Fifth Session, 41st Parliament (2020)

Special Committee to Review the Personal Information Protection Act

Virtual Meeting

Wednesday, September 16, 2020

Issue No. 8

ISSN 1913-4754

The HTML transcript is provided for informational purposes only.
The PDF transcript remains the official digital version.


Membership

Chair:

Rachna Singh (Surrey–Green Timbers, NDP)

Deputy Chair:

Dan Ashton (Penticton, BC Liberal)

Members:

Mable Elmore (Vancouver-Kensington, NDP)


Adam Olsen (Saanich North and the Islands, BC Green Party)


Steve Thomson (Kelowna-Mission, BC Liberal)

Clerk:

Susan Sourial



Minutes

Wednesday, September 16, 2020

9:30 a.m.

Virtual Meeting

Present: Rachna Singh, MLA (Chair); Dan Ashton, MLA (Deputy Chair); Mable Elmore, MLA; Adam Olsen, MLA; Steve Thomson, MLA
1. The Chair called the Committee to order at 9:32 a.m.
2. Opening remarks by Rachna Singh, MLA, Chair.
3. The following witnesses appeared before the Committee and answered questions related to the Committee’s review of the Personal Information Protection Act:

Ministry of Municipal Affairs and Housing:

• Doug Page, Director of Policy and Legislation, Housing Policy Branch

4. The Committee recessed from 9:53 a.m. to 10:04 a.m.
5. The following witnesses appeared before the Committee and answered questions related to the Committee’s review of the Personal Information Protection Act:

Ministry of Citizens’ Services:

• Kerry Pridmore, Assistant Deputy Minister and Chief Records Officer

• Matt Reed, Executive Director, Privacy, Compliance and Training Branch

Office of the Information and Privacy Commissioner for British Columbia:

• Michael McEvoy, Information and Privacy Commissioner

• oline Twiss, Deputy Commissioner

• Jeannette Van Den Bulk, Deputy Commissioner

• Michelle Mitchell, Senior Communications Officer

6. The Committee adjourned to the call of the Chair at 11:19 a.m.
Rachna Singh, MLA
Chair
Susan Sourial
Clerk Assistant, Committees and Interparliamentary Relations

WEDNESDAY, SEPTEMBER 16, 2020

The committee met at 9:32 a.m.

[R. Singh in the chair.]

R. Singh (Chair): Good morning. I would like to welcome everyone to our meeting this morning. My name is Rachna Singh. I’m the MLA for Surrey–Green Timbers and the Chair of the Special Committee to Review the Personal Information Protection Act.

I would like to begin by recognizing that my constituency is on the traditional territory of the Coast Salish peoples, in particular the Kwantlen, Katzie, Semiahmoo and Tsawwassen First Nations and the Kwikwetlem and Qayqayt peoples.

We are an all-party parliamentary committee of the Legislative Assembly, with a mandate to review the Personal Information Protection Act. We began our review by receiving initial information from the Office of the Information and Privacy Commissioner and the Ministry of Citizens’ Services. We also undertook public consultations, which took place from May 4 to August 15, where committee members heard from presenters at virtual public hearings and received online submissions from a number of organizations and individuals. On behalf of the committee, I would like to thank everyone who took the time to participate in our consultations.

Our meeting today is focused on receiving follow-up information from the Office of the Information and Privacy Commissioner and the Ministry of Citizens’ Services in light of input we heard during the consultations. The committee also invited the Ministry of Municipal Affairs and Housing to be here today to provide information regarding the interplay between the Personal Information Protection Act and the Strata Property Act, as this matter was raised by stakeholders.

I’ll ask the members of the committee to introduce themselves.

D. Ashton (Deputy Chair): Good morning, everybody, and thank you very much for the opportunity to take your input today. I’m Dan Ashton. I represent the area from Naramata to Peachland and the south end of Okanagan Lake.

S. Thomson: Good morning, everybody. It’s great to see you all. I’m Steve Thomson, MLA for Kelowna-Mission.

M. Elmore: Good morning. Thank you for joining us. My name is Mable Elmore. I’m the MLA for Vancouver-Kensington.

R. Singh (Chair): We will be joined soon by Adam Olsen. He just needs a little bit of time to log in. He will be joining us shortly.

[9:35 a.m.]

Also assisting the committee today are Susan Sourial, Lisa Hill, Jesse Gordon and Stephanie Raymond from the Parliamentary Committees Office. Billy Young, Ian Battle and Simon DeLaat from Hansard Services are also here to record the proceedings.

To begin this morning, we are pleased to welcome Doug Page, who is the director of policy and legislation with the housing policy branch of the Ministry of Housing.

Just a reminder, Doug, that we have 30 minutes for the presentation, including time for questions from members. The floor is yours, Doug. Please go ahead.

Briefings on Statutory Review of Personal Information Protection Act

MINISTRY OF MUNICIPAL AFFAIRS AND HOUSING

D. Page: Thanks for the introduction there. I’ve been invited to provide the ministry perspective on privacy concerns related to the interplay between the Personal Information Protection Act and the Strata Property Act.

I’ve had a chance to look over the testimony from the Condominium Home Owners Association and the lawyer and board member they had with them as well as the letter from the commissioner that I think came after that testimony. That was helpful to provide me with background on what your interests are and the issues that have been raised. Particularly, it sounds like the issue was the disclosure of information by strata corporations of documents that may contain some personal information that it’s probably desirable to have some protections over.

Just to provide a bit of context on stratas in B.C., there are roughly one and a half million people living in stratas. We know there are at least 32,000 strata corporations in the province — not all of them residential, but the vast majority would be residential or partly residential. They’re governed by what I think government would call corporate legislation. It was originally modelled on the former Company Act. There are a lot of parallels between the two.

We like to call them the fourth level of government. They’re quasi-governmental organizations with elected strata councils and annual elections for those positions. They have the powers to make bylaws and to enforce them, impose fines. They can vote on and impose and collect strata fees, which is a form of taxation. Of course, they can collect and use information — a lot of personal information — for some of those purposes, and that’s what brings about the interest of the committee.

Just to summarize the information requirements in the Strata Property Act, section 35 lists the records that strata corporations have to prepare and retain and lists retention periods for those records. One in particular that’s worth noting is that that list of records includes correspondence sent or received by the strata corporation or the strata council.

Correspondence is quite broad and often includes sensitive information. There’s no real definition of it in the act, so it could include financial, medical and personal details sometimes provided by residents to justify requests for hardship exemptions from rental restriction bylaws or requests for accommodation under human rights legislation. Those are some examples you can well imagine might contain personal information that they wouldn’t want shared broadly.

Also, things like bids from contractors might fall under the definition of correspondence. If it comes in a letter or an email to the strata and they have to hold onto it, then they are likely to have to disclose it under section 35 if somebody comes requesting it.

Section 36, as I’ve started to allude to, allows certain people to inspect or get copies of those records. Primarily, it’s the owners in the strata corporation who would exercise that right.

[9:40 a.m.]

There’s another section that’s somewhat relevant. Section 135 requires the details of bylaw complaints to be provided to someone who’s alleged to have violated the bylaw. So if another owner has made a complaint, there may be personal information in that complaint that the act is saying you need to disclose as part of due process, I suppose, for the person who is accused of the violation and might get a fine or other penalty imposed by the strata, so they’d have a chance to defend themselves or know what the accusation was and say whether they were out of town on the date that occurred — something like that.

The Strata Property Act predates the Personal Information Protection Act and doesn’t make any reference to it. That act seems to have functioned to protect the privacy of personal information in stratas, largely in an appropriate manner from what I can tell, prior to the 2015 change in the commissioner’s guidelines for strata corporations. I think you’ve reviewed and heard testimony on that already. We have no basis to dispute the commissioner’s interpretation of the act — but just to note that these problems seem to have arisen since that change in 2015.

The Strata Property Act, I think, legitimately requires recordkeeping and access to information because owners have a right to know how their organization is being run. It’s similar to freedom-of-information legislation for the provincial government.

However, under that broad ability to request any correspondence with the strata corporation, we’ve also heard from the Condominium Home Owners Association in the last year about some of the concerns they have that sensitive personal information is being released in some cases. That possibility may also deter some strata owners from submitting it in the first place, if they know it could be released and they’d rather it be kept private. That deterrence could hinder their ability to take advantage of some of the protections, provisions and rights under the Strata Property Act.

That being said, to the best of my knowledge, the ministry has not received any correspondence from the public on this topic, to date, so no doubt it’s a legitimate concern and CHOA has their ear to the ground and hears from a lot of owners that we don’t. But, like I say, we check through our correspondence and have not found it to be a significant source of complaints thus far.

If the Personal Information Protection Act doesn’t apply to requests for information made under the Strata Property Act, then I do think there is a gap in the privacy protection, because there aren’t statutory grounds for the strata corporation to withhold some of that most personal information.

Section 3 of that act says: “If a provision of this Act is inconsistent or in conflict with a provision of another enactment, the provision of this Act” — this act being PIPA — “prevails unless another Act expressly provides that the other enactment, or a provision of it, applies despite this Act.” Like I said, the Strata Property Act doesn’t expressly say anything on this point or reference that act.

Subsection 18(1) of PIPA says: “An organization may only disclose personal information about an individual without the consent of the individual if…the disclosure is required or authorized by law….” I think that’s the source of the interplay between the two acts. The Strata Property Act is saying that you must disclose it, and PIPA is saying that our protections don’t apply if another act directs you to disclose.

There’s a bit of confusion between those two provisions I’ve read out, I would say — one saying that if there’s conflict, then PIPA prevails. The other is saying that if another act says you must do it, then PIPA doesn’t apply. Like I say, no reason to dispute the interpretation of the commissioner on resolving that confusion.

[9:45 a.m.]

I think it’s possible that a balanced resolution can be found, and I do think that the status quo doesn’t adequately protect the privacy of strata residents. It isn’t really serving a totally useful purpose. I don’t think some of that information needs to be disclosed in order for the objectives of the Strata Property Act and good governance to be met. Likely, the resolution is somewhere toward reverting to something closer to what was in effect before the 2015 guidelines changed.

I do think it’s important to remember that these are volunteer-run strata corporations with volunteer strata council members. It’s important not to overburden them. People can always choose not to stand for election if they find things too onerous. There’s a matter of balance to be considered there.

So I’m certainly not an expert in the Personal Information Protection Act, and I’m not sure which act it would make more sense to amend, but we’re open to the committee’s recommendations and to having those discussions with the office of the commissioner.

I think that wraps it up. I’m happy to take any questions that the members might have.

R. Singh (Chair): Thank you so much, Doug, for this information.

Now I’ll open the floor for questions.

Members, any questions for Doug?

S. Thomson: I just wanted to add…. Thanks very much for the presentation. I think it clarified a number of things. Clearly, you agree, and I think that’s what we’ve heard as well — that there is a gap in the interplay between the two pieces of legislation. I think you said the status quo doesn’t adequately protect the privacy. So, clearly, it appears something needs to be done, and you said you’re not sure which piece of legislation is more appropriate to amend and that kind of thing.

I guess the question that I’d have is: has any policy work been done on this previously? I know it’s not a new issue, so within the policy and legislation branches or staff within the ministry, has there been any preliminary work done on what legislative amendments might be needed or might be most appropriate? Or is it something that’s kind of been percolating away — sitting there, not a lot of work being done — and waiting for a recommendation from the committee?

D. Page: Well, I would say that, for us, it was only raised about last October or November by CHOA, in a meeting with us. That was the first we’d really become aware of it, at least in my tenure, and that goes back about ten years with this piece of legislation in this branch.

We’ve recognized it as an issue worthy of further study. However, our last year sort of got taken over by not only work on the pandemic but the strata insurance issue became, sort of, top of mind for residents. So not a lot of policy work has been done. When we saw that the committee was looking into it — I think it’s useful for us to wait for those recommendations.

S. Thomson: I guess the question becomes, to us, as sort of from the consideration side of it: are there specific recommendations about what needs to be done? Which piece of legislation is most appropriate? How do you address this? Perhaps, at this point, it’s as simple as saying that this is an issue and that policy work needs to be done, needs to be addressed.

[9:50 a.m.]

The gap that’s being addressed here needs to be fixed, and then leave the policy experts to figure out which is the most appropriate way to do it.

That’s why I was asking the question whether there’s any work being done on it or not. If there was, then maybe a recommendation to say to fix it in this way by amending this piece of legislation in this way. I’m not sure we have enough information to be able to do that or not. But as I pointed out, you clearly pointed out — and I think that’s what we’ve heard as well — that there is an issue. There’s a gap in terms of the personal protection, and something needs to be done, it seems.

D. Page: Right. I think we’d certainly welcome any input or recommendations you have. I don’t know the extent to which you’ve studied it or if the committee has that capacity. But we would expect to do the policy work ourselves or with the commissioner. We just would welcome as much a head start as you felt appropriate to give us.

In my world, we deal with freedom-of-information and protection-of-privacy legislation or requests that come in to government, so we’re quite used to the need to scour documents before they’re sent out and do extensive severing, particularly on a range of things that are in that legislation. But I would think there’d be a lot of overlap with personal information that ought to be protected. That’s where my perspective is. I can see there might be a significant gap there if stratas were not doing a similar pass-through of things before disclosing them.

R. Singh (Chair): Thank you so much, Doug. We really appreciate you taking the time and explaining this all to us. I’m sure the committee will do more discussion on this and find out what to recommend to the ministry, because we did hear the concerns coming from the Condominium Owners Association. We’ll make the required recommendations.

Thank you for taking the time today. I don’t see any hands up, so thank you, Doug. I think the committee will take a recess now.

Members, we finished a little early, so now we can recess until five past ten. We’ll resume then with another presentation.

The committee recessed from 9:53 a.m. to 10:04 a.m.

[R. Singh in the chair.]

R. Singh (Chair): Thank you, Kerry and Matt, for joining us today. I’m Rachna Singh, MLA for Surrey–Green Timbers. I’m the Chair of this committee.

I would like to ask the members of the committee to introduce themselves again, starting with Dan Ashton.

D. Ashton (Deputy Chair): Morning. I’m Dan Ashton. I represent the area from Naramata to Peachland and the south end of Okanagan Lake.

S. Thomson: Steve Thomson, MLA for Kelowna-Mission.

[10:05 a.m.]

M. Elmore: Good morning. Thank you very much for joining us. I’m Mable Elmore, the MLA for Vancouver-Kensington.

A. Olsen: I’m Adam Olsen, MLA for Saanich North and the Islands.

R. Singh (Chair): Thank you so much.

Now the floor is yours, Kerry. Please go ahead. You have about 30 minutes for the presentation and also for the questions.

MINISTRY OF CITIZENS’ SERVICES

K. Pridmore: Thank you, Chair, and thank you, committee, for the opportunity to join you today. We have spent quite a bit of time reviewing the submissions that you, as the committee, have received. We’ve looked at those in quite a bit of detail and, obviously, with considerable interest. Our presentation today is made on behalf of the Ministry of Citizens’ Services. We will draw on many of the core themes that you have already heard.

As you will recall from our earlier presentation, our ministry is responsible for this legislation. We have a core team — the privacy, compliance and training team — within the ministry that provides critical services related to privacy across the broader public sector, in addition.

That team is led by Matt Reed, and Matt is going to lead the presentation that we’re going to deliver today. I’m going to hand it over to Matt, but we are both available to answer questions at the completion of the formal presentation and slides that are before you. With that, I’m going to invite Matt to speak.

M. Reed: What we have here is just a quick outline of what we’re going to cover today. I’ll provide an overview of what we heard as part of the submissions that were made to the special committee. I’ll talk through some proposals for consideration for the special committee, and then end, just very quickly, on looking forward to future analysis and next steps in light of the report from the special committee and other things that are happening globally.

Jumping right in. First, again, I’ll give an overview of the submissions that we heard and ones that we wanted to highlight and considerations we wanted to make sure that you had in light of what you heard. The first of the major things that we wanted to cover here was around consent. We heard very clearly that consent needs to be current and relevant and also clear and meaningful. It’s important that individuals know why their information is being collected and how it’s being used so that they can make informed choices. That’s a cornerstone of privacy as a concept.

The committee should consider what “clear and meaningful” means. What I mean by that is…. You know, a full page of very small type consent is perhaps very, very clear. Or perhaps it’s too long, really, to be meaningful, because nobody’s going to read it. There is a balance that needs to be considered to make sure that whatever the requirements are around consent, they do land in the way that we would intend them to land and that individuals are best served by how we’ve set organizations up to actually follow through on what’s required of them.

We also observed an interest in clarification regarding the rules on consent. I’ll use this as an opportunity to highlight that, in some cases, the things that people are asking us to do are things that can be accomplished by means other than legislative means. What I mean by that is that there are a lot of existing resources around various concepts that you’ll hear, and consent is a big one.

For example, the province offers a modest PIPA training program. We have some online resources. The Office of the Information and Privacy Commissioner has a very robust PrivacyRight program, which helps small business and organizations in B.C. understand what their obligations are, under PIPA. The question is: does the requirement do the right thing but we’re not connecting people with the right resources, or is it that the requirement needs to be adjusted in order to encourage businesses or organizations to provide more meaningful consent?

[10:10 a.m.]

Again, just highlighting there that there are other policy mechanisms other than legislation that we can look to here.

I also thought it would be helpful to highlight that the federal government has outlined proposals to modernize PIPEDA, the Personal Information Protection and Electronic Documents Act, which includes ensuring that consent is meaningful. So there are other places that we can look to see how they are attacking the same problem. This isn’t a B.C. problem. This is a global problem, as individuals are struggling to understand how their information is being used globally with all of the different organizations that they’re interacting with — whether it’s social media, an online platform, a shopping website, whatever the case may be.

Changes to PIPEDA may be brought forward this fall. That was something that was mentioned by the federal minister in the media. For that reason, we would seek to understand what potential changes would happen at the federal level. We want to make sure that we are either aligned with them or we consider the implications of how the federal consent provisions could impact B.C. businesses if we are not aligned or what it means to align. Again, just highlighting a couple of considerations there.

We also heard fairly broadly from a lot of different folks that modernization and keeping up with modern technology was something that was quite important to them. We absolutely agree that PIPA needs to respond and be responsive to modern issues.

How PIPA is currently worded is what we refer to as “technology neutral,” in that it regulates activities related to technology — collecting, using, disclosing information — rather than regulating specific types of technology. In other words, being silent on specific technology in the act is not meant to exclude it but, rather, cover it more inclusively.

As an example, we could reasonably decide that there need to be additional rules around a big privacy issue like social media, but then we would have to consider: what does that look like in five years? What does that look like in one year? Or what does that even look like today? I think you all intuitively know what a social media platform is. But then we have to consider: is an online video game where participants can post profile pictures, chat with one another and post pictures…? Is that a social media? Does it pose the same risks? Potentially.

We go down this road of having to draw new lines out rather than doing what we have done in PIPA previously, which is to cover these broad, base-level principles that cover all of those things. Regardless of whether it is an online gaming site or a social media site or just a normal business practice in the paper-based world, those concepts around responsible collection, responsible use and disclosure of information — all of those still apply and really serve citizens, in terms of having their information handled in the right way.

Again, what I would say here is don’t take the silence on a specific very big issue as meaning that it doesn’t address it. I would encourage consideration of how we can achieve privacy-enhanced outcomes in those technology spaces.

For example, very similar to the previous issue, the commissioners’ offices of Canada and B.C. both have guidance around surveillance and social media, two issues that are not specifically referenced in the act. But the act does cover them and covers how those would be applied or implemented and how they would apply to individuals who are subject to either surveillance or who are engaging on social media.

If we look to Europe, the GDPR contemplates automated decision-making. This is kind of getting at what I’m speaking to, where they’re not talking about very specific artificial intelligence, but rather they’re getting at the base principle of where we have concern. Decision-making is a big focal point for us. We want to make sure that decisions about individuals are being made responsibly.

In Europe, they have covered automated decision-making as that base principle, as opposed to saying that if you’re going to have artificial intelligence, make sure that the algorithms do this specific thing or that specific thing. Those kinds of rules may become very quickly outdated, but if you get at that base principle, then they’re a little bit more future-proof and broad-spanning in how these technologies would be applied in the future.

There’s also work in other jurisdictions that we can learn from, including the recent public consultation by the Office of the Privacy Commissioner of Canada on AI regulation. There was a white paper published by the European Commission on AI, as well, and a consultation on that white paper that ended more fairly recently, this year. So there is a body of work that’s unfolding in the privacy community that we should be looking to.

[10:15 a.m.]

Again, these are still fairly nascent issues, so we should be tuned into all of the research that needs to be done in order to make sure that PIPA does properly contemplate these technologies in those principled rules that we have.

Then, finally, it is worth considering what are regulated specific technologies and how that may impact businesses generally in B.C. It is often, in the case of technologies, going to move faster than our ability to specifically regulate it. Again, though a rule that we come up with today might be perfect and right on the nose, that doesn’t necessarily mean that it’s going to age well. So, again, just an encouragement here to think on a principled basis, to make sure that we are protecting privacy not just for today but into the future as well.

Then on to the next slide, around harmonization. Another thing that we observed in the proposals was a need for harmonization with other privacy legislation. In this respect, consideration is required for how this landscape is evolving. The full impacts of the general data protection regulation, or GDPR, in Europe are really still subject to international analysis and interpretation. It is, legislatively speaking, still fairly new.

We should also consider that PIPEDA, the federal privacy act, may be subject to change, given the federal government has outlined proposals to modernize that act. So we want to make sure that if we are intending to harmonize, we don’t change it only to have the thing we changed it to also be changed. There’s a timing aspect there that we want to be sensitive to.

In addition, we should consider that businesses that operate in multiple jurisdictions will be subject to many different requirements. When we’re talking about harmonization, we are right now talking about privacy legislation. But there are a number of requirements that would apply, not just privacy requirements. It’s not the case that privacy is the one outlier where there are different rules in different jurisdictions. That’s the case for many places. So if we are making changes and we do want to harmonize things, we want to make sure that it is for the right reasons, and that is enhancing citizen privacy as opposed to simply harmonizing to be the same as other places.

A big part of that is that when you adopt the rules or you harmonize with another jurisdiction, you don’t only harmonize with their requirements; you also tend to harmonize with the issues they have as well. So, again, if we are going to line up with other jurisdictions, we want to make sure that it is something we truly believe is the right way to go.

Now, on the topic of adequacy with respect to the GDPR, in 2002, Canada’s PIPEDA was recognized by the EU as providing an adequate level of protection for personal data transferred from the EU. This helped Canadian private sector organizations work with EU-based organizations with respect to transferring information. But following implementation of the GDPR, Canada’s adequacy decision has come under review. There is a new assessment expected later this year. This process falls under the jurisdiction of the federal government in Canada, but, again, it’s worth being aware of this so that the timing piece is clear for you when making your recommendations.

Something else that we heard on the topic of ensuring privacy protection is around when data is transferred to a third party for processing for other services. I know this has also come up for other special committees, but I want to flag that there have been recent developments on this topic in international case law, so considerations around cross-border transfers should be informed by the implications of these developments.

Again, these are still fairly fresh. But when you consider that the EU has shown that there are jurisdictions which we do routinely do business with and their laws specific to privacy and surveillance are fundamentally different from ours and don’t offer the same protections, we can require similar protections to what we have in B.C. But we should consider whether doing so will result in the same thing that has happened in the EU, where we’re seeing lawsuits coming from people who don’t believe that other jurisdictions are capable of providing that same level of privacy protection.

If we are choosing to make these requirements pass with the data, regardless of where they go, we do have to think of the implications of what happens when that information goes to a country that is not believed to have the same level of protection built into their national laws. So, again, just highlighting that there are considerations there that are going to be very, very impactful.

[10:20 a.m.]

I know that the decisions are still fairly fresh in Europe. Again, it’s mostly a timing thing, but I want to make sure that that’s at least considered before a recommendation is made.

Now I will say that on all of these issues we are in very close contact with our federal government counterparts. This is something that we are monitoring, regardless, because I think it is fairly impactful to privacy communities. I know that we are at least paying very close attention to it now, for interest of our field.

Now if you flip to the next slide. This is a bit of a catch-all slide for a lot of things that we heard. We did hear a lot of things that are very sector specific. Sector-specific issues that don’t apply to all, most or a large number of the organizations that are subject to PIPA. A few examples that we heard of this were increased clarity when more than one act is involved. Like, as you discussed earlier today on the Strata Property Act, clear definitions for complex topics around, like, de-identification…. These are things that don’t necessarily impact all organizations but were obviously important to some.

One of the principles underlying the creation of PIPA was to have a straightforward, easy-to-understand set of rules that could be applied to a broad spectrum of organizations. That’s including small businesses, not-for-profit organizations, and larger-scale businesses that operate in B.C. Trying to address these issues through PIPA instead of through other mechanisms — whether that’s other legislation, guidance, training — may undermine the clarity of PIPA.

So again, what we’re looking for is…. You know, we want a mom-and-pop shop owner to be able to open up PIPA and read through it and understand the rules that apply to them. What we don’t want is for them to have to sort through a hundred pages of sector-specific guidance that doesn’t apply to him; he doesn’t know how to apply those rules or doesn’t know how that might impact him because it’s so far out of the realm of that person selling their wares.

We do believe that in order to avoid this, that some of the recommendations you may have heard may be best directed elsewhere for people to pick up that guidance and advisory piece to make sure that people do understand how these rules should be applied in very specific instances. Again, the strata situation is a great one, because we do hear a lot from this area, and having that specific guidance has been really useful.

As an example, the guidance that has been published by the Office of the Information and Privacy Commissioner is great because whenever my office receives an inquiry from a strata corporation, we direct them to that existing resource that specifically speaks to them. We don’t have to parse out “Here are the rules that apply to stratas” and “Here are the rules that apply to people that sell honey at the market” and “Here are the ones that apply to call centres.”

We have one set of rules under PIPA that we can point them to and then guidance that’s specific to strata corporations. On that front, the commissioner’s guidance has been really helpful for us to connect people with guidance that resonates with them and their business.

So if we click to the next slide. Another thing that we heard was around privacy management programs, or PMPs. This has been a key consideration noted in the past as well. The real takeaway here for us is understanding that these kind of requirements, if they are considered, need to be considered in scale. We want to make sure that if we are requiring something consistently of every organization, that it makes sense in the size that it is implemented for all of those organizations.

So in order to be meaningful, it has to make sense to them. What makes sense for a large-scale call centre is not necessarily the same thing that will make sense for a duplex strata corporation where two families have banded together, or somebody selling artisan soap at a market. So we want to make sure that whatever it is that we are requiring in the space of a privacy management program, which is, of course, a great exercise in diligence…. But that it’s done in such a way that makes sense.

I actually should take this opportunity to correct the record. When I was last speaking to you on PIPA, I had mentioned privacy policies, which are a requirement to organizations. I had said that written privacy policies are a requirement, and that’s not the case. Though it is often the case for people, but the requirement is not in writing. My apologies on that.

[10:25 a.m.]

It is a really good example of one place where the difference of the requirement between a very, very small organization and a very large organization can be proportionate and can be scaled to the appropriateness of the organization. Rather than saying “Everyone has to do the same thing” and we are requiring, say, a written privacy policy of, you know, a very small-scale vendor who…. If their privacy practices are, basically, “I’m a one-person show, and here’s how I’m going to manage your information,” requiring them to write a long privacy policy doesn’t necessarily serve in the same way that it would for a large-scale business where you actually want to know the ins and outs of how your information is being managed.

Again, just a call for proportionality and scalability in requirements if we’re considering privacy management programs.

If we click to the next slides…. We do have a couple of things that we wanted to flag for consideration to make sure that if you didn’t hear it from the submissions, you do hear it from us. So if we click to the next slide. This is an important one in terms of clarifying the powers of the OIPC. British Columbians need to know that their regulator is empowered to take action on their behalf and that their powers are necessary in proportion in order to carry out that goal.

Currently there is an inconsistency in the act with respect to, just as an example, order-making power. The commissioner can’t currently make orders following a commissioner-initiated investigation but which are a really important measure for that office. As the scope of personal information processing has increased over time, we don’t want to have to rely on complaint-driven processes, because that puts the onus on the individual to complain about a privacy issue before the OIPC can require improvements.

The commissioner’s office, the commissioner and his staff, are experts in this field, and they do know a lot about the issues that are important and that need to be addressed, so resolving this can help to prioritize a proactive resolution of privacy issues being driven by the commissioner’s office.

I want to make sure that I’m clear that this may sound like an extension of the commissioner’s powers, but we really just see this as improving consistency, because they do already have order-making powers, so we’re just making it more consistent across the board of the various actions that the commissioner’s office would take. And I understand that, in consultation with the OIPC, there are similar issues to address that may help to reduce unnecessary administrative burden in that office too. So we would encourage you to…. I’m sure you’ll hear that later on this morning, so I encourage you to listen to that intently.

Going to the next slide. We did hear in a number of proposals that PIPA should require mandatory breach reporting. Again, unreported privacy breaches are a major concern, not only on the privacy side of things, but they may lead to an unfair advantage for companies who choose not to report versus those who do choose to report, and it will set up a false sense that the ones that are not reporting have not had incidents. We would be actively driving people to businesses with lesser practices if that was to be the case.

We know that [audio interrupted] PIPEDA, Alberta’s version of PIPA, Quebec’s Bill 64, GDPR — they all contain terms related to breach reporting, so this is the direction that the community is headed generally. And the jurisdictions have scoped this requirement generally to where there is a real risk of significant harm.

Given that some businesses in B.C., many of them, do operate nationally or internationally, alignment on this topic really would help organizations understand and comply with their obligations, regardless of which set of rules they’re primarily looking at. However, I do want to flag that requirements that are either too complex or too burdensome may be difficult for smaller organizations, and consideration should be given for that implication and how we would address that.

I would also highlight that these recommendations around reporting should be considered in conjunction with any recommendations around financial penalties so as not to set up a chilling effect on one recommendation resulting from the other. That’s to say that we don’t want organizations to “risk-manage” the requirement of reporting because they’re scared to be significantly fined. Again, just a consideration there to keep in mind, but generally, this is the direction that the community is headed, so something that should be considered seriously.

The last slide on this theme is around a review of the act for inclusivity. Does the way that we protect privacy lead to negative outcomes for different groups of people for various reasons, including through the language that we use?

[10:30 a.m.]

As an example, PIPA includes 16 different references to binary gender terms like “him” or “his,” and this language does not account for non-binary gender expression — you know, people who don’t identify in that way. Cleaning up the language would be a minor change, administratively, and would maintain the intent of the law, but it represents a positive step towards ensuring that legislation reflects the inclusivity that we support and that is represented in British Columbia.

Another consideration under this theme would be around information-sharing in situations of domestic violence, which I think has been brought forward in the past. In PIPA, disclosure is allowed without consent in circumstances that affect the health or safety of an individual. However, there is a notice requirement, whereby a notice of disclosure has to be mailed to the last known address of that individual. This is the kind of thing that can be problematic in the context of domestic violence where the survivor and the abuser may live at the same address.

Again, my encouragement here is that we have this kind of lens on both the act and any more recommendations that are put forward to make sure that we are not only serving privacy but that we are also serving privacy in a way that is inclusive and respectful to all people whose information we’re trying to protect.

Just a final note on the domestic violence situation. Again, the notice pieces…. It feels like a small thing, but we really want to make sure that there are no barriers, even if it is just a perceived barrier, where the public interest goal that we’re looking to serve might be negatively impacted. We do want to make sure that the language in the act is clear and that we are serving that interest as well.

Clicking over to the next slide there, really this is just to highlight the action that government will be taking generally, and this is what we do. Obviously, we will be looking forward to the report that will come out of the special committee, but I can just…. As a matter of practice, we will be monitoring what’s happening with GDPR and PIPEDA to make sure that we understand what opportunities there are for alignment, what changes are happening, how implementation is going.

Again, we don’t want to change rules to what somebody else has done simply because somebody did it differently. We want to know that somebody did it differently and it worked better, so that we are improving the act rather than simply changing the act. So we’ll look to keep apprised of that, and of course we always monitor advancements in technology to make sure that our technology-neutral language still applies in the way that we would expect it to apply and that the act is still roughly current.

With that, again, we’ll look forward to the committee’s report. Thanks for the time to offer some thoughts. We’re happy, between Kerry and me, to take any questions that you might have.

R. Singh (Chair): Thank you so much, Matt and Kerry, for this detailed information that is so important. We had heard so many questions, especially about reharmonization, especially with PIPEDA and GDPR. You explaining it….

I’ll open the floor for questions. I’m sure members might have some questions, which we have discussed.

Members, the floor is yours. Any questions?

Susan, I’m not seeing any hands.

Matt, I have one question. We heard so much about aligning with GDPR from so many stakeholders. What kind of recommendation do you think, as a committee, we should be making? We heard it from the Information and Privacy Commissioner as well — aligning more with GDPR. I know there are changes happening within PIPEDA. Will the changes that happen in PIPEDA automatically affect people, or will we have to be proactive in making the changes?

[10:35 a.m.]

M. Reed: Those are great questions. In terms of recommendations, what I would suggest is, again, looking at not necessarily [audio interrupted] organization but looking at the issues that people are asking you to harmonize to.

There are a number of things that are in the GDPR that we don’t have either in PIPEDA or in PIPA around, say, the right to erasure — the ability for somebody to have their information removed or delisted, deindexed, what have you. That is the issue to look at. So again, not looking at harmonization for harmonization’s sake but rather looking at the issues that we want to harmonize to and whether that’s something that we think British Columbians should have a right to in B.C. That will put us either in alignment or out of sync with the federal government.

PIPEDA is important because that’s…. If somebody is doing business in B.C., it’s very likely that they are also doing business across Canada. So we want to make sure that that’s their primary audience. Again, a lot of organizations in B.C. do business outside of B.C., outside of Canada and into Europe, so as much as we can, we want to encourage businesses to operate on a big scale and not make it challenging for them.

I think the real issue is, again: what is the principle that we are trying to align to, and is that something that we specifically want?

R. Singh (Chair): Thank you so much, Matt. That is really helpful. After your presentation, we are going to hear again from the Information and Privacy Commissioner. So what you have told us today is going to be very helpful in that discussion.

Thank you so much, Kerry and Matt, for taking the time today. This was a really important discussion.

S. Thomson: Thanks, Matt and Kerry, for the presentation. I just had a question. Maybe not a question; maybe just ask for a little bit more comment and perspective from you, being so involved in this field, around the cross-border transfer of information and processing of information and things.

We know that there has been a special order put in place under the pandemic provisions and things like that for some enhanced processing in other jurisdictions, particularly with health records, and some issues there.

Can you give a little bit more perspective on all of this? You made the point that other countries don’t have the same level of protection, so there are the concerns. There’s the provision that all data has to be stored in Canada. But I’m getting the sense in your presentation or your discussion that you think there are opportunities for enhanced cross-border transfer of information for certain purposes, or are you saying we should be very, very careful in this area?

M. Reed: I think the latter is probably correct — that you do want to be very, very careful. There are a lot of…. There’s a balance of interests that you’re looking to accomplish there. To use the public sector legislation as an example, we currently have restrictions on data flows. In that instance, the interest was judged to be to our benefit to have some restrictions in place in some places where data can flow across borders.

But when you’re doing it for businesses, it’s a very different…. The scale of it is much bigger. Instead of 3,000 public bodies, we’re talking about 300,000 businesses. You would be potentially impacting their bottom line if you are putting in restrictions that they’re not able to meet and requiring them to keep data in Canada or attaching restrictions as it flows outside of the country.

Again, I think it’s just a much more diverse level of analysis that’s required on that kind of change, because it would be dramatic for organizations to suddenly be restricted in that way — restricted in any way with respect to cross-border data flows. But I think the best advice I can give is to really look at what’s happening in the EU and the GDPR, specifically with respect to the Schrems cases. There’s a recent order on Schrems, labelled as Schrems II. I think it’s going to be fairly instructive in terms of understanding the potential impacts that happen when you add restrictions on data when it flows across borders in a private sector use case.

Again, it’s a multi-pronged type of problem. There are absolutely benefits to adding restrictions, to removing restrictions. But kind of understanding all of those before deciding what the recommendation is going to be so that if you are potentially impinging on the ability of a business to operate, you are doing so because you knowingly do so and want to balance the privacy interests on the other side. It’s just a matter of knowingly balancing all of those separate interests.

[10:40 a.m.]

S. Thomson: Thanks. Maybe just a follow-up to that. You may have seen, or you’ve probably seen, the more detailed submission from the Office of the Privacy Commissioner and things around separate provisions or stand-alone provisions with respect to health records. Any comments at this point, or perspective on that?

M. Reed: Sure, yeah. The health sector is a really important sector of the province generally. It’s not quite as simple as simply pulling out all of the health data and subjecting it to a different set of regulations. There is certainly benefit to that, but in the same way, you do want to consider what the cost of doing that is.

While we do have doctors who work in a clinic and then move to a hospital, who suddenly become subject to two different sets of legislation in those two different venues, having separate health legislation may subject them to only one set of legislation with respect to health data but, then, a different set of legislation for administrative data like their employee information and the records around their clinic. You’re kind of solving one problem and then introducing another.

It’s not necessarily good or bad, but at the same time, there are major implications to doing that kind of thing. So we would want to do it in a way that makes sense and with eyes wide open as to what the ramifications of doing that kind of change would be — again, not strictly looking at the privacy lens but looking at the entire set of implications of that kind of change.

R. Singh (Chair): Steve, any other questions?

S. Thomson: No, that’s great.

Thanks, Matt. I appreciate your comments.

R. Singh (Chair): Matt and Kerry, thank you, once again, from the committee for all the time that you took and for the wonderful presentations. We really appreciate that. Thank you so much.

D. Ashton (Deputy Chair): Thank you, Kerry. Thank you, Matt.

K. Pridmore: Thank you to the committee as well for your work on this important topic.

R. Singh (Chair): Members, we are at 10:43. We were supposed to take a five-minute break, but my understanding is that the next presenters are waiting. So if you are okay with it, we can just do without the break — are we good with that? — and just go on. Okay.

We have the presenters from the Information and Privacy Commissioner.

Welcome, Michael, Michelle, oline and…. Do we have anybody else?

J. Van Den Bulk: Jeannette Van Den Bulk here as well.

R. Singh (Chair): Hi, Jeannette. Welcome. I know we met with you before we started our consultations, and since then a lot of other information has come on board. We really appreciate your taking out the time and coming to meet with the committee today.

I’m Rachna Singh. I’m Chair of the committee.

I’ll ask my committee members to introduce themselves.

D. Ashton (Deputy Chair): It’s always a pleasure to see you folks. Thank you very much. I represent the area from Naramata to Peachland and the south end of Okanagan Lake.

S. Thomson: Good morning, everybody. Good morning to the team from the office. I’m Steve Thomson, MLA for Kelowna-Mission.

M. Elmore: Thank you very much for joining us today. I’m Mable Elmore, MLA for Vancouver-Kensington.

A. Olsen: Hello. Thank you for joining us. Adam Olsen, MLA, Saanich North and the Islands.

R. Singh (Chair): We really appreciate you all taking the time to come in today. I’m looking forward to your presentation. The floor is yours.

[10:45 a.m.]

OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER

M. McEvoy: Well, good morning, hon. Chair and members of the committee. I hope this finds you all well in this very challenging time. It is my honour, again, to appear before you to present my office’s recommendations for reform of the Personal Information Protection Act. As mentioned, with me today are Deputy Commissioners oline Twiss and Jeannette Van Den Bulk.

I want to begin with the acknowledgment that our offices are located on the traditional territories of the Ləkʷəŋinəŋ people, also known as the Songhees and Esquimalt First Nations. We, of course, also acknowledge the traditional territories of all First Nations across the province, which our office serves.

I begin by expressing, as well, my gratitude for this work that you as a committee have undertaken on behalf of British Columbians. The submissions you received in response to your broad and effective call for input highlight the urgency of this work. They clearly demonstrate that people and organizations in B.C. care deeply about privacy issues and the rules that govern them.

I think two themes can be discerned from the many submissions that you’ve received: first, that there is an urgent need to act on PIPA reform; and second, that those changes should be, to the greatest extent possible, harmonized with standards developing provincially, nationally and internationally. Those submissions you have solicited also contain the answer to the question of whether PIPA reform really matters. What can be distilled is that reform matters because citizens expect government to protect privacy through meaningful legislative protections.

Evidence of this is to be found in the public opinion survey, for example, cited by the B.C. Freedom of Information and Privacy Association submission. The survey shows that more than two-thirds of British Columbians feel they have little to no control over how their personal information is handled by organizations that they do business with, and only 43 percent of respondents felt that existing laws and organizational practices provide sufficient protection of their personal information.

Reform of PIPA also matters because modern privacy laws are key to maintaining B.C.’s flourishing digital economy. British Columbia’s technology sector generates revenues of $15.7 billion annually, accounting for 7 percent of our GDP and employing well over 100,000 people. A digital economy can only flourish if individuals trust that their personal information will be collected, used and disclosed within a framework of robust yet balanced privacy protections. If people lose confidence that their privacy will be meaningfully protected, they may well cease to allow their information to be used or be reluctant to use digital services at all.

That is why I think many digital entities, like Canada’s Digital Supercluster, which you heard from, support modernizing privacy laws — laws that strike the balance between use of digital technologies and privacy protections. Given that data knows no borders, it is also imperative that the recommendations you make to change PIPA recognize standards developing nationally and internationally.

Should the special committee choose to endorse reforms to PIPA, our submission to you recommends that those changes address three broad categories: first, the privacy obligations of organizations; second, the privacy rights of individuals; and finally, the oversight authority of the commissioner.

This morning I would like to highlight three of our recommendations that fit within these categories. The remainder of my office’s recommendations are contained in our written submission, which we have provided to you separately. We also, in that written submission, offer comments on selected stakeholder submissions, which we trust you will find of assistance.

I begin with what is the most important change the committee could recommend: mandatory breach notification. This was one of my key recommendations when I appeared before you in June. Neither public nor business interests are served by B.C.’s current inaction on this matter. Simply but strongly stated, B.C. and PIPA have become outliers on this issue, both domestically and internationally.

Once Quebec’s Bill 64 is enacted, PIPA will be the only one of Canada’s general private sector privacy laws that does not require organizations to notify individuals whose personal information has been compromised by a privacy breach. The GDPR across Europe requires it. The U.K.’s Data Protection Act requires it. Every single U.S. state now has a law requiring it.

Mandatory breach notification is especially important now. Organizations are increasingly deploying modern technologies to compile our personal information. This profiling can include very sensitive personal information, health information, information about ethnicity or race, information about opinions or political views and financial, education or employment status. All of this is often the product of AI or other data analytics.

[10:50 a.m.]

Given the growing sensitivity of these volumes of personal information, privacy breaches can have very serious and widespread consequences. They range from the financial harm to individuals, flowing from fraudulent misuse of someone’s banking details, for example, to threats to personal safety where information about a vulnerable person’s whereabouts is compromised.

Mandatory breach notification is universally recognized as having at least three main benefits. First, it permits individuals who are notified about a breach to take steps to protect themselves. This can include monitoring personal financial accounts and credit history and changing passwords for various personal accounts.

Second, mandatory breach notification gives organizations a real incentive to invest in information security technologies and policies to better protect personal information against compromise. Progressive B.C. organizations understand that mandatory breach notification will enhance consumer trust, particularly if their business operations extend beyond B.C.’s borders.

And third, breach notification can help a regulator stay up to date on transient risks to the security of personal information and, in turn, allow my office to focus our educational and guidance work.

I stress that it will be important to harmonize B.C.’s PIPA breach notification rules with PIPEDA and Alberta’s PIPA approach. Canadian businesses are often challenged by patchworks of rules across the country, and the cost of complying with different rules cannot be overstated. If the reforms we establish do not reach the benchmarks across the country, we also put our substantially similar designation at risk. Companies could be subject to two different laws, PIPEDA and PIPA, leading to an increased regulatory burden.

Individuals, too, will have an interest in harmonized breach notification rules. Many breaches affect Canadians across multiple jurisdictions. Regardless of where a breach originates in this country, individuals are entitled to be notified under similar rules.

I note that PIPA should not require organizations to give notice of all breaches. Only those where there is a real risk of significant harm to an individual should be the subject of notification. This is the approach taken by both Alberta and the federal government, and it is the one I recommend for B.C.’s PIPA.

Taking again from both of these jurisdictions, I am recommending that PIPA require organizations to notify both affected individuals and my office of a breach. PIPA should also authorize my office to require an organization to give notice to affected individuals if that has not happened, including where we learn of the breach other than from the affected organization.

My office has long recommended mandatory breach notification, beginning with the first statutory review of PIPA in 2008 and again in 2014. Both previous special committees recommended to the Legislative Assembly that PIPA be amended to include it. I strongly urge you to do the same and implore our legislators to act on your recommendations.

The second matter we draw to your attention today concerns the privacy rights of individuals. Individual privacy rights in PIPA are underpinned by the concept of consent. Many of the submissions you have received point to a pressing need to modernize consent requirements in the legislation. I share that view.

PIPA’s consent framework was born before Mark Zuckerberg dreamed up Facebook in his Harvard dorm room, before googling became a verb and before the introduction of the iPhone. Looking back, PIPA’s consent provisions seem quaintly naive in light of the ensuing avalanche of technological change.

Then and now, PIPA assumes that consent typically occurs in the context of a simple transaction between one organization and a single individual. For example, you willingly give your name, phone number and laundry to a dry cleaner with the understanding that your personal information is used for one purpose only: notification when your clothes are ready. If only all of our daily commercial interactions were still that simple. But, of course, they’re not.

Anyone who orders virtually anything online today will recognize this immediately. The concepts of consent are being contorted. It can be found on almost any website’s privacy notice. They are often detailed, legalistic and, in many instances, remarkably imprecise, leaving individuals in the dark about how their personal information will be used and often obscure complex flows of data between various businesses.

They also frequently fail to disclose what technologies, including AI, might be used to process an individual’s information and what might be done with the resulting personal profile.

[10:55 a.m.]

It is little wonder that we often click “I agree” without really knowing what we are agreeing to or having much, if any, ability to do anything about.

The complexity of these transactions highlights a need for legal reform that requires organizations to plainly state in writing — I stress “in writing” because PIPA still allows notice to be delivered verbally — the intended use of the personal information they collect.

Quebec’s Bill 64, I think, is a good model because it requires consent to be stated “in clear and simple language and separately from other information provided to the person concerned.” Bill 64 also obliges an organization, where asked, to provide assistance to help an individual to “understand the scope of the consent requested.”

The essence of these changes should be to make consent truly meaningful. However, even with clearly stated notice provisions, consent in today’s world can represent nothing more than an illusion. Where large technology companies hold a quasi-monopoly position, people are often left with no choice but to accept whatever privacy terms are put before them. Given the reality of the power imbalance between individuals and large corporate actors and the take-it-or-leave-it attitude of many technology service firms, PIPA must go beyond consent reforms.

For this reason, we make further recommendations to you, in our written submission, about automated decision-making, data analytics and profiling, data portability and the right to be forgotten. Many of these recommendations are designed to redress the challenges the current digital ecosystem poses to the citizenry. As I noted at the outset, our recommendations are aimed at modernizing organizational responsibilities so that PIPA will protect our citizens while creating a robust environment for innovative companies in B.C. to thrive.

It has also become clear to me, Madam Chair, that should the special committee advance recommendations to the Legislature along the lines that we propose, these will only be meaningful if they are appropriately backed up. I’ve been a privacy sector regulator inside and outside of British Columbia. It’s my considered view, and the opinion of many others, that PIPA is largely toothless when it comes to the enforcement of British Columbians’ privacy rights.

As I noted in my initial presentation in June, our joint investigations reports with the Office of the Privacy Commissioner of Canada, including one involving the social media giant Facebook, exposed the complete inadequacy of PIPA when it comes to protecting the public’s personal information. PIPA is toothless because the most I can do to sanction even a serious, wilful violation of our legislation is to order an organization to do what it should have done in the first place: fulfil its legal duty under the law.

For this reason, the third recommendation I bring to your attention this morning concerns a series of measures designed to strengthen the law’s enforcement provisions. The first of these is the implementation of administrative monetary penalties. British Columbians understand the evolving risk to their privacy flowing from technologies such as data analytics, AI, facial recognition and more. They rightly expect that their privacy will be taken seriously and be backstopped by the same kinds of robust enforcement powers that exist in other areas such as workplace health and safety and elections, but they would be disappointed to learn that this is not the case under PIPA.

As matters now stand, PIPA is devoid of any administrative financial penalties, even for the most egregious of offenders. My office has always emphasized an educational and remedial approach to compliance with the law, and we will continue to do so by working with organizations to secure compliance, but the reality is that some bad actors will simply not honour their obligations at law. This creates obvious harm for individuals whose privacy is at risk. It is also unfair to organizations that invest in the protection of personal information they hold and that comply with the law.

What is needed is a flexible system of legal enforcement that can, in appropriate cases, impose monetary penalties on organizations that refuse to protect people’s personal information. My office first called for this power to be included in PIPA in 2008.

Administrative penalties are already commonplace across a range of regulatory fields in British Columbia. In addition to my role as commissioner, I also serve as the province’s lobbyists registrar — which, in appropriate cases, authorizes me to levy monetary penalties under the Lobbyists Transparency Act. Other examples include my colleague the Chief Electoral Officer, who administers a fine system under the Election Act; the B.C. Securities Commission, which can levy penalties under the Securities Act; and WorkSafeBC, which has the authority to do the same under the Workers Compensation Act.

[11:00 a.m.]

Such powers are not new to privacy regulation in Canada. Ontario’s Information and Privacy Commissioner has that power under the Ontario Personal Health Information Protection Act. The federal government is considering giving the federal Privacy Commissioner that authority under PIPEDA, and as you know, Quebec’s Bill 64 proposes Quebec’s privacy regulator be given extensive powers to administer monetary penalties. All of this follows developments in the U.K., Europe and the United States.

As our written submission to you sets out, it is not just a matter of administrative penalties. It’s also important that my office’s order-making power be reinforced by B.C. courts in appropriate cases. This would bring PIPA into line with our freedom of information legislation, which authorizes the filing of commissioner orders with the Supreme Court of B.C.

Other specific measures that will both enhance and clarify investigations and enforcement mechanisms under PIPA can be found in our more detailed written submission to you. I remain firmly convinced that this modern suite of enforcement tools will be an indispensable instrument for protecting the personal information of British Columbians and serve as an incentive to organizations to make the appropriate investments in those same protections.

My message to you this morning is no more complicated than this: as lawmakers, as policy-makers and as regulators, we need to work in tandem to keep up with the times. PIPA was drafted almost 20 years ago under very different conditions from those which we live under today. Rapidly evolving digital technologies, business models and public attitudes towards privacy require us to respond in a way that is equal to the unique challenges we face. Inaction is not a viable option.

To that end, our recommendations to you focus on legislative amendments that promote both protecting privacy and the importance of fostering innovation and investment in British Columbia’s economic development — amendments that will allow us to keep pace with a rapidly expanding digital economy in harmony with other jurisdictions in Canada and around the globe.

I strongly believe that this time really is different. The recommendations you make in response to this, the Legislature’s third PIPA review, will point the way forward for the protection of our citizens and enhancing our economic future in today’s digital world. All British Columbians look forward to your report and to government’s rapid, positive response to your recommendations.

Before I conclude, I’ll pause for a moment just to pick up on a matter that you started the morning with, which was the Strata Property Act and the issues raised by the Condominium Home Owners Association.

I just want to clarify that the personal information that we’re talking about here, in many cases, is about people’s emails and other matters which may contain sensitive information. Personal information can only be disclosed by organizations for specific reasons. One of those is where the disclosure is required or authorized by law. In this case, the Strata Property Act — and I need to underline this — not just authorizes the disclosure of that correspondence that the committee had a discussion about but, in fact, requires it.

Concern has been expressed about that requirement, sometimes involving sensitive information of the strata property owners. I have to say that I share that concern. If I have to use a layperson’s term in this matter, the culprit here is the Strata Property Act. What is obviously required are amendments to the SPA to modify those disclosure requirements.

Should you choose to recommend this, that’s going to involve, I think, an in-depth policy and legal review, which we certainly commit to assisting government with, should they choose to do so. There’s a balancing of interests here to deal with under that act — the right of condo owners to know what’s going on with their council operations while, at the same time, respecting the privacy interest of condominium owners. To summarize, the fix required here is one with the SPA.

In conclusion, I’d like to thank you for the opportunity to present my office’s recommendations this morning. Now I’m happy to address any questions you may have and to also ask whether there’s anything further my office can do to assist you in the work that you have ahead.

[11:05 a.m.]

R. Singh (Chair): Thank you so much, Michael. This is very important information for us. We really appreciate all the input that you have given to the committee.

When we first started the process, we started with you. Today, as we are going to finish our task, we are again taking your support in drafting of recommendations. All that you have assisted us with we deeply, deeply appreciate.

I’ll open the floor for any questions that members might have.

D. Ashton (Deputy Chair): Michael and staff, thank you very much for the in-depth reports, not only now but before. I will be taking you up on maybe some guidance as we step forward here. So please, a heads-up on that one.

R. Singh (Chair): Any other questions, Members?

S. Thomson: Thanks, Michael, and to the team, for the presentation — again, a very comprehensive presentation. Appreciate the additional information.

The one question I had…. I’m not sure quite where it all comes, but you get a bit of theme through some of this and some of the presentations that have come to us around protection particularly related to health records. You’ve got this, and then you’ve got the electronic records act, the e-health personal protection act.

There’s a theme that seems to be through some of it that protection of health records needs separate, stand-alone privacy protection legislation and/or policy and regulations. I’d just appreciate your comments or your perspective on that.

M. McEvoy: Yes, thank you for the question. Our office has advocated for stand-alone health information legislation and supports that initiative. I think now we are pretty much alone in Canada in not having stand-alone health legislation.

As you’ve indicated, there is a series of legislative acts that attempt to address areas of health legislation. It has really created a patchwork and a confusion both, I would say, in the public sector and the private sector, where you have health care providers of various kinds. What is needed is an integrated approach to the matter. My understanding is that governments, over time, have looked at and reviewed this issue, and we would support whatever action government would want to take in this regard.

I think it will help to clarify matters for not just those who are engaged in the health care system from an organizational perspective — whether you’re a home care provider or a public service provider — but also from the public’s perspective, because there are two different kinds of regimes at work here. On the one hand, you have authorities to collect information at law for the public sector. The private sector, of course, is a consent-based system. That can often cause real challenges for those involved in the sector. So stand-alone health legislation is something that we definitely support.

S. Thomson: Thanks. One other follow-up question. This, I think, relates to the timing issues of all of this, in terms of recommendations — particularly around the harmonization and the linkages with initiatives in other jurisdictions and things. In discussions with your colleagues across the country, what’s your sense, at the federal level, of PIPEDA amendments?

Moving forward, I guess it all hinges around probably a crystal ball as to what’s going to happen federally, from an overall process around timing with the current situation and governments and things like that. But what’s your sense of the path for that federal initiative?

M. McEvoy: The federal government has clearly signalled that they desire reform in this area. The timing, of course, is something, as you indicated, that’s hard to predict.

I would suggest that…. Well, Quebec is going to almost certainly move ahead of all of us in the next short while, because their legislation is in front of them. It would seem that that legislation will be approved in the coming months. I think that will advance the reform agenda considerably. I think that’s something that Alberta, British Columbia and Canada will be looking at carefully.

[11:10 a.m.]

The federal government has certainly signalled that it wants to move, which of course makes the work that you do as a committee all the more important, because the requirement is, as you know, at law, that British Columbia…. It’s not just British Columbia; Alberta and Quebec have substantially similar legislation. That way, it’s a legal requirement, but it also ensures that there’s some degree of harmony across the country.

That said, as is the case with Quebec, I don’t think we should be followers here. I think we need to be leaders, as we were in 2004. We moved ahead of the federal government in that regard. We moved ahead of colleagues across the country. So I think there is an opportunity to be in a leadership position in the country when it comes to privacy law reform.

S. Thomson: So you’d recommend or you’d say that if it hasn’t proceeded federally and we have the opportunity to make the recommendation as legislators, whoever it is, it could move and harmonize with the proposed PIPEDA requirements even though they may not have proceeded through at a federal level?

M. McEvoy: Yes, I definitely believe so. Certainly, if we move in the ways that we have recommended as an office, we will be in sync with the province of Quebec. Our laws, when it comes to mandatory breach notification, will then have aligned themselves with Alberta and Canada. We may be ahead of, perhaps, the federal authority and Alberta to a minor degree, but there’s no danger in raising the benchmark, in raising standards. That would put us in accord not just with our colleagues across the country but internationally and I think will aid, ultimately, not just citizens but will assist businesses, as well, as they do business on a global level.

R. Singh (Chair): Thank you so much. That was really important.

Any other questions, Members?

D. Ashton (Deputy Chair): Michael, just a quick question. What you have proposed…. I was remiss earlier in saying “staff.” I’d like to say “team” because I know it’s a concerted effort by all in your department, so I do apologize for that.

What you’re proposing — is it saleable to your peers across the country? Is there opportunity for harmonization like what we see overseas?

M. McEvoy: Yes, I do believe so. I mean, the things that are happening overseas with GDPR…. Let me be clear. There are elements of GDPR that I think are unique to European culture that wouldn’t necessarily be appropriate here. But a lot of the common principles around more rigorous consent requirements, mandatory breach notifications, proper enforcement provisions — these are common elements, I think, in Europe.

You can see it now emerging in the United States, in California. You can see it happening now, again, across the country. These are conversations that I have and my office has with my colleagues across the country on a continuing basis. It’s the reason, together, as commissioners across the country, we have called for reform.

Keeping in mind…. When it was clear back in the early 2000s, where there was a recognition that civil and property rights are provincial jurisdiction matters and that British Columbia was well served by having its own privacy legislation, we didn’t jump into that alone. We worked in tandem with Alberta, which thought the same thing. Our acts are very similar in some respects.

This is something, I think, again…. This is a joint effort. This is regulators, you as legislators, working together to understand the importance of that harmony. I think certainly you as committee members will understand that, and I’m trusting governments will understand that as well and hoping to advance this agenda.

D. Ashton (Deputy Chair): I guess, Michael, what I was looking for…. Is that collaboration and cooperation possible? Because the previous presenter…. It was a collage of Canada, of colours of different privacy laws throughout. I’m just hoping that this could be sold so that we have that continuity that we do witness across the puddle.

[11:15 a.m.]

M. McEvoy: Yes, and to that point directly, you will recall that other commissioners actually in the country made submissions to you very much along the lines of what you were expressing. I think Commissioner Clayton in Alberta and Commissioner Therrien federally have expressed a view and encouraged the community to look at these matters of reform.

As you know, our office has worked very closely with other regulators in the country when it’s come to breaches, for example, or issues that affect British Columbians but also other Canadians — the LifeLabs investigation recently, working with Ontario; the federal commissioner in terms of looking at Facebook. There are ongoing investigations right now; I think these are public. Tim Hortons, for example, and some of the privacy apps that they’re using…. We really work closely together because we think that serves the interests of all of our citizens.

D. Ashton (Deputy Chair): Okay. Well, thank you again, Michael. And once again, thank you to the team that you have around you for the presentations that we’ve received from your office.

R. Singh (Chair): Thank you, once again, Michael and the team, for all the important work that you do and for the guidance that you have given this committee. We deeply, deeply appreciate that. We’ll do our consultations, and we’ll definitely reach out to you again if we need any other assistance.

We really appreciate your time and the efforts that you have made for this committee. Thank you so much.

M. McEvoy: Thank you for your work.

S. Sourial (Clerk Assistant, Committees and Interparliamentary Relations): Rachna, you just need a motion to adjourn, unless there’s any other…?

R. Singh (Chair): Okay. Members, any other issue that you want to discuss? I think that was our agenda today.

Other Business

R. Singh (Chair): Susan, before we adjourn, what is it…? Like, we are done with the presentations. Now we will be looking at recommendations coming from the committee, and we will be looking into those and finalizing that.

S. Sourial (Clerk Assistant): Correct. The committee’s next meeting, I believe, is September 29, at which point we will review. Lisa and Jesse have prepared a thematic summary of all the submissions. The committee will review those and start its deliberations on its report.

R. Singh (Chair): Wonderful. Thank you so much.

On behalf of the committee, I really want to thank you, Susan, and Lisa, Jesse and all the Hansard staff for all the important work that you do. I can say for myself that I could not do this committee, I wouldn’t be able to chair this committee, without your help. Thank you so much for all your great work.

Now I will need a motion to adjourn.

D. Ashton (Deputy Chair): Before we do, just a quick question. I direct this at Susan. Again, my accolades to each and every one of you. Thank you for an incredible job, as always, that comes out of that office on a continual basis.

Logistically, looking into the future and the possibility of an election, does this get put on hold during the time frame that you had said, or is there still participation on those dates?

S. Sourial (Clerk Assistant): Dan, once the election is called — if an election is called — the Legislature or this parliament is dissolved, so then these committees are also dissolved.

D. Ashton (Deputy Chair): Okay. I just wanted to make sure. Thanks again.

Thanks, Madam Chair. Great job.

And to all the members of the committee, thank you.

R. Singh (Chair): Thank you, everybody. Motion to adjourn?

The committee is adjourned.

The committee adjourned at 11:19 a.m.