B.C. Special Committee Releases Report Recommending Modernization of Private Sector Privacy Law
Yesterday, the Special Committee to Review the Personal Information Protection Act appointed by the Legislative Assembly of British Columbia issued a report containing 34 recommendations to modernize the province's private sector privacy statute, the Personal Information Protection Act (PIPA BC).
The Special Committee's recommendations focus on the alignment and harmonization of PIPA BC with the “changing federal, provincial and international privacy landscape, including the European Union’s General Data Protection Regulation (GDPR).”
Key recommendations include:
- Enhancing the powers granted to the Office of the Information and Privacy Commissioner, including:
  - the power to levy administrative monetary penalties “set at an amount that is a sufficient deterrent to contraventions of the Act”;
  - strengthening the Commissioner’s power to enforce PIPA BC and expand audits of private sector organizations;
- A mandatory breach notification regime “with consideration for proportionality regarding the severity of the breach”;
- A "data portability" right of individuals to obtain their own personal information in a structured, commonly used, and machine-readable format;
- Implementing a privacy impact assessment (PIA) requirement “prior to beginning a new project that will require the processing of sensitive information with a high degree of risk to individuals”;
- The inclusion of definitions of pseudonymized information as a type of personal information regulated by PIPA BC, and clarifying that anonymized information is outside the scope of PIPA BC;
- A requirement to notify individuals if automated processes were used to make a significant decision about them and allow individuals to request human intervention in the decision-making process;
- Aligning the exemptions to consent in PIPA BC with the GDPR, which includes five additional legal bases for processing personal data:
  - performance of a contract;
  - compliance with legal obligations;
  - vital interest of data subject;
  - public interest; and
  - legitimate interest;
- Defining new sensitive categories of information that would require explicit consent, including biometric data, political views, religion, sexual orientation, medical information, and information related to children and youth;
- An express consent requirement for the “sale” of personal information;
- Creating a distinct section on employee privacy, and including requirements that specifically address the increased use of employee personal devices in the workplace; and
- Creating separate provincial health privacy legislation, as in other provinces.
As with legislative reform developments across the country, AccessPrivacy will continue to follow developments in B.C.'s private sector regime in its Legislative Reform Portal, available to AccessPrivacy Knowledge Portal subscribers.