First Session, 42nd Parliament (2021)
Special Committee to Review the Personal Information Protection Act
Virtual Meeting
Tuesday, February 23, 2021
Issue No. 4
ISSN 1913-4754
The HTML transcript is provided for informational purposes only. The PDF transcript remains the official digital version.
Membership
Chair: Mable Elmore (Vancouver-Kensington, BC NDP)
Deputy Chair: Dan Ashton (Penticton, BC Liberal Party)
Members:
Garry Begg (Surrey-Guildford, BC NDP)
Rick Glumac (Port Moody–Coquitlam, BC NDP)
Adam Olsen (Saanich North and the Islands, BC Green Party)
Rachna Singh (Surrey–Green Timbers, BC NDP)
Andrew Wilkinson, QC (Vancouver-Quilchena, BC Liberal Party)
Clerk: Susan Sourial
Minutes
Tuesday, February 23, 2021
1:00 p.m.
Virtual Meeting
Ministry of Citizens’ Services
• Kerry Pridmore, Assistant Deputy Minister and Chief Records Officer
• Matt Reed, Executive Director and Acting Chief Policy Officer
Office of the Information and Privacy Commissioner
• Michael McEvoy, Information and Privacy Commissioner
• oline Twiss, Deputy Commissioner
• Jeannette Van Den Bulk, Deputy Commissioner
• Michelle Mitchell, Senior Communications Manager
Chair
Clerk Assistant, Committees and Interparliamentary Relations
TUESDAY, FEBRUARY 23, 2021
The committee met at 1:05 p.m.
[M. Elmore in the chair.]
M. Elmore (Chair): I’d like to start by recognizing that I am joining you virtually, and I am on the unceded territories of the Musqueam, Squamish and Tsleil-Waututh Nations.
Many of us are joining virtually from across the province. I ask you to reflect on the respective territories that you’re speaking from.
I’d like to review our agenda today for our meeting. First up, we will have a briefing from the Ministry of Citizens’ Services, followed by a question and answer period. We’ll have a short recess. Following that, we’ll have a briefing from the Office of the Information and Privacy Commissioner. That will be followed by a question and answer period. Then the committee will go in camera to discuss the draft workplan. We’ll come out of camera and address any other items on the agenda.
Unless anybody on the committee has anything to remark with respect to the agenda, I’ll carry on.
I’d like to welcome and thank for joining us…. We have Kerry Pridmore, assistant deputy minister in the chief records office from the Ministry of Citizens’ Services, and Matt Reed joining us, the executive director and assistant chief policy officer from the Ministry of Citizens’ Services as well.
Thank you very much for joining us today. I’ll hand it over to you.
Briefings on
Personal Information Protection Act
MINISTRY OF CITIZENS’ SERVICES
K. Pridmore: Thank you, Chair. I appreciate that.
Thank you to the committee for the opportunity to join you today. Both Matt and I appreciate this opportunity to rejoin you.
I just wanted to clarify our understanding in terms of the purpose of coming to present today. Our understanding is that we’re going to provide an introductory overview to the proposed changes to Bill C-11 and the General Data Protection Regulation, specifically highlighting new rights for individuals and obligations for organizations under GDPR and the impacts for individuals and for organizations under Bill C-11.
I did just want to stress that neither Matt, who’s our primary presenter today, nor I are subject matter experts in either of these pieces of legislation, but obviously, we do review these pieces of legislation and analyze them as it relates to their impact on legislation that we are accountable for, so PIPA. We will provide our best synopsis in terms of the key pieces of information that reflect our understanding.
With that, Susan, I’m going to hand it over to Matt to start on the second slide. We will jump straight in.
M. Reed: Thank you again for the opportunity to present.
Two different pieces of work that we’re going to talk about: the GDPR, or the General Data Protection Regulation, which came into effect May 2018. If you reflect back on that time, you may recall this particular date because you would have received a deluge of emails seeking to update and clarify the consents from the businesses that are subject to GDPR that you interact with. That was certainly something that I saw, and I’m sure many other people did as well.
GDPR was aiming to strengthen individuals’ fundamental rights in a digital age, really trying to update legislation to reflect where we were in kind of like modern technological times and give more control to citizens and residents over their own personal data. Similarly, it also tried to simplify the regulatory environments for international businesses by unifying the legislation within the EU, so it’s one act to dictate how business should be done across Europe.
In Bill C-11, this is not yet passed. This is an act to enact the Consumer Privacy Protection Act as well as the Personal Information and Data Protection Tribunal Act, as well as making consequential and related amendments to other acts as well. The short title of it, really, is just Digital Charter Implementation Act.
Of the three major pieces of legislation that are falling under this, there is the Consumer Privacy Protection Act, which is where we’re going to be focused today. The intent here is to protect personal information of individuals, recognizing that businesses also have needs in order to collect, use and disclose personal information, just as a part of doing their regular commercial activities.
This also repeals part of the Personal Information Protection and Electronic Documents Act, or PIPEDA, which is the existing privacy framework for these organizations. That’s where privacy is dealt with from PIPEDA. Then the Electronic Documents Act, which is the second half of the PIPEDA acronym…. That’s being pulled out into its own stand-alone legislation. So that will exist just on its own.
Then the third piece, which is also new, is the Personal Information and Data Protection Tribunal Act. This establishes a new data tribunal, which is responsible for determining whether to assign administrative monetary penalties, as recommended by the Office of the Privacy Commissioner, or OPC, following one of their investigations. They can determine the amount of any penalties and also hear appeals of the OPC’s orders and decisions. We’ll jump into each of those parts in turn.
The way that we broke down this presentation is to talk about the rights of individuals as well as the obligations of businesses. I’ll say right now that it is roughly an arbitrary distinction. There are many obligations on businesses that provide rights to individuals. It’s just kind of a handy way to divide them up, and you’ll see that they kind of relate to each other a little bit in that way.
On the GDPR front…. I’m going to start with GDPR and move to Bill C-11 because GDPR kind of creates obligations that the federal government was looking to match. So it makes sense to start from the source.
This act does contain general privacy protections like the usual ones that you would expect to see in any jurisdiction’s privacy legislation around collection, use and disclosure of personal information. Not really going to get into those.
I think there’s a base-level understanding of a need to protect privacy. What we’re going to focus on is places where there’s maybe a big step above and beyond what we would normally expect or what we currently have or just places that are maybe of interest for you to dig into a little bit more in assessing what recommendations you might want to put forward with respect to B.C.’s Personal Information Protection Act.
The first is a right to erasure or the right to be forgotten. This is an ability for an individual to have their data erased without undue delay. Undue delay is generally understood to be about a month, and there are certain circumstances where an individual would not have the right to have that information deleted or erased.
An individual can have the right to their data being erased when it’s no longer necessary for the purpose for which it was collected; when the individual no longer consents to it being processed — so they want to cut their ties with that organization; or if their information is being processed unlawfully, creating a mechanism for, essentially, an individual to correct that error and make sure that their information isn’t subject to further risk by being held by that organization for longer.
There are conditions, though, where an individual wouldn’t be able to have that information destroyed or deleted. One instance would be if it’s necessary to comply with a legal ruling or an obligation. To use a more local example, we know that financial records are generally kept for about seven years. If there was a similar type of obligation on an organization to keep records for a certain amount of time, that would override an individual’s desire to have that information deleted or destroyed, but they could enact that after that legal obligation is over.
Another interesting element to the GDPR is the right to data portability. This is a right for an individual to transfer their personal information in some kind of structured, commonly used and machine-readable format in order to have that information transmitted to another data controller. A data controller is kind of like the organization that’s actually working with their information. What this allows them to do is to have the information moved from one organization to another.
If you want to, say, switch banks or switch credit unions or switch some other sort of organization where there is another one very similar to it, you can have that information ported over and made usable to you elsewhere. This is also something that helps an individual to obtain the data that a data controller holds, because they have to be able to provide it in that structure. It’s a commonly used format. So again, there is kind of a hidden benefit to it there as well.
There are requirements around increased transparency in the GDPR. Transparency requirements exist around the collection, use and disclosure of information. What the GDPR is looking for here is easily accessible and easy-to-understand information using clear and transparent language.
One of the major complaints that you will hear from the privacy community internationally is the need to be informed of what’s happening with your information. Your needs around consent can’t truly be met if you don’t understand the information that is being put to you to tell you what’s happening with your information or to ask you whether you want something different to be happening with it.
The GDPR looks for individuals to be made aware of, say, risks, rules, safeguards and any other rights in relation to processing their personal information, and then how to exercise those rights. So it’s, again, trying to connect individuals with how to actually enact their privacy rights.
Following on that, of course, there are the updates to consents. Consent must be freely given. It has to be specific, informed and unambiguous. There is also a right to withdraw the consents. It needs to be about as easy to withdraw your consent as it is to give your consent. Again, we don’t want barriers being put up where you’re being discouraged from removing consent because it’s inconvenient to do so. In this instance, when the GDPR says “specific,” one of the things that they’re getting at is that you have to be specific to the things that you’re doing with the information.
Again, the behaviour that’s trying to be curbed here is this idea that you can put out a 13-page-long consent form where you consent once and you’re covering all of the different purposes that the information is being collected, used or disclosed for. What they want is that if you’re going to collect an IP address and information about your computer, they’re asking you certain questions. Then, if the marketing team of that organization is going to use it for different purposes, they’re separately and independently asking you questions around that use as well.
What this means is that when an organization is asking for your consent, they are truly asking you: “Do you want this? How about this? What about this other thing we’re doing?” You can say: “I’m fine with these three things but not this fourth thing.” In that way, you are truly exercising your rights over that information, because it’s not just: “Yes. I don’t like three of these things, but I guess I have to because I want that one thing.” It’s an interesting but really important modernization of how consent appears in this space.
We do have, in the GDPR, new obligations for organizations. Of course, as I said, all of the things that I just talked about are obligations for those organizations — that you have to extend those rights to individuals. But you’ll see these next few are a little bit different.
Around the idea of accountability, there is a requirement in the GDPR that data controllers demonstrate how they are GDPR-compliant. One of the ways to demonstrate compliance is to prepare data protection impact assessments for, say, high-risk data-processing activities. This would be very similar to privacy impact assessments, which is what we call them in B.C., in the public sector space.
Organizations are also required, in some instances, to designate a data protection officer. Again, we often use the term “privacy officer” in B.C. There are certain criteria where this would be required and then certain places where it would not be. If the data processing is being carried out by a public authority or a public body, there would generally be requirements for a data protection officer, although there are exceptions.
Similarly, for other organizations, depending on the scale and the characteristics of the organization’s activities or the specific type of personal information being involved, there may, on those bases, be a requirement for a data protection officer as well.
In terms of what a data protection officer would do, again, it is the kinds of things that you would generally expect. They would have overall accountability for privacy and data protection actions. They would be the ones to train an organization’s staff. They’d be a main contact for an individual outside the organization who’s wanting to ask about how their information is being processed. They’re like the centre point of contact on all of these kinds of matters.
On this requirement generally, privacy can, in some instances, be a hard thing to prove that you are doing well. Aside from the places where you’re providing notice and being clear with an individual, your success in privacy is often that something bad does not happen. But sometimes something bad does not happen because you’ve just not been targeted.
It’s kind of hard to prove that negative in some instances. So these requirements around accountability, impact assessments and data protection officers are a way to positively demonstrate that you are taking measures and that if you haven’t had something bad happen, it’s because you planned for nothing bad to happen. You’ve taken the necessary precautions. You’ve thought ahead of time around what mitigation practices you’re going to take. So you’re planning to be privacy-compliant rather than just being privacy-compliant by happenstance because nothing bad has happened to you. It’s kind of an interesting space and an important one to be able to demonstrate to folks — that you have good intentions with their information.
Another requirement in the GDPR is around mandatory breach notification. This is…. Again, not surprisingly, it appears in many jurisdictions. Organizations are required to notify the supervisory authority in the EU of a personal data breach without undue delay and, where feasible, no later than 72 hours after they become aware of it. So the impetus is to act very quickly and definitively in terms of notifying the correct body there. And of course, as with other sections, there are exceptions to this kind of rule.
Another kind of interesting space that is fairly new is around automated decision-making. Under the GDPR, an individual has the right not to be subject to a decision based solely on automated processing. This is where…. A decision here could be something that produces some kind of legal effects, where your legal rights are impacted or where your circumstances are being significantly influenced, whether that’s your behaviour or your choices. One example of this would be if there is a decision to deny you an online credit application. Again, the intent here is that decisions that will significantly impact you are not being made without a human being involved in that decision-making process.
Of course, there are also exceptions to this. You can, as an example, give explicit consent to this kind of thing, but there are, again, requirements around what the organization would be required to do to your benefits in those cases. The intent there is to, again, be responsible and have as defaults a good, measured option. But again, understanding that circumstances are often very different and challenging, there are exceptions to those rules.
The last one that I want to speak to here is around administrative fines. GDPR really came out strong in terms of enhancing enforcement. This includes fines of up to 2 percent of the annual turnover of an organization or up to €10 million on the less severe infringements of the act. If it is a more significant infringement, then those numbers turn over to 4 percent of annual turnover or €20 million. In terms of how they judge what is significant and what is less significant, it’s based on the sections of the act that you’re offside of.
Again, a very interesting and very powerful administrative mechanism there for the protection authority in the EU.
We’re going to shift from the EU over to Canada. You’ll see, again, some similar themes touched on. Often it is a little bit different or there are different nuances to it. We can get into some of those, but some of them require a more close reading of this bill or of the GDPR.
One of the things that Bill C-11 does is that it advances the digital charter and its ten principles. This is a piece of work out of Canada that sort of creates a foundation of trust for Canadians in the digital sphere. I won’t get into all of the principles generally, but they include things like universal access, control and consent, safety and security. Again, a really good foundation for what we’re trying to do in trying to adapt things like privacy legislation to the more modern technological space where privacy legislation can often struggle.
There are proposed updates to consents. Intent here is the same as with the EU. What the Canadian government is looking for is meaningful consent. So modernized consents would ensure that individuals have, again, plain-language information that they need to make a meaningful choice about the collection, use or disclosure of their personal information. However, it does not include, or it does not provide, meaningful privacy protection.
What the Canadians have tried to do here is remove the requirements for consent where it would be, essentially, really obvious what’s happening, where it’s a mandatory part of a business operation. As an example, if an organization has to process your credit card, what we don’t want is for you to have to consent for every interaction of your information that happens with that organization and remove from that conversation the places where it would be very obvious and necessary for the business, where you don’t actually have a choice and, rather, put forward consent options to you where you can influence how your information is impacted.
Again, we’re trying to adapt it in a different way than the GDPR by means of giving individuals a way to meaningfully influence their information — given, again, the technological space, which is fairly complicated in terms of how your information is being processed and what’s happening with it.
The other thing around consent is the withdrawal of consent — again, looking to give individuals the right to withdraw consent in specific cases. There are instances where it’s simply not going to be possible, but as much as possible, we’re trying to give individuals that right to basically cut ties or end a relationship with an organization and that organization having their personal information.
Data mobility. Again, this one and the disposal of personal information are similar, conceptually, to GDPR but have different nuances generally. Data mobility is the right for individuals to direct the transfer of their personal information from one organization to another. The bank example would be relevant here.
On the disposal of personal information, the legislation here, if passed, would allow individuals to request an organization to dispose of their personal information, with some exceptions. One example would be where disposing of the information would result in the disposal of personal information about another individual and the information is not severable or separable from that other person’s information or, as with the GDPR, where other legal retention obligations exist.
Then the last piece that I wanted to touch on was around the deidentification of information — the practice of removing a direct identifier, something like your name or something that is directly tied to you as an individual. The practice of removing that kind of information from a broader set of personal information is becoming increasingly common. It is a great privacy practice, but the rules that govern how this information is then used are not necessarily clear.
The federal legislation is looking to clarify that this information must be protected but that it can be used without an individual’s consent, under certain circumstances. The intent here is to provide greater data sharing and access between the public and private sectors, which can help to solve some fairly important challenges in public health, infrastructure, environmental protection — like a number of instances where it is really helpful to have information, but the individuals’ names or direct identifiers are not necessary for those purposes.
Again here, it’s similar but different. In Bill C-11, there are provisions around algorithmic transparency. This is similar to the automated decision-making under GDPR. Bill C-11 here introduces new requirements that impact how an organization has to use systems like algorithms or artificial intelligence in order to make significant predictions, recommendations or decisions about an individual.
In this instance, under C-11, an individual would have the right to request that an organization explain how that prediction, recommendation or decision was made by that automated decision-making system and to be able to explain how the information was obtained. As you can see, it’s a little bit different from how the GDPR set that up.
Bill C-11 also enhanced the enforcement provisions. They’ve given the federal OPC broad order-making powers. This includes the ability to force an organization to comply with the requirements under the acts — to, say, order a company to stop collecting data, to stop using personal information — or to recommend to the tribunal that I spoke to earlier to impose a fine.
The personal information and data tribunal. As I said, this is a new entity under the proposed legislation. They would be able to impose those administrative monetary penalties for privacy violations.
Now, the penalty there could be up to 3 percent of an organization’s global revenue, or $10 million, for any non-compliant organization. They do have maximum fines of up to 5 percent of global revenue, or $25 million, for serious contraventions of the act. So again, fairly strong powers there for that.
Some of the existing obligations — again, just raising this because it’ll be relevant in your review. The federal legislation does have mandatory breach reporting in the same way that the GDPR does as well. This is where organizations must report any breach of security safeguards to the commissioner and then also notify an individual whose information is subject to the breach if it’s reasonable in the circumstances to believe that that breach is going to result in a real risk of significant harm.
Again, if it’s like an internal email and it was sent to the wrong account within the organization, there’s not going to be a real risk of significant harm there, even though it was an unintended disclosure of that information. But if it has gone to a bad actor who we believe is potentially going to try to steal an individual’s identity, or if it’s published online and we don’t know who’s going to get it, those are the instances where I think it’s fairly clear that there would be a real risk of significant harm to that individual.
This is the last piece that I wanted to discuss before opening the floor. This is just things that we thought might be useful to highlight for you.
One is a clarification around monetary fines. I have talked about monetary fines in the context of both the GDPR and Bill C-11, but just to note that in some contexts, the fines that are being referred to are not necessarily the same. Sometimes it’s what we would call a fine, and sometimes it is what we would call a penalty, dependent on where it is being administered from. So when you as a committee are looking at these different jurisdictions and how they operate, just a caution to make sure that we’re talking about the same thing so that when you’re putting forward your recommendation, it’s being clearly put forward and clearly understood what exactly you mean by those words.
The other is around the impact for organizations. We’re talking about a number of different pieces of legislation here in the EU, proposed legislation in Canada, and of course, you have your minds set towards legislation in B.C. here. But the impacts for organizations are going to be different based on what those organizations do and how they operate.
For example, a B.C. business that also operates in Europe is likely already going to be required to meet the standard of GDPR. So again, if there are changes to align legislation, some of these businesses are already operating above the bar that we have set here in B.C. with PIPA because of where they’re doing business. It’s a consideration in terms of maybe how onerous a recommendation would be on a business based on how many businesses we would expect to be held to that higher standard somewhere else.
However, because in B.C. PIPA also applies to non-commercial entities like non-profits, we also have to consider how new requirements would apply to them, where they wouldn’t necessarily be subject to these requirements in other jurisdictions. So again, just a note to highlight that application and the standards that are being upheld by various businesses and organizations across B.C. are not necessarily the same given where they’re operating and what they’re looking to be doing.
Then the last implication to note is around something substantially similar. This is something we touched on previously in our presentation to this committee. B.C. is one of the provinces that does have provincial privacy legislation, so we are required to remain substantially similar to the federal legislation. This means that in many circumstances, the provincial law is going to apply to these B.C. businesses. But those businesses that are, as I said before, working elsewhere in Canada, are likely going to be subject to the requirements elsewhere. Again, alignment is going to be to the benefit of those businesses — that they don’t need to keep track of separate requirements.
I’ll pause right there. If you can just click to the next slide, I’ll open the floor to questions.
M. Elmore (Chair): Terrific. Thank you very much, Matt and Kerry. Appreciate your efforts to give us an overview of both the GDPR and C-11, in terms of our deliberations.
Does anyone have a question?
Go ahead, Rick.
R. Glumac: I have a few questions. In your presentation, you had similar wording for some of the things, like data portability versus data mobility. I guess I don’t quite understand the difference between the two.
M. Reed: Great question. We’ve tried to give you the language that these different pieces of legislation use themselves, both in the proposed legislation as well as the resource materials.
As I said with the monetary fines and penalties, different words are going to mean different things. Not being an expert in either of these jurisdictions, legislation, I don’t want to presume something by using a word that might mean something else. But conceptually, you’re right. They are quite similar. Any differences on that data portability are going to come in the level of nuance. In broad terms, they are very similar.
R. Glumac: Maybe you can’t answer this. But has this data portability translated, in Europe, to any tangible improvements in, for example, communication between health authorities or anything like that? Certainly, a huge issue here in B.C., I think. Maybe you don’t know the answer to that, but I’m curious if you do.
M. Reed: I’ve not seen anything. But it may just be too early. The GDPR is still fairly fresh, so we’re not necessarily seeing all of the downstream impacts of how this has netted out for individuals. No, unfortunately, I’m not familiar with how that’s landed.
R. Glumac: Another question that you might not have the answer to. The right to have your data erased. Again, it’s slightly different wording for Bill C-11 — disposal of private data or something like that. Is there any tangible difference there?
Secondary question is: has there been any discussion on blockchain? You basically can’t erase that data. What happens with records that are held in blockchain?
M. Reed: That’s a great question. Same answer here as on the data portability. I’m not aware enough of the nuance between the two to sort of throw out any major differences.
In terms of the blockchain, it’s, again, a very, very interesting application that I think we need to collectively turn our minds to because of that immutability of that information. The idea, hopefully, would be that personal information wouldn’t necessarily, on its own, be put into the blockchain but rather the blockchain be managed such that you can show that a record or information has not been changed without actually putting that information in there. Again, I won’t drill down any further than that on blockchain, because that’s well outside of my area of expertise.
I think the interests of privacy and the benefits that would come from blockchain need to be balanced, such that you’re not sacrificing, permanently highlighting, somebody’s information for the benefit of what you’re doing on the blockchain.
R. Glumac: One more question. I wasn’t quite clear on the de-identified information. You’re saying it’s protected, but it can be used without consent. What does this mean, exactly? How is it protected?
I’m very curious about how this translates to the things that you mentioned that can be benefits. Will this lead to increased availability of de-identified information publicly, or is this something that will still be kind of hard to get? I’m wondering about the word “protected,” what that means.
M. Reed: Great question. Part of the protection comes from even just talking about it in the legislation. Right now, in B.C. and federally, we don’t talk about de-identified information. The act is silent on it. So I suspect that there are a lot of organizations that would make a presumption — “Hey, I’m going to remove your name from this file, and then it’s not personal anymore” — and kind of operate under that presumption, which could prove to be dangerous.
What this is doing is setting very clear boundaries around it. If you’re removing the direct identifiers from the information, you can still use it — looking to still extract that benefit from the information but setting rules around what your interaction with that information needs to look like. So there’s a benefit in terms of ensuring that the information is shareable in a privacy-protective way and that there are clear rules around it. That’s what I would see as the main new protection there.
R. Glumac: Will it lead to more of this de-identified information being publicly available, or is it still owned by whoever has it? Can it be…? How does this change how things are now? Right now you could de-identify the information and put it out there. Maybe there isn’t…. It’s not clear, the rules around it. But will this legislation make it easier to get access to de-identified information for public universities, companies and things like that?
M. Reed: I don’t believe that it would be publicly available. It’s not the kind of thing you can just take a name off of and then publish it. It is tied to this idea of data sharing with either a public or private sector entity. But, no, I don’t believe it’s going to result in information being out there. But beyond that, again, I don’t have the experience with the proposal here to go much beyond that.
M. Elmore (Chair): Thanks. Anyone else for questions? Any other questions? I don’t see….
I’ve got a question, unless…. I’ll jump in, and you can indicate if you’ve got questions.
Matt, I’ve got some…. How does it work with respect to the right to withdraw consent? Certainly you referenced it in the GDPR and C-11 if organizations are not combined. So they’ve agreed, for whatever reason, they’ve consented, and then they want to withdraw it. What’s the mechanism in terms of…? I’ve been getting a number of inquiries about that.
M. Reed: I don’t have a lot of experience here, but what I do know is, certainly on the GDPR front, the intention is to make it so that, again, it’s as easy to withdraw your consent as it is to give the consent. It’s going to depend a lot on what the platform that you’re consenting is. So, again, if it’s an online business you’re operating with and you’ve got, say, a profile, and you’re checking your preferences in terms of how you want your information to be shared, it would be a matter of unchecking those preferences.
M. Elmore (Chair): Thanks. And if the organization didn’t comply with that, then I presume it would have to go through the adjudication process.
M. Reed: There is a mechanism there. The name is slipping by me. Essentially, the authority in that space — individuals have the right to complain to that body in the same way that they would here in B.C.
M. Elmore (Chair): Okay, great. Thanks.
I had another question with respect to the automated decision-making process, artificial intelligence machine learning. You made the point that it needs to operate from a human rights perspective, and there’s an opportunity to challenge, I guess, decisions.
What provisions, either at the GDPR or in C-11, are in place with respect to the development of the algorithms and just ensuring that they don’t perpetuate…? That implicit bias is not replicated, that the perspective of…. I guess that to characterize it as a human rights perspective is integrated into the algorithm itself.
M. Reed: Yeah. Great question. I’m not sure that there is anything to that effect. We can follow up on that. I’m not aware of any further protections on that front.
M. Elmore (Chair): Right. Yeah. I’m just interested — I think I referenced it — in a report that was submitted to…. Ontario is undergoing consultations as well. That was one of the questions. I guess we’ll continue our inquiries on that and the whole expansion challenges posed to us with artificial intelligence.
Those are my questions. Anyone else have, while we’ve got Matt and Kerry here…? Jump in. Anything come to mind?
Thanks for the overview. That really helps us, Matt, in terms of laying out the clear themes around GDPR and C-11. Thanks for your insights with respect to points for us to consider with PIPA here.
Last call for questions here. We’ve got Matt and Kerry. I don’t see anyone.
Susan, have I missed anyone?
Okay. I want to thank Matt and Kerry. Thank you very much for taking the time and giving us the presentation on behalf of the Ministry of Citizens’ Services. We appreciate it greatly. It’s a big assistance to us as we go through with our proceedings. So thank you very much.
K. Pridmore: Thank you for your time.
M. Reed: Thank you.
M. Elmore (Chair): Okay. We are a little bit ahead of schedule. We have, on our agenda, a recess for five minutes.
What is the committee…? What would you like to do? Do you want to take a five-minute break and come back?
A. Wilkinson: Is Michael McEvoy available earlier, or should we just plan to reconvene at two o’clock?
S. Sourial (Clerk Assistant, Committees and Interparliamentary Relations): He’s not in the waiting room. I have Michelle and oline, but Michael isn’t available yet. I would suggest we reconvene at two.
M. Elmore (Chair): Okay. There you go.
Andrew, good suggestion.
Everybody, you’ve got seven more minutes. See you back here at 2 p.m.
The committee recessed from 1:48 p.m. to 2:01 p.m.
[M. Elmore in the chair.]
M. Elmore (Chair): I’m very pleased to reconvene the Special Committee to Review the Personal Information Protection Act.
I continue to join from the First Nations territories of the Musqueam, Squamish and Tsleil-Waututh.
I’m very pleased to welcome with us to make a presentation, a briefing from the Office of the Information and Privacy Commissioner. We have with us Michael McEvoy, the Information and Privacy Commissioner. He’s joined by oline Twiss, the deputy commissioner, as well as Jeannette Van Den Bulk, also a deputy commissioner, and Michelle Mitchell, senior communications manager.
I’ll hand it over to you. Following your presentation, we’ll have questions and answers.
Over to you, Michael.
OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER
M. McEvoy: Thank you, Chair and members of the committee.
It’s important for me to respectfully acknowledge that I’m coming to you today on the traditional territories of the Lək̓ʷəŋin̓əŋ people, also known here as the Songhees and Esquimalt First Nations.
It is again my honour to appear before you to provide an update on a very important development since our last meeting in September. As you’ve learned, the federal government recently introduced Bill C-11 that proposes new federal privacy legislation. The essence of it is that the Consumer Privacy Protection Act — I’m going to refer to it as the CPPA — will replace the Personal Information Protection and Electronic Documents Act — PIPEDA, for short. This development has a significant bearing on your deliberations and, as I will explain, adds greater urgency to reform of British Columbia’s privacy legislation.
This afternoon I will focus on key provisions of the CPPA that impact British Columbia’s Personal Information Protection Act. I will do that in the context of recommendations I made to you last September — recommendations, I would add, that are even more relevant today. I’m also going to address questions that, I understand from the committee Clerk, you have about Europe’s General Data Protection Regulation, the GDPR, and its relation to PIPA reform.
When I last spoke to the special committee I observed that PIPA, drafted nearly two decades ago, requires urgent reform to meaningfully address the growth in digital economic activity and the challenges posed by new technologies. Artificial intelligence, data analytics, facial recognition and social media are just some of those challenges.
The federal government launched its legislative response to these issues late last year with the introduction of the CPPA. All eyes now turn to B.C.’s government to see whether it will meet this moment.
What I also emphasized in our last meeting was the need for PIPA, our law, to be harmonized, to the greatest extent possible, with laws developing nationally and internationally. As my supplementary submission explains, enactment of the CPPA will leave PIPA status up in the air unless it is declared substantially similar to the CPPA. This greatly underscores the need to act now to update PIPA.
To be clear, I am not advocating for a simple copy and paste of the proposed federal legislation. There are a number of provisions in the CPPA that are not fundamental to substantial similarity and do not further the privacy rights of British Columbians and therefore should be left out of B.C.’s PIPA. This special committee has the unique opportunity to recommend refinement of the positive aspects of the CPPA to suit the needs of British Columbia while maintaining harmonization and leading-edge legislation.
When PIPA was first introduced in 2003, the then minister responsible observed that by retaining provincial jurisdiction over this important aspect of provincial commercial activity, PIPA “will reduce the regulatory burden for the B.C. private sector, fill in significant gaps left by the federal act and provide provincial oversight instead of oversight by a federal commissioner located in Ottawa.”
Chair and special committee members, these observations remain true. PIPA was, in part, a response to the then newly minted federal government’s PIPEDA. British Columbia’s policy-makers set out to fashion a law that reflected the province’s needs while enabling B.C. enterprises to do business domestically and internationally. They also sought to create a law that enables individuals to trust that their privacy is appropriately protected. These policy imperatives, I would respectfully submit to you, should remain central in your deliberations.
I have mentioned international developments and the need for our laws to keep pace with them. I canvassed this more fully in my supplementary submission. But it is sufficient to say here that the CPPA, Ottawa’s legislation, is, to a significant degree, a response to international developments, specifically the European Union’s GDPR.
The GDPR’s enactment in 2018 was an absolute game-changer internationally. It dramatically raised privacy standards, and its reverberations have been felt well beyond Europe’s borders. Companies, including those in Canada, expecting to do business in Europe or with European companies where personal information is involved are required to meet the GDPR standards.
The need to meet European standards is, in fact, not new. This was the case under the GDPR’s predecessor, the data protection directive. That directive greatly influenced Canada’s original decision to enact PIPEDA and how that law was framed. In the result, Canada received adequacy status — very important, because it allowed the free flow of personal data between businesses in Canada and the European Union.
Maintaining adequacy is crucial to Canadian and European trade. It would be astonishing to believe that the CPPA’s recent introduction was not, in large measure, prompted by the GDPR and a desire to ensure Canada’s new law is seen to be adequate in the eyes of the European Commission.
You may be sensing something of a domino effect going on here. Europe sets off change in Canada’s federal privacy law, which in turn sets in motion an imperative to amend B.C.’s privacy law. Why? Because federal law requires provincial privacy law to be substantially similar in order to be valid. It is quite clear that, in light of the GDPR and the proposed CPPA, British Columbia is now obligated to step up to the plate.
While we seek to reform PIPA so that it is substantially similar to the CPPA and, in fact, aligned with global benchmark GDPR, the dynamic here is one in which jurisdictions try to move in step harmoniously, though not identically. Being at the tail end of this process, as we are, has certain advantages. You, as legislators or policy-makers, can adopt the best-of-breed in what is found elsewhere that is both suited to British Columbia and harmonious with other laws.
I want to now turn to the proposed CPPA in more detail. The CPPA will be enacted by the Digital Charter Implementation Act, 2020. It’s part of the federal government’s digital charter initiative, which began some five years ago. The recent legislation is referred to in shorthand as Bill C-11, which is the bill the government tabled last November. Before tabling Bill C-11, the federal government conducted consultations on privacy laws and the digital economy.
In 2019, the government released a report on those consultations. The report concluded: “The current privacy legislation, PIPEDA, needs to be modernized and streamlined. However, the government must ensure that updates both support innovation and protect Canadians. Rules must be supported by clear guidance on implementation and applicability and must consider effective and appropriate enforcement measures to hold players accountable and ensure Canadians have confidence and trust in these protections.”
The CPPA will retain some features of PIPEDA while significantly strengthening protections for individuals and ensuring that those rules remain balanced and are not a barrier to economic activity.
What do the proposed new federal rules mean for modernization of PIPA, our own almost-20-year-old privacy law? What do the proposals mean for the recommendations I provided you last autumn? When compared to the CPPA’s key features, our earlier recommendations to you illustrate how there is a core consensus on what is needed to update Canada’s private sector privacy laws.
Fully ten of my 12 recommendations to the committee last fall are found in some measure in the CPPA. The detailed written submission I have provided you addresses each of these ten recommendations in relation to the CPPA proposals. Today I will simply highlight some of the key ones, describing how they align with or, in some cases, differ somewhat from the CPPA. I will explain how B.C. can implement the CPPA’s core concept while improving upon Bill C-11.
I begin with what is one of the most important changes the committee could recommend: mandatory breach notification. The CPPA will essentially replicate PIPEDA’s existing breach notification requirements. This aligns completely with the previous recommendations I have made to you on this issue. I will stress once again the importance of harmonizing PIPA’s breach notification rules with the CPPA and with comparable Canadian laws, including Alberta’s Personal Information Protection Act, which has had breach notification rules now for over a decade.
To recap, I am recommending that PIPA should require organizations to notify both affected individuals and my office of privacy breaches that meet a threshold of risk of harm to affected individuals. PIPA should also authorize my office to require an organization to give notice to affected individuals if the organization has failed to do so, including where we learn of the breach from a source other than the affected organization.
How important is this breach notification fix for PIPA? PIPA is far behind comparable Canadian privacy laws, but it is also behind internationally. The EU, the U.K. and all 50 U.S. states — yes, all 50 states — now have some form of mandatory breach notification law. Further, reforming PIPA on this issue is, in my view, likely to be of considerable importance in the federal government’s assessment of whether PIPA is substantially similar to the CPPA.
The second matter I want to highlight today is something I spoke about in detail in my September submission to the committee — namely, the right of individuals to consent to the collection, use and disclosure of their personal information. The overarching aim of modern privacy laws is to give individuals appropriate control over their own personal information, and consent is at the heart of that concept. As other laws do, PIPA ensures that individual privacy rights are at the forefront by requiring organizations to obtain consent, unless an exception applies.
One of the challenges of PIPA is its now inadequate bilateral approach to consent — the assumption that there is a straightforward, simple transaction between one business and one customer. We all know that while there are situations where this works, in fact, it is an increasingly unrealistic assumption in our modern digital age. This challenge is not unique to B.C., and it is something policy-makers have grappled with for years.
Under the heading of my third recommendation to the committee last autumn, I made three specific recommendations for an improved approach to consent to better protect individuals without imposing undue burdens on businesses.
Those recommendations require an organization to put in writing the purposes for collection, use and disclosure of an individual’s personal information, unless there’s a good reason to allow the organization to rely on implied consent. They also stress that it is important that an organization use plain language in describing these purposes. Finally, when it comes to privacy, such written notices must stand out on their own and not be wrapped in dozens of pages of legalese.
The CPPA also proposes to update consent requirements found in PIPEDA. However, as you will read in my written submission, I have serious — in fact, very serious — reservations about elements of the proposed CPPA consent provisions. Specifically, the CPPA would introduce new exceptions to consent that are very broad or ambiguous or would reduce, even eliminate, transparency for individuals. To offer one example, the CPPA would enable organizations to, in some cases, secretly collect, use and disclose our personal information without having to tell us what they’re up to.
This is inconsistent with long-accepted internationally recognized data protection principles. I’m not alone in expressing these concerns, and it will be interesting to see what this might mean for the CPPA’s and Canada’s adequacy when it is measured against the GDPR.
I urge the committee to reject the proposed CPPA consent exceptions as a model for PIPA. To be clear, exceptions to consent are appropriate, and PIPA already has consent exceptions. Modern privacy laws remain consent-based by default, and exceptions should be limited, narrow and clearly justified. What I would urge the committee to do is to affirm that the concept of an individual’s control over their own personal information is, through consent, a core principle of PIPA.
I’d like to move on to another key recommendation from my previous submission. It was recommendation 4, which concerns automated decision-making. Information technologies are evolving in ways and at rates that can raise very serious risks for individual rights and interests. Advances in data analytics and artificial intelligence can, undoubtedly, help improve services to individuals and communities. However, they can also create serious risks for privacy rights.
Consider the example of an individual who fails to screen in for a job opportunity based on the decision of a machine. The information used in that process may be outdated, false, incomplete or otherwise defective, yet the outcome has a significant impact on that individual. The algorithm used to make that decision may have built-in, if unconscious, biases, a fault already discovered in decision-making algorithms.
Critically, under the proposed CPPA, there is no obligation on the organization’s part to accompany the decision about an individual with an explanation that it was made by a machine. Thus, the individual has no opportunity to know about, let alone challenge, it.
The GDPR, by contrast, contains significant protections for individuals, giving them the right, with some exceptions, to prohibit an organization from making decisions about them based solely on automated processing of their personal information. Amendments to Quebec’s pending bill, privacy law, also provide some protection in this area.
Without mincing words, the proposed CPPA falls short of what I believe is necessary to protect citizens from the use of opaque and otherwise unregulated automated decision-making technologies. The CPPA would merely require an organization to provide a general account of its use of any automated decision system to make predictions, recommendations or decisions about individuals.
The CPPA says this general account should be written into the organization’s policies and procedures. What does this mean practically? It almost certainly means that a description of a general nature, whatever that is, of an organization’s automated decision-making will be buried in lengthy legalese, along with many other matters.
In light of this, I affirm my initial recommendations to the committee last fall — which would require an organization using automated processing of personal information to offer specific transparency disclosure, to disclose the reasons and criteria used, and to receive any objections an individual might make.
I now want to turn to the matter of oversight and enforcement powers under PIPA. The question is: what kinds of powers are required in order to ensure that rights and obligations set out in our legislation are actually met?
The first issue I want to discuss with you relates to my authority to enter into information-sharing and cooperation agreements with other authorities. The proposed CPPA will carry forward the existing PIPEDA authority for the federal Privacy Commissioner to enter into information-sharing and cooperation agreements with domestic and foreign privacy regulators. It also allows for such agreements with domestic regulators who have overlapping jurisdiction. Our laws should mirror these provisions. I can’t overstate the benefits of having a framework in place that supports collaboration between privacy regulators, both domestically and internationally.
At present, PIPA supports our domestic enforcement cooperation with other Canadian privacy regulators. We rely heavily on federal-provincial sharing and cooperation agreements, as can be seen by recent joint Privacy Commissioner reports into Clearview AI, Cadillac Fairview and LifeLabs. However, PIPA does not explicitly extend these sharing arrangements to international partners, which is a problem at a time when many privacy issues are transborder in nature.
I’ve encountered situations in recent years where it has been challenging to work together with privacy regulator colleagues outside Canada who wish to cooperate with us. You can assist greatly in these efforts by recommending language for our legislation that explicitly permits this. Similar explicit language would also be used to better support my cooperation with domestic regulators — such as the Ombudsperson, Auditor General and Chief Electoral Officer — with whom I have worked in the past on matters involving personal information practices. Again, these recommended changes will help align PIPA with the federal law and global trends.
Finally, I would like to turn to the recommendation that has come before the committee a number of times: the authority for my office to issue monetary penalties. There is little doubt that if PIPA is to be considered substantially similar to the CPPA, PIPA’s enforcement framework will have to be significantly strengthened. This includes authorizing my office to impose monetary penalties on organizations for breaches of the law. The CPPA will do this by enabling the imposition of significant monetary penalties.
Financial penalty provisions also align with the GDPR, the United Kingdom’s Data Protection Act and Quebec’s Bill 64.
As I noted in my briefing to the committee last June, our joint investigation reports with the Office of the Privacy Commissioner of Canada, including one involving the social media giant Facebook, exposed the complete inadequacy of PIPA when it comes to protecting the public’s personal information.
PIPA is, in many respects, toothless, because the most I can do to sanction even a serious, wilful violation of our legislation is to order an organization to do what it should have done in the first place, fulfil its legal duty under the law.
My office has always emphasized an educational and remedial approach to compliance with the law, and we will continue to do so. But it is clear that there are bad actors out there who do not respect their duty to operate within legal boundaries and should, therefore, face monetary sanction. These kinds of penalties are always a last resort.
The need for these measures is widely acknowledged, as is illustrated by submissions made to the special committee last year. Among those supporting such measures were the Insurance Bureau of Canada and the Canadian Bankers Association, as well as civil society groups, such as the Canadian Civil Liberties Association, the B.C. Civil Liberties Association and the B.C. Freedom of Information and Privacy Association.
While the CPPA’s powers to impose monetary penalties are welcome, I do not support the adoption in B.C. of the CPPA’s mechanism for doing that. In short, the CPPA would create a new statutory tribunal, separate from the Privacy Commissioner’s office, that will have exclusive authority to impose penalties, leaving the federal Privacy Commissioner to only recommend them.
Creation of a new body to discharge this role is unprecedented in the Canadian privacy oversight world and in the EU context as well. It would also run counter to the B.C. approach in other areas. As the registrar of lobbyists, for example, I have, for some time, had the authority to impose monetary penalties under the Lobbyists Transparency Act. This authority extends to other regulators in the province as well.
There is no legitimate case, in my view, to be made that the step proposed by the federal government is necessary in terms of institutional design in B.C. The creation of a new tribunal would introduce unnecessary complexity, delay and uncertainty for individuals and organizations alike. It would also impose significant costs on the public purse and those involved in disputes before my office. Therefore, I continue to recommend that PIPA should enable the commissioner to impose monetary penalties on organizations for non-compliance with PIPA and that such authority be accompanied by strong provisions for due process and judicial oversight.
In concluding my remarks this afternoon, I can do no better than restate the message I gave to the special committee last fall. As lawmakers, as policy-makers and as regulators, we needed to work in tandem to keep up with the times. PIPA was drafted almost 20 years ago under very different conditions from those which we live under today. Rapidly evolving digital technologies, business models and public attitudes towards privacy require us to respond in a way that is equal to the unique challenges we face. Inaction is not a viable option. It is simply not.
Economies of the world are interlinked and so, too, is the flow of personal data that attaches to global trade. As a prolific trading jurisdiction, it’s critical that we ensure that our personal information and privacy laws are leading-edge and, to the greatest extent possible, harmonized nationally and internationally.
I hope that through my submission and this presentation today I’ve shown how the GDPR, through its adequacy standard, has moved the Canadian government to propose enhanced privacy protection rules. This, in turn, reinforces the need for us in B.C. to do the same to ensure we maintain substantial similarity with the federal legislation.
The recommendations my office made to the special committee in 2020 in many ways foreshadow what the CPPA now proposes, and while PIPA and the CPPA need not be identical, it is in the interest of economic growth in the province and citizens’ privacy for our laws to be modern, robust and balanced while harmonizing with the federal law and international developments.
I want to thank you again for the work that you are doing on behalf of our citizens and for the opportunity to appear before you today. I welcome your questions.
M. Elmore (Chair): Thank you very much, Commissioner McEvoy. I appreciate your clear presentation and also clear recommendations in the context of the developments happening with C-11 and, also, with respect to GDPR.
Now, opportunity for questions from committee members. You can jump in, as well, in terms of any clarifications you’d like to make while we have the commissioner here with us.
A. Wilkinson: It seems we have a pretty dramatic chicken-and-the-egg problem here. We know that the federal legislation is on second reading. We don’t know if there will be a federal election. That’s an unknown. We don’t know what changes will happen, and I suspect there will be some, to the federal legislation. So for us to be proposing and drafting in parallel could just be a formula for trouble, because the federal legislation will go through its process pretty much regardless of what we do.
It would seem our timing is rather unfortunate. If Bill C-11 had received royal assent already, we’d have a pretty clear landscape. But as it is, we’re working with the unknown and trying to harmonize with the unknown.
Your comment would be welcome if it would be more fortuitous if the federal legislation had reached a completion stage before we went much farther. Then it would be rather straightforward for you and our community and the legislative draftspeople to work to fill in any perceived gaps or missed opportunities in the federal legislation. But as it is, we’re drafting in a void. Not that we’d be drafting, but it’s very hard for us to comment on something that’s still in progress.
M. McEvoy: That’s a very good question and certainly one that we have thought about. I think it is fair to say that this is not an unknown void that the committee is venturing into. The global trends are clear. The federal government has obviously recognized that.
I don’t think there is any harm. In fact, I think it would be an advance for the country if British Columbia took leadership in this area, knowing where the direction is going, improving upon the CPPA and moving in that direction. That’s something, actually, that the government of British Columbia did in 2003 when they basically advanced ahead of PIPEDA.
The provisions that were put in place by the government of the day then broadened the scope of the privacy legislation here, and, in many respects, improved upon what had gone on in Ottawa. Interestingly enough, some of those changes that appeared in 2003 have found themselves now put into the new federal legislation.
In fact, in some ways, I think being out front, clearly seeing where the direction of the world jurisdictions is heading…. I don’t think there’s any danger in the committee recommending the recommendations made and the government’s advancing that agenda. When the federal government acts, as it surely will — and, I think, must, given what’s happened with GDPR — we will already have met those standards. There won’t be a matter of catching up for British Columbia. We will have been leaders.
A. Wilkinson: Isn’t the concern, though, that we could end up with a slightly different kettle of fish from the federal government? They will pay some minimal attention to our efforts but not a lot.
If we end up with inconsistencies in legislation because they have gone down their own path, ignoring our efforts, then those poor old small- and medium-sized businesses are left with two conflicting regimes that they then have to struggle through. As I’ve heard from a couple of software companies in British Columbia, they may just think about leaving because it’s too much stress and bother to work with two competing regimes.
M. McEvoy: I think what you’ve seen, in terms of major investigations in this country, are provincial authorities and federal authorities working always very closely together for the very reason that you’ve identified. We don’t want that for two reasons. On the one hand, we don’t want companies playing regulators off against one another. Nor do we want businesses having to deal with three or four jurisdictions.
In some ways, I would argue, what has developed in Canada is actually superior to what has gone on in Europe with their so-called one-stop shop, which has a lot of issues. I think Canadian regulators have worked well in tandem.
Our laws will never be identical — let’s be clear about that — nor should they necessarily be identical. The core concepts, however, I think are in line at this point and will continue to be. So we can see…. As Wayne Gretzky would say back in the day, it’s not where the puck is, it’s where it’s going. I think we can all see where the puck is going. So I think there’s an objective there that we’re all working towards.
Again, we’ll never be completely identical, but there’s more than enough known there to come to a solution, I think, that will be good for British Columbia and allow us to work harmoniously.
A. Wilkinson: Just to wrap up and come back to where we started, the ideal scenario would be if the feds had already dealt with C-11, and then we could deal with gaps and oversights and local priorities.
M. McEvoy: Yes, true in the sense that they haven’t actually passed the bill yet, but I think we now — because, again, we’re sort of at the end of this project, so to speak — are able to pick up the best of what’s there. I expect that some of the criticisms that are made of the bill as well — including the ones I’ve expressed, I think — the government may want to address, federally.
M. Elmore (Chair): Is that it, Andrew?
A. Wilkinson: Yeah. We could have a lengthy conversation over dinner. Michael and I have known each other for a few years. We’re playing tennis now.
M. Elmore (Chair): Okay, good. This conversation to be continued, certainly, through our deliberations.
R. Singh: Thank you, Mr. McEvoy. So good to see you again. We heard your presentation in the fall. I think what you said that time and what you are saying today makes real sense to me.
At that time, you also recommended making our legislation much stronger so that the federal partners…. At that time, also, we know that the PIPEDA — at that time, it was called that — was under review. So the recommendations that you are bringing in, especially the mandatory reporting and also the penalties, I think, are very strong recommendations. You really emphasize that, and that’s what we have heard from other stakeholders as well.
I’m really happy to have you here again to reiterate the same things that you did last fall. I really agree, and I’m sure the committee will go in camera and talk more about the workplan. But the recommendations that you have made — making our legislation stronger so that the federal partners, when they are looking at B.C., are looking at very strong legislation. Thank you so much for that.
M. McEvoy: You’re very welcome.
R. Glumac: I appreciate your recommendations in the context of C-11. I get the sense very strongly that we can lead the country even if C-11 doesn’t move forward or if there are some changes that could be informed by the recommendations we’re putting forward. I guess my question is…. All provinces would be in this situation. I’m not sure exactly, but I think all provinces have privacy commissioners. Is that correct?
M. McEvoy: No. There are only four jurisdictions in Canada. You’ve got the federal authority, and the federal authority extends everywhere in the country except where a province has put in place substantially similar legislation judged to be so by the federal government. That’s happened in three other provinces: Alberta, British Columbia and, finally, Quebec.
I should note, by the way, that as we are speaking here, the Quebec legislature is now working through what is, in their place, Bill 64, which has considerable advances in privacy legislation there, I think more akin to the GDPR than the federal initiative is. So Quebec is out there advancing its agenda as well.
I should also mention that Ontario is now reviewing whether it wants to have a private sector privacy law. I should have prefaced this by saying that we’re talking about private sector privacy law here — three provinces and the federal authority. Ontario is now looking at whether it wants to develop its own laws, like Alberta, B.C. and Quebec have. That’s a question that’s under review.
Privacy, as concerns the public sector…. Yes, there are commissioners in place right across the country. Of course, the matter at hand here is the private sector privacy legislation that you’re dealing with.
R. Glumac: I’m curious. How do the recommendations or the changes that are being proposed in Quebec…? I don’t know if there’s anything happening in Alberta. Have you engaged with your counterparts in those provinces, and is there alignment on those changes? Do you see differences there as well?
M. McEvoy: Yes, I’ve had conversations with both my federal colleague and my provincial colleagues on these issues. I would say that in Alberta, at this point, there is nothing being advanced, but of course, if the CPPA occurs, they’re going to have to move as well. Again, Quebec is moving out front.
The proposals that we have recommended to you are, I think, roughly in alignment with what is happening in Quebec.
M. Elmore (Chair): Okay, thanks. Anybody else on the committee?
Go ahead, Dan.
D. Ashton (Deputy Chair): Mr. McEvoy, nice to see you and your staff again. Thank you and your staff, those that are on screen and those that aren’t, for bringing all this forward. Greatly appreciate it.
I guess my issue is…. Probably not the best analogy, but I come from the Okanagan, well known for our wine. We can have a heck of a time putting it across the country. I just hope…. I look for some form of standardization or pulling it all together. If you have these different rules and regulations in different provinces — and whether they succeed over the new legislation that’s coming forward, possibly, from the federal government — I would just hope that we all work together on this somehow, without having any anomalies.
It’s tough enough these days being in business and having to follow regulations that are ever, ever, ever increasing. Private business is the backbone of this country, and I want to see people protected. I really want to see information protected, but I don’t want to make it difficult for people that have been fortunate enough to have business across the country in different jurisdictions. That’s why the similarity, to me, is incredibly important.
I’ll just plant the seed for the future, and we’ll discuss it, I’m sure, in our debate. So thank you again for bringing this forward. It’s nice to see everybody on the screen again. Thank you.
M. McEvoy: By way of comment, I would say that I completely agree with what you’ve just expressed. I do believe that what we are working here towards…. The core concepts, I think, that are central to these laws are fundamental — mandatory breach notification, proper administrative enforcement provisions. Those are some of the key elements, and some of the other ones we’ve outlined.
It is coming together, and certainly as privacy regulators — and I will say this again — we talk weekly, if not daily. We share files where there are issues that extend to, as you say, many of the businesses that don’t just operate in British Columbia — they operate across provincial borders — to ensure that they are facing not a multiplicity of different kinds of rules and regulations so that a uniform approach is taken.
I think the proposals that we made to you are, again, in line with Quebec. They’re in line with CPPA. Alberta is going to have to pull up its boots, I think, shortly. But it’s coming together, and again, we continue to cooperate on all major matters that go across provincial boundaries.
D. Ashton (Deputy Chair): Michael, do you have any inside information, which maybe is repeatable, that you may think that federal legislation might be adopted by?
M. McEvoy: I do not. I do know that, as one of the members mentioned, Member Wilkinson, it is in second reading now. I think that they are dealing with pandemic issues going towards the March break.
It’s speculation, but I think that if they’re going to tackle this issue, it would be after the March break. There are rumours about other things, dealing with parliamentary dissolution, and so forth, but there’s not much we can do to control those things. It is working its way through the process, and the government seems to be committed to move on the legislation.
D. Ashton (Deputy Chair): Okay. I would just like to echo Andrew. If we have the federal umbrella, that we all fit underneath that umbrella and that we’re all working together. As that time frame moves forward….
I don’t want to be ahead of the pack. I don’t want to be behind the pack. I want to be all together to make that…. It’s all a variation of the right word — to make it just easier for everyone in Canada and anybody having to deal with Canada.
I’ll just leave my comments there. Once again, thank you to each and every one of you that brought this information forward from your office.
A. Olsen: I appreciate the updated information. What wasn’t updated is the consistency with which you have approached this committee and the former committee and the recommendations that you’ve made.
I would say that I’ve heard your recommendations and your requests loud and clear. You make a very compelling case. I think that these are powers that need to be strongly considered in this province. So they will be, I’m sure, part of our deliberation, central to our deliberation. I just wanted to thank you for bringing these forward consistently and being clear on what you need in order to be able to do your job better.
Thanks, Mr. McEvoy. I appreciate it.
M. McEvoy: You’re welcome. Thank you for those comments.
M. Elmore (Chair): Michael, did you want to respond to that?
M. McEvoy: I was just going to say if we could have the committee all over for dinner and talk about some of these things….
It’s fascinating. We are very lucky to live in the confederation that we do. At some point in our history…. It’s replete with examples where it’s the provinces that nudged the federal authorities to do things. Health care is one of those fields that you think of. It was the tiny jurisdiction of Saskatchewan that moved this country in that field.
It’s a little bit of a yin and a yang here. I think the efforts of this committee to move forward in a leadership role will help to move this process along. More than being in any way out of step, I think it will be a help to the process across the country to ensure being, while not identical, substantially similar.
M. Elmore (Chair): No other committee members have questions here? I’m going to jump in unless I see…. I think we’ve had a good canvass of questions.
Appreciate that, Commissioner McEvoy. I’ve got some questions. I appreciate…. History is repeating itself. British Columbia — we find ourselves in a position similar to 2003, when we brought in PIPA to lead the national efforts, to give them some good ideas when they brought in PIPEDA. So we’re back with that and look forward to our deliberations.
My questions are just specific. Now, with respect to your recommendation around the enforcement piece and the mechanism…. I hear your recommendation not to go the route of setting up a separate tribunal. If an individual has a complaint with respect to consent and not being able to opt out, is that…? It’s kind of a…. I wouldn’t say minor, but it’s on an individual level with an organization. That would be an example of something that could be…. They would have to complain to your office, for example, to adjudicate that. Is that correct?
M. McEvoy: Yes, that is absolutely right. We deal with those kinds of issues on a regular basis and attend to those. Most of them, I should say, are settled. When it’s drawn to an organization’s attention what their obligations are, most want to do the right thing. On the odd occasion, these things end up before a formal adjudication, but most of the issues, probably well over 90 percent, are resolved when the complainant and the organization are able to sit down together.
M. Elmore (Chair): Thanks. I appreciate your comments with respect to automated decision-making. Certainly, we’ve just seen a rapid expansion of that, and it’s currently unregulated.
Now, I’ve heard the recommendation for a process to contest or to appeal decisions once they’ve come out. What are your thoughts? Are there best practices addressing the algorithm itself — considerations around not repeating implicit bias around gender, race and other stereotypes — from that end?
M. McEvoy: Yeah, that is a very, very good question. What we see in Europe is that actually individuals have the right to object to a machine solely making a decision that relates significantly to their rights. One of the things that has to be kept in mind about the European framework is that the GDPR is within the context of Convention 108, the human rights provisions. That’s kind of the overlay in which privacy is set in Europe.
It’s one of the reasons, I will just say as an aside, that my federal colleague, Commissioner Therrien, wants the federal government to adopt statements of human rights in the context of legislation federally for the very kinds of reasons that you talk about. For Europe, in terms of being able to file the objection and to stop that processing, that’s considered to be a pretty dramatic remedy.
Our recommendation, as you know, doesn’t extend as far as that. But it does give an individual…. First of all, the individual has to know that the decision is being made about them. That is a weakness of the federal legislation now. The decision about an individual through AI may never be known to an individual the way that legislation is set up.
What we’re recommending in British Columbia is that if a decision is being made about you solely by a machine, you have a right to know that. Also, the organization has an obligation to receive any complaints about that. It’s complicated, because there are issues around…. An organization surely has to explain some of the logic behind the machines, but then there is intellectual property, sometimes, associated with the actual algorithm and how it works.
It’s another reason why, in my view, regulators such as myself should have the legal right to do audits of businesses without necessarily having reasonable grounds, because it’s an opaque situation. People wouldn’t know what to complain about, because they don’t know what’s in the black box. I think the right of regulators to go in to do audits — under reasonable circumstances that would allow us to judge whether this is being done fairly in an individual context — is important.
It’s also, if I may, a reason why further explicit authority to my office to work with others — such as the Human Rights Commissioner, such as the Ombudsperson — on issues like this, jointly, is really important. Right now I am working with the Ombudsperson to discuss AI in the public sector and looking at guidance and guidelines around how that can be done fairly — in a roundabout way, I think, answering some elements of your questions.
It’s, for sure, a complex matter but one that I think has to be addressed, because it is surely going to become more and more prevalent as we move in time.
M. Elmore (Chair): It’s certainly not an easy issue, and I agree with you in terms of the need to be proactive as we see more AI come into the field. So thank you. That’s helpful.
Okay. Last call for questions here that are sparked from anyone. I think we’ve had an excellent canvass of this.
R. Glumac: I just have one more question. I recognize that you are probably the foremost expert in this area. I had a question in the last presentation, and I’m wondering if you might be able to help answer it.
I sit on another committee, on reforming the Police Act, and several stakeholders have brought up access to depersonalized information as being helpful to see if there’s any systemic racism and things like that. They’ve called for changes to legislation to allow for this kind of thing. I’m just curious. Do these changes that are being proposed in C-11 and in the recommendations that you’re making, would it make access to that kind of information more readily available, or would it have any impact at all?
M. McEvoy: That is a very good question. Bill C-11, I think, does open the door. I wouldn’t say broadly, at this point. What it allows an organization to do is de-identify your information. Here’s the problem: they don’t have to tell you that. If it’s gone amiss or it’s not de-identified properly, you wouldn’t know what to complain about because they don’t have to tell you that it’s being de-identified.
Bill C-11 allows an organization to use that de-identified information about, obviously, a range of individuals. But it can use it for internal research purposes. Beyond that, it can also share that information with governmental authorities and others for what are called socially beneficial purposes. But it doesn’t allow a willy-nilly sharing of that information out to others.
You can understand why there is great debate about the whole term de-identified information in the modern age, because as that so-called de-identified information gets out in the broader world, it can be linked with other databases, which can then quickly lead to the re-identification of individuals. So we have to be very, very careful around this whole concept of de-identification and how it’s done.
Certainly, for research purposes, it can be very important, and it can be done in a secure environment where you’ve got properly administered programs, where you’ve had ethics boards looking at issues and so forth. Pop Data B.C., as some of you may know, housed at the University of British Columbia, has an outstanding facility to do exactly that, to take databases, to de-identify them, to link them together for research purposes — all done in a secure environment and for socially beneficial purposes.
We just have to be very, very careful, though, when we begin allowing de-identification by organizations without the obligation on those organizations to tell individuals. Then what happens to that information afterwards?
R. Glumac: You mentioned this organization that does this work right now, to aggregate this information in a proper way. Would this legislation…? How does any of that change? How would…? The legislation would just basically notify, or it wouldn’t notify, but you’re proposing that they should be notified?
M. McEvoy: The legislation, as we propose, doesn’t really change the provisions of PIPA, which allows the disclosure, actually, of personal information for research purposes. Now the legislation allows for that. Research purposes being health and so forth — that is permitted. For example, Pop Data, as I mentioned, would use that data for that purpose and to link things together for socially beneficial research. None of that is altered in the recommendations that have been made here.
Again, what we need to be incredibly careful about is the ability of organizations to de-identify people’s personal information and to allow that to be set into the wild, as it were, where, again, it could be re-identified.
Bill C-11 opens the door slightly because what it allows businesses to do is to de-identify our information without telling us and use it for internal research purposes.
M. Elmore (Chair): Is that everything, Rick?
R. Glumac: Yes, thanks.
M. Elmore (Chair): Okay. Terrific. I think that’s everybody. I don’t see anyone else.
I want to thank you very much, Michael McEvoy, Information and Privacy Commissioner, and your team, Michelle Mitchell, oline Twiss, Jeannette Van Den Bulk and all of you. Thank you. Appreciate your presentation. It really helps to lay out the groundwork in front of us and will inform us in our deliberations. Thank you very much for your time today.
M. McEvoy: As always, we remain ready to assist the committee in whatever…. If there are follow-up questions or anything else, my team and I will be there to assist.
M. Elmore (Chair): Appreciate that. We’ll be in touch.
Okay, so that was helpful, and I hope it got a lot of questions answered.
Committee Workplan
M. Elmore (Chair): Next on our agenda we have our draft workplan. I’ll need a motion to go in camera.
Dan is moving a motion to go in camera.
Motion approved.
The committee continued in camera from 2:56 p.m. to 3:50 p.m.
[M. Elmore in the chair.]
M. Elmore (Chair): We are now reconvening the Special Committee to Review the Personal Information Protection Act.
I will ask for a motion to adjourn.
Moved and seconded.
Motion approved.
The committee adjourned at 3:50 p.m.