our ruling, the commissioner said that our client abroad…. Even though, in all of the work that they were doing, they obtained consent consistent with their laws and everything that we did for them was allowed to be done in that jurisdiction…. Because we were coming from British Columbia, we also needed to ensure that those individuals’ personal information that was being used was collected in a way that was consistent with B.C. laws.

That places a big burden on companies that are working anywhere else in the world. To go in to a new client and say: “We’d love to do work for you, but we need to make sure all of your existing clients, all of your existing information, has been obtained in a way consistent with B.C. law.” It certainly puts a barrier up for B.C. businesses to work elsewhere, because they just won’t work with you if that is the case.

Number 4 is choosing between what sort of framework. I’ve heard, in other testimony that you’ve heard so far, people suggesting that we need to move to a GDPR-like situation. While GDPR certainly has some good points, it’s an incredibly cumbersome law, and it’s very difficult for small businesses to manage and to afford, quite honestly. It applies as well to small charities and churches and everything like this. So I think a better model is if you look at California.

California, of course…. Many of the states down in the U.S. are going to be adopting a law very similar if not exactly the same as California. So it really is incumbent upon us to look at the United States as both our largest trading partner and closest geographically, but more importantly are the real links between Victoria, Vancouver, the Interior and now growing into the north as well, in terms of IT, down to Silicon Valley, Microsoft down in Redmond and beyond. So the closer connections that way are a lot better for businesses here in B.C.

I apologize. These are very high level because there’s not a lot of time.

No. 5 is freedom of information. Currently the Office of the Information and Privacy Commissioner, though they’re responsible for freedom of information in British Columbia, are not subject to it themselves. I’m not suggesting that they have to have it completely open to inspect everything. Being able, for example, to find out for my own files who they were sharing our information with or even why it was taking so long, can help an individual with a file ongoing to find out what’s happening. It can give journalists and citizens some level of accountability and really just open things up to a little bit of public scrutiny.

[2:15 p.m.]

Finally, the last is…. The typical approach to privacy — how they’re doing it in the EU and even in California right now — is almost like closing the barn door after the animals have left. Largely, when people go browsing on the Internet, they’re going site to site. If they’re shopping, for example, it’s like they’re walking down Government Street here in Victoria, and they’re going to each store, shouting out, as they go, where they’re coming from, what their address is, what they’re looking for, how much they’re planning to spend and what they’ve looked at, at different stores. At each store, even if they just look in the window or if they go in, it’s like they leave behind a business card with all their information.

Then once all that happens, we’re saying to these companies: “Okay. Even though all those people leave all that information without you even asking, you can’t use it or you have to get consent from them in order to use it.” That’s fine if those companies are in British Columbia, but they’re browsing the Internet. They could be anywhere.

I think there’s an opportunity…. It might not be this committee, but certainly something to look at in terms of conversation, going forward, with the government and our telecommunications providers — the Teluses and Shaws and so on — is to provide options for British Columbians for private and secure Internet browsing. The technology is available.

I’m not saying it would be easy for them to do, but there’s certainly an opportunity there to provide some leadership where you can give customers options to know that when they’re browsing the Internet, they’re doing so in a more safe manner which is protecting their own privacy. You can do it from the providers. We’re lucky in British Columbia because there are very few, and it’s a regulated situation. They don’t have that same luck down in the United States.

So I think there’s opportunity there. If we did that, then while you still need to implement and make changes to our privacy laws to keep up with changing situations, you’re giving the assurance and protection to people in British Columbia who don’t know what goes on when they go on the Internet, what they need to do in order to stay safe.

Thank you very much for listening. I am happy to take as many questions as you like.

R. Singh (Chair): Thank you so much, Jeff. That was a really important contribution.

Now the floor is open for questions. Members, any questions?

S. Thomson: Thanks, Jeff, for your presentation and the perspective coming particularly from the experience you’ve had and things.

I just wanted to ask a question around the…. You talked about some of these changes being needed so that you could remain internationally and globally competitive. Just from your experience of things, just trying to get a bit of perspective on…. What is the balance, or what is the split, between companies that are operating in that global and competitive environment compared to companies or organizations that would be operating on a domestic level in this kind of space?

You talked about businesses having to manage the complexity of something like the EU set of regulation and things. What’s the kind of split — the structure of the business?

J. Silvester: Well, for our company, the vast majority of our business is outside of Canada. We have very few clients here in British Columbia. The bulk of the work is abroad — a few in Canada but mostly in the United States and in Europe.

But when you look at the realities of the companies working in British Columbia, there’s a huge amount of companies — some of the largest in the world that got started here — working in the advertising space. For those companies, it’s really just a question of clarity. To have barriers in place to working abroad will force companies to really re-evaluate where they’re locating their head office.

Obviously, I grew up here in British Columbia. We love it here, and our staff are mostly here in Victoria. So it’s important for us to be here. But for other companies, whether they’re located here or other places…. There’s a real risk that…. If our law becomes too restrictive too quickly as compared to the jurisdictions around us, it’s too easy to move, and thus, we’ve really accomplished nothing.

There is a balance in terms of making sure that companies can remain competitive while still being here in B.C. This is a great place to do business, but we don’t want to change that too much. And we still want to make sure that citizens are protected and that their personal information is being protected and kept safe.

R. Singh (Chair): Thank you so much, Jeff.

[2:20 p.m.]

M. Elmore: Thanks for your presentation. You referenced the law coming into California and looking to be taken up across the United States. It’s a contrast in terms of GDPR. Can you just talk about that a little bit and some of the main components in your mind with respect to what you think the advantages are of where they’re moving in California?

J. Silvester: My perspective comes from one of small business. The big difference between GDPR and the CCPA in California is that the huge penalties and the onerous regulations that apply really only apply once your business gets to a certain level. Really what they were targeting was the big, giant companies, like the Googles and the Facebooks and everything like that.

I don’t know that there’s a good way to really balance out a law applying to a small company like ours, which has less than ten employees, versus a Google, who have billions and billions in revenue. They can afford to have dedicated data protection officers. Quite honestly, when you look at Facebook, they can afford to flout the Canadian law. They’re fighting the OIPC and the Office of the Privacy Commissioner of Canada in federal court right now.

The law needs to be fit for purpose, and it needs to be reasonable that we can follow it and make gradual improvement and, at the same time, not be bogged down. Again, if it becomes too complicated for a small business to follow and too expensive, they just won’t. I don’t mean they won’t follow the rules. I mean they won’t go to the jurisdiction that forces them to do that when you could go to Alberta and have something less, or you could go down to Washington state. Then there’s the balance.

We’ve reformed everything that we’ve done in our company based on the recommendations that the Privacy Commissioner provided, so we do business a lot differently now. For us, whether it’s GDPR or CCPA or some made-in-B.C. solution, it’s fine with us. We’re happy with all of it. I just feel that for a lot of companies, especially when you look at the challenges that occurred in the EU, and in the U.K. in particular, with churches and charities, their emailing lists…. The pain that they went through in order to try to get compliant with GDPR was just enormous.

Whereas we’re not really trying to target a small company that emails their customers every month to encourage them to come in to buy something. You’re really trying to go against these bad actors who are taking advantage of this information and using it, selling it or whatever it is they’re doing. That’s the balance I think that the CCPA in California provides. It really targets those bigger companies to make sure they’re doing things right with both the requirements and, of course, the penalties.

R. Singh (Chair): Adam, welcome, first of all.

We were not able to introduce Adam Olsen. He’s here with us now, and he has a question as well.

A. Olsen: Thanks, Jeff, for your presentation. I guess one of the challenges in trying to balance the business aspect of this and then the personal information…. I can see a situation exist where the consent that’s given for how to use the information is not how the information ends up being used. I think that the fine balancing point that we have to come up with in all of this is just that. How do we make sure that what somebody is consenting to is actually what is happening on the other end of it?

I think that you’re absolutely right that those church groups and those other groups get people’s information and data for a reason, and then they use it for that letter, and perhaps that’s not what we’re trying to do. But those who are using data as a commodity, that is a completely different world that we’re operating in, and we have the responsibility to protect the citizens — and business. But I think primarily we have to be looking out for….

[2:25 p.m.]

It’s not just necessarily bad actors. This is kind of what caught me in your last response. It’s not necessarily bad actors. It’s just anybody that’s using that information for purposes other than what they initially told you that they were going to be using it for at the time that you gave them that information, right? That’s what we’re protecting as well. I mean, it could be a similar use but not the use that you consented to at the time.

J. Silvester: In B.C., the law, of course, has implied consent where they allow you to…. If someone is on your website and they sign up for email, they can reasonably expect that you’re going to send them an email. Then similarly, you could say: “Well, we’re using this information, and we’re going to use it to advertise to you.”

Then it really becomes a question of: does that mean that they understand you’re going to use it to ask Facebook to target this person for advertising? Do they understand that that means that you’re going to use it for Google to target them with advertising so they’ll come back to your store, or whatever it happens to be? Does that mean that they understand that you’ll use algorithms to process that information, compare it against other people and then use that to try to find other customers to come to your store, all because you’ve said we’re going to use it in advertising?

One of the components of GDPR — and it exists in the CCPA as well — is something I think B.C. should adopt, which is a requirement to have clear and plain English language about how people are collecting the information, what they’re collecting it for and what they’ll use it for, as well as giving them the information on how they can make inquiries about what you’re holding and correct it or delete, or whatever it happens to be. I think that’s a really easy, quick win, as well, where you can….

Right now, under British Columbia legislation, it’s very unclear. You are required to get consent, but there is a lot of wiggle room in that implied consent, and it has to really be narrowed down. To your point, there’s a difference between an algorithm sorting out who you want to advertise to…. Making decisions about a person and what they can do is another thing. There has to be some language around that as well.

I agree. It’s not necessarily bad actors. You’re right. There are people who…. We had it in our company. A programmer would come to us and say: “Oh, I’ve got this great idea. We can use this and do this, and then we can help make all of our advertising more efficient.” Then I say: “No, no. We can’t use that information. That’s just for this client. We can’t touch that.”

There’s a component there where it’s just people trying to solve problems and trying to be innovative. You’re very right. You’ve got to make sure that at the time that they provide it, they understand what you’re going to be doing with that information and that you hold your company to that and make sure that’s the case.

R. Singh (Chair): Any other questions?

Thank you so much, Jeff. That was really important information, and we really appreciate you taking the time and coming and meeting with us today, although it was virtual. Great information.

J. Silvester: My pleasure. Thank you very much for taking the time.

D. Ashton (Deputy Chair): Thanks, Jeff. Have a good day.

R. Singh (Chair): We have Kelly Samuels and Sinziana Gutiu from the Canadian Bar Association, FOI and privacy section.

We’re really looking forward to hearing from you. You have ten minutes for the presentation, and then afterwards, we have ten minutes for questions and answers. We are ready whenever you are.

[2:30 p.m.]

CANADIAN BAR ASSOCIATION,
B.C. BRANCH, FOI AND PRIVACY LAW SECTION

S. Gutiu: Good afternoon, Chair, Deputy Chair and committee members. Thank you for the opportunity to address you today.

My name is Sinziana Gutiu, and with me is Kelly Samuels. We are the co-chairs of the Canadian Bar Association, B.C. branch, freedom of information and privacy law section, which we call the CBABC. CBABC has over 7,000 members who are lawyers, judges and law students. Its focus is protecting the rule of law and the independence of the judiciary and the bar and improving laws, the justice system and access to justice.

Our written submission will be filed by August 14. I should also mention that we are not here representing the views of our employers or other organizations that we’re affiliated with.

Today we’re going to address three topics. I will be speaking about mandatory privacy breach notification and maintaining consistency with developments in national and international privacy legislation. Ms. Samuels will be presenting on protecting solicitor-client privilege.

When it comes to privacy breaches, the saying is: “It’s not a matter of if they will happen but rather when they will happen.” The privacy breaches that make the front page of the news are really only the tip of the iceberg.

In keeping with past recommendations from the CBABC and other submissions in the past few days that you’ve heard, we recommend that the committee consider amending PIPA to include mandatory breach notification to both the Information and Privacy Commissioner for B.C. and affected individuals.

I have three points in support of this recommendation. The first is that PIPA is lagging behind other provincial, federal and international laws. Our written submissions will expand on this point, in the interests of time, but it’s worth mentioning that last week the Quebec government proposed amendments that include mandatory breach notification.

This gap in PIPA is putting the safety of British Columbians at risk. They have no legal right to be informed when their personal information is affected by a data breach, even if they could suffer serious harm as a result.

The second submission on breaches is that this current lack of a requirement in PIPA can actually create confusion and delay for organizations who want to do the right thing. The Privacy Commissioner of B.C. provides helpful guidance to organizations on voluntary reporting; however, guidance is not the same as law. Having express legal provisions in place helps clarify what’s required if a privacy breach happens and helps organizations make the right decisions quickly.

My last submission on this topic is that if mandatory breach notification is included in PIPA, the thresholds and legal requirements should be consistent with similar Canadian and international privacy laws. This allows businesses and other organizations with cross-border activities to have a streamlined, predictable and consistent response to data breaches.

This takes me to my second topic, on the importance of maintaining consistency between PIPA and other federal and international privacy laws.

PIPA has a sound legal framework. It is a principle-based, flexible and technology-neutral law. However, when it comes to adapting to certain evolving technologies, business practices and individual privacy expectations, it has failed to keep pace with important developments in Canadian and international privacy laws.

I’ll touch on two examples to illustrate some gaps. First, artificial intelligence, in particular, challenges the principles of consent and transparency in PIPA. PIPA recognizes that organizations have to get consent from individuals and requires those organizations to explain the purposes for collection before the personal information is actually collected. However, one of the key benefits of AI is that it can provide valuable insights that are not always known, or can be predicted, at the point of collection.

Now, the European Union General Data Privacy Regulation, also known as the GDPR, tries to address some of these challenges presented by AI. Examples include requiring a certain level of transparency and notice for automated decision-making, giving individuals the right to object to their data being used in automated decision-making and providing other legal authorities, besides consent, for processing personal information.

[2:35 p.m.]

My second example, to illustrate some of the gaps, is that PIPA does not provide individuals with the same robust privacy rights compared to other jurisdictions, like the GDPR. The GDPR gives individuals the right, among other rights, to delete their personal information and the right to port or move their data between competitors. These don’t exist in PIPA.

The federal government is now also contemplating adding similar rights to the federal PIPEDA. Since changes to PIPEDA are still being contemplated, keeping an eye on future amendments is key to ensuring that PIPA maintains a substantially similar status with PIPEDA. There are also commercial benefits to PIPA striving for what is called adequacy status with the EU GDPR.

Our recommendation. When the Legislature considers these reforms, we strongly recommend structuring consultations as widely as possible to fully understand the potential impact and application of such amendments on B.C. organizations and on British Columbians.

Now, I know I’ve covered a lot of information during my presentation. These points will also be addressed in our written submission.

I look forward to your questions today. For now, I will turn things over to Ms. Samuels to cover our last topic.

K. Samuels: Thank you, Ms. Gutiu. I’m going to be speaking on solicitor-client privilege as it relates to PIPA.

The debate surrounding the ability of a privacy regulator to compel privileged information has been ongoing at both the provincial and federal levels for a number of years now. Since coming into force in 2004, PIPA has recognized and protected solicitor-client privilege. PIPA expressly states that nothing in this act affects solicitor-client privilege. However, PIPA also provides that a copy of any document required by the Information and Privacy Commissioner must be provided to the commissioner despite any privilege afforded by the law of evidence.

In 2008 and 2014, this committee received evidence from the Law Society of British Columbia that the ability of the commissioner to require provision of documents, despite being privileged, is inconsistent with PIPA’s express statement that nothing in PIPA affects solicitor-client privilege. The Law Society submitted that the power of the commissioner to compel the production of a document, despite solicitor-client privilege, should be removed because it does not adequately and properly protect the public interest in the administration of justice.

The Law Society’s and CBABC’s submissions, since at least 2008, have been that if a question of privilege is being raised in connection with a document, the matter should be dealt with by the B.C. Supreme Court. Similar discussions about privilege are happening, also, at the federal level.

There are four key concerns that the legal community, such as the CBA national privacy and access law section, has with allowing privacy commissioners to review privileged material or make determinations on the validity of a solicitor-client privilege claim.

First, it erodes the confidence that clients have in the justice system. The foundation of solicitor-client privilege is that clients must feel confident telling their lawyers everything that is relevant about their cases. If clients cannot be confident about the protections of solicitor-client privilege, there will invariably be a chilling effect in seeking frank legal advice to the detriment of the proper functioning of the justice system.

Second, if organizations follow best practices for discovery of privileged records, disputes regarding solicitor-client privilege should be rare and constitute an appropriate use of judicial resources.

Third, there is no requirement that the person who holds the Office of the Information and Privacy Commissioner have particular legal expertise or specific expertise on solicitor-client privilege.

Fourth, unlike the courts, the commissioners are not impartial adjudicators. PIPA empowers the commissioner to exercise both adjudicative and investigatory functions. Consequently, a commissioner can become adverse in interest to an organization. These features of the commissioner’s powers further indicate the disclosure of privileged documents to the commissioner is, itself, an infringement on the purpose and spirit of solicitor-client privilege.

Compelled disclosure of privileged information to the commissioner, even for the limited purpose of verifying a privilege claim, is a serious intrusion on the privilege. Compelled disclosure to a potential adversary, such as a complainant, is all the more serious. For these reasons, the most effective way of preventing the weakening of solicitor-client privilege in the context of privacy complaints and litigation is to limit the review of solicitor-client privilege claims to the judiciary.

[2:40 p.m.]

Currently LifeLabs is being investigated by the B.C. commissioner over a cyberattack that it reported in November of 2019. As part of the investigation, the commissioner ordered LifeLabs, as permitted by PIPA, to disclose a report prepared by LifeLabs’ cybersecurity expert after the incident was discovered. LifeLabs claimed solicitor-client privilege over this report and refused to comply with the commissioner’s order. A petition has been filed by LifeLabs before the B.C. Supreme Court for a declaration that the report is protected by solicitor-client privilege and cannot be compelled. This matter is still ongoing.

I realize I am out of time. I just have a couple more points. Is it okay for me to finish? Yeah? Okay.

In the past, concerns have been raised that organizations will over-apply the exemption. However, due to the need to balance the importance of solicitor-client privilege, the complexity of the legal analysis in confirming privilege and the need for an impartial decision-maker to make the determination, this type of review must rest with the judiciary. The commissioner is both prosecutor and judge, and it is improper for them to make the determination.

For these reasons, it is our recommendation that the committee consider amending PIPA to ensure solicitor-client privilege is adequately protected.

That is the end of my submissions. I would like to thank you for the opportunity to speak with you today. We are pleased to answer any questions that you have.

R. Singh (Chair): Thank you so much. Thank you, both of you. Very important information. Some of the points that you have raised, we have already heard before, as well.

I’ll open the floor for questions. Mable Elmore is the first one.

M. Elmore: Thank you very much for your presentation. Both very complex areas — artificial intelligence and solicitor-client privilege. I have a question for both.

First of all, in terms of AI and the expansion of automated decision-making that is just really happening exponentially, how does GDPR deal with it? Are there any…? I don’t know if we’d characterize it as best practices, but maybe you could just highlight, either in GDPR or in the United States, in terms of decision-making around privacy protection in the context of automated decision-making.

Then, also, with respect to the solicitor-client privilege…. I may have missed it; excuse me. With respect to the Canadian…. Is there a trend? Like, would you characterize this as a global trend around privacy protection and negotiating the complexity of protecting solicitor-client privilege but also, in terms of access to that information, FOI?

S. Gutiu: Sure. Perhaps I can address the question related to artificial intelligence, and I will let Ms. Samuels answer the question about solicitor-client privilege.

AI is definitely a very challenging topic for privacy and kind of traditional understandings of privacy. The CBABC submissions are, at this point, limited in that regard. We will be happy to expand on some of the examples already provided in our written submission.

I can preface by saying this. These types of considerations…. Some of the ways that the EU GDPR deals with it is by, for example, providing other alternatives besides just consent — by providing for this type of right that’s called legitimate interest where, within the law, you’re able to balance the interests of the company to use information in certain ways with the interests of the individual. So that’s one way — by providing various options besides just consent. PIPA is very consent-heavy.

Another way to do it — the way that the GDPR does it — is by requiring organizations to be transparent about not necessarily the output, if they are not able to predict it, but about the process. What are the actual mechanics? How is the AI actually working? What’s it doing with the information? How are you ensuring against bias? Those types of things. So it’s more of an emphasis on transparency and giving notice and communicating those aspects to individuals.

[2:45 p.m.]

The other thing that the GDPR does, as I’ve mentioned, is provide additional rights. So if a person doesn’t want their information to be used for AI or for automated decision-making, in the EU, they actually have the right to object to their information being used in this process. None of these exist in PIPA.

Right now PIPA allows individuals to withdraw their consent. But again, at the front end, if you have issues with getting the consent to begin with and really being able to clearly communicate what it is you’re doing with the information, that poses problems to the individual’s ability to withdraw their consent in the first place.

I’ll leave that there, and I will yield the floor to my colleague Ms. Samuels to answer the solicitor-client privilege question.

K. Samuels: Thank you. If I understand the question, it’s whether there is a trend towards the way PIPA is currently structured, and that is to allow a commissioner to compel privileged documents.

I think that Bill C-58, which is at the federal level…. That was recently enacted, and it’s an act to amend the Access to Information Act and Privacy Act and to make consequential amendments to other acts. That bill did make amendments to the Access to Information Act and the Privacy Act to permit both the Canadian Information Commissioner and the Canadian Privacy Commissioner to review records withheld by the head of government institutions on the basis that they are protected by solicitor-client privilege, professional secrecy or litigation privilege.

I think that, at the federal level, there has been some movement in that direction. However, our national section made submissions to the Canadian Parliament on that bill that were essentially along the same lines that we are speaking of here. So our position is consistent with their position.

Ms. Gutiu, if you have anything to add on that point, I’d welcome your comments as well, if anything.

S. Gutiu: No, nothing to add.

R. Singh (Chair): Thank you so much, Mable.

Any other questions, Members?

S. Thomson: Just a quick question around the solicitor-client privilege. You mentioned the current situation with LifeLabs and the difference of opinion, or the process it’s under.

Are there other examples of where this has become an issue? Or is it really that the current situation brought this to the forefront around the solicitor-client privilege aspect of things? Are there previous legal decisions — case law or anything — that relate to this over the last number of years, last few years?

K. Samuels: This is an example. There have been other instances of decisions where organizations being requested to compel documents have withheld them on the basis of a privilege claim. I think quite often they do go to the courts for decisions, but I don’t have another specific example at this time.

I don’t know if you have anything, Sinziana.

S. Gutiu: I think we will be able to expand on that in our written submission when those are filed by the deadline. We’ll get into more details about cases and things like that there.

S. Thomson: I think what I was looking for was whether there is a solution here that doesn’t involve tying things up in the courts. In terms of the timing and the processes and everything, that makes it a complex, drawn-out process, whereas if there was some other way of addressing this, as opposed to simply removing the requirement in the legislation…. Is there a better dispute mechanism process that could deal with this? Obviously, in some cases, the information is important for adjudication on the specific issue.

K. Samuels: That is noted, and we will take that back to our section and see if there is a further submission that we can provide in our written submissions on that issue. Thank you.

R. Singh (Chair): Thank you so much.

Sinziana, I think you mentioned something about the changes that are coming in, in Quebec.

[2:50 p.m.]

According to you, is the legislation they are bringing in closer to GDPR, looking at all that? We would be very interested in what is happening in other jurisdictions. You mentioned Quebec. My interest would be: what are they doing that we can bring in as well?

S. Gutiu: Our CBABC section has not had the chance to look at it in detail. They were just proposed, I believe, on June 12. So they’re very, very new.

The spirit of it, based on my quick review, is in keeping with the GDPR. I saw administrative penalties, for example, which GDPR has, and additional rights. I did see the mandatory breach notification provisions as well.

Speaking broadly, it seems to have the spirit of GDPR in there. What’s interesting is that the Quebec government took the initiative and are proposing these amendments before seeing what the amendments in PIPEDA are.

We don’t have a position on that yet. I just wanted to highlight some of these considerations.

R. Singh (Chair): That’s very useful. This is what we have heard previously as well. I know there are federal changes that might come, but it is good to know that some jurisdictions are coming up with those changes beforehand. That’s really important. Thank you so much.

I don’t see any other questions. I really appreciate both of you taking the time and coming and presenting to us today. It’s very useful information. We’re really looking forward to your written response. Thank you so much.

Welcome, Stefanie. I know this is not the environment we were planning to meet in, but this is the new reality. We’re really looking forward to your presentation.

Before you start, I just want to let you know that you have ten minutes for the presentation. Once your time is up, then we will have about ten minutes for questions and answers.

We are ready whenever you are.

BCGEU

S. Ratjen: I am speaking today on behalf of the B.C. Government and Service Employees Union. I am Stefanie Ratjen, who works as a staff representative in the BCGEU’s advocacy department.

BCGEU is one of the largest and most diverse unions in British Columbia. The union represents over 80,000 members in 550 bargaining units in the private and public sectors.

About a third of the BCGEU’s membership works directly in the government service. Their jobs include protecting children, providing financial assistance, protecting the environment, managing our natural resources, staffing provincial correctional facilities, fighting forest fires and providing the government’s technical and clerical services.

We also have an equally large range of workers who are working in the private sector. We are proud to represent thousands of members in health care, community social services, education, highways maintenance, casinos, credit unions and local governments as well as many other employers.

Today I’m here to provide an overview of our submission on a review of the Personal Information Protection Act. We will be providing a more detailed submission in accordance with the August submission timeline. The references for our sources today will be provided alongside that submission.

[2:55 p.m.]

As a trade union, the BCGEU is uniquely positioned as both an advocacy organization as well as an organization that is subject to the requirements of PIPA. We are able to speak from a principle perspective on what changes are required to better protect the rights of our members as well as a practical perspective of what can be done to improve and allow organizations that respect the requirements of PIPA to better meet its requirements.

Today I’ll be highlighting four different issues. One is that I will be discussing privacy and consent under PIPA in today’s working environment and the changes that we are seeing in today’s economy.

I will be suggesting recommendations to improve how an individual’s or an employee’s ability to consent to the use of personal information can be used and applied.

I will also be endorsing the position that the office of the independent Privacy Commissioner should be able to initiate investigations into matters without a complaint and issue orders based on that investigation.

The BCGEU also supports mandatory reporting to the commissioner for privacy breaches in circumstances where it’s reasonable to believe that a privacy breach creates a real risk of significant harm to an individual.

Before elaborating on those four points, I wanted to bring us back to the basics and why the BCGEU cares about this. While the term “privacy” commonly brings to mind closed doors or no trespassing signs or even the need to open up a new web browser window, ultimately privacy is about relationships — when you communicate some information to another party that it stays within that relationship. Because of that relationship, privacy is also about trust, in that you expect that the party receiving the information that you’ve communicated will only use that information in the way that you have intended it.

Privacy is also about boundaries, and there might be some truth to that old saying that good fences make good neighbours. Boundaries are needed, as different relationships use different information in different ways.

For example, while the information collected by a trade union or an employer may have some overlap, such as collecting the names or addresses of a member, that information may be put to different uses. An employer may use an address to issue a paycheque, and a trade union may use an address to communicate with a member about a potential grievance. Recognizing how information can be used in different relationships and protecting those relationships is why PIPA is such an important act.

We recognize that consent plays a critical role in how personal information may be accessed and applied under the current version of the act. This means that in most circumstances, an organization must acquire the consent of the individual in order to collect, use or disclose their personal information for a particular purpose. We also acknowledge that consent is implied if an individual voluntarily provides that information for an obvious purpose.

However, in today’s economy, digital technologies have made it much easier for the private sector to collect, share, use and store personal information. The shift from paper-based to a digital format records-based environment has led to a dynamic overcollection. Further, with the technology we have today, information that would have historically been considered objective is now being linked to create individualized profiles that identify a person’s preferences, interests and even recently used search terms.

These conditions have resulted in a situation where the individuals are bearing a great deal of responsibility to inform themselves of an organization’s privacy management practices and understand the nature, purpose and consequences [audio interrupted].

In practical terms, the consent-based approach to protecting how personal information is being applied no longer has the significance it once had. The balance is now being tipped in favour of those who are collecting information and away from the people who this information is about.

We support the recommendation that the act should be amended to require that organizations provide the purpose of personal information collection to individuals at the time of collection in a manner that is specific, accessible and understandable, thus allowing them to provide actual and informed consent. I understand that this recommendation is [audio interrupted] already put forward to you by the Freedom of Information and Protection of Privacy Association.

J. Arril (Clerk to the Committee): Stefanie. Sorry, this is Jennifer, the Clerk. My apologies. Would you mind just maybe turning your video off. We’re going to see if that might help the bandwidth, because you’re cutting in and out just a little bit.

[3:00 p.m.]

S. Ratjen: I was just talking about consent. One of the issues that the BCGEU is particularly concerned about is the imbalance of power for employees when it comes to how an individual employee’s information is being used. We recognize that under section 13 of the current act, PIPA carves out a subset of personal information for employees, or employee personal information. Section 13 of the act establishes that “an organization may collect employee personal information without the consent of the individual.”

“Employee personal information” has a very broad definition under the act. It is “personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual’s employment.”

Now, that is a very broad purpose, and it raises significant concerns for employees. With the technology we have today, as I outlined previously, information that would have been considered objective in the past is now being linked to create individualized profiles that an employer may be able to track under the auspices of managing an employment relationship.

More recently, in light of the COVID pandemic, we are aware that employers are now collecting biomedical information about their employees, such as temperatures, in order to test whether they are allowed to show up for a shift. There need to be assurances for employees that any personal information collected by an employer will be managed appropriately. Particularly with sensitive information, there needs to be clarity over how that information will be used, even within that employment relationship, and it cannot be a one-way street.

There need to be stricter parameters over what types of information an employer is able to collect without consent. We will be providing examples of how this may be better achieved in our forthcoming written submission.

On the final two points that I’ll highlight today, we believe that the independent Office of the Privacy Commissioner should be able to initiate an investigation into matters without a complaint and to issue an order based on that investigation. We support that office, as well as organizations such as the B.C. Freedom of Information and Privacy Association — and, I understand, the B.C. Civil Liberties Association as well — on that point.

We also note that this was one of the recommendations of this special committee in the last review of PIPA, and the commissioner already has this authority in relation to public sector privacy regulations under the Freedom of Information and Protection of Privacy Act. We stand by the principle that independent investigations and orders coming from the commissioner are important in promoting accountability and are an important way to balance privacy and individual rights with accountability.

The BCGEU also supports mandatory reporting to the commissioner for privacy breaches in circumstances where it is reasonable to believe that the privacy breach creates a real risk of significant harm to the individual. We recognize that the federal private sector privacy laws were amended to require private sector organizations to notify the federal commissioner’s office of significant privacy breaches, and we call on this provincial government to do the same.

Our position is that the mandatory reporting provision in B.C. should be similar to that which came into effect in November 2018 under the federal PIPEDA. That would require notifying the Information and Privacy Commissioner of B.C. and the affected individuals, and for the organization to keep a record of the breach.

In summary, PIPA needs to be updated to reflect that digital technologies have made it much easier for the private sector to collect, share, use and store personal information. Our written submission will be provided, and the principles we are identifying today can be summarized.

There need to be stricter parameters with how employee personal information is collected, particularly as the current act does not require that an employee consent to the collection of such information by their employer. Secondly, the independent Office of the Privacy Commissioner should be able to initiate an investigation without a complaint and to issue an order based on that investigation.

We also support mandatory reporting to the commissioner for privacy breaches if it is reasonable, in the circumstances, to believe that the privacy breach creates a real risk of significant harm to an individual. We note that the recommendations to amend PIPA remain outstanding from the previous review, and we call on this government to ensure that a similar situation does not take place with this current review.

[3:05 p.m.]

On that note, thank you, on behalf of the BCGEU, for the opportunity to make a submission.

R. Singh (Chair): Thank you so much, Stefanie. Thank you for your presentation.

I’ll open the floor for questions now. Members, any questions?

Mable, do you have a question?

M. Elmore: Thanks for the presentation.

Are there specific additional examples that you can cite with respect to some of the points you made — just to help to concretize it? That just came to mind for me.

S. Ratjen: Yeah, absolutely. One of the issues that we’re most concerned about right now is the changing environment that we’re in, particularly in light of the COVID-19 pandemic. We’re seeing practices developed by employers — such as in the community services environment or even in the retail environment — where employers are requiring that employees provide biomedical information, such as temperatures, before showing up for work.

While we understand that there is a public health pandemic and that this is an unprecedented environment, we are concerned that the way PIPA currently reads is that employers are able to collect a large swath of personal information about their employees under the auspices of managing that relationship. We need to have better clarity as to how an individual will be able to control that information.

R. Singh (Chair): Thank you so much, Stefanie.

Mable, do you have another question?

M. Elmore: No, that was basically it. Yeah, it’s certainly unprecedented — the pandemic. Then, with respect to the collection of information on employees, it’s very concerning.

Can you speak to…? I don’t know if you have experience, also, in terms of…. Have you heard of these instances from your members, from the unionized members? In particular, if members are not unionized, they don’t quite know what their rights are or have an avenue to follow up and ask questions. There’s a disparity. Then also, with respect to precarious workers — marginalized workers, temporary foreign workers, this type of thing — this is also a concern. I don’t know if you can speak to that — just the precarious nature of workers.

S. Ratjen: Absolutely. I recognize that unionized workers do have more of a recourse to hold their employers to account than a lot of people who are working in a non-unionized environment. That particularly holds true for migrant workers.

With regard to personal information, again, one of the issues that we’re seeing is that there are so many ways in which, through technology, objective markers are now being linked together. If someone, for example, likes a particular group on Facebook, or maybe they show that they’re going to be attending on line through a different forum, employers are in a better position to be able to monitor those types of activities.

If there’s a situation where an employer is deeming that showing up at a particular event is, for whatever reason, impacting the employment relationship to the extent that they believe it to be unfavourable and warranting termination, they can now go ahead and do that. That type of access to information has not been as readily available for individuals. Particularly in an environment where we have a large number of non-unionized workers, as well as migrant workers, who are experiencing higher levels of precarity in terms of their employment, we want to ensure that there are protections in place for all workers.

M. Elmore: Yeah, thanks for that. I know that I’ve heard accounts of migrant workers on farms. They were fitted with tracking devices so that their employer could really monitor their production, how fast they were moving — monitor every moment, every second.

[3:10 p.m.]

S. Ratjen: Particularly in the context of workers who are in a live-in type of environment. Not all migrant workers are in that situation. A lot of times there are employers who are controlling not only the place of work or the worksite, but they’re also controlling the place where the individual has their leisure time and goes home, at least while they’re working.

Why we need to have better controls for employees in those situations is because…. What happens if the employer is monitoring an employee’s off-work conduct because of the sole purpose of them living, out of necessity, close to the farm, potentially, that they’re working on? There aren’t adequate protections in place for those migrant workers to hold their employers to account and, also, to be able to stand up to their employer and say: “Look, my web searches are not relevant to my ability to work for this employer.”

M. Elmore: Right. Thank you very much.

R. Singh (Chair): Thank you, Stefanie.

Dan, do you have a question?

D. Ashton (Deputy Chair): No, I’m fine. Thank you.

R. Singh (Chair): Thank you so much, Stefanie. You brought in really important points, especially the situation that we are going through — the pandemic and the use of technology and also how privacy can be breached so easily. Very important information. Thank you so much for your time. I’m hoping to hear from you and to get the detailed information, the written information, also, from you. Thank you so much.

D. Ashton (Deputy Chair): Thank you, Stefanie.

R. Singh (Chair): Let’s break now, so five minutes. At 3:17, we’ll be back.

The committee recessed from 3:12 p.m. to 3:19 p.m.

[R. Singh in the chair.]

R. Singh (Chair): Welcome, Andreea, Kaitlyn and Pamela. You have ten minutes for a presentation. After your presentation, the committee members will have the opportunity to talk to you.

We are ready whenever you are.

[3:20 p.m.]

RETAIL ACTION NETWORK

P. Charron: Well, first off, thank you for having me. The Retail Action Network is a community-based workers’ rights organization fighting for workplace justice, increased wages and better conditions for non-unionized retail, food service and hospitality workers in British Columbia. We provide this submission for consideration of the Office of the Information and Privacy Commissioner in supporting amendments to legislation, policies and procedures and hope to modernize privacy protections in the interest of improving fairness and equity in the workplace for workers.

Our knowledge of workplace conditions in respect to surveillance is that workplaces that are largely video-surveillanced are low-wage work, such as retail and hospitality, and the majority are women who work in these places. The current protections under PIPA have consequences on the lives and well-being of workers across the socioeconomic spectrum, and the deepest impact is felt by marginalized workers who are paycheque to paycheque from hunger, eviction and homelessness.

These consequences could be substantially mitigated if PIPA was adequately enforced and workers could depend on better protection under PIPA. Given the state of workers’ rights and protections in B.C. during the pandemic, we welcome the opportunity to provide this submission.

I’ll be talking about proactive enforcement. The suggestion that I have about proactive enforcement is the removal of the 30-day wait period. Currently employees need to let their employers know that they are in breach of PIPA, and once the employee approaches their employer, the employer has 30 days to respond to remedy the issue. If the employer does not respond within 30 days, then they can file a complaint under PIPA.

This is problematic because workers risk losing their employment by bringing up a privacy complaint to their employers. A remedy to the 30-day period for the Retail Action Network would be removal of this 30-day period. An example: the removal of a self-help kit from the employment standards branch in May 2019.

Secondly, a better balanced investigation practice. In our experience, the investigation holds more weight on the standpoint of the employer, leaving more room for the employer to explain themselves without investigating the perspective and experiences of the workers facing privacy issues at work. A remedy to this would be a proper document disclosure from all parties involved in the complaint.

Third, reasonable disclosure of information is ambiguous. Employers are in contravention of PIPA if the collection is unreasonable. An example, therefore…. If the employer turns off the cameras in the workplace, this would remedy…. The issue is to be reasonable. The Retail Action Network would like remedy to this as limitations on this ambiguity — for example, concrete protections and rules on how many cameras an employer can have per square foot in their establishment.

Lastly, under proactive enforcement, more defined penalties for employers that contravene the act. The Retail Action Network believes that said penalties should be fines given to employers that contravene the act. Though there are up to $10,000 in penalties possibly allocated to employers contravening the act, penalties don’t apply only if issues have been unreasonably resolved. Therefore, we’d like to see more proactive enforcement in terms of penalties for those who contravene the act.

Now I have Kaitlyn here.

K. Matulewicz: Hello. Thank you for having us.

I’m going to speak about the ways that the policies are outdated when it comes to technological advances and also provide a specific example of a case that Retail Action Network took on when filing a third-party complaint. On that note, I think that the third-party complaint feature of PIPA is a great way to make the rights under PIPA accessible to workers, because it allows for organizations to be that third party. So that is something that we think is working well.

Obviously, you know that the act hasn’t kept up with technological change, which is why you’re here and why we’re all here, among other reasons, for reviewing the act. The Office of the Privacy Commissioner has tried to address this through…. Or my understanding is that they’ve tried to address this through guidelines, so there’s a guideline document on the overt use of video surveillance. But these are guidelines only. It’s our understanding that these guidelines don’t have the same teeth as sections of the PIPA act do.

[3:25 p.m.]

In our experience, these guidelines — speaking to the ambiguity that Pam raised — are being interpreted in a way that is more favourable for employers and don’t take into account the inherent imbalance of power between employers and employees. I don’t know if this is because the act is trying to do too much by protecting individuals against the improper collection of personal information from organizations and trying to protect people, as employees, against organizational collection of data.

In our experience with filing a third-party complaint, it was against a small retail store with six employees. They were using seven cameras, and the cameras were on 24-7. We filed a third-party complaint, as I said, to keep their identities confidential. The complaint was substantiated. The officer found that there was in fact a violation and that six out of the seven cameras were not reasonable under the act. In response, the investigating officer believed that it was okay, as the employer suggested, to simply turn off the cameras and stop recording and leave the cameras up in the workplace — and that that would remedy this breach of the act.

We appealed this decision, obviously, because we believed that…. Even though the employer wasn’t collecting personal information, which is what the officer said, we believed that having the cameras up and even turned off was, really, still an invasion of those workers’ rights when it comes to…. As far as the workers knew, those cameras were on and rolling. That’s still a very intimidating tactic to use in the workplace. That impacts the dignity of the workers. That’s a form of intimidation.

That’s an example of where these guidelines were interpreted in a really narrow way and in a way that I don’t think held the spirit of the act in terms of the broader privacy protections when it comes to privacy in the workplace, reasonable expectation of privacy and the need to uphold the dignity of workers. That’s kind of a concrete example.

In terms of workers’ rights and education, we also believe that there needs to be more outreach to let people know what their rights are in the workplace to begin with. Related to that, I’m going to turn it over to Andreea, our final speaker.

A. Micu: Hi, everybody. Thank you for having us. One of the things that we’ve noticed here at the Retail Action Network, in terms of video surveillance in the workplace — kind of what Kaitlyn began speaking about — is that retail and service workers are far more likely to have video surveillance at their work than other workers do, not only in public-facing areas of their workplace but also in staff break rooms or other places at work where they should reasonably be able to expect privacy.

Employers often state that it’s reasonable to do so in the interest of security or avoiding theft, for safety reasons. What we’ve noticed is that often it’s considered reasonable to do so in retail workplaces more so than others. What seems to be considered reasonable and appropriate in a lower-wage retail environment that primarily employs women, often younger women, seems to be different than what’s considered reasonable and appropriate in other types of workplaces.

That’s an example of how determining whether or not there’s a contravention based on what’s reasonable and appropriate can enforce existing biases and cause PIPA to work for some workers more than others and protect some workers more than others. We believe that there should be safeguards in place to make sure that all workers’ privacy rights are protected equally.

Overall, we’d like to see employers be far more limited in how they can use video surveillance in the workplace as well. In our experience speaking with workers, it’s actually fairly common to have the use of video surveillance in the workplace being kept purposely ambiguous, specifically to intimidate and control workers, and the fact that that is their purpose should already be in contravention to the act, even if they aren’t breaking the law in terms of who they’re sharing that information with and who has access to that information.

Separately, we are aware that there are guidelines in place for how surveillance can be used in the workplace, but in our experience, those guidelines are also often ignored. One thing that allows that to happen is that workers are not aware of their privacy rights at all, most of the time.

[3:30 p.m.]

One thing that would help with that is being required to have them posted in the workplace, requiring employers to have them posted in the workplace, much like employment standards or WorkSafeBC, in order for workers to know they have rights in the first place and when those rights are not being upheld.

Additionally to that, to have information for workers to know how PIPA applies to them as workers specifically rather than just a member of the public. Keeping in mind that they are in an especially vulnerable position and are affected in a different way. To have something specifically communicated to them about how the act applies to them as workers and how the complaint process would look like for them as well. So it’s not enough to know that they have rights, but what they can do about it as well.

Also additionally to that, the fact that currently PIPA doesn’t offer job protection for workers who are addressing their rights in the workplace. The first thing is that they have to confront their employer about it. We see, all the time, employers retaliating in the case of employment standards complaints, human rights complaints and WorkSafe complaints. There’s no reason that that wouldn’t be the same case with workers addressing privacy complaints in the workplace. So that’s going to lead to either workers not addressing their rights and PIPA not doing anything for them in the first place or to workers getting in trouble, losing their jobs, losing wages, and so on, because of that.

One thing that we would like to see is job protection and protection against retaliation, but more so than just having something saying that. In order to actually protect them against retaliation, they need to be able to be reinstated in their jobs if they do face retaliation or be able to be compensated appropriately in order to do that. That was all I had to say about that.

R. Singh (Chair): Thank you all three of you for the presentation. It is very important.

Just before you, we heard from BCGEU, and they brought some concerns as well. [Audio interrupted] especially for the vulnerable employees. That was brought up by my colleague as well. MLA Elmore also brought that up. You have described it really eloquently. Thank you so much.

I’ll open the floor for questions.

Mable, did you have a question?

M. Elmore: Yeah, I do. Thanks, Rachna.

Thanks, folks, from the Retail Action Network for your presentation and also for the great work you do advocating on behalf of workers who often experience precarity.

Rachna mentioned that this topic has come up previously, and certainly it’s of concern to us as we review the act and ensure that workers’ rights and, particularly, precarious workers’ rights are protected. So thanks for your recommendations.

I just wanted to clarify…. I think that it was Pam who made the initial presentation.

Pam, you mentioned the 30-day period. Are you recommending that…. It’s kind of tied to, you know, that it’s a complaint-driven versus a proactive process. So is your recommendation for the process to be proactive versus…? Maybe if you could just talk about that. I know it runs through the theme of your presentation, but just the specific recommendation around complaint-driven versus proactive and then the 30-day period.

P. Charron: Yeah. So the idea would be to remove the 30-day period in order for…. Workers shouldn’t have to address the person that may have violated their privacy, especially if it’s a precarious worker or if it could have been a really intense situation. And in so removing that 30-day period, it would remove that barrier of that worker coming forward to PIPA. In terms of proactive enforcement, it’s proactive in a sense where it’s not relying on the worker to do the work, but it’s up to PIPA to create, on their end, a more proactive enforcement rather than forcing the worker to do the work on their own.

I don’t know if Kaitlyn has anything to add, or Andreea?

[3:35 p.m.]

A. Micu: Yeah, for sure. One of the barriers to workers coming forward is specifically the fact that they would have to address their bosses or managers when their rights have been violated. Especially in the case of privacy rights, those are usually the very people that are violating their rights. So confronting somebody that has power over them about something that they did is usually either going to lead to retaliation or workers not coming forward.

Similarly to the way that the Employment Standards Act has changed from having a self-help kit to address complaints and it goes straight to investigation, we suggest that the same thing be done for privacy complaints. Then that also takes the pressure off of the worker in the period of time when they filed a complaint until the OIPC can address it. They don’t have to face that kind of tension or problems or stress in the workplace where the employer is aware of the complaint.

M. Elmore: Right, thanks. Yeah, that’s an important issue and a good parallel with respect to employment standards and the policy change of direction that’s taking place there.

If you guys could fill me in: are there investigators that are able to investigate, or who are the officers that would undertake these investigations? Are there any right now?

K. Matulewicz: Yeah. That’s a good question. Definitely navigating their website to find out how you even file a complaint, what that process is and what your rights are in terms of appealing that complaint — very difficult to find. But in our experience filing a complaint, there are officers that then go out and investigate that complaint.

I’ll say again that I think it is more one-sided, from our experience, in filing and drafting the third-party complaints. The investigation has consisted of going to the employer, asking for their story, basically, and then writing up their findings and sending them off without, for example, investigating or trying to speak with the workers or hear what their side of the complaint was. Then they send a written letter, and then you can appeal that written letter. We appealed that written letter, asking for reconsideration. It was denied.

Again, the letters that the officers send out don’t have a statement in there about what your procedural rights are when it comes to appealing their decisions. When it comes to issues of administrative law and procedural fairness, I think that that is something that’s missing and could be in there. Again, it’s really hard to navigate and find out what your rights are in asking for a reconsideration of the decisions that are written out by officers.

I think the commissioner’s office could learn from employment standards, because in that way, it’s clear on what your rights are around that.

M. Elmore: Great. Yeah, that’s helpful. Thank you.

R. Singh (Chair): Adam, did you have a question?

A. Olsen: Right up against the time here. I just want to thank you for your presentation. The advice with respect to posting workers’ rights, I think, is really good advice and one that we should take forward.

Just the assumption that everybody knows what their rights are is a wrong assumption. If we can make sure that our workplaces have the information available for employees that they need, I think that’s the very least we can do. So thank you for that presentation.

R. Singh (Chair): Thank you so much. That was really a wonderful presentation. The issues that you brought up, especially for our vulnerable retail sector, are very important.

What Adam has said — I just want to echo it. It is important that the employees don’t have to look out for the information when they are making the complaint. It should be readily available to them. I completely agree with you on that.

Thank you, all three of you, for taking the time and coming for this presentation.

We are ready with MediaSmarts.

Welcome, Kara and Matthew. Thank you for taking the time for your presentations.

[3:40 p.m.]

Both of you have ten minutes to present. Once you have finished, then there will be an opportunity for questions and answers.

We are ready whenever you are.

MEDIASMARTS

K. Brisson-Boivin: Good afternoon. Thank you for this opportunity to present to the Special Committee to Review the Personal Information Protection Act — or PIPA, as I will refer to it in this presentation.

My name is Kara Brisson-Boivin. I am the director of research at MediaSmarts. I am here with my colleague Matthew Johnson, the director of education.

MediaSmarts is Canada’s non-profit centre for digital media literacy. Our work falls into three main areas: education, public awareness, and research and policy. Since 1996, MediaSmarts has advanced digital and media literacy in Canadian schools, homes and communities to help children and youth develop the critical thinking and digital literacy skills they need to benefit from the digital economy and society.

We’ve been working on issues of online privacy and consent within the context of digital literacy and digital citizenship with young Canadians for over 20 years, with frequent support from the federal and provincial Privacy Commissioners. Our work includes both resources for teaching young Canadians and the adults in their lives about a wide range of privacy issues as well as research on youth attitudes, experiences and behaviours relating to privacy.

Our submission today is based on quantitative data from nationwide surveys of young Canadians as well as what they have told us in interviews and focus groups. Despite stereotypes to the contrary, our research shows that young Canadians care deeply about their privacy on line and how their information is collected and used. However, youth often express very different understandings of these primarily adult-conceived ideas, processes and policies.

In particular, while they have very clear social norms around expectations of privacy and consent among their peers, youth typically view data privacy through the same lens and expect the corporations whose platforms they use to respect those same norms. In fact, youth often do not see themselves as having given consent to businesses or online platforms at all, despite having agreed to the privacy policies and terms of service.

Instead, youth want organizations and platforms to take cues from their actions. For example, many feel that opting to make an account private should be taken to mean that they do not want the platform to share their profile or data with other businesses via data brokers, as well as limiting the ability of other users to see it.

What our research shows — particularly in the last five years as our public consciousness regarding online privacy, data breaches and information mismanagement has risen — is that youth envision a model of privacy and consent based on what they expect of their interpersonal relationships: that corporations will respect the wishes youth communicate by their actions and choices; that consent should be sensitive to context, rather than taken as blanket consent for all potential scenarios or engagements; and that youth be able to make decisions about privacy and consent each time they share something — so, for example, for every photo they post.

Further, our research shows that youth expect to be able to withdraw consent retroactively, asking for things to be deleted after they are posted, rather than giving consent before posting content. As early as 2013, and certainly in each of our last three major research projects covering privacy and consent, young people identified excessive corporate monitoring and also corporate data collection as “creepy,” “weird” and “stalkery.”

Motivated by their desire and, frankly, the necessity to remain on line, young Canadians are resigned to the notion that they must pay to play, and the currency is personal information. The choice they see in front of them is simple: give marketers what they want or give up access.

While legislation and regulation in some jurisdictions provide special protections for children under 13, our research indicates that youth feel strongly that all young people need a distinct consent process that would respect their developing understanding of the data economy and the increased risk of long-term consequences of data collection.

Young Canadians’ conceptualization of consent as relational, as ever-evolving, as retroactive and context-specific has important implications because the regulatory model depends on users consciously consenting to the use of their personal information by corporations following a corporate transactional model.

While our research shows that youth have little awareness of their rights under privacy legislation, when they are made aware of them, many young people conclude that their agreement to online terms of service and privacy policies does not meet the Office of the Privacy Commissioner’s definition of “meaningful consent.”

[3:45 p.m.]

To make consent meaningful, the youth we spoke to want more information, more control and more transparency from online platforms. They want clear and simple online privacy policies, and they have a desire to actively participate in the reimagining and redesigning of the processes behind the data collection that will affect their lives.

I’m going to finish by highlighting what youth have articulated as the three main issues of privacy and consent as well as the concrete solutions they’ve developed for making privacy and consent more accessible and more meaningful to them.

The first issue: too long, never read. Not surprisingly, the youth we spoke to said they don’t read the long and complicated terms of service documents that come with downloading a new app or using a new platform. Natasha, 15, says: “I get it. I scroll to the bottom. I click ‘accept’ and say ‘okay.’ It’s 13 pages long. No one wants to read 13 pages of lawyer stuff.”

I should point out that the same is true for parents as well. Participants in our survey of Canadian parents were especially outspoken about the need to create clear, concise and understandable terms of reference and conditions of use for digital devices, apps, social media platforms and online services. While youth frequently tell us they turn to their parents for guidance about privacy issues, reading and understanding terms of service and conditions of use was the aspect of digital parenting that participants were least confident in, with just over a quarter saying they felt confident in their ability to do so.

The second issue: unanticipated audiences and consequences. Some youth were shocked by the possible consequences of data collection, especially the fact that their data profile might impact future employment opportunities. They expressed a desire to have the ability to wipe their data slate clean, saying it wasn’t fair that something they do online when they are young could follow them for the rest of their lives.

Andrew, 16, says: “Barely anyone in this room actually knew that whether or not they got a job would be based on the websites we visit, so especially that point should be advertised more.” For years, youth have expressed their concerns with us about the permanence of the information contained in their data profiles and the context in which it can be used, expressing a wish for a right to be forgotten or right to erasure.

Third issue: sketchy and weird consent policies and practices. Again, youth use descriptors like these to describe how data is collected and brokered online. They question why companies do not have a mechanism to ensure that you’ve read the policies and, when given the opportunity to design alternate mechanisms for obtaining consent, frequently suggested that users be tested on their understanding of these policies before using a platform or service.

Location tracking was singled out as having the potential to be particularly creepy. Youth agreed location tracking could be useful in identifying general things like where to shop but said they should have to opt in to location settings rather than discover they’ve been tracked unknowingly.

Youth highlighted a need to avoid clickwrap consent processes, which hide information and discourage engagement in the consent process by allowing users to click “I accept” without having read any of the service agreement. They felt, as one participant said, “You have to consent to too much at once,” and would prefer to have the option to opt in to certain features and opt out of others.

Youth in our focus groups were not opposed to data collection in general and accepted its role in the business models of the platforms they used, despite our research suggesting many young Canadians do not understand this business model or its implications for their privacy. What they wanted, however, was more information, protection, control and engagement with privacy and consent processes and policies.

Here are some examples of best practices youth would like online tools and platforms to follow. Use clear, plain and simple language. Make use of headings and bullet points, and use bold, underlined and colourful text. Use visuals alongside text. Make sure users are actually reading, listening to or watching the privacy and consent features by using interactive components, like line-by-line checkmark boxes and timers.

Use a sandwich method, where the reader reads the documents before filling out personal info, then confirms again before finishing the sign-up process. Allow users to unbundle their consent options by using a toggle feature to choose which specific items they’re consenting to. Use pop-ups to remind users of the privacy and consent policies as they are interacting with different features within the platform so they can decide to turn it on or off on an ad hoc basis.

The young Canadians we have surveyed and interviewed think critically about and are concerned with the impacts of privacy policies and regulations such as PIPA on their lives and futures. We thank you for taking the time to consider their perspectives today, and we encourage you to engage with them directly in your deliberations.

R. Singh (Chair): Thank you so much, Kara.

Matthew, do you have anything to add?

M. Johnson: I do not. That’s our submission. But we’d be very glad to take any questions the committee may have.

[3:50 p.m.]

R. Singh (Chair): Wonderful, a very good presentation. I’m very happy to hear that our youth are very concerned about their privacy. We heard something similar last week from a presenter who was from UVic. It is a relief for me, having a young son who does a lot of transactions on line. It’s really good to know that youth are aware when they are doing that and that they want this process to be more simple.

I’ll open the floor for questions.

Adam, did you have a question?

A. Olsen: Just maybe a comment. I don’t know if there’s much of a question out of it other than to thank you for this really informative presentation. I think you’ve captured what our challenge is very clearly. Heeding the advice that you give in terms of the various options….

I think when we try to apply a law that was created before a lot of the harvesting of the data and has remained largely untouched since then, trying to make that work in the context of the situation that we have now, which is…. A lot of this is rolling over and changing monthly, daily — very, very quickly. The relationship between the company and the data and the individual has changed a whole bunch.

I’m doing a lot of reading now as part of being a member of this committee and trying to understand those relationships and how they’ve changed. I think it’s great advice from our constituents that are on the younger end of the demographics, because I think they’re the [audio interrupted] of the first generations to have been raised in this. I’m one of the last generations to have lived free of YouTube and free of cell phones and cameras on every phone. So thank you for that.

There is no question. I think you’ve encapsulated it, and they’ve encapsulated it very well. The challenge that we face is this: how do we create or amend a law that has to consider things that haven’t even been thought of yet? It’s a real challenge.

R. Singh (Chair): Thank you so much, Adam.

M. Johnson: If I could just say one thing to that. Certainly, I absolutely appreciate that, because we’re very much in the same boat. We have hundreds of educational resources, and we’re always trying to stay ahead of changes.

But I will say that one fundamental thing that has not changed, really, in the last decade is the business model of the platforms that youth use. Essentially, ever since Facebook started advertising, ever since they found a revenue source, behavioural advertising based on data collection has been the primary business model of all of the platforms that youth use. Some of them additionally make money by selling that data to data brokers, but more and more they’re bringing it back in-house as Facebook has done.

I would simply say that it is the disconnect between that business model, which is unlikely to go anywhere in the near future, and young people’s understanding of it — particularly, their understanding of how their data is collected and how that will be used in the future — that is the biggest issue that we see in our research on this topic.

R. Singh (Chair): Thank you so much.

S. Thomson: I’ll just follow up on that comment and ask the question, maybe. I think I got through your answer there that you don’t see the business model approach changing in the near future. That’s the business platform of so much of all of this.

How do you see creating understanding, then, with youth and the users, of what that business model is, how it operates and what it’s used for and that sort of thing, so that they have that understanding? I’m not sure legislation does that. It’s much more education — creating that awareness.

[3:55 p.m.]

Maybe, in some of the submissions you made around the processes of accepting privacy statements and things when they’re accessing the platforms and things…. Is the answer here legislative, or is the answer much more along the lines of plain language and education and those sorts of things as opposed to major changes in legislation that are required to do this?

M. Johnson: Well, first of all, obviously, we are an education organization, so we always see education as part of the solution. Certainly, the education program that we developed, in part with funding from the Office of the Information and Privacy Commissioner of British Columbia, was in part aimed at helping young people understand that business model.

There was a series of three lesson plans. One of them was entitled Know the Deal. It was focused very much on that topic. So from our point of view, certainly, education is a part of the solution. That goes beyond, obviously, making resources available.

British Columbia already is, I would say, ahead of the pack in terms of integrating privacy into its curriculum for K to 12. But there is more to be done there, in particular making digital literacy a core part of the curriculum rather than, essentially, an optional part of the curriculum as it is now, and making sure that the curriculum expectations relating to privacy include data privacy and not just reputational privacy.

I will say also that from the young people that we’ve spoken to and that we’ve surveyed, transparency was the key issue. They didn’t have strong feelings whether that should be done through legislation, through regulation, through best practices by the platforms. But they really did feel, and consistently felt, as though the platforms were not being transparent either about what data was being collected or what would be done with it in the near term and, of course, particularly in the long term.

K. Brisson-Boivin: I would just add to that as well that similarly, accountability was another theme that we continually hear from young people. They want to see platforms, businesses, organizations being held accountable. Again, they’re not particularly clear as to whether that’s through regulation and legislation, but they’re very clear that they don’t see it happening on various platforms that they engage in.

Part of that is…. They have these asks and suggestions, for example, around plain language, around being spoken to directly as a consumer or a particular demographic that is using these products. But I think they feel quite strongly that there’s no one really in their corner to help hold these platforms accountable.

As I mentioned, often we hear: “This is an adult world.” You know, they’re trying to break into a world that adults created. We do often kind of hear them say things like, “These are adult problems,” or an adult game they’re trying to play in. I do think we have a responsibility to take them seriously, to try to find ways to include them, like we’re doing right now, in these kinds of conversations.

I’ll just leave it at that but say that accountability, for sure, is on their mind.

M. Johnson: I’ll add that the one thing they did consistently ask for that probably would need to be enacted through legislation would be the ability to retroactively remove consent, to retroactively withhold consent, to change their minds about having consented to something, to actually permanently take down a photo from the servers of the platform or to have their data removed or withdrawn. I’m not a legal expert, but it’s hard to see any way of mandating that. Obviously, platforms can choose to offer it, but I can’t see any way of mandating it except through some kind of right-to-forget or right-to-be-forgotten legislation.

R. Singh (Chair): Thank you so much, Kara and Matthew. Really important information, especially for a segment of the population that is using the technology much more than most of us.

[4:00 p.m.]

I really want to mention this. MLA Olsen has been doing a lot of research, as he mentioned. He sent us something about mobile apps, which I’m sure that a lot of our youth are using, and how the privacy can be compromised in those, as well.

All these things and what you are doing as an organization — it is very important for us to know about it and what our youth are thinking. Thank you so much for this presentation. We really appreciate that.

D. Ashton (Deputy Chair): Thank you, Kara and Matthew, very much.

R. Singh (Chair): Our next is the B.C. Civil Liberties Association — Aisha Weaver.

Hello, Aisha. Welcome. We are really looking forward to your presentation. You have ten minutes. We are ready whenever you are.

B.C. CIVIL LIBERTIES ASSOCIATION

A. Weaver: Good afternoon. My name is Aisha Weaver. I am policy director at the B.C. Civil Liberties Association. The BCCLA is a non-partisan society with a mandate to promote, defend, sustain and extend civil liberties and human rights in B.C. and in Canada. We have a long-standing and extensive involvement in issues of privacy, and we thank you for the invitation to appear at this review of PIPA.

We concur with the many submissions, past and current, regarding the need for privacy breach notification and the desirability of a levelling up with Canadian jurisdictions that have introduced breach notification requirements.

Our association supports and echoes many of the concerns and recommendations that have already been made by the Information and Privacy Commissioner of B.C., the B.C. Freedom of Information and Privacy Association and other members of civil society. For example, we strongly support meaningful enforcement powers in PIPA, specifically, the commissioner’s order-making powers and the ability to administer financial penalties in appropriate circumstances.

In BCCLA’s forthcoming submissions, we will revisit the issue of privacy concerns associated with private sector community organizations being required to share information with public entities. In our 2014 submission, we urged the committee to safeguard the ability of private sector contractors to provide confidential services with appropriate privacy and security protections for clients. We recommended that PIPA be amended to expressly prohibit the downgrading of privacy rights protections by contractual agreement to be governed by FOIPPA, except where the organization is genuinely acting as an agent of the government. We intend to reiterate this concern.

For our remaining time today, we will focus on de-identification and the reasons it is necessary to expressly include a definition of de-identified information in PIPA and corresponding protections for such information.

This is an important issue because seemingly de-identified information that is actually identifiable may be treated as though it falls outside the scope of PIPA. PIPA only protects personal information, while non-identifying information remains unregulated. This binary approach is misleading in the current context, where there is a spectrum of de-identified information with varying degrees of identifiability. In a world of large data sets, personalized services, persistent tracking, data linking, data analytics and artificial intelligence, it is increasingly important to expressly regulate de-identified information.

Arguably, the definition of personal information is the most important definition in PIPA because it determines what is covered by the law and what is not. PIPA defines personal information as “information about an identifiable individual.”

Consistent with jurisdictions across Canada, the B.C. commissioner has concluded that in order to be personal information, the information must be reasonably capable of identifying a particular individual, either alone or when combined with information from other available sources.

[4:05 p.m.]

The commissioner has taken a broad interpretation of personal information and provided guidance on what falls within its scope through various orders. For example, the commissioner has found that encrypted information qualifies as personal information because the person “in possession of the encrypted information is capable of reverse engineering the encryption algorithm and accessing the information.”

By contrast, the commissioner has found that personal information subjected to tokenization loses its character as personal information because tokenized information cannot be deciphered without the possession of the law.

As is clear from these examples, and noted by the commissioner, the determination of what is truly non-identifying information is a complex and vexing question and is a specialized area of expertise. The analysis is highly specific depending on what type of data is being shared, the form and what it is combined with.

Although it is challenging to determine what is non-identifying, it is critical to ensuring that the privacy of British Columbians is protected. By PIPA remaining silent on the scope of non-identifying information, and without comprehensive guidance, it is highly likely that this legislative gap leads to companies sharing personal information that they deem non-identifying without implementing the protections required by PIPA.

I’ve used non-identifying and de-identification thus far in my presentation, and I’d like to take a moment to elaborate on what de-identification means. De-identification is the use of technical administrative processes to prevent an individual’s identity from being connected with other personal information. An outdated way of thinking about de-identification is that de-identified information cannot violate individuals’ privacy rights because the information cannot be linked to the individual. Thus, it should fall outside the scope of privacy legislation.

Companies may simply remove direct identifiers like name and date of birth and consider information de-identified. However, this information is unlikely to be truly de-identified. In recent years, several more advanced methods have been applied to de-identified information, including pseudonymization and tokenization. However, even these more sophisticated de-identification methods vary in effectiveness and often fail to protect the privacy of individuals.

Many examples exist where information claimed to be de-identified or anonymized was easily re-identifiable. For example, in a Netflix re-identification study, researchers were able to identify Netflix users from a data set that was supposed to be anonymized. All they needed to know was when and how the users rated as few as six movies. Medical records and location data have also proven difficult to de-identify.

The Australian government released a supposedly anonymized data set of medical billing records that included prescriptions and surgeries. Again, researchers found it surprisingly easy to identify individuals when additional data sets were cross-referenced.

In the U.S., New York City officials accidentally released a supposedly de-identified data set with the detailed whereabouts of individual taxi drivers. With as little as five random location data points, individual drivers were uniquely identifiable 95 percent of the time.

Therefore, although de-identification of personal information is promoted as an effective means to protect privacy while enabling research and big data initiatives, with the increasing amount of data collected from individuals and growing sophistication in data collection, data linking, data analytics and AI, there are serious risks of re-identification. This risk of re-identification may further increase over time as techniques become more sophisticated and more linkable data sets become available.

In addition to privacy concerns for individuals, the sharing of de-identified information with the public has the potential to impact groups of people as well. For example, Strava, a fitness data platform, created an aggregate heat map that ended up revealing the secret locations and movements of U.S. military service members in conflict zones.

Telecom and technology companies — like Telus, Bell, Uber, Google and Facebook — collect a significant amount of data about their customers. For example, Telus is sharing information with public and private sector partners to facilitate coronavirus research now. Since the information being shared is aggregate and de-identified, it falls outside of the scope of any data protection or privacy framework, and to our knowledge, no consent was obtained from individuals.

[4:10 p.m.]

To that end, we have three recommendations.

One, PIPA should include a clear definition of de-identified information, along with related terms such as pseudonymized information and aggregate information. De-identification should be treated as a relative concept that is evaluated contextually and takes into account a variety of factors, including but not limited to the nature of the data, the reasonable expectations of potentially affected individuals, the intended purposes and the likely incentives to re-identify the data, among others.

Any definitions proposed, however, should remain principle-based and technology-neutral, meaning that they do not include specific criteria for how personal information is to be de-identified. This will avoid the risk of the definition becoming obsolete over time as technologies change.

Second, PIPA should include privacy and security requirements for any de-identifiable information that is at risk of being linked to an individual or a group. First, assess de-identification methods as they evolve and shift to a risk-based framework for de-identification, where information that poses no serious risk of re-identification could remain outside of PIPA, while information with even a low risk of re-identification would be covered by PIPA. Further, require a more rigorous standard for any information shared or made available to the public.

Third, PIPA should require private sector entities to describe methods of de-identifying personal information and require that private sector entities that share personal information with other entities oversee those third parties’ use of the de-identified information.

Thank you very much. I realize I’m out of time.

R. Singh (Chair): That’s okay. Thank you so much.

Aisha, we really appreciate your presentation. You did bring some important issues, especially with the de-identification.

Just before I open the floor for questions…. For my own knowledge, do you think that PIPA already takes measures to de-identify the information? I know that in your recommendation you are talking about strengthening it. Is anything being done right now?

A. Weaver: In the actual legislation, there’s no definition of de-identified information, or an express addressing of the issue. How PIPA is currently responding to the use of de-identified information is through orders and guidance documents by the commissioner. Where such de-identified information may be considered to fall within the scope of the definition of “personal information,” then PIPA will apply.

My concern is that unless you’re reading those specific orders or guidance documents — and/or the type of de-identification that a company is using is one of the ones expressly addressed in an order or guidance document — there’s a lot of de-identified information that is being interpreted as outside the scope of the legislation.

R. Singh (Chair): I’ll open the floor for questions. Any questions?

M. Elmore: Thanks for your presentation. I have a question.

There has been discussion by the public about a request — from the Ministry of Health, our provincial health officer, and also more broadly — to collect race and ethnic disaggregated data. We currently don’t do that, with the exception of folks who identify as Indigenous — as Inuit or First Nations. Do you have any reflections on that issue?

A. Weaver: I am not as familiar with that issue. Could you tell me a bit more about the purpose under which the provincial health officer is requesting to collect this information?

M. Elmore: The city of Toronto has recently started to collect race and ethnic disaggregated data in the context of COVID, just to identify policy areas and to understand…. Certain communities have been more impacted by COVID. The United States, certainly, does collect race and ethnic data, and they have for years, for decades. It’s institutionalized at the state level.

[4:15 p.m.]

That’s the discussion. We’ve heard that at the provincial level. Specifically, it has gone to Dr. Bonnie Henry, with the explicit request…. Some communities have questions. Are they being more disproportionately impacted? They need the information so that policies can meet those challenges and ensure that all community members are protected. If we don’t have the information, we don’t know, so our public policy is not best informed.

They have indicated that they’re looking at that — the Ministry of Health and Dr. Bonnie Henry — in the context of COVID. That certainly, I think, has been an issue that has been percolating, but of course, like COVID, it has really come to the forefront, and we’re hearing more — certainly in British Columbia and across Canada as well.

A. Weaver: I don’t think that the BCCLA has developed an official position around that, given the competing interests of privacy but also of equity, diversity and inclusion. We have had preliminary discussions about it in the context of policing, for example — the fact that data is not being collected makes it hard to evaluate racial bias and discriminatory intent.

Personally, I would think that the collection of that information is important, so long as it is very much safeguarded, sufficiently protected and not linked to other information, because that is highly, highly sensitive information. But again, I don’t think that the BCCLA, as an organization, has officially contemplated that issue. I would have to come back to you on that.

R. Singh (Chair): Any other questions, Members? All good.

Thank you so much, Aisha. We really appreciate your taking the time for presenting today — and your really important information.

Members, we are a little behind. We were supposed to take a break at this point. What do you feel? Are you okay without a break? Or should we go for a five-minute break?

M. Elmore: Let’s continue.

R. Singh (Chair): Let’s continue? Okay. We have the next presenter ready.

Hello, Leslie. Welcome. Leslie is from Quay Pacific Property Management. We really appreciate you taking the time to present to the committee today. Leslie, after your presentation of ten minutes, the members will have an opportunity to do the questions and answers.

QUAY PACIFIC PROPERTY MANAGEMENT

L. Haycock: I’d like to thank you for the opportunity to speak. I’m the president of PAMA as well, and I’m here more representing PAMA, which is the Professional Association of Managing Agents. It’s the education arm of property management in B.C.

We did poll the members, and I’m going to hit on two topics that seem to be the biggest concerns. One is in the Strata Property Act, sections 35 and 36. It is mandatory to disclose information to owners who ask for the information.

The CRT made a decision, Ottens et al. v. the owners of Strata Plan LMS 2785, where the strata was required to provide medical information for an exemption to a bylaw. They based it on the publication entitled PIPA and Strata Corporations: Frequently Asked Questions.

[4:20 p.m.]

This is a huge concern to strata corporations and to management companies — that we’re being required to provide financial and medical information. We feel this is very, very sensitive. We’re having conflicting legislation. The Strata Property Act and PIPA don’t really work hand in hand.

I’m going to read something that one of the members said. He says it better than I can.

“I think amendments to the legislation — the Strata Property Act and/or PIPA individually or in conjunction with each other — to specifically state that the following documents be exempted from mandatory disclosure under section 36 of the Strata Property Act….

“(1) Banking records such as cheques, pre-authorized debit forms, bank statements or other banking and credit union records received by the strata corporation for the purpose of verifying account ownership and financial account number to collect amounts payable to the strata corporation by way of pre-authorized debit.

“(2) Banking, investment, employment and tax records such as account statements, tax returns or employment contracts given to the strata corporation as evidence supporting an application for an exemption from a rental restriction bylaw on the grounds that the bylaw causes a hardship under section 144 of the Strata Property Act.

“(3) Health records such as doctors’ notes, prescriptions or diagnoses given to the strata corporation as evidence supporting an application for an exemption from a bylaw or reasonable accommodation pursuant to the human rights code.

“In my view, the exceptions should be strictly limited to only those records produced by a third-party doctor, financial institution or employer. Letters received by the strata corporation which contain some personal information related to the above should remain disclosable. Any change to require redaction of sensitive personal information may create significant and untenable requirements on the strata corporation or may be subject to abuse by strata corporations who do not wish to disclose certain information.”

The concern here is that under sections 35 and 36 of the Strata Property Act, we’re required to provide unredacted correspondence with no limitation on the information that’s in the correspondence. It is, in my opinion, a huge breach of privacy, because we do deal with very sensitive information.

He also wants the Strata Property Act changed to give us more time than two weeks when there is sensitive information, but that’s probably not your thing.

The other thing that was mentioned to the PAMA board was cameras and doorbell cameras. This is a big issue in strata corporations, where it’s not really clear…. One lawyer says that if you pass a bylaw, and the purpose, as stated in section 2 of PIPA, is “…for purposes that a reasonable person would consider appropriate in the circumstances”…. One lawyer says that as long as the strata corporation passes bylaws that allow the cameras and what you’re going to do with the information and that type of thing, we’re not contravening PIPA. However, another lawyer says that you can’t do it. We would like some clarity.

Those are the two biggest things. The frustration is all the conflicting legislation. It’s not just PIPA and the Strata Property Act. We also have the HRT. We have quite a few different legislations that conflict with each other. A lot of times the Residential Tenancy Act conflicts with the Strata Property Act. We’re looking for maybe a little bit more of a joint effort where when a ruling is changed or laws are changed, it looks to see what the domino effect is with the other legislations.

Property managers are really put in the middle. You get a request for…. I can tell you that the person who supplied the Ottens v. LMS 2785 was not aware that I manage that building and am personally knowledgeable about what’s going on there. It had to do with installing air conditioners. The people who were asking that a split air be allowed provided very sensitive information.

[4:25 p.m.]

I had another building where a rental restriction was involved. Somebody was applying for an exemption, and she gave us fertility information. That’s very sensitive. She was trying to show how much she needed this exemption.

If we’re required to provide this information to owners because PIPA doesn’t cover it, people are going to go to the HRT instead of going through their council to get the exemptions because they want to make sure that their information is protected.

I actually did it in less than ten minutes.

R. Singh (Chair): You did. Thank you so much. Very important information. We heard something very similar last week as well. What you mentioned is a concern, especially with all the information that people give out — it is very sensitive information — and how that information is being used. A lot of times I know people don’t even realize where that information is going. So thank you for that.

I’ll open the floor for questions.

A. Olsen: I’m just wondering, with respect to…. I think it was the last piece that you covered, with the video cameras and the doorbell cameras. Has your organization or have you gone to the office of the commissioner to ask how he would rule on that or to get a response from the commissioner on that?

L. Haycock: I know that other strata managers have, and the direction has not been very clear. We’re basing most of our decisions on what the lawyers tell us, and we’re taking our chances. That is the feeling that we have. I also think doorbell cameras are something that have only been as popular as they are in the last couple of years. It really wasn’t an issue three or four years ago. It’s now an issue because people feel like: “Well, if you put a camera in your doorbell and it looks at my door, you can see who is coming to visit me.”

R. Singh (Chair): Thank you so much.

S. Thomson: Thanks for the presentation. As was pointed out, this issue has come up before. So I appreciate some more submission on it.

My question was basically asked by Adam in his comments. I’ll just make one additional…. It’s not a question but just a comment.

You questioned whether the Strata Act amendments are really in our bailiwick or not, and things like that. I think just to give you the comfort that…. We need to consider in all of our recommendations and our reporting…. We need to make sure that we do those cross-references and those checks. Where we’re doing certain things and making recommendations, we have to recognize the linkages to other pieces of legislation.

I think you can be assured that that will be part of our deliberations as we look at the recommendations coming out of this process. We do have to understand both consequences and unintended consequences as we go forward.

L. Haycock: Thank you for that. So I’ll make another recommendation. The next time somebody wants to change the Strata Property Act, maybe get a couple of strata managers who actually do the job to be on the panel, versus developers and lawyers.

R. Singh (Chair): Thank you, Leslie. That is very important information.

Any other questions?

Seeing none, thank you to you for taking the time today. Very important information for all of us.

L. Haycock: I look forward to the outcome. Thanks so much.

D. Ashton (Deputy Chair): Thanks, Leslie.

R. Singh (Chair): My understanding is the next presenters are not ready yet. I think we should take a break, which we did not take before. So, friends, a five-minute break. We’ll be back at 4:35.

The committee recessed from 4:29 p.m. to 4:47 p.m.

[R. Singh in the chair.]

R. Singh (Chair): My understanding is that we don’t have any other presenters for today. We are meeting again tomorrow, and I’m looking forward to our conversations. Now, as we don’t have any presenters, I’ll need a motion to adjourn.

Motion approved.

The committee adjourned at 4:48 p.m.