Blog Post:

Presentation to the Special Legislative Committee on Review of the B.C. Personal Information Protection Act (PIPA) June 9, 2020

Thank you for this opportunity to appear before you today.

I listened to the testimony last week, and I do not want to repeat what you heard from Michael McEvoy.  PIPA is dated.  There have been two statutory reviews and nothing has been done to update the law.  Despite what you will hear from others about this being a practical statute that balances the rights of the individual with the needs of business on the basis of reasonable expectations, I have to say that I do not think the law is working particularly well.  I see a lot of non-compliance in my daily interactions with businesses in BC.  You will have seen a poll from the Freedom of Information and Privacy Association. Only 33% of those polled believe that organizations are open and transparent about how they collect and use personal information.  Only 32% were aware of the existence of PIPA.   We are living in a world of far greater awareness of privacy as a social and political issue, as well as far higher levels of concern over the lack of individual control over our personal data.

I will present a more detailed submission later, but for now, I thought I would offer some more high-level thoughts about how the social, political, technological, and legal environment has changed since PIPA came into force in 2004.

First, the COVID-19 pandemic has brought home the fact that we are dependent on global digital services.  We and our businesses are increasingly reliant on digital platforms which are processing our data in different parts of the world.  We need to trust these platforms and privacy and security are the central building-blocks of that trust.

Second, privacy protection is a far more important political issue than it was in 2004.  As personal data is the main resource of surveillance or informational capitalism, privacy protection goes to the heart of the way that wealth is now created.   Laws like PIPA are not just consumer protection statutes, they perform central functions in the regulation of the global informational economy and that is why Big Tech companies have spent millions of dollars lobbying against them in different parts of the world.

Third, and despite that lobbying, information privacy (data protection) laws, have proliferated.   When PIPA came into force in 2004, there were only around 30 jurisdictions in the world with such legislation.  Now, the count is at around 130 jurisdictions.  Legal reform has been triggered by growing concerns about privacy protection.  It is also motivated by trade-related concerns, and the perceived need to provide safe harbors for domestic businesses to freely import personal data from overseas without having to negotiate detailed and costly individual contracts.  Strong privacy laws place jurisdictions in the club of countries around which personal data can flow more freely.

Fourth, that global process of trading up data protection standards was, and is still, being driven by the European Union.  PIPA was passed in response to PIPEDA which was, in part, passed in reaction to the 1995 EU Data Protection Directive; this Directive stipulated that, unless individual contracts had been negotiated or the individual had consented, personal data could only flow out from the EU to countries with adequate levels of protection.  PIPEDA was judged adequate in terms of European standards back in 2002, and BC’s PIPA was judged substantially similar to PIPEDA.  Now we have the General Data Protection Regulation (GDPR), just 4-years old, and widely regarded as setting the standard for privacy protection around the world.   The GDPR not only revises the 1995 Data Protection Directive to produce a single harmonized regulation for the entire EU, but it is also a more multi-faceted instrument, embracing and combining policy instruments that have tended to originate in non-European jurisdictions.  European law now requires a standard of essential equivalence requiring the basic privacy principles, good levels of enforcement and compliance, and effective methods of individual redress.

Fifth, unlike in 2004, data protection standards are not just being driven by the EU.  The more countries that belong to the data protection club the greater the pressure on those without laws to join.   And some of those countries, which have been granted adequacy status, are also passing provisions stipulating that personal data should not flow out of their countries unless the receiving jurisdiction has equivalent protections.  For instance, the new Japanese data protection law establishes a white list of countries.  The countries of the EU are on that list, and so presumably will other jurisdictions that have been granted adequacy by the EU.  It is expected that S. Korea will follow a similar path.  This question is not just about flows of personal data from Europe to Canada, therefore, but implicates our trading relationships with other economies, including those in the Asia-Pacific.

Sixth, back in 2004 business could credibly worry that compliance with data protection statutes in Canada would put them at a competitive disadvantage with competitors south of the border.  U.S. privacy protection laws have generally been weaker and more fragmented than those in other democratic states.  But this is changing.  In particular, I would draw your attention to the new California Consumer Privacy Act, which is being emulated in other states and is raising standards across the entire country.  Canadian businesses can no longer make the argument about a loss of competitiveness.  In fact, and with respect to data breaches, many U.S. states have far stronger provisions than those in Canada.

Seventh, therefore, data breaches are now commonplace and can have massive consequences for corporate share prices and reputations.   Data breach notification is now a standard component of international privacy laws.   It is required by the GDPR.  Since 2018, under the federal Digital Privacy Act (amending PIPEDA), every organization that collects, uses and discloses personal information in the course of commercial activity in Canada (with a few exceptions) must follow new mandatory data breach record-keeping, reporting and notification rules, or face significant consequences for non-compliance.  B.C. is out of step. PIPA will not be substantially similar to PIPEDA unless mandatory data breach notification is included in the law.  Businesses that are responsible for significant data breaches that affect the rights and interests of citizens should be mandated to report those breaches to the Commissioner, and under certain circumstances to the individuals themselves.

Finally, primarily complaints-based statutes do not cut it anymore.  PIPA was written to regulate the simple bilateral relationship between the individual and a business.   You find an infraction and you complain.  The Commissioner investigates, mediates, or makes an order.   Now, our relationships with businesses are a lot more complex, multilateral, and opaque.   In many cases, we do not even know of the entities that capture data about us in this complex digital environment.  In many instances, we are not even aware of how we are being identified, and by whom. Judgments about us are often not made through human intervention but by AI and machine-learning.

Complaints resolution, investigation and individual redress are important, but more crucial powers are those that are general and anticipatory, rather than specific and remedial.  The law has to give the Commissioner more powers to act pro-actively, as well as to address the systemic issues using the entire repertoire of policy tools:  educational, technological and regulatory.  I fully support the Commissioner’s call for the power to issue administrative monetary penalties, when necessary, as well as his request to issue orders in the absence of a complaint.  Three decades of experience and research have demonstrated that the presence of the regulatory stick often assists the exercise of softer instruments of persuasion.

Advocates and experts are looking for modernization of our law, which will strengthen consumer privacy rights, give the Commissioner the tools he needs to protect our privacy, and thereby assist our businesses, especially those in the high-tech sector, to compete.  Despite what you will no doubt hear, PIPA can be modernized without increasing red-tape and without strapping BC businesses at a time when they are under considerable stress because of the pandemic.

There is some urgency. I hope your committee and the BC government will act to reform PIPA this time around.    I look forward to your questions, and to assisting you in any other ways over the coming months.