Time to Update the Personal Information Protection Act
By Mike Larsen, June 11, 2020
The Personal Information Protection Act (PIPA) is the key statute governing the collection, use, and disclosure of personal information by private and nonprofit organizations in BC. It is the counterpart to the Freedom of Information and Protection of Privacy Act (FIPPA), which deals with public bodies. Right now, a special committee of the BC Legislative Assembly is conducting a mandatory review of the PIPA. Hearings are being held via Zoom, on account of the pandemic, and a variety of groups, agencies, and offices are making submissions.
The BC Freedom of Information and Privacy Association (FIPA) made its initial submission on June 9. This was an oral presentation accompanied by a slide deck. We will be making a more detailed written submission in August.
FIPA is a nonprofit organization dedicated to the protection and advancement of freedom of information and privacy rights, both in BC and across Canada. I have been involved with FIPA in one capacity or another for almost a decade, and I have been the President of the organization for the last few years.
Section 59 of the PIPA requires a special committee of the legislature to review the statute every six years, and there have been two such reviews since the Act came into force in 2004. As is often the case with such processes, the recommendations made by the previous committees were sound, unanimous, progressive - and completely ignored by the government of the day.
The current process feels different, though.
In part, this is because the Committee is considering issues at the intersection of privacy and digital technology while also holding its proceedings via Zoom due to the COVID-19 pandemic. This is lending a certain immediacy and authenticity to the discussions. On a related note, the review of the PIPA comes at a time when private businesses and nonprofits - the bodies subject to the Act - are rapidly adopting remote working and online service practices, many of which involve expanded means of collecting, using, and sharing personal information. Add to this the fact that, since the last review of the PIPA, we have seen many high-profile data breaches, a growing understanding of the power of Big Data and surveillance capitalism, and increasing concerns about the privacy implications of machine learning technologies (Clearview AI comes to mind).
My hope is that this mix of factors will contribute to a context where the recommendations of the special committee will not only be thorough and progressive but also serve as the basis for actual law reform.
Substantive reform is definitely needed. FIPA has prepared a comprehensive analysis of the legislation, and we have made numerous recommendations for reform. Highlights include:
• Mandatory breach notification, so that organizations have an obligation to inform both the Office of the Information and Privacy Commissioner and affected parties when personal information is improperly accessed;
• Requirements for organizations to conduct privacy impact assessments (PIAs) on privacy-impacting technologies and practices, and to make their privacy policies publicly available;
• Increased accountability for organizations regarding the transfer of personal information to third parties and between jurisdictions;
• The granting of fining powers to the OIPC so that the Commissioner can enforce privacy standards and hold organizations accountable for inaction or negligence;
• Algorithmic transparency, enshrining a right for people to know how machine learning algorithms are making decisions about them (getting away from the ‘black box’ model of machine learning programs);
• A tightening up of the PIPA to address the current practice of public bodies outsourcing important work to private entities and then using the ‘corporate veil’ to restrict access to information about this work.
You can listen to the audio recording of our presentation to the Committee here. We present at 3:38 pm. I also recommend listening to the presentation of Colin Bennett (of the University of Victoria) at 2:50 pm.
To prepare for our presentation, we conducted some polling through Ipsos. In general, we found that there is a strong public mandate for privacy reform.
Of particular interest to me are the results of our poll questions regarding privacy and education: 75% of British Columbians believe that it is important to have a targeted curriculum for K-12 schools relating to privacy rights, and 78% believe that privacy rights should be part of our postsecondary curriculum.
Right now, privacy is not a meaningful part of curriculum at either level. Considerable effort is spent teaching students how to use various software systems and applications, but prevailing conceptualizations of ‘digital literacy’ fail to encompass the social and political dimensions of surveillance, Big Data, and privacy as they pertain to technologies. This needs to change.
I will prepare an update after the Committee finishes its hearings. Once their report is tabled, there will be a concerted effort by various groups to ensure that the government commits to acting on the recommendations.
If this issue is of interest, I encourage you to support - and ideally join - an organization that is working to advance privacy rights. Both the BC Freedom of Information and Privacy Association (FIPA) and the BC Civil Liberties Association (BCCLA) are making submissions to the special committee, and both organizations are actively seeking members and volunteers who care about the intersection of privacy, surveillance, and social justice.