



The Special Committee appointed by the Legislative Assembly of British Columbia has reviewed the Personal Information Protection Act (PIPA) and released its recommendations for modernization.
In February 2020, the Legislative Assembly of British Columbia appointed a Special Committee to review the province's Personal Information Protection Act (“PIPA”). The Committee has reviewed the law and released its recommendations for modernizing it.
If you operate from British Columbia or have users from the province, you should be aware of these recommendations. They are not yet part of the law, but that will likely happen soon. They bring stricter requirements than the current data privacy laws applicable in Canada, so you must be aware of them and prepare accordingly.
Due to the political and administrative organization of Canada, there are multiple data protection laws that businesses need to comply with.
Canada has a federal data protection law called the Personal Information Protection and Electronic Documents Act (PIPEDA). Entities that are subject to PIPEDA and process personal information must adhere to 10 fair information principles. Every business in Canada needs to comply with the federal law, with some exceptions.
The provinces of Alberta, British Columbia and Quebec have their own private-sector privacy laws and are generally exempt from PIPEDA when it comes to the collection, use, or disclosure of personal information that occurs within their respective provinces. However, PIPEDA still applies to federally regulated organizations (such as banks, airlines, and telecom companies) in those provinces, and when data processing by businesses in those provinces crosses provincial or national borders.
Aside from PIPEDA, every province can pass its own data privacy law. The federal and provincial laws coexist and apply simultaneously.
Businesses that operate from Canada have to comply with federal law, as well as the law of the province they operate from. In addition, they need to comply with all the provincial laws applicable to their customers.
If the business operates in a regulated industry, such as health or insurance, there may be some other industry-specific data privacy law that they need to comply with.
This makes the situation quite complicated. Fortunately, data protection laws at both the federal and provincial level are aligned with each other, which makes for easier compliance.
However, technology moves fast and laws do not. Laws become outdated for the modern world and need to be updated. The Committee's recommendations aim to show legislators the way to modernize British Columbia law and align it with new global trends in data protection regulation.
The report contains a long list of recommendations; we will sum up the most important ones and explain them briefly.
The recommendations include:
Since the consent requirements of the PIPA are outdated, the Committee recommends to:
The Committee expresses its concern regarding “consent fatigue” and therefore does not recommend explicit consent requirements for every single case of processing data, as the GDPR requires. Businesses can still rely on implied consent in some situations, while they’ll have to obtain explicit consent in other situations.
In the future, PIPA should require organizations to give notification of every data breach, just as other data protection laws require.
In addition, it should allow for easy communication of the breaches. This means that businesses should report in any way they find suitable at the moment. That could be over the phone, email, regular mail, text, or another method. There should be no constraints to the communication of breaches.
The Committee recommended that PIPA should be more similar to the GDPR in terms of transparency. PIPA currently allows businesses to refuse data subject requests on too many grounds. It also does not guarantee all the rights that data subjects enjoy in Europe.
The report also notes that the transparency obligations regarding third-party service providers are outdated and need to be changed to reflect the way data processing is being done nowadays.
Having said that, the recommendations are to:
The Privacy Commission Officer may be given powers for efficient enforcement of the PIPA. In practice this means that they could:
As mentioned above, this report contains only recommendations. They were made after comprehensive reviews and consultations with relevant stakeholders, so it is reasonable to expect that most of them will be included in legislation updates in the near future.
In the meantime, you can meet the requirements of PIPEDA and set your business on the easy track to compliance with the PIPA once the updates come into effect.
Secure Privacy can help you with compliance through cookie banners, a website scanner, a privacy policy generator, and other tools.