October 18, 2021, British Columbia first announced its proposal to update the province’s privacy legislation, Bill 22 – British Columbia's Freedom of Information and Protection of Privacy Act (FIPA). One of the most significant proposed changes to the private sector includes the requirement for mandatory breach reporting – where companies must disclose and report on data breaches within their business.
British Columbia is the only province in Canada that does not have any statutory obligation for businesses to report a data/privacy beach to affected individuals. Though Bill 22 came into effect immediately on November 25th, 2021 it still does not require that companies disclose breaches to affected individuals. The three major changes that came into effect with the are:
- Repeal of data localization requirements
- Protection of information of Indigenous peoples that could be harmful to Indigenous rights
- Information access fees
Repeal of data localization requirements
The amendments to data localization requirements now allows public bodies to store and access personal information inside of Canada and disclose outside. There are few options for exemptions permitting access and disclosure of this information.
Protection of information related to Indigenous peoples rights
The amendments now prohibit the disclosure of information if that information could harm the rights of Indigenous people including cultural heritage, traditional knowledge, expressions, sciences, cultures and or technologies unless the Indigenous peoples provide written consent otherwise. This is perhaps a step forward in terms of ending systemic racism and discrimination in the province.
Fees for information access
A nominal fee of $10 is required to access information from public bodies. For some this may seem significant, however the idea that consumers will spend significant amounts on information access seems unlikely.
Shortly after the amendment came into effect late November, The Special Committee to Review the Personal Information Protection Act (SCPIPA) released their recommendations on December 6th in this report. The report makes 34 recommendations to modernize PIPA. Of the 34 recommendations here are a few highlights.
Consent and impact of new technology
The report emphasizes the need to update the current PIPA legislation with increased consent requirements for both businesses and consumers. The report mentions that “67% of Canadians feel little to no control over how businesses use their personal information”. It recommends that individuals must be fully aware of how businesses collect their information.
Data breach requirements and consistency across the rest of Canada
Another key recommendation by the Special Committee, is to ensure that PIPA remains similar to the Federal legislative changes to the Personal Information Protection and Electronic Documents act and that PIPA becomes consistent with other provinces in Canada. Furthermore, the report recommends mandatory breach notifications that require businesses to notify the privacy commissioner and affected individuals of breaches of sensitive information. As mentioned earlier in this post, British Columbia is the only province in Canada whose private sector is not required to notify affected individuals of a data breach.
As the OIPC is in support of this recommendation, businesses should prepare themselves for breach reporting protocol as potential provisions are expected to be fairly strict along with penalties to follow.
Significant penalties for compliance failure
The Special Committee recommends greater enforcement powers to the OIPC allowing for audits to identify systemic issues, audits of private organizations, requiring organizations to enter compliance agreements, reporting, and issuing of fines to organizations who violate PIPA.
In addition, the current penalties under PIPA are not sufficient, and according to the recommendations the Committee suggests using proportionality and scalability to address appropriate fines for businesses and individuals who violate PIPA.
Although the recommendations have not been addressed yet by the British Columbia Legislature, it seems likely these recommendations will be adopted.
What to do as a business moving forward?
As fines and reporting are expected for businesses who are involved with data breaches it is pertinent that businesses start to focus on prioritizing protection of sensitive data. Breaches occur not only from malicious actors outside of organizations, but often information can be made vulnerable by internal employee actions whether malicious or unintentional. Employers should introduce appropriate safeguards to prevent data breaches. This includes employee training, revisiting your privacy program, creating breach plans and implementing protocol to protect sensitive information.