Fifth Session, 41st Parliament (2020)

Special Committee to Review the Personal Information Protection Act

Virtual Meeting

Wednesday, June 17, 2020

Issue No. 6

ISSN 1913-4754

The HTML transcript is provided for informational purposes only.
The PDF transcript remains the official digital version.


Membership

Chair:

Rachna Singh (Surrey–Green Timbers, NDP)

Deputy Chair:

Dan Ashton (Penticton, BC Liberal)

Members:

Mable Elmore (Vancouver-Kensington, NDP)


Adam Olsen (Saanich North and the Islands, BC Green Party)


Steve Thomson (Kelowna-Mission, BC Liberal)

Clerk:

Susan Sourial



Minutes

Wednesday, June 17, 2020

2:00 p.m.

Virtual Meeting

Present: Rachna Singh, MLA (Chair); Dan Ashton, MLA (Deputy Chair); Mable Elmore, MLA; Adam Olsen, MLA; Steve Thomson, MLA
1. The Chair called the Committee to order at 2:02 p.m.
2. Opening remarks by Rachna Singh, MLA, Chair.
3. The following witnesses appeared before the Committee and answered questions related to the Committee’s review of the Personal Information Protection Act:

1) Information Commissioner’s Office (U.K.)

Elizabeth Denham

2) Chartered Professionals in Human Resources of B.C.

Anthony Ariganello

Zelda Craig

Kristi Searle

4. The Committee recessed from 2:58 p.m. to 3:11 p.m.

3) Donald R. McLeod Law Corp.

Donald McLeod

4) Jade Buchanan

5. The Committee recessed from 3:48 p.m. to 4:16 p.m.

5) Block Watch Society of B.C.

Gabriel Pelletier

6. The Committee adjourned to the call of the Chair at 4:32 p.m.
Rachna Singh, MLA
Chair
Susan Sourial
Clerk Assistant, Committees and Interparliamentary Relations

WEDNESDAY, JUNE 17, 2020

The committee met at 2:02 p.m.

[R. Singh in the chair.]

R. Singh (Chair): Good afternoon. I would like to welcome everyone listening to and participating in the public hearing today. My name is Rachna Singh. I’m the MLA for Surrey–Green Timbers and the Chair of the Special Committee to Review the Personal Information Protection Act.

I would like to begin by recognizing that my constituency is on the traditional territory of the Coast Salish people, in particular the Kwantlen, Katzie, Semiahmoo, Tsawwassen First Nation, Kwikwetlem and Qayqayt people.

We are an all-party parliamentary committee of the Legislative Assembly, with a mandate to review the Personal Information Protection Act. Normally, the committee would have held its public hearings in person. However, due to the COVID-19 pandemic, public hearings are being held by video and teleconference.

As part of our review, the committee is meeting today with individuals and representatives from various organizations to hear about how the act is working, along with any recommendations for improvement. British Columbians are also invited to send us their thoughts in writing before August 14.

All the information we receive will be carefully considered as we prepare our report to the Legislative Assembly, which will be released in February 2021. More information is available on our website at www.leg.bc.ca/cmt/pipa.

For the virtual meeting format, the presenters will have ten minutes for their presentation and ten minutes for questions from members.

All meetings are recorded and transcribed by Hansard Services, and a complete transcript will be posted on the committee’s website. A live audiocast of this meeting is also available on our website.

I will now ask the members of the committee to introduce themselves, starting with Dan Ashton, the Deputy Chair.

D. Ashton (Deputy Chair): Dan Ashton. I represent the area from Penticton to Peachland.

[2:05 p.m.]

S. Thomson: Good afternoon. It’s Steve Thomson, MLA for Kelowna-Mission, up in the Okanagan as well. Thanks for joining us. I look forward to your presentation.

M. Elmore: Good afternoon. This is Mable Elmore. I’m the MLA for Vancouver-Kensington.

R. Singh (Chair): We are still waiting for Adam Olsen. He’ll be joining us, hopefully, very soon.

Also assisting the committee today are Susan Sourial and Stephanie Raymond from the Parliamentary Committees Office. Billy Young from Hansard Services is also here to record the proceedings.

Welcome again, Liz. As I mentioned, usually the presenters have about ten minutes to present. But for you we are doing an exception. The timer will be for 30 minutes. That will also include some feedback from the members.

E. Denham: Very good. I have, I think, about 18, 20 minutes to present and then happy to ask any questions. But if the members get tired of my voice, you can cut me off, and we can have a good Q and A.

R. Singh (Chair): Wonderful. No, please go ahead. And we’ll let you finish and then go for the questions and answers.

Presentations on Statutory Review of Personal Information Protection Act

INFORMATION COMMISSIONER’S OFFICE (U.K.)

E. Denham: Thanks very much, Chair, Deputy Chair and members for the invitation to speak to you today. As we were chit-chatting before the formal session started, it’s very good to be back home in British Columbia, albeit I’m speaking to you from quarantine at home. I’ve got a fortnight of quarantine that will prevent me from seeing my friends and family, but I’m really looking forward to the end of two weeks.

I know that these are very trying times for everyone. I hope that all of you on the committee are doing well. What I thought might be most useful to the committee in its important work is to offer an international perspective on privacy regulations. I think that would help the committee frame cutting-edge and practical, pragmatic recommendations to improve B.C.’s Personal Information Protection Act.

I think all of you on the committee know that all legislation really struggles to keep pace with dynamic changes in technology, with massive changes in business models. And privacy laws are no exception. Privacy used to be a sleepy little area of law. But I think what we all know now in 2020 is that privacy and data protection really sit at the intersection of society, technology and the digital economy. Privacy issues have really revealed themselves in the current pandemic, where we grapple with exponential uses of personal data in order to come out of this public health crisis.

I wanted to say — and leave you with the idea — that if B.C. wishes to develop its digital economy, if it wishes to build on its growing international reputation as a hub for innovative and growing digital businesses, it must ensure that its privacy law keeps pace with legislation elsewhere around the world.

I say that because sound privacy law is a key plank of the trust assurance framework that businesses dealing in personal information need in order to reassure customers, and reassure other businesses in the chain of providers, that they can trust a business model and a business’ operation. It’s not just about regulators peering over the shoulder of businesses, but it really is about trust in the digital economy.

[2:10 p.m.]

To highlight some of my Canadian and my international experience — I’m getting kind of long in the tooth for people that have been in this regulatory world — I’m coming up to 15 years as a regulator. I was Assistant Privacy Commissioner of Canada, 2007 to 2010, and in that role, I was responsible for enforcing the private sector law, PIPEDA. During that time, there were many strides made in setting standards for what good looks like. Highlights of my time in Ottawa included the first investigation of Facebook as a social media site.

Back then in 2007-2008, people hadn’t even heard what an app was. That was early days for social media companies. As you know — and as friends around the table today know — I was B.C.’s Information and Privacy Commissioner for six years. That was 2010 to 2016. In that time period, again, we saw huge advances in technology. Under my leadership, the office was able, I think, to give sound guidance and to investigate those cases that were of harm and concern to B.C. citizens and consumers.

Switch now to my U.K. and my international experience. I was appointed the Information Commissioner in 2016. Since that time, I have overseen the implementation of the GDPR — I know you’ve heard quite a lot about the GDPR, the General Data Privacy Regulation — and also the U.K.’s new law, the Data Protection Act 2018. I know that when Commissioner Michael McEvoy appeared before you recently, he told you the story of Cambridge Analytica and Facebook, because I seconded him to assist with that investigation in the U.K. before he became commissioner in B.C.

Now, Cambridge Analytica is a British company. Because of the powers under my act and the powers in law, I was able to prosecute Cambridge Analytica. Also, we were able to levy the highest possible fine to Facebook in regard to their role in the Cambridge Analytica scandal. That was, at the time, the highest monetary penalty in U.K. law — £500,000. You know now, with the reform of the law, the maximum fine for egregious contraventions is 4 percent of global turnover.

My international credentials include a seat at the table of the European Data Protection Board — at least until January of this year, when the U.K. left the European Union. Since 2018, I have been the chair of the Global Privacy Assembly, which is an assembly of my counterparts from 130 jurisdictions around the world.

The ICO, my office, also chairs the OECD’s privacy and security committee. I just spoke to the OECD last Friday on the intersection between competition law and data protection law. Maybe because of my B.C. credentials, I’ve managed to hold on to links in the APPA world, the Asia Pacific Privacy Authorities. They’ve let me in the door even though the U.K. is not an Asia-Pacific economy.

This is the third statutory PIPA review, and now is the time, with the support of your recommendations, for government to finally enhance the Personal Information Protection Act to keep it relevant, to ensure that it continues to work and to help B.C. continue to build its digital economy.

In my experience, innovative, globally ambitious businesses don’t fear sound, pragmatic regulation. They actually welcome it. It sets certainty for business, and it sets sensible ground rules for doing business with their customers and doing business with each other.

[2:15 p.m.]

This is why we’ve heard Mark Zuckerberg of Facebook and others calling for U.S. federal privacy regulation and also why we’ve heard from other tech leaders in the U.S. — Microsoft, Apple and others — who recognize the benefits flowing from the trust assurance that a modern privacy law offers.

I’ll just give you some high-level, general observations about the context for this review. We all know that there have been significant, radical developments in the 16 years since PIPA came into force. Arguably, PIPA was drafted for a largely analog or paper-based consumer era. If we just think about how privacy-related tech changes have seen the light of day since PIPA was enacted, the first smartphone was the iPhone 2007. With it came applications that really vacuum up data about everything we do: enabling geolocation from your purses and your pocket, conveying medical information, tracking your purchases and tracking your political affiliations.

We’ve seen the rise of social media. Facebook, as we know, was born in 2006; Twitter, the same year. There have been privacy-related business changes since PIPA was enacted — and, I guess, at the highest level, globalization of commerce — including personal data flows that fuel the modern information economy.

We’ve also seen — this was the Cambridge Analytica–Facebook investigation — privacy-related political uses of personal information since PIPA was enacted. Many of these involve the trends I’ve just talked about — notably, social media and tech. We’ve seen the rise of disinformation and opinion manipulation. Around the world, we’ve seen political-party adoption of digital business techniques. That is really about using personal information to microtarget ads and messages to smaller and smaller groups, possibly further fragmenting political discourse.

What I want to say to you today is that without important reforms, notably the three that I’m going to speak about next, B.C.’s privacy law will not keep pace with the privacy challenges that confront society today. This won’t be good for B.C.’s business environment or consumers, and it will stymie B.C.’s efforts to digitize its economies.

We’ve seen, and we know, that previous special committees have made excellent recommendations, as have stakeholders in submissions to these committees. Today I only want to focus on a few key recommendations. The reason I chose these recommendations is that I believe they’re the minimum necessary to keep B.C.’s laws current. These recommendations really flow from my international and my U.K. experience.

Starting with number one — I don’t think this will surprise anyone on the committee — is mandatory breach notification. I know that the current B.C. commissioner has already tabled this recommendation in his general briefing to you. It was also a recommendation that I made in 2014 to the last special committee, which took up that recommendation — I think Dan Ashton will remember that well — yet nothing has been done over the intervening six years. During that time, jurisdictions everywhere have long had breach notification rules, including in the U.S., in the EU and in many Canadian jurisdictions.

[2:20 p.m.]

I can’t emphasize enough to you how important it is for B.C.’s law to include obligations to notify affected individuals and the commissioner of significant privacy breaches. Mandatory breach notification is important really because it helps individuals help themselves. Informing individuals of a significant breach of their personal information then equips them to protect themselves against ID theft or fraud by monitoring their accounts or their credit score or putting a freeze on any borrowing, getting new credit cards, etc.

In a more serious vein, informing people of a breach can also have safety implications. People who are vulnerable to abuse or attack can then act to protect themselves against being tracked down using their personal information.

I’m not suggesting that each and every minor incident should have to be reported. No Canadian laws require that. My experience in the U.K. and elsewhere is the same. Not all breaches have to be reported, but those that are materially significant or serious are the ones that should be.

What’s really positive for the committee, in its deliberations, is that there are sensible, practical models that exist elsewhere. This is a well-trod path. You can just look to Alberta, where its Personal Information Protection Act has had mandatory breach notification for almost a decade, and under the federal law, PIPEDA.

I just wanted to say that in my experience in the U.K. when mandatory breach notification came in, particularly in the private sector, the very positive change, a massive change, went into the investment of security safeguards for personal information. It took a breach notification regime for boards and company executives to take information security seriously.

My second recommendation to you is about enforcement. It’s about enhancing PIPA’s now very spare, very poorly stocked enforcement toolkit to ensure that a breach of the law can be met, where appropriate, with significant sanctions. And I underline “where appropriate.” I’m referring to administrative monetary penalties, which I’m going to call AMPs. These sanctions have long been vitally important. They’ve been flexible and a fair tool in the U.K. and the EU to deter the worst behaviour by organizations.

The U.K.’s law authorizes me to impose a monetary penalty on an organization for violation of the law. But my regulatory action policy, which is a document that has to be filed with the U.K. parliament, underscores how this tool is used for only the most egregious wrongdoing. My policy is to reserve administrative monetary penalties for the most serious cases, representing the most severe breaches of information rights.

Typically, those AMPs are applied in situations that involve willful, deliberate or negligent acts or repeated breaches of information rights, causing harm and damage to individuals. I don’t issue AMPs unless there’s a failure in the system and a failure in the organization to protect data.

What I think about that approach is that it’s transparent. Our policy is open for all to see. Parliament in the U.K. has oversight. I think what that does is it reassures businesses and the public that enforcement of the law is driven by proportionality. The most serious offenses deserve the most serious consequences, while a lot of my regulatory treatment for less worrisome violations really focuses on remedial or even just educational responses.

[2:25 p.m.]

I think the B.C. office, the OIPC, has always emphasized a remedial, educational approach to privacy regulation. But even in B.C., there will be cases of serious wilful abuse or of wilful violations that have serious privacy consequences. In those cases, I submit to you that education and persuasion are not enough.

B.C.’s law is weak when it comes to tools to address those serious privacy violations. That’s why I and also my predecessor, David Loukidelis, each asked the previous special committees to recommend significant reforms to PIPA’s enforcement power.

Let me close this second recommendation on the point by underscoring that this tool would be subject to meaningful controls. So as always, there would be the need for some sort of fact-finding process to confirm that a violation has occurred, and then a notice to the organization of a possible penalty, then hearing from the organization and an assessment of an appropriate penalty, with ultimate oversight by the courts.

AMPs are flexible and effective, and most importantly, they deter bad actors and punish them where appropriate. PIPA’s weak enforcement tools mean that some organizations can just flout the law without fear of real consequences, which is unfair to organizations that take their obligations seriously and diligently comply with the law. So real consequences can make bad actors behave as they should.

I’m going to talk now about my third area of recommendation. This is something that I saw that Dan Ashton issued a press release about, and that is AI — the use of artificial intelligence to generate knowledge or information about individuals using their personal information. I think we’re all now aware of the sophistication and power of machine learning, or AI, and those methods have increased exponentially in recent years.

When PIPA was enacted, data analytics that mine personal data existed, but these methods were very crude compared to what can be done now.

R. Singh (Chair): Liz, I just wanted to let you know that you are past the 20-minute mark.

E. Denham: Okay. Well, I will close on suggesting that there needs to be consideration of the effect on artificial intelligence, on personal information and on citizens. I would suggest to you that the GDPR has provisions in article 21 that I think would be of value to the committee to consider.

I urge the special committee to also recommend a profiling provision, like the GDPR. B.C. wouldn’t be alone in moving in that direction, because earlier this month the Quebec government tabled Bill 64 — and I know you’re all nodding — which would amend the province’s private sector law to include profiling controls, similar to the GDPR.

I think there’s more needed, though. I would urge the special committee to recommend that the provincial government strike a broadly based expert committee to conduct an in-depth study of AI as it affects personal information and individual interest. That study could involve public participation and also make further recommendations for balanced measures to prevent dystopian outcomes of AI.

Thank you very much for the invitation to speak with you today. I’m sorry I didn’t speak a bit faster. I look forward to questions about my remarks.

R. Singh (Chair): Thank you so much, Liz. We understand that you have such experience and to complete that, give that presentation, in just 20 minutes is a really hard task. We have a number of presentations today. I’m sorry for interrupting you, but that’s what we….

E. Denham: No worries.

[2:30 p.m.]

R. Singh (Chair): I really, really appreciate it. I think it’s our honour to have you on this committee with, especially, all the experience that you bring — experience that you had in Canada and now the experience that you have in England.

As you mentioned, Liz, we have heard a lot about GDPR. Since last week, this is what we are hearing. The recommendations that you bring in have been resonated by many presenters. With your experience, the way you explain it so well, we really want to thank you for that.

Now I’ll open the floor for questions. Members, please go ahead, if you have any questions.

S. Thomson: Thanks for the presentation. I really appreciate the perspective. As the Chair mentioned, you bring an incredible amount of experience to the process and to the recommendations you’re making.

The one thing I wanted to ask…. You made a comment around businesses being comfortable with and not being afraid of sound, pragmatic regulation. I think they were the words that you used. Obviously, as we develop the digital economy and things, you want to ensure that B.C. businesses remain competitive in the process. So would your view be that the GDPR is sound and pragmatic? Is it the regulatory approach that has that endorsement or signing off from the business side of the equation here?

E. Denham: I would say, Steve, that the GDPR is not a perfect law. The GDPR was drafted for jurisdictions in the EU that have a fundamental rights approach to the right of privacy. So it’s a different context. But there are principles in the GDPR that are sound and that reflect the OECD’s standard. The GDPR is not a gold-plated law, but it’s the most modern law when you look at legislation around the world.

I think that the B.C. special committee reviewing PIPA could look for the best of the GDPR and not take the more prescriptive requirements, because I don’t think that reflects the law both in B.C. and in Canada. And I don’t think the need for prescriptive details in the law needs to be adopted for a provincially regulated private sector.

You don’t have a lot of these big platforms that are operating. In B.C., you’re really dealing with SMEs, dealing with the insurance sector, but you’re not dealing with social media companies and large international firms. So I would say the scope of the GDPR is not perfect for B.C., but the principles in it are sound.

S. Thomson: Thanks. I appreciate that perspective.

The one other question I might just ask quickly is…. You’ve mentioned some things around the mandatory breach provisions. We’ve heard that consistently in presentations and the fact that it was made previously. Do you have a perspective of what the arguments against it might be in moving forward with that and maybe why over successive years and recommendations it hasn’t been moved forward at this time? Was it simply a matter of timing? Have things changed now from a technology perspective, and everything like that, where this is much more of a requirement now than it might have been in the past?

E. Denham: I believe that’s right. I think that reluctance to bring in a mandatory breach regime in British Columbia…. Again, I wasn’t, obviously, part of these discussions. But I think one of the reasons might have been concern of overreporting, so companies reporting every little breach, every lost email, every missent envelope.

[2:35 p.m.]

There would be concerns about the pressure on the BC OIPC. Others talked about consumers experiencing breach fatigue, so having so many reports that they would throw up their hands and say: “Well, this is just the way everyone is doing business.” Neither of those have proven the case in the U.K. or elsewhere. I think the trick is to set the threshold for reporting high enough so that you don’t get those minor types of reports and that the regime actually rewards good players and their investment in security and safeguarding.

I think that’s what it is. But in reality, most businesses are doing business across borders. With most of the U.S. states and all of Europe and so many Canadian jurisdictions having mandatory breach notification, I think it’s just an expected minimum.

S. Thomson: Yeah. It really comes down to determining what’s significant and what isn’t.

E. Denham: Yes. The devil is in the details for getting that right.

S. Thomson: Thanks.

R. Singh (Chair): Thank you, Steve. Thank you, Liz.

Mable, you are next.

M. Elmore: Liz, thank you for your presentation. I had a question with respect to proactive investigations and just the role that that plays, if you could talk about that a little bit.

E. Denham: Yeah, I really appreciate that question, because one of the recommendations, if I had had more time, would be to provide the commissioner with the ability to undertake own-motion investigations. So investigations on his own motion, rather than waiting until a complaint comes in the door.

I find, in the U.K., my most significant, important investigations didn’t wait until a complaint came in. We undertook them because we believed there was a real risk of significant harm to individuals.

Cambridge Analytica and Facebook is a really good example. We didn’t receive a complaint in that case. But we knew from media reports and other issues that there was something that was not quite right about the way this company was processing voters’ data. If not for the power to conduct investigations on my own motion, we wouldn’t have got to the bottom. We wouldn’t have been able to pull back the curtain on how data analytics is actually working in the political ecosystem.

So I think that is important. And in the day and age when consumers can’t understand, don’t necessarily understand, how their data is being processed, you need a regulator to have their backs.

R. Singh (Chair): Thank you, Liz.

D. Ashton (Deputy Chair): Liz, again, thank you for your presentation. The last item that you spoke about — that is included or will be included in your report coming to us?

E. Denham: Yes. I didn’t thank you….

D. Ashton (Deputy Chair): About proactivity? Sorry.

E. Denham: Yes. I could include the proactivity commentary, if that would be helpful to the committee, and also outline in more detail where I was going with the recommendation on artificial intelligence, transparency and individual’s right to challenge, if that’s useful to the committee.

D. Ashton (Deputy Chair): I think it would be greatly appreciated if you would. Thank you.

Just one quick question, and it may be outside of the box. With PIPA being reviewed every six years and the way information and technology is being forthwith at exponential rates, is that term too long, or should it be shorter?

E. Denham: Because of the massive acceleration of new technologies and new business models, I think reviewing the legislation every six years is a very long time. I’ve seen other review periods of every three years, every five years. But PIPA is a really important statute for the businesses, as you know, in British Columbia — of keeping up with the Joneses around the world. With the law and with regulation changing so much, a more frequent review period, I think, would be positive.

One example is just last week the U.K. Parliament approved a new kids code, as I call it — an age-appropriate design code which flows from U.K. law but which will actually better protect children on line. There are a lot of jurisdictions that are really interested in the U.K.’s approach to age-appropriate design. I can see that being quite leading edge in the years to come.

[2:40 p.m.]

I think changes around the world…. Obviously, the Legislature in B.C. wants to keep current.

D. Ashton (Deputy Chair): Okay, thank you. There’s a very cute ad put out by Australia about certain adult entertainment and kids. I just saw it actually. It was put on line. It’s actually very cute and very well done by the Australian government to bring attention to it.

Thank you again.

R. Singh (Chair): Thank you so much, Liz. That was really important information. All of the recommendations that you are making…. We really appreciate that. And we also really look forward to your report.

E. Denham: Okay.

R. Singh (Chair): Yes. We hope that your jet lag is over soon, and you’re able to enjoy your time with family and friends.

E. Denham: Yeah. It’s lovely to be home. Thank you very much. And I will submit a report.

D. Ashton (Deputy Chair): Thank you. Welcome back to B.C., Liz.

R. Singh (Chair): Good afternoon, Zelda and Kristi. Welcome. We really appreciate…. I’m Rachna Singh. I’m Chair of this committee. Along with members of this committee, we want to welcome you to the committee. We are really looking forward to your presentation.

Before you start, I just wanted to let you know that you have ten minutes to do the presentation. And after that, we will have about ten minutes for question-and-answer.

We are ready whenever you are.

CHARTERED PROFESSIONALS IN HUMAN RESOURCES OF B.C.

K. Searle: First of all, good afternoon. We’d really like to thank you for the opportunity to speak with you today. Alongside me, we’ve got Zelda Craig, and we’re hoping that Anthony will be able to join the call.

[2:45 p.m.]

A. Ariganello: Thank you. Hi, everyone. My apologies for being slightly late.

As Kristi was saying, I’m Anthony Ariganello, the CPHR president and chief executive officer for CPHR B.C. Alongside me is Kristi Searle, who you’ve just met. She’s the proprietor of her long-standing firm Peoplebiz Consulting Inc. Kristi is also a member of our organization’s board of directors and is a certified human resource business strategist, as well as a chartered professional in human resources. In addition, we have Zelda Craig, who is an HR consultant and a member of faculty at the College of New Caledonia’s post-diploma program in human resource management.

We are just three of over 6,600 professionals who belong to CPHR B.C. We were founded in 1942. CPHR B.C. is a professional, not-for-profit association incorporated in British Columbia. We are governed by a 12-member volunteer board of directors, who are elected by our members. CPHR B.C. is funded primarily through membership dues, professional development courses, and sponsorships, and we do not receive any funding from any level of government. We also issue the designation that our members possess, which is the chartered professional in human resource designation, or CPHR.

Our purpose today is to raise awareness of the increasing importance of the HR profession in British Columbia and across Canada, as well as to share with you the recommendations for the Personal Information Protection Act. We are proud of both our profession and CPHR B.C., and we’re delighted that a new strategic priority for us is to take public positions on relevant policy matters, such as this one.

I now turn to my colleagues, Kristi Searle and Zelda Craig. Kristi, please.

K. Searle: Thank you. CPHR B.C. and Yukon supports the following recommendations, formulated by the Personal Information Protection Act.

The first recommendation is…. We see maintaining the current language regarding the consent, currently parts three and four of the regulation. We would like to see striking a balance between protecting individuals’ privacy and allowing organizations to have some flexibility in how consent is secured that is proportional and appropriate to the context and the sensitivity of the personal information. Some of the concerns raised by privacy advocates regarding the unreasonable collection of information is best regulated through the complaint to the Privacy Commissioner process and case law, which has the ability to consider all of the contextual factors.

Another point that we’d like to see is maintaining the current language around acknowledging the special relationship between an employer and an employee, which entails slightly broader, implied rights to collect, use and disclose employee personal information. Any modification to the act or regulations should continue to acknowledge this special relationship and the need for flexibility, within reason, on the part of employers.

In particular, performance management and discipline rely heavily on an employer’s ability to gather information during an investigation or reasonable monitoring of a performance, as long as the collection of information is reasonable and the employer minimizes the intrusion into the employee’s privacy.

I’m going to pass it over to Zelda.

Z. Craig: We would also like to add a provision explicitly acknowledging an employer’s right to monitor their brand or company name in social media platforms, by scanning and collecting — if found — problematic public social media and other content that could be published by employees. This is to safeguard their brand and the reputation of their business. In this modern online world, many employers do monitor the Internet for adverse content, such as defamatory or disparaging posts about the employer or wrongful disclosures of confidential or private work-related data.

For example, in one case, a care home employer discovered an employee was posting unflattering pictures of ill patients on her social media. Currently, employers are expected to justify how they came to discover that an employee has undermined a company’s brand reputation by publishing wrongful or inappropriate Internet content — for example, Lougheed Imports, which is better known as the West Coast Mazda case.

[2:50 p.m.]

Employers should have the right to monitor for, collect and use information to protect their business interests around content and public-facing communications.

We would also ask that a similar defined, explicit right for an employer to collect publicly available information, including on the Internet, about a job applicant, provided that the scope of the information collected is reasonably related to the hiring decision; reasonable care is taken in collecting and verifying that information — for instance, there’s more than one John Smith in the world, and we need to be sure we’re collecting the right information; and the information is kept available, as with all applicant personal information, for one year after it was used to make a hire or non-hire decision. That would allow an unsuccessful applicant to access and challenge that information.

This would recognize the reality that there’s a wealth of information available that is being accessed while also providing a container or structure around how it can be used in hiring responsibly.

I’m going to pass the floor back to Kristi.

K. Searle: The next point we’d like to see is an update in the regulations to include a section on the reasonable retention and/or deindexing of personal information available on the Internet or website or elimination of the use of full names in online publications or websites.

Another point we’d like to see would be promoting privacy literacy compliance by establishing a robust education enforcement rule for the Privacy Commissioner, a similar structure to the tools and educational resources and templates provided by WorkSafeBC.

In the discussion, we really felt that…. Not to give a plug for WorkSafeBC, but when we looked back over the years at how WorkSafeBC has really strengthened and become a great advocate for employees and employers, we felt that they had really nailed it in terms of the resources available on their website, their educational tools, the different various things that they have available. So we actually felt that they were a really good model to look at.

For example, the Privacy Commissioner’s website…. We found that it hasn’t been updated since 2013. In this day and age, that’s an eternity. We definitely feel that we need to have more current tools for how fast technology is changing, which has a huge impact on the privacy part. So make the tools searchable and easy to download or modify.

Provide an e-learning program for employers and an e-learning program for employees on their rights and responsibilities to safeguard the privacy of their colleagues and customers.

I’ll pass it back over to Zelda.

Z. Craig: In the modern world, we’re also seeing employees more and more using their personal devices for work-related purposes, whether that’s a laptop, an iPad or a smartphone. So we believe that part 9 of the regulations, which is “Care of Personal Information,” needs to be updated to provide additional guidance on the storage and retention of personal information that is stored on an employee’s personal device.

This could be the electronic device, but it could be as simple as the physical desktop for employees such as myself working from home right now. There should be an associated toolkit available, with template policies, agreements and training required for employers who have officially or unofficially adopted a bring-your-own-device policy or allow employees to use their own devices from home or personal email addresses for business purposes.

We need to acknowledge the need for data partitioning, data security when employees travel across borders to other countries and also remote wipe protocols and the implications for personal data that might be held on that same device — the employee’s personal device versus a customer’s personal device, I should say.

Currently many employees are working from home and may not have explicit agreements or supports to ensure that customer and employee data is properly protected from casual observations, which could include family and friends who are inhabiting the new modern workplace or more malicious intrusions, which could include hackers or viruses.

[2:55 p.m.]

We’d also like the Office of the Information and Privacy Commissioner to create an audit, education and enforcement role. Again to draw on what Kristi was saying…. WorkSafeBC — we really do regard as a model of providing these toolkits in this enforcement role where we’ve seen worker safety just go up and up and up as a result of their efforts. In an era of technology, we really need to have something similar around privacy, I think — a parallel.

We know that health and safety is a priority and concern for B.C. employers because there’s this infrastructure around it. What we would like to see is that privacy be given the same thought, consideration and level of importance by people who it may not be top of mind, honestly.

So B.C. employers. There is an audit function that WorkSafeBC does have. Sometimes, there’s a stick that’s used to try to ensure compliance. If the Office of the Information and Privacy Commissioner would be funded to conduct proactive compliance monitoring and complaint initiation where warranted, penalties for non-compliance should also be considered to be increased.

R. Singh (Chair): Zelda, I just want to interrupt for a minute that your ten-minute presentation time has expired. We need some time for the question and answer, but you can take one minute to finish everything off.

Z. Craig: In addition to enforcement audit, we also suggested that there could be an optional privacy certification program developed similar to CARF or Ocean Wise where an employer could go through a particular process and get a stamp of approval to say that they had achieved this. That would be more of a voluntary, incentivized way of creating top of mind.

R. Singh (Chair): Thank you so much, Kristi, Zelda and Anthony, for your presentation. We really appreciate you taking out the time to come and meet with the committee today.

Now I’ll open the floor for questions. Members, any questions? Dan?

D. Ashton (Deputy Chair): No. I’m fine. Thank you.

R. Singh (Chair): Okay, all good?

Mable, do you have a question?

M. Elmore: No. I’m good. Thanks, Rachna.

R. Singh (Chair): Thank you. We really appreciate…. Wonderful information. We are hearing a lot about the changes that need to be made and the recommendations. Are you also going to submit a written report as well?

A. Ariganello: We have already.

R. Singh (Chair): You have. Okay. Wonderful. We’ll also take that into consideration, but we really appreciate your time to meet with us today. Thank you so much.

A. Ariganello: Well, thank you very much for your time. Sincerely appreciate it.

S. Sourial (Clerk Assistant, Committees and Interparliamentary Relations): Madam Chair, we may want to recess.

R. Singh (Chair): Yes. See you at 3:10.

The committee recessed from 2:58 p.m. to 3:11 p.m.

[R. Singh in the chair.]

R. Singh (Chair): Welcome, Donald, to the committee. We are really looking forward to your presentation. You have ten minutes to present. After your ten minutes are over, we will have about ten minutes for questions and answers from the members.

DONALD R. McLEOD LAW CORP.

D. McLeod: Thank you very much, Madam Chair and members of the committee. Thank you very much for taking the time to listen to me today. I did send a précis of my remarks earlier. I don’t know if it’s been circulated or not. But let me just very briefly speak about me and what I use the Personal Information Protection Act for.

I’m a lawyer. I have been practising in British Columbia since 1980. As a lawyer, I’m a litigator. I practise primarily personal injury law and family law. I use the act probably on a weekly basis.

First of all, let me say that my comments having to do with the act are in no way really critical of it; more on the lines of fine tuning. Overall, the act, I think, is an extremely good act. It works, or its intention is very good, but there are a few things that bring difficulty. Those few things really are that there is nothing to compel individuals who hold private information about others — by individuals, I mean companies as well — to comply with the act, short of going to the Information and Privacy Commissioner and asking for an investigation, and a hearing if it’s necessary.

What I run into most of all — and it’s usually with other professionals; it’s usually physicians, dentists, quasi-medical people and accountants — is that when I have a client who makes a request for a copy of their own file, they are met with either an outright refusal, or they are met with the attitude of: “Well, we charge according to our fee schedule,” usually quite a lot of money, “and we won’t provide information.”

For example, just this morning I was dealing with a physician in Duncan who has had a request from a particular client for several months now, and his attitude is: “I don’t provide my file to anyone.” So I am left with making a complaint to the Information and Privacy Commissioner at quite a serious expense to my client.

[3:15 p.m.]

The Information and Privacy Commissioner then has to begin an investigation. That investigation almost always ends up with the investigator, the person assigned by the commissioner, to contact the information holder and essentially read them the riot act, I guess is the best way of putting it — tell them that the act is an act of the Legislature of the province, and they have no choice but to comply.

I’ve never actually had a full formal hearing, but when we get to the point of me having to make a complaint, then representations, and I get the reply from the record holder concerned and then make a reply to that, it can easily cost my client $2,000 or $3,000. It shouldn’t cost any more than my clerk’s time to draft up the request — there’s no charge for that — mail it off to the record holder and then to receive the records. In other words, it should be extraordinarily cheap.

The act provides that the record holder can charge a minimal fee. In the material in my submission that I submitted in writing, there are commissioners’ decisions which show that the charges that a record holder may make are very, very modest. I’ve pointed out that $25 is the charge for a few pages up to some 17 or 20 pages. I think it’s $51 for about 295 pages, in one instance, instead of the over $500 that was sought by the record holder. But there is nothing that compels a record holder to comply with the act save and except for a commissioner’s order if it gets that far, and it should never, ever get that far.

That brings me to the second issue: the lack of sanctions. As I say, the record holder can simply say, “No, I’m not going to provide the records,” even though the legislation requires it. If there has to be an actual hearing — and as I say, I’ve never actually had a hearing in front of the commissioner; it’s always been resolved before that — then we are probably looking at a $5,000 fee.

There is no way such an extensive fee should ever come to pass to compel someone to comply with the legislation. But the only other way we have to get records is to make an application to the Supreme Court or the Provincial Court for a production order, and that involves making an application, affidavits, a notice of application, service on the record holder and attendance in court, which is about the same cost. I think that one of the reasons that the Personal Information Protection Act was passed was to avoid such a problem in the context of litigation and to avoid litigation entirely when a client or any individual simply wants a copy of their records.

So what can be done about it? I think, in my respectful view, that the act should contain some form of sanctions for not complying. If it was made plain in an application form to the record holder that there would be sanctions for non-compliance, I think that would probably end the problem right away.

The third issue is that while the legislation does not provide that the request must be made in any particular format…. I think that’s quite deliberate. It would be very, very bureaucratic to force someone to make the application in a particularly required form, which would then lead to a recalcitrant record holder being able to say: “Oh, no. You didn’t cross all your i’s or dot your t’s. We’re not supplying the record.” I think the act was very deliberately passed so that all that has to be done is that an individual has to make an application, in whatever form they see fit to make it, as long as it’s plain that it’s their own personal information they are seeking.

What I run into, and it’s all the time, is organizations saying you have to make the application in our particular format. Every organization has a different format. For example, I’m involved in a case right now with the University of Victoria, trying to get a former employee’s records. The university is incredibly difficult to deal with, so it’s in the hands of the Information and the Privacy Commissioner right now.

[3:20 p.m.]

If someone is able to simply request their records and it was made plain in the legislation that that person who is requesting their records simply has to request them, and there is something like — as I’ve suggested in my written presentation — that the request by an individual for personal information need not be made in any particular format or on any particular form, nor may an organization require the request to be made on any particular form, then that would get rid of that problem. It’s a very easy thing to do.

The other and final point is that I do run into organizations that won’t supply the record without an undertaking from the individual requesting it to not sue them if anything is discovered as a result of the disclosure of information — for example, if a breach of privacy is discovered. That’s not something that’s contemplated in the legislation, nor should it be.

I think, in my respectful view, that these are tweaks for the statute. They’re not difficult tweaks. But they would, if adopted, make it very, very much…. It would make it much easier for an individual to acquire their own records. I might say that when I run into it, and when I use the statute, the records are always requested by the person who is the subject of the records in their own handwriting — it’s their own signature on the forms that I use — so that we don’t run into the problem of whether or not this is a third-party request, because that creates even more difficulties.

I think that my position and my submissions are very clear. I see I have 30 seconds left.

So to you, Madam Chair, and the members of the committee, thank you very kindly for listening to me.

R. Singh (Chair): Donald, thank you so much. You have been very precise, letting us know what your recommendations are.

I will open the floor for questions. Just before that, you want…. Some clarification. I haven’t gone through the written presentation yet, which I will definitely go through. But I just wanted to check where it is in the legislation that you mentioned that the person who has the records has to give them. So what kind of…? It is not clearly mentioned, or people are not getting it — what is it that is creating so many problems?

D. McLeod: Without opening the legislation, I think it’s section 35. I could be wrong. It simply says an individual has a right, on request — I’m paraphrasing, obviously — to have a copy of the personal information that the organization holds on them. It’s a very clear and really simple statement.

R. Singh (Chair): Okay. Thank you.

Any questions, Members?

A. Olsen: I’m just trying to, I think, look at this from the…. Is there a good reason why this…? I’m just trying to understand. I mean, I think there’s a great inequity here. Those who have the capacity to be able to enforce this and chase it down and hire lawyers and go through the process are able to get it. Those who don’t will just likely give up and walk away and not be able to get the information that an organization holds.

Maybe I’m asking an unfair question here. But is there any reason why it would be the way it is currently now that we should consider in this as well? Was this an oversight in the original drafting that said that we don’t have a way to enforce this section? Or is there a reason why we might want to consider this to stay the same way?

D. McLeod: Well, I think that there are two answers to that. As to the enforcement, if someone is denied access to their records, there is an enforcement mechanism, but it’s complex. For most laypeople who are not used to dealing with legislation, it does require them to hire a lawyer, unfortunately. I think you’re very correct that when people don’t have the resources to go and hire a lawyer, they give up and go away. I think that happens a lot. That’s not fair.

Of course, I wasn’t involved in drafting the legislation, naturally. But I think that the intent of the legislation comes through quite clearly.

[3:25 p.m.]

Someone — any member, any citizen in the province — has a right to their own information, and they should be able to get it quickly and simply and at minimal cost. That’s not what’s happening in many cases.

R. Singh (Chair): Any other questions?

S. Thomson: In your submission…. Really, the remedy in this is some form of sanction or compliance for not providing that, because I think, as you pointed out, the principle is quite clear. So it doesn’t necessarily need a change in legislation to cement the principle that’s been put in place in the legislation.

I think I’m hearing from you that you — and probably we — agree with that principle. It’s really around: how do you incent the holder to provide that information other than some form of significant sanction that will have them do it as a matter of course as opposed to resisting it for whatever reason?

D. McLeod: I think that’s a correct statement, sir. I think that if, on the initial request…. It should be in the legislation, I think around section 33, 34, 35, somewhere around there. The requester put in that if you don’t comply, the Information and Privacy Commissioner can impose a sanction of so many dollars for the time, trouble and effort of having to go further and ask for an investigation and an order.

Then that would probably be sufficient to bring the seriousness of the matter to the record holder, because now they’re faced with the possibility of paying money, and if they are faced with that possibility, then they might take it a lot more seriously. Of course, if they don’t, then, in my submission, I think that the Information and Privacy Commissioner — if it does have to go further — should have the ability to impose and enforce such a sanction.

R. Singh (Chair): Thank you. Dan, did you have a question? Mable? I think we are good. Adam, you had…?

A. Olsen: Sorry, I was just trying to get to the section. The way that it’s written right now, it suggests that anybody has the right to request information. What if the language…. Of course, legal drafters are the people that write these, not MLAs, and probably for good reason. But I’m just thinking. Rather than a sanction, what about language around: when a person asks for it, the holder of that information is compelled to provide it?

D. McLeod: Well, essentially, the legislation does say that. It says that a person has the right and the organization…. It even goes as far to say the record-holder organization has an obligation to assist them with getting the information. But that’s simply not happening.

A. Olsen: Okay. Thank you for the clarification. I appreciate that.

R. Singh (Chair): Thank you so much. We really appreciate you coming in today and bringing this aspect that a lot of people, as you have seen in your experience, have gone through — the barriers they are facing. Definitely we’ll look into how to rectify it in our recommendations.

Susan, we have the next presenter here, and we are ready for her.

Welcome, Jade. Thank you for taking out the time to come to meet with the committee. We are really looking forward to your presentation.

[3:30 p.m.]

You have ten minutes to present. After your ten minutes are over, then we will have ten minutes for question and answer. We are ready whenever you are.

JADE BUCHANAN

J. Buchanan: I’ll start with the usual introduction. I’m Jade Buchanan. I’m a lawyer with the law firm of McCarthy Tétrault. I’m a certified information privacy professional. I’m not representing my firm or any other organization. I’m speaking as somebody who knows about privacy laws from helping organizations in B.C. and around the world comply with privacy laws in Canada.

I only wanted to use your time today if I thought that I could add something distinct to the discussion, so to that end, my comments are going to be about three topics. First, I’m going to talk about B.C.’s role in improving the consistency of privacy laws across Canada. Second, I’ll speak about making it easier for organizations to understand their obligations under privacy laws. And third, assuming that at least some major changes are coming, I’ll be talking about how I think we can make the transition as smooth as possible.

I’ve seen some of the materials that were submitted to the committee, so I know you’re all up on all this new privacy law jargon. But if I say something that’s confusing or a little too jargony, please feel free to cut in and have me clarify.

I’ll start with the topic of consistency of legislation across Canada. A business operating across Canada needs to comply with up to four different privacy statutes, each with a different privacy commissioner. That’s B.C., Alberta, Quebec and federal. It gets quite a bit more complicated and that number goes up when we’re dealing with organizations that handle personal health information or private sector organizations that work as service providers to public bodies.

In the case of B.C., we have both PIPEDA at the federal level and PIPA in B.C., which can have a disproportionate regulatory burden on B.C. organizations that, in my view, does not have a corresponding benefit to consumers. For example, if you operate an online business in B.C., you need to comply with both PIPA and PIPEDA. PIPEDA comes in if you have customers in, say, Manitoba or Ontario. You need to comply with both laws, even if it’s just a single customer in Ontario or Manitoba. Conversely, if you operated an online business out of Ontario, you only need to comply with PIPEDA, even if you have customers in Ontario, Atlantic Canada and the Prairies — I wouldn’t include Alberta in there.

Things get a little more murky for both businesses, particularly the Ontario business, if they have customers in B.C., Alberta or Quebec, where there is private sector privacy legislation. That murkiness actually gets into what law actually applies to certain situations. It’s quite a weedsy issue as to what law applies in cross-border issues internal to Canada, so I’m not going to get too much into that. Interestingly, though, if you’re an individual in B.C. and you’re trying to decide whether to give your business to a business in B.C. or a business in Ontario and you’re concerned about making sure you’re notified if your personal information’s subject to a data breach, you’re better off giving your business to the Ontario company, not in your home province of B.C.

When it comes to similarity in this patchwork of laws, B.C.’s PIPA, Alberta’s PIPA and the federal PIPEDA are not that different, but they’ve kind of drifted apart — although really, what has happened is we’ve remained stationary while Alberta has drifted in one direction and PIPEDA has drifted in a somewhat similar but slightly different direction as well. There are more disparities than there were previously. Now, Quebec is always different, and you may have heard that, on Friday, the National Assembly of Quebec proposed new privacy legislation that’s going to make Quebec very different.

My hope in this kind of brief canvassing of the patchwork of Canadian legislation is to help you see that this complex patchwork doesn’t really serve anyone except lawyers. Getting harmony across Canada would take…. If you want to get some harmony, it’s going to take cooperation — it’s cooperative federalism — because of the jurisdictional overlaps. It will require cooperation with the federal government, of course, B.C., Alberta and Quebec.

At least two of those jurisdictions are currently considering overhauls to their legislation. Quebec has a proposal. The federal government is constantly talking about it with things like the digital charter. Ideally, there’d be just one single law with a single regulator across Canada. Appreciating that that’s maybe not politically possible, having a model statute that at least looks the same would be quite a bit clearer and more consistent across the country.

[3:35 p.m.]

To that point, it would also be helpful if Privacy Commissioners across Canada collaborated more. Now, they do work together, but it would be great if they had a unified process on the important issue of mandatory breach notification, so you’re not reporting to a bunch of different commissioners with a bunch of different forms. And when it comes to issuing joint guidance, when they do it and they do it well, it’s very useful. I’ll talk about that in my next topic, which is the issue of guidance from Privacy Commissioners.

If we think that cross-Canada privacy legislation is not on the table, in my questions I’m happy to talk about some ways that I think we could simplify B.C.’s legislation if there’s sort of no coordination.

But I’ll jump to my next point of helping organizations understand their obligations through good guidance from the Privacy Commissioner, the Information and Privacy Commissioner for B.C. in our case. As you may know, Privacy Commissioners release non-binding guidance documents that flesh out the details of the legislation as they interpret it. It can be really useful when it’s done well. It clears up a lot of grey areas and helps organizations understand what they’re doing. For me, it helps explain to my clients what the law is.

Conversely, guidance done wrong can be really confusing, and it puts you in a situation sometimes where you think the Privacy Commissioner is not actually interpreting the law correctly, and there’s sort of no redress. I have a couple suggestions on commissioner-issued guidance going forward.

I think that there should be a legislated process by which the commissioner produces official guidance that includes a mandatory public comment period. The federal Privacy Commissioner has recently done this on some guidance and — rightly, in my view — admirably actually changed his view on a few issues after getting public feedback. Not only did it improve the guidance, but it improved the trust that organizations have in the Privacy Commissioner, at least in my view.

In addition to having that process that includes a public comment phase, I think there should be a means by which the commissioner should be required to issue formal guidance when there’s a critical topic. Now, I’ll use an example coming from the COVID-19 pandemic. Despite knowing it’s an issue…. There are two big issues we hear about: contact tracing and temperature screening. Privacy Commissioners have known that temperature screening is a big issue, but in my view, there hasn’t been any really useful guidance on it.

What we need is clear guidance that says: “Yes, you can do it in these situations” or “No, you can’t do it at all,” and “When you do it, here are the steps you should take to protect individuals.” There’s been some guidance, but it’s really just pointed back to the legislation with no useful fleshing out of details or clarification of grey areas.

Those are my thoughts on getting good-quality guidance to help organizations comply with their obligations. I’ll move to talking about smooth transitions. I’ve got about two minutes, so apologies if I start to talk fast.

Now, I don’t think the goal of this exercise is for British Columbians to have their in-boxes filled with those emails that say: “We’ve updated our privacy policies.” I also don’t think it’s a goal to have organizations scrambling to comply. To that end, I think there are a couple tools that are worth considering before bringing in new privacy legislation.

The first is a grandparenting of consents that have been obtained under the existing legislation if there’s a change in the standard of consent under PIPA. Essentially, what I’m saying is that if an organization has collected personal information from an individual with that individual’s consent and that consent complied with PIPA as it exists today, they should be permitted to continue using the personal information on a go-forward basis, subject to any new rights that you bring in, such as a right of erasure, a right of individuals to have that personal information deleted.

The second thing is that I think transition periods are a really good idea, particularly because there can be back-end technological changes that organizations need to implement in order to comply with the law.

A couple of examples of rights that you may have heard about that may require technological changes are the right of erasure and the right of data portability. Those are going to require some back-end tweaks on the part of organizations to their back-end systems that handle personal information. Giving them a significant amount of time to get that in place can help them ensure there’s compliance. So those are a couple of tools.

Getting back to my earlier points on having good public consultation on what the law is going to include so that we can provide feedback to provide useful tweaks. Having good guidance from the commissioner…. Ideally, as part of the transition, that good guidance from the commissioner would come out before the legislation comes into place, when it’s on those critical issues, so that there can be a cycle of feedback and then clear guidance.

[3:40 p.m.]

Then when the legislation does come into play, it’s not just the legislation on its own, but it’s fleshed out with some really useful guidance to help organizations comply.

Five seconds left.

Thanks so much. I really appreciate you taking the time to hear me out. I’m happy to answer questions about my remarks or any other questions that you might have.

R. Singh (Chair): Thank you so much, Jade, and you were right on time, so thank you for doing that as well. Really good information.

I’m going to open the floor for questions.

I just wanted to have a clarification on the points that you brought in, especially when you talked about different jurisdictions and different privacy laws. In a lot of the presentations, we have heard a lot about GDPR and how we should adopt some of the things that GDPR has.

Going back to the legislation. We haven’t seen it yet, but we have just heard about it — the legislation that has come in, in Quebec. They’re trying to bring in changes to make it compliant with GDPR. Are you looking at something similar with PIPA and with PIPEDA, something like that, with GDPR? Or do you just want some more similar…? I know that you want some kind of…. That the laws are similar to each other. But is it in relation to GDPR or no?

J. Buchanan: I think that there is a GDPR aspect to it. I don’t have strong opinions on whether or not our legislation should look more like GDPR from a substantive perspective. But you have probably seen from the OIPC submissions and maybe other submissions that it’s important for PIPEDA to maintain its adequacy finding under GDPR so that data can be transferred from the European Union to Canada without additional protections such as the standard contractual clauses or something like the U.S. Privacy Shield.

In order to maintain our adequacy finding, it’s likely that we’ll need changes to the legislation. But I think it’s important to note a couple of things. One is that Quebec’s legislation as it stands was previously considered for an adequacy finding, under the previous EU legislation that was pre-GDPR. It didn’t get that adequacy finding.

It’s actually put things up in the air, in my view, as to whether or not organizations in B.C., Alberta and Quebec actually benefit from the adequacy finding or if it’s only permitted under GDPR to transfer information to provinces where PIPEDA applies. But I stress that this is kind of an academic up-in-the-air thing that I haven’t seen. I think it is important that we maintain adequacy, and maybe more importantly, I think it’s important that there’s cooperation across Canada and that we have a unified effort to getting adequacy.

Just the sheer fact that we might ask the European Union to consider four different jurisdictions, three provinces and federal, in order to get an adequacy finding seems like it just increases our risk that we’re going to get a no — and further, if there are territorial spats over it.

One of the reasons that Quebec was denied is because there was an inconsistency in the way the Quebec commissioner viewed the cross-border transfer of personal information.

R. Singh (Chair): Thank you so much.

Adam, you have a question?

A. Olsen: Yeah. I’d just like to hear a little bit more on the last piece, because I got a bit distracted. I’m just wanting to get a little bit more background on that last point that you made, if you could flesh it out a little bit more.

There were a couple questions that I had, but I’d just like to hear you go back at it again, if I could. Sorry.

J. Buchanan: Sure. On the GDPR adequacy finding?

A. Olsen: No, in your presentation, on your third point.

J. Buchanan: Oh, transitional provisions. Sure.

A. Olsen: Yeah.

J. Buchanan: The grandparenting of consent is…. I appreciate that’s kind of a nuanced issue. Basically, what I think is that if we bring in new legislation, it’s likely to change the threshold on consent, at least in certain situations. Previously, you could rely on implied consent, where essentially you make your policies known. You make it obvious to individuals how you’re going to use their personal information, and provided it’s within the confines of the law, including for a reasonable purpose, you’re free to continue doing so.

For example, if I’ve collected information about one of my customers’ regular purchases, and I have told them, “I’m going to use this information to suggest new products to you” — that I’d be able to continue doing so without going back and getting a fresh consent from them, provided that I continue to comply with the law as I do that.

[3:45 p.m.]

I think a right of erasure is likely to be on the table, but right now you can withdraw your consent. So if the law allows that, then it’s not a disruption to organizations, in that they’re allowed to keep using personal information that they’ve collected in compliance with the law as it is today, provided that they continue to comply. And individuals can revoke their consent still. Individuals have that protection if they want to withdraw their consent.

A. Olsen: Am I getting this right? I think it was GDPR. Everybody who had lists had to go back and make sure that people were reconsenting to being on a list that they were already on, in order to comply with…. Was it GDPR? Am I getting that right?

J. Buchanan: There was a bit of that under the GDPR, but maybe I’ll speak about our anti-spam law, because that’s one I understand really well, and in my view, there were real issues with transition there.

CASL is really prescriptive in what’s required for consent to send somebody an email. It includes things you wouldn’t necessarily expect, like that there needs to be a physical mailing address present, which disadvantages small businesses. There also needs to be a statement saying that the individual can unsubscribe at any time.

In theory, if you don’t meet those fairly prescriptive requirements, your consent is not valid. I still see a lot of organizations — not my clients, of course, but a lot of organizations — who aren’t meeting those prescriptive requirements. If the requirements around consent are very prescriptive, I think it’s useful to say if you’ve got consent that was valid in the law as it was before it came into force, you should be able to rely on that.

I also think that ideally, if there are immaterial deficiencies in the consent you’ve obtained going forward, that shouldn’t be the deal-breaker. You should be able to remedy that. For example, if it is that requirement for a mailing address, you send folks an email saying, “By the way, we realized we didn’t send you our mailing address. Here it is now,” and are able to remedy it, rather than making somebody go through the process and lose customer information that the customer voluntarily consented to providing under the law as it was.

A. Olsen: Thank you for that clarification. That’s right. That was the anti-spam law that forced us all to go back and reconsent to the lists that we were all on. Thankfully, a lot of those lists, I didn’t reconsent to.

J. Buchanan: You and apparently 90 percent of other people.

A. Olsen: Thank you for that clarification. I think it’s kind of the shifting sands of some of these agreements. I think I was concerned that the ability to change language that does materially change what you’ve agreed to…. That’s not what you’re saying here. You’re saying that we should try to create as smooth a transition to the change as possible.

J. Buchanan: Yes.

R. Singh (Chair): Any other questions, Members?

Seeing none, thank you so much, Jade. We really appreciate your time with the committee today and thank you for all of your input. When we do the deliberations, definitely we’ll look into this.

The committee recessed from 3:48 p.m. to 4:16 p.m.

[R. Singh in the chair.]

R. Singh (Chair): Good afternoon, Gabriel. We really appreciate you taking the time to come and present to the committee today. We are really looking forward to hearing from you.

Before you start, I just want to let you know that you have ten minutes for the presentation. After the ten minutes, the committee members will have some time to ask questions as well.

We are ready whenever you are.

BLOCK WATCH SOCIETY OF B.C.

G. Pelletier: Perfect. Just to introduce myself, it’s Gabriel Pelletier. I’m on the Block Watch Society of B.C.’s board of directors as treasurer, and I act in different capacities, including advising on the website, helping with the grants — the money is generously given by the province and then distributed to Block Watch captains across the province — and also on just any communications issue that comes up.

I also work for the city of Surrey in the capacity of helping Block Watch in community programs, community policing. I have also a real hands-on understanding of how the society’s overall view and policy is affected by what occurs on the ground in the actual Block Watch building blocks.

Having more so the hat of being a Block Watch director, in this case, I think that’s the important position to come from for this purpose. I think it’s important for you all to understand that as a society that puts forward guidelines for the municipalities and the different policing organizations that have Block Watch in their communities, we are there for guidance mostly. We do not take very much private information in terms of the actual participants’ information, the captains’ and co-captains’ information.

From time to time, they will reach out to us for further guidance if they have questions. If they’re looking to start a Block Watch in their neighbourhood, they will contact our office, and we will do our best to set them up.

One of the key parts of Block Watch is that we help guide, so it’s a uniform policy across the province, and we have good practices in place. But like I say, a key part of how this works and functions properly is that we have a coordinator hired by the policing office or hired by the city who actually runs the Block Watch program at the municipal level. So it is in effect they who have the bulk of the private information that I think we’ll be talking about today.

Then we deal more so with the members. A member, for all intents and purposes, is really the professional relationship that we share with that connection point at the municipal level.

In your questions to me, we can try to maybe narrow down what private information we might have.

[4:20 p.m.]

We certainly have a secure website that we deal through, so any private information that’s kept on that is secure. The email system that goes through the website is also secure. I’ve reached out to the person that we hire for our website and email system, and he has assured me that all traffic to and from is secured. For the email system, we use secure technology to ensure all email traffic that is handled is also secure.

But one thing that we do want to benefit from here today is to have the best guidelines in place so that we can pass this on to our coordinators across the province. When I say “our coordinators,” they’re hired by the cities and the police forces across the province. It’s very important, because we’re an organized, operational crime prevention organization, that we have uniform rules across the province. If they’re not living up to our standards, then we have to reinforce the message.

Whatever we can do and however we can tighten up our wording…. Now is a good time for me to just mention that we produce something I can give to you at the committee. It is our policy manual for Block Watch captains, co-captains and participants. In this policy manual, we have an entire page dedicated to PIPA so that they’re aware of what they should be doing with the private information.

Now just to let you know, something I haven’t mentioned is that also when the original source…. The original intake of this personal information is actually happening at the neighbourhood level. So a captain and a co-captain are literally going door-to-door — in non-COVID times — to actually sign people up on their block or in their building. We have also…. What this page would look like is a sample sign-up sheet. There’s a disclaimer at the top about how the personal information that’s shared can be removed at any time and that it follows PIPA guidelines.

In the one-page description of PIPA rules, provincial rules, we explain to the captains and co-captains, in this case, how important it is for them to manage personal information correctly. So it starts at the co-captain and captain level. I think we have an even greater amount of influence at that point as well because quite often the cities will take our manual. Once they get a Block Watch group started, they will give them these manuals to distribute all across their little neighbourhoods. They rely on these for direction.

Things can go wrong if they’re not educated in this as well. So that’s why we have made sure that it’s printed in very good detail to use as guidance points.

I hope that covers the main amounts of how we’re involved. Probably the best way to explore that more is to leave it up to questions.

R. Singh (Chair): Thank you so much. We really appreciate your presentation. I’m really glad that there’s coordination happening with all of the Block Watches in the province.

I’m going to open the floor for questions. But I just wanted to check with you, Gabriel. I understand that you are taking care of the privacy, and you have everybody getting their information following the rules. One of the things that we are trying to find out through our presentation are any barriers or anything that needs to be changed in PIPA.

In your experience with the Block Watch, have you encountered anything that you think needs to be changed — that this act needs to change?

G. Pelletier: Okay. I think that anything to help explain explicitly to community-level groups would help us out. Because right now, when I say we have to collect signatures from people, there is a lot of leeway there because you’re dealing with neighbours here. You’re dealing with people who may know each other very intimately, or they might at least pass by each other and recognize their faces and give a wave. Or they might live in an apartment complex and not know very well who they are, but they sign up.

Now sign-ups can also occur verbally, especially right now with COVID. We’re not having anyone sign anything, although it’s a very good time to start Block Watch groups because people are at home and they might have a little time to connect. So we’re encouraging people to sign up verbally with the connections that they already have in place.

[4:25 p.m.]

If PIPA has any kind of guidance for us for how the sharing of information occurs, what kind of paper trail is adequate…. Now, if we’re dealing with people’s individual habits, whether it’s handwritten, on computers, email, verbal agreement, and say: “Okay, I’m signing you up, and I will use your email to create a mailing list. And of course, I know your address because you’re my neighbour, but primarily we’ll connect based on telephone and email.” Now what happens with that information? How can you prove that you gave your consent to sign up for a mailing list?

We have it in very stark terms that they can be removed at any time. So perhaps that is a good…. Maybe that’s a blanket explanation or instruction for people. If they can be removed, then there’s no problem. But if you think that there’s any way to tighten that up, then that would help us out. Right now, we think we’re operating in the right way, but I hope it is.

R. Singh (Chair): Thank you so much. Steve, you have a question?

S. Thomson: Thanks for your presentation, Gabriel. Certainly appreciate and value the work that the Block Watch organization does in our communities and our neighbourhoods. We have one in our own neighbourhood that is very, very helpful up here in Kelowna.

I think the Chair asked…. Kind of the question was: do you feel that there’s any significant important changes that need to be made to the legislation? But I also hear just the need for, as we do our deliberations and make some potential changes or our recommendations may result in some potential changes in the legislation and policy and approach, you want to ensure, as organizations work in our communities, that that is well-explained to you, that you get the guidance documents that clearly explain any changes that might come forward as a result of this process.

The one thing I wanted to ask is: do you liaise directly with the Office of the Information and Privacy Commissioner and their guidance documents and information that they put out? They put out a lot. Do you find it valuable and useful information? Do you access the resources there in your work? Or are there some improvements that could be made there on how you could access those documents or the awareness of those documents and the information that they have?

G. Pelletier: I understand. I think that the best way to receive communication would be just directly to our general email account at blockwatch@blockwatch.com. But interacting with that agency that you mentioned would be basically informing and creating the pages that we have in our handbook. That’s when we would have put the research into putting that forward. But it would not be a frequent interaction. More so at the municipal level, I think, just in knowing the day-to-day handling of the flow of information, if there are any questions.

I know in my role in Surrey, I think I would have had more questions during the course of my work there in knowing if I’m handling information properly. And then in that case, I would be interacting not with that agency, but with the…. We have a certain process in place to obtain a PIA in order to know if we’re making substantial changes to a program or not and if it complies with PIPA or FOIPPA. In that case, I would not be interacting directly with the agency.

What I’m trying to say, just to go back to the beginning, is I think it would be of most value if you send any updates through to the blockwatch@blockwatch.com so that we can review that information as it comes in, rather than us reaching out and looking for changes.

R. Singh (Chair): Thank you. That is a really good point that you have made. Being a smaller organization, you would like, if there are any changes that are coming, that you receive them rather than you asking for them. So that makes sense.

G. Pelletier: That’s right.

R. Singh (Chair): Any other questions? Mable, do you have a question?

M. Elmore: No, I don’t. I’m good, Rachna.

R. Singh (Chair): Gabriel, that’s it. We don’t have any other questions, but we really appreciate you coming in. It was also good to know that you are from Surrey. That’s where I am from. So thank you for your time.

G. Pelletier: Thank you very much for your interest, and I hope you make some good changes.

R. Singh (Chair): Thank you. Have a good evening.

So we are done for today, Susan?

[4:30 p.m.]

S. Sourial (Clerk Assistant): Yes, no more presenters today.

R. Singh (Chair): That finishes our presentations, right?

S. Sourial (Clerk Assistant): Yes.

R. Singh (Chair): We still have till August 14 for the written submissions. After that, we will do the deliberations. We’ll go through them, right?

S. Sourial (Clerk Assistant): Yes.

S. Thomson: I just had a question around the process of written submissions that are coming in. Are those going to be sent to us on an updated, ongoing basis as they come in so that we can start to review and read through them? Or are they logged on the website where we can go in and access them? What’s the process there?

S. Sourial (Clerk Assistant): Thanks for the question.

Our researchers will prepare a database that members can access, and all the submissions will be logged in there, as well as the summaries. I will circle back to research to find out when that database might be accessible to members. Typically, we wait until we’ve received a number of submissions and have started summarizing them, but I’ll circle back and I’ll let members know when that’ll be available.

S. Thomson: Okay. Great.

R. Singh (Chair): Thank you. I think that brings us to the end of our meeting today. I need a motion to adjourn.

The committee adjourned at 4:32 p.m.