The committee met at 9:02 a.m.

[M. Elmore in the chair.]

M. Elmore (Chair): Good morning. I’d like to welcome everyone participating in and listening today to our public hearing. My name is Mable Elmore. I’m the MLA for Vancouver-Kensington and the Chair of the Special Committee to Review the Personal Information Protection Act.

I’m pleased to be joining you from the traditional territory of the Musqueam, Squamish and Tsleil-Waututh Nations.

We are an all-parliamentary committee of the Legislative Assembly with a mandate to review the Personal Information Protection Act. In support of this, the committee is holding public hearings to gather input from British Columbians.

In addition to the public hearings, the committee is also inviting British Columbians to send us their thoughts in writing before July 30. All the information we receive will be carefully considered as we prepare our report to the Legislative Assembly, which will be released in December this year.

I encourage anyone who’s interested in the consultation or wants to learn more about the work of the committee to visit our website at www.leg.bc.ca/cmt/pipa.

The committee is looking forward to hearing from a number of presenters today, which is our last public hearing. I’ll now ask the members of the committee to introduce themselves, starting with vice-Chair Dan.

Go ahead, please.

D. Ashton (Deputy Chair): Good morning, Brenda. Welcome. I’m proud to represent the people from Penticton to Peachland, in the Okanagan. Thank you for coming.

A. Wilkinson: I’m Andrew Wilkinson, and I represent Vancouver-Quilchena.

K. Greene: I’m Kelly Greene, MLA for Richmond-Steveston.

Today I’m coming to you from the traditional territories of the Musqueam people.

G. Begg: Morning, everyone. I’m Garry Begg. I’m the MLA for Surrey-Guildford.

I’m proud today to be on the traditional territories of the Coast Salish people, including the Kwantlen, Semiahmoo and Katzie First Nations.

M. Elmore (Chair): And we have Rick. Go ahead, Rick.

R. Glumac: My name is Rick Glumac. I’m the MLA for Port Moody–Coquitlam on the traditional territory of the Coast Salish.

M. Elmore (Chair): All right. Thanks. We got that. Assisting the committee today and also joining us are Susan Sourial, Lisa Hill and Mai Nguyen, from the Parliamentary Committees Office. Bill Young from Hansard Services is also here to record proceedings.

[9:05 a.m.]

Our first presenter this morning is Dr. Brenda McPhail, who is the director of the privacy, technology and surveillance program at the Canadian Civil Liberties Association.

Brenda, you have up to 15 minutes for your presentation. Hansard Services has provided a timer, which will be visible on your screen if you use gallery view. All right. Everybody has been introduced, so Brenda, go ahead.

Presentations on
Personal Information Protection Act

CANADIAN CIVIL LIBERTIES ASSOCIATION
PRIVACY, TECHNOLOGY
AND SURVEILLANCE PROGRAM

B. McPhail: Thank you very much for the opportunity to join you today.

I’m on the land which was the territory of the Huron-Wendat First Nation, the Seneca and the Mississauga of the Credit River.

I’m grateful to be invited, on behalf of the Canadian Civil Liberties Association, to make submissions before your committee today. As you probably know, the CCLA is an independent, non-partisan charity founded in 1964 to promote fundamental human rights and civil liberties across Canada.

My comments today supplement the written submissions that CCLA made previously to this committee in August of 2020, which included 16 recommendations directed towards mitigating evolving risks to privacy and encouraging a principle-based approach to enhancing privacy protections in our big-data, big-tech world.

Since those submissions, the Canadian privacy landscape has changed yet again. Bill C-11 was tabled last fall, and more recently, Ontario has released a white paper laying out principles for a made-in-Ontario private sector privacy act, where they, arguably, are seeking to set a new bar for provincial data protections.

Today I will focus in particular on three aspects of Bill C-11 that the committee may wish to consider during your deliberations, given the necessity of alignment with the federal private sector act. Of course, though it’s presently unclear whether C-11 will ever pass in its current form, certainly many critics, including the CCLA, believe it requires significant improvement to be fit for purpose.

I’ve identified those parts of the bill dealing with de-identification, publicly available information and automated decision-making, which will almost certainly persist in some form in whatever the next version of PIPEDA may be and I believe are of core importance in contemporary privacy conversations.

I’d also like to speak, time permitting, to two significant omissions in Bill C-51. The first is the advisability of recognizing privacy explicitly as a human right, and the second is considering enhanced protections for particularly sensitive information, specifically biometric information. I’ll actually go in reverse order. I’ll begin with the gaps and then move on to the alignment issues.

Privacy as a human right is something that the CCLA has advocated for, for a long time. The Supreme Court of Canada has affirmed the quasi-constitutional status of both the federal and provincial privacy legislation and recognized that we need privacy in order to fulfil the other rights that are protected by our Charter of Rights and Freedoms, including freedom of expression and equality rights.

While CCLA acknowledges that there are clear benefits to an innovative, data-driven economy, we contend we cannot ignore the rapidly growing power imbalance between individuals, residents and organizations. That makes our rights-based statute more important than ever. And we gain support from the fact that one of the foundational features of the general data protection regulation in the EU, to which Canadian laws require equivalency status, is in fact an approach which recognizes the right to privacy as a human right.

While the drafters of C-11 failed to heed the advice of the federal Privacy Commissioner and a wide variety of civil society actors to include privacy as a human right in that bill, Ontario is in fact considering whether or not to do so in its legislation. Their suggested language for a preamble, which I commend to you, is: “Privacy is a foundational value in society. Every individual is entitled to a fundamental right to privacy and the protection of their personal information.”

The second gap in existing privacy legislation is around protecting sensitive biometric information. In our previous submissions, CCLA recommended that this committee might wish to grapple with the difficult issue of protecting that kind of information. And since then, there have been two sets of findings released by privacy regulators: the first regarding Clearview AI’s data collection practice under private sector privacy laws, in which B.C.’s commissioner, of course, took place; and then the federal investigation into the use of that same company’s facial recognition software by the RCMP under the Privacy Act.

[9:10 a.m.]

Both of those investigations highlighted the need for better protections for this particularly sensitive category of information that is increasingly possible to collect behind the scenes in ways that are not transparent, that are not accountable and that fundamentally raise the spectre of plug-and-play mass surveillance.

There are laws in other jurisdictions that appropriately address the sensitivity of this information. The CCLA would suggest that the committee may wish to consider the California Consumer Protection Act and their appropriately broad definition of “biometric information,” which includes an individual’s physiological, biological or behavioural characteristics, including an individual’s DNA, “that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.”

That same act explicitly excludes biometric information from the definition of information that can be considered publicly available, which is a very important protection because it assures that when residents of British Columbia would be walking through their streets or browsing online, that information couldn’t be gathered by a company without notice.

Turning now to the categories identified in Bill C-11 as necessary for a modern privacy law, if not dealt with entirely well, the first is de-identified personal information. CCLA would recommend the explicit inclusion of de-identified information within the scope of B.C. PIPA. It’s our position that de-identified information, because it requires the processing of personal information, is and should remain in scope of privacy legislation. That’s not to say that such processes don’t provide safeguards to privacy, simply that they shouldn’t take personal information subject to such processing outside the core protections of the act.

The reason that we have this concern is there is public debate regarding this position. There are industry players who would argue that PIPA’s coverage of personal information, because it is about an identifiable individual, might leave de-identified information without legal protection. C-11 attempts, but perhaps doesn’t quite succeed, to make it clear that de-identified data is appropriately within the scope of that law.

A paper by Lisa Austin and David Lie that I commend to the committee argues convincingly that it’s very problematic to try and draw a bright line between what is identifiable and what is not identifiable for the purposes of determining what should be regulated and what is not. Regulation requires consideration of the spectrum of risk rather than a binary distinction. Of course, that continuum-of-identifiability approach is consistent with the approach taken by the GDPR.

When it comes to de-identified information, we strongly encourage this committee to consider including meaningful definitions for the various identity obfuscation techniques, including de-identification, pseudonymization, anonymization and aggregate information, to ensure that those techniques are applied in ways that are covered under PIPA, that meet transparency and openness requirements and that have accountability requirements, consent requirements and purpose specification requirements subject to a proportionality analysis. And of course, reidentification should be prohibited, with appropriate penalties.

Moving to publicly available information, CCLA would suggest that private sector privacy laws really need to protect individuals from collection, use or disclosure of their personal information without their consent by organizations engaged in commercial activity. That is the core goal of a private sector privacy law. It’s important to address the potential slippage of that protection if definitions or regulations relevant to publicly available information are insufficiently narrow.

Bill C-11 allows for organizations to collect, use or disclose an individual’s personal information without their knowledge or consent if that information is publicly available and specified by regulations. That’s not dissimilar to the current state of the art in B.C. PIPA, in section 15(1)(e). The concern comes from what we’ve seen of corporations either ignoring those regulations or advocating to expand the categories of information, specifically to include social media sites.

[9:15 a.m.]

But as our federal Privacy Commissioner has noted in his submissions on Bill C-11, a fit-for-purpose definition of publicly available information in the social media age should include considerations of whether an individual has a reasonable expectation of privacy in that information.

Again, the Clearview case argues why this is important or demonstrates why this is important. They tried to argue in that investigation that scraping three billion images of people from the Internet was legitimate because the information was public, online, completely ignoring the fact that no reasonable person would expect the photos that they posted of themselves or their kids to share with Grandma would result in putting them or their children in some sort of global, perpetual police lineup.

So we strongly encourage the committee to consider that any amendments to the regulations to broaden or modernize the categories of information that are included in the definition of “publicly available” should include the criterion of reasonable expectations of privacy in such information, regardless of its availability in an online platform.

Lastly, I would address the issue of automated decision-making, which is also covered under Bill C-11. We all know, of course, that automated processing used for making decisions about people can have negative affects because algorithms aren’t neutral. We’ve all heard the stories, read the news articles about the ways that the biases of their designers can be imported, the ways that existing discrimination can be further embedded by the use of algorithmic tools.

Of course, the lack of transparency in automated processing further complicates matters. AI decision-making is often described as a black box that even the designers of the program can struggle to explain. So given that opacity and the potential for discriminatory impacts, CCLA supports a legal right to object to automated decision-making and to be freed from such decision-making subject to limited exceptions.

Bill C-11 addresses this by including openness provisions that require organizations to make a general account of the organization’s use of an automated decision system to make predictions, recommendations or decisions about individuals that would have significant impacts on them. It also includes access provisions, which entitle an individual to an explanation of how their personal information was used to make such a decision. However, it fails to provide any recourse for the affected individual should they wish to contest the use of their information for such a purpose.

CCLA would argue that all persons should be granted the right to object to automated decision-making, and that right should include the right to request human intervention to contest automated decisions that have been taken and to express the objector’s point of view about that decision.

We further believe there should be a legal right to be free of automated processing, including profile, without having to actively object. Of course, exceptions to that right could include situations where explicit consent has been obtained, where an automated decision is necessary for a freely-entered-into contract or when such decision-making is prescribed by law. These proposals are in alignment with the new EU proposals on algorithmic processing in addition to being in alignment with articles 21 and 22 of the General Data Protection Regulation.

Thank you for the opportunity to speak before you today. I look forward to your questions.

M. Elmore (Chair): Thank you very much for your presentation, Dr. McPhail. I’ll open it up to questions or comments from committee members.

Kelly, go ahead.

K. Greene: Thank you, Dr. McPhail. That was a fantastic presentation.

I just wondered if you had specific comments. You had touched on minors having their images captured. Do you have any specific recommendations on how minors’ information would be treated differently than perhaps adults?

B. McPhail: Yes. We did address that in our August presentations. Broadly speaking, many of the concerns that we have about processing of sensitive information includes information about children, whether or not it’s biometric, because young people are potentially vulnerable.

[9:20 a.m.]

There are many ways in which they can operate online outside of the knowledge or understanding of their parents, and they are a very productive marketing target for private sector organizations, both in and of themselves, because they are easily influenced, potentially, by marketing but also as influencers in their household.

There’s a lot of data that suggests that private sector companies are very anxious to find effective ways of marketing to young people. As a consequence, protecting their personal information — particularly information that can be fed into algorithmic decision-making that would allow them to be targeted in a granular way for particular kinds of products — is extremely important.

M. Elmore (Chair): Any other committee members for questions?

A. Wilkinson: A quick question.

M. Elmore (Chair): Go ahead, Andrew.

A. Wilkinson: This is very thoughtful and helpful. We tend, in this space, to deal in fairly theoretical terms, but your presentation has made me think. Most of us, the vast majority of us, have come to appreciate Revenue Canada’s online tax filing systems. There’s generally no great love for Revenue Canada in this country, but it actually works very well. One would assume that they have automated processing to get through 25 million tax returns as quickly as they do.

If the option is given for people to say, “No, I want human processing,” and 20 million taxpayers take it, is it overkill…? It may be quite innocuous what Revenue Canada is doing, but the skepticism leads people to make a rash decision that completely bogs down a very effective system.

It’s just a practical point. I’m not arguing with you. I’m just saying: “Your thoughts, please.”

B. McPhail: I mean, I think there are two ways to answer that question. One is that I’m specifically concerned, in this presentation, with private sector users of automated decision-making that would not be prescribed by law. In the case of the CRA, it’s a public sector activity mandated by our publicly accountable, democratically elected representatives and conducted by a federal body that’s responsible to those representatives, rather than a private sector organization.

It’s possible to consider that there may be different safeguards and a different right line in terms of what rights people should have in relation to objecting to processing in that context.

The other sort of principled point — principled but pragmatic point — in that regard is that it would be very unlikely that the vast majority of people would object to that processing, particularly when it results in the demonstrated benefit of getting their refunds more promptly. So a limited exception or right to object that required appropriate documenting of the concerns that the individual had might be a sufficient threshold to limit the number of objections but still require that sort of fundamental right to having a human in the loop in a decision process to be respected.

A. Wilkinson: All very valid and thoughtful points. I suppose the obvious corollary is too many of us have become quite happy with rapid delivery times from Amazon and appropriate pricing, and a lot of our personal information is going down to Washington state to feed the algorithm.

It takes an extraordinarily informed population to be able, on a theoretical menu of Amazon approaches two years from now, to say: “I, Andrew Wilkinson, choose to have human processing of my orders without retention of data.” I suppose Amazon would be canny enough to put up on the screen: “Well, then your order is going to take three weeks, not three days.”

B. McPhail: I think that’s true.

A. Wilkinson: I suppose the point is that we have…. In this electronic world, our data is not going into very competitive environments. It’s going into utilities. Whether you call it B.C. Hydro or Revenue Canada or Amazon or Apple, they are becoming so pervasive in the marketplace that they behave more like utilities with monopoly pricing and monopolistic behaviour.

The concern is that their behaviour will be like a utility: “Well, if you don’t want electricity, then cut yourself off. Have a nice day.”

[9:25 a.m.]

B. McPhail: It’s true. I mean, there’s also the practical consideration that a threshold regarding these rules can be put in place. So people can appeal decisions that have a significant impact on them, and then it would be debatable whether or not the Amazon delivery example would qualify under that threshold.

Of course, one of the reasons for all of these recommendations is that in a big data world, we are increasingly facing an asymmetrical power relationship between individuals and the increasingly large data-collecting Goliaths that are aggregating and accumulating information about us, both information about the transactions that we know we’re conducting and information from what Shoshana Zuboff, in her book Surveillance Capitalism, calls our “data exhaust,” which is just the bits and pieces of information that we scatter about the Internet just in the course of functioning online.

A modern privacy law needs to recognize that risk to residents of British Columbia and to try and find ways to mitigate it.

M. Elmore (Chair): Any further questions from other committee members?

Dr. McPhail, I’d like to thank you very much for your presentation. It’s been very helpful for us. Thank you for taking the time. We really appreciate it. Have a great day.

B. McPhail: Thank you. We very much appreciate the opportunity. Bye-bye.

M. Elmore (Chair): Okay. We’ve got our next presenter coming online now. We see here…. All right, Jonny, nice to see you. Great we’ve got you here.

Our next presenter is Jonny Morris, CEO of the Canadian Mental Health Association, B.C. division.

Welcome, Jonny. You’ll have up to 15 minutes for your presentation. Before you begin, I’ll ask members to introduce themselves.

My name is Mable Elmore. I’m the MLA for Vancouver-Kensington and the Chair of the Special Committee to Review the Personal Information Protection Act. Next I will have our vice-Chair, Dan.

D. Ashton (Deputy Chair): Thanks, Mable.

Mr. Morris, welcome. Good to see you. I have the honour of representing the people from Penticton to Peachland in the Okanagan, and I’ll pass it over to Andrew.

A. Wilkinson: Thanks. I’m the MLA for Vancouver-Quilchena.

K. Greene: I’m Kelly Greene, MLA for Richmond-Steveston.

I’m coming to you today from the traditional territory of the Musqueam people. Welcome.

G. Begg: Morning, Jonathan. I’m Garry Begg. I’m the MLA for Surrey-Guildford.

I’m coming to you today from the traditional territories of the Coast Salish people, including the Kwantlen, Semiahmoo and Katzie First Nations.

R. Glumac: I’m Rick Glumac, MLA for Port Moody–Coquitlam.

I’m on the traditional territory of the Coast Salish peoples.

M. Elmore (Chair): Thank you, Members.

I’m joining from the traditional territories of the Musqueam, Squamish and Tsleil-Waututh nations.

Go ahead and begin when you’re ready, Jonny.

CANADIAN MENTAL HEALTH ASSOCIATION
B.C. DIVISION

J. Morris: Well, thank you so much, MLA Elmore, committee Chair, and committee members. It’s a pleasure to be joining you this morning. Before I get going with an acknowledgment of the territory, thank you for all of the work that you’re doing to review this important piece of legislation. It’s a significant undertaking. On behalf of the association, significant appreciation and deep respect for the work that you’re doing with your review right now.

I trust that the committee team have…. I’ve shared some slides with you to walk through. Hopefully, they’re there with you. Otherwise, I’ll be as descriptive as I can be as I walk through some material on behalf of the Canadian Mental Health Association this morning.

Before I get underway, I do want to acknowledge — this would be slide 3 in my deck — that I am joining you as an uninvited settler today from the unceded ancestral and traditional Coast Salish territories of the Lək̓ʷəŋin̓əŋ-speaking and W̱SÁNEĆ nations particularly and also the chartered community of the Métis Nation of Greater Victoria.

By way of a quick orientation to CMHA B.C. — this would be slide 4 — I’ve met many of you before at other committees pertaining to mental health and substance use care in this province. It’s a pleasure to see familiar faces and new faces. We’ve been incorporated in Canada for about 103 years — one of the most established mental health charities — and here in B.C. since 1952. We have four pillars of work that govern our activities, particularly in the areas of promotion of mental health education and training. We’re undertaking significant work in those areas — right now a real focus on workplace mental health.

[9:30 a.m.]

We do individual and systemic policy work and advocacy. Hence, being here today to shine a light on this legislation and its implications for mental health and substance use care is very much part of our remit. We offer a range of direct and indirect provincial services, with some of our services reaching millions of people, actually, sometimes worldwide, in service of people’s mental health and substance use care. We have a network of 14 branches around the province.

On slide five, we paid particular attention to making sure that the commentary aligned with the guidance that your committee team, your committee Clerks, have put forward. We spent some time looking at the OIPC recommendations that have been advanced to your committee, Chair and members. I would say, looking at the ten major areas that the OIPC have advanced with the link to the CPPA, item No. 3 is probably the closest aligned — the issue related to consent, whether it be for the collection or the disclosure of personal information.

I’ll get into that in a second. I’m going to align my comments very specifically to that piece, rather than a general overview of the implications of the act.

The other piece I would say at this point, committee members and Chair, is that we’re very excited that a parallel review of FIPPA is happening. We have care and concern around PIPA because of its jurisdiction over private sector agencies, including agencies like mine. We recognize that the interface between public and private sectors is becoming inherently more complex and intricate, particularly between physicians within the context of integrated primary care. I know, MLA Wilkinson, this will be familiar to you as a former physician.

There are lots of those interfaces that we’re wanting to kind of grapple with and offer advice to you as a committee. My hope is to seek permission to present to the FIPPA committee as well, to provide a parallel bit of commentary on its implications that public [audio interrupted] of people with lived experience of mental health problems and also their family members and people who serve them — clinicians, doctors, physicians, etc.

On the screen, on slide six, you’ll see four reports sitting in front of you that are germane to your current review. A report released in 2008 really called upon folks in the public sector — so less relevant for your PIPA review — to exercise discretion in the disclosure of information that can often be life-saving. One of the challenges we’ve seen over the years is the comfort and confidence that people have with disclosure, particularly in life-threatening circumstances.

A colleague of mine, David Loukidelis, who I spoke with earlier, and he’s offered some good advice with my presentation this morning….

Are we back online, Susan?

Are we good, Chair Elmore?

M. Elmore (Chair): Yeah. Continue. I think it was Susan who was bumped out, so we’ve been able to follow you the whole time.

J. Morris: Okay, great.

I was mentioning earlier that historically there have been challenges and questions around the sharing of information. There was good provincial guidance offered by David and Ann Cavoukian, both Information and Privacy Commissioners at the time, in ’08. That guidance is still germane today in the sense of, I think, a need for clarity and robustness in the area of statute. Often when you’re in the middle of these situations there isn’t time to leaf through the intersecting pieces of statute and legislation to make a decision.

You’ll see other reports there, including the prescription for legislative reform released in 2014. I re-reference one of their recommendations later on in my slides. The third report is work we did, actually, to try and lend some clarity to the sector around mental health and information-sharing. Then, finally, a toolkit that was released very recently, a very long toolkit, by physicians who are also trying to clarify.

I guess, as a bit of a teaser for my recommendations, I would be urging the committee to leverage your influence, in your recommendations, to be in service of clarifying what arguably can be quite a complex framework.

The key ideas underpinning the recommendations I’m bringing forward today really focus on five things. Fundamentally, the right to privacy and confidentiality is inalienable. It’s fundamental for mental health care to work. We absolutely need to protect that as much as we can.

[9:35 a.m.]

We’ve also heard from family members. There are some of these themes, actually, in the B.C. Schizophrenia submission you released prior to the last session, where family members…. The sharing of information is also critical. Sometimes these frameworks aren’t flexible enough to allow for sometimes life-saving information to be transmitted to family members and also for information to be gathered from family members. So I reference that as a key idea to hopefully animate your deliberations.

Third, we’ve heard time and time again from clinicians and physicians and others who work in the area of mental health and substance use that there’s sometimes a desperation — at least, a profound hunger — for clarity around what information can be shared under what circumstances. When you think of two pieces of legislation, FIPPA and PIPA, plus the Mental Health Act and other pieces — the E-Health Act — there’s a range of legislation that isn’t in a coherent framework that’s easily discernable for decisions that sometimes have to be made in the moment.

Four, I think of Loukidelis and Cavoukian. This phrase of “life trumps privacy” is key. We want to protect that inalienable right in mental health care; otherwise, care wouldn’t exist. It’s a sacrosanct thing we need to protect, but not at the expense of life. There have been incidents over the years where privacy has prevailed and life has been lost. That’s an unacceptable outcome, arguably. Thinking through reform or review of legislation with that principle in mind, I think, is very important.

I hearken back to the OIPC recommendation in 2014: there is an opportunity for government to “enact new comprehensive health information privacy law at the earliest opportunity.” That was in 2014, so it’s seven years later. There is, I think, a real appetite, at least in my sector, for that kind of coherent framework to be realized.

Within PIPA, the particular section, with…. The balance of time I have left with you, presenting, really does focus on section 18 of PIPA. This would be slide No. 8, and there’s also a linkage to section 15. I’m appreciative of advice from David Loukidelis in thinking through our submission and our thoughts. The section here — and I won’t read through it; it’s very familiar to you, likely, as committee members — speaks to the use of personal information without consent and, particularly in this case, the disclosure of personal information without consent.

These here, again, arguably are quite, quite good in some ways in providing some clarity to a private sector — so an employer, for example, who might be concerned about an employee who’s experiencing a mental health crisis, who’s deteriorating, but doesn’t know if they can disclose that information to a trusted family member or a professional. There is some robustness here, but arguably, there is still risk within the context of these provisions for a private sector entity who could act failing to act because they think they might be breaching the law.

One of the pieces that we would be encouraging is reflection upon these provisions. If health privacy legislation isn’t forthcoming, are there ways to lend some clarity in these provisions and in parallel in FIPPA to enable actors, both in the public and private sectors and third sector, to act with confidence in disclosure and use of information if they’re concerned? Often, as you know, committee members, it isn’t as clear-cut as imminent threat to self or to others. There’s often a grey zone where a disclosure without consent could be the most prudent thing to do to get someone help whilst being respectful and protective of someone’s rights to privacy and confidentiality.

I think, from a scenario perspective, you could imagine an employer who’s worried about an employee. There may be concerns about their mental health and well-being. The relationship might not be there for the employee to be forthcoming with their employer about what’s happening.

We want to ensure that employers don’t go fishing for personal health information when they shouldn’t, and there may be occasions when that person is getting to a point where reaching out to a spouse or a partner or a professional might be the right thing to do to get that person connected to care and help. Sometimes I think the legislation could be improved with its clarity to support that work, going forward.

Recognizing that I’ve got about 3½ minutes left with you, the three recommendations that we’re bringing forward respectfully to the committee to consider, Chair and committee members, focus on three things. I think this will echo some of your submissions received during the last session of parliament and also most recently, as your deliberations continue.

[9:40 a.m.]

First, we would be encouraging the committee to consider ways of ensuring that provisions in PIPA that allow disclosure of someone’s personal information without consent are more robust and clear to ensure protection of both privacy and health — so that has to be a governing principle, absolutely — and also provide the requisite clarity for private sector organizations so that they know when they can disclose if they believe someone is in crisis or in need of care. Often the tricky parts are assessing for capacity — that’s a very a tricky thing to do — understanding what best interests might be, and who would be an appropriate disclosure to, which leads me to recommendation No. 2.

The OIPC has been strong in previous years in issuing guidance for the sector in this area, and I think we see an opportunity to leverage guidance in the context of mental health and substance use care specifically, particularly given the layers of stigma and discrimination that are still replete in the world of mental health and substance use.

The second recommendation — and this may be beyond the remit or mandate of this committee; I’m not sure — would encourage you to consider recommending the development of updated guidance by the OIPC on privacy and information-sharing in the context of mental health and substance use care in ways that align with any reform you might be entertaining with the act or if the development of health privacy legislation is on the horizon.

Finally, No. 3. I think you’ve heard this from the current Information Commissioner here in the province. I know you’ve heard it from previous commissioners — Liz Denham and others. I think others have come forward to speak to, arguably, the imperative, or the opportunity, to improve coherence in the legislative framework between FIPPA, PIPA and other statutes that cover health privacy and disclosure.

I’ve read in your submissions that of course with the advent of digital technology, shared medical records, integrated primary care, all of these things speak to a need for collaboration, circles of care around people. So often the need for a comprehensive, coherent, circle of care with express written consent, or sometimes without, is so critical for someone in distress, whilst protecting their rights and enabling sometimes life-saving information to be shared in a responsible way around a care team around someone.

Arguably, the current legislative framework, at the very least, from what we’ve heard over the years, can be mystifying for people in the sector, leading to undersharing — an absence of information-sharing — or oversharing — problematic sharing that could be resolved with a coherent framework and guidance.

I’ll end there, committee Chair.

M. Elmore (Chair): Perfect timing. Thank you for your presentation. I’ll open it up to questions to committee members.

A. Wilkinson: Mable, something that didn’t come up is this GDPR concept of the right to be forgotten and how that might manifest in the world of mental health care, where someone, whether in an ill state or a well state, asks that their entire record be abolished. Has that been considered? It’s a very problematic thing. There’s no clear answer.

J. Morris: Committee Chair, if I may?

Thank you so much, MLA Wilkinson, for that question. It’s actually a consideration I hadn’t thought through, but as your question just sits with me, interestingly, the issue has come up in kind of a divergent way in the past decade with regard to the presence of health information in the context of police information checks.

Elizabeth Denham, at the time, wrote a report that signalled significant concern about, for example, a 19-year-old who had been in crisis, a suicidal crisis. Police attend, and then it shows up on their vulnerable sector check when they’re applying for a practicum in their undergraduate education. It has a huge chilling effect on securing volunteer opportunities, crossing the border and what have you.

I think, MLA Wilkinson, your question is a very important one around where that might show up. There was a significant campaign, and police bodies nationally and provincially were progressive in addressing this issue and responding to the commissioner’s recommendations.

[9:45 a.m.]

Efforts were made to remove particular kinds of mental health information from police databases — so in some ways, a right to be forgotten — about an incident that happened six years ago. I think that’s a good example of the application of that GDPR principle. I think there are other spaces that could be examined and looked at so that your mental health history doesn’t lead to a loss of life chances later on in your life.

M. Elmore (Chair): Any other further questions?

G. Begg: Just a follow-up to what Jonathan has said. I have some practical experience, from a policing point of view, where there is a conflict between the information that is available to a psychiatric nurse, for example, who is sitting in the same police car with a police officer. It is appropriate, in my view, that the psychiatric nurse guards zealously the medical information about a client. However, I think it’s fairly apparent that the conflict can be detrimental to the health and well-being of the client.

I know it’s a constant struggle. I know it was. I was in Surrey, for example, when we started the Car 67 program. It’s an interesting issue. You have given the proviso that I think is important, which is that if there is imminent threat to health or well-being, then we must allow for that to happen. It’s really an interesting scenario.

Hopefully, wherever we end up, we will end up erring on the side of caution — that’s not the word — but erring on the side of the health and well-being of the subject involved. It’s a very interesting phenomenon that I suspect will increase over the coming years.

J. Morris: Chair Elmore, just responding to the committee member.

Thank you so much, MLA Begg. I appreciated the opportunity to interact with you at the Special Committee on Reforming the Police Act. I think you’re situating a very live and active concern. I think, particularly given the current government’s mandate around situation tables and a desire for free-flowing information at those situation tables between health professionals and public safety professions, the question you’re raising is going to have to be tackled and probably advanced further than where it currently is.

We at the association would absolutely take the principle that health information shouldn’t be sitting in police databases. I think that’s a key distinction we need to track. When you’ve got integrated models like Car 87 — and I know we’re in a bit of the public space now with this line — there are ways, I think, to firm up rigorous information-sharing agreements. I think some of this work has been done that governs the use, the sharing and the collection of that information, because it can be sharing.

I think of the situation of dispatch, right? Again, public sector. You’ve got a dispatching team who is sending a police officer to someone where there is a history of perhaps hearing voices or living with schizophrenia. For the dispatching officer to know that shouting a command, “Put down your weapon,” may not be readily registered because of the health condition of the person could be life-saving, right?

So how do we balance…? It’s a tricky conundrum how we balance the right of that person to not have their information trafficked around police databases, much like the example I gave previously, but also to allow deliberate, intentional, thoughtful, caring responses with information so that the right use of force can be used in those situations. Incredibly complex, but I think the advent of a comprehensive health privacy sharing framework with those case scenarios in mind would go a long way, MLA Begg, in tackling that conundrum. I appreciate you raising it.

M. Elmore (Chair): Perfect.

Any further questions from committee members?

Jonny, I’d like to thank you very much for your presentation. You’ve really given us a lot to think about, certainly in terms of balancing these important issues that you bring forward. Thank you very much for taking the time and providing the submission to us today. We really appreciate it and hope you have a great day.

[9:50 a.m.]

J. Morris: Thank you very much indeed.

M. Elmore (Chair): Okay. We’ve got our next presenter here, I see.

Our next presenter this morning is Jill Tipping, president and CEO of the B.C. Tech Association.

Thank you for joining us today, Jill. You’ll have up to 15 minutes for your presentation. Hansard Services has provided a timer, which will be visible on your screen if you’re using gallery view. Before you begin, I’ll ask members to introduce themselves.

My name is Mable Elmore. I’m the MLA for Vancouver-Kensington and the Chair of the Special Committee to Review the Personal Information Protection Act. I’m joining you today from the traditional territories of the Musqueam, Squamish and Tsleil-Waututh Nations.

Next, we’ll hand it off to our vice-Chair, Dan.

D. Ashton (Deputy Chair): Thanks, Mable.

Good morning, Jill. I’m Dan Ashton. I represent the people from Penticton to Peachland. I’ll pass you over to Andrew.

A. Wilkinson: I’m Andrew Wilkinson, representing Vancouver-Quilchena.

K. Greene: I’m Kelly Greene, MLA for Richmond-Steveston.

I’m coming to you from the traditional territory of the Musqueam First People.

G. Begg: Hi, Jill. I’m Garry Begg. I’m the MLA for Surrey-Guildford.

I’m joining you today from the traditional territories of the Coast Salish peoples, including the Kwantlen, Semiahmoo and Katzie First Nations.

R. Glumac: I’m Rick Glumac, MLA for Port Moody–​Coquitlam.

I’m on the traditional territory of the Coast Salish peoples.

M. Elmore (Chair): Thank you, Members.

Jill, please begin when you’re ready.

B.C. TECH ASSOCIATION

J. Tipping: Wonderful. Thank you so much. I’m joining you from my home in North Vancouver today.

This is on the traditional and unceded territories of the Musqueam, Tsleil-Waututh and Squamish peoples.

Thank you very much for the opportunity to present today on this important topic. I’ve got a few remarks which I’ve included in a written submission, but I’m going to highlight the key points for you now.

First of all, just to explain the interests of B.C. Tech and our members in this legislation, trust and trust of consumers are critical parts of the business of every tech company. We also want to express interest in privacy regulation, because sometimes there can be some unintended consequences that members may not be aware about. We’re happy to provide information and input that takes a balanced approach — what’s working really well with the legislation today and should be preserved, what’s maybe not working so well and could be improved, and then some ideas and opportunities for what you might want to consider as you look at the legislation.

Starting with what works well today, there are four key things that we find compelling about the current legislation. First, it’s a principles-based approach, which we find very valuable because it provides flexibility and the opportunity to focus on the real and actual risks.

Secondly, it’s technology- and business-neutral, which is helpful, especially as our world is changing faster than maybe we ever thought. Its privacy principles are non-prescriptive and generally consistent with commonsense ideas and thinking, which makes it really useful for businesses to understand what the purpose and intent of the legislation is and, therefore, to comply with it.

And finally, it generally balances privacy considerations with business requirements well. Those are four key things that we would really want to see preserved and maintained.

There are a couple of things that don’t work so well. The first is that it is a consent and consent-only based statute, and whilst consent is really important, we also want to reflect on the practical limitations of meaningful consent in today’s world. I think we’ve all had the experience of being presented with a long list of what we’re consenting to when we attempt to download software. Sometimes I think it’s challenging to ask how many consumers actually read through that long list of requirements and actually, when they click the “I agree” button, are giving meaningful consent. So consent is certainly a relevant criteria, but there are others as well that could be usefully modelled.

The second limitation of today’s legislation is that with technology moving as quickly as it can and, frankly, with the challenges that we’re facing in the world, whether those are the challenges that were thrown up by the pandemic or the challenges that were thrown up by our recent heatwave in British Columbia, we can’t always anticipate what the challenges are that we’re going to face, and we can’t always anticipate what data might help us to address those challenges.

[9:55 a.m.]

So just maintaining that data has value. It’s absolutely critical that the privacy of individuals be maintained. But we also want to have flexibility to use the data that we have to tackle the real-world situations that we encounter, even if we didn’t anticipate that that was a use of the data in the first place. The key is privacy and anonymity rather than limiting the use of data. Those are the two things where we think there’s room for improvement.

I would just perhaps step back and give a couple of general comments, which are that I do think it’s really important to remember that whenever we’re introducing legislation or regulation in British Columbia, we are a relatively small subnational market in a global world and to pay due attention to what’s happening in the major jurisdictions.

GDPR is the EU’s regime, and that’s one that I generally look to. If you’re a tech company today, you need to be compliant with GDPR. To the extent that B.C.’s regulations are consistent with that, you’re not in any sense providing a B.C. tech company with additional challenges that it wouldn’t face in a global world. So if there are opportunities to align, that’s a good approach to take.

Generally, if we’re deviating from major global standards like that, we really want to challenge whether it’s essential and necessary in B.C. If not, what we’ll accidentally do is create a disincentive, a barrier to the success of B.C. tech companies and a disincentive to establish headquarters or to grow operations in British Columbia, which wouldn’t be the intent.

If I move to some specific improvements to the current legislation…. I’m going to list seven, but don’t be overwhelmed. Some of them are quite interrelated. The first one is look at the GDPR consent grounds. Consent is one ground for privacy there, but the rules for processing information shouldn’t be limited just to consent situations. GDPR offers six different grounds in addition to consent, and those are really worth looking at, I think, for B.C.

Looking to exclude de-identified data from regulation. Once we’ve removed the connections that would create the privacy concerns, having more flexibility to how that de-identified data can be used will help us to tackle those unanticipated global challenges that we may encounter.

Then, if we think about what we might want to avoid, we want to avoid any prescriptive rules that are B.C.-specific that are outside the realms of general considerations. We want to avoid creating new data residency requirements. I think Quebec is an example to look at and learn from — to learn not to make the mistakes that they made, which have been quite onerous to comply with.

Look, also, at enactment of new rules around or be very careful about enacting new rules around data portability or how we might use things or how data might be transferred, largely because anticipating technological changes of the future is beyond the crystal ball of many of us. We’ll end up creating a shelf life for legislation that isn’t particularly helpful or meeting the needs of British Columbia’s citizens.

A few points here on penalties and consequences of non-compliance. As always, with any penalty, pay due regard to the proportionality of the B.C. market so that, again, we’ve not accidentally created a situation where the only lesson a business would learn is avoid doing business in B.C. Avoid penalties that aren’t tied to harm. In all cases, what we’re trying to do is make sure that people are compliant with legislation in all regards in order to protect individuals from harm.

Avoid enforcement powers that don’t comply with the general rules of law. Stay within the realms of anticipated audits and regular rules enforcement, rather than having a specific enforcement regime.

A final point from me, which is a bit of an industry and a personal story that I’d like to share. Very, very sadly, the father of one of our tech leaders in B.C. suffered an attack due to the very extreme heat measures that we had last week. Unfortunately, the emergency services could not reach him in time, and his father passed away.

It’s been a bit of a call to action for those of us in the community to say: “Is there a way that we can engage with the health system and with the emergency health system, in particular?” We know that with greater adoption of technology, we can expand the capacity of that sector.

[10:00 a.m.]

I think that when we all saw some of the really tragic and needless deaths and suffering that happened recently…. I think we need to acknowledge that we must make sure that we’ve expanded the capacity of our health service, using every means we possibly can, to support those essential workers and to make sure that health care is delivered when it’s needed. Technology is part of the solution there.

That leads me to my final point, which is: avoid health sector–specific regulation that might get in the way of efficient delivery of care. We really need to stay grounded in the very real challenges that we face today in B.C., pulling together to solve those, and stay very focused and grounded in those real, day-to-day challenges and not more theoretical concepts.

I’ll end my prepared remarks there, and I’m happy to answer any questions you might have.

M. Elmore (Chair): Perfect. Thank you very much for your presentation.

Members, do you have questions for Jill, or comments?

A. Wilkinson: I think something that we’re starting to see a focus on is: how is the term “de-identified” defined? It’s a big threshold in terms of being within and controlled by this legislation at various levels or being excluded from it, but the prospect, with smarter and smarter computer science graduates to connect data sets and boil it back to an identifiable source…. They may not care. I mean, do they really care who’s buying widgets on Amazon? They may send you an ad, but that’s not exactly malignant.

There’s a widespread concern about re-identification and that becoming more possible with clever people turning their minds to it. Do you have a sense of how we can properly define “de-identification” and, perhaps, make it a one-way street? It’s very difficult to do, and there are probably legitimate reasons to re-identify ISIS members as they cross borders in the Middle East.

J. Tipping: Yeah. It’s a really tricky challenge, and I will not pretend that I myself am fully conversant with all of the technological requirements to do either the de-identification or the re-identification matchups. But what I’ve learned in the world of technology is that if you can imagine it, it can happen, if there is an interest in doing it.

I think what you’ve highlighted there is that in the case of that example of, you know, identifying ISIS-affiliated individuals, that motive is what unleashes the power of governments and almost unlimited budgets in order to tackle those problems. But in the day-to-day world of business, it’s a little more prosaic. We are focused more on capturing the 80 percent of value that one has useful and productive business needs for and not in a more purpose-oriented battle to unmask individuals, if that makes sense.

We’re not so focused or motivated by the concept of re-identifying specific individuals. We’re interested in learning from the patterns in the data so that we can unlock what the business insight might be about what new products and services people are interested in. We’re structurally more interested in the one-way street of de-identification and then use of the data and not structurally interested in the re-identification of specific individuals. I’m sorry I can’t offer something more concise and compelling for you as a definition, but I think you’re grappling with exactly the right question and topic.

M. Elmore (Chair): Do we have any further questions?

R. Glumac: Hi, Jill. Just to confirm what I heard, the GDPR is kind of the highest standard internationally in terms of privacy legislation, from my understanding, and what you’re saying is that it would be better for B.C. tech companies to adhere to that standard because it is the leading standard. Is that correct?

[10:05 a.m.]

J. Tipping: Yeah. It’s really a practical impact. Every tech company is an exporting tech company. There’s no such thing as a tech company that’s only interested in making sales in British Columbia. If you’re interested in making sales globally, you need to be compliant with GDPR. That has become the default standard that is accepted. Whether you’re a major multinational tech company or you’re a small but ambitious tech company, you’re understanding that you need to build your business on a basis that will be compliant with GDPR.

R. Glumac: Do you have any comment on companies having to change how they operate to conform with GDPR? Has it been difficult, or has it been fairly straightforward? Is there an appreciation…? Is there clarity there that makes it straightforward? I’m just curious to hear your comments.

J. Tipping: The most important thing for business, with any regulation, is that the regulation be clear and well explained, even if it’s harsh. That might sound counterintuitive, but we’re really more interested in understanding what the rules are, and clearly what they are, and getting rid of any ambiguity. It’s with that clarity that we can move ahead with investment decisions or modifying whatever we need to in our processes, our products or our ways of doing business.

That’s where the EU, which has a very extensive bureaucracy that does an excellent job…. One of the benefits of that regime is that things are spelled out in enormous detail, and there are lots of opportunities to ask questions and get clarifying rulings on things. That has been more talked about than any specifics of the rules themselves. It’s the ability to get clarity on the rules, to understand what the regime is, to understand what might change, what won’t change. Then with that certainty, we can make the investments we need to, to be compliant.

M. Elmore (Chair): Any other questions from members?

I want to thank you very much, Jill, for your presentation. We appreciate it. Certainly very important insight and recommendations that you’re bringing from the tech sector. In terms of our deliberations, we’re very cognizant of that. I want to thank you for taking the time to make the presentation and bring it forward to the committee. Thank you very much, and I hope you have a great day.

Our next presenter this morning is Stergios Vlioras.

Thank you for joining us. You’ll have up to 15 minutes for your presentation. Before you begin, I’ll ask members to introduce themselves.

My name is Mable Elmore. I’m the MLA for Vancouver-Kensington and the Chair of the Special Committee to Review the Personal Information Protection Act.

I’m joining you today from the traditional territories of the Musqueam, Squamish and Tsleil-Waututh Nations.

D. Ashton (Deputy Chair): Hi, Stergios. I’m Dan Ashton. I represent the area from Penticton to Peachland.

A. Wilkinson: Hello. I’m the MLA for Vancouver-Quilchena.

K. Greene: Hi. I’m Kelly Greene, MLA for Richmond-Steveston.

I’m coming to you from the traditional territory of the Musqueam people. Welcome.

G. Begg: Hi, Stergios. I’m Garry Begg, the MLA for Surrey-Guildford.

I’m joining you today from the traditional territories of the Coast Salish peoples, including the Kwantlen, Semiahmoo and Katzie First Nations.

R. Glumac: Hi. I’m Rick Glumac. I’m the MLA for Port Moody–Coquitlam.

I’m on the traditional territory of the Coast Salish peoples.

M. Elmore (Chair): Thank you so much, Members.

Please begin when you’re ready, Stergios.

[10:10 a.m.]

STERGIOS VLIORAS

S. Vlioras: I’m going to be reading off a script in order to keep my flow of thought. Thank you for accepting my request to present to your committee. I will be reading off a statement I’ve prepared in writing so as not to forget my trail of thoughts.

I will point out a few experiences of the many I’ve had over the roughly three decades of freedom-of-information and privacy laws here in B.C. At face value, they may seem like disconnected statements, even rambling. I can’t do the legwork for your committee, obviously, unless you need a consultant with firsthand experience. You will need to access all my files with the OIPC B.C. to make sense of what I’m trying to incorporate in 15 minutes.

There’s a Greek saying that says rotting fish make good bargains. We live in a society where I can handle toxic chemicals under a hood in a chem lab at school without affecting 40 students in the same room, yet the same society accepts as natural paying $2 million for a detached home where cooking fish or garlic causes the whole house to reek. This and other tendencies or processes are troubling.

Years ago, in researching how to submit an FOI request to NARA in the USA, I came across a lovely template from a gentleman — I don’t remember his name — who outlined some interesting terms to include in the request, such as “do-not-file files,” etc. That was an eye-opener at the time.

Since then, with the introduction of freedom-of-information and privacy laws here in B.C., it has been one troubling experience after another. I’ve heard on TV a line, which I will paraphrase here, that says that no law is so well-written that a determined person will not find a way to circumvent it, in one way or another, legally. I’m going to be presenting examples.

For example, I’ve had transit police use cell phones to take statements and to take pictures. Yet, in response to FOI and FIPPA requests, the reply was that the transit police were not in custody of the records. You also need to see the OIPC B.C. responses to make sense of the matter. Basically, this almost looks like a class-action lawsuit on my end, but it’s something that you will need to explore when you’re going through all these files.

Pardons. Twenty years ago, there was a split at the VPD’s database. The database was home for the 911 call centre, which exists down by Hastings at the Second Narrows Bridge. They advised all parties to contact both VPD and 911 to erase their files for pardons. What they did not tell everyone is that each task force, private security firm, etc. had their own database, which tapped into the VPD’s database at the time. They did not explain to us how to scrub those databases from the information.

There was another outfit that opened up, BackCheck — again, same problem. They were tapping into the U.S. and bringing the information back here. It reached the point where the pardon system didn’t really do what it was supposed to do. I didn’t see the OIPC address it properly to resolve the issue. Obviously, the OIPC, the review committees, advisors, observers, etc., had my name in their database since ’95-96, when the law first came into effect.

At first, a common tactic of the OIPC B.C. was to be turned down for a deemed refusal so that you would contact the other party again, which contributed to an additional 30-day delay. When you would explain to the OIPC B.C. that you already confirmed they did not have anything, you would still need to wait that extra 30 days and get back to the OIPC B.C. Some of these employees who were doing so back then are still employed with the OIPC B.C. today.

Then it was companies not responding to me. There was a store chain here in B.C. to which I’ve attempted, half a dozen times over 30 years, to submit an FOI. They would ask it to be sent in writing and then deny ever receiving it. In the mid-90s, the word on the street was to send it registered, because that’s what was going on. My last request was for security camera footage from the store in regards to an accident that I was party to. I never, ever heard back.

Can I prove it? Well, I do have the email somewhere showing that I contacted them requesting info on how to submit an FOI request. I might have a scan of the envelope and letters I sent to them on a few occasions. Do I have something registered? Probably not. I did not know the privacy laws were that ineffective and that companies were thumbing it.

Then there are the instances where they fail to disclose all the files requested, and upon contacting the OIPC B.C., the same extra 30-day song and dance. It happens once, and it’s a mistake. Twice, it’s a coincidence. Three times, a happenstance exception. Four times, we need to look into it, etc. My records will show the repeat offenders I’ve been dealing with all this time.

Ask for a particular file, which, when they gain a record or an official version of theirs — from the deemed refuser, obviously — and these always tend to disappear. For example, the security camera footage of a bus driver who explains to me the eccentricities of their employer. A shop steward bus driver who explains why shifts are sold and how much over the actual rate in order for the disadvantaged drivers to become full-time with benefits. Someone’s kid — not anyone’s — who was being abusive, yet the security camera footage disappears because of another malfunction. A lady who instigates a whole bus to gang up on me with verbal abuse and makes a statement — I’m paraphrasing here — “Pull the brakes and put the finger up there.”

[10:15 a.m.]

This statement never makes it to the officer’s report, and Transit Police releases the security footage, but muted. Even though I have been getting such non-muted footage for years from TransLink, Transit Police has refused to issue the footage with the audio, for some reason. There are thousands of pages and gigabytes of released footage and such, and I am still going through this.

I was involved in an ICBC claim where I lost my balance and fell when I had a car barreling towards me, where all I could do was close my eyes. The vehicle, luckily, veered out of the way.

After this near-death experience, in an automobile crash on Granville in downtown Vancouver, I witnessed firemen, who were first on the scene, take witness statements and jot down IDs from witnesses. A young adult, working on the second floor of some firm on the opposite side of the street from the accident, advised them he’d viewed most of it. There was at least one other person who gave a statement and ID to them.

Upon doing a FIPPA-PIPA request to both the fire department and ICBC, these people’s statements and IDs, their records, did not exist. Both of the organizations were adamant that no such records existed. Where did they go? Who has the power to make written records, created in the course of one’s job, disappear? I don’t know.

I had an audio recording from start to finish of the accident, and it was provided to those who needed it, at my lawyer’s office. On it, you can hear these witnesses state their names and IDs to the firemen, including how one person had a video pic of the crash, as well as others and what they saw. In the combo claims towards ICBC, I also have a bus driver who outright lied in regard to what happened on the bus. The video footage of this event completely disappeared because of a malfunction.

You know what my settlement was from being subjected to this situation? Not enough to cover the blatant abuse, the implied intimidation through omissions, the amount of bullying, etc., let alone all the future costs. My rights? A joke. How can this happen if the OIPC of B.C. is respected in this province? There are all the front-line staff of all levels of government, hospitals, etc., that you give your info to, just so that they can repeat it out loud to everyone to hear in the vicinity, or write it down in a way that someone can circumvent your privacy and get it. Why?

Medical clinics can charge to release records to you because the Medical Association said it was okay. I was told this by many front-line staffers at clinics. Tell me: beyond the human element I am dealing with, do I argue with the OIPC of B.C. or with the clinics? Do I protect my health or my rights? Do I spend months on end to rectify these events through the OIPC of B.C.? I didn’t know I was obligated to do so.

B.C. Housing service providers and Downtown Eastside shelter providers state that they are private entities and, hence, not under the obligation to release records, even though the contracts that they have are through B.C. Housing, the city of Vancouver, the province of British Columbia, etc.

After all these years, I can still not track a pre-authorization on a credit card or account through there or through my online statements or online access on my bank account. If there’s one loophole that might be prone to abuse, that is it, because I can do the math and figure out what my debits are and figure out what my credits are, but if there’s a way to [audio interrupted] abuse those numbers through the pre-authorizations, that would be it.

Living in the Downtown Eastside for years, I would hear about all these backroom settlements, as well as from elderly residents who kept some detailed records of their abuse over the years, and in the face of overwhelming data presented in courts, these people finally managed to get some form of restitution by the judge.

How many of these settlements have contributed to improving treatment of people lost in B.C.? Probably none. First, the OIPC of B.C. would need to be made aware of them, and secondly, have legal access to them. Although it would have been nice to hear that the OIPC of B.C. had made some effort in accessing this info to improve the shortcomings of the law and the way that it gets circumvented by organizations through the organization staff, these are all issues that have been printed in the press yet never rectified.

Dear committee, the OIPC of B.C. and you have more than you need of my files to address the “shortcomings” of privacy law. I would have been appreciative of at least a yearly video or presentation by the OIPC of B.C. as to resolving these and other shortcomings. I wish you good luck in your endeavours, but mine will be in court.

When any government — we have had many of these over the last 30 years — that enacts a law such that you cannot sue the law firm that handles a class action lawsuit or that you cannot sue the OIPC of B.C. for whatever reason, it makes me question the intent. You will need to access my records. You will need to verify the information, and if it’s missing there, you will need to understand what the limits are of conjecture, of coincidence.

I’m not saying that the OIPC of B.C. has not gone to bat for me. On the contrary, all the time. But it took years of being subjected to these situations and learning how to push back to the OIPC of B.C. employees, whose shortcomings I experience on a daily basis or very frequently.

I know this and all the other previous committees have had the experience and the knowledge to review the law, but I’m not sure that that you have had the data presented to you in a way to comprehend it as experienced by me and the public.

[10:20 a.m.]

Living in the Downtown Eastside has taken a toll on me over the years, where something as simple as this presentation tongue-ties me and gives me a headache. I thank the committee for taking the time to listen to me, and I’m happy to answer any questions to the best of my ability at the moment.

M. Elmore (Chair): Thank you very much for your presentation, Stergios. Really appreciate it.

Now, do we have any questions from committee members?

Stergios, I want to really acknowledge and thank you for taking the time for a very comprehensive presentation and recognize all the time and effort that you’ve put in — just a very wide breadth of experience that you’ve had, certainly, on this issue.

I don’t see any questions from committee members. I want to thank you for taking the time and for being so thoughtful and providing us with the information in our deliberations. Hope you have a good day.

S. Vlioras: Thank you all for the opportunity. Have a great day.

M. Elmore (Chair): Okay, there we go. That was our fourth presenter.

Susan, we are taking a break?

S. Sourial (Clerk Assistant, Committees and Interparliamentary Relations): This next presenter is at 10:45.

M. Elmore (Chair): Okay. See you back just before 10:45, everyone.

The committee recessed from 10:21 a.m. to 10:43 a.m.

[M. Elmore in the chair.]

M. Elmore (Chair): All right. We’ll get started now. Our next presenter is Gordon Yusko.

Thank you for joining us today. I understand you’ll be presenting by audio only. You have up to 15 minutes for your presentation. Hansard Services has provided a timer, which will be visible on your screen if you’re using gallery view.

Before you begin, I’m going to ask the members to introduce themselves. My name is Mable Elmore. I’m the MLA for Vancouver-Kensington, and I’m the Chair of the Special Committee to Review the Personal Information Protection Act.

I’m joining you from the traditional territories of the Musqueam, Squamish and Tsleil-Waututh Nations.

I’ll now pass it off to our vice-Chair, Dan.

D. Ashton (Deputy Chair): Good morning, Gordon. Dan Ashton. I represent the area from Penticton to Peachland. I’ll pass you over to Andrew.

A. Wilkinson: I’m Andrew Wilkinson, the MLA for Vancouver-Quilchena.

K. Greene: I’m Kelly Greene, MLA for Richmond-Steveston.

I’m coming to you today from the traditional territory of the Musqueam people. Welcome.

G. Begg: Hi, Gordon. I’m Garry Begg, the MLA for Surrey-Guildford.

I’m joining you today from the traditional territories of the Coast Salish peoples, including the Kwantlen, Katzie and Semiahmoo First Nations.

M. Elmore (Chair): Thank you, Members.

Gordon, please begin when you’re ready.

[10:45 a.m.]

GORDON YUSKO

G. Yusko: Okay. Thank you. I’m Gordon Yusko. I live in the city of Vancouver on the traditional, unceded and ancestral lands of the Musqueam, Tsleil-Waututh and Squamish First Nations.

I decided to submit to this committee because I’m just an ordinary citizen trying to access the rights that this legislation provides to me. I’ve had some experience, both with the….

[Interruption.]

I have no control over this. As an ordinary citizen, I’m trying to access the rights afforded to me under the Personal Information Protection Act.

Also, I have been doing the same thing with the Freedom of Information and Protection of Privacy Act. I’ve encountered some challenges. I feel like I’m well educated and, generally speaking, able to understand legislation even if it’s not written in plain language. But I came across some issues that I highlighted in the submission.

The first being around the ability of WorkSafeBC to share personal health information, really, without a proper process, a fulsome process or proper consent of an applicant or a claimant. It was quite surprising to me when I filed a claim. There were at least two, possibly three, different people who served as intake officers just, kind of, going over the initial parts of my application as a claimant.

During one of those calls during the intake process, I was told at least twice that the only information that was releasable to my employer was my name, the date of my claim and the category for which I was applying as a claimant. I had the intake officer repeat that, and I made contemporaneous notes at the time.

Fast forward to when I then got transferred into a group within WorkSafe where they began…. I think there were two different people who recorded for me over the phone the details of the injury and the harm that I had received from my employer. It was quite detailed, quite extensive, quite personal of course. Anyway, it then took place over…. Then there was consideration of my claim.

I was told on the phone after the time had passed that my claim would be considered based on the information that I was given and that I would be getting a letter on the decision of whether or not to move forward.

I did get the letter, and I was a bit surprised that it contained a four-page account of my personal health information and most concerned that it was also shared with my employer without me really understanding that in advance, without me really having an opportunity to review and vet and correct some of the information in advance.

[10:50 a.m.]

I’ve talked to the OIPC about this and also to a legal adviser, and they seemed rather nonchalant. They sort of said: “Oh yes, this happens.” I guess there are reasons for it. However, I don’t think the reasons are entirely defensible, particularly when a claim is denied, which my claim was. I don’t think it’s appropriate for WorkSafeBC to be sharing detailed personal health information when a claim is denied. That’s No. 1.

I put into place, in the document that I sent you, some recommendations that I think could be considered when these sorts of things occur — that at least two written notifications be given to a claimant that detailed health information will be shared with the employer and that the claimant be given a period of time, at least 48 hours, between the two notifications. As you can imagine, a claimant is stressed out and challenged by this process. So they really need to be given a chance by WorkSafeBC to understand that health information will be shared, and they should be given a chance to review and correct the information before it is shared, with a reasonable deadline.

The other things that are related are that…. I would like the claimant to be able to know the specific contact information, as defined in this act, to which WorkSafeBC will be disclosing the health information. In addition to what’s already in the act, I think the contact information should include the email address used by WorkSafeBC that it’s using to disclose the information.

With those recommendations, I do think it requires a review of the definitions of “employee personal information” and “personal information” to be very clear for claimants and for WorkSafeBC. Then, secondly, sections 18 and 19 of PIPA should be analyzed, and I think a much higher burden on WorkSafeBC than is currently the case should be placed before they share personal health information with the employer or anyone else.

I’m going to move along. I see I have six minutes left. That is really the most important point that I want to make.

I think that, looking at the legislation, the definition for “work product information” within the context of trade unions or employee associations is really unclear and vague and needs to be clarified. I had some experience where what would be defined as a work product information piece was not available to me from my employee association. I wasn’t asking for personal information. I was really just asking for confirmation of my own notes of when an event happened and how many people were there. I was told by my employee association that they couldn’t find it. It had probably been deleted.

[10:55 a.m.]

This was a meeting that the employee association called themselves and members attended. The employee association took minutes, and it was a pretty formal process, I thought. So to be told months later, when I wanted just the numbers of people there and the confirmation of the date, that they couldn’t find it and it didn’t exist was a big surprise to me.

I would like some changes made for employees to have this right to access non-personal information from their trade union or employee association.

Mostly, I’ve been working under the FIPPA, but this review of the Personal Information Protection Act, for me, raises the issue of the inclusion of trade unions and employee associations within the scope of FIPPA. Currently it seems to apply only to public bodies, but I actually recommend that trade unions and employee associations be included with FIPPA in the scope. I don’t want it to be burdensome, so it should probably apply to trade unions and employee associations of a certain size and above so that they do have the resources to deal with FIPPA.

Fourthly, I made a point that the resources for public awareness and education about this legislation and FIPPA are not really easily accessible or broadly available or easy to understand. I think an effort needs to be put and more resources need to be placed for the commissioner’s office to undertake a public education and awareness initiative using social media appropriately with experts, with partnerships to get that education out in public and to inform people more thoroughly than is the case.

Lastly, since I have two minutes left, I just made the point that my discussions with the commissioner’s office over some time and the time I’ve waited for an inquiry in my case and the number of occasions that a time extension has been applied has been really surprising. It wasn’t clear at the beginning, when I started this process, that so many delays would be put in place.

The example I gave is that 21 months have passed since the initial 90-day review period for my records request expired, and we still haven’t even reached the point of having an inquiry. I’m told that it’s coming soon, but here we are all this time later. It’s really frustrating. If this legislation does not allow a timely process to unfold, and if the commissioner’s office is not properly resourced to make that happen, then I believe it should be. I think the committee should look at additional resources to the commissioner’s office to ensure that accessing and using and following the rules under this legislation are done more quickly.

I’ll stop there.

M. Elmore (Chair): Thank you for your presentation, Gordon.

Do we have any questions from committee members for the presentation?

[11:00 a.m.]

G. Begg: Just a point of clarity. My notes indicate — and I could be wrong; I could have misheard you — that sensitive medical information should not be provided to the employer, particularly when a WCB claim is denied. My question, of course, is: if the claim is allowed, should the information be shared?

G. Yusko: Yes, but I don’t think the current process used by WorkSafeBC is rigorous enough to really properly, transparently and fully inform the claimant that this will happen. The only time that this was sort of discussed with me was during the intake process, which I mentioned. I believe there’s a training issue, because I was essentially misinformed during the intake process. So there’s a training issue within WorkSafeBC.

Then the document that I signed for giving approval to release is so carte blanche, and it was handled in a very pro forma way. So there needs to be a much more focused, concentrated process for WorkSafeBC to really help claimants understand that their employer is going to see everything that they’ve shared with WorkSafe about their health.

M. Elmore (Chair): Okay. Thank you for that question, and thank you for clarifying that, Gordon. I don’t see any further questions, so I want to thank you for taking the time to share your experience with us and also thank you for your submission to the committee. We will consider that as we continue through our deliberations. Thank you, and I hope you have a great remainder of your day.

G. Yusko: Okay. Thank you very much.

M. Elmore (Chair): Our next presenter this morning is Anthony Green, who is the vice-president of the Vancouver chapter of the Information Systems Audit and Control Association.

Thank you for joining us today, Anthony. You have up to 15 minutes for your presentation. Hansard Services has provided a timer which will be visible on your screen if you are using the gallery view. Before you begin, I’ll ask members to introduce themselves.

My name is Mable Elmore. I’m the MLA for Vancouver-Kensington and the Chair of the Special Committee to Review the Personal Information Protection Act.

Next I’ll hand it off to the vice-Chair, Dan.

D. Ashton (Deputy Chair): Thank you, Mable.

Welcome. I represent an area from Penticton to Peachland, and I’ll pass you over to Andrew.

A. Wilkinson: I’m Andrew Wilkinson, the MLA for Vancouver-Quilchena.

K. Greene: I’m Kelly Greene, MLA for Richmond-Steveston.

I’m coming to you today from the traditional territory of the Musqueam First People. Thank you.

G. Begg: Hi, Anthony. I’m Garry Begg. I’m the MLA for Surrey-Guildford.

I’m coming to you today from the traditional territories of the Coast Salish peoples, including the Kwantlen, the Katzie and the Semiahmoo First Nations.

M. Elmore (Chair): Thank you, Members.

I’m joining from the traditional territories of the Musqueam, Squamish and Tsleil-Waututh nations.

Please begin when you’re ready, Anthony.

INFORMATION SYSTEMS
AUDIT AND CONTROL ASSOCIATION
VANCOUVER CHAPTER

A. Green: Awesome. Thank you, everyone. As you mentioned, my name is Anthony Green, and this year I am the vice-president of ISACA.

We’d like to thank you again for the opportunity to provide input into the evolution of B.C.’s primary privacy legislation. I will be starting with an outline of today’s brief presentation. First we will start with an introduction of ISACA international and ISACA Vancouver’s unique perspective on PIPA. Then we’ll move on to our consultation approach, then our findings, our recommendations and, finally, we’ll end with our conclusion. We truly value this opportunity to represent our members in the evolution of this very important piece of B.C. privacy legislation.

To start with introductions to ISACA international, ISACA has served our professional community for more than 50 years. Today ISACA serves 145,000 professionals in 180 countries, who span several roles in assurance, governance, risk, enterprise IT, privacy and information security.

[11:05 a.m.]

ISACA international is a credential-granting entity and is especially known for its CISA, CISM and CDPSE certifications and its COBIT enterprise IT governance framework. ISACA Vancouver is a chapter with over 600 members located in the B.C. Lower Mainland and B. C. Interior, and this submission represents this chapter.

At ISACA Vancouver, we have three different mandates. The first is to lead the development of professionals in information technology, audit, risk, governance, privacy and cybersecurity within the business and academic communities of British Columbia. Two, we promote industry best practices among its members. Lastly, three, we raise awareness on cybersecurity and privacy topics within B.C.’s business and government communities.

This chapter is run by ISACA volunteer members who meet monthly and elect the board at their annual general meeting. The goal of the Vancouver chapter is to promote ISACA global standards in the practices and development of B.C.-based professionals in IT risk, governance of enterprise IT, information security management and IT assurance in industry, academia, government and not-for-profit organizations. A primary focus of ISACA Vancouver is also to deliver educational seminars and workshops towards professionals and student members. This chapter operates many outreach programs for mentorships, certifications and training and increasing diversity in the workforce.

ISACA Vancouver values being included in the public consultation of PIPA’s reform because many of our members work with PIPA on a regular basis and attempt to keep their employers on side with it, alongside compliance with other privacy legislation around the world. Hence, we believe we bring an impartial, pragmatic and tactile perspective on PIPA that is unique to any of your other consultation stakeholders.

As for our consultation approach, our submission includes an overview of what we believe to be the next steps towards drafting revisions to the existing version of PIPA so that it may be more aligned to both the current privacy environment demands in B.C. as well as those around the globe. To prepare our recommendations for PIPA, we brought together over a dozen professional members who are ISACA CDPSE. That’s the certification I mentioned earlier. It’s the certified data privacy solution engineer. These represent a cross-section of experienced professionals in the public and private sectors.

We hosted three consultation sessions along with virtual collaboration [audio interrupted] to prepare our recommendation, which will be included within a written response and within our presentation to this special committee. This ISACA Vancouver group discussed the shortcomings of the current PIPA legislation and what would need to be improved in the next iteration so as to better protect consumers and enable businesses to more efficiently comply to PIPA requirements.

One of our initial points of discussion was whether B.C. should adopt privacy legislative changes that are more aligned with international standards or if it was more prudent to keep the legislation focused on B.C.-specific issues. To tackle this question, the working group was split into multiple smaller subgroups where each became responsible for researching the current PIPA legislation as it relates to other key privacy legislation. These groups included PIPEDA, which is for Canada; GDPR, with Europe; Bill 64 in Quebec; and the CCPA, which is now the CPRA, from California.

It was felt that these four pieces of legislation were most relevant to B.C. practitioners, employers and clients, due to them being the most influential in shaping general, global and international trends. Research from the subgroups was compiled into this report, and the final recommendations from the ISACA PIPA working group called for PIPA to evolve into legislation that is more aligned with key international legislation.

At this time, it is recognized that at the time of writing, many of the most important pieces of legislation were themselves in flux, whether due to local or regional politics or simply due to their own deliberations around the need to modernize themselves.

One of the challenging aspects of this exercise has been the acceptance of so many discrete and interdependent timelines around the world with respect to upcoming revisions, particularly between provincial and national regimes of privacy law. Further, it was recognized that the sheer importance and urgency implicit in the evolution of privacy law is driven by the ongoing rapid technological change, essentially the digital transformation of the global economy and, in particular, the emergence of companies whose profit is principally derived from acquiring some subset of personal information from one digital source and selling it to another.

[11:10 a.m.]

The chief concern to observers in the field like ISACA members is that personal data is at particular risk between the time that new digital emergent technologies and business processes emerge and the time that the privacy law catches up to address that. It is during this lag time, or transition period, that true personal privacy for thousands or millions of individuals is being lost.

Once personal information in digital form has traded hands without a citizen’s true understanding or consent, that information can trade hands many more times and can, each time, be exposed to unwanted, unauthorized access by those who may have more nefarious, illegal motives for acquiring the data. Hence, both the urgency and the agility of privacy law that works in the moment rather than lags is of tantamount importance and serves the citizenry before their data can be manipulated outside of their control. This is the key point in our message, in addition to the recommendation and area of focus, which are summarized below.

In summarizing the premise for our approach, we believe PIPA harmonization with other key privacy legislation around the world makes it easier for our members who are privacy practitioners, or their employees, to comply with them. We believe our working group of over a dozen seasoned privacy professionals from our membership advocated unanimously for this position in our recommendations.

We are looking forward to continuing to work with other members of this community and of the community in B.C. to make B.C. PIPA the best legislation it can be, in the name of B.C. citizenry whose private information must be protected at all times.

As for our findings, globally, we believe that GDPR is the most influential privacy legislation in years, and as there are many B.C. companies with European residents as clients, we began our research there. On May 25, 2018, the GDPR came into force, requiring private sector organizations to comply with new data protection requirements when they process the personal information of individuals located in the EU. But I just want to mention a few highlights.

The GDPR has more descriptive personal privacy laws, such as the right to access. The right to access, essentially, is three things. It’s the right to obtain confirmation as to whether their personal data is being processed, where and for what purpose; the right to access their personal data; and the right to correct errors in their personal data. They also have the right to be forgotten. That means the ability to erase their personal data and object to having their personal data processed.

Additionally, they also bolstered their data portability laws by allowing their citizens to receive a copy of any personal data stored and transfer that data to another vendor or controller. Lastly, they also updated their breach protocol by requiring that any breach notice has to be done within 72 hours of first having become aware of the problem.

In the current PIPA legislation, customer notification of a data breach is not required but is highly recommended as a best practice. Comparing that to GDPR’s 72-hour notice requirement and resultant financial sanction if not met, PIPA’s requirement does not induce noticeable behaviour changes among organizations in B.C.

GDPR sanctions range from €10 million or 2 percent of annual worldwide turnover for lesser infringements all the way up to €20 million or 4 percent of annual worldwide turnover for more serious offences. In comparison, PIPA sanctions are also underwhelming, with fines amounting to $10,000 for individuals and no more than $100,000 for non-compliant organizations. That is an equivalent of half of 1 percent of GDPR’s maximum fine. The shortcomings in PIPA are clear here, and so is the opportunity for improvement.

Now, I’d like to move on to the California Consumer Protection Act. The CCPA came into force on January 1, 2020, and was intended to clarify and strengthen the privacy rights of California residents in response to the increasing amount of personal information being entrusted to private companies, necessitating the need to have a framework around the protection and use of that data.

The CCPA grants Californians three basic rights when it comes to relationship with business: the right to know what information companies have, the right to delete that information and the right to tell companies not to sell their information. The CCPA has been influential within California, and numerous stakeholders, including consumer groups, have steadied along almost immediate improvements from this 2018 legislation. Because of this success, a new piece of legislation — the CPRA, the California Privacy Rights Act — was passed in 2020 and will come into effect on June 1, 2023.

[11:15 a.m.]

The CPRA legislation differs primarily in the following ways. The CPRA has created a rule-making, educating and enforcement body that appears to work much like the Information Commissioner in other jurisdictions around the world. It is called the California Privacy Protection Agency and presides over the CPRA and the CCPA. Enforcements have also tightened up, requiring businesses to react instantly to reported violations, having to pay three times the penalties for infractions involving data related to children as well as facing civil penalties in the case of blatant data theft. On these last various points, that is the most obvious potential for deriving recommendations for B.C.’s PIPA act.

The last thing that I’d like to mention is Bill 64, which is from Quebec. That states that a business which collects personal information when offering a technological product or service will be required that, by default, the parameters of that product or service are set to the highest level of confidentiality. Businesses will now be required to also conduct a privacy impact assessment in order to ensure that their personal information — that they would receive equivalent protection afforded under the Private Sector Act. Bill 64 also requires consent to be requested for each specific use, separately from any other information. There is no implied consent.

Lastly, Bill 64 also contains mandatory breach obligation to the commissioner and individuals of confidentiality incidents that present a risk of serious injury, where the failure to comply can result in the maximum fine equivalent of 4 percent of worldwide revenue or $25 million, whichever is higher.

Now I’d like to move on to our recommendations section for the PIPA reform. One of the main recommendations is mandatory breach notification. It is one of the more effective measures that a privacy law jurisdiction can impose, because it makes data breach public and, therefore, possibly reputation-harming. This impact on reputation can be effective in changing behaviour and formalizing a privacy data breach response plan, for example.

Secondly, this feature provides affected individuals of breached data an earlier warning system so that they can react and protect themselves upon hearing of a data breach. The more time a data breach goes undetected by the owner of the personal information, the more likely it will be used successfully by unauthorized parties once breached. The most effective privacy law jurisdictions have a mandatory data breach notification mechanism, and PIPA’s adoption of such a feature would promote harmonization with them.

The other thing I’d like to mention is that financial sanctions provide a second important impetus for promptly reporting a data breach and process it with best-practice incident responses. Penalties should be clear and avoid appearing as punitive. Rather, they should be scaled to provide a strong deterrent for sweeping a major data breach under the proverbial rug and not more. Punitive-level sanctions are difficult to swallow in an environment where cyberattacks per day count in the hundreds of thousands. Virtually every company is exposed to some cybersecurity risk.

In summary to our conclusion, reactions to privacy laws in B.C. are too slow, and continuing this trend causes harm to B.C. consumers. Thank you for your time, everybody.

M. Elmore (Chair): Thank you for your presentation.

Are there any questions from committee members for Anthony?

A. Wilkinson: It appears that you’re able to provide some level of certification for individuals and, I gather, enterprises and possibly even individual items of software, if I can put it that way. You’re also, gladly, doing your best to synthesize GDPR and the Californian emerging legislation.

So if you have a package of what would constitute a certifiable enterprise or product, that could be extremely helpful to us. I’m not sure if that actually exists or if you approach it on a principles basis, but if you can provide us with more detail in writing, I think that that would be very helpful. It’s the sort of thing that can make its way into an appendix of a report that we produce, saying: “Here are some very helpful and sophisticated thoughts on this.” So if you’ve got that, I would encourage you to provide it.

[11:20 a.m.]

I think the concern is that all these major markets develop their legislation, California being an obvious one, with 40 million people and probably half of the world’s major software enterprises, and the GDPR…. They become the big bears in the zoo, nd so we have to find our way into the small-animals cages at the zoo, compared with the big ones.

This issue of fines has always struck me, that if our sanctions are one half of 1 percent of the GDPR, well that’s exactly what the combined American and European Union population is compared to ours. We are 1 percent of North America. We are one-half of 1 percent of North America and Europe. So if we’re talking proportionality, maybe our fines are in the right place.

If you’ve got thoughts on these things — obviously you’re coming at it from a fairly sophisticated point of view — it would be very helpful to provide them to us in writing.

A. Green: Absolutely. That’s something that we wanted to do as well. We actually have a lot more in our written submission. Part of the challenge was cutting it down to keep it under 15 minutes, so that’s something that we’d gladly provide.

As for your second comment, that’s a very good point, but I just also would like to point out Bill 64 in Quebec. They are actually equaling GDPR, with up to $25 million and up to 4 percent of total revenue. I’m not saying that’s something that we’re suggesting at the moment. I’m just saying that’s something that I’d like to point out.

A. Wilkinson: I think the concern is if we have a small software enterprise here with ten employees and they’ve just gotten financing and are planning to move to 30 employees and they get hit with a $25 million fine, they’ll just go out of business.

A. Green: You’re absolutely right. That’s actually why we think it should be scaled with the business, as there are more and more attacks happening, and the small businesses don’t need that $25 million fine. However, for the big businesses, we just need the fine to have enough teeth that they don’t want to sweep it under the rug. That’s essentially what we’re suggesting.

M. Elmore (Chair): Okay. Other questions from committee members for Anthony?

Anthony, I’d like to thank you for your excellent presentation. I look forward to your written submission in terms of more details there. I appreciate that. Thank you for taking the time to present and have a conversation with us today. We really appreciate it. It’s very helpful. I hope you enjoy the rest of your day.

A. Green: Thank you very much. Looking forward to submitting that written presentation for you guys.

M. Elmore (Chair): Our next presenter is 11:35. We’ve got ten minutes, folks, and then we’ll have our last presenters. I’ll see you back before 11:35.

The committee recessed from 11:23 a.m. to 11:31 a.m.

[M. Elmore in the chair.]

M. Elmore (Chair): Our final presenter today is Andrew Clement, who is professor emeritus with the faculty of information at the University of Toronto.

Thank you for joining us today, Andrew. You have up to 15 minutes for your presentation. Before you begin, I’ll ask members to introduce themselves.

My name is Mable Elmore. I’m the MLA for Vancouver-Kensington and the Chair of the Special Committee to Review the Personal Information Protection Act.

D. Ashton (Deputy Chair): Sir, welcome. My name is Dan Ashton. I represent the people from Penticton to Peachland, here in the Okanagan Valley.

A. Wilkinson: Hello. I’m the MLA for Vancouver-Quilchena.

K. Greene: Hi, I’m Kelly Greene, MLA for Richmond-Steveston.

I’m coming to you today from the traditional unceded territory of the Musqueam people. Welcome.

G. Begg: Hi, Andrew. I’m Garry Begg. I’m the MLA for Surrey-Guildford.

I’m coming to you today from the traditional territories of the Coast Salish peoples, including the Kwantlen, Katzie and Semiahmoo First Nations. Welcome.

M. Elmore (Chair): Thank you, Members. I’m joining from the traditional territories of the Musqueam, Squamish and Tsleil-Waututh Nations.

ANDREW CLEMENT

A. Clement: Thank you, Madam Chair and members of this Special Committee to Review the Personal Information Protection Act, for the invitation to appear before you, which I was pleasantly surprised to receive two days ago. I’m Andrew Clement.

I’m joining you from my home on Saltspring Island in the unceded territories of the W̱SÁNEĆ Nations and other Coast Salish peoples.

I grew up in B.C. but have spent the bulk of my professional career at the University of Toronto. There, I received my PhD in computer science and, since 1989, have been a professor in the faculty of information. My research has focused on trying to better understand what the rapid computerization of our economy and society means for people’s lives. In particular, I’ve specialized in the areas of surveillance and privacy, with a view to the public policies for achieving the promise, while avoiding the perils, of digital technologies.

Speaking on my own behalf, I hope to assist the committee in its vital work of bringing B.C.’s PIPA up to the needs of the 21st century, particularly in light of Bill C-11 and the European Union’s General Data Protection Regulation. I’m familiar with the B.C. Information and Privacy Commissioner’s recommendations to the PIPA committee, as well as those of Profs. Colin Bennett and Teresa Scassa and Commissioner Daniel Therrien. In general, I endorse their views and will avoid unnecessarily repeating their many fine points.

As Professor Scassa noted yesterday: “The context in which we find ourselves today is fundamentally and substantially different from that of the early 2000s.” I will review some of these key changes in the data industry since PIPA and PIPEDA were enacted that are most relevant for data protection reform.

[11:35 a.m.]

While many digital innovations over the past two decades have been very valuable, I’ll focus on the troublesome explosion of the data surveillance business model and how its success defies privacy ideals and regulatory practices. This is the model behind what Shoshana Zuboff has popularized as surveillance capitalism. Based on this analysis, I’ll identify some of the problematic areas where the current privacy regime fails to meet the challenge of the surveillance business model and contributes to the data protection crisis, as Commissioner Therrien calls it.

I’ll highlight where C-11 falls short of what’s needed and offer suggestions for how a revised PIPA can address these shortcomings. In many areas, the GDPR provides a better model for updating B.C.’s legislation, but even it should be improved on if the goal is to rein in the data surveillance businesses while enabling more responsible areas of the digital economy to thrive.

Of all the many notable innovations in electronic commerce since 2000, arguably the most spectacularly lucrative but socially irresponsible has been the development of programmatic advertising. At the heart of the advertising technology industry is real-time bidding, a near-instantaneous auction among competing advertisers for various pieces of screen real estate, where ads that can catch your attention encourage you to click and then, hopefully, to buy.

Imagine that you visit a webpage or scroll through Facebook on your phone and see an ad. There’s a very good chance that an advertiser software agent has been notified that your “eyeballs,” as you are known in the industry, are available for sale and kicks into action. In the fraction of a second that it takes to display that particular screen, the agent has figured out that you are worth targeting, bid a particular sum of money, and won an auction for the opportunity to get you to click on their ad.

A very similar process occurs for displaying other content, such as automatically deciding what YouTube videos to recommend to you or what social media posts to bring to your attention. Scroll further or jump to another page, and the auction process begins all over again. The overriding goal in both the ad and content display scenarios is to keep you “engaged” and clicking on the site, rather than wandering off where others can monetize you instead.

This business model is enormously lucrative, with Google and Facebook the dominant giants. Between them, these two companies alone capture roughly 60 percent of the digital advertising revenues, earning on the order of $100 billion annually in North America. What’s wrong with this picture? Plenty. We’re hearing a lot these days about the monopolistic and anti-competitive market practices and the politically polarizing effects of this surveillance business model. Violations of privacy norms are just as serious and are at the root of the problems in these other areas.

For a start, a wide array of invisible data enterprises are collecting and processing the massive amounts of fine-grained personal information that are fed into the automatic decision processes that assess whether you are worth targeting and how valuable your attention is. These organizations play distinct roles, such as data supplier, aggregator, network targeter and ad server at various stages along complex data supply chains. The U.K.’s Information Commissioner estimates that potentially hundreds of organizations have access to the personal data involved in a single ad auction alone. Overwhelmingly, these organizations acquire your data without your legitimate consent or even knowledge.

Bill C-11 is known as the Digital Charter Implementation Act. The digital charter’s core privacy principle is control and consent, number 3, which states: “Canadians will have control over what data they are sharing, who is using their personal data and for what purposes….” How can you have control over your data when it is widely dispersed among so many enterprises that you don’t even know exist? How can a regulator, or anyone else, hold organizations accountable that conduct their operations away from public view?

PIPEDA and PIPA rely on an outdated model of data handling in which there is a readily identifiable organization, like a bank or a store, that offers goods or services to an individual from whom it needs to collect information in order to conduct the transaction. The collecting organization may need to pass on this information to another service-providing organization, but it doesn’t contemplate long, entangled, data supply chains, such as the ones I’ve just mentioned.

[11:40 a.m.]

The GDPR does a much better job of holding all the actors in this supply chain accountable, principally using the categories of controller and processor. It would help if PIPA adopted something similar. C-11 continues with PIPEDA’s and PIPA’s legacy data protection model and, as a result, risks not meeting GDPR compliance standards.

Another way to address the invisibility of data supply chains is to require that every organization that handles personal information register publicly that it is in the business and provide key details about its activities. The U.K. has a basic data register like this. They are also found in other parts of the world but not yet in North America. When even food cart operators must obtain a licence from the city — which involves registering, paying a fee, showing proof of health inspection and meeting a long list of other requirements — isn’t it about time that organizations that collect or otherwise handle our precious personal data do something similar?

Such a public data register would represent a modest but important step in addressing one of the fundamental challenges of the surveillance model: the enormous asymmetry of power between you as an individual data subject and the organizations controlling your data. It would also enable the development of innovative digital enterprises that build tools for individuals to better manage their data as well as their relations with data-handling organizations.

Along with registration, data enterprises like the street vendor should pay an annual fee. This would be tiered according to the number of data subjects and the volume of personal information the organization handles. Even modest per-capita fees would raise substantial funds that would help offset expanding the support for increasingly stretched regulators. There’s plenty of money available for this. The average cost per click for a Google ad in Canada is currently over $1. Facebook’s average annual revenue per user in the U.S. and Canada is currently over $66.

Back to data collection. Even when you do consent by clicking “accept” on a terms of service statement — for instance, for an app you’ve just downloaded — it’s very likely this does not meet legal standards. PIPEDA’s consent requirement reads, in part: “An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.” PIPA has similar language, which is routinely violated and almost never enforced.

If you have the time and patience to actually read the terms of service, you’ll typically find that you are agreeing to data collection well beyond what is “required to fulfil the explicitly specified, and legitimate purposes.” This massive loophole has greatly enabled the trafficking in personal information that the surveillance industry depends on. Sadly, C-11 repeats the old wording almost verbatim.

A minor change that could help improve compliance with the consent principle would be to require that an enterprise that wants to use the information collected for purposes beyond what is necessary to fulfil the stated purpose must provide additional consent options, none of which can be the default. In other words, in the case of opt-out consent, if an individual simply presses “enter,” this indicates the organization can only use their information for what is strictly necessary. Thanks to GDPR, we’re beginning to see some of this coming in with cookie consents.

Another way data businesses, especially social media companies, exercise inordinate power over individuals is by holding their data hostage. You may not be comfortable with how Facebook handles your data, but getting off incurs too heavy a price for most people to pay, in terms of maintaining their social connections. Facebook may give you all of the data it has on you, as required by law, but under current conditions, it would not allow you to keep your connections to friends and family alive.

Ideally, you should be able to move your data and your connections with others to a competing platform operating with a better business model, but there are two key obstacles. First, Facebook will not provide an interface that offers interoperability with a potentially competing social media service, and in the absence of that interoperability, no compatible alternative service would be viable. The GDPR attempts to crack this chicken-and-egg problem and does a much better job than C-11 in terms of its data portability and platform interoperability provisions.

[11:45 a.m.]

I could go on. I’d like to discuss with you such key issues as transported data flows and automated decision-making systems. However, I’ll save this for my written submission.

I hope the examples I’ve provided so far illustrate the fact that the current law is simply not working, especially when it comes to grappling with the surveillance business model in advertising. C-11 has yet to adequately address many of the core issues and likely will not meet GDPR adequacy standards. This means your committee has an important job in leading the way here.

British Columbians know that the digital world has changed in the past 20 years and their lives are under greater surveillance than ever before. They don’t like it, but they don’t know what they can do about it. To regain their trust, updated privacy law needs to effectively reign in the now widespread, irresponsible surveillance business practices. Otherwise, it’s not fit for purpose.

I hope you’ll find my suggestions help complement the valuable recommendations others have made, such as to expand the powers of the commissioner, based on legislation and the fundamental human right to privacy; require a privacy-by-design approach; require privacy impact assessments, at least in high-risk situations; and develop cross-jurisdictional harmonization, amongst many others.

I’d be glad to assist the committee in your important work ahead. In the meantime, I’d be pleased to answer any questions you may have. Thank you very much for your attention.

M. Elmore (Chair): Thank you for your presentation. Members, do you have any questions for Andrew?

You covered a lot of ground. Andrew, we do appreciate that.

I’ll get things rolling. I appreciate your presentation. My question has to do with — and also sharing — concerns that you’ve raised with respect to the rise and expansion of the surveillance business model in advertising now.

In terms of GDPR, do you feel that GDPR addresses that adequately — specifically around requiring the registration in a public registry and also applying annual fees?

A. Clement: Thank you for that question. It’s an important one.

The GDPR, as I’ve indicated, goes quite a bit further than the discussions in Canada have so far about addressing the surveillance business model. Now, the GDPR was developed some years ago. They are now working on other legislation — digital services and digital markets and things like that — that address some of the things that have come to light since then.

In terms of the GDPR being adequate overall, I think it’s a great next step, but I think we need to go further. The GDPR does not, at this point, have a requirement for registration or for fees. As I mentioned, the U.K. has a registration requirement. It’s long-standing, but it’s a bit weak at this point. It’s a very basic registration requirement.

What I have in mind is that much of the information that an individual who is asked to consent to collection or the use of and other handling of their information, which is the information that’s required for an organization to present to an individual in that transaction, actually be made public to everybody so that it can be much more open to scrutiny.

I also imagine that a registry would be kind of a repository — at least the summaries, at the right stage of complaints or rulings by the commissioner, and so on — so that you could go to the registry and find out whether that organization is a legitimate organization, whether it is actually even registered and claims to meet the requirements.

There’s a lot that could be done. The details haven’t been worked out. There’s no particular model for a registry that I would point to at this point that you could say: “Well, just take that.” But I think it’s an important area to begin exploring.

[11:50 a.m.]

I mean, registration and fees are a standard practice across many other areas of consumer protection. It surprises me that in the data protection area, which, arguably, is more sensitive than many others, we don’t see such an approach.

M. Elmore (Chair): In terms of being responsive to harmonization across the board, what would the implications be, for example, if we adopted that in British Columbia for crime registration and annual fees, out ahead of even GDPR or C-11 or what Canada will come up with?

A. Clement: Well, first of all, to the point of harmonization more generally, this is very complex, as you probably know better than most, because you’ve got so many jurisdictions across Canada and, because of constitutional differences between the federal and provincial level, you’ve got a lot of negotiation to do. Not all provinces are like B.C., which has actually developed its own legislation that fills in areas where the federal legislation doesn’t.

Then you’ve got to consider the GDPR. In the international jurisdictions, it’s very important, I think, from the point of view both of individuals and for businesses that want to operate across jurisdictions, that they have a common basis for the rules of what they’re allowed to do and what they’re not. That, in itself, is an enormous problem.

The other thing, of course, is that this field is very dynamic. The business model we’re talking about here is relatively recent. It’s less than two decades old, and it’s changing very quickly. Within the ad surveillance business, that’s incredibly dynamic, so you’re trying to harmonize to a situation which isn’t stable. That’s another challenge.

As for your particular point about a registry and fees, that, I recognize, is currently outside the frame of other jurisdictions and what they have done, at least in terms of the GDPR and in terms of Canada. It’s done elsewhere in the world. So that presents a difficulty.

The idea about a registry and fees is that they should be fairly straightforward to comply with, not looking for complex materials to be presented. It’s conceivable that a business that wanted to operate in B.C…. Hopefully, B.C. can set a trend, as it has in other areas, that can spread. I would say that would be a relatively light additional requirement if B.C. is alone in proposing or implementing a registry and fees. Hopefully, by talking about it, you might get other jurisdictions to do something similar.

I’m concerned. At the federal level, the Office of the Privacy Commissioner gets approximately 66 cents per Canadian for its operation annually, right? That just seems ridiculously low as an amount of money to protect Canadians’ privacy. Its budget has not substantially changed in ten years, while the revenues of these other companies have grown exponentially.

I don’t want to go on too long if others have questions, but I hope that gives at least a clue.

K. Greene: I appreciate that the digital market is incredibly lucrative. Data has been said to be the new oil. I’m just wondering if I can get your thoughts on non-profits, because they aren’t necessarily in the same category yet do handle personal data and collect data and use it as a necessary way of delivering services. Just hoping to have some thoughts on that.

A. Clement: Right. Well, just on this question of registration and fees, I mentioned that it would be a tiered fee structure and that non-profits could be in their own category.

[11:55 a.m.]

If they are only collecting small amounts of information on relatively few people, the fees and the registration requirements would be extremely light comparatively, compared to what you would expect of Facebook, and so on.

This is a new area, at least from the federal point of view. I’m pleased that PIPA includes political parties, for instance, at this point. But I think there need to be distinctions in the legislation, not just for non-profits but between types of organizations, or at least their business models, and that the greater attention and burden of regulatory compliance should be on those that seek to use large amounts of personal information in ways that are complex and inscrutable, whereas I’d hope that non-profit organizations would have a much easier time just being open and basic. They’re not trying to monetize your attention, so they would have a much lighter burden.

M. Elmore (Chair): I want to thank you for your presentation. It’s really a great addition to our discussion. Now, did you say you have a written submission you’ll be submitting?

A. Clement: I will be submitting, but I understand I need to do this by the end of the month. It was on short notice for this, so I didn’t have time to actually make that submission, but I’ll do so based on my notes.

M. Elmore (Chair): Perfect. Appreciate that. Thank you very much for taking the time to present to us today. It’s been fascinating. We really appreciate it and want to thank you.

A. Clement: Well, good luck with your important work. It’s not easy.

M. Elmore (Chair): Okay. I want to thank everybody. This concludes the committee’s public hearings. On behalf of the committee, I’d like to thank everyone who took the time to share their input with us.

I’ll now entertain a motion to adjourn.

Kelly Greene, MLA for Richmond-Steveston, thank you very much for the motion.

Motion approved.

The committee adjourned at 11:57 a.m.